Red Hat Security Advisory 2023-7784-03 - An update for postgresql is now available for Red Hat Enterprise Linux 9. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7784.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql security updateAdvisory ID:        RHSA-2023:7784-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7784Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-5868====================================================================Summary: An update for postgresql is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5868References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2228111https://bugzilla.redhat.com/show_bug.cgi?id=2247168https://bugzilla.redhat.com/show_bug.cgi?id=2247169https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7784-03

Red Hat Security Advisory 2023-7783-03 - An update for postgresql is now available for Red Hat Enterprise Linux 7. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7783.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql security updateAdvisory ID:        RHSA-2023:7783-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7783Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-5869====================================================================Summary: An update for postgresql is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5869References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247169

Red Hat Security Advisory 2023-7783-03

Red Hat Security Advisory 2023-7778-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7778.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:10 security updateAdvisory ID:        RHSA-2023:7778-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7778Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-5869====================================================================Summary: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5869References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247169

Red Hat Security Advisory 2023-7778-03

Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1

SQLi vulnerability in LMS Lite component for Joomla.

× We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.

CVE-2023-40629: LMS Lite - Joomla! Extension Directory

SQLi vulnerability in S5 Register module for Joomla.

CVE-2023-49707: S5 Register - Joomla! Extension Directory

SQLi vulnerability in Starshop component for Joomla.

CVE-2023-49708: Starshop - Joomla! Extension Directory

SQL injection vulnerability in Buy Addons bavideotab before version 1.0.6, allows attackers to escalate privileges and obtain sensitive information via the component BaVideoTabSaveVideoModuleFrontController::run().

In the module “Product Video, Youtube, Vimeo Tab” (bavideotab) up to version 1.0.5 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.

Methods BaVideoTabSaveVideoModuleFrontController::run() and BaVideoTabConfirmDeleteModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**WARNING** : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

    --- 1.0.5/modules/bavideotab/controllers/front/confirmdelete.php
    +++ 1.0.6/modules/bavideotab/controllers/front/confirmdelete.php
    @@ -33,8 +33,8 @@ class BaVideoTabConfirmDeleteModuleFront
         public function run()
         {
             $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
    -        $id_product=Tools::getValue('id');
    -        $id_lang = Tools::getValue('id_lang');
    +        $id_product = (int) Tools::getValue('id');
    +        $id_lang = (int) Tools::getValue('id_lang');
             $id_shop=($this->context->shop->id);
             $sql="SELECT text_url FROM "._DB_PREFIX_."url_video WHERE id_product='".$id_product."'";
             $sql .= "AND id_lang='".$id_lang."' AND id_store='".$id_shop."' AND type = 1 ";
    
    

    --- 1.0.5/modules/bavideotab/controllers/front/savevideo.php
    +++ 1.0.6/modules/bavideotab/controllers/front/savevideo.php
    @@ -33,14 +33,14 @@ class BaVideoTabSaveVideoModuleFrontCont
             $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
             $ob_lang_default = new Language($id_lang_default);
             $name_lang_default = $ob_lang_default->name;
    -        $id_shop = Tools::getValue('id_shop');
    +        $id_shop = (int) Tools::getValue('id_shop');
             $name_shop = Tools::getValue('name_shop');
             $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
             $url = $_SERVER['SCRIPT_FILENAME'];
             $url = rtrim($url, 'index.php');
             $languages = Language::getLanguages();
    -        $type_video = Tools::getValue('type_video');
    -        $id_product = Tools::getValue('id_product');
    +        $type_video = (int) Tools::getValue('type_video');
    +        $id_product = (int) Tools::getValue('id_product');
             $sql = 'SELECT * FROM '._DB_PREFIX_.'product_lang WHERE id_product="'.$id_product.'"';
             $show = $db->ExecuteS($sql);
    
    @@ -91,7 +91,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                             $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                             $sql .= " VALUES ('','".$id_product."','".$id_lang_default."','".$id_shop."','";
    -                        $sql .= "".$video_upload_default."','".$name_lang_default."','".$name_shop."','";
    +                        $sql .= "".$video_upload_default."','".$name_lang_default."','".pSQL($name_shop)."','";
                             $sql .= "".$name_product."','".$type_video."')";
                             $db->query($sql);
                             $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -102,7 +102,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                                 $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                                 $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                                 $sql .= " VALUES ('','".$id_product."','".$value['id_lang']."','".$id_shop."','";
    -                            $sql .= "".$video_upload_default."','".$value['name']."','".$name_shop."','";
    +                            $sql .= "".$video_upload_default."','".$value['name']."','".pSQL($name_shop)."','";
                                 $sql .= "".$name_product."','".$type_video."')";
                                 $db->query($sql);
                                 $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -113,7 +113,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                                 $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                                 $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                                 $sql .= " VALUES ('','".$id_product."','".$value['id_lang']."','".$id_shop."','";
    -                            $sql .= "".$video_url."','".$value['name']."','".$name_shop."','";
    +                            $sql .= "".$video_url."','".$value['name']."','".pSQL($name_shop)."','";
                                 $sql .= "".$name_product."','".$type_video."')";
                                 $db->query($sql);
                                 $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -160,7 +160,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql = "REPLACE INTO "._DB_PREFIX_."url_video ";
                             $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$value['id_lang']."','";
    -                        $sql .= "".$id_shop."','".$video_url."','".$value['name']."','".$name_shop."','";
    +                        $sql .= "".$id_shop."','".$video_url."','".$value['name']."','".pSQL($name_shop)."','";
                             $sql .= "".$name_product."','".$type_video."')";
                             $db->query($sql);
                             $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -195,7 +195,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         }
    @@ -214,7 +214,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         } else {
    @@ -230,7 +230,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         }

CVE-2023-48925: [CVE-2023-48925] Improper neutralization of SQL parameter in Buy Addons - Product Video, Youtube, Vimeo Tab module for PrestaShop

SQL njection vulnerability in SunnyToo sturls before version 1.1.13, allows attackers to escalate privileges and obtain sensitive information via StUrls::hookActionDispatcher and StUrls::getInstanceId methods.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Urls” (sturls) up to version 1.1.13 from SunnyToo for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-46348
*   **Published at**: 2023-12-07
*   **Platform**: PrestaShop
*   **Product**: sturls
*   **Impacted release**: <= 1.1.11 (1.1.13 fixed the vulnerability - WARNING : see WARNING below)
*   **Product author**: SunnyToo
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Methods StUrls::hookActionDispatcher and StUrls::getInstanceId have sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a hook Dispatcher with forged parameters so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

WARNING : Since we noticed this vulnerability on a 1.1.13 version but the author confirm us that it only affects 1.1.11, be warned that there is maybe manufactured versions in the wild and you should check all version prior to 1.1.13.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.1.13**

    --- 1.1.13/modules/sturls/sturls.php
    +++ XXXXXX/modules/sturls/sturls.php
    @@ -1288,7 +1288,7 @@ class StUrls extends Module
                             FROM '._DB_PREFIX_.'category_lang l
                             LEFT JOIN '._DB_PREFIX_.'category a
                             ON (a.id_category=l.id_category)
    -                        WHERE `link_rewrite` = "'.$top_parent_name.'"
    +                        WHERE `link_rewrite` = "'.pSQL($top_parent_name).'"
                             AND a.`active` = 1
                             AND `id_lang` = '.(int)$this->context->language->id
                         );
    @@ -1297,7 +1297,7 @@ class StUrls extends Module
                         FROM '._DB_PREFIX_.'category_lang l
                         LEFT JOIN '._DB_PREFIX_.'category a
                         ON (a.id_category=l.id_category)
    -                    WHERE `link_rewrite` = "'.$parent_name.'"
    +                    WHERE `link_rewrite` = "'.pSQL($parent_name).'"
                         AND a.`active` = 1'.
                         ($top_parent_name ? ' AND `id_parent` = ' . (int)$top_parent_id : '').'
                         AND `id_lang` = '.(int)$this->context->language->id
    @@ -1344,11 +1344,11 @@ class StUrls extends Module
                     ON (a.id_'.$table.'=l.id_'.$table.')
                     '.($table != 'category' ? 'INNER JOIN '._DB_PREFIX_.$table.'_shop s
                     ON (a.id_'.$table.'=s.id_'.$table.' AND s.id_shop = '.(int)$this->context->shop->id.')' : '').'
    -                WHERE `'.$field.'` = "'.$rewrite.'"
    +                WHERE `'.bqSQL($field).'` = "'.pSQL($rewrite).'"
                     AND `id_lang` = '.(int)$this->context->language->id.'
                     '.($is_id_shop ? 'AND l.id_shop='.(int)$this->context->shop->id : '').'
    -                '.($has_ref ? 'AND reference="'.$reference.'"' : '').'
    -                '.($id_parent ? 'AND id_parent IN ('.implode(',',$id_parent).')' : '').'
    +                '.($has_ref ? 'AND reference="'.pSQL($reference).'"' : '').'
    +                '.($id_parent ? 'AND id_parent IN ('.implode(',', array_map('intval', $id_parent)).')' : '').'
                     ');
                 if ($id) {
                     Configuration::updateValue($this->_prefix_st.'sha1_'.$sig, (int)$id);
    @@ -1513,7 +1513,7 @@ class StUrls extends Module
                             SELECT bl.id_st_blog FROM '._DB_PREFIX_.'st_blog_lang bl
                             INNER JOIN '._DB_PREFIX_.'st_blog_shop bs
                             ON(bl.`id_st_blog` = bs.`id_st_blog`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    @@ -1536,7 +1536,7 @@ class StUrls extends Module
                             SELECT l.id_st_blog_category FROM '._DB_PREFIX_.'st_blog_category_lang l
                             INNER JOIN '._DB_PREFIX_.'st_blog_category_shop s
                             ON(l.`id_st_blog_category` = s.`id_st_blog_category`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.$pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **sturls**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-31

Issue discovered during a code review by TouchWeb.fr

2023-08-31

Contact Author to confirm versions scope

2023-09-09

Author confirm versions scope

2023-09-16

Author provide a patch

2023-10-17

Request a CVE ID

2023-10-23

Received CVE ID

2023-12-07

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-46348: [CVE-2023-46348] Improper neutralization of SQL parameter in SunnyToo - Urls module for PrestaShop


There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.



Tag

#sql