A newly discovered heap-based buffer overflow in the glibc's __vsyslog_internal() function, called by syslog() and vsyslog(), poses a significant security risk. Identified as CVE-2023-6246, this vulnerability was inadvertently introduced in glibc versions 2.37 and backported to 2.36. **Impact:** - Allows for Local Privilege Escalation to root from an unprivileged user. - Affects common distributions like Debian 12 & 13, Ubuntu 23.04 & 23.10, and Fedora 37 to 39. - Requires local network access; remote exploitation is highly unlikely. **Mitigation:** - Review and apply necessary patches immediately. - Monitor system logs for unusual activities.

Summary A template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Attacker was able to trigger SSTI via the Laravel dispatcher functionality. Advisory: (https://github.com/cachethq/cachet/security/advisories/GHSA-hv79-p62r-wg3p)

An issue in Roundcube Plus Plugin: Two Factor Authentication (x2fa) 1.0 to 1.1.8 allows attackers to bypass the security mechanism and gain unauthorized access via a crafted request.



how to exploit or do a poc for this vulnerability

Technical Details by Researcher is published here : https://link.medium.com/5Vi22ULA8xb

This is a complete detailed technical analysis of the CVE-2022-44877 with exploitation script and video explaining how to use the tool https://www.vicarius.io/vsociety/blog/unauthenticated-rce-in-centos-control-web-panel-7-cwp-cve-2022-44877 https://www.vicarius.io/vsociety/blog/unique-exploit-cve-2022-44877-exploitation-tool https://www.vicarius.io/vsociety/posts/1347