Improper authorization in the custom URL scheme handler in "Rikunabi NEXT" App for Android prior to ver. 11.5.0 allows a malicious intent to lead the vulnerable App to access an arbitrary website.

Published:2023/08/09  Last Updated:2023/08/09

**Overview**

"Rikunabi NEXT" App for Android provided by Recruit Co., Ltd. fails to restrict custom URL schemes properly.

**Products Affected**

*   "Rikunabi NEXT" App for Android prior to ver. 11.5.0

**Description**

"Rikunabi NEXT" App for Android provided by Recruit Co., Ltd. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.

**Impact**

A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

**Solution**

**Update the Application**  
Update the application to the latest version according to the information provided by the developer.  
The developer has released the following version that fixes the vulnerability.

*   "Rikunabi NEXT" App for Android ver. 11.5.0

**Vendor Status**

Vendor

Status

Last Update

Vendor Notes

Recruit Co., Ltd.

Vulnerable

2023/08/09

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Nao Komatsu of LAC Co., Ltd. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-39507: "Rikunabi NEXT" App for Android fails to restrict custom URL schemes properly

Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.

Expand Up

@@ -29,6 +29,7 @@ import { getTooltipDiv, updateTooltipPosition } from "../components/Tooltip";

import { getSelectedElements } from "../scene";

import { isPointHittingElementBoundingBox } from "./collision";

import { getElementAbsoluteCoords } from "./";

import { isLocalLink, normalizeLink } from "../data/url";

  

import "./Hyperlink.scss";

import { trackEvent } from "../analytics";

Expand Down Expand Up

@@ -166,7 +167,7 @@ export const Hyperlink = ({

/\>

) : (

<a

href\={element.link || ""}

href\={normalizeLink(element.link || "")}

className\={clsx("excalidraw-hyperlinkContainer-link", {

"d-none": isEditing,

})}

Expand All

@@ -177,7 +178,13 @@ export const Hyperlink = ({

EVENT.EXCALIDRAW\_LINK,

event.nativeEvent,

);

onLinkOpen(element, customEvent);

onLinkOpen(

{

...element,

link: normalizeLink(element.link),

},

customEvent,

);

if (customEvent.defaultPrevented) {

event.preventDefault();

}

Expand Down Expand Up

@@ -231,21 +238,6 @@ const getCoordsForPopover = (

return { x, y };

};

  

export const normalizeLink \= (link: string) \=> {

link \= link.trim();

if (link) {

// prefix with protocol if not fully-qualified

if (!link.includes("://") && !/^\[\[\\\\/\]/.test(link)) {

link \= \`https://${link}\`;

}

}

return link;

};

  

export const isLocalLink \= (link: string | null) \=> {

return !!(link?.includes(location.origin) || link?.startsWith("/"));

};

  

export const actionLink \= register({

name: "hyperlink",

perform: (elements, appState) \=> {

Expand Down

CVE-2023-26140: fix: stronger enforcement of normalizeLink (#6728) · excalidraw/excalidraw@b33fa6d

The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. This was partially patched in version 1.2.12 and fully patched in version 1.2.13.

Timestamp:

08/15/2023 01:59:03 PM (15 hours ago)

frogerme

Message:

v1.2.13  

Location:

wp-remote-users-sync/trunk

Files:

  

*   inc/api/class-wprus-api-abstract.php (1 diff)
*   readme.txt (1 diff)
*   wprus.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **wp-remote-users-sync/trunk/inc/api/class-wprus-api-abstract.php**
    
    r2946667
    
    r2953845
    
     
    
    879
    
    879
    
                'token'     => $this->get\_token( $url, $data\['username'\], 'post' ),
    
    880
    
    880
    
            );
    
    881
    
     
    
            $response = wp\_remote\_post(
    
     
    
    881
    
            $response = wp\_safe\_remote\_post(
    
    882
    
    882
    
                trailingslashit( $url ) . 'wprus/' . trailingslashit( $endpoint ),
    
    883
    
    883
    
                array(
    
*   **wp-remote-users-sync/trunk/readme.txt**
    
    r2946667
    
    r2953845
    
     
    
    169
    
    169
    
    More help can be found on <a href="https://wordpress.org/support/plugin/wp-remote-users-sync/">the WordPress support forum</a> for general inquiries and on <a href="https://github.com/froger-me/wp-remote-users-sync">Github</a> for advanced troubleshooting. 
    
    170
    
    170
    
    171
    
     
    
    Help is provided for general enquiries and bug fixes only: feature requests, extra integration or conflict resolution with third-party themes or plugins, and specific setup troubleshooting requests will not be addressed (Webiste administrators must cont).
    
     
    
    171
    
    Help is provided for general enquiries and bug fixes only: feature requests, extra integration or conflict resolution with third-party themes or plugins, and specific setup troubleshooting requests will not be addressed (Website administrators must contact a third-party developer).
    
    172
    
    172
    
    173
    
    173
    
    \== Changelog ==
    
     
    
    174
    
     
    
    175
    
    \= 1.2.13 =
    
     
    
    176
    
    \* Use \`wp\_safe\_remote\_post\` instead of \`wp\_remote\_post\`
    
    174
    
    177
    
    175
    
    178
    
    \= 1.2.12 =
    
*   **wp-remote-users-sync/trunk/wprus.php**
    
    r2946667
    
    r2953845
    
     
    
    4
    
    4
    
    Plugin URI: https://github.com/froger-me/wp-remote-users-sync
    
    5
    
    5
    
    Description: Synchronise WordPress Users across Multiple Sites.
    
    6
    
     
    
    Version: 1.2.12
    
     
    
    6
    
    Version: 1.2.13
    
    7
    
    7
    
    Author: Alexandre Froger
    
    8
    
    8
    
    Author URI: https://froger.me/
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-3958: Changeset 2953845 for wp-remote-users-sync – WordPress Plugin Repository

The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refresh_logs_async' functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber privileges or above, to view logs.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-4374: WP Remote Users Sync <= 1.2.11 - Missing Authorization to Authenticated (Subscriber+) Log View — Wordfence Intelligence

Pikachu v1.0 was discovered to contain a SQL injection vulnerability via the $username parameter at \inc\function.php.

    

“如果你想搞懂一个漏洞，比较好的方法是：你可以自己先制造出这个漏洞（用代码编写），然后再利用它，最后再修复它”。

  
\# pikachu

Pikachu是一个带有漏洞的Web应用系统，在这里包含了常见的web安全漏洞。 如果你是一个Web渗透测试学习人员且正发愁没有合适的靶场进行练习，那么Pikachu可能正合你意。  

**Pikachu上的漏洞类型列表如下：  
**

*   Burt Force(暴力破解漏洞)  
    
*   XSS(跨站脚本漏洞)  
    
*   CSRF(跨站请求伪造)  
    
*   SQL-Inject(SQL注入漏洞)  
    
*   RCE(远程命令/代码执行)  
    
*   Files Inclusion(文件包含漏洞)  
    
*   Unsafe file downloads(不安全的文件下载)  
    
*   Unsafe file uploads(不安全的文件上传)  
    
*   Over Permisson(越权漏洞)  
    
*   ../../../(目录遍历)  
    
*   I can see your ABC(敏感信息泄露)  
    
*   PHP反序列化漏洞  
    
*   XXE(XML External Entity attack)  
    
*   不安全的URL重定向  
    
*   SSRF(Server-Side Request Forgery)  
    
*   管理工具  
    
*   More...(找找看?..有彩蛋!)  
    

管理工具里面提供了一个简易的xss管理后台,供你测试钓鱼和捞cookie,还可以搞键盘记录！~  
后续会持续更新一些新的漏洞进来,也欢迎你提交漏洞案例给我,最新版本请关注pikachu  
每类漏洞根据不同的情况又分别设计了不同的子类  
同时,为了让这些漏洞变的有意思一些,在Pikachu平台上为每个漏洞都设计了一些小的场景,点击漏洞页面右上角的"提示"可以查看到帮助信息。  

**如何安装和使用**

Pikachu使用世界上最好的语言PHP进行开发-\_-  
数据库使用的是mysql，因此运行Pikachu你需要提前安装好"PHP+MYSQL+中间件（如apache,nginx等）"的基础环境，建议在你的测试环境直接使用 一些集成软件来搭建这些基础环境,比如XAMPP,WAMP等,作为一个搞安全的人,这些东西对你来说应该不是什么难事。接下来:  
\-->把下载下来的pikachu文件夹放到web服务器根目录下;  
\-->根据实际情况修改inc/config.inc.php里面的数据库连接配置;  
\-->访问h ttp://x.x.x.x/pikachu,会有一个红色的热情提示"欢迎使用,pikachu还没有初始化，点击进行初始化安装!",点击即可完成安装。

如果阁下对Pikachu使用上有什么疑问，可以在QQ群：532078894（已满），973351978（未满） 咨询，虽然咨询了，也不一定有人回答-\_-。

**Docker**

使用已有构建：

docker run -d -p 8765:80 8023/pikachu-expect:latest

本地构建：

如果你熟悉docker,也可以直接用docker部署
docker build -t "pikachu" .
docker run -d -p 8080:80 pikachu

**切记**

"少就是多,慢就是快"

**WIKI**

点击进入

CVE-2023-39849: GitHub - zhuifengshaonianhanlu/pikachu: 一个好玩的Web安全-漏洞测试平台

Schoolmate v1.3 was discovered to contain multiple SQL injection vulnerabilities via the $courseid and $teacherid parameters at DeleteFunctions.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39850: vulnerability-report/Schoolmate_CVE-2023-39850 at main · KLSEHB/vulnerability-report

webchess v1.0 was discovered to contain a SQL injection vulnerability via the $playerID parameter at mainmenu.php.

CVE-2023-39851: vulnerability-report/webchess_CVE-2023-39851 at main · KLSEHB/vulnerability-report

DVWA v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at blind\source\high.php.

CVE-2023-39848: GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA)

Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php.

CVE-2023-39852: vulnerability-report/Doctormms_CVE-2023-39852 at main · KLSEHB/vulnerability-report

Missing encryption in the RFID tag of Suleve 5-in-1 Smart Door Lock v1.0 allows attackers to create a cloned tag via brief physical proximity to the original device.

Skip to content

The details below discuss the vulnerabilities found in the following devices:

*   Suleve 5-in-1 Smart Door Lock (firmware v1.0)
*   Digoo DG-HAMB Smart Home Security System (firmware v1.0)
*   Etekcity 3-in-1 Smart Door Lock (firmware v1.0)

The use of low-frequency (LF) RFID tags is a significant security issue. These tags do not support any form of encryption and so can be read using an NFC-equipped mobile phone or dedicated reader in under a second. The only information encoded is a number, and so using software to write to blank tags it is possible to create any number of duplicate tags possessing the same permissions as the original. In addition, no indication would be given to the owner of the original tag that it had been compromised.

As of 5th August, 2023, none of the devices has been issued with a fix for this issue. Given that this is a vulnerability with the device hardware, we do not believe that this can be rectified with software updates.

**Post navigation**

Source

CVE