A vulnerability classified as critical has been found in code-projects Bus Dispatch and Information System 1.0. Affected is an unknown function of the file delete_bus.php. The manipulation of the argument busid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230112.

CVE-2023-2951

Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up

@@ -55,7 +55,7 @@ function add\_template(){

url: "ajax\_code.php",

dataType: "html",

data: {

list\_id: <?php echo htmlspecialchars($list\_id, ENT\_QUOTES);?>,

list\_id: <?php echo js\_escape($list\_id); ?>,

multi: val,

source: "save\_provider"

},

Expand All

@@ -71,7 +71,7 @@ function add\_template(){

return;

}

else{

alert("<?php echo addslashes(xl('You should select at least one Provider'));?>");

alert(<?php echo xlj('You should select at least one Provider');?>);

}

  

}

Expand All

@@ -97,13 +97,13 @@ function add\_template(){

$sel = '';

}

}

echo "<option value='" . htmlspecialchars($row\['id'\], ENT\_QUOTES) . "' $sel\>" . htmlspecialchars($row\['lname'\] . "," . $row\['fname'\], ENT\_QUOTES) . "</option>";

echo "<option value='" . attr($row\['id'\]) . "' $sel\>" . text($row\['lname'\] . "," . $row\['fname'\]) . "</option>";

}

?>

</select\>

</td\>

<td\>

<a href\="#" onclick\="add\_template()" class\="btn btn-primary"\><span\><?php echo htmlspecialchars(xl('Save'), ENT\_QUOTES);?></span\></a\>

<a href\="#" onclick\="add\_template()" class\="btn btn-primary"\><span\><?php echo xlt('Save');?></span\></a\>

</td\>

</tr\>

</table\>

Expand Down

CVE-2023-2948: fixes: couple more misc fixes (#6336) · openemr/openemr@af1ecf7

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up @@ -120,13 +120,13 @@ function sqlQuery($statement, $link) } }  
echo " <td>$sfname</td>\\n"; echo " <td>$dbase</td>\\n"; echo " <td>" . htmlspecialchars($sfname, ENT\_NOQUOTES) . "</td>\\n"; echo " <td>" . htmlspecialchars($dbase, ENT\_NOQUOTES) . "</td>\\n";  
if (!$config) { echo " <td colspan='3'><a href='setup.php?site=$sfname' class='text-decoration-none'>Needs setup, click here to run it</a></td>\\n"; echo " <td colspan='3'><a href='setup.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Needs setup, click here to run it</a></td>\\n"; } elseif ($errmsg) { echo " <td colspan='3' class='text-danger'>$errmsg</td>\\n"; echo " <td colspan='3' class='text-danger'>" . htmlspecialchars($errmsg, ENT\_NOQUOTES) . "</td>\\n"; } else { // Get site name for display. $row = sqlQuery("SELECT gl\_value FROM globals WHERE gl\_name = 'openemr\_name' LIMIT 1", $dbh); Expand All @@ -152,20 +152,20 @@ function sqlQuery($statement, $link) }  
// Display relevant columns. echo " <td>$openemr\_name</td>\\n"; echo " <td>$openemr\_version</td>\\n"; echo " <td>" . htmlspecialchars($openemr\_name, ENT\_NOQUOTES) . "</td>\\n"; echo " <td>" . htmlspecialchars($openemr\_version, ENT\_NOQUOTES) . "</td>\\n"; if ($v\_database != $database\_version) { echo " <td><a href='sql\_upgrade.php?site=$sfname' class='text-decoration-none'>Upgrade Database</a></td>\\n"; echo " <td><a href='sql\_upgrade.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Upgrade Database</a></td>\\n"; } elseif (($v\_acl > $database\_acl)) { echo " <td><a href='acl\_upgrade.php?site=$sfname' class='text-decoration-none'>Upgrade Access Controls</a></td>\\n"; echo " <td><a href='acl\_upgrade.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Upgrade Access Controls</a></td>\\n"; } elseif (($v\_realpatch != $database\_patch)) { echo " <td><a href='sql\_patch.php?site=$sfname' class='text-decoration-none'>Patch Database</a></td>\\n"; echo " <td><a href='sql\_patch.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Patch Database</a></td>\\n"; } else { echo " <td><i class='fa fa-check fa-lg text-success' aria-hidden='true' ></i></a></td>\\n"; } if (($v\_database == $database\_version) && ($v\_acl <= $database\_acl) && ($v\_realpatch == $database\_patch)) { echo " <td><a href='interface/login/login.php?site=$sfname' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site $sfname'></i></a></td>\\n"; echo " <td><a href='portal/index.php?site=$sfname' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site $sfname'></i></a></td>\\n"; echo " <td><a href='interface/login/login.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site " . htmlspecialchars($sfname, ENT\_QUOTES) . "'></i></a></td>\\n"; echo " <td><a href='portal/index.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site " . htmlspecialchars($sfname, ENT\_QUOTES) . "'></i></a></td>\\n"; } else { echo " <td><i class='fa fa-ban fa-lg text-secondary' aria-hidden='true'></i></td>\\n"; echo " <td><i class='fa fa-ban fa-lg text-secondary' aria-hidden='true'></i></td>\\n"; Expand Down

CVE-2023-2947: fix: bug fix (#6296) · openemr/openemr@8d2d601

 Code Injection in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up @@ -43,7 +43,7 @@ require\_once("$srcdir/forms.inc.php"); require\_once("$srcdir/appointments.inc.php");  
use OpenEMR\\Core\\Header; use OpenEMR\\Services\\AppointmentService;  
// Things that might be passed by our opener. // Expand All @@ -64,6 +64,24 @@ exit(); }  
if (!empty($\_POST\['form\_pid'\])) { if ($\_POST\['form\_pid'\] != $\_SESSION\['pid'\]) { echo js\_escape("error"); exit(); }  
if (! getAvailableSlots($\_POST\['form\_date'\], date('Y-m-d', strtotime("+1 year " . $\_POST\['form\_date'\])), $\_POST\['form\_provider\_ae'\])) { echo js\_escape("error"); exit(); }  
$appointment\_service = (new AppointmentService())->getOneCalendarCategory($\_POST\['form\_category'\]); if (($\_POST\['form\_duration'\] \* 60) != ($appointment\_service\[0\]\['pc\_duration'\])) { echo js\_escape("error"); exit(); } }  
if ($date) { $date = substr($date, 0, 4) . '-' . substr($date, 4, 2) . '-' . substr($date, 6); } else { Expand Down Expand Up @@ -135,7 +153,7 @@ $event\_date = fixDate($\_POST\['form\_date'\]);  
// Compute start and end time strings to be saved. if ($\_POST\['form\_allday'\]) { if ($\_POST\['form\_allday'\] ?? null) { $tmph = 0; $tmpm = 0; $duration = 24 \* 60; Expand Down Expand Up @@ -165,7 +183,7 @@  
// More garbage, but this time 1 character of it is used to save the // repeat type. if ($\_POST\['form\_repeat'\]) { if ($\_POST\['form\_repeat'\] ?? null) { $recurrspec = 'a:5:{' . 's:17:"event\_repeat\_freq";s:1:"' . $\_POST\['form\_repeat\_freq'\] . '";' . 's:22:"event\_repeat\_freq\_type";s:1:"' . $\_POST\['form\_repeat\_type'\] . '";' . Expand All @@ -185,7 +203,7 @@ //for example monday, or thursday. We set the start date on the first day of the week //that the event is scheduled. For example if you set the event to repeat on each monday //the start date of the event will be set on the first monday after the day the event is scheduled if ($\_POST\['form\_repeat\_type'\] == 5) { if (($\_POST\['form\_repeat\_type'\] ?? null) == 5) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Tue") { Expand All @@ -201,7 +219,7 @@ } elseif ($edate == "Sun") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 6) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 6) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Wed") { Expand All @@ -217,7 +235,7 @@ } elseif ($edate == "Mon") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 7) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 7) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Thu") { Expand All @@ -233,7 +251,7 @@ } elseif ($edate == "Tue") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 8) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 8) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Fri") { Expand All @@ -249,7 +267,7 @@ } elseif ($edate == "Wed") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 9) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 9) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Sat") { Expand Down Expand Up @@ -305,7 +323,7 @@ "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($row\['pc\_multiple'\]) . "', " . "'" . add\_escape\_custom($to\_be\_inserted) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand All @@ -332,7 +350,7 @@ foreach ($\_POST\['form\_provider\_ae'\] as $provider) { sqlStatement("UPDATE openemr\_postcalendar\_events SET " . "pc\_catid = '" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "pc\_title = '" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "pc\_time = NOW(), " . "pc\_hometext = '" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand Down Expand Up @@ -365,22 +383,22 @@ sqlStatement("UPDATE openemr\_postcalendar\_events SET " . "pc\_catid = '" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "pc\_aid = '" . add\_escape\_custom($prov) . "', " . "pc\_pid = '" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "pc\_title = '" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "pc\_time = NOW(), " . "pc\_hometext = '" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . "pc\_informant = '" . add\_escape\_custom($\_SESSION\['providerId'\]) . "', " . "pc\_eventDate = '" . add\_escape\_custom($event\_date) . "', " . "pc\_endDate = '" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\])) . "', " . "pc\_endDate = '" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\] ?? '')) . "', " . "pc\_duration = '" . add\_escape\_custom(($duration \* 60)) . "', " . "pc\_recurrtype = '" . ($\_POST\['form\_repeat'\] ? '1' : '0') . "', " . "pc\_recurrtype = '" . (($\_POST\['form\_repeat'\] ?? null) ? '1' : '0') . "', " . "pc\_recurrspec = '" . add\_escape\_custom($recurrspec) . "', " . "pc\_startTime = '" . add\_escape\_custom($starttime) . "', " . "pc\_endTime = '" . add\_escape\_custom($endtime) . "', " . "pc\_alldayevent = '" . add\_escape\_custom($\_POST\['form\_allday'\]) . "', " . "pc\_alldayevent = '" . add\_escape\_custom(($\_POST\['form\_allday'\] ?? '')) . "', " . "pc\_apptstatus = '" . add\_escape\_custom($\_POST\['form\_apptstatus'\]) . "', " . "pc\_prefcatid = '" . add\_escape\_custom($\_POST\['form\_prefcat'\]) . "', " . "pc\_facility = '" . (int)$\_POST\['facility'\] . "' " . // FF stuff "pc\_prefcatid = '" . add\_escape\_custom(($\_POST\['form\_prefcat'\] ?? '')) . "', " . "pc\_facility = '" . (int)($\_POST\['facility'\] ?? null) . "' " . // FF stuff "WHERE pc\_eid = '" . add\_escape\_custom($eid) . "'"); }  
Expand Down Expand Up @@ -416,7 +434,7 @@ "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($new\_multiple\_value) . "', " . "'" . add\_escape\_custom($provider) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand Down Expand Up @@ -446,24 +464,24 @@ ") VALUES ( " . "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_provider\_ae'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['providerId'\]) . "', " . "'" . add\_escape\_custom($event\_date) . "', " . "'" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\])) . "', " . "'" . add\_escape\_custom(fixDate(($\_POST\['form\_enddate'\] ?? ''))) . "', " . "'" . add\_escape\_custom(($duration \* 60)) . "', " . "'" . ($\_POST\['form\_repeat'\] ? '1' : '0') . "', " . "'" . (($\_POST\['form\_repeat'\] ?? null) ? '1' : '0') . "', " . "'" . add\_escape\_custom($recurrspec) . "', " . "'" . add\_escape\_custom($starttime) . "', " . "'" . add\_escape\_custom($endtime) . "', " . "'" . add\_escape\_custom($\_POST\['form\_allday'\]) . "', " . "'" . add\_escape\_custom(($\_POST\['form\_allday'\] ?? '')) . "', " . "'" . add\_escape\_custom($\_POST\['form\_apptstatus'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_prefcat'\]) . "', " . "'" . add\_escape\_custom(($\_POST\['form\_prefcat'\] ?? null)) . "', " . "'" . add\_escape\_custom($locationspec) . "', " . "1, " . "1, " . (int)$\_POST\['facility'\] . ")"); // FF stuff "1, " . (int)($\_POST\['facility'\] ?? null) . ")"); // FF stuff } // INSERT single } // else - insert } elseif (($\_POST\['form\_action'\] ?? null) == "delete") { Expand Down Expand Up @@ -496,7 +514,7 @@ $note .= ". " . xl("Use Portal Dashboard to confirm with patient."); $title = xl("Patient Reminders"); $user = sqlQueryNoLog("SELECT users.username FROM users WHERE authorized = 1 And id = ?", array($\_POST\['form\_provider\_ae'\])); $rtn = addPnote($\_POST\['form\_pid'\], $note, 1, 1, $title, $user\['username'\], '', 'New'); $rtn = addPnote($\_SESSION\['pid'\], $note, 1, 1, $title, $user\['username'\], '', 'New');  
$\_SESSION\['whereto'\] = '#appointmentcard'; header('Location:./home.php'); Expand Down Expand Up @@ -657,12 +675,12 @@ <form method\='post' name\='theaddform' id\='theaddform' action\='add\_edit\_event\_user.php?eid=<?php echo attr\_url($eid); ?>'\> <div class\="col-12"\> <input type\="hidden" name\="form\_action" id\="form\_action" value\="" /> <input type\='hidden' name\='form\_title' id\='form\_title' value\='<?php echo $row\['pc\_catid'\] ? attr($row\['pc\_title'\]) : xla("Office Visit"); ?>' /> <input type\='hidden' name\='form\_apptstatus' id\='form\_apptstatus' value\='<?php echo $row\['pc\_apptstatus'\] ? attr($row\['pc\_apptstatus'\]) : "^" ?>' /> <input type\='hidden' name\='form\_title' id\='form\_title' value\='<?php echo ($row\['pc\_catid'\] ?? '') ? attr($row\['pc\_title'\]) : xla("Office Visit"); ?>' /> <input type\='hidden' name\='form\_apptstatus' id\='form\_apptstatus' value\='<?php echo ($row\['pc\_apptstatus'\] ?? '') ? attr($row\['pc\_apptstatus'\] ?? '') : "^" ?>' /> <div class\="row form-group"\> <div class\="input-group col-12 col-md-6"\> <label class\="mr-2" for\="form\_category"\><?php echo xlt('Visit'); ?>:</label\> <select class\="form-control mb-1" onchange\='set\_category()' id\='form\_category' name\='form\_category' value\='<?php echo ($row\['pc\_catid'\] > "") ? attr($row\['pc\_catid'\]) : '5'; ?>'\> <select class\="form-control mb-1" onchange\='set\_category()' id\='form\_category' name\='form\_category' value\='<?php echo (($row\['pc\_catid'\] ?? '') > "") ? attr($row\['pc\_catid'\]) : '5'; ?>'\> <?php echo $catoptions ?> </select\> </div\> Expand All @@ -684,7 +702,7 @@ </div\> <div class\="input-group"\> <label class\="mr-2" for\="form\_duration"\><?php echo xlt('Duration'); ?></label\> <input class\="form-control" type\='text' size\='1' id\='form\_duration' name\='form\_duration' value\='<?php echo $row\['pc\_duration'\] ? ($row\['pc\_duration'\] \* 1 / 60) : attr($thisduration) ?>' readonly /> <input class\="form-control" type\='text' size\='1' id\='form\_duration' name\='form\_duration' value\='<?php echo ($row\['pc\_duration'\] ?? '') ? ($row\['pc\_duration'\] \* 1 / 60) : attr($thisduration) ?>' readonly /> <span class\="input-group-append"\> <span class\="input-group-text"\><?php echo "&nbsp;" . xlt('minutes'); ?></span\> </span\> Expand Down Expand Up @@ -730,7 +748,7 @@ </div\> </div\> <div class\="row input-group my-1"\> <?php if ($\_GET\['eid'\] && $row\['pc\_apptstatus'\] !== 'x') { ?> <?php if (($\_GET\['eid'\] ?? null) && $row\['pc\_apptstatus'\] !== 'x') { ?> <input type\='button' id\='form\_cancel' class\='btn btn-danger' onsubmit\='return false' value\='<?php echo xla('Cancel Appointment'); ?>' onclick\="cancel\_appointment()" /> <?php } ?> <input type\='button' name\='form\_save' class\='btn btn-success' onsubmit\='return false' value\='<?php echo xla('Save'); ?>' onclick\="validate()" /> Expand Down

CVE-2023-2943: bug fix (#6079) · openemr/openemr@c1c0805

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up

@@ -17,8 +17,14 @@

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('admin', 'practice')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Address Book")\]);

exit;

}

  

if (!empty($\_POST)) {

if (!CsrfUtils::verifyCsrfToken($\_POST\["csrf\_token\_form"\])) {

CsrfUtils::csrfNotVerified();

Expand Down Expand Up

@@ -467,7 +473,7 @@ function typeSelect(a) {

<label for\="form\_state" class\="font-weight-bold col-form-label col-form-label-sm"\><?php echo xlt('State') . "/" . xlt('county'); ?>:</label\>

</div\>

<div class\="col"\>

<?php echo generate\_select\_list('form\_state', 'state', ($row\['state'\] ?? null), '', 'Unassigned', 'form-control-sm', 'typeSelect(this.value)'); ?>

<?php echo generate\_select\_list('form\_state', 'state', ($row\['state'\] ?? null), '', 'Unassigned', 'form-control-sm', 'typeSelect(this.value)'); ?>

</div\>

<div class\="col-2"\>

<label for\="form\_zip" class\="font-weight-bold col-form-label col-form-label-sm"\><?php echo xlt('Postal code'); ?>:</label\>

Expand Down Expand Up

@@ -498,7 +504,7 @@ function typeSelect(a) {

<label for\="form\_state2" class\="font-weight-bold col-form-label col-form-label-sm"\><?php echo xlt('Alt State') . "/" . xlt('county'); ?>:</label\>

</div\>

<div class\="col-auto"\>

<?php echo generate\_select\_list('form\_state2', 'state', ($row\['state2'\] ?? null), '', 'Unassigned', 'form-control-sm', 'typeSelect(this.value)'); ?>

<?php echo generate\_select\_list('form\_state2', 'state', ($row\['state2'\] ?? null), '', 'Unassigned', 'form-control-sm', 'typeSelect(this.value)'); ?>

</div\>

<div class\="col-auto"\>

<label for\="form\_zip2" class\="font-weight-bold col-form-label col-form-label-sm"\><?php echo xlt('Alt Postal code'); ?>:</label\>

Expand Down

CVE-2023-2944: bug fix (#6267) · openemr/openemr@723ac5d

A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230083.

CVE-2023-2928

A vulnerability was found in SeaCMS 11.6 and classified as problematic. This issue affects some unknown processing of the file member.php of the component Picture Upload Handler. The manipulation of the argument oldpic leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230081 was assigned to this vulnerability.

CVE-2023-2926

A vulnerability was found in JIZHICMS 2.4.5. It has been classified as critical. Affected is the function index of the file TemplateController.php. The manipulation of the argument webapi leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-230082 is the identifier assigned to this vulnerability.

CVE-2023-2927

A vulnerability classified as problematic has been found in SourceCodester Comment System 1.0. Affected is an unknown function of the file index.php of the component GET Parameter Handler. The manipulation of the argument msg leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230076.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-2922: CVERequest/XSS.md at main · kanyl6/CVERequest

A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.
The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could

API Security / Vulnerability

A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.

The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.

Under certain circumstances, a threat actor could have taken advantage of the flaw to perform arbitrary actions on behalf of a compromised user on various platforms such as Facebook, Google, or Twitter.

Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web.

It's worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider such as Google and Facebook.

Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider (e.g., Facebook) to an actor-controlled domain and use it to seize control of the victim's account.

This, in turn, is accomplished by tricking the targeted user into clicking on a specially crafted link that could be sent via traditional social engineering vectors like email, SMS messages, or a dubious website.

Expo, in an advisory, said it deployed a hotfix within hours of responsible disclosure on February 18, 2023. It's also recommended that users migrate from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enable SSO features.

"The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials," Expo's James Ide said.

"This was because auth.expo.io used to store an app's callback URL before the user explicitly confirmed they trust the callback URL."

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The disclosure follows the discovery of similar OAuth issues in Booking.com (and its sister site Kayak.com) that could have been leveraged to take control of a user's account, gain full visibility into their personal or payment-card data, and perform actions on the victim's behalf.

The findings also come weeks after Swiss cybersecurity company Sonar detailed a path traversal and an SQL injection flaw in the Pimcore enterprise content management system (CVE-2023-28438) that an adversary can abuse to run arbitrary PHP code on the server with the permissions of the webserver.

Sonar, back in March 2023, also revealed an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior that could be exploited to gain remote code execution when Simple Network Management Protocol (SNMP) is enabled.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#php