Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component.

**CMSmadesimple Stored XSS v2.2.18****Author: (Sergio)**

**Description:** Multiple cross-site scripting (XSS) vulnerabilites in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data in the Content Manager Menu.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the "Content Manager Menu" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Content- Content Manager Menu." section off General Menu.

We edit that Content Manager Menu that we have created and see that we can inject arbitrary Javascript code in the Page Specific Metadata and Smarty data

**XSS Payload:**

<object data\=javascript&colon;\\u0061&#x6C;&#101%72t('Metadata')\>

<object data\=javascript&colon;\\u0061&#x6C;&#101%72t('Smarty')\>

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43359: GitHub - sromanhu/CVE-2023-43359-CMSmadesimple-Stored-XSS----Content-Manager: Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a craft

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the SEO - Meta description parameter in the Pages Menu component.

**Quick CMS Stored XSS v6.7****Author: (Sergio)**

**Description:** A Cross-Site Scripting (XSS) vulnerabiliti in Quick CMS v6.7 allows a local attacker to execute arbitrary code via a crafted script to the to the SEO - Meta description in the Pages Menu.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Meta description of "Pages- SEO" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Pages - SEO ." section off General Menu.

We edit that SEO Settings and see that we can inject arbitrary Javascript code in the Meta Description field.

**XSS Payload:**

'"><svg/onload=alert('XSS')\>

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

https://opensolution.org/cms-system-quick-cms.html

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43344: GitHub - sromanhu/CVE-2023-43344-Quick-CMS-Stored-XSS---SEO-Meta-description: Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code vi

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Languages Menu component.

**Quick CMS Stored XSS v6.7****Author: (Sergio)**

**Description:** A Cross-Site Scripting (XSS) vulnerability in Quick CMS v6.7 allows a local attacker to execute arbitrary code via a crafted script to the to the Front and back end - Pages in the Languages Menu.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Pages of "Languages- Front and back end" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Languages - Front and back end ." section off General Menu.

We edit that Front and back end Settings and see that we can inject arbitrary Javascript code in the Pages field.

**XSS Payload:**

'"><svg/onload=alert('Pages')\>

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

https://opensolution.org/cms-system-quick-cms.html

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43342: GitHub - sromanhu/CVE-2023-43342-Quick-CMS-Stored-XSS---Languages-Frontend: Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via 

Cross-site scripting (XSS) vulnerability in evolution evo v.3.2.3 allows a local attacker to execute arbitrary code via a crafted payload injected uid parameter.

**Evolution CMS Reflected XSS v3.2.3****Author: (Sergio)**

**Description:** A cross-site scripting (XSS) reflected vulnerability in the evolution v.3.2.3 installation process connection allows a local attacker to execute arbitrary web scripts via a crafted payload injected into the uid parameter.

**Attack Vectors:** A vulnerability in the sanitization of the uid parameter of the Database installation process allows JavaScript code to be injected.

**POC:**

During the installation process we enter the XSS payload in the uid parameter and when we click on next, we will obtain the XSS pop-up.

**XSS Payload:**

'"><svg/onload=alert('XSS')\>

In the following image you can see the embedded code that executes the payload in the instalaltion process. 

And the result will be reflected with the pop-up of the following evidence:

  
**Additional Information:**

https://evo.im/

CVE-2023-43341: GitHub - sromanhu/CVE-2023-43341-Evolution-Reflected-XSS---Installation-Connection-: Evolution CMS 3.2.3 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbi

An issue discovered in IXP Data EasyInstall 6.6.14907.0 allows attackers to gain escalated privileges via static Cryptographic Key.

CVE-2023-30132: EasyInstall CVE Issue

By Waqas
E-Root marketplace had its domain seized in 2020.
This is a post from HackRead.com Read the original post: E-Root Marketplace Admin Extradited to US on Computer Fraud Charge

E-Root sold access to compromised devices and had more than 350,000 compromised computer credentials for sale.

A man from Moldova, Sandu Diaconu (31), has been extradited to the United States to face charges related to his operation of the E-Root marketplace, a website that sold access to compromised computers worldwide.

It’s worth noting that the E-Root marketplace had its domain seized in 2020 following a coordinated operation by international law enforcement authorities.

On October 16, 2023, Diaconu was extradited from the UK and appeared in a federal court in Florida the following day. He is charged with conspiring to commit computer and access device fraud, wire fraud, money laundering, and additional computer and access device fraud. If found guilty on all counts, Diaconu could potentially face a maximum sentence of 20 years in prison.

The indictment alleges that Diaconu served as an administrator of the E-Root Marketplace, a website that provided access to compromised computers for an extended period, including servers owned by American businesses and individuals.

To safeguard the privacy of its administrators, customers, and vendors, the Marketplace implemented certain measures. Through E-Root, buyers could search for compromised computer credentials, such as RDP and SSH access, tailored to their preferences, including criteria like price, location, operating system, and internet service provider.

The Marketplace also utilized Bitcoin and the online payment service Perfect Money to conceal the money paid by customers. The platform additionally offered a conversion service between Bitcoin and Perfect Money through its separate cryptocurrency exchange, which was also seized by the authorities.

According to the DoJ’s press release, the Marketplace had over 350,000 compromised computer credentials available for sale. Victims spanned across multiple industries and regions, including various companies, businesses, and at least one local government agency.

Furthermore, several of the affected companies experienced Ransomware attacks with extensive ramifications for victims, and some of the pilfered credentials listed on the Marketplace were linked to tax fraud schemes involving stolen identities.

Domain Seizure Notice for E-Root.

The IRS-CI Cyber Crimes Unit in Washington, D.C., and the FBI-Tampa Division jointly spearheaded the investigation. Several key entities played a substantial role in this effort, including the Tampa Field Office of the IRS-Criminal Investigation, the Department of Justice’s Office of International Affairs, IRS-CI and FBI International Operations at Mission UK, the United Kingdom’s National Extradition Unit, the United Kingdom’s Central Authority, and the Tampa Field Office of the United States Marshals Service.

This case is a reminder of the growing threat of cybercrime and the importance of international cooperation in combating it. The United States Department of Justice is committed to working with its partners around the world to bring perpetrators of cybercrime to justice.

****_RELATED ARTICLES_****

1.  Finnish Dark Web Marketplace PIILOPUOTI Seized
2.  Student Ran Germany’s Largest Dark Web Market DiDW
3.  8 Online Best Dark Web Search Engines for Tor Browser
4.  179 Dark Web vendors arrested, 500kg worth of drugs seized
5.  Domain, server of DoubleVPN used by ransomware gangs seized

E-Root Marketplace Admin Extradited to US on Computer Fraud Charge

**PRESS RELEASE**

**AUSTIN, Texas** – **Oct. 10, 2023** – SailPoint Technologies, Inc., a leader in enterprise identity security, today released the findings from the 2023 edition of its annual research report, ‘The Horizons of Identity Security,’ at Navigate 2023. Produced in collaboration between SailPoint and Accenture, a leading global professional services company, the report is based on insights from more than 375 global cybersecurity executives across the Americas, Europe and Asia. The goal was to examine the current state and future direction of the identity security market.

With 90% of cybersecurity breaches being identity related, identity security is the most important security aspect that every organization must get right. Yet, findings from the Horizons of Identity Security report show that 44% of companies are still at the beginning of their identity journeys. And, concerningly, even mature companies cover less than 70% of the identities in their organizations through foundational governance capabilities. However, respondents noted that communicating the business value of identity security to executives is a key challenge. This underscores the need for identity security advocates to build executive-friendly business cases that are tailored to their audiences’ strategic priorities and value-driven mindset.

A worrying 77% of respondents indicate that “limited executive sponsorship or focus” is a primary obstacle to investment in identity security, second only to budgetary constraints (91%). However, report findings clearly demonstrate that a strong identity security program can power business agility and innovation, risk mitigation, efficiency gains, and advancement of tech initiatives. For example, it can accelerate organizational change by as much as 30% through quicker integration of identities, applications, data and infrastructure. 

“A strong identity security program can generate real value for today’s organizations, but that value isn’t always obvious to business stakeholders,” said Matt Mills, President of Worldwide Field Operations, SailPoint. “In today’s threat landscape, stopping just one breach can save millions of dollars in lost revenue, regulatory fines, and reputational damage. It’s important for security teams to have the information they need to communicate their needs in an outcomes-based way. Focusing on the business value that identity security drives is going to resonate best with executives and help them understand the pressing need to accelerate their identity maturity if they want to avoid becoming the next major victim.”

Identity ecosystems are becoming increasingly complex and a preferred attack vector for threat actors. According to the report findings, on average more than 30% of the identities in an organization are not properly covered by identity solutions, with particular gaps around third-party identities, machine identities and data. Bringing those identities under the umbrella of a strong identity management program is essential for breach avoidance. Foundational security capabilities accelerate incident response, prevent bad actors from authenticating into internal systems and limit excessive access rights for employees — which survey respondents selected as the most common security deficiency enabling breaches.

Among other notable findings in the report was the fact that AI-based solutions have proven to be a potent accelerator, helping businesses add advanced new capabilities and drive greater agility. Encouragingly, the report shows a growing number of organizations are exploring AI-backed dynamic trust models to evolve access based on user behavior. The findings also show that companies leveraging SaaS, AI and automation scale a notable 10-30% faster and get more value for their security investment through increased capability utilization. More specifically, an identity platform leveraging automation and AI enables companies to scale identity-related capabilities up to 37% faster than companies without AI enablement. 

“Organizations are facing unprecedented challenges when it comes to managing their complex identity environments and massive data sets,” said Damon McDougald, the global Security Digital Identity lead at Accenture. “While advanced technologies like artificial intelligence and generative AI are making it easier to expedite, manage and scale identity security initiatives many organizations are still at the start of their journeys. Organizations should view this as an opportunity to accelerate their identity maturity timetable and establish a foundation for a secure digital transformation.”

**Adoption Assessment tool**

SailPoint is launching a new adoption assessment tool that can help organizations assess their current capabilities, as well as how they stack up against their peers. The tool can help businesses identify what their greatest barriers to stronger identity security are, and how they can generate greater business value by investing in identity. To access the adoption assessment tool, click here. 

SailPoint’s flagship ‘Navigate: Identity Security Accelerated’ conference kicks off in Austin, Texas on October 9th, and will be followed by a series of global events in London, Singapore, Sydney, Washington DC, Toronto and São Paulo. To register, visit the Navigate website.

**2023 Horizons of Identity Security Resources**

*   To download a copy of the 2023 Horizons of Identity Report, click here. 
*   Read more about the report’s top findings in this SailPoint blog. 
*   For a snapshot of the report’s key findings, click here. 
*   To reference the 2022 Horizons of Identity Report or take the maturity assessment, click here. 

**About SailPoint**

SailPoint is a leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Unveils Annual 'Horizons of Identity Security' Report

Known threat groups Diamond Sleet and Onyx Sleet focus on cyber espionage, data theft, network sabotage, and other malicious actions, Microsoft says.

Two North Korean state-backed threat groups, whom Microsoft is tracking as Diamond Sleet and Onyx Sleet, are actively exploiting CVE-2023-42793, a critical remote code execution (RCE) bug in on-premises versions of JetBrains TeamCity continuous integration and delivery server.

The attackers are leveraging the bug to drop backdoors and other implants for carrying out a wide range of malicious activities, including cyber espionage, data theft, financially motivated attacks, and network sabotage, Microsoft said in a report this week. TeamCity is a platform that some 30,000 organizations — including several major brands like Citibank, Nike, and Ferrari — use to automate software build, test, and deployment processes.

**Critical Authentication Bypass Vulnerability**

Based on previous campaigns, Diamond Sleet presents a threat mainly to organizations in IT services, media, and defense-related sectors globally. Onyx Fleet has a somewhat narrower focus and has mostly targeted defense and IT services entities in the US, South Korea, and India. "While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation," Microsoft said.

JetBrains disclosed CVE-2023-42793 on Sept. 30 and assigned it a near-maximum severity score of 9.8 out of 10 on the CVSS scale. The software vendor described the vulnerability as enabling an unauthenticated attack to perform a RCE attack and gain administrative privileges on an affected, Internet-exposed TeamCity server. The vulnerability is present in all on-premises versions of TeamCity.

**ForestTiger Backdoor and Other Payloads**

In Diamond Fleet's attacks targeting the flaw, the threat actor has been using PowerShell to download two malicious payloads from legitimate infrastructure that the threat actor appears to have compromised previously. One of the payloads is a backdoor dubbed ForestTiger that the attacker uses to run scheduled tasks on compromised systems and also to dump credentials. The other malicious payload is a configuration file for the malware that contains information on its command-and-control (C2) infrastructure and other parameters.

Microsoft said it also observed Diamond Sleet actors leveraging PowerShell to download a malicious dynamic link library (DLL), a technique that threat actors often use to execute unauthorized code on compromised systems.

Meanwhile, Onyx Sleet's tactic after exploiting CVE-2023-42793 has been to create a new user account on compromised systems with a name that appears designed to impersonate the legitimate Kerberos Ticket Granting Ticket Account, Microsoft said. The attacker has then been adding the account to the Local Administrators Group and using it to download and decrypt an embedded Portable Executable (PE) resource which is then loaded and launched in memory. "The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure," Microsoft noted.

**Trivial to Find and Exploit**

Stefan Schiller, vulnerability researcher at Sonar, which discovered and reported CVE-2023-42793 to JetBrains, says the vulnerability is very easy for a threat actor to find and abuse. The version of a TeamCity instance can be determined by simply visiting the login page and determining whether the specific version is 2023.05.3 and below, which would mean it is vulnerable. "Once a vulnerable instance is identified, the exploitation is straightforward. Neither authentication nor any kind of user interaction is necessary to exploit the vulnerability," Schiller says.

Due to the nature of the vulnerability, its exploitation is also very reliable. "This makes it very likely that all publicly exposed, vulnerable instances are successfully exploited," he says.

The attacks are the latest manifestation of growing threat actor interest in software development pipelines as an initial access vector and avenue for stealing source code and secrets from companies and for potentially poisoning software and apps in SolarWinds-like fashion.

Vulnerabilities such as CVE-2023-42793 in a CI/CD platform enable supply chain attacks that can have far reaching consequences, says Henrik Plate, security researcher at application security company Endor Labs. It's often not just the organization using the affected software that feels the impact but also any downstream users that might download and execute software built on the system. "The worst-case scenario is probably one where attackers silently manipulate the software created by TeamCity, as this would affect all the users running such infected software," he says. "Such attacks are comparable to the SolarWinds incident, where compromised versions of SolarWinds were downloaded and run by numerous organizations."

**Addressing Supply Chain Risks**

At a high-level, software organizations should try and establish a traceable and verifiable link between the source code and the final build artifact that will be distributed to consumers, Plate says. They need to be able to answers questions like what version of the source code was used as input, which tools were used to compile and transform the various inputs, and what were their configurations. Resources such as the SLSA project and NIST's Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipeline offer actionable advice on the steps software teams can take to address CI/CD security, Plate notes.

In addition, implementing practices such as Reproducible builds can help in post-compromise situations, because they produce bit-identical software artifacts, as long as the same inputs and environment are used. "However, making builds reproducible can take a considerable effort and must have been put in place before the incident," Plate says.

JetBrains released a fixed version of TeamCity (version 2023.05.4) at time of vulnerability disclosure and strongly urged organizations to upgrade to it, to mitigate exposure to the threat. The company also released a security patch that organizations — which cannot update to the new version immediately — can plug in to their existing TeamCity version to address the RCE.

North Korean State Actors Attack Critical Bug in TeamCity Server








In Weintek's cMT3000 HMI Web CGI device, the cgi-bin command_wb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication.



CVE-2023-38584

By Deeba Ahmed
It is unclear how long Cisco will take to release a patch.
This is a post from HackRead.com Read the original post: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

The US had the most compromised devices (4,659) with a backdoor installed as a result of the Cisco Web UI vulnerability followed by the Philippines (over 3,200).

****_KEY FINDINGS_****

**Cisco released a security advisory on October 16 to warn users about a critical zero-day privilege escalation vulnerability in its IOS XE Web UI software.**

**As per Censys, the company tracking the vulnerability, by October 18 the number of infections had increased from the previously reported 34,140 to 41,983 hosts, while 34,140 had backdoor installed**

**It is tracked as CVE-2023-20198 and has been used to exploit tens of thousands of devices.**

**The US had the highest number of compromised devices followed by the Philippines.**

A critical cybersecurity threat disclosed by Cisco has resulted in mass exploitation of its devices, with the number of impacted systems surpassing 40,000 hosts worldwide. Nonprofit security group Shadowserver has detected over 32,800 devices compromised so far.

On the other hand, Censys has been tracking this vulnerability and in its blog post, the company explained that due to active exploitation of this security flaw tens of thousands of devices could be affected.

The company scanned the impacted Cisco devices and found that most belonged to telecom firms offering internet services to business and home users, including AT&T. The US had the highest number of compromised devices with a backdoor installed (4,659) followed by the Philippines (over 3,200).

Hackread.com had reported that the vulnerability, tracked as CVE-2023-20198, was discovered in the Cisco IOS XE software’s Web UI feature. Cisco warned customers about the vulnerability affecting Cisco RV320 and RV325 routers, explaining that it allows a remote unauthorized attacker to create an account on the compromised system with privilege level 15 access and go on to gain full control of the device. 

The vulnerability affects the IOS XE Software Web UI feature because it is enabled by default in the devices. Cisco recommends users disable the HTTP server feature on every internet-connected system to prevent exploitation. Attackers exploiting this flaw are hijacking routers from telecom firms. Cisco has confirmed that since at least mid-September, threat actors have been exploiting it as a zero-day.

The vulnerability was first discovered in March 2023, and an uptick in attacks exploiting it was observed from mid-September. Moreover, a highly sophisticated actor is suspected to be exploiting it, which hints at the launch of a targeted and coordinated campaign while Cisco is still working on a patch to fix it.

In its threat advisory published on October 16th, 2023, Cisco stated that the actor exploited the old, already patched vulnerability (CVE-2021-1435) to install the implant after obtaining access to the device.

> _“We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as-of-yet undetermined mechanism.”_
> 
> CISCO

It is a serious security threat as the vulnerability has the highest criticality score of 10. The IOS XE software is an essential component of Cisco switches, wireless controller products, and routers. The vulnerability is critical enough to enable a complete takeover of Cisco devices, granting threat actors the ability to effortlessly monitor network traffic or present phishing pages loaded with harmful malware.

Reportedly, 469 of the compromised devices were registered at AT&T for residential and business clients. The company uses enterprise-grade Cisco XE routers, so small-sized organizations and individuals would likely be vulnerable to this threat instead of large corporations.

The risks posed by the vulnerability are wide-ranging, as attackers can leverage access to compromised devices to disrupt network operations, steal sensitive data, and launch new attacks against other systems on the network.

It is unclear how long Cisco will take to release a patch. Meanwhile, users must scan their devices for infection and disable the HTTP server feature, implement network segmentation, and monitor network traffic for suspicious activity.

****_RELATED ARTICLES_****

1.  Cisco’s new tool will detect malware in encrypted traffic
2.  New 19 CISA Advisories Highlight Vulnerabilities in Top ICS Products
3.  New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
4.  Ex-employee hacked Cisco’s AWS Infrastructure; erased virtual machines
5.  Unpatched Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks

Tag

#auth