FreshRSS

Vulnerabilities

[webapps] Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)

Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
  • June 22nd 2023 at 00:00

[remote] Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing

Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
  • June 22nd 2023 at 00:00

Re: OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by pesco on Jun 21

C. W. Schech on Sat, Jun 17 2023:

By who? Which user ID specifically?

And clearly such checksums could not be tampered with?

PoC or GTFO.

rolling on the floor laughing
  • June 21st 2023 at 22:26

Re: OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by jvoisin via Fulldisclosure on Jun 21

I'm unsure I understand the threat model here: an attacker with root
privileges is able to modify the kernel data about to be relinked?

You're also mentioning SLSA, but as you also said, OpenBSD doesn't have
reproducible builds and all the cool build hardening things(tm). So
having a cryptographic path to the resulting relinked kernel won't
really improve anything, given the current state of affairs.
  • June 21st 2023 at 22:25

OXAS-ADV-2023-0002: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Jun 21

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference: MWB-1994
Type:...
  • June 21st 2023 at 22:25

Debian Security Advisory 5434-1

Debian Linux Security Advisory 5434-1 - A heap-based buffer overflow vulnerability was found in the HTTP chunk parsing code of minidlna, a lightweight DLNA/UPnP-AV server, which may result in denial of service or the execution of arbitrary code.
  • June 21st 2023 at 16:05

Ubuntu Security Notice USN-6182-1

Ubuntu Security Notice 6182-1 - It was discovered that pngcheck incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
  • June 21st 2023 at 16:05

Ubuntu Security Notice USN-6181-1

Ubuntu Security Notice 6181-1 - Hiroshi Tokumaru discovered that Ruby did not properly handle certain user input for applications that generate HTTP responses using cgi gem. An attacker could possibly use this issue to maliciously modify the response a user would receive from a vulnerable application. This issue only affected Ubuntu 22.10. It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service.
  • June 21st 2023 at 15:59

Ubuntu Security Notice USN-6180-1

Ubuntu Security Notice 6180-1 - It was discovered that VLC could be made to read out of bounds when decoding image files. If a user were tricked into opening a crafted image file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that VLC could be made to write out of bounds when processing H.264 video files. If a user were tricked into opening a crafted H.264 video file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
  • June 21st 2023 at 15:58

Red Hat Security Advisory 2023-3705-01

Red Hat Security Advisory 2023-3705-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include privilege escalation and use-after-free vulnerabilities.
  • June 21st 2023 at 15:57

Ubuntu Security Notice USN-6143-3

Ubuntu Security Notice 6143-3 - USN-6143-1 fixed vulnerabilities and USN-6143-2 fixed minor regressions in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Jun Kokatsu discovered that Firefox did not properly validate site-isolated process for a document loaded from a data: URL that was the result of a redirect, leading to an open redirect attack. An attacker could possibly use this issue to perform phishing attacks.
  • June 21st 2023 at 15:55

Debian Security Advisory 5433-1

Debian Linux Security Advisory 5433-1 - Gregory James Duck reported that missing input validation in various functions provided by libx11, the X11 client-side library, may result in denial of service.
  • June 21st 2023 at 15:53

Ubuntu Security Notice USN-5948-2

Ubuntu Security Notice 5948-2 - USN-5948-1 fixed vulnerabilities in Werkzeug. This update provides the corresponding updates for Ubuntu 23.04. It was discovered that Werkzeug did not properly handle the parsing of nameless cookies. A remote attacker could possibly use this issue to shadow other cookies.
  • June 21st 2023 at 15:50

[webapps] HiSecOS 04.0.01 - Privilege Escalation

HiSecOS 04.0.01 - Privilege Escalation
  • June 21st 2023 at 00:00

[webapps] Super Socializer 7.13.52 - Reflected XSS

Super Socializer 7.13.52 - Reflected XSS
  • June 20th 2023 at 00:00

[webapps] WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)

WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
  • June 20th 2023 at 00:00

[webapps] SPIP v4.2.0 - Remote Code Execution (Unauthenticated)

SPIP v4.2.0 - Remote Code Execution (Unauthenticated)
  • June 20th 2023 at 00:00

[remote] Nokia ASIKA 7.13.52 - Hard-coded private key disclosure

Nokia ASIKA 7.13.52 - Hard-coded private key disclosure
  • June 20th 2023 at 00:00

OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by Schech, C. W. ("Connor") on Jun 19

The automatic and mandatory-by-default reordering of OpenBSD kernels
is NOT transactional and as a result, a local unpatched exploit exists
which allows tampering or replacement of the kernel. Arbitrary build
artifacts are cyclically relinked with no data integrity or provenance
being maintained or verified for the objects being consumed with
respect to the running kernel before and during the execution of the
mandatory kernel_reorder process in...
  • June 19th 2023 at 13:24

Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities

Posted by BUG on Jun 19

Microsoft® Lync™ Better Together over Ethernet (BToE) feature on
Polycom® VVX® business media phones enables you to control phone
activity from your computer using your Lync client.
The BToE feature enables you to place, answer, and hold audio and video
calls from your Polycom VVX phone and your Lync client on your computer.

#### Title: Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities
#### Affected versions: 4.4.0.0
#### Tested...
  • June 19th 2023 at 13:24

[webapps] Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)

Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)
  • June 19th 2023 at 00:00

[webapps] Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)

Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)
  • June 19th 2023 at 00:00

[webapps] The Shop v2.5 - SQL Injection

The Shop v2.5 - SQL Injection
  • June 19th 2023 at 00:00

[webapps] Jobpilot v2.61 - SQL Injection

Jobpilot v2.61 - SQL Injection
  • June 19th 2023 at 00:00

[webapps] Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS)

Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS)
  • June 19th 2023 at 00:00

[webapps] Groomify v1.0 - SQL Injection

Groomify v1.0 - SQL Injection
  • June 19th 2023 at 00:00

[webapps] WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password

WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password
  • June 19th 2023 at 00:00

[webapps] Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)

Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
  • June 15th 2023 at 00:00

[webapps] PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)

PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
  • June 14th 2023 at 00:00

[webapps] Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)

Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
  • June 14th 2023 at 00:00

Ubuntu Security Notice USN-6161-1

Ubuntu Security Notice 6161-1 - It was discovered that .NET did not properly enforce certain restrictions when deserializing a DataSet or DataTable from XML. An attacker could possibly use this issue to elevate their privileges. Kevin Jones discovered that .NET did not properly handle the AIA fetching process for X.509 client certificates. An attacker could possibly use this issue to cause a denial of service.
  • June 14th 2023 at 04:33

Debian Security Advisory 5426-1

Debian Linux Security Advisory 5426-1 - A vulnerability allowing arbitrary file reads from a malformed XML payload was discovered in owslib, the Python client library for Open Geospatial (OGC) web services. This issue has been addressed by always using lxml as the XML parser with entity resolution disabled.
  • June 14th 2023 at 04:33

[webapps] Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)

Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)
  • June 14th 2023 at 00:00

[webapps] projectSend r1605 - Stored XSS

projectSend r1605 - Stored XSS
  • June 14th 2023 at 00:00

[webapps] Online Thesis Archiving System v1.0 - Multiple-SQLi

Online Thesis Archiving System v1.0 - Multiple-SQLi
  • June 14th 2023 at 00:00

[remote] Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak

Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
  • June 14th 2023 at 00:00

[webapps] projectSend r1605 - CSV injection

projectSend r1605 - CSV injection
  • June 14th 2023 at 00:00

[remote] Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution

Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
  • June 14th 2023 at 00:00

[webapps] Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)

Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)
  • June 14th 2023 at 00:00

[remote] Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution

Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
  • June 14th 2023 at 00:00

Ubuntu Security Notice USN-6160-1

Ubuntu Security Notice 6160-1 - It was discovered that GNU binutils incorrectly performed bounds checking operations when parsing stabs debugging information. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
  • June 13th 2023 at 21:28

Debian Security Advisory 5424-1

Debian Linux Security Advisory 5424-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.
  • June 13th 2023 at 21:28

Debian Security Advisory 5425-1

Debian Linux Security Advisory 5425-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.
  • June 13th 2023 at 21:28

Ubuntu Security Notice USN-6159-1

Ubuntu Security Notice 6159-1 - It was discovered that Tornado incorrectly handled certain redirects. A remote attacker could possibly use this issue to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL.
  • June 13th 2023 at 21:27

Ubuntu Security Notice USN-6143-2

Ubuntu Security Notice 6143-2 - USN-6143-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Jun Kokatsu discovered that Firefox did not properly validate site-isolated process for a document loaded from a data: URL that was the result of a redirect, leading to an open redirect attack. An attacker could possibly use this issue to perform phishing attacks.
  • June 13th 2023 at 21:27

Ubuntu Security Notice USN-6158-1

Ubuntu Security Notice 6158-1 - It was discovered that Node Fetch incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information.
  • June 13th 2023 at 21:27

Red Hat Security Advisory 2023-3495-01

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.
  • June 13th 2023 at 21:26

Ubuntu Security Notice USN-6157-1

Ubuntu Security Notice 6157-1 - Tao Lyu discovered that GlusterFS did not properly handle certain event notifications. An attacker could possibly use this issue to cause a denial of service.
  • June 13th 2023 at 21:26

Ubuntu Security Notice USN-6156-1

Ubuntu Security Notice 6156-1 - It was discovered that SSSD incorrectly sanitized certificate data used in LDAP filters. When using this issue in combination with FreeIPA, a remote attacker could possibly use this issue to escalate privileges.
  • June 13th 2023 at 21:24

Ubuntu Security Notice USN-6148-1

Ubuntu Security Notice 6148-1 - It was discovered that SNI Proxy did not properly handle wildcard backend hosts. An attacker could possibly use this issue to cause a buffer overflow, resulting in a denial of service, or arbitrary code execution.
  • June 13th 2023 at 21:24

Ubuntu Security Notice USN-6154-1

Ubuntu Security Notice 6154-1 - It was discovered that Vim was using uninitialized memory when fuzzy matching, which could lead to invalid memory access. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu 23.04. It was discovered that Vim was not properly performing bounds checks when processing register contents, which could lead to a NULL pointer dereference. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
  • June 13th 2023 at 21:23

Ubuntu Security Notice USN-6155-1

Ubuntu Security Notice 6155-1 - Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.
  • June 13th 2023 at 21:23

[webapps] Sales Tracker Management System v1.0 - Multiple Vulnerabilities

Sales Tracker Management System v1.0 - Multiple Vulnerabilities
  • June 13th 2023 at 00:00

[webapps] Teachers Record Management System 1.0 - File Upload Type Validation

Teachers Record Management System 1.0 - File Upload Type Validation
  • June 13th 2023 at 00:00

[webapps] Online Examination System Project 1.0 - Cross-site request forgery (CSRF)

Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
  • June 13th 2023 at 00:00

Ubuntu Security Notice USN-6153-1

Ubuntu Security Notice 6153-1 - It was discovered that Jupyter Core executed untrusted files in the current working directory. An attacker could possibly use this issue to execute arbitrary code.
  • June 12th 2023 at 05:11

Debian Security Advisory 5423-1

Debian Linux Security Advisory 5423-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.
  • June 12th 2023 at 05:11

Red Hat Security Advisory 2023-3557-01

Red Hat Security Advisory 2023-3557-01 - OpenShift GitOps KAM OpenShift GitOps Kubernetes Application Manager CLI tool. Issues addressed include a bypass vulnerability.
  • June 12th 2023 at 05:10

Windows PowerShell / Trojan File RCE revisited

Posted by hyp3rlinx on Jun 09

Hi,

Windows PowerShell Filename Code Execution POC

Discovery: 2019 and revisited 2023

Since it still works, I dusted off and made minor improvements:

Execute a remote DLL using rundll32
Execute an unintended secondary PS1 script or local text-file (can be
hidden)
Updated the PS1 Trojan Filename Creator Python3 Script
First reported to Microsoft back in 2019 yet remains unfixed as of the time
of this writing.

Remote code execution via a...
  • June 9th 2023 at 16:53
โŒ