In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between March 30-31, 2024.
During this period, the National Vulnerability Database published 26 new Common Vulnerabilities and Exposures (CVEs), classified as follows:
Critical: 1
High: 7
Medium: 14
Low: 2
Severity Not Assigned: 2
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-2047
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.0.5/widgets/testimonial/testimonial.php#L2458
https://plugins.trac.wordpress.org/changeset/3054091/elementskit-lite/tags/3.0.7/widgets/testimonial/testimonial.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/413e6326-14c6-4734-8adc-114a7842c574?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-2086
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: The Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers to modify plugin settings as well as allowing full read/write/delete access to the Google Drive associated with the plugin.
References: https://plugins.trac.wordpress.org/changeset/3051452/integrate-google-drive/tags/1.3.9/includes/class-ajax.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/a303c798-c206-426a-9a96-263c8c069bdb?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-2948
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user_favorites' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes such as 'no_favorites'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3061244%40favorites&new=3061244%40favorites&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/38a87046-9a46-40c2-b10d-d1a7d5ef8742?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-3085
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability classified as critical has been found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login Page. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-258678 is the identifier assigned to this vulnerability.
References: https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/eahp_sqli.md
https://vuldb.com/?ctiid.258678
https://vuldb.com/?id.258678
https://vuldb.com/?submit.306958
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-3087
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected by this issue is some unknown functionality of the file ambulance-tracking.php of the component Ambulance Tracking Page. The manipulation of the argument searchdata leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-258680.
References: https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/eahp_rce.md
https://vuldb.com/?ctiid.258680
https://vuldb.com/?id.258680
https://vuldb.com/?submit.306961
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-3088
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. This affects an unknown part of the file /admin/forgot-password.php of the component Forgot Password Page. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-258681 was assigned to this vulnerability.
References: https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/eahp_forgotpasssqli.md
https://vuldb.com/?ctiid.258681
https://vuldb.com/?id.258681
https://vuldb.com/?submit.306962
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-3018
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the 'error_resetpassword' attribute of the "Login | Register Form" widget (disabled by default). This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/changeset/3060417/essential-addons-for-elementor-lite
https://www.wordfence.com/threat-intel/vulnerabilities/id/342049e5-834e-4867-8174-01ca7bb0caa2?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-1522
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: I have activated CORS because I had a development UI that uses another port number, then I forgot to remove it.
So what I just did is:
- First, removed the CORS configuration that allows everyone to access it:
before:
```python
sio = socketio.AsyncServer(async_mode="asgi", cors_allowed_origins="*", ping_timeout=1200, ping_interval=30) # Enable CORS for everyone
```
after:
```python
cert_file_path = lollms_paths.personal_certificates/"cert.pem"
key_file_path = lollms_paths.personal_certificates/"key.pem"
if os.path.exists(cert_file_path) and os.path.exists(key_file_path):
    is_https = True
else:
    is_https = False
# Create a Socket.IO server
sio = socketio.AsyncServer(async_mode="asgi", cors_allowed_origins=config.allowed_origins+[f"https://localhost:{config['port']}" if is_https else f"http://localhost:{config['port']}"], ping_timeout=1200, ping_interval=30) # Enable CORS for selected origins
```
- Second, I have updated lollms to have two modes (a headless mode and a UI mode).
And updated /execute_code to block if the server is headless or is exposed:
```python
@router.post("/execute_code")
async def execute_code(request: Request):
    """
    Executes Python code and returns the output.
    :param request: The HTTP request object.
    :return: A JSON response with the status of the operation.
    """
    if lollmsElfServer.config.headless_server_mode:
        return {"status":False,"error":"Code execution is blocked when in headless mode for obvious security reasons!"}
    if lollmsElfServer.config.host=="0.0.0.0":
        return {"status":False,"error":"Code execution is blocked when the server is exposed outside for very obvious reasons!"}
    try:
        data = (await request.json())
        code = data["code"]
        discussion_id = int(data.get("discussion_id","unknown_discussion"))
        message_id = int(data.get("message_id","unknown_message"))
        language = data.get("language","python")
        if language=="python":
            ASCIIColors.info("Executing python code:")
            ASCIIColors.yellow(code)
            return execute_python(code, discussion_id, message_id)
        if language=="javascript":
            ASCIIColors.info("Executing javascript code:")
            ASCIIColors.yellow(code)
            return execute_javascript(code, discussion_id, message_id)
        if language in ["html","html5","svg"]:
            ASCIIColors.info("Executing html code:")
            ASCIIColors.yellow(code)
            return execute_html(code, discussion_id, message_id)
        elif language=="latex":
            ASCIIColors.info("Executing latex code:")
            ASCIIColors.yellow(code)
            return execute_latex(code, discussion_id, message_id)
        elif language in ["bash","shell","cmd","powershell"]:
            ASCIIColors.info("Executing shell code:")
            ASCIIColors.yellow(code)
            return execute_bash(code, discussion_id, message_id)
        elif language in ["mermaid"]:
            ASCIIColors.info("Executing mermaid code:")
            ASCIIColors.yellow(code)
            return execute_mermaid(code, discussion_id, message_id)
        elif language in ["graphviz","dot"]:
            ASCIIColors.info("Executing graphviz code:")
            ASCIIColors.yellow(code)
            return execute_graphviz(code, discussion_id, message_id)
        return {"status": False, "error": "Unsupported language", "execution_time": 0}
    except Exception as ex:
        trace_exception(ex)
        lollmsElfServer.error(ex)
        return {"status":False,"error":str(ex)}
```
I also added an optional HTTPS mode and am looking forward to adding full authentication with cookies, a personal session, etc.
All updates will be in V 9.1.
Again, thanks a lot for your work. I will make it harder next time, but if you find more bugs, just be my guest :)
References: https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b
https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
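The CVE-2024-1522 fix quoted above swaps the `*` wildcard for an exact-origin allowlist and gates `/execute_code` on the headless and bind-address settings. As an added example that is not lollms-webui's code, the stand-alone Python below models those two checks so they can be exercised directly; `build_allowed_origins`, `is_origin_allowed`, `code_execution_allowed` and the sample origins are constructed for this illustration and assume `config_allowed` plays the role of `config.allowed_origins`.

```python
"""Added example (not lollms-webui code): exact-origin allowlisting and the
code-execution gate that the CVE-2024-1522 fix introduces, modelled stand-alone.

Constructed assumptions: `config_allowed` stands in for config.allowed_origins,
`port` is the listening port, and `origin` is the raw Origin request header
(None when the client sent none).
"""
from urllib.parse import urlsplit


def build_allowed_origins(config_allowed, port, is_https):
    """Operator-supplied origins plus the UI's own localhost origin (as in the fix)."""
    scheme = "https" if is_https else "http"
    allowed = list(config_allowed) + [f"{scheme}://localhost:{port}"]
    # The pre-fix setting was "*": with a wildcard, any page a logged-in user
    # visits can open a Socket.IO session to the server (the CWE-352 condition).
    # Refuse to carry a wildcard into the allowlist even if the config has one.
    return [o for o in allowed if o != "*"]


def normalize_origin(origin):
    """Canonical scheme://host:port form so comparison is exact, not substring-based."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port component
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{parts.hostname}:{port}"


def is_origin_allowed(origin, allowlist):
    """True only when the request Origin exactly matches an allowlisted origin.

    This example takes the conservative choice of rejecting a missing or "null"
    Origin, since browsers always send one on cross-site WebSocket handshakes.
    """
    if origin is None or origin == "null":
        return False
    requested = normalize_origin(origin)
    if requested is None:
        return False
    return any(normalize_origin(a) == requested for a in allowlist)


def code_execution_allowed(headless_server_mode, host):
    """The gate placed in front of /execute_code: refuse when headless or bound to all interfaces."""
    if headless_server_mode:
        return False, "headless mode"
    if host == "0.0.0.0":
        return False, "server is exposed on all interfaces"
    return True, "ok"
```

Note that `http://localhost:9600.attacker.test` is rejected because its port component is not numeric, and `https://localhost:9600` is rejected when the server runs plain HTTP: the scheme and port are part of the origin, so a match on host alone is not enough.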