#sql

### Overview An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator. ### Details On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords. Modification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. "V7 - Insecure deserialization leading to remote code execution" report vulnerability). ### Proof of Concept Some tables are supposed to accept only SELECT requests from the SQL tab. - Attempt to create a new user injected_admin into the ab_user table: [PoC_1](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_1.png) But this protection can be bypassed by using the WITH … AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query. INSERT query accepted by the database due to the use of WITH … AS ( … RETURNING ) syntax: WITH a AS ( INSERT INTO ab_use...

SQL Injection Remote Code Vulnerability was found in the SolarWinds Platform. This vulnerability can be exploited with a low privileged account.

A coordinated law enforcement operation has led to the arrest of key individuals in Ukraine who are alleged to be a part of several ransomware schemes. "On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, resulting in the arrest of the 32-year-old ringleader," Europol said in a statement today. "Four of the ringleader's most active accomplices were

Cybersecurity researchers have discovered a case of "forced authentication" that could be exploited to leak a Windows user's NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file. The attack takes advantage of a legitimate feature in the database management system solution that allows users to link to external data sources, such as a remote SQL

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution.

Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.

Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.