A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.

'15868?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-42364: Invalid Bug ID

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary
JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

CVE-2023-49145: Apache NiFi Security Reports

The discontinued FFS Colibri product allows a remote user to access files on the system including files containing login credentials for other users.


CVE-2023-5885

OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Moderate

dkhrysev published GHSA-x2xm-p6vq-482g

Nov 27, 2023

**Package**

composer oro/calendar-bundle (Composer)

**Affected versions**

\>=4.2.0, <=4.2.6 || >=5.0.0, <=5.0.6 || >=5.1.0, <5.1.1

**Patched versions**

5.1.1, 5.0.7

**Description**

Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks.

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CVE-2023-32062: Incorrect system calendar events visibility

A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.

'15865?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-42363: Invalid Bug ID

Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the ssid parameter in the function form_fast_setting_wifi_set.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-49044: IOT_VULN/Tenda/AX1803/form_fast_setting_wifi_set.md at main · Anza2001/IOT_VULN

An issue discovered in Acer Wireless Keyboard SK-9662 allows attacker in physical proximity to both decrypt wireless keystrokes and inject arbitrary keystrokes via use of weak encryption.

**CVE-2023-48034**

I have discovered weak encryption used in the wireless protocol of the Acer Wireless Keyboard SK-9662 (FCC ID: H4IKB9662). This weak encryption allows an attacker to easily monitor and log keystrokes and also inject arbitrary keystrokes.

**Intro**

The keyboard uses a Texas Instruments CC2545 chip, transmitting data using the Enhanced Shockburst protocol developed by Nordic Semiconductors. The payload consists of 12 bytes, the first byte appears to be a constant value (0x48 in my testing). The second byte is the modifier byte (ctrl, shift etc.), the third and fourth bytes are consumer and power control keys. The fifth thru tenth bytes are the key codes. The eleventh bytes acts as a checksum and the twelfth byte is the random number used for encryption.

**Encryption Scheme**

Payload encryption starts with the generation of a random byte from radio noise. A different byte stored in the firmware (keyvalue) is used as a key for AES. Both the key and random byte are zero padded to 128 bits and sent to the AES coprocessor on the CC2545. The AES coprocessor is configured for CBC mode with a null IV. The output of the AES coprocessor will be referred to as the xorkey. The first eleven bytes of the payload are xor'ed with the corresponding bytes in the xorkey. The random byte is the last byte of the payload in order for the receiver to decrypt the payload.

Decryption of the payload is similar to encryption. The twelfth byte of the payload (the random value) along with the keyvalue (known by the receiver ahead of time) is used to generate the xorkey and xor'ed with the encrypted payload.

**Exploit**

This encryption scheme is easily circumvented due to the use of only a one byte AES key. Since the key is limited to only 256 possible values, the key can be easily brute-forced within seconds. The python script in this repository shows brute force decryption of a captured encrypted packet.

In order for this vulnerability to exploited, an attacker must have means to capture the 2.4 GHz radio traffic. This requires close physical proximity to the target keyboard. However, once a single packet is captured, the AES key can be brute-forced within seconds and real-time keylogging and keystroke injection is possible, allowing access to the victim's computer. A popular wireless hacking tool, jackit (https://github.com/insecurityofthings/jackit), can be extended to support sniffing and injecting keystrokes into nearby SK-9662 keyboards all on a cheap 2.4 GHz USB dongle.

**Mitigation**

The SK-9662 keyboard is an obsolete product. An update mechanism for the keyboard does not exist and users should discontinue usage of the vulnerable keyboard. Acer recommends switching to a newer keyboard product.

CVE-2023-48034: GitHub - aprkr/CVE-2023-48034: Weak encryption in Acer Wireless Keyboard SK-9662 allows attacker in physical proximity to both decrypt wireless keystrokes and inject wireless arbitrary keystrokes.

SQL Injection vulnerability in32ns KLive v.2019-1-19 and before allows a remote attacker to obtain sensitive information via a crafted script to the web/user.php component.

CVE-2023-49030: vulnerability/32ns-KLive-SQL-user.php.md at main · Chiaki2333/vulnerability

OroPlatform is a PHP Business Application Platform (BAP) designed to make development of custom business applications easier and faster. Path Traversal is possible in `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName`. With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. This vulnerability has been fixed in version 5.0.9.

**Package**

**Affected versions**

\>=4.1.0, <4.1.14 || >=4.2.0, <4.2.11 || >=5.0.0, <5.0.8

**Impact**

Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName.  
With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted immediately after the script ends.

**Workarounds**

Apply patch

\--- a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
+++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
@@ -614,6 +614,10 @@
      \*/
     public function getTemporaryFileName(string $suggestedFileName = null): string
     {
+        if ($suggestedFileName) {
+            $suggestedFileName = basename($suggestedFileName);
+        }
+
         $tmpDir = ini\_get('upload\_tmp\_dir');
         if (!$tmpDir || !is\_dir($tmpDir) || !is\_writable($tmpDir)) {
             $tmpDir = sys\_get\_temp\_dir();

Or decorate Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName in your customization and clear $suggestedFileName argument

    public function getTemporaryFileName(string $suggestedFileName = null): string
    {
        if ($suggestedFileName) {
            $suggestedFileName = basename($suggestedFileName);
        }

        return parent::getTemporaryFileName($suggestedFileName);
    }

**References**

*   Path Traversal
*   How to Decorate Services

CVE-2022-41951: Path traversal possible during temporary file manipulations

In Math/BinaryField.php in phpseclib before 3.0.34, excessively large degrees can lead to a denial of service.

Expand Up

@@ -704,4 +704,20 @@ public function testIEEESignature()

  

$this\->assertTrue($key\->verify('hello world!', $signature));

}

  

public function testExcessivelyLargeBinaryField()

{

$this\->expectException('\\OutOfBoundsException');

  

$key = '-----BEGIN PUBLIC KEY-----

MIIBDDCB0wYHKoZIzj0CATCBxwIBATAgBgcqhkjOPQECMBUCBH////8GCSqGSM49

AQIDAgICAMEwTQQZABeFj+t6mJdRaeFx93tAh94JisipEd97AQQZAP37Sb/mw6if

rK2qeh5bvHzBwuXYMUeIFAMVABA/rsdNaW5naHVhUXV3f8Wxke8wBDMEAfSBvF8P

+Ep0rWzfb970v2F5YlNy2MDF4QAl45nykDcSzPPqnjoa0X+wsyAbavfOGwUCGQEA

AAAAAAAAAAAAAADH80p3j0Q6zJIOukkCAQIDNAAEAE2mUTAwdPK952h3G8ZinK8B

z9DYTLdGkQDqox3AtEs9nn6kE1O/vHE4bqMegjj4gbA=

\-----END PUBLIC KEY-----';

$key = EC::loadFormat('PKCS8', $key);

$this\->assertInstanceOf(PublicKey::class, $key);

}

}

Source

CVE