Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

Event Management 1.0 SQL Injection

Event Management version 1.0 suffers from a remote SQL injection vulnerability.

Packet Storm
#sql#xss#vulnerability#windows#git#php#auth
Purei CMS 1.0 SQL Injection

Purei CMS version 1.0 suffers from a remote SQL injection vulnerability.

LMS PHP 1.0 SQL Injection

LMS PHP version 1.0 suffers from a remote SQL injection vulnerability.

Red Hat Security Advisory 2024-1509-03

Red Hat Security Advisory 2024-1509-03 - An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.

Insurance Management System PHP And MySQL 1.0 Cross Site Scripting

Insurance Management System PHP and MySQL version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

Orange Station 1.0 Shell Upload

Orange Station version 1.0 suffers from a remote shell upload vulnerability.

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday placed three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities added are as follows - CVE-2023-48788 (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability CVE-2021-44529 (CVSS score: 9.8) - Ivanti

GHSA-2grw-mc9r-822r: phpMyFAQ SQL injections at insertentry & saveentry

### Summary A SQL injection vulnerability has been discovered in the `insertentry` & `saveentry` when modifying records due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. ### PoC 1 - SQL Injection at insertentry: 1. Browse to “/admin/?action=editentry”, edit record and save. Intercept the POST request to "/admin/?action=insertentry" and modify the email and notes parameters in the body to the payloads below: a. `email=test'/*@email.com` b. `notes=*/,1,1,1,1,null,1);select+pg_sleep(5)--` 2. Send the request and notice the `pg_sleep(5)` command is executed with a time delay of 5 seconds in the response. This verifies that the SQL injection vulnerability exists. ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/1000482f-3b00-462a-be8a-1eb21f720aca) ### PoC 2 - SQL Injection at saveentry 1....

GHSA-qgxx-4xv5-6hcw: phpMyFAQ SQL Injection at "Save News"

### Summary A SQL injection vulnerability has been discovered in the the "Add News" functionality due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. ### Details The vulnerable field lies in the `authorEmail` field which uses PHP's `FILTER_VALIDATE_EMAIL` filter. This filter is insufficient in protecting against SQL injection attacks and should still be properly escaped. However, in this version of phpMyFAQ (3.2.5), this field is not escaped properly can be used together with other fields to fully exploit the SQL injection vulnerability. ### PoCs 4 PoCs are demonstrated here to illustrate the potential impacts. #### PoC 1 - Postgres Time Based SQLi 1. Login as admin or any user with the rights to view and save news. 2. Navigate to "../phpmyfaq/admin/?action=news", click on "Add news", fill in some data, send and...