6en6ar

Product:  https://kwhotel.com/download/kwhotel-free/
Version: v0.47
Vulnerability type: CSV injection
CVE ID: CVE-2023-46400

Description: CSV Formula Injection inside KWHotel Free edition through version 0.47 inside add guest functionality.
When adding a guest a payload in form of a csv injection can be embedded inside the comment field of the guest. 
The input is not validated and can be exported to a csv file resulting in a csv formula injection. Payload used:

@SUM(44+44)*cmd|' /C powershell'!A0

6en6ar

Product:  https://www.npmjs.com/package/parse-uri
Version: v1.0.9
Vulnerability type: Denial of Service
CVE ID: CVE-2024-36751

Description: There is a possible Denial of service when repeating characters are added to a url being parsed. 
It seems that the regex for checking the url on line 28. and 29. in index.jsis vulnerable to regex denial of service;

Github issue: https://github.com/Kikobeats/parse-uri/issues/14

6en6ar

Product: https://www.npmjs.com/package/s3-url-parser
Version: 1.0.3
Vulnerability type: Denial of Service
CVE ID: CVE-2024-25355

The regexes defined on lines 7. , 17. and 27. inside https://github.com/AntonioRecaldeRusso/s3-url-parser/blob/master/index.js 
are vulnerable to regex denial of service when a long input is provided resulting in a crash. 
I've managed to reproduce it with this code:

import s3ParseUrl from 's3-url-parser';

6en6ar

Product: https://www.npmjs.com/package/domain-suffix
Version: 1.0.8
Vulnerability type: Denial of Service
CVE ID: CVE-2024-25354

The regex defined on line 28. inside https://github.com/ikrong/domain-suffix/blob/master/src/domainSuffix.ts 
is vulnerable to Regex Denial of Service. When a long string is provided to the application without specifying "/" character 
the function parse will be stuck for indefinite amount of time,  in this case 10 seconds, but this can be 
amplified if more characters are added. 
PoC code:

6en6ar

A regex defined on line 1. inside https://github.com/alanclarke/urlite/blob/master/lib/pattern.js inside npm package "Urlite" 
(https://www.npmjs.com/package/urlite) is found to be vulnerable to Regex Denial of Service when malicious input containing a long regex input is 
provided to the application that parses a URL. When  a malicious payload is provided to the parsing 
function the application will hang for indefinite amount of time causing Denial of Service. 
If more requests are sent using the same payload it can result in 
Distributed Denial of service potentially rendering the service unavailable.

Payload that was used:

  var payload ='//:' + '\t:\t'.repeat(90000)+ '\t'

6en6ar

[NAME OF AFFECTED PRODUCT(S)]

  - https://pkg.go.dev/github.com/whilp/git-urls v1.0.0

[AFFECTED AND/OR FIXED VERSION(S)]

  - v1.0.0
  - Status: not fixed

[VULNERABILITY] 

6en6ar

The regex on line 10. inside https://github.com/teomantuncer/node-email-check/blob/main/main.js is vulnerable to a Regex Denial of Service 
if a malicious string is provided causing the application using the package to hang.

Proof of concept code to test it:

const emailCheck = require('node-email-check');

// async request with mx check
//await emailCheck.isValid('[email protected]');
// sync request without mx check

6en6ar

Regex Denial of service in urlnorm package on https://crates.io/crates/urlnorm

The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs.

The regex defined on line 37. in https://github.com/progscrape/urlnorm/blob/main/src/lib.rs used for trimming .html and other 
extensions when normalizing the url is vulnerable to a Regex Denial of Service when malicious input is provided.
Poc Code:

'''
use url::Url;

6en6ar

radare2

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

• analyze all: aa
• show sections: iS
• list functions: afl
• list imports: ii
• list entrypoints: ie
• seek to function: s sym.main