PHPJabbers Time Slots Booking Calendar version 4.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 -Multiple Stored XSS# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/# Version: v4.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48828Descriptions:Multiple Stored Cross-Site Scripting (XSS) is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server. Unlike reflected XSS, where themalicious script is embedded in a URL and executed immediately, storedXSS involves the persistent storage of the malicious script on thetarget server, waiting for unsuspecting users to access thecompromised content.Steps to Reproduce:1. Login your panel2. Vulnerable parameters are "name, plugin_sms_api_key,plugin_sms_country_code, calendar_id, title, country name,customer_name".3. Go to System Menu then click SMS Settings.4. Then use any XSS Payload in "SMS API Key", "Default Country Code"input field and Save.5. You will see popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48828)

PHPJabbers Time Slots Booking Calendar 4.0 Cross Site Scripting

PHPJabbers Time Slots Booking Calendar version 4.0 suffers from an html injection vulnerability.

    # Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 - HTML Injection# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/# Version: v4.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48827Descriptions:HTML injection, also known as HTML code injection or cross-sitescripting (XSS), is a web security vulnerability that allows anattacker to inject malicious code into a web page that is then viewedby other users. This can lead to various attacks, such as stealingsensitive information, session hijacking, defacement of websites, ordelivering malware to users.Steps to Reproduce:1. Login your panel2. "name, plugin_sms_api_key, plugin_sms_country_code, calendar_id,title, country name, customer_name" parameters are vulnerable to htmlinjection.3. Go to System Menu then click SMS Settings.4. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.5. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48827)

PHPJabbers Time Slots Booking Calendar 4.0 HTML Injection

SEMCMS 3.9 is vulnerable to SQL Injection. Due to the lack of security checks on the input of the application, the attacker uses the existing application to inject malicious SQL commands into the background database engine for execution, and sends some attack codes as commands or query statements to the interpreter. These malicious data can deceive the interpreter, so as to execute unplanned commands or unauthorized access to data.

*   ע��
*   ��¼

*   ��������
*   ʹ�÷���
*   �����ĵ�

*   ��ҳ
*   ����
*   ��ʾ
*   ����
*   ģ��
*   ��չ
*   ����
*   ����
*   ��̳

*   ģ��չʾ
*   �ͻ�����

CVE-2023-48863: ��ó��վ����,Ӣ����վ����,��ó��վ���

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.

Forgejo v1.20.5-1 was released 25 November 2023.

This release contains _critical security fixes_ related to permissions enforcement of API endpoints.

This release also contains bug fixes, as detailed in the release notes.

**Recommended Action**

We _strongly recommend_ that all Forgejo installations are upgraded to the latest version as soon as possible.

**API and web endpoint vulnerable to manually crafted identifiers**

Some API endpoints, such as adding a reaction to a comment, rely on an identifier unique to an object (a comment in this example). There are similar cases for web endpoints which are used by the Forgejo web interface.

The permissions required for the user performing the action on the repository are properly enforced. But a check was missing to ensure that the object (a comment in the example) also belongs to the repository the permissions are checked against. Without this check it is possible both to perform destructive actions and to access information in repositories unrelated to the request, including private ones.

API and web endpoints have been analysed, and those that were missing such a verification can be exploited by a malicious actor to:

*   delete releases and tags
*   delete and modify issues or pull requests comments
*   reveal the content of issues or pull requests comments from private repositories
*   perform other non-destructive actions such as creating issues, moving pinned issues, or obtaining deploy public keys

The vulnerable endpoints were fixed and tests written to verify the fix is effective.

**docker login and 2FA**

When using docker login to authenticate against a Forgejo instance using basic authentication, there needs to be an additional verification if 2FA is activated for the user. That verification was missing for the API endpoint used by docker login, thus bypassing 2FA.

**Responsible disclosure to Gitea**

On 25 October 2023 the Forgejo security team identified that multiple API and web endpoints were not protected against manually crafted identifiers, and the Gitea security team was notified. A 30-day embargo was requested, after which a patch to the v1.20 point release could be published. Further research from both Gitea and Forgejo teams in the following days revealed more vulnerabilities. Initial fixes and tests verifying they are effective were exchanged, but after their last email on 31 October 2023 the Gitea security team stopped responding. Given the severity of the vulnerability, the Forgejo security team asked again for feedback on 16 November 2023, but did not get any reply. Having exhausted all options for cooperation, the Forgejo security team completed the security fix on its own. The resulting fix which is published in this release was sent to the Gitea security team encrypted in its final version on 24 November 2023. At the time of publication, there was still no response from the Gitea security team.

**Responsible disclosure to Gogs**

The Gogs developer was notified of the vulnerability on 25 October 2023. There is no encrypted channel and only a terse but unambiguous message was sent. There has been no response.

**Forgejo will give advance warning of security releases**

Similar to what is done when a Go release contains a security fix, Forgejo will now publish advance warning of security releases. They will not reveal the details of the vulnerability but will allow Forgejo admins to plan ahead and better secure their instance. Anyone can watch to the dedicated tracker or subscribe to the RSS feed.

**Gogs and Gitea upgrades to Forgejo**

Gitea admins are reminded that Forgejo is a 100% compatible drop-in replacement for Gitea. It is enough to replace the Gitea binary or the container image with Forgejo and restart. No configuration modification is necessary. They are encouraged to choose that option to get this security fix as soon as possible.

In the absence of a security fix for Gogs, it is also possible to try and upgrade Gogs to Forgejo. Note however that such an upgrade will require manual intervention and configuration changes because the upgrade path has not been tested.

**Contribute to Forgejo**

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!

CVE-2023-49948: Forgejo Security Release 1.20.5-1

By Waqas
In addition to his prison sentence, Amir Hossein Golshan, the culprit, has been ordered to pay $1,218,526 in restitution to his victims.
This is a post from HackRead.com Read the original post: US Man Jailed 8 Years for SIM Swapping and Apple Support Impersonation

Golshan’s schemes involved SIM swapping, social media account takeovers, Zelle payment fraud, and impersonating Apple Support personnel.

A 25-year-old man from downtown Los Angeles has been sentenced to 8 years in federal prison for orchestrating a series of online scams that defrauded hundreds of victims of over $740,000.

Amir Hossein Golshan (PDF) was convicted of one count of unauthorized access to a protected computer to obtain information, one count of wire fraud, and one count of accessing a computer to defraud and obtain value.

Golshan’s schemes involved SIM swapping, social media account takeovers, Zelle payment fraud, and impersonating Apple Support personnel. He used these methods to steal money, NFTs, cryptocurrency, and other valuable digital property from his victims.

> It looks like the SIM swapper who impersonated Apple Support to steal $386K worth of crypto and NFTs (BAYC 9012) from @Mr312 last year was just sentenced to 8 years in prison + ordered to pay $1.2M in restitution.
> 
> How do we know it’s his scammer?
> 
> In the DOJ press release they… pic.twitter.com/qBrWBpROVg
> 
> — ZachXBT (@zachxbt) November 30, 2023

In one instance, Golshan targeted a Los Angeles-based model and influencer with over 100,000 Instagram followers. He gained access to her Instagram account and impersonated her to her friends, requesting them to send him money through Zelle, PayPal, and other online payment platforms.

Several of the victim’s friends sent Golshan money, totalling thousands of dollars, believing they were sending money to the victim. In another instance, Golshan impersonated Apple Support personnel to gain unauthorized access to several victims’ Apple iCloud accounts. He then stole NFTs, cryptocurrency, and other valuable digital property from these accounts.

In another case, he stole an NFT valued at approximately $319,000 and approximately $70,000 worth of cryptocurrency from a victim. U.S. District Judge Otis D. Wright II, who sentenced Golshan, stated that his crimes went “beyond just money” and that they showed a “wanton cruelty” that caused the victims to live in a state of “constant fear and worry.”

According to the US Department of Justice’s press release on Monday, November 27, 2023, Golshan has been in federal custody since June 2023 for violating the terms of his pretrial release. In addition to his prison sentence, he is ordered to pay $1,218,526 in restitution to his victims.

1.  **Police Dismantle SIM Swapping Gang in Spain**
2.  **Indian police & Microsoft busts tech support scam centers**
3.  **10 SIM-swapping hackers nabbed for targeting US celebrities**
4.  **Authorities take down scam campaign impersonating the WHO**
5.  **Man hacks Indian tech support scam call center; leaks CCTV footage**

US Man Jailed 8 Years for SIM Swapping and Apple Support Impersonation

The transmitter suffers from an improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user allowing authentication bypass and FM station setup access.

Title: R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure  
Advisory ID: ZSL-2023-5802  
Type: Local/Remote  
Impact: Exposure of Sensitive Information, Security Bypass  
Risk: (5/5)  
Release Date: 03.12.2023

**Summary**

R Radio FM Transmitter that includes FM Exciter and FM Amplifier parameter setup.

**Description**

The transmitter suffers from an improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user allowing authentication bypass and FM station setup access.

**Vendor**

R Radio Network - http://www.pktc.ac.th

**Affected Version**

1.07

**Tested On**

CSBtechDevice

**Vendor Status**

\[09.10.2023\] Vulnerability discovered.  
\[10.10.2023\] Vendor contacted.  
\[10.10.2023\] Vendor responds asking more details.  
\[11.10.2023\] Sent details to the vendor.  
\[14.10.2023\] Vendor confirms the issue, working on a patch.  
\[29.10.2023\] Vendor releases version 1.09 to address this issue.  
\[03.12.2023\] Coordinated public security advisory released.

**PoC**

r\_transmitter\_pwd.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.12.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure

OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to be an author feature could perform a stored XSS attack against any other users visiting the posts by the author. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability  
Advisory ID: ZSL-2023-5804  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 03.12.2023

**Summary**

OctoberCMS is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.

**Description**

OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to be an author feature could perform a stored XSS attack against any other users visiting the posts by the author. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

October CMS - https://www.octobercms.com

**Affected Version**

3.4.0

**Tested On**

macOS Monterey 12.6.3  
Docker 4.12.0 (85629)  
PHP/8.1.6

**Vendor Status**

\[30.10.2023\] Vulnerability discovered.  
\[31.10.2023\] Contact with the vendor.  
\[06.11.2023\] Vendor asked for the details.  
\[07.11.2023\] Sent details to the vendor.  
\[11.11.2023\] Vendor asked for confirmation if the findings were within their scope.  
\[14.11.2023\] Confirmed the issues are within the scope.  
\[20.11.2023\] Vendor asked for further information on how exploits affect a public-facing website.  
\[22.11.2023\] Explained about impact of the findings in detail.  
\[29.11.2023\] Vendor didn't consider the findings as vulnerabilities.  
\[03.12.2023\] Public security advisory released.

**PoC**

octobercms\_xss(author).txt

**Credits**

Vulnerability discovered by Nazli Soysal Kuran - <nazli@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.12.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability

QR codes can be convenient—but they can also be exploited by malicious actors. Here’s how to protect yourself.

And you don’t need anything special to create a QR code. The tools are widely available and straightforward to use, and putting together a QR code of your own isn’t much more difficult than scanning one. If you wanted to create a QR code that points to a website that’s been put together for malicious purposes, it would only take a couple of minutes. The QR code could then be stuck on a wall, attached to an email, or printed on a document, ready to be scanned.

The aims of these websites are the same as they’ve always been: to get you to download something that will compromise the security of your accounts or your devices, or to get you to enter some login credentials that will then be relayed straight to the hackers (most probably using a spoof site set up to look like something genuine and trustworthy). The intended end results are the same as ever, but the method of getting there is different.

Avoiding QR Code Hacks

The security precautions you should already be using are the same ones that will keep you protected against QR code hacking. Just as you would with emails or instant messages, don’t trust QR codes if you’re not sure where they’ve come from—perhaps attached to suspicious-looking emails or on websites that you can’t verify. The QR code on the menu in your local restaurant, in contrast, is highly unlikely to have been generated by hackers.

Of course, there’s always the chance that the accounts of your friends, family, and colleagues have been compromised, so you can never be 100 percent sure that a message with a QR code in it is genuine. Scams will usually try to imply a sense of urgency and alarm: Scan this QR code to verify your identity or prevent the deletion of your account or take advantage of a time-limited offer.

You should get a preview of the link you’re visiting from a QR code.

Apple via David Nield

As always, your digital accounts should be as heavily protected as possible, so that if you do fall victim to a QR code trick, safety nets are in place. Switch on two-factor authentication for every account that offers it, make sure your personal details are up to date (such as backup email addresses and phone numbers that can be used to recover your accounts), and log out of devices you’re no longer using (you should also delete old accounts you no longer have any need for).

Finally, keep your software up to date—something that’s happily now very easy to do. The latest versions of popular mobile web browsers come with built-in tech for spotting fraudulent links: These integrated protections aren’t infallible, but the more up-to-date your browser and mobile OS are, the better your chances of getting a warning on screen if you’re about to visit an unsafe location on the web.

How to Not Get Hacked by a QR Code

Interpol has upgraded its biometric background check tech. It'll help catch criminals, but will it protect sensitive, immutable data belonging to the innocent?

Source: Huang Zheng via Shutterstock

In November, Interpol arrested a fugitive smuggler using a new biometric security system it plans to deploy across its 196 member countries.

The colorlessly named "Biometric Hub" collates Interpol's existing fingerprint and facial-recognition data into one place, allowing border control and frontline officers to query criminal biometric records in real time.

The system is backed with certain privacy guarantees, but questions remain about the extent of its reach, and of any organization's ability to keep a tight hold over such privileged data.

"This is going to be a super high-value target for somebody to get access to," John Gallagher, vice president at Viakoo, worries. "Any time you put together such valuable information, it's obviously going to get hacked and leaked."

**The First Criminal Caught by Biometric Hub**

Just a couple of weeks ago, a group of migrants was crossing the Balkans on their way to Western Europe. In their midst was a fugitive migrant smuggler.

The group encountered a police check in Sarajevo, Bosnia and Herzegovina.

"Wanted on organized crime and human trafficking charges since 2021, the smuggler presented himself as a fellow migrant under a false name, using a fraudulent identification document to avoid detection," Interpol recounted in a press release.

Unfortunately for the fugitive, this police check was among the first to utilize the new Biometric Hub out in the field. "When the smuggler’s photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country. He was arrested and is currently awaiting extradition."

There's little doubt that the Biometric Hub will streamline Interpol's criminal background checks. But does it provide sufficient security and privacy checks for the citizens who aren't trying to perform crimes across borders?

**Concerns Over Biometric Policing**

To assuage fears of a sci-fi dystopia, Interpol explained on Wednesday that its new biometrics system will abide by its "robust" data protection framework.

Of note, the agency added that "biometric data run through the Hub in a search is not added to INTERPOL's criminal databases, is not visible to other users and any data that does not result in a match is deleted following the search."

Dark Reading has reached out for comment to Interpol, and the vendor supporting Biometric Hub — Idemia — but hasn't yet received a response as of this publication.

Besides privacy, Gallagher points out, a system containing the most sensitive identifying information belonging to the most dangerous criminals out there is an inevitable target for cyberattackers. And a breach of such a system wouldn't be unprecedented.

In 2019, for example, a 23-gigabyte leak at a company contracted by UK police and other government agencies led to the exposure of somewhere around one million fingerprint and facial recognition records. Elsewhere, background checks have been accessed from the US Department of Homeland Security, images have been stolen from Customs and Border Patrol, and more.

"I'm not saying that authorities are doing the wrong thing here — I think they are doing the right thing," Gallagher says. Then he predicts all the many ways the system could fail.

"How frequently do things like the cameras themselves malfunction? And what happens if somebody gets to the camera network? Internet of Things (IoT) devices are the easiest in the universe to hack into," he says.

"My argument is that, in a few years, biometrics won't be trusted," he warns. "Because I pass a camera 100 times a day in my enterprise, and that enterprise might not be securing that camera data very well."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Interpol Arrests Smuggler With New Biometric Screening Database

By Waqas
Cyber Av3ngers, a group of hacktivists believed to be originating from Iran, conducted the cyber attack.
This is a post from HackRead.com Read the original post: Cyberattack Defaces Israeli-Made Equipment at US Water Agency, Brewing Firm

The targets included the Equipment used by the Municipal Water Authority of Aliquippa, Pennsylvania and Brewmation, a New York-based company specializing in turnkey brewing and distilling equipment.

U.S. officials have attributed a cyberattack on the Municipal Water Authority of Aliquippa, Pennsylvania, to the hacktivist group Cyber Av3ngers. This is the same group that previously claimed responsibility for targeting the Israeli oil refinery giant BAZAN with a series of DDoS attacks (distributed denial-of-service attacks).

According to Check Point Research and Google’s Mandiant reports, this group is believed to have ties to the Iranian government.

In its cyber attack on the Municipal Water Authority of Aliquippa on Saturday, Nov. 25, 2023, Cyber Av3ngers defaced the equipment used by the authority with a message of their own, stating that they were targeting Israeli-made equipment. Reportedly, the equipment that was targeted and disabled was manufactured by the Israeli company Unitronics.

Hackread.com can exclusively confirm that the group also targeted Brewmation, a New York-based company specializing in turnkey brewing and distilling equipment. The company’s brewery control system experienced a cyber attack over the Thanksgiving weekend.

The cyberattack on the equipment used by Bewmation saw the same deface image that was left by the hackers on the equipment used by the Municipal Water Authority of Aliquippa.

Evidence suggests that the hackers deliberately targeted the facility due to the equipment’s Israeli origin. A photo from the targeted organization shows a message from the hackers that read, _“**Every equipment ‘made in Israel’ is Cyber Av3ngers legal target.”**_

The attack targeted a device used to control water levels at the authority’s tanks automatically. However, it did not disrupt water service to customers. Still, the incident has raised concerns about the vulnerability of critical infrastructure to cyber threats.

Cybersecurity experts had warned that the ongoing conflict between Israel and Hamas may cause a spike in cyberattacks in Western Pennsylvania and other regions. The Western Pennsylvania All Hazards Fusion Center issued an alert warning that anti-Israel threat actors could target any critical infrastructure or key resources in the region.

In response to the attack, area representative Congressman Chris Deluzio has called for a full investigation into this incident while emphasizing the need for all organizations, including small local governments and private actors, to step up their cybersecurity systems. Deluzio noted that implementing sophisticated cyber defences is the need of the day.

Three Pennsylvania lawmakers have urged for an investigation by the U.S. Department of Justice to warn other water and sewage treatment utilities about possible threats and risks involved with vulnerable industrial control systems.

In a letter to Attorney General Merrick Garland, Senators John Fetterman and Bob Casey, along with Representative Chris Deluzio, raised concerns over the vulnerable nature of drinking water and other critical infrastructure.

They emphasized the need to protect these systems from foreign adversaries and terrorist organizations, urging the DoJ to investigate the incident thoroughly and also calling for a broader assessment of the nation’s cybersecurity posture.

Federal agencies are also involved in the investigation. The Cybersecurity and Infrastructure Security Agency (CISA) released a statement revealing that it is aware of the intrusion and is working with partners to understand the situation and provide support. The FBI did not confirm or deny that an investigation was underway. 

The Aliquippa Water Authority chairman, Matthew Mottes, stated that federal officials informed him of more hacking attempts from the same threat actor, targeting four of their utilities and an aquarium.

Cyber Av3ngers claimed to have hacked 10 water treatment stations in Israel on October 30 in a separate development. It is unclear whether any equipment was shut down due to these attacks.

Cyber Av3ngers on Telegram

Nevertheless, the cyberattack highlights the capabilities and skills hacktivists possess to deliver their message to adversaries. Cyber Av3ngers vow to continue targeting Israel and any company or business utilizing equipment manufactured or provided by the State of Israel.

****_RELATED ARTICLES_****

1.  **Israel’s Channel 10 TV Station Hacked by Hamas**
2.  **Hackers deface Airport screens in Iran with anti-govt messages**
3.  **LG Smart TV Screen Bricked After Android Ransomware Infection**
4.  **Iran State-Run TV’s Live Transmission Hacked by Edalate Ali Hackers**
5.  **TV broadcasts in California interrupted to show “end of the world” alert**

Tag

#auth