#php

### Summary In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. ### Affected Resources - [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) - `https://<site>/<user>/system/api/saveNode` ### PoC 1. Set the URL in an iframe pointing to an attacker-controlled server running Responder  2. Once another user visits the site, they are prompted to sign in.  3. If a user inputs credentials, the username and password hash are outputted in Responder.  ### Impact An au...

### Summary An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). ### Details The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS like in[ HAXCMSSite.php line 1248](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.php#L1248) to resolve and load the content for a given node. I...

### Summary The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a 'script' tag, it does allow the use of other HTML tags to run JavaScript. ### Affected Resources - [Operations.php:258](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L258) `saveManifest()` - [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) `saveNode()` - `https://<site>/<user>/system/api/saveNode` - `https://<site>/<user>/system/api/saveManifest` ### Impact An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the sit...

**Overview** The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. **Am I Affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using laravel-auth0 SDK, versions between 7.0.0-BETA1 to 7.2.1. 2. Laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0. **Fix** Upgrade Auth0/laravel-auth0 to the latest version (v7.17.0). **Acknowledgement** Okta would like to thank Andreas Forsblom for discovering this vulnerability.

**Overview** The Auth0 Symfony SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. **Am I Affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0 Symfony SDK, versions between 5.0.0 BETA-0 to 5.0.0. 2. Auth0 Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0. **Fix** Upgrade Auth0/symfony to the latest version (v5.4.0). **Acknowledgement** Okta would like to thank Andreas Forsblom for discovering this vulnerability.

**Overview** The Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. **Am I Affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0 WordPress plugin, versions between 5.0.0 BETA-0 to 5.0.1. 2. Auth0 WordPress plugin uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0. **Fix** Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

**Overview** The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. **Am I Affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0-PHP SDK, versions between 8.0.0-BETA3 to 8.3.0. 2. Applications using the following SDKs that rely on the Auth0-PHP SDK versions between 8.0.0-BETA3 to 8.3.0: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress. **Fix** Upgrade Auth0/Auth0-PHP to 8.3.1. **Acknowledgement** Okta would like to thank Andreas Forsblom for discovering this vulnerability.

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

**Product:** Math **Version:** 0.2.0 **CWE-ID:** CWE-611: Improper Restriction of XML External Entity Reference **CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) **CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **Description:** An attacker can create a special XML file, during which it processed, external entities are loaded, and it’s possible to read local server files. **Impact:** Local server files reading **Vulnerable component:** The [`loadXML`](https://github.com/PHPOffice/Math/blob/c3ecbf35601e2a322bf2ddba48589d79ac827b92/src/Math/Reader/MathML.php#L38C9-L38C55) function with the unsafe [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, the [`MathML`](https://github.com/PHPOffice/Math/blob/master/src/Math/Reader/MathML.php) class **Exploitation conditions:** The vulnerability applies only to reading a file in the `MathML` format. **Mitigation:** If there is no option to refuse u...