#php

Debian Linux Security Advisory 5771-1 - Fabien Potencier discovered that under some conditions the sandbox mechanism of Twig, a template engine for PHP, could by bypassed.

Debian Linux Security Advisory 5770-1 - Shang-Hung Wan discovered multiple vulnerabilities in the Expat XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code.

Online Bus Ticket Booking Website version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Nipah Virus Testing Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Membership Management System version 1.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

HYSCALE System version 1.9 suffers from add administrator and cross site request forgery vulnerabilities.

Furniture Master version 2 suffers from a remote SQL injection vulnerability.

Beauty Parlour and Saloon Management System version 1.1 suffers from an ignored default credential vulnerability.

### Summary Kimai uses [PHPSpreadsheet](https://github.com/PHPOffice/PhpSpreadsheet) for importing and exporting invoices. Recently, a [CVE](https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7) was identified in PHPSpreadsheet, which could lead to an XXE vulnerability. ### Details Exploitation requires an Administrator account, allowing the upload of an `XLSX` template containing the payload. The vulnerability is triggered by the following code snippet: ```php // https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41 public function render(InvoiceDocument $document, InvoiceModel $model): Response { $spreadsheet = IOFactory::load($document->getFilename()); $worksheet = $spreadsheet->getActiveSheet(); $entries = $model->getCalculator()->getEntries(); $sheetReplacer = $model->toArray(); $invoiceItemCount = \count($entries); if ($invoiceItemCount > 1) {...

This Metasploit module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a WordPress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default. The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.