The following articles demonstrate what went wrong in the web applications' code and how they were fixed.

Everything is code, so enjoy it!

CVE-2019-10062

PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: obtaining a webshell. The component is: data/inc/images.php, line 36. The attack vector is: modifying the MIME type in the HTTP upload request to upload a PHP file. The fixed version is: any build after commit 09f0ab871bf633973cfd9fc4fe59d4a912397cf8. https://github.com/pluck-cms/pluck/issues/44

CVE-2019-1010259

SaltStack Salt 2018.3 and 2019.2 are affected by: SQL Injection. The impact is: an attacker could escalate privileges on a MySQL server deployed by a cloud provider, which leads to RCE. The component is: the mysql.user_chpass function from the MySQL module for Salt. The attack vector is: a specially crafted password string. The fixed version is: 2018.3.4. https://github.com/saltstack/salt/pull/51462

https://github.com/saltstack/salt/pull/51462/commits/ed62a2f87312ced2bc555cad2d756a2228f1987d

CVE-2019-10158

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. https://github.com/infinispan/infinispan/pull/7025

https://github.com/infinispan/infinispan/pull/7025/commits/936f26826e8bb60758ff70b8f1f2eb2862648e79

CVE-2019-10231

Teclib GLPI before 9.4.1.1 is affected by a PHP type juggling vulnerability allowing bypass of authentication. This occurs in Auth::checkPassword() (inc/auth.class.php). https://github.com/glpi-project/glpi/releases/tag/9.4.1.1

https://github.com/glpi-project/glpi/pull/5520/files

CVE-2019-10743

All versions of archiver allow an attacker to perform a Zip Slip attack via the "unarchive" functions. It is exploited using a specially crafted zip archive that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. https://github.com/mholt/archiver/pull/169

https://github.com/mholt/archiver/pull/169/commits/d818164a438603f1ba3fa952c7d99321f924301c

CVE-2019-10748

All Sequelize versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection because JSON path keys are not properly escaped for the MySQL/MariaDB dialects. https://github.com/sequelize/sequelize/pull/11089

CVE-2019-10762

columnQuote in Medoo before 1.7.5 allows remote attackers to perform SQL Injection due to improper escaping. https://github.com/catfan/Medoo/commit/659864b393961bf224bba1efc03b7dcbed7de533

CVE-2019-10842

Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare. https://github.com/twbs/bootstrap-sass/issues/1195

CVE-2019-11408

XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX. https://github.com/fusionpbx/fusionpbx/commit/391a23d070f3036d0c7760992f6970b0a76ee4d7
