Improper buffer restrictions in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® NUC Firmware Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® NUCs may allow escalation of privilege.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-24382

Description: Improper input validation in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-24297

Description: Improper buffer restrictions in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-21237

Description: Improper buffer access in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Affected Products:**

Intel® NUC products with BIOS before version listed in table below are affected:

Product

BIOS Fixed Version Download Link

Intel® NUC M15 Laptop Kit - LAPBC510, LAPBC710

BCTGL357.0065

Intel® NUC X15 Laptop Kits - LAPKC71F, LAPKC71E, LAPKC51E

KCTGL357.0040

Intel® NUC Extreme Compute Element NUC11DBBi9 and NUC11DBBi7, and Intel® NUC 11 Extreme Kit NUC11BTMi7 and NUC11BTMi9

DBTGL579.0055

Intel® NUC 11 Compute Element CM11EBC4W, CM11EBi38W, CM11EBi58W, CM11EBi716W

EBTGL357.0057

Intel® NUC Kits NUC11PAQ, NUC11PAH, NUC11PA

PATGL357.0042

Intel® NUC Boards/Kits NUC11TN\[x\]i3, NUC11TN\[x\]i5, NUC11TN\[x\]i7

TNTGL357.0059

Intel® NUC11PHKi7C, NUC11PHKi7CAA

PHTGL579.0064

Intel® NUC 9 Pro Compute Element - NUC9V7QNB, NUC9VXQNB

Intel® NUC 9 Pro Kit - NUC9V7QNX, NUC9VXQNX

QNCFLX70.0064

Intel® NUC9i5QN, NUC9i7QN, NUC9i9QN

QXCFL579.0064

Intel® NUC Kits NUC8i3CYSM and NUC8i3CYSN

CYCNLi35.86A.0050

Intel® NUC 8 Compute Element CM8CCB, CM8i3CB, CM8i5CB, CM8i7CB, CM8PCB

CBWHL.0095

Intel® NUC Kit NUC8i7BE, NUC8i5BE, and NUC8i3B

BECFL357.0089

**Recommendations:**

Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).

Updates are available for download at the locations listed in the provided table above.

**Acknowledgements:**

Intel would like to thank Yngweijw (CVE-2022-24382) and Dmitry Frolov (CVE-2022-24297, CVE-2022-21237) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-24297: INTEL-SA-00654

Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the `file:` URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as `ftp:`, `smb:`, etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim's computer. Version 3.118.2 contains a patch for this issue.

**Summary**

Tutanota allows users to open links in emails in external applications. It correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as ftp:, smb:, etc. which can also be used.

**Details**

*   Observe that on #L423 in src/desktop/ApplicationWindow.ts, the parsedUrl parameter is passed into a shell.openExternal function call.
*   Observe that on #L417 in src/desktop/ApplicationWindow.ts, only the file: scheme is blocked.
*   An attacker can craft a malicious email, containing a hyperlink using schemes such as ftp:, smb:, ms-msdt:, search-ms:, etc. to gain RCE on a victims computer when clicked.

**Steps to Reproduce**

**This PoC uses Ubuntu with the XFCE desktop environment, since it is least complicated to reproduce using this setup**

*   Execute and authenticate to the Tutanota desktop version 3.118.8 AppImage on a Ubuntu Desktop with the XFCE environment.  
    
*   On another machine, host an FTP server with anonymous access enabled. Create and place a pwn.desktop file in the FTP root, with the following content:

    [Desktop Entry]
    Exec=xcalc
    Type=Application
    

*   Send an email to the email account logged in on tutanota containing a hyperlink pointing to the pwn.desktop file on the FTP server. Replace the corresponding values in the hyperlink: ftp://username:password@ip-address/pwn.desktop.  
    
*   On the tutanota desktop application, click on the hyperlink in the email received. Observe that the calculator application opens. You may need to confirm execution of the application in some cases.

**PoC**

*   Video PoC for the final stage of the exploit (victim clicks on link in email):  
    https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4

**Impact**

Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victims computer.

**References**

*   https://positive.security/blog/url-open-rce
*   https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps#rce-via-shell.openexternal

CVE-2023-46116: Remote Code Execution via insufficiently sanitized call to shell.openExternal

The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector

CVE-2022-1589

Current defenses are able to protect against today's AI-enhanced cybersecurity threats, but that won't be the case for long as these attacks become more effective and sophisticated.

Artificial intelligence and machine learning (AI/ML) models have already shown some promise in increasing the sophistication of phishing lures, creating synthetic profiles, and creating rudimentary malware, but even more innovative applications of cyberattacks will likely come in the near future.

Malware developers have already started toying with code generation using AI, with security researchers demonstrating that a full attack chain could be created. 

The Check Point Research team, for example, used current AI tools to create a complete attack campaign, starting with a phishing email generated by OpenAI's ChatGPT that urges a victim to open an Excel document. The researchers then used the Codex AI programming assistant to create an Excel macro that executes code downloaded from a URL and a Python script to infect the targeted system. 

Each step required multiple iterations to produce acceptable code, but the eventual attack chain worked, says Sergey Shykevich, threat intelligence group manager at Check Point Research.

"It did require a lot of iteration," he says. "At every step, the first output was not the optimal output — if we were a criminal, we would have been blocked by antivirus. It took us time until we were able to generate good code."

Over the past six weeks, ChatGPT — a large language model (LLM) based on the third iteration of OpenAI's generative pre-trained transformer (GPT-3) — has spurred a variety of what-if scenarios, both optimistic and fearful, for the potential applications of artificial intelligence and machine learning. The dual-use nature of AI/ML models have left businesses scrambling to find ways to improve efficiency using the technology, while digital-rights advocates worry over the impact the technology will have on organizations and workers. 

Cybersecurity is no different. Researchers and cybercriminal groups have already experimented with using GPT technology for a variety of tasks. Purportedly novice malware authors have used ChatGPT to write malware, although developers attempts to use the ChatGPT service to produce applications, while sometimes successful, often produce code with bugs and vulnerabilities.

Yet AI/ML is influencing other areas of security and privacy as well. Generative neural networks (GNNs) have been used to create photos of synthetic humans, which appear authentic but do not depict a real person, as a way to enhance profiles used for fraud and disinformation. A related model, known as a generative adversarial network (GAN), can create fake video and audio of specific people, and in one case, allowed fraudsters to convince accountants and human resources departments to wire $35 million to the criminals' bank account.

The AI systems will only improve over time, raising the specter of a variety of enhanced threats that can fool existing defensive strategies.

**Variations on a (Phishing) Theme**

For now, cybercriminals often use the same or similar template to create spear-phishing email messages or construct landing pages for business email compromise (BEC) attacks, but using a single template across a campaign increases the chance that defensive software could detect the attack.

So, one main initial use of LLMs like ChatGPT will be as a way to produce more convincing phishing lures, with more variability and in a variety of languages, that can dynamically adjust to the victim's profile.

To demonstrate the point, Crane Hassold, a director of threat intelligence at email security firm Abnormal Security, requested that ChatGPT generate five variations on a simple phishing email request. The five variations differed significantly from each other but kept the same content — a request to the human resources department about what information a fictional company would require to change the bank account to which a paycheck is deposited. 

**Fast, Undetectable Implants**

While a novice programmer may be able to create a malicious program using an AI coding assistant, errors and vulnerabilities still get in the way. AI systems' coding capabilities are impressive, but ultimately, they do not rise to the level of being able to create working code on their own.

Still, advances could change that in the future, just as malware authors used automation to create a vast number of variants of viruses and worms to escape detection by signature-scanning engines. Similarly, attackers could use AI to quickly create fast implants that use the latest vulnerabilities before organizations can patch.

"I think it is a bit more than a thought experiment," says Check Point's Shykevich. "We were able to use those tools to create workable malware."

**Passing the Turing Test?**

Perhaps the best application of AI system may be the most obvious: the ability to function as artificial humans. 

Already, many of the people who interact with ChatGPT and other AI systems — including some purported experts — believe that the machines have gained some form of sentience. Perhaps most famously, Google fired a software engineer, Blake Lemoine, who claimed that the company's LLM, dubbed LaMDA, had reached consciousness.

"People believe that these machines understand what they are doing, conceptually," says Gary McGraw, co-founder and CEO at the Berryville Institute of Machine Learning, which studies threats to AI/ML systems. "What they are doing is incredible, statistical predictive auto-associators. The fact that they can do what they do is mind boggling — that they can have that much cool stuff happening. But it is not understanding."

While these auto-associative systems do not have sentience, they may be good enough to fool workers at call centers and support lines, a group that often represents the last line of defense against account takeover, a common cybercrime.

**Slower Than Predicted**

Yet while cybersecurity researchers have quickly developed some innovative cyberattacks, threat actors will likely hold back. While ChatGPT's technology is "absolutely transformative," attackers will likely only adopt ChatGPT and other forms of artificial intelligence and machine learning, if it offers them a faster path to monetization, says Abnormal Security's Hassold. 

"AI cyberthreats have been a hot topic for years," Hassold says. "But when you look at financially motivated attackers, they do not want to put a ton of effort or work into facilitating their attacks, they want to make as much money as possible with the least amount of effort."

For now, attacks conducted by humans require less effort than attempting to create AI-enhanced attacks, such as deepfakes or GPT-generated text, he says.

**Defense Should Ignore the AI Fluff**

Just because cyberattackers make use of the latest artificial intelligence system does not mean the attacks are harder to detect, for now. Current malicious content produced by AI/ML models are typically icing on the cake — they make text or images appear more human, but by focusing on the technical indicators, cybersecurity products can still recognize the threat, Hassold stresses.

"The same sort of behavioral indicators that we use to identify malicious emails are all still there," he says. "While the email may look more legitimate, the fact that the email is coming from an email address that does not belong to the person who is sending it or that a link may be hosted on a domain that has been recently registered — those are indicators that will not change."

Similarly, processes in place to double check requests to change a bank account for payment and paycheck remittance would defeat even the most convincing deepfake impersonation, unless the threat group had access or control over the additional layers of security that have grown more common.

Better Phishing, Easy Malicious Implants: How AI Could Change Cyberattacks

Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.

CVE-2019-15232

Dell Command | Monitor versions prior to 10.9 contain an arbitrary folder delete vulnerability during uninstallation. A locally authenticated malicious user may potentially exploit this vulnerability leading to arbitrary folder deletion.

**Vaikutus**

Medium

**Tiedot**

**Proprietary Code CVEs**

**Description**

**More Information**

CVE-2023-24573

Dell Command | Monitor versions prior to 10.9 contain an arbitrary folder delete vulnerability during uninstallation. A locally authenticated malicious user may potentially exploit this vulnerability leading to arbitrary folder deletion.

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 

See NVD (http://nvd.nist.gov/)  for additional details.

**Proprietary Code CVEs**

**Description**

**More Information**

CVE-2023-24573

Dell Command | Monitor versions prior to 10.9 contain an arbitrary folder delete vulnerability during uninstallation. A locally authenticated malicious user may potentially exploit this vulnerability leading to arbitrary folder deletion.

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 

See NVD (http://nvd.nist.gov/)  for additional details.

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2023-24573

Dell Command | Monitor

Versions before 10.9

10.9

https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=5RFFM

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2023-24573

Dell Command | Monitor

Versions before 10.9

10.9

https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=5RFFM

**Kiitokset**

**CVE-2023-24573**: Dell Technologies would like to thank ycdxsb for reporting this issue.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2023-02-07

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

08 helmik. 2023

CVE-2023-24573: DSA-2023-033: Dell Command | Monitor Security Update for an Arbitrary Folder Deletion Vulnerability

New web targets for the discerning hacker

New web targets for the discerning hacker

This month’s big news was the Uber hack that saw the breach of the ride-sharing app firm’s internal networks, which appeared to have been carried out via a social engineering attack targeting an employee.

The attacker also gained access to an employee’s HackerOne account before commenting on multiple tickets, implying that they had accessed highly sensitive bug bounty reports that could reveal security vulnerabilities in Uber products and infrastructure.

A 17-year-old in the UK has been arrested in connection with the breach, the City of London Police confirmed.

This incident wasn’t Uber’s only embarrassment this month, as its former security head Joe Sullivan stood trial in the US.

Former Uber engineers testified about their concerns over Sullivan’s decision to treat a 2016 hack as a white hat bounty and pay the hackers $100,000 – thus avoiding scrutiny from the Federal Trade Commission.

In bug bounty news, Immunefi says it has paid out $60 million in bounties and helped to avoid $25 billion worth of losses from web3 hacks averted.

The company connects web3 projects that need their code checked and secured with whitehat hackers, offering rewards that can reach as much as $10 million.

Meanwhile, NFT marketplace OpenSea says it has paid out $200,000 to two ethical hackers for finding vulnerabilities, at least one of which was rated critical. The details of the flaws weren’t revealed, but the company says it has moved fast to fix them.

Finally, bounty hunter Sam Curry of Yuga Labs was baffled to receive a $250,000 bounty from Google this month. The only problem? He hadn't submitted any bug report.

According to a company spokesperson – and no doubt disappointingly for Curry – the payment was made in error, and Google planned to ask for it back.

And finally, a survey conducted by SANS Institute and cybersecurity firm Bishop Fox found that the typical ethical hacker can uncover a vulnerability that offers a route beyond the network perimeter in less than 10 hours.

Moreover, 58% can hack into an environment in under five hours once a security flaw has been identified.

**The latest bug bounty programs for October 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**ALSCO**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$1,500

**Outline:  
**Network security provider ALSCO is asking ethical hackers to look for vulnerabilities in its domain.

**Notes:  
**All rewards are based on the CVSS standard. However, ALSCO says that these are general guidelines and payouts are decided at its discretion.

Check out the ALSCO bug bounty page for more details

**Aptos Petra Wallet**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$100,000

**Outline:  
**Aptos Petra Wallet is offering a bumper bounty of $100,000 for the most critical vulnerabilities in its websites and applications.

**Notes:  
**It’s worth checking out the list of top targets on the bug bounty page that could earn the hunter the top prize.

Check out the Aptos Petra Wallet’s bug bounty page for more details

**Bing Xchange**

**Program provider:  
**HackenProof

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**Bing Xchange, a crypto social trading exchange that offers spot, derivatives, and copy trading services to more than 100 countries worldwide, is asking for vulnerability reports on two domains, two apps, and its web API.

**Notes:  
**There is an extensive list of out-of-scope targets, so these should be consulted before trying your hand at any targets.

Check out Bing Xchange’s bug bounty page for more details

**Caisse d'Epargne Normandie**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€2,000

**Outline:  
**The European bank has a number of web applications and APIs to target, and is offering up to €2,000 for the most critical bugs.

**Notes:  
**The bank has noted that any issue in Yousign or mangopay is not in scope, and therefore should not be targeted.

Check out the Caisse d'Epargne Normandie bug bounty page for more details

**LinkTree**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Social media link sharing tool LinkTree is opening multiple domains and two of its mobile apps to bug bounty hunters looking for security flaws.

**Notes:  
**There are 14 different domains to target and two mobile apps, offering plenty of chances to partake.

Check out the LinkTree bug bounty page for more details

**MongoDB**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**MongoDB is asking for reports on security vulnerabilities in two of its domains and its GitHub repositories.

**Notes:  
**There are detailed instructions for bug bounty hunters on how to submit reports, so make sure to read these beforehand.

Check out the MongoDB bug bounty page for more details

**Poloniex**

**Program provider:  
**HackerOne

Program type: Public

**Max reward:  
**$5,000

**Outline:  
**Cryptocurrency exchange Poloniex is asking researchers to look for issues in five of its web domains.

**Notes:  
**The most critical bugs can potentially net bug bounty hunters £5,000.

Check out the Poloniex bug bounty page for more details

**Stader for NEAR**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$1 million

**Outline:  
**Ethical hackers are being offered the chance to bag an eye-watering one million dollars for vulnerabilities in Stader, a “non-custodial smart contract-based staking platform that helps you conveniently discover and access staking solutions”.

**Notes:  
**Bug severities – and therefore payouts – are classified according to Immunefi’s own scoring system.

Check out the Stader for NEAR bug bounty page for more details

Curated by Jessica Haworth. Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for September 2022

Bug Bounty Radar // The latest bug bounty programs for October 2022

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans

Timestamp:

04/05/2022 12:27:06 PM (4 weeks ago)

isaumya

Message:

Adding nonce support for deletion of banned users  

Location:

ad-invalid-click-protector/trunk/inc

Files:

  

*   admin\_setup.php (1 diff)
*   banned\_user\_table.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **ad-invalid-click-protector/trunk/inc/admin\_setup.php**
    
    r2656496
    
    r2705068
    
     
    
    523
    
    523
    
                $bannedUserTableOBJ = new AICP\_BANNED\_USER\_TABLE();
    
    524
    
    524
    
                $aicpOBJ = new AICP();
    
    525
    
     
    
                if( 'delete'=== $bannedUserTableOBJ->current\_action() ) {
    
    526
    
     
    
                    global $wpdb;
    
    527
    
     
    
                    $fetchedID = $\_REQUEST\['id'\];
    
    528
    
     
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
    529
    
     
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
    530
    
     
    
                    } else { //for singel delete just the id will return
    
    531
    
     
    
                                $selectedID = '%d';
    
    532
    
     
    
                    }
    
    533
    
     
    
                    if( empty( $selectedID ) ) {
    
    534
    
     
    
                        $this->delete\_notice( false );
    
    535
    
     
    
                    } else {
    
    536
    
     
    
                        $query = $wpdb->prepare(
    
    537
    
     
    
                                    "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
    538
    
     
    
                                    $fetchedID
    
    539
    
     
    
                                );
    
    540
    
     
    
                        $wpdb->query( $query );
    
    541
    
     
    
                        $this->delete\_notice( true );
    
    542
    
     
    
                    }
    
    543
    
     
    
                }
    
    544
    
     
    
                /\* End of handelling the deletion process \*/
    
    545
    
     
    
                /\* Now it's time to show our data \*/
    
     
    
    525
    
                if( ( 'delete'=== $bannedUserTableOBJ->current\_action() ) && isset( $\_REQUEST\['nonce'\] ) && wp\_verify\_nonce( $\_REQUEST\['nonce'\], 'delete\_banned\_user' ) ) {
    
     
    
    526
    
                    global $wpdb;
    
     
    
    527
    
                    $fetchedID = $\_REQUEST\['id'\];
    
     
    
    528
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
     
    
    529
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
     
    
    530
    
                    } else { //for singel delete just the id will return
    
     
    
    531
    
                        $selectedID = '%d';
    
     
    
    532
    
                    }
    
     
    
    533
    
                    if( empty( $selectedID ) ) {
    
     
    
    534
    
                        $this->delete\_notice( false );
    
     
    
    535
    
                    } else {
    
     
    
    536
    
                        $query = $wpdb->prepare(
    
     
    
    537
    
                            "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
     
    
    538
    
                            $fetchedID
    
     
    
    539
    
                        );
    
     
    
    540
    
                        $wpdb->query( $query );
    
     
    
    541
    
                $this->delete\_notice( true );
    
     
    
    542
    
                    }
    
     
    
    543
    
                }
    
     
    
    544
    
                /\* End of handelling the deletion process \*/
    
     
    
    545
    
                /\* Now it's time to show our data \*/
    
    546
    
    546
    
                ?>
    
    547
    
    547
    
                <div class="wrap">
    
*   **ad-invalid-click-protector/trunk/inc/banned\_user\_table.php**
    
    r1565011
    
    r2705068
    
     
    
    34
    
    34
    
            public function column\_ip( $item ) {
    
    35
    
    35
    
                $actions = array(
    
    36
    
     
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id ),
    
     
    
    36
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s&nonce=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id, wp\_create\_nonce( 'delete\_banned\_user' ) ),
    
    37
    
    37
    
                );
    
    38
    
    38
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0191: Changeset 2705068 – WordPress Plugin Repository

As the US reconfigures its rules on abortion after the overturning of Roe v Wade, our podcast guests explain how to keep your data private.
The post In post-Roe US, experts share how to keep your data private appeared first on Malwarebytes Labs.

In the weeks since the Supreme Court of the United States removed a nationwide right to choose to have an abortion, millions of Americans have been forced to relearn what is and isn’t safe to do online, as their actions, words, and choices—many of which are tracked digitally—could potentially be used as evidence of wrongdoing in the future.

Complicating the matter is that, immediately after the Court released its decision on June 24, cybersecurity experts and novices alike flooded social media with a brand-new set of rules for those seeking and supporting abortions: Delete your period-tracking app, use a “burner” phone when attending a protest, change how you search for abortion providers, download a new secure messenger app, maybe download entirely new online tools altogether.

Pretty much, change your life.

But according to Cooper Quintin, senior staff technologist with Electronic Frontier Foundation, some of the more common pieces of advice that were first spread online, while well-intentioned, are not entirely practical or useful.

“The advice to delete your period-tracking app or use a burner phone, I think just completely misses the mark,” Quintin said on the latest episode of the Lock and Code podcast from Malwarebytes. “It’s somehow both an oversimplification and an over-complication, and \[it\] completely fails to understand the threats that people seeking abortions are actually facing.”

On Lock and Code last week, we discussed those exact threats with Quintin and his colleague, staff attorney Saira Hussain. The full discussion, which can be heard below, reveals how the Supreme Court’s most recent decision could impact data privacy practices for millions of people in the United States.

Underpinning much of this potential shift in data privacy is, of course, the new, legal uncertainty sweeping across the country.  

Myriad, statewide legislative efforts to ban abortion outright or to place new restrictions around it have moved forward, with neighboring states sometimes implementing different rules just miles apart. In Alabama, South Dakota, Arkansas, and Missouri, abortion is now banned with no exceptions for rape or incest, and in North Dakota, Tennessee, and Wyoming, similarly broad abortion bans are expected this summer. But in Louisiana, Kentucky, and Utah, wide-ranging abortion bans been challenged in court, with judges in each state placing temporary holds on those laws before they may go into effect.

How these laws will overlap, or how individual states will enforce their own laws across state lines—if at all—is unknown, Hussain said.

“This is what legal experts and reproductive rights experts have been warning about for years—that our system is not equipped to handle issues like this,” Hussain said on the podcast, explaining that the federal right to choose to have an abortion at least provided somewhat a bulwark against decades of state interventions to restrict and limit access to abortions. “Now, all of that has been undone, and the entire question of whether somebody can seek an abortion or somebody can help provide abortion services has been left entirely to the states.”

Succinctly, Hussain warned: “It’s essentially legal chaos.”

With few answers on what will and won’t be explicitly illegal, both Hussain and Quintin shared the following, key pieces of advice on Lock and Code for those who are worried about how to secure their reproductive choices:

*   Above all else, limit any sensitive information that you share with others and that you store on your own devices.
*   Practice extra caution on social media and don’t post about seeking or providing abortion services.
*   Use a privacy-preserving search engine that won’t record your history when looking up abortion services.
*   Use a secure messenger app with disappearing messages when discussing abortion with friends or family.
*   Read the resources on abortion and reproductive health privacy provided by Digital Defense Fund and Electronic Frontier Foundation.

The next year in America could include not only a test of legal theories, but of data privacy, as law enforcement agencies will potentially rely on forms of data that are everywhere around them but that, at least until now, have not been used at an immense scale to prove whether or not someone obtained or performed an abortion.

For Hussain, the lack of clarity is worrying.

“We don’t know what the landscape will look like in this post-Roe world, but as a privacy attorney, I’m deeply concerned about the surveillance tools that law enforcement will use to investigate alleged abortions.”

****It’s about more than period-tracking apps****

The weekend after the Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization, users of period-tracking apps scrambled to either delete their data or find a way to lock it down. The companies that make period-tracking apps themselves also responded to the new landscape, with at least one company promising to provide an anonymous mode for users so that any legal requests for user data could not meaningfully be fulfilled.

On Lock and Code, Quintin said that, while the supposed catch-all advice for users to delete period-tracking apps lacks some nuance, the concern around these apps makes sense.

“The reason that people are worried about period-tracking apps, in specific, is that these apps are collecting a ton of data about you, which, could potentially be used to prove that you were at some point pregnant, and then, at some point, stopped being pregnant, without actually having a child,” Quintin said.

But, Quintin added, “period-tracking apps aren’t the only apps that are problematic.”

“The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches.”

In recent years, this data has been used to not only reveal pregnancies and advertise around them, but to also target those who potentially considered receiving an abortion.

In 2012, the New York Times reported that a teenager’s pregnancy had been revealed to her father because of her shopping habits at Target. By analyzing the teenager’s recently purchased items, Target determined that she was likely pregnant and then, as a follow up, sent coupons to her home for things like cribs and baby clothes.

In 2015, the evangelical adoption agency Bethany Christian Services, which opposes abortion, found a way to send anti-abortion ads to the phones of women who physically visited Planned Parenthood locations.

In 2016, after a woman diligently tracked her pregnancy in a pregnancy-tracking app, she miscarried. But along the way, the app she used had been sharing her data with marketing groups. But her miscarriage, which she also reported, was not shared with those same groups, and so, weeks before what would have been her due date, she received a package of baby formula in the mail, under a likely assumption that all pregnancies end the same way, with a baby.

Though the stories could alarm people, Quintin and Hussain stressed that this type of algorithmic data matching is far from the norm for how most abortions are revealed. Instead of any behind-the-scenes technology, Hussain said that when law enforcement have investigated an allegedly illegal abortion, they have first been tipped off by an informant.

Quintin added:

“If you talk to the people on the front lines of the abortion fight, they’ll tell you that the way people are being prosecuted right now is first and foremost through informants. Friends, family, spouses, medical professionals—who disagree with their decision—deciding to notify law enforcement.”

Once an informant has shared information with law enforcement, then, Quintin said, will “secondary evidence come into play.” That includes things like Google search history, posts and direct messages on social media, text messages, and emails.

“Those pieces of information are what’s being used to build a case and convict somebody, typically after they’ve already been informed on,” Quintin said.

To limit that information, our guests offered several recommendations.

****Limit your circle of trust****

Both Hussain and Quintin emphasized that one of the most important things that people can do right now to secure their reproductive choices is to limit their circle of trust. That means that people should be careful with any online and digital interactions that could reveal whether or not they plan to get an abortion.

In practice, Quintin said that means not posting about getting an abortion or providing abortion services on social media. That also means not talking about the same topics over text messages.

But the information shared with other people isn’t the only type of information that should be locked down, said Quintin. People concerned with their digital privacy should also find ways to limit the data they have on their own devices that could be used as evidence by law enforcement.

For starters, people can look up abortion services using a search engine that does not record their search history, Quintin said, naming the service DuckDuckGo.

Second, people can also download a secure messenger app with disappearing messages, so that even if people are discussing abortion options with one another, the messages themselves will disappear. Here, Quintin named the end-to-end encrypted app Signal.

Quintin stressed that these are not necessarily easy changes to make, as many are based on changing a person’s behavior as much as they are about adopting new technologies. In a society that has trained the public to broadcast so many parts of their day-to-day lives, choosing silence can be unfamiliar, Quintin said, and that includes the many individuals who are merely trying to show support on social media even if they are not personally considering an abortion.

“I think part of the reason people are doing this, and part of what’s so hard right now, is that ever since social media has become ubiquitous in our culture, we’ve been incentivized into sort of shout about everything we do,” Quintin said. “The culture has shifted to be one of always saying what you’re doing.”

But Quintin stressed the importance of this moment to change habits and to opt for saying less online. Not only could these posts get people in trouble, Quintin said, but they could also make it harder for people to find help from the organizations that are already doing this work and have been doing it, quietly, for years.

“I think that shouting that you have a whisper network is not the way to go about this,” Quintin said.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

In post-Roe US, experts share how to keep your data private

Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 2.5k

*   Code
*   Issues 741
*   Pull requests 84
*   Actions
*   Projects 1
*   Wiki
*   Security
*   Insights

Moderate

louislam published GHSA-553g-fcpf-m3wp

Feb 13, 2023

**Package**

No package listed

**Affected versions**

<= 1.19.6

**Description**

**Summary**

Uptime Kuma status page allows persistent XSS.

**PoC**

1.  Run Uptime Kuma with version 1.19.2
2.  Create a new status page with the following name:  "><script>alert('XSS discovered by Manuel')</script>
3.  Press "Next" --> The payload is executed.
4.  The payload is also executed when you select the new generated status page.

**Impact**

https://cwe.mitre.org/data/definitions/79.html

**Screenshots**

  
  

**Severity**

**CVSS base metrics**

User interaction

Required

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

**Weaknesses**

Search

lenovo warranty check/lookup | check warranty status | lenovo support us