Information disclosure in SMU in Hitachi Vantara HNAS 14.8.7825.01 on Windows allows authenticated users to download sensitive files via Insecure Direct Object Reference (IDOR).


https://sso.hitachivantara.com/content/login-page.html?fromURI=https://hitachivantara.okta.com/app/hitachivantara\_supportconnectportaloag\_1/exk93s5svtkcaiA6I2p7/sso/saml

This site uses cookies from Hitachi and third parties for our own business purposes and to personalize your experience. By using this site, you agree to the use of cookies. For more information, visit Hitachi Cookies Policy.

CVE-2023-5808: Hitachi Vantara Support











The ACEManager
component of ALEOS 4.16 and earlier does not



validate uploaded
file names and types, which could potentially allow



an authenticated
user to perform client-side script execution within



ACEManager, altering
the device functionality until the device is



restarted.









Sierra Wireless was recently informed of six security vulnerabilities in ALEOS, the operating system used in certain Sierra Wireless AirLink Routers, including the MP70, RV50x, RV55, LX40, LX60, ES450 and GX450. The vulnerabilities are present in ALEOS 4.16 and earlier versions and have been remediated in ALEOS 4.17 released in October 2023. Please see the bulletin for details.

SWI-PSA-2023-006: Product Security Advisory: ALEOS Security Advisory

CVE-2023-40460: SWI-PSA-2023-006: Product Security Advisory: ALEOS Security Advisory

An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via use of a crafted string in the ping utility.

CVE-2023-24046: Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE

The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

CVE-2023-6063

The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, such as subscriber could upload arbitrary files, such as PHP on the server

CVE-2023-5953

The Word Balloon WordPress plugin before 4.20.3 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link.

CVE-2023-5884

The Filr WordPress plugin before 1.2.3.6 is vulnerable from an RCE (Remote Code Execution) vulnerability, which allows the operating system to execute commands and fully compromise the server on behalf of a user with Author-level privileges.

CVE-2023-5762

The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

CVE-2023-4460

By Waqas
WALA (Worldwide Australian Labradoodle Association) is headquartered in the United States and maintains offices in Asia, Europe, and Australia.
This is a post from HackRead.com Read the original post: Int’l Dog Breeding Org WALA Exposes 25GB of Pet Owners Data

The data leak occurred due to a cloud server misconfiguration and involved more than 56,000 documents, totaling 25 gigabytes in size.

In the latest cybersecurity incident, the private data of pet owners, dog microchip numbers, veterinarians, and testing laboratories affiliated with WALA (the Worldwide Australian Labradoodle Association) was leaked to the public.

WALA is a prominent worldwide dog breeding organization based in the United States. This breach occurred without any security authentication or password.

The incident was brought to light by cybersecurity researcher Jeremiah Fowler according to whom, the data leak was caused due to a **cloud server misconfiguration** at WALA. The leaky server exposed a trove of sensitive and personal information including over 56,000 documents with a total size of 25 gigabytes.

According to Fowler’s analysis, the exposed records included Personally Identifiable Information (PII) encompasses pet owners’ names, physical addresses, phone numbers, email addresses, dog microchip numbers and other medical-related information concerning the pets.

The screenshot shows the type of leaked records and how a simple search for a dog’s microchip number can expose critical private details to threat actors (Image credit: Jeremiah Fowler)

While WALA is an organization based in the United States, its customer base extends worldwide. The organization also maintains offices in various regions, including Asia, Europe, and Australia.

While having a broad customer base is advantageous for the company, it also highlights the significance of the database leak, which exposed user data of individuals across the globe. In a **blog post**, Fowler emphasized that the WALA data leak could have devastating consequences for affected users stating that,

> _“When we think of a data breach of health records, we may never consider the implications of pet medical data. However, there is a massive amount of money in the pet industry, and history has shown there are always potential risks when the possibility of financial gain is involved.”_
> 
> Jeremiah Fowler

****Potential Risks****

Although it is unclear if Fowler was the only one to get their hands on the exposed server, if the information has been accessed by a third party with malicious intent, it can also pose a massive privacy threat for victims.

The compromised data poses several significant risks, including but not limited to:

*   **Tracking:** Although highly unlikely, threat actors could potentially combine the information, especially microchip numbers for dogs, to track pets and engage in theft.
*   **Pet Insurance Fraud:** With access to comprehensive information about pets and their owners, malicious actors could exploit the data to commit pet insurance fraud, creating false claims or manipulating existing policies.
*   **Identity Theft:** The vast array of personal information exposed in the breach puts individuals at risk of identity theft. This information could be misused for various fraudulent activities, jeopardizing the financial and personal well-being of the affected parties.
*   **Other Security Threats:** The breach opens the door to an array of potential threats, including phishing attacks, financial scams, and other malicious activities that capitalize on the compromised data.

**Expert Advice**

At Hackread.com, we collaborate with researchers like Jeremiah Fowler to raise awareness about cybersecurity incidents and threats. We advise all WALA affiliates, including pet owners, veterinarians, and testing laboratories, to monitor their financial accounts, be cautious of unsolicited communications, and consider implementing additional security measures to mitigate the potential fallout from this extensive data exposure.

1.  **Cigna Health Data Leak: 17 Billion Records Exposed**
2.  **7TB of Healthcare Data Leak Affects 12 Million Patients**
3.  **Researcher Exposes Crypto Scam Network of 300 Domains**
4.  **Database Leak Exposes 500K Irish Police Vehicle Seizure Records**
5.  **Data Leak Exposes 572 GB of Student, Faculty Info from Accreditation Org**

Int’l Dog Breeding Org WALA Exposes 25GB of Pet Owners Data

23andMe has released new details about the credential stuffing attack that took place in October.

In October we reported that the data of as many as seven million 23andMe customers were for sale on criminal forums following a password attack against the genomics company.

Now, a filing with the US Securities and Exchange Commission (SEC) has provided some more insight into the data theft. The filed amendment supplements the original Form 8-K submitted by 23andMe.

The amendment says that an investigation showed that the attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.

With the breached accounts at their disposal, the attacker used 23andMe’s opt-in DNA Relatives (DNAR) feature—which matches users with their genetic relatives—to access information about millions of other users. According to a spokesperson the DNAR profiles of roughly 5.5 million customers could be accessed in this way, plus the Family Tree profile information of 1.4 million additional DNA Relative participants.

The 5.5 million DNAR Profiles contained sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships, and ancestry reports.

For a subset of these accounts, the stolen data might contain health-related information based upon the user’s genetics.

The 1.4 million Family Tree profiles contain display names and relationship labels, plus other information that a user may have added, including birth year and location.

23andMe is in the process of notifying users impacted by the incident. The company said it believes that the attacker activity is contained, and that it is working to have the publicly-posted information taken down.

When the breach was first announced, 23andMe urged its users to ensure they have strong passwords, to avoid reusing passwords from other sites, and to enable multi-factor authentication (MFA).

Our Mark Stockley noted at the time:

> “Respectfully, we would like to see 23andMe reach a different conclusion. Telling users to choose strong passwords and not to reuse them is great advice that just isn’t working. It’s good in theory but fails in practice. In a world where users have tens or even hundreds of logins to manage, password reuse and weak passwords that are easy to remember are inevitable.”

And it looks as if they listened to us. On the 23andMe blog the updated article about the breach now says:

> “We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers. The company will continue to invest in protecting our systems and data.”

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

Tag

#auth