## Multiple Critical Vulnerabilities in Planet Enterprises Ltd - Planet eStream

- **Title**: Multiple Critical Vulnerabilities
- **Product**: Planet Enterprises Ltd - Planet eStream
- **Vulnerable Version**: <6.72.10.07
- **Fixed Version**: 6.72.10.07
- **CVE Numbers**: CVE-2022-45896, CVE-2022-45893, CVE-2022-45891, CVE-2022-45889, CVE-2022-45890, CVE-2022-45894, CVE-2022-45895
- **Unit**: SEC Consult Vulnerability Lab
- **Impact**: Critical
- **Homepage**: [Planet eStream](http://www.planetestream.co.uk)
- **Found**: 01.09.2022
- **By**: Timon Vogel, Philipp Espermanyber, Hroje Folakovic

### Vulnerability Overview

1. **Arbitrary File Upload Leading to Remote Code Execution (CVE-2022-45896)** - Attackers can upload arbitrary malicious files and execute arbitrary code, leading to full system compromise.
2. **Account Takeover (CVE-2022-45893)** - Low-privileged users can bypass authentication and authorization by modifying the value of the ON cookie, gaining elevated privileges.
3. **Access Control Vulnerability (CVE-2022-45891)** - A flawed authorization scheme allows users to access restricted functionality.
4. **SQL Injection (CVE-2022-45889)** - Due to insufficient input validation, the application allows direct injection of SQL commands.
5. **Multiple Stored Cross-Site Scripting (XSS) (CVE-2022-45892)** - User input in multiple locations is neither sanitized nor encoded before it is stored and rendered, leading to stored XSS vulnerabilities.
6. **Reflected Cross-Site Scripting (XSS) (CVE-2022-45890)** - The application returns user input without filtering or escaping it, resulting in reflected XSS vulnerabilities.
7. **Path Traversal (CVE-2022-45894)** - Attackers can exploit path traversal to access other files and directories on the server.
8. **Information Disclosure (CVE-2022-45895)** - Certain components of the platform disclose sensitive information about other users, even though access to that information would not, under normal circumstances, pose a direct security threat.
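The account takeover item above describes the classic failure of letting the cookie itself name the account. The following added example (not code from Planet eStream or from the advisory; user ids, the `USERS` table and function names are constructed for illustration) contrasts that pattern with an opaque server-side session token, which is the usual fix: the cookie value carries no identity, so rewriting it yields no other user's session.

```python
import secrets

# Constructed user table standing in for the application's accounts (not Planet eStream data).
USERS = {"1": {"name": "admin", "role": "admin"}, "42": {"name": "alice", "role": "user"}}


def resolve_user_insecure(cookie_value: str):
    """Vulnerable pattern: the cookie directly names the account, so a client
    that rewrites "42" to "1" is treated as the administrator."""
    return USERS.get(cookie_value)


# Hardened pattern: the cookie is an opaque random token and the mapping from
# token to account exists only on the server (hypothetical in-memory store).
SESSIONS: dict[str, str] = {}


def create_session(user_id: str) -> str:
    """Issue a fresh unguessable token (256 bits from the OS CSPRNG) for a known user."""
    if user_id not in USERS:
        raise KeyError("unknown user")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def resolve_user_secure(cookie_value: str):
    """Look the token up server-side; unknown, tampered or revoked tokens resolve to nobody."""
    user_id = SESSIONS.get(cookie_value)
    return USERS.get(user_id) if user_id is not None else None


def revoke_session(token: str) -> None:
    """Logout / forced invalidation: drop the mapping so the token stops working."""
    SESSIONS.pop(token, None)
```

Pair the session store with a short lifetime and the `Secure`, `HttpOnly` and `SameSite` cookie attributes; the token design only removes the trust in client-supplied identity, it does not by itself protect the token in transit.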
### Remediation Advice

The vendor has released a new version fixing all reported vulnerabilities. Affected users should verify they are running the latest patched version, v6.72.10.07.

### Incident Response

- **Report Date**: September 2, 2022
- **Initial Contact**: October 3, 2022, via direct email to the vendor
- **Vendor Fix Validation**:
  - October 24, 2022: Vendor's patched software version resolved all reported vulnerabilities.
  - November 18, 2022: Vendor provided the updated version number including all fixes.
- **Advisory Release**: November 30, 2022, coordinated security advisory published.