
There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.



CVE-2023-25651: Security Bulletin Details


There is a weak folder permission vulnerability in ZTE's ZXCLOUD iRAI product. Due to weak folder permission, an attacker with ordinary user privileges could construct a fake DLL to execute command to escalate local privileges.



CVE-2023-25648: Security Bulletin Details

PlutoSVG commit 336c02997277a1888e6ccbbbe674551a0582e5c4 and before was discovered to contain an integer overflow via the component plutosvg_load_from_memory.

**Summary**

An integer overflow in the allocated size of calloc causes a segment fault.  
It might lead to heap overflow and arbitrary code execution.

**Steps to reproduce**

code:

#include <plutosvg.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char\* argv\[\])
{
    plutovg\_surface\_t\* surface \= plutosvg\_load\_from\_file(argv\[1\], NULL, 0, 0, 96.0);
    return 0;
}

run

$ ./example ./poc
Segmentation fault

ASAN report

    ==16700==WARNING: AddressSanitizer failed to allocate 0xfffffffffef21b74 bytes
    ==16700==AddressSanitizer's allocator is terminating the process instead of returning 0
    ==16700==If you don't like this behavior set allocator_may_return_null=1
    ==16700==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
        #0 0x7ffff6f01bf2  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9bf2)
        #1 0x7ffff6f20575 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108575)
        #2 0x7ffff6f07332  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef332)
        #3 0x7ffff6e3fe46  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
        #4 0x7ffff6ef6b0a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb0a)
        #5 0x555555588ba1 in plutovg_surface_create (/home/waterfire/fuzz/example/plutosvg/build/example/example+0x34ba1)
        #6 0x55555557a6aa in plutosvg_load_from_memory (/home/waterfire/fuzz/example/plutosvg/build/example/example+0x266aa)
        #7 0x55555557aa21 in plutosvg_load_from_file (/home/waterfire/fuzz/example/plutosvg/build/example/example+0x26a21)
        #8 0x55555556405a in main (/home/waterfire/fuzz/example/plutosvg/build/example/example+0x1005a)
        #9 0x7ffff66aac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #10 0x555555563f19 in _start (/home/waterfire/fuzz/example/plutosvg/build/example/example+0xff19)
    
    
    

**Analysis**

plutosvg_load_from_memory does not check the size of width and height and calls plutovg_surface_create(width, height);.  
In plutovg\_surface\_create:

plutovg\_surface\_t\* plutovg\_surface\_create(int width, int height)
{
    plutovg\_surface\_t\* surface \= malloc(sizeof(plutovg\_surface\_t));
    surface\->ref \= 1;
    surface\->owndata \= 1;
    surface\->data \= calloc(1, (size\_t)(width \* height \* 4));
    surface\->width \= width;
    surface\->height \= height;
    surface\->stride \= width \* 4;
    return surface;
}

An integer overflow might happen when calculating width * height * 4. It might be better to check the sizes of width and height before the allocation.

**PoC**

poc.zip

I'll make sure to dive into this matter as soon as my schedule permits. Thank you for bringing it to my attention!

A simple way to fix the bug is adding a size check like this

    if((size_t)(width * height * 4) >= 0x80000000){
        // error message
        exit(0);
    }
    

By the way, the allocation in function stbi_write_png_to_mem seems to have the same problem:

filt \= (unsigned char \*) STBIW\_MALLOC((x\*n+1) \* y); if (!filt) return 0;
line\_buffer \= (signed char \*) STBIW\_MALLOC(x \* n); if (!line\_buffer) { STBIW\_FREE(filt); return 0; }

They can be fixed by the same way.

**Steps to reproduce**

code:

#include <plutosvg.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char\* argv\[\])
{
    plutovg\_surface\_t\* surface \= plutosvg\_load\_from\_file(argv\[1\], NULL, 0, 0, 96.0);
    if(surface \== NULL)
    {
        printf("Load failed\\n");
        return \-1;
    }
    plutovg\_surface\_write\_to\_png(surface, "test.png");
    plutovg\_surface\_destroy(surface);
    return 0;
}

ASAN report

    =================================================================
    
    ==32443==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000191 at pc 0x555555582f20 bp 0x7fffffffd740 sp 0x7fffffffd730
    
    READ of size 1 at 0x602000000191 thread T0
    
        #0 0x555555582f1f in stbiw__encode_png_line (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0x2ef1f)
    
        #1 0x555555583ff8 in stbi_write_png_to_mem (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0x2fff8)
    
        #2 0x5555555852cd in stbi_write_png (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0x312cd)
    
        #3 0x55555558950a in plutovg_surface_write_to_png (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0x3550a)
    
        #4 0x55555556408b in main (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0x1008b)
    
        #5 0x7ffff66aac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
        #6 0x555555563f19 in _start (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0xff19)
    
      
    
    0x602000000191 is located 0 bytes to the right of 1-byte region [0x602000000190,0x602000000191)
    
    allocated by thread T0 here:
    
        #0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    
        #1 0x555555589232 in plutovg_surface_write_to_png (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0x35232)
    
        #2 0x55555556408b in main (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0x1008b)
    
        #3 0x7ffff66aac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
      
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/waterfire/fuzz/example/plutosvg/build/example/example_asan+0x2ef1f) in stbiw__encode_png_line
    
    Shadow bytes around the buggy address:
    
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
      0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa 01 fa fa fa fd fd
    
      0x0c047fff8010: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
    
      0x0c047fff8020: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
    
    =>0x0c047fff8030: fa fa[01]fa fa fa 00 01 fa fa 01 fa fa fa fa fa
    
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    
      0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    
    Shadow byte legend (one shadow byte represents 8 application bytes):
    
      Addressable:           00
    
      Partially addressable: 01 02 03 04 05 06 07
    
      Heap left redzone:       fa
    
      Freed heap region:       fd
    
      Stack left redzone:      f1
    
      Stack mid redzone:       f2
    
      Stack right redzone:     f3
    
      Stack after return:      f5
    
      Stack use after scope:   f8
    
      Global redzone:          f9
    
      Global init order:       f6
    
      Poisoned by user:        f7
    
      Container overflow:      fc
    
      Array cookie:            ac
    
      Intra object redzone:    bb
    
      ASan internal:           fe
    
      Left alloca redzone:     ca
    
      Right alloca redzone:    cb
    
    ==32443==ABORTING
    
    
    

The poc does not cause segment fault, but can trigger heap overflow.  
The allocation size of line_buffer is overflowed to 0, and the heap overflow is triggered in stbiw__encode_png_line when writing to line_buffer.  
poc\_heap\_overflow.zip

CVE-2023-44709: CWE-131 (Incorrect Calculation of Buffer Size) in plutosvg_load_from_memory · Issue #7 · sammycage/plutosvg

IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks.  IBM X-Force ID:  268270.

  

**Summary**

IBM i Access Client Solutions is vulnerable to remote code execution due to a flaw which fails to authenticate the origin of a serialized object (CVE-2023-45185), and insecurely storing passwords by allowing the password encryption key to be retrieved (CVE-2023-45184) or decoded using a brute force attack (CVE-2023-45182). IBM has addressed these CVEs by providing a fix to IBM i Access Client Solutions as described in the remediation/fixes section.

**Vulnerability Details**

**CVEID:**   CVE-2023-45184  
**DESCRIPTION:**   IBM i Access Client Solutions could allow an attacker to obtain a decryption key due to improper authority checks.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268270 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-45182  
**DESCRIPTION:**   IBM i Access Client Solutions is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems.  
CVSS Base score: 7.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268265 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2023-45185  
**DESCRIPTION:**   IBM i Access Client Solutions could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user's authority.  
CVSS Base score: 7.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268273 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM i Access Family

1.1.2 - 1.1.4,  
1.1.4.3 - 1.1.9.3

**Remediation/Fixes**

The issue can be fixed by upgrading to version 1.1.9.4 or later.   See IBM i Access Client Solutions updates for the latest version available.

Product(s)

Version(s)

Remediation/Fix/Instructions

IBM i Access Client Solutions

1.1.2 - 1.1.4,  
1.1.4.3 - 1.1.9.3

The current version of IBM i Access Client Solutions is available at Downloads.

Or you may download it from the general IBM i software site at  
Entitled Systems Support (ESS).

**Workarounds and Mitigations**

None.

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Michał Majchrowicz and Maksymilian Kubiak \[AFINE Team\].

**Change History**

08 Dec 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSRQKY","label":"IBM i Access Client Solutions"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB66","label":"Technology Lifecycle Services"}}\]

CVE-2023-45184: Security Bulletin: IBM i Access Client Solutions is vulnerable to remote code execution and failing to secure passwords due to multiple vulnerabilities

A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure (ICS) appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to gain elevated execution privileges on the affected system.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-41720: Ivanti Community

IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize 8.3 products use default passwords for a privileged user.  IBM X-Force ID:  266874.

CVE-2023-43042

Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 allows attackers to run arbitrary code via the search feature.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-31546: CVE-2023-31546/CVE-2023-31546.md at main · ran9ege/CVE-2023-31546

IBM Spectrum Scale 5.1.5.0 through 5.1.5.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  IBM X-Force ID:  239080.

CVE-2022-43843

SQL Injection vulnerability in functions/point_list.php in Common Services soliberte before v4.3.03 allows attackers to obtain sensitive information via the lat and lng parameters.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “soliberte” for PrestaShop, an attacker can perform a SQL injection from >= 4.0.0 and < 4.3.03. Release 4.3.03 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-40921
*   **Published at**: 2023-12-12
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: soliberte
*   **Impacted release**: >= 4.0.0 and < 4.3.03 (4.3.03 fixed issue)
*   **Product author**: Common Services
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Before 4.3.03, a sensitive SQL calls in file functions/point_list.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted lat and lng variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/modules/soliberte/classes/socolissimo.class.php
    +++ b/modules/soliberte/classes/socolissimo.class.php
    @@ -822,7 +822,7 @@ class So_Colissimo extends Module
            public function lookup_latlng($lat, $lng, $limiter = 30)
            {
                    $countDeactivateCarrier = 0;
    -               $formula = "(6366*acos(cos(radians('$lat'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('$lng'))+sin(radians('$lat'))*sin(radians(`lat`))))";
    +               $formula = "(6366*acos(cos(radians('" . (float)$lat . "'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('" . (float)$lng . "'))+sin(radians('" . (float)$lat . "'))*sin(radians(`lat`)))>
                    // meme principe que chmod pour savoir lesquels ne sont pas a inclure dans la recherche
                    if (!Configuration::get('SOLIBERTE_BPR'))
                            $countDeactivateCarrier += 4;
    @@ -899,8 +899,8 @@ class So_Colissimo extends Module
                    {
                            case $this->_retrait :
                                    if ($lat)
    -                                       $formula = "(6366*acos(cos(radians('$lat'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('$lng'))+sin(radians('$lat'))*sin(radians(`lat`))))";
    -                               $sql = 'select `id`, `libelle`, `adresse1`, `adresse2`, `lieudit`, `indice`, `code_postal`, `commune`, `lat`, `lng`, `mobilite_reduite`, `type`, `poids` '.
    +                                       $formula = "(6366*acos(cos(radians('" . (float)$lat . "'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('" . (float)$lng . "'))+sin(radians('" . (float) $lat . >
    +                               $sql = 'select `id`, `libelle`, `adresse1`, `adresse2`, `lieudit`, `indice`, `code_postal`, `commune`, `la t`, `lng`, `mobilite_reduite`, `type`, `poids` '.
                                            ($lat ? ', '.$formula.' as distance ' : '').
                                            ' from '.$this->_retrait.' where id = "'.(int)$pr_id.'"';
                                    $tab = 0;
    

**Other recommandations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-08-12

Vunlnerability found during a audit by 202 ecommerce

2023-08-16

Contact PrestaShop addons teams to get the scope

2023-09-18

PrestaShop addons teams confirm the issue and supply a fixed release

2023-08-15

Request a CVE ID

2023-08-25

Received CVE ID

2023-12-12

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-40921: [CVE-2023-40921] Improper neutralization of a SQL parameter in deprecated soliberte module from Common Services for PrestaShop

Azure DevOps Server Spoofing Vulnerability

Source

CVE