SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Opart Save Cart” (opartsavecart) up to version 2.0.7 from Opart for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-34575
*   **Published at**: 2023-09-19
*   **Platform**: PrestaShop
*   **Product**: opartsavecart
*   **Impacted release**: <= 2.0.7 (2.0.8 fixed the vulnerability)
*   **Product author**: Opart
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Methods OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 2.0.7**

    --- 2.0.7/modules/opartsavecart/controllers/front/default.php
    +++ 2.0.8/modules/opartsavecart/controllers/front/default.php
    ...
                         } else {
                             $idCart = Tools::getValue('opartCartId');
    -                        $sql = "DELETE FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE id_cart=" . $idCart . " AND id_customer=" . $idCustomer;
    +                        $sql = "DELETE FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE id_cart=" . (int)$idCart . " AND id_customer=" . (int)$idCustomer;
                             Db::getInstance()->execute($sql);
    ...
                             //check if cart exist for this customer
                             if (Tools::getIsset('opartCartId') && Tools::getValue('opartCartId')) {
                                 $idCart = Tools::getValue('opartCartId');
    -                            $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE id_customer=" . $idCustomer . " AND id_cart=" . $idCart;
    +                            $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE id_customer=" . (int)$idCustomer . " AND id_cart=" . (int)$idCart;
                             } else if (Tools::getIsset('token') && Tools::getValue('token')) {
                                 $token = Tools::getValue('token');
    -                            $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE token = '" . $token . "'";
    +                            $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE token = '" . pSQL($token) . "'";
                             }
    ...
    
                 if (Validate::isEmail($email)) {
    -                $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE token = '" . $token . "'";
    +                $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE token = '" . pSQL($token) . "'";
                     $result = Db::getInstance()->getRow($sql);
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **opartsavecart**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-05-23

Issue discovered during a code review by TouchWeb.fr

2023-05-23

Contact Author to confirm version scope

2023-05-23

Author confirms versions scope

2023-05-24

Request CVE ID

2023-09-05

Received CVE ID

2023-09-19

Publish this security advisory

Opart thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-34575: [CVE-2023-34575] Improper neutralization of SQL parameter in Opart Save Cart for PrestaShop

SimpleImportProduct Prestashop Module v6.2.9 was discovered to contain a SQL injection vulnerability via the key parameter at send.php.

This blog post details an SQL Injection we found within SimpleImportProduct, a Prestashop module developed by MyPrestaModules. In modules/simpleimportproduct/send.php there is the following code:

      if ( Tools::getValue('remove') == true){  
        $key = Tools::getValue('key');  
        $key = pSQL($key);  
        Db::getInstance()->delete('simpleimport_tasks', "import_settings=$key");
    

This is vulnerable to SQL injection which allows an attacker to extract data from the database.  
The key parameter does get sanitized by pSQL() but when it’s put in the query it’s not surrounded by quotes so an attacker can still manipulate the query. This is a similar situation to an SQLi I found in a different Prestashop module.

Adding quotes around the key would be sufficient to patch this SQLi:

    Db::getInstance()->delete('simpleimport_tasks', "import_settings='$key'");
    

**Proof of Concept**

To test this we used SQLmap on a local Prestashop install. Care should be taken when testing for this as it is within a DELETE SQL query and can result in records getting deleted. SQLMap command:

    sqlmap -u "http://localhost:8080/modules/simpleimportproduct/send.php?ajax=true&remove=true&key=1*" --threads=10 --random-agent --dbms=mysql --level=5 --risk=3 --tables  
    

It’s a “blind” SQLi as it doesnt affect the contents of the page so information is extracted using SLEEP() to change the time it takes to respond.

**Timeline**

Date

Action

10/07/2023

Issue discovered during a pentest

12/07/2023

Reported issue to MyPrestaModules

29/07/2023

Requested CVE from MITRE

??/08/2023

Patch released

28/08/2023

Number CVE-2023-39675 assigned

07/09/2023

Blog post released

CVE-2023-39675: SQLi in SimpleImportProduct Prestashop Module CVE-2023-39675

Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters.

CVE-2023-43375

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.

CVE-2023-43373

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.

CVE-2023-43374

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php.

CVE-2023-43371


In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator

 could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.



Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-40043: Progress Customer Community

Red Hat Security Advisory 2023-5259-01 - MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. Issues addressed include a null pointer vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: mariadb:10.3 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5259-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5259  
Issue date:        2023-09-19  
CVE Names:         CVE-2022-32084 CVE-2022-32091 CVE-2022-38791   
                   CVE-2022-47015   
=====================================================================

1. Summary:

An update for the mariadb:10.3 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

MariaDB is a multi-user, multi-threaded SQL database server that is binary  
compatible with MySQL.

The following packages have been upgraded to a later upstream version:  
mariadb (10.3). (BZ#2223572, BZ#2223574, BZ#2223962, BZ#2223965)

Security Fix(es):

* mariadb: segmentation fault via the component sub_select (CVE-2022-32084)

* mariadb: server crash in JOIN_CACHE::free or in copy_fields  
(CVE-2022-32091)

* mariadb: compress_write() fails to release mutex on failure  
(CVE-2022-38791)

* mariadb: NULL pointer dereference in spider_db_mbase::print_warnings()  
(CVE-2022-47015)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [MariaDB 10.3.32] socat: E Failed to set SNI host "" (SST failure)  
(BZ#2223961)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2106034 - CVE-2022-32084 mariadb: segmentation fault via the component sub_select  
2106042 - CVE-2022-32091 mariadb: server crash in JOIN_CACHE::free or in copy_fields  
2130105 - CVE-2022-38791 mariadb: compress_write() fails to release mutex on failure  
2163609 - CVE-2022-47015 mariadb: NULL pointer dereference in spider_db_mbase::print_warnings()  
2223572 - [Tracker] Rebase to MariaDB 10.3.39 [rhel-8.8.0.z]  
2223574 - [Tracker] Rebase to Galera 25.3.37 [rhel-8.8.0.z]  
2223961 - [MariaDB 10.3.32] socat: E Failed to set SNI host "" (SST failure) [rhel-8.8.0.z]  
2223962 - [MariaDB 10.3] JSON_VALUE() does not parse NULL properties properly [rhel-8.8.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
Judy-1.0.5-18.module+el8+2765+cfa4f87b.src.rpm  
galera-25.3.37-1.module+el8.8.0+19444+aac3c36b.src.rpm  
mariadb-10.3.39-1.module+el8.8.0+19673+72b0d35f.src.rpm

aarch64:  
Judy-1.0.5-18.module+el8+2765+cfa4f87b.aarch64.rpm  
Judy-debuginfo-1.0.5-18.module+el8+2765+cfa4f87b.aarch64.rpm  
Judy-debugsource-1.0.5-18.module+el8+2765+cfa4f87b.aarch64.rpm  
galera-25.3.37-1.module+el8.8.0+19444+aac3c36b.aarch64.rpm  
galera-debuginfo-25.3.37-1.module+el8.8.0+19444+aac3c36b.aarch64.rpm  
galera-debugsource-25.3.37-1.module+el8.8.0+19444+aac3c36b.aarch64.rpm  
mariadb-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-backup-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-backup-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-common-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-debugsource-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-devel-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-embedded-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-embedded-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-embedded-devel-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-errmsg-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-gssapi-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-gssapi-server-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-oqgraph-engine-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-oqgraph-engine-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-server-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-server-galera-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-server-utils-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-server-utils-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-test-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm  
mariadb-test-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.aarch64.rpm

ppc64le:  
Judy-1.0.5-18.module+el8+2765+cfa4f87b.ppc64le.rpm  
Judy-debuginfo-1.0.5-18.module+el8+2765+cfa4f87b.ppc64le.rpm  
Judy-debugsource-1.0.5-18.module+el8+2765+cfa4f87b.ppc64le.rpm  
galera-25.3.37-1.module+el8.8.0+19444+aac3c36b.ppc64le.rpm  
galera-debuginfo-25.3.37-1.module+el8.8.0+19444+aac3c36b.ppc64le.rpm  
galera-debugsource-25.3.37-1.module+el8.8.0+19444+aac3c36b.ppc64le.rpm  
mariadb-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-backup-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-backup-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-common-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-debugsource-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-devel-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-embedded-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-embedded-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-embedded-devel-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-errmsg-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-gssapi-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-gssapi-server-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-oqgraph-engine-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-oqgraph-engine-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-server-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-server-galera-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-server-utils-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-server-utils-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-test-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm  
mariadb-test-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.ppc64le.rpm

s390x:  
Judy-1.0.5-18.module+el8+2765+cfa4f87b.s390x.rpm  
Judy-debuginfo-1.0.5-18.module+el8+2765+cfa4f87b.s390x.rpm  
Judy-debugsource-1.0.5-18.module+el8+2765+cfa4f87b.s390x.rpm  
galera-25.3.37-1.module+el8.8.0+19444+aac3c36b.s390x.rpm  
galera-debuginfo-25.3.37-1.module+el8.8.0+19444+aac3c36b.s390x.rpm  
galera-debugsource-25.3.37-1.module+el8.8.0+19444+aac3c36b.s390x.rpm  
mariadb-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-backup-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-backup-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-common-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-debugsource-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-devel-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-embedded-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-embedded-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-embedded-devel-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-errmsg-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-gssapi-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-gssapi-server-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-oqgraph-engine-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-oqgraph-engine-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-server-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-server-galera-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-server-utils-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-server-utils-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-test-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm  
mariadb-test-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.s390x.rpm

x86_64:  
Judy-1.0.5-18.module+el8+2765+cfa4f87b.x86_64.rpm  
Judy-debuginfo-1.0.5-18.module+el8+2765+cfa4f87b.x86_64.rpm  
Judy-debugsource-1.0.5-18.module+el8+2765+cfa4f87b.x86_64.rpm  
galera-25.3.37-1.module+el8.8.0+19444+aac3c36b.x86_64.rpm  
galera-debuginfo-25.3.37-1.module+el8.8.0+19444+aac3c36b.x86_64.rpm  
galera-debugsource-25.3.37-1.module+el8.8.0+19444+aac3c36b.x86_64.rpm  
mariadb-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-backup-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-backup-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-common-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-debugsource-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-devel-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-embedded-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-embedded-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-embedded-devel-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-errmsg-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-gssapi-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-gssapi-server-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-oqgraph-engine-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-oqgraph-engine-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-server-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-server-galera-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-server-utils-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-server-utils-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-test-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm  
mariadb-test-debuginfo-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32084  
https://access.redhat.com/security/cve/CVE-2022-32091  
https://access.redhat.com/security/cve/CVE-2022-38791  
https://access.redhat.com/security/cve/CVE-2022-47015  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlCb3ZAAoJENzjgjWX9erEDxEP/Aq+wfTm3Ops51Y9JC/obwkp  
HkxuJNiHTQT0JK6d3ESOE2/mIi0raSjpKRhJW3MnyDrJwNeZoTd93t1FaTAkAkA9  
U1za0tzSCvHv1vNz7ieB4DfrvVyW12oqBI26mckkRvuSfGli+yVZnKA9MinLVw+w  
E2V5l0yvvlTzNCqm5W4B1WeYTzHvYJz3bIuVcVWEBiIqpl6pjl086EhZZgttNEbW  
9MG67YqpAftxzP/PEJG57vIGNLrpUJu6k2OYTmOCWOwkE8JOvznTbqmtyoV8BPVT  
taokxWeLEZGvXSoNBfTZkON4Fvcx04eFzFXEObptHOajeeg9tmudE+GR6bjr0PJE  
5TDUOc45JGHbBKwDkX2qZCMtCHOXKirx83oQcZAbSzHCCk9zi/3nfWp3CZhpP8TI  
0/BUBJCmyzpNxehEMgiEFf62CQMS9h2FZvvdI5QgHQPVLPye2y9NWbwYyABI6mX4  
IwuOBHLkRoUej7pgjUvPAWYfQyEomUWegi6Jp0Vo6Pf8Jr0QCYh4J6HDGKoEO6uk  
Tdo1z1q0YIiv2a0EMWN3j+3fOweKJaPFGJiiOzRV/bsVzJR/TPHrsReWbkYplHmb  
VVLPRg4vtwqdSILgpNzF2E5qwwdN90wA2IIEWLruHw/H75a5+ZdeYzIadZvaFL7E  
sttMS85nL+3ugr4OSLB9  
=lKOL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5259-01

Multiple security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure.
The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, impact Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, They have been patched as of September 11, 2023, with

Network Security / Vulnerability

Multiple security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure.

The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, impact Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, They have been patched as of September 11, 2023, with the release of version 5.11.2.

"Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections," Outpost24 researcher Astrid Tedenbrant said.

"The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens."

CVE-2023-40932, on the other hand, relates to a cross-site scripting (XSS) flaw in the Custom Logo component that could be used to read sensitive data, including cleartext passwords from the login page.

The list of flaws is described below -

*   **CVE-2023-40931** - SQL Injection in Banner acknowledging endpoint
*   **CVE-2023-40932** - Cross-Site Scripting in Custom Logo Component
*   **CVE-2023-40933** - SQL Injection in Announcement Banner Settings
*   **CVE-2023-40934** - SQL Injection in Host/Service Escalation in the Core Configuration Manager (CCM)

Successful exploitation of the three SQL injection vulnerabilities could permit an authenticated attacker to execute arbitrary SQL commands, while the XSS bug could be exploited to inject arbitrary JavaScript and read and modify page data.

This is not the first time security issues have been uncovered in Nagios XI. In 2021, Skylight Cyber and Claroty discovered as many as two dozen flaws that could be abused to hijack the infrastructure and achieve remote code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Security Flaws Exposed in Nagios XI Network Monitoring Software 

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

**Cross Site Scripting vulnerability in Dolibarr ERP CRM**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

Tag

#sql