Server-Side Request Forgery (SSRF) in kubeflow/kubeflow

CVE-2023-6570

Cross-site Scripting (XSS) - Reflected in kubeflow/kubeflow

CVE-2023-6571

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress advanced-page-visit-counter allows Cross-Site Scripting (XSS).This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 8.0.6.



**Solution**

 No fix available

No patched version is available.

Found this useful? Thank Abu Hurayra for reporting this vulnerability. Buy a coffee ☕

Abu Hurayra discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Page Visit Counter Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 7 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-50371: WordPress Advanced Page Visit Counter plugin <= 8.0.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.


**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-46750

SQLi vulnerability in S5 Register module for Joomla.

× We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.

CVE-2023-49707: S5 Register - Joomla! Extension Directory

SQLi vulnerability in Starshop component for Joomla.

CVE-2023-49708: Starshop - Joomla! Extension Directory

SQL njection vulnerability in SunnyToo sturls before version 1.1.13, allows attackers to escalate privileges and obtain sensitive information via StUrls::hookActionDispatcher and StUrls::getInstanceId methods.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Urls” (sturls) up to version 1.1.13 from SunnyToo for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-46348
*   **Published at**: 2023-12-07
*   **Platform**: PrestaShop
*   **Product**: sturls
*   **Impacted release**: <= 1.1.11 (1.1.13 fixed the vulnerability - WARNING : see WARNING below)
*   **Product author**: SunnyToo
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Methods StUrls::hookActionDispatcher and StUrls::getInstanceId have sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a hook Dispatcher with forged parameters so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

WARNING : Since we noticed this vulnerability on a 1.1.13 version but the author confirm us that it only affects 1.1.11, be warned that there is maybe manufactured versions in the wild and you should check all version prior to 1.1.13.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.1.13**

    --- 1.1.13/modules/sturls/sturls.php
    +++ XXXXXX/modules/sturls/sturls.php
    @@ -1288,7 +1288,7 @@ class StUrls extends Module
                             FROM '._DB_PREFIX_.'category_lang l
                             LEFT JOIN '._DB_PREFIX_.'category a
                             ON (a.id_category=l.id_category)
    -                        WHERE `link_rewrite` = "'.$top_parent_name.'"
    +                        WHERE `link_rewrite` = "'.pSQL($top_parent_name).'"
                             AND a.`active` = 1
                             AND `id_lang` = '.(int)$this->context->language->id
                         );
    @@ -1297,7 +1297,7 @@ class StUrls extends Module
                         FROM '._DB_PREFIX_.'category_lang l
                         LEFT JOIN '._DB_PREFIX_.'category a
                         ON (a.id_category=l.id_category)
    -                    WHERE `link_rewrite` = "'.$parent_name.'"
    +                    WHERE `link_rewrite` = "'.pSQL($parent_name).'"
                         AND a.`active` = 1'.
                         ($top_parent_name ? ' AND `id_parent` = ' . (int)$top_parent_id : '').'
                         AND `id_lang` = '.(int)$this->context->language->id
    @@ -1344,11 +1344,11 @@ class StUrls extends Module
                     ON (a.id_'.$table.'=l.id_'.$table.')
                     '.($table != 'category' ? 'INNER JOIN '._DB_PREFIX_.$table.'_shop s
                     ON (a.id_'.$table.'=s.id_'.$table.' AND s.id_shop = '.(int)$this->context->shop->id.')' : '').'
    -                WHERE `'.$field.'` = "'.$rewrite.'"
    +                WHERE `'.bqSQL($field).'` = "'.pSQL($rewrite).'"
                     AND `id_lang` = '.(int)$this->context->language->id.'
                     '.($is_id_shop ? 'AND l.id_shop='.(int)$this->context->shop->id : '').'
    -                '.($has_ref ? 'AND reference="'.$reference.'"' : '').'
    -                '.($id_parent ? 'AND id_parent IN ('.implode(',',$id_parent).')' : '').'
    +                '.($has_ref ? 'AND reference="'.pSQL($reference).'"' : '').'
    +                '.($id_parent ? 'AND id_parent IN ('.implode(',', array_map('intval', $id_parent)).')' : '').'
                     ');
                 if ($id) {
                     Configuration::updateValue($this->_prefix_st.'sha1_'.$sig, (int)$id);
    @@ -1513,7 +1513,7 @@ class StUrls extends Module
                             SELECT bl.id_st_blog FROM '._DB_PREFIX_.'st_blog_lang bl
                             INNER JOIN '._DB_PREFIX_.'st_blog_shop bs
                             ON(bl.`id_st_blog` = bs.`id_st_blog`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    @@ -1536,7 +1536,7 @@ class StUrls extends Module
                             SELECT l.id_st_blog_category FROM '._DB_PREFIX_.'st_blog_category_lang l
                             INNER JOIN '._DB_PREFIX_.'st_blog_category_shop s
                             ON(l.`id_st_blog_category` = s.`id_st_blog_category`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.$pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **sturls**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-31

Issue discovered during a code review by TouchWeb.fr

2023-08-31

Contact Author to confirm versions scope

2023-09-09

Author confirm versions scope

2023-09-16

Author provide a patch

2023-10-17

Request a CVE ID

2023-10-23

Received CVE ID

2023-12-07

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-46348: [CVE-2023-46348] Improper neutralization of SQL parameter in SunnyToo - Urls module for PrestaShop

SQL injection vulnerability in Buy Addons bavideotab before version 1.0.6, allows attackers to escalate privileges and obtain sensitive information via the component BaVideoTabSaveVideoModuleFrontController::run().

In the module “Product Video, Youtube, Vimeo Tab” (bavideotab) up to version 1.0.5 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.

Methods BaVideoTabSaveVideoModuleFrontController::run() and BaVideoTabConfirmDeleteModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**WARNING** : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

    --- 1.0.5/modules/bavideotab/controllers/front/confirmdelete.php
    +++ 1.0.6/modules/bavideotab/controllers/front/confirmdelete.php
    @@ -33,8 +33,8 @@ class BaVideoTabConfirmDeleteModuleFront
         public function run()
         {
             $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
    -        $id_product=Tools::getValue('id');
    -        $id_lang = Tools::getValue('id_lang');
    +        $id_product = (int) Tools::getValue('id');
    +        $id_lang = (int) Tools::getValue('id_lang');
             $id_shop=($this->context->shop->id);
             $sql="SELECT text_url FROM "._DB_PREFIX_."url_video WHERE id_product='".$id_product."'";
             $sql .= "AND id_lang='".$id_lang."' AND id_store='".$id_shop."' AND type = 1 ";
    
    

    --- 1.0.5/modules/bavideotab/controllers/front/savevideo.php
    +++ 1.0.6/modules/bavideotab/controllers/front/savevideo.php
    @@ -33,14 +33,14 @@ class BaVideoTabSaveVideoModuleFrontCont
             $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
             $ob_lang_default = new Language($id_lang_default);
             $name_lang_default = $ob_lang_default->name;
    -        $id_shop = Tools::getValue('id_shop');
    +        $id_shop = (int) Tools::getValue('id_shop');
             $name_shop = Tools::getValue('name_shop');
             $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
             $url = $_SERVER['SCRIPT_FILENAME'];
             $url = rtrim($url, 'index.php');
             $languages = Language::getLanguages();
    -        $type_video = Tools::getValue('type_video');
    -        $id_product = Tools::getValue('id_product');
    +        $type_video = (int) Tools::getValue('type_video');
    +        $id_product = (int) Tools::getValue('id_product');
             $sql = 'SELECT * FROM '._DB_PREFIX_.'product_lang WHERE id_product="'.$id_product.'"';
             $show = $db->ExecuteS($sql);
    
    @@ -91,7 +91,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                             $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                             $sql .= " VALUES ('','".$id_product."','".$id_lang_default."','".$id_shop."','";
    -                        $sql .= "".$video_upload_default."','".$name_lang_default."','".$name_shop."','";
    +                        $sql .= "".$video_upload_default."','".$name_lang_default."','".pSQL($name_shop)."','";
                             $sql .= "".$name_product."','".$type_video."')";
                             $db->query($sql);
                             $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -102,7 +102,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                                 $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                                 $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                                 $sql .= " VALUES ('','".$id_product."','".$value['id_lang']."','".$id_shop."','";
    -                            $sql .= "".$video_upload_default."','".$value['name']."','".$name_shop."','";
    +                            $sql .= "".$video_upload_default."','".$value['name']."','".pSQL($name_shop)."','";
                                 $sql .= "".$name_product."','".$type_video."')";
                                 $db->query($sql);
                                 $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -113,7 +113,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                                 $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                                 $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                                 $sql .= " VALUES ('','".$id_product."','".$value['id_lang']."','".$id_shop."','";
    -                            $sql .= "".$video_url."','".$value['name']."','".$name_shop."','";
    +                            $sql .= "".$video_url."','".$value['name']."','".pSQL($name_shop)."','";
                                 $sql .= "".$name_product."','".$type_video."')";
                                 $db->query($sql);
                                 $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -160,7 +160,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql = "REPLACE INTO "._DB_PREFIX_."url_video ";
                             $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$value['id_lang']."','";
    -                        $sql .= "".$id_shop."','".$video_url."','".$value['name']."','".$name_shop."','";
    +                        $sql .= "".$id_shop."','".$video_url."','".$value['name']."','".pSQL($name_shop)."','";
                             $sql .= "".$name_product."','".$type_video."')";
                             $db->query($sql);
                             $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -195,7 +195,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         }
    @@ -214,7 +214,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         } else {
    @@ -230,7 +230,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         }

CVE-2023-48925: [CVE-2023-48925] Improper neutralization of SQL parameter in Buy Addons - Product Video, Youtube, Vimeo Tab module for PrestaShop

Unauthenticated LFI/SSRF in JCDashboards component for Joomla.

*   **_Display Real-time data_**  
    You can setup datasources that will provide real-time data to the widgets.
    
*   **_Base widgets_**  
    JcDashboards is packaged with readily available standardized widgets (over 40 and counting) that work out the box with very little setup required.
    
*   **_JoomCode widgets_**  
    Seeing as JC Dashboards is part of the wider JoomCode developer environment we have added widget integration for the majority of JoomCode components.
    
*   **_Plotalot widget_**  
    JCDashboards provides seamless Plotalot component integration for its widget, allowing the user to select Plotalot charts that have been configured in the backend to be displayed by simply selecting the corresponding chart from the list.
    
*   **_Custom layout configurations_**  
    We give our customers the ability to customize layouts to fit their given environments, be it rearranging and resizing widgets or changing font, background and panel styling.
    
*   **_Drag 'n drop panels_**  
    The easy-to-use layout editor lets you drag and drop panels into just about any configuration you can think of.
    
*   **_Tabulated layout_**  
    Not everybody works with multiple monitor displays and so we have set JcDashboards up to able to display multiple layouts within a tabbed format. The layouts can be configured to both hide the tabs and automatically swap to the next layout in the sequence, which lets the user view multiple sets of data without having to manually work the display.
    
*   **_Comprehensive documentation_**  
    Documentation on the features and functionality of JcDashboards is available that gets updated with each new set of features.
    
*   **_Backend and frontend editing_**  
    JcDashboards makes use of Joomla's access levels which gives admins the power to not only edit layouts in the backend but gives them the opportunity to grant edit access to frontend users should the need arise.
    
*   **_Share Dashboards_**  
    You can share dashboards with non-joomla users or sites, by sharing links with secret keys provided
    
*   **_Kiosk Mode_**  
    You can configure JC Dashboards in kiosk mode with fullscreen options and setting up your rotation interval if desired.
    
*   **_Template Styles_**  
    Plenty of template styles to choose from or create your own
    

Free

**JCTables**

By JoomCode

Tables & Lists

JC Tables is a powerful and customizable Joomla! datatable component that lets you display master-detail tables, pull queries from any database, and allow user editing. JC Tables is a combination of all the best datatables out there, bringing you an extremely feature rich datatables component. Master-detail Functionality Navigation Tree Record Preview Connect to External Databases Customizable L...

Free

**JCAdminUtils**

By JoomCode

Administration

JC AdminUtils is a handy toolbox cPanel module utility for Joomla! Administrators. View your linux server health status, make notes, save code snippets, create to-do items and even configure handy shortcut URLs! Linux Server Health Info View live server health info, including: CPU Usage System Info Network Usage Disk Usage Service Status Load Average Memory Status Info Server Logins Shortcut...

CVE-2023-40630: JCDashboards, by JoomCode - Joomla Extension Directory

A reflected XSS vulnerability was discovered in the Clicky Analytics Dashboard module for Joomla.

_Clicky Analytics_ is a web analytics service from Roxr Software Ltd that can track and generate statistics about visitors from a website, at IP level. With Clicky Analytics you can collect statistics about: visits, visitors, page views, bounce rates, organic searches, referrers, goals and conversions. _Clicky Analytics_ also provides features like real-time analytics, username tracking, heatmaps, on-site analytics and uptime monitoring.

To find out more about this awesome analytics service and its features read my Clicky Analytics review.

Clicky Analytics Dashboard is a Joomla! module that will display Clicky Analytics data on your website backend. Analytics data, provided through Clicky analytics API, is integrated into a simple dashboard in your Administration Panel.

**How to install and setup Clicky Analytics Dashboard**

*   download:  Clicky Analytics Dashboard
*   unzip it and open your Joomla _Administration Panel_, go to _Extensions -> Extension Manager_, select _Choose File_, select the file downloaded above and choose _Upload & Install_
*   after installation, go to _Extensions -> Module Manager_, for filters choose _Administrator_ instead of _Site_ and search for the module called _Clicky Analytics Dashboard_
*   in module settings, set _Position_ to _Control Panel_ and _Status_ to _Published_
*   go to Options and enter your _Site ID_ and _Site Key_

_Note:_ In Joomla 3.x you can use the _Bootstrap Size_ option to control the width of the module (you can find this option in module’s settings, under _Advanced_ tab)

**How to find your Site ID and Site Key for Clicky Analytics API?**

*   log in to your Clicky Analytics account, if you don’t have one you can create it for free on clicky.com
*   select your website and go to _Preferences_ (see picture bellow)

*   copy/paste _Site ID_ and _Site Key_ in to Clicky Analytics Dashboard and click _Save & Close_
*   if the above steps were correct, _Clicky Analytics Dashboard_ should start displaying data on _System -> Control Panel_

To start tracking data with Clicky Analytics, you need to install the corresponding tracking code in to your Joomla! website, using this plugin: Clicky Tracking Code for Joomla!

**Further reading:**

*   Clicky Tracking Code for Joomla
*   Clicky Analytics Review

Source

CVE