LioTree

A SQL injection vulnerability in Razor v0.8.0.

In https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/controllers/manage/autoupdate.php#L187, $description is controlled by users and has few restrictions on its format.

$this->form_validation->set_rules('description', lang('v_man_au_updateLog'), 'trim|required|xss_clean');
$this->form_validation->set_rules('versionid', lang('v_man_au_versionID'), 'trim|required|xss_clean|callback_versionid_check');
//......
  $description = $this->input->post('description');

LioTree

A SSRF vulnerability in gleezcms 1.20.

If :// is present in the URL path, GleezCMS will use the cURL library to send a request specified by the attacker.

POC:

https://gleezcms.org/http%3A%2F%2Fwww.google.com
https://gleezcms.org/gopher%3A%2F%2F127%2E0%2E0%2E1%3A9000%2F%5Ftest

LioTree

A SQL injection vulnerability in Onethink 1.1

In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Controller/ModelController.class.php#L148, $table is controlled by users.

$table = I('post.table');
empty($table) && $this->error('请选择要生成的数据表！');
$res = D('Model')->generate($table,I('post.name'),I('post.title'));

LioTree

A code injection vulnerability in Onethink 1.1

In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Controller/AddonsController.class.php#L38, $data is controlled by users.

$data                   =   $_POST;

In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Controller/AddonsController.class.php#L226, $data['config'] is written into a php file directly.

LioTree

A code injection vulnerability in hisiphp 2.0.11

In https://github.com/hisiphp/hisiphp/blob/d05c908c29d574b84aa9e8932b13a5ef54e0a429/application/system/admin/Plugins.php#L129, $data is controlled by users.

$model = new PluginsModel();
$data = $this->request->post();
$result = $this->validate($data, 'app\system\validate\SystemPlugins');
if ($result !== true) {
    return $this->error($result);

LioTree

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)

version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)

A code injection(CWE-94) vulnerability is in application/modules/admin/controllers/advanced_settings/Languages.php. In the saveLanguageFiles method, the element of $_POST['php_keys'] is escaped by htmlentities and enclosed in two single quotes as the key of $lang. However, htmlentities doesn't escape ' , which allows the attacker to escape from single quotes and inject malicious PHP code, leading to authenticated remote code execution.

private function saveLanguageFiles()

LioTree

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)

version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)

An arbitrary file deletion (CWE-73) vulnerability is in application/modules/admin/controllers/ecommerce/Publish.php. In the method removeSecondaryImage, the attacker can delete any file in the server by controlling $_POST['folder'] and $_POST['image'] after authorization.

public function removeSecondaryImage()

LioTree

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)

version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)

A second-order SQL injection vulnerability is in manageQuantitiesAndProcurement method of application/modules/admin/models/Orders_model.php. The $product['product_quantity'] and $product['product_info']['id'] are inserted into SQL statements without any sanitizers. These two values come from previous query result and users can control them in setOrder method of application/models/Public_model.php, which leads to a SQL injection.

LioTree

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)

version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)

A file inclusion vulnerability is in getLangFolderForEdit method of application/modules/admin/controllers/advanced_settings/Languages.php. By controlling $_GET['editLang'], the attacker can make the server include .php files under specific directory. The attacker can use CVE-2024-31821 to write malicous PHP code in log-xxxx.php and use this vulnerability to include PHP files under application/logs/ (At this point, BASEPATH has been set, allowing bypass of the check at the beginning of the log file.), which leads to remote code execution.

LioTree

Vendor: https://github.com/xiebruce/PicUploader

version: before https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be

A SQL injection vulnerability is in https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryController.php#L107

$keyword = isset($_GET['keyword']) ? trim($_GET['keyword']) : '';

$model = new HistoryModel();