{"vulnerability": "cve-2023-3275", "sightings": [{"uuid": "a2f06e9b-1ed3-43e2-9c52-fd8d1394fa8c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32758", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/2814", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-32758\n\ud83d\udd39 Description: giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.\n\ud83d\udccf Published: 2023-05-15T00:00:00.000Z\n\ud83d\udccf Modified: 2025-01-23T19:38:56.258Z\n\ud83d\udd17 References:\n1. https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53\n2. https://pypi.org/project/git-url-parse\n3. https://github.com/returntocorp/semgrep/pull/7611\n4. https://github.com/returntocorp/semgrep/pull/7955\n5. https://github.com/returntocorp/semgrep/pull/7943", "creation_timestamp": "2025-01-23T20:03:34.000000Z"}, {"uuid": "b1afbb77-5a81-4a86-bdc4-a0535af5e3ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32757", "type": "seen", "source": "https://t.me/cibsecurity/69182", "content": "\u203c CVE-2023-32757 \u203c\n\ne-Excellence U-Office Force file uploading function does not restrict upload of file with dangerous type. 
An unauthenticated remote attacker without logging the service can exploit this vulnerability to upload arbitrary files to perform arbitrary command or disrupt service.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-25T12:17:11.000000Z"}, {"uuid": "050e9f5f-a35e-4087-8c48-21e421c34e6d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32756", "type": "seen", "source": "https://t.me/cibsecurity/69181", "content": "\u203c CVE-2023-32756 \u203c\n\ne-Excellence U-Office Force has a path traversal vulnerability within its file uploading and downloading functions. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary system files, but can\u2019t control system or disrupt service.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-25T12:17:09.000000Z"}, {"uuid": "0639d51a-329c-4f33-85f2-c6778a721cf9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-3275", "type": "seen", "source": "https://t.me/cibsecurity/65262", "content": "\u203c CVE-2023-3275 \u203c\n\nA vulnerability classified as critical was found in PHPGurukul Rail Pass Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view-pass-detail.php of the component POST Request Handler. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. 
The identifier VDB-231625 was assigned to this vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-06-15T16:22:07.000000Z"}, {"uuid": "67e4e73d-85ad-4e6b-9b05-492f0aa12f45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32758", "type": "seen", "source": "https://t.me/cibsecurity/64078", "content": "\u203c CVE-2023-32758 \u203c\n\ngiturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep through 1.21.0, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-15T07:29:12.000000Z"}, {"uuid": "73240491-613e-4380-a768-4b3b7953d223", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32750", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/8419", "content": "#exploit\n1. CVE-2023-33381:\nOS command injection on MitraStar GPT-2741GNAC\nhttps://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC\n\n2. 
CVE-2023-32750:\nPydio Cells <=4.1.2 - Server-Side Request Forgery\nhttps://packetstormsecurity.com/files/172647", "creation_timestamp": "2023-07-05T13:11:08.000000Z"}, {"uuid": "18099be0-07fb-47c2-a511-31f56c6f36f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32755", "type": "seen", "source": "https://t.me/cibsecurity/69172", "content": "\u203c CVE-2023-32755 \u203c\n\ne-Excellence U-Office Force generates an error message in website service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-25T12:16:58.000000Z"}, {"uuid": "b933ddbe-0aff-4244-8884-a0695fd799ae", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32751", "type": "seen", "source": "https://t.me/cibsecurity/65083", "content": "\u203c CVE-2023-32751 \u203c\n\nPydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. 
By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScript code is executed when the URL is opened in a browser, leading to a cross-site scripting vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-06-10T11:02:27.000000Z"}, {"uuid": "8b5daa7c-387a-4a7e-be11-8defe59aaff1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32750", "type": "seen", "source": "https://t.me/cibsecurity/65081", "content": "\u203c CVE-2023-32750 \u203c\n\nPydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job \"remote-download\" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-06-09T00:26:13.000000Z"}, {"uuid": "2ad7458c-fbeb-48fd-bbe1-0c1bd79f5de4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32759", "type": "seen", "source": "https://t.me/cibsecurity/66751", "content": "\u203c CVE-2023-32759 \u203c\n\nAn issue in Archer Platform before v.6.13 and fixed in 6.12.0.6 and 6.13.0 allows an authenticated attacker to obtain sensitive information via a crafted URL.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-07-14T22:22:40.000000Z"}]}
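Worked example for the CVE-2023-32758 sightings above (ReDoS in giturlparse when Semgrep parses URLs taken from an untrusted package). This is an added example written for this page, not code from giturlparse, Semgrep or the sighting sources: REDOS_PATTERN is an illustrative nested-quantifier regex rather than the pattern referenced at giturlparse/parser.py, and SCP_LIKE, URL_LIKE, MAX_URL_LEN and the function names are assumptions chosen to show the mitigation (a length cap before any regex runs, plus patterns with no nested or ambiguous quantifiers).

```python
"""Parsing untrusted Git URLs without catastrophic backtracking.

Added example written for this page; not giturlparse or Semgrep code.
REDOS_PATTERN is illustrative and is not the pattern in giturlparse/parser.py;
SCP_LIKE, URL_LIKE and MAX_URL_LEN are assumptions for the demonstration.
"""
import re
import time
from typing import Optional

MAX_URL_LEN = 2048  # assumption: reject before any regex sees the input

# Illustrative vulnerable pattern: the nested quantifier lets the engine
# split one run of characters many ways before concluding '@' is missing,
# so a non-matching input of n characters costs O(2**n) steps.
REDOS_PATTERN = re.compile(r"^(?:[\w.-]+)+@")

# Linear-time patterns: each greedy class is followed by a literal that the
# class cannot match ('@', ':', '/'), so a failure backtracks once per
# character; the lazy path group grows one character at a time and the
# optional ".git" / "/" suffix check after it is constant work per step.
SCP_LIKE = re.compile(
    r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+):(?P<path>[\w./-]+?)(?:\.git)?/?$"
)
URL_LIKE = re.compile(
    r"^(?P<scheme>https?|ssh|git)://(?:(?P<user>[\w.-]+)@)?"
    r"(?P<host>[\w.-]+)(?::(?P<port>\d+))?/(?P<path>[\w./-]+?)(?:\.git)?/?$"
)


def parse_git_url(url: str) -> Optional[dict]:
    """Return {'host', 'owner', 'repo'} for a recognised Git URL, else None."""
    if len(url) > MAX_URL_LEN:          # cheap guard before any regex work
        return None
    m = SCP_LIKE.match(url) or URL_LIKE.match(url)
    if m is None:
        return None
    parts = m.group("path").strip("/").split("/")
    if len(parts) < 2 or not all(parts):
        return None
    return {"host": m.group("host"), "owner": parts[0], "repo": parts[-1]}


def redos_probe(n: int, pattern: "re.Pattern" = REDOS_PATTERN) -> float:
    """Seconds spent matching `pattern` against n word characters followed
    by '!' (never matches). Grows exponentially for REDOS_PATTERN and stays
    flat for SCP_LIKE; keep n small, n=20 already costs about a million steps."""
    payload = "a" * n + "!"
    start = time.perf_counter()
    pattern.match(payload)
    return time.perf_counter() - start


if __name__ == "__main__":
    for url in ("git@github.com:coala/git-url-parse.git",
                "https://github.com/returntocorp/semgrep",
                "ssh://git@example.org:2222/team/project.git/",
                "a" * 3000):
        print(url[:44], "->", parse_git_url(url))
    for n in (12, 14, 16, 18):
        print(f"n={n}: nested {redos_probe(n):.4f}s, linear {redos_probe(n, SCP_LIKE):.6f}s")
```

The length cap alone is not a fix: with an exponential pattern, 2048 characters is still unbounded work. The cap limits the damage of a merely quadratic pattern and keeps the linear patterns cheap; the real mitigation is that SCP_LIKE and URL_LIKE contain no quantified group that can match the same text in more than one way. Running the probe loop shows the nested pattern roughly doubling per extra character while the linear one stays in microseconds.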
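Worked example for the CVE-2023-32750 sighting above (the "remote-download" background job fetching an attacker-chosen URL from the backend). This is an added example written for this page and is not Pydio Cells code: it shows the destination check a server-side fetch job needs before it makes the request. The function names, the constructed FAKE_DNS table used so the example runs offline, and the (hostname, pinned_ip) return shape are assumptions; the HTTP fetch itself is out of scope.

```python
"""Destination check for a server-side "download this URL into a folder" job.

Added example written for this page to show the defence against the SSRF
class described for the remote-download job; not Pydio Cells code.
Function names, the stub DNS table and the return shape are assumptions.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer from the OS resolver (what production would use)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed DNS table so the example runs offline; these are not real records.
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],             # cloud metadata endpoint
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # split answer: one bad = deny
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    # is_global already excludes loopback, link-local, RFC 1918, CGNAT,
    # unspecified and documentation ranges; multicast is excluded explicitly.
    return addr.is_global and not addr.is_multicast


def validate_fetch_target(url: str, resolve: Resolver = system_resolver) -> Tuple[str, str]:
    """Return (hostname, pinned_ip) when the URL may be fetched, else raise ValueError.

    The caller must connect to pinned_ip (sending `hostname` as Host/SNI) and
    must re-run this check on every redirect; otherwise a changed DNS answer
    or a 302 to an internal address bypasses the validation."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        answers = [str(ipaddress.ip_address(host))]   # IP literal, including [v6]
    except ValueError:
        # Non-dotted forms such as "2130706433" fall through to the resolver,
        # which on most platforms yields 127.0.0.1 and is then rejected below.
        answers = list(resolve(host))
    if not answers:
        raise ValueError(f"{host} did not resolve")
    rejected = [a for a in answers if not is_public_address(a)]
    if rejected:
        raise ValueError(f"{host} resolves to non-public address(es) {rejected}")
    return host, answers[0]


def is_allowed(url: str, resolve: Resolver = fake_resolver) -> bool:
    """Boolean wrapper over validate_fetch_target (resolver errors count as deny)."""
    try:
        validate_fetch_target(url, resolve)
        return True
    except (ValueError, OSError):
        return False


if __name__ == "__main__":
    for u in ("https://files.example.com/report.pdf",
              "http://metadata.internal/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/admin",
              "http://rebind.example.net/",
              "file:///etc/passwd"):
        print(f"{'ALLOW' if is_allowed(u) else 'DENY ':5} {u}")
```

Two details matter beyond the address classes. A split DNS answer (one public, one private address) is denied outright rather than filtered, because the fetch library, not this check, decides which answer it uses. And the check is only worth anything if the fetch connects to the pinned address and re-validates redirect targets; a job that validates the first URL and then lets the HTTP client follow a 302 is still an open proxy into the backend's network.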
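Worked example for the CVE-2023-32751 sighting above (download URLs signed with a secret that ships in the web application's JavaScript, and a download that can be switched from attachment to inline). This is an added example written for this page, not Pydio Cells code: it shows the server-side shape of a fix, where the signing key never leaves the server and the headers that decide how the browser treats the body are fixed by the server and covered by the signature. The query-parameter names are modelled on S3-style response-header overrides; SERVER_SECRET, the parameter layout and the helper names are assumptions.

```python
"""Server-side signing of download URLs for user-uploaded content.

Added example written for this page; not Pydio Cells code. Parameter names
follow S3-style response-header overrides; SERVER_SECRET, the layout and
the helper names are assumptions.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption for the demo. In production: generated at deploy time, held only
# by the server, never embedded in any JavaScript bundle.
SERVER_SECRET = b"constructed-demo-secret-do-not-ship-to-clients"

# Overrides the server insists on for user content. Because they are part of
# the signed string, a client cannot turn 'attachment' into 'inline'.
FORCED_OVERRIDES = {
    "response-content-disposition": "attachment",
    "response-content-type": "application/octet-stream",
}


def _canonical(path: str, params: dict) -> bytes:
    """Deterministic string-to-sign: path plus sorted query (without sig)."""
    return (path + "?" + urlencode(sorted(params.items()))).encode()


def sign_download_url(path: str, expires_in: int = 300, now: Optional[int] = None) -> str:
    """Mint a short-lived download URL for `path`; only the server can do this."""
    now = int(time.time()) if now is None else now
    params = dict(FORCED_OVERRIDES, expires=str(now + expires_in))
    params["sig"] = hmac.new(SERVER_SECRET, _canonical(path, params), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(sorted(params.items()))


def verify_download_url(url: str, now: Optional[int] = None) -> dict:
    """Return the response headers to send, or raise ValueError.

    After the signature check the override values are compared against the
    fixed policy rather than echoed, so a URL signed elsewhere with other
    values, or a tampered one, never results in an inline HTML response."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    sig = q.pop("sig", "")
    expected = hmac.new(SERVER_SECRET, _canonical(parts.path, q), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if int(q.get("expires", "0")) < now:
        raise ValueError("expired")
    for key, value in FORCED_OVERRIDES.items():
        if q.get(key) != value:
            raise ValueError(f"override rejected: {key}")
    return {
        "Content-Disposition": q["response-content-disposition"],
        "Content-Type": q["response-content-type"],
        "X-Content-Type-Options": "nosniff",   # stop browsers re-sniffing to text/html
    }


def is_valid_download_url(url: str, now: Optional[int] = None) -> bool:
    try:
        verify_download_url(url, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = sign_download_url("/files/report.html", now=1_000_000)
    print(good)
    print("original :", is_valid_download_url(good, now=1_000_100))
    print("inline   :", is_valid_download_url(good.replace("attachment", "inline"), now=1_000_100))
    print("expired  :", is_valid_download_url(good, now=1_001_000))
```

The contrast with the pattern in the sighting is the location of the key: here nobody outside the server can compute a valid `sig`, so the "generate valid signatures for arbitrary download URLs" step is gone, and because the disposition is inside the signed string, editing `attachment` to `inline` in a leaked URL invalidates it instead of changing how the browser renders an uploaded HTML file.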