SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the page_id parameter at article_edit.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-31940: BugReport/php/Online-Travel-Agency-System/bug7-SQL-Injection-page_id.md at main · DiliLearngent/BugReport

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the costomer_id parameter at customer_edit.php.

CVE-2023-31939: BugReport/php/Online-Travel-Agency-System/bug4-SQL-Injection-costomer_id.md at main · DiliLearngent/BugReport

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the ticket_id parameter at ticket_detail.php.

CVE-2023-31943: BugReport/php/Online-Travel-Agency-System/bug6-SQL-Injection-ticket_id.md at main · DiliLearngent/BugReport

SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the emp_id parameter at employee_edit.php.

CVE-2023-31944: BugReport/php/Online-Travel-Agency-System/bug3-SQL-Injection-emp_id2.md at main · DiliLearngent/BugReport

SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a local attacker to cause a denial of service via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions.

    GET /jeecg-boot/sys/duplicate/check?tableName=v3_hello&fieldName=1+and%09if(user(%20)='root@localhost',sleep(0),sleep(0))&fieldVal=1&dataId=asd HTTP/1.1
    Host: 127.0.0.1:8080
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    X_ACCESS_TOKEN: eyJ0eXAi0iJKV1QiLCJhbGci0iJIUzI1Ni J9.eyJleHAi0jE2NzA2NjUy0TQsInVzZXJ uYW1lIjoiYWRtaW4i fQ.bL0e7k3rbFEewdMoL2YfPCo9rtzx7g9 KLjB2LK-J9SU

CVE-2023-38905: [CVE-2023-38905] sys/duplicate/check SQL注入 · Issue #4737 · jeecgboot/jeecg-boot

In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.

**OCD CVE Repository**  
   

The table of CVE registered by people working for OCD:

CVE ID / Advisory

EDB ID / Exploit

Type

Product

Author(s)

CVE-2023-26469

PoC

Path traversal

Jorani/bbalet

Guilhem RIOUX

CVE-2023-23565

PoC

Local File Inclusion (authenticated)

Geomatika IsiGeo Web 6.0

Romain PENLOUP

CVE-2023-23564

PoC

Command injection (authenticated)

Geomatika IsiGeo Web 6.0

Romain PENLOUP & Guilhem RIOUX

CVE-2023-23563

PoC

SQL Injection (authenticated)

Geomatika IsiGeo Web 6.0

Romain PENLOUP

CVE-2023-20065

No PoC

Local Privilege Escalation

CISCO IOS XE Software

Mickael DORIGNY  
Benoit MALABOEUF

CVE-2022-45186

PoC

Authenticated Database Leak

SuiteCRM <= 7.12.7 (<= 8.2.0)

Guilhem RIOUX

CVE-2022-45185

PoC

Authenticated RCE (arbitrary unserialize)

SuiteCRM <= 7.12.7 (<= 8.2.0)

Guilhem RIOUX

CVE-2022-41573

PoC

File Upload

Ovidentia 8.3

Nidal GUEDOUAR

CVE-2022-41572

PoC

Privilege escalation

Eyesofnetwork <= 5.3

Guilhem RIOUX

CVE-2022-41571

PoC

Authenticated local file inclusion

Eyesofnetwork <= 5.3

Guilhem RIOUX

CVE-2022-41570

PoC

Unauthenticated sql injection

Eyesofnetwork <= 5.3

Guilhem RIOUX

CVE-2022-35914

PoC

Unauthenticated RCE

GLPI (versions < 10.0.3 < 9.5.9 )

Cyril SERVIERES

CVE-2022-34328

PoC

SQL Injection (Authentificated)

PMB (version 7.4.1 )

Mike HOUZIAUX

CVE-2022-34328

PoC

XSS (Reflected)

PMB (version 7.3.10 )

Mike HOUZIAUX

CVE-2021-46107

PoC

Unauthenticated SSRF

Ligeo Archives (version < 4.0.78)

Guilhem RIOUX

CVE-2021-44032

PoC

Authentication Bypass

TP-Link Omada SDN Controler V4.4.4 (Windows)

Kevin LEHONGRE

CVE-2021-42056

PoC

Privilege Escalation

Safenet Authentication Client (Linux)

Wilfried PASCAULT

CVE-2021-36355

PoC

File upload to RCE

evolucaire imaging <8.5 (8.2.0.12)

Cyril SERVIERES

CVE-2020-2528

PoC

XSS (Reflected)

EasyVista 2018.1.185.5

Mike HOUZIAUX

CVE-2020-25287

PoC

Client Side Template Injection

EasyVista 2018.1.185.5

Mike HOUZIAUX

CVE-2020-25287

PoC

Authenticated RCE

Pligg 2.0.3

Mike HOUZIAUX

CVE-2020-17454

PoC

Self XSS

WSO2 API Manager: 3.1.0 or earlier

Zakaria BRAHIMI

CVE-2020-14950

PoC

Authenticated RCE

aapanel 6.6.6

Mike HOUZIAUX

CVE-2020-14462

PoC

Authenticated reflected XSS

Caldera 2.7.0

Aurélien CHALOT

CVE-2020-14421

PoC

Authenticated RCE

aapanel 6.6.6

Mike HOUZIAUX

CVE-2020-14295

PoC

Authenticated RCE (from SQLi)

cacti (1.2.7, 1.2.12)

Cyril SERVIERES

CVE-2020-14146

PoC

XSS (Reflected)

KumbiaPHP 1.1.1

Mike HOUZIAUX

CVE-2020-11712

PoC

XSS (Reflected)

Openupload 0.4.3

Mike HOUZIAUX

CVE-2020-10787

PoC

Root EoP

VestaCP 0.9.8-26

Alexandre ZANNI

CVE-2020-10786

PoC

Authenticated RCE

VestaCP 0.9.8-26

Alexandre ZANNI

CVE-2020-10220

48208

Unauthenticated SQLi

rConfig < 3.9.4

Jean-Pascal THOMAS

CVE-2020-8776  
CVE-2020-8777  
CVE-2020-8778

48162

Stored XSS

Alfresco 5.2.4

Alexandre ZANNI  
Romain LOISEL

CVE-2020-1949

PoC

Reflected XSS

Sling CMS App 0.14.0 and previous releases

Guillaume GRABÉ

CVE-2019-19585

PoC

Root LPE

rConfig < 3.9.4

Jean-Pascal THOMAS

CVE-2019-19509

47982

Authenticated RCE

rConfig < 3.9.4

Jean-Pascal THOMAS

CVE-2019-15253

48459

Stored XSS

Cisco DNAC 1.3

Dylan GARNAUD  
Benoit MALABOEUF

CVE-2019-13029

47146

Stored XSS

REDCap 8.10/9.1

Alexandre ZANNI  
Dylan GARNAUD

Note: the table is sorted by CVE ID.

CVE-2023-26469: GitHub - Orange-Cyberdefense/CVE-repository: Repository of CVE found by OCD people

Unsurprisingly, it seems like AI was the talk of the town.

Thursday, August 17, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I had a significant amount of FOMO last week seeing everyone out in Vegas. (I was happy to not get conference crud sickness, but it seems like I missed a great time otherwise.)

But, as anyone who works with me could guess, I was following closely online through social media and news reporting. If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.

Unsurprisingly, it seems like AI was the talk of the town. One panel, which featured the former Cyber Czar in the Obama administration, promised coming action from the Biden administration around AI and its intersection with cybersecurity, including an executive order that apparently will be as broad as earlier orders around the U.S.’ broader approach to security.

There were many other panels and talks around AI, along with questions about whether the technology has plateaued after so many companies developed their own ChatGPT-like.

I was also fascinated by several interviews and talks from an FBI official about distributed denial-of-service attacks. I’ve written before about how there’s a renewed interest in DDoS attacks recently, especially those targeting high-profile companies and games.

Two high-ranking government officials gave a joint talk at Black Hat where they said the majority of DDoS attacks are the result of a dispute over business transactions or good ‘ol fashioned video game beef.

The same presenters gave additional details on how the FBI prioritizes stopping DDoS attacks. Chances are, if you’re a bad actor who makes the news for DDoS attacks, the federal government is not far behind.

I also always love the crazy vulnerabilities or hacking methods that come out of both these conferences. A highlight for me was a group of researchers who found a way to hijack one of the most popular automatic card shufflers (fitting for Vegas) to the point that someone could know the order of cards ahead of time in a gambling game.

I’m not quite sure what the actual attack surface is here because the potential hacker would need to install a tiny physical USB device into the shuffler, and I don’t think any casino worker would be thrilled to see you crawling around on the floor, but I do always love to see the downside of putting a USB port on everything.

And there was the brief, but confusing, saga at DEFCON about the pop-up notifications iPhone users were getting asking people to pair with a rogue Apple TV. Turns out it was a harmless prank from one of the attendees, who just wanted to drive home the point that it’s important to really turn off Bluetooth all the way, and not just click the little button in the Control Center.

Lastly, we wanted to thank Viktor Zhora, the deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection for Ukraine, for taking the time to say “Hi” to us on the show floor. He specifically took time out of his day to make sure he could meet Matt Olney, who’s been one of our leaders in helping support Ukraine. Viktor was a speaker at BlackHat and had a very busy schedule of media appearances, so we were flattered that he made sure to see Matt.

**The one big thing**

Since AI was already the talk of the town at Black Hat and DEF CON, we wanted to continue the conversation around tehse tools and the implications on cybersecurity. As one of our incident responders wrote in the latest in our “On the Radar” series, AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders. The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.

**Why do I care?**

AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. For defenders, though, AI also opens the door to new defensive tactics and tools, so it’s important to see the positives and negatives of AI in security.

**So now what?**

There is no real action for the average user to take at this point, but I feel this piece is a good opportunity for everyone to take a step back about what we currently know, and don’t know, about AI and its intersection with security.

**Top security headlines of the week**

**Two police precincts in the U.K. had mistakenly been leaking the personal information of individuals connected to crimes for years.** The UK's Norfolk and Suffolk police constabularies disclosed that, between April 2021 and March 2022, the information was accidentally attached to crime statistics distributed as part of Freedom of Information Act (FOIA) requests. The data includes personally identifiable information related to witnesses, suspects and victims of a variety of crimes, including domestic violence, assaults, thefts and hate crimes. The forces say they are now contacting more than 1,200 people who may have been affected. Representatives from the two departments said in a statement that, “Strenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing. At this stage we have found nothing to suggest that this is the case.” (CSO Online, Politico)

Viktor Zhora, one of Ukraine’s top cybersecurity officials, said at Black Hat that **his country is taking several steps to document what may constitute war crimes committed by Russian state-sponsored actors.** Zhora said that attacks affecting critical infrastructure and communications for civilians could fall under such umbrellas and his team is actively collecting evidence as the kinetic military conflict continues. Speaking alongside Zhora, Jen Easterly, the U.S.’ top cybersecurity official, said the U.S. has learned several lessons from Russia’s invasion of Ukraine, including the importance of assistance from private cybersecurity companies. (CyberScoop, The Record)

**Several years’ worth of Intel chips contains a newly discovered flaw known as “Downfall,”** which is like the Meltdown and Spectre bugs from several years ago. Identified as CVE-2022-40982, the issue could allow the CPU to “unintentionally reveal internal hardware registers to software,” according to a write-up from Google’s security research team. Proof of concept code shows that an attacker could use Downfall to steal encryption keys from other users on a given server and other sensitive data. Downfall affects most CPUs in Intel's 6th through 11th-generation Core lineups for consumer PCs. Most of the affected devices were sold starting in 2015 and may still be available in systems today. Intel’s patch for the issue negatively affects the performance of the CPUs, with some studies finding that performance could dip to 40 percent. (Ars Technica, PC World)

**Can’t get enough Talos?**

*   Cisco XDR: from detection and response to continuity after a cyberattack
*   As Ransomware Gangs Shift To Data Extortion, Some Adopt A New Tactic: ‘Customer Service’
*   Talos Takes Ep. #150: What's the difference between data theft extortion and ransomware?

**Upcoming events where you can find Talos**

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!Mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

Recapping the top stories from Black Hat and DEF CON

Ubuntu Security Notice 6296-1 - It was discovered that PostgreSQL incorrectly handled certain extension script substitutions. An attacker having database-level CREATE privileges can use this issue to execute arbitrary code as the bootstrap superuser. It was discovered that PostgreSQL incorrectly handled the MERGE command. A remote attacker could possibly use this issue to bypass certain UPDATE and SELECT policies. This issue only affected Ubuntu 23.04.

==========================================================================  
Ubuntu Security Notice USN-6296-1  
August 17, 2023

postgresql-12, postgresql-14, postgresql-15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:  
- postgresql-15: Object-relational SQL database  
- postgresql-14: Object-relational SQL database  
- postgresql-12: Object-relational SQL database

Details:

It was discovered that PostgreSQL incorrectly handled certain extension  
script substitutions. An attacker having database-level CREATE privileges  
can use this issue to execute arbitrary code as the bootstrap superuser.  
(CVE-2023-39417)

It was discovered that PostgreSQL incorrectly handled the MERGE command. A  
remote attacker could possibly use this issue to bypass certain UPDATE and  
SELECT policies. This issue only affected Ubuntu 23.04. (CVE-2023-39418)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   postgresql-15                   15.4-0ubuntu0.23.04.1  
   postgresql-client-15            15.4-0ubuntu0.23.04.1

Ubuntu 22.04 LTS:  
   postgresql-14                   14.9-0ubuntu0.22.04.1  
   postgresql-client-14            14.9-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   postgresql-12                   12.16-0ubuntu0.20.04.1  
   postgresql-client-12            12.16-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart PostgreSQL to  
make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6296-1  
   CVE-2023-39417, CVE-2023-39418

Package Information:  
   https://launchpad.net/ubuntu/+source/postgresql-15/15.4-0ubuntu0.23.04.1  
   https://launchpad.net/ubuntu/+source/postgresql-14/14.9-0ubuntu0.22.04.1  
   https://launchpad.net/ubuntu/+source/postgresql-12/12.16-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6296-1

Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and main access to an Apple device even when the victim believes it is offline.
The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial

Mobile Security / Vulnerability

Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and main access to an Apple device even when the victim believes it is offline.

The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," Jamf Threat Labs researchers Hu Ke and Nir Avraham said in a report shared with The Hacker News.

Airplane Mode, as the name implies, allows users to turn off wireless features in their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages.

The approach devised by Jamf, in a nutshell, provides an illusion to the user that the Airplane Mode is on while allowing a malicious actor to stealthily maintain a cellular network connection for a rogue application.

"When the user turns on Airplane Mode, the network interface pdp\_ip0 (cellular data) will no longer display ipv4/ipv6 ip addresses," the researchers explained. "The cellular network is disconnected and unusable, at least to the user space level."

While the underlying changes are carried out by CommCenter, the user interface (UI) modifications, such as the icon transitions are taken care of by the SpringBoard.

The goal of the attack, then, is to devise an artificial Airplane Mode that keeps the UI changes intact but retains cellular connectivity for a malicious payload installed on the device by other means.

"After enabling Airplane Mode without a Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet," the researchers said. "The typical experience is a notification window that prompts a user to 'Turn Off Airplane Mode.'"

To pull off the ruse, the CommCenter daemon is utilized to block cellular data access for specific apps and disguise it as Airplane Mode by means of a hooked function that alters the alert window to look like the setting has been turned on.

It's worth noting that the operating system kernel notifies the CommCenter via a callback routine, which, in turn, notifies the SpringBoard to display the pop-up.

A closer examination of the CommCenter daemon has also revealed the presence of an SQL database that's used to record the cellular data access status of each app (aka bundle ID), with a flag set to the value "8" if an application is blocked from accessing it.

"Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code," the researchers said.

"When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a backdoor trojan."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote attacker to obtain sensitive information via the edit.php component.

Tag

#sql