In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.

HackMD

*   

*   

*   *   Create new note
    *   Create a note from template
*   

*   *   Options
    *   Versions and GitHub Sync
    *   Transfer ownership
    *   Delete this note
    *   Template
    *   Save as template
    *   Insert from template
    *   Export
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Import
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Clipboard
    *   Download
    *   Markdown
    *   HTML
    *   Raw HTML
    *   ODF (Beta)
*   *   Sharing
    
    *   View mode
        
        *   Edit mode
        *   View mode
        *   Book mode
        *   Slide mode
        
    *   Note Permission
    *   Read
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   Write
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   More (Comment, Invitee)

CVE-2021-46009: CVE-2021-46009 - HackMD

totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.

CVE-2021-46007: CVE-2021-46007 - HackMD

In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.

CVE-2021-46006: CVE-2021-46006 - HackMD

In miniadb, there is a possible way to get read/write access to recovery system properties due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-201308542

_Published February 22, 2022_

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 12L. Android 12L devices with a security patch level of 2022-03-01 or later are protected against these issues (Android 12L, as released on AOSP, will have a default security patch level of 2022-03-01). To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 12L release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Announcements**

*   The issues described in this document are addressed as part of Android 12L. This information is provided for reference and transparency.
*   We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**Android 12L vulnerability details**

The sections below provide details for security vulnerabilities fixed as part of Android 12L. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

**Framework**

   

CVE

References

Type

Severity

CVE-2021-39749

A-205996115

EoP

High

CVE-2021-39743

A-201534884

EoP

Moderate

CVE-2021-39746

A-194696395

EoP

Moderate

CVE-2021-39750

A-206474016

EoP

Moderate

CVE-2021-39752

A-202756848

EoP

Moderate

CVE-2021-39758

A-205130886

EoP

Moderate

CVE-2022-20002

A-198657657

EoP

Moderate

CVE-2021-39744

A-192369136

ID

Moderate

CVE-2021-39745

A-206127671

ID

Moderate

CVE-2021-39747

A-208268457

ID

Moderate

CVE-2021-39748

A-203777141

ID

Moderate

CVE-2021-39751

A-172838801

ID

Moderate

CVE-2021-39753

A-200035185

ID

Moderate

CVE-2021-39755

A-204995407

ID

Moderate

CVE-2021-39756

A-184354287

ID

Moderate

CVE-2021-39757

A-176094662

ID

Moderate

CVE-2021-39754

A-207133709

ID

Moderate

**Media Framework**

   

CVE

References

Type

Severity

CVE-2021-39759

A-180200830

EoP

Moderate

CVE-2021-39760

A-194110526

ID

Moderate

CVE-2021-39761

A-179783181

ID

Moderate

CVE-2021-39762

A-210625816

ID

Moderate

**Platform**

   

CVE

References

Type

Severity

CVE-2021-39741

A-173567719

EoP

Moderate

CVE-2021-39763

A-199176115

EoP

Moderate

CVE-2021-39764

A-170642995

EoP

Moderate

CVE-2021-39767

A-201308542

EoP

Moderate

CVE-2021-39768

A-202017876

EoP

Moderate

CVE-2021-39771

A-198661951

EoP

Moderate

CVE-2021-25393

A-180518134

ID

Moderate

CVE-2021-39739

A-184525194

ID

Moderate

CVE-2021-39740

A-209965112

ID

Moderate

CVE-2021-39742

A-186405602

ID

Moderate

CVE-2021-39765

A-201535427

ID

Moderate

CVE-2021-39766

A-198296421

ID

Moderate

CVE-2021-39769

A-193663287

ID

Moderate

CVE-2021-39770

A-193033501

ID

Moderate

**System**

   

CVE

References

Type

Severity

CVE-2021-39776

A-192614125

EoP

High

CVE-2021-39787

A-202506934

EoP

High

CVE-2021-39772

A-181962322

EoP

Moderate

CVE-2021-39780

A-204992293

EoP

Moderate

CVE-2021-39781

A-195311502

EoP

Moderate

CVE-2021-39782

A-202760015

EoP

Moderate

CVE-2021-39783

A-197960597

EoP

Moderate

CVE-2021-39784

A-200163477

EoP

Moderate

CVE-2021-39786

A-192551247

EoP

Moderate

CVE-2021-39789

A-203880906

EoP

Moderate

CVE-2021-39790

A-186405146

EoP

Moderate

CVE-2021-39773

A-191276656

ID

Moderate

CVE-2021-39775

A-206465854

ID

Moderate

CVE-2021-39777

A-194743207

ID

Moderate

CVE-2021-39778

A-196406138

ID

Moderate

CVE-2021-39779

A-190400974

ID

Moderate

CVE-2021-39788

A-191768014

ID

Moderate

CVE-2021-39791

A-194112606

ID

Moderate

CVE-2021-39774

A-205989472

DoS

Moderate

**Additional Vulnerability details**

The section below provides details for security vulnerabilities that are being provided for disclosure purposes. **These issues are not required for SPL compliance.**

**Android TV**

   

CVE

References

Type

Severity

CVE-2021-1000

A-185190688

EoP

Moderate

CVE-2021-1033

A-185247656

EoP

Moderate

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

Android 12L, as released on AOSP, has a default security patch level of 2022-03-01. Android devices running Android 12L and with a security patch level of 2022-03-01 or later address all issues contained in these security release notes.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**Versions**

  

Version

Date

Notes

1.0

February 22, 2022

Security Release Notes Published

CVE-2021-39767: Android 12L Security Release Notes  |  Android Open Source Project

In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-198657657

CVE-2022-20002: Android 12L Security Release Notes  |  Android Open Source Project

On unix-like systems, the system temporary directory is shared between all users on that system. The root cause is File.createTempFile creates files in the the system temporary directory with world readable permissions. Any sensitive information written to theses files is visible to all other local users on unix-like systems. We recommend upgrading past commit https://github.com/google/data-transfer-project/pull/969

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-22572: Switch to using Files.createTempFile by seehamrun · Pull Request #969 · google/data-transfer-project

A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc.

Operating System Version：ubuntu 20.04

re2c version：2.2

error function：re2c::backprop

\==9992==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdf3f83ff8 (pc 0x00000066f8e0 bp 0x000000135534 sp 0x7ffdf3f84000 T0)  
#0 0x66f8e0 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
#1 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
#2 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
#3 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
Omit.....  
#245 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long)re2c/src/dfa/dead\_rules.cc:149:9  
#246 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long)re2c/src/dfa/dead\_rules.cc:149:9  
#247 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
#248 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long)re2c/src/dfa/dead\_rules.cc:149:9  
AddressSanitizer: stack-overflow re2c/src/dfa/dead\_rules.cc:149:9 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long)

Test example link：

https://drive.google.com/file/d/1bLXgifNQhcTQI6937lJhapAa3hgwEugT/view?usp=sharing

Run the following command to repeat the error：

$ ./re2c example

CVE-2022-23901: Stack overflow due to recursion in src/dfa/dead_rules.cc · Issue #394 · skvadrik/re2c

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Netegrity SiteMinder up to 4.5.1 and classified as critical. Affected by this issue is the file /siteminderagent/pwcgi/smpwservicescgi.exe of the component Login. The manipulation of the argument target leads to an open redirect. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Meta Temp Score

CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.

Current Exploit Price (≈)

Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.

CTI Interest Score

Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.

5.0

$0-$5k

0.07

A vulnerability was found in Netegrity SiteMinder up to 4.5.1 and classified as critical. Affected by this issue is an unknown function of the file _/siteminderagent/pwcgi/smpwservicescgi.exe_ of the component _Login_. The manipulation of the argument `target` with an unknown input leads to a redirect vulnerability. Using CWE to declare the problem leads to CWE-601. Impacted is confidentiality, and integrity.

The weakness was disclosed 01/17/2005 by Marc Ruef with scip AG as _VDB-1022_ as confirmed advisory (Website). The advisory is available at vuldb.com. The public release has been coordinated in cooperation with the vendor. This vulnerability is handled as CVE-2005-10001. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. Technical details as well as a public exploit are known.

A public exploit has been developed by Marc Ruef in URL and been published immediately after the advisory. It is declared as proof-of-concept. By approaching the search of inurl:/siteminderagent/pwcgi/smpwservicescgi.exe it is possible to find vulnerable targets with Google Hacking.

Applying a patch is able to eliminate this problem. The bugfix is ready for download at rsasecurity.com.Addressing this vulnerability is possible by firewalling Web Server Port. The best possible mitigation is suggested to be applying a restrictive firewalling.

The vulnerability is also documented in the vulnerability database at SecurityTracker (ID 1012927).

**Productinfoedit**

**Vendor**

*   Netegrity

**Name**

*   SiteMinder

**CPE 2.3infoedit**

*   🔍
*   🔍

**CPE 2.2infoedit**

*   🔍
*   🔍

**CVSSv3infoedit**

VulDB Meta Base Score: 5.4  
VulDB Meta Temp Score: 5.0

VulDB Base Score: 5.4  
VulDB Temp Score: 5.0  
VulDB Vector: 🔍  
VulDB Reliability: 🔍

**CVSSv2infoedit**

AV

AC

Au

C

I

A

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

Vector

Complexity

Authentication

Confidentiality

Integrity

Availability

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

VulDB Base Score: 🔍  
VulDB Temp Score: 🔍  
VulDB Reliability: 🔍

**Exploitinginfoedit**

Class: Redirect  
CWE: CWE-601  
ATT&CK: Unknown

Local: No  
Remote: Yes

Availability: 🔍  
Access: Public  
Status: Proof-of-Concept  
Author: Marc Ruef  
Reliability: 🔍  
Programming Language: 🔍  
Google Hack: 🔍  
Price Prediction: 🔍  
Current Price Estimation: 🔍

0-Day

unlock

unlock

unlock

unlock

Today

unlock

unlock

unlock

unlock

ATK: 282

**Threat Intelligenceinfoedit**

Interest: 🔍  
Active Actors: 🔍  
Active APT Groups: 🔍

**Countermeasuresinfoedit**

Recommended: Firewall  
Status: 🔍

0-Day Time: 🔍  
Exploit Delay Time: 🔍

Patch: rsasecurity.com  
Firewalling: 🔍

**Timelineinfoedit**

12/09/2004 🔍  
01/17/2005 +39 days 🔍  
01/17/2005 +0 days 🔍  
01/18/2005 +1 days 🔍  
01/20/2005 +2 days 🔍  
01/20/2005 +0 days 🔍  
03/03/2022 +6250 days 🔍

**Sourcesinfoedit**

Advisory: VDB-1022  
Researcher: Marc Ruef  
Organization: scip AG  
Status: Confirmed  
Coordinated: 🔍

CVE: CVE-2005-10001 (🔍)  
SecurityTracker: 1012927 - Netegrity SiteMinder &#039;smpwservicescgi.exe&#039; Lets Remote Users Forward the Target User to an Arbitrary URL  
SecuriTeam: securiteam.com  
Secunia: 13896 - Netegrity SiteMinder "smpwservicescgi.exe" Redirection Weakness, Not Critical  
OSVDB: 13094 - Netegrity SiteMinder smpwservicescgi.exe Obscured Site Redirection

scip Labs: https://www.scip.ch/en/?labs.20161013

**Entryinfoedit**

Created: 12/09/2004 12:01  
Updated: 03/03/2022 09:45  
Changes: (3) vulnerability\_cvss2\_vuldb\_basescore vulnerability\_cvss2\_vuldb\_tempscore exploit\_price\_0day  
Complete: 🔍

**Comments**

No comments yet. Languages: en.

Please log in to comment.

◂ PreviousOverviewNext ▸

**Do you know our Splunk app?**

Download it now for free!

CVE-2005-10001: Netegrity SiteMinder Login smpwservicescgi.exe redirect

The Sync WooCommerce Product feed to Google Shopping WordPress plugin through 1.2.4 uses the 'feed_id' POST parameter which is not properly sanitized for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard

CVE-2021-25068

Vertical Privilege Escalation in KONGA 0.14.9 allows attackers to higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.

**terça-feira, 16 de novembro de 2021**

  **KONGA 0.14.9 - Privilege Escalation (Exploit)**

**Report Vulnerability**

**_Product: KONGA Model:  0.14.9 Vulnerability: Privilege EscalationImpact: Full admin access (v__ertical privilege escalation__)_****_Authentication: required_ ****_Exploit Author: Fabricio Salomao (__@\_SOl0m0n__) / Paulo Trindade (@paulotrindadec)_**

**PoC**

Bellow has created a normal user called "usernormal" without privilege.

Through of request bellow was changed the flag "FALSE" in the parameter "admin" to "**TRUE**".

![](https://1.bp.blogspot.com/-UvzhCIJXGGM/YZP0iI5s4vI/AAAAAAAAT00/tlLPp9CzvO8yr16cNxsx_TGyLoGUqqDfgCLcBGAsYHQ/w640-h234/p2.png)

  

![](https://lh3.googleusercontent.com/-ZLbg9rps_J0/YZPx5tNmzWI/AAAAAAAAT0s/uU-Hi62G0oogpKzNYu75ZCS22CkrTWogwCLcBGAsYHQ/w640-h250/image.png)

After running the exploit, the privilege escalation was a success!

**Result:**

![](https://1.bp.blogspot.com/-QkIP_UYLdMQ/YZP0_MYbvfI/AAAAAAAAT08/Cdl2tOveJNstnRXWQPf_N9w8CJXQnfOOwCLcBGAsYHQ/w640-h200/p3.jpeg)

  

**Nenhum comentário:**

**Postar um comentário**

Tag

#google