Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Molongui Author Box, Guest Author and Co-Authors for Your Posts – Molongui allows Stored XSS.This issue affects Author Box, Guest Author and Co-Authors for Your Posts – Molongui: from n/a through 4.6.19.



**Solution**

 Update to fix

Update the WordPress Molongui plugin to the latest available version (at least 4.6.20).

Abdullah Mudzakir discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Molongui Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.6.20.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-39921: WordPress Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui plugin <= 4.6.19 - Cross Site Scripting (XSS) vulnerability - Patchstack

Missing Authorization vulnerability in WPOmnia KB Support – WordPress Help Desk and Knowledge Base allows Accessing Functionality Not Properly Constrained by ACLs. Users with a role as low as a subscriber can view other customers.This issue affects KB Support – WordPress Help Desk and Knowledge Base: from n/a through 1.5.88.



**Solution**

 Update to fix

 vPatch available

Update the WordPress KB Support plugin to the latest available version (at least 1.5.89).

Found this useful? Thank Rafshanzani Suhada for reporting this vulnerability. Buy a coffee ☕

Rafshanzani Suhada discovered and reported this Broken Access Control vulnerability in WordPress KB Support Plugin. A broken access control issue refers to a missing authorization, authentication or nonce token check in a function that could lead to an unprivileged user to executing a certain higher privileged action. This vulnerability has been fixed in version 1.5.89.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37890: WordPress KB Support – WordPress Help Desk plugin <= 1.5.88 - Missing Authorization vulnerability - Patchstack

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons PRO.This issue affects Premium Addons PRO: from n/a through 2.9.0.



**Solution**

 Update to fix

Update the WordPress Premium Addons PRO plugin to the latest available version (at least 2.9.1).

Found this useful? Thank Rafie Muhammad (Patchstack) for reporting this vulnerability. Buy a coffee ☕

Rafie Muhammad (Patchstack) discovered and reported this Sensitive Data Exposure vulnerability in WordPress Premium Addons PRO Plugin. This vulnerability has been fixed in version 2.9.1.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37868: WordPress Premium Addons PRO plugin <= 2.9.0 - Sensitive Data Exposure vulnerability - Patchstack

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gopi Ramasamy Email download link.This issue affects Email download link: from n/a through 3.7.



**Solution**

 No fix available

 vPatch available

No patched version is available.

Found this useful? Thank Rafshanzani Suhada for reporting this vulnerability. Buy a coffee ☕

Rafshanzani Suhada discovered and reported this Sensitive Data Exposure vulnerability in WordPress Email download link Plugin. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-36523: WordPress Email download link plugin <= 3.7 - Sensitive Data Exposure - Patchstack

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Libsyn Libsyn Publisher Hub.This issue affects Libsyn Publisher Hub: from n/a through 1.3.2.



**Solution**

 Update to fix

 vPatch available

Update the WordPress Libsyn Publisher Hub plugin to the latest available version (at least 1.4.1).

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Sensitive Data Exposure vulnerability in WordPress Libsyn Publisher Hub Plugin. This vulnerability has been fixed in version 1.4.1.

**Other vulnerabilities in this plugin**

 2 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-25057: WordPress Libsyn Publisher Hub plugin 1.3.2 - Sensitive Data Exposure vulnerability - Patchstack

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gesundheit Bewegt GmbH Zippy.This issue affects Zippy: from n/a through 1.6.1.



**Solution**

 Update to fix

Update the WordPress Zippy plugin to the latest available version (at least 1.6.2).

Junsu Yeo discovered and reported this Sensitive Data Exposure vulnerability in WordPress Zippy Plugin. This vulnerability has been fixed in version 1.6.2.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-26533: WordPress Zippy plugin <= 1.6.1 - Sensitive Data Exposure vulnerability - Patchstack

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Repute Infosystems BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin.This issue affects BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin: from n/a through 1.0.64.



**Solution**

 Update to fix

 vPatch available

Update the WordPress BookingPress plugin to the latest available version (at least 1.0.65).

Paul Goodchild discovered and reported this Sensitive Data Exposure vulnerability in WordPress BookingPress Plugin. This vulnerability has been fixed in version 1.0.65.

**Other vulnerabilities in this plugin**

 0 present

 4 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-36507: WordPress BookingPress plugin <= 1.0.64 - Unauth. Server Information Disclosure vulnerability - Patchstack

Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

The holiday season is here, but software firms are still busy issuing fixes for major security flaws. Microsoft, Google, and enterprise software firm Atlassian have released patches for vulnerabilities already being used in attacks. Cisco also patched a bug deemed so serious, it was given a near-maximum CVSS score of 9.9.

Here’s everything you need to know about the patches released in November.

Google Chrome

Google ended November with a bang after issuing seven security fixes for Chrome, including an emergency patch for an issue already being used in real-life attacks. Tracked as CVE-2023-6345, the already exploited flaw is an integer overflow issue in Skia, an open source 2D graphics library. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the browser maker said in an advisory.

Little is known about the fix at the time of writing; however, it was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, indicating the exploit could be spyware-related.

The six other flaws fixed by Google and rated as having a high impact include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.

Earlier in the month, Google released fixes for 15 security issues in its widely used browser. Among the bugs fixed by the software giant are three rated as having a high severity. Tracked as CVE-2023-5480, the first is an inappropriate implementation issue in Payments, while the second, CVE-2023-5482, is an insufficient data validation flaw in USB with a CVSS score of 8.8. The third high-severity bug, CVE-2023-5849, is an integer overflow issue in USB.

Mozilla Firefox

Chrome competitor Firefox has fixed 10 vulnerabilities in the browser, six of which are rated as having a high impact. CVE-2023-6204 is an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 is a use-after-free issue in MessagePort.

Meanwhile, CVE-2023-6206 could allow clickjacking permission prompts using the full-screen transition. “The black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts,” Firefox owner Mozilla said. “It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.”

CVE-2023-6212 and CVE-2023-6212 are Memory safety bugs, both with a CVSS score of 8.8, in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

Google Android

Google's November Android Security Bulletin details fixes patched in this month, including eight in the Framework, six of which are elevation of privilege bugs. The worst flaw could lead to local escalation of privilege with no additional execution privileges needed, Google said in an advisory.

Google also fixed seven issues in the System, six of which are rated as having a high severity and one marked as critical. Tracked as CVE-2023-40113, the critical bug could lead to local information disclosure with no additional execution privileges needed.

Google's Pixel devices have already received the November update, along with some additional fixes. The November Android Security Bulletin has also started to roll out to some of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday every month, but November's is worth notice. The update fixes 59 vulnerabilities, two of which are already being exploited in real-life attacks. Tracked as CVE-2023-36033, the first is an elevation of privilege vulnerability in Windows DWM Core Library marked as important, with a CVSS score of 7.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS score of 7.8. Also fixed in November’s update cycle is the already exploited libWep flaw previously fixed in Chrome and other browsers, which also impacts Microsoft’s Edge, tracked as CVE-2023-4863.

Another notable flaw is CVE-2023-36397, a remote code execution vulnerability in Windows Pragmatic General Multicast marked as critical with a CVSS score of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft said.

Cisco

Enterprise software firm Cisco has issued fixes for 27 security flaws, including one rated as critical with a near maximum CVSS score of 9.9. Tracked as CVE-2023-20048, the vulnerability in the web services interface of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to execute unauthorized configuration commands on a Firepower Threat Defense device managed by the FMC Software.

However, to successfully exploit the vulnerability, an attacker would need valid credentials on the FMC Software, Cisco said.

A further seven of the flaws fixed by Cisco are rated as having a high impact, including CVE-2023-20086—a denial-of-service flaw with a CVSS score of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS score of 8.2.

Atlassian

Atlassian has released a patch to fix a serious flaw already being used in real-life attacks. Tracked as CVE-2023-22518, the improper-authorization vulnerability issue in Confluence Data Center and Server is being used in ransomware attacks. “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” it said.

Security outfit Trend Micro reported the Cerber ransomware group is using the flaw in attacks. “This is not the first time that Cerber has targeted Atlassian—in 2021, the malware re-emerged after a period of inactivity and focused on exploiting remote code execution vulnerabilities in Atlassian's GitLab servers,” Trend Micro said.

All versions of Confluence Data Center and Server are affected by the flaw, which allows an unauthenticated attacker to reset Confluence and create an administrator account. “Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability,” Atlassian said.

SAP

Enterprise software giant SAP has released its November Security Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS score of 9.6, the most serious issue is an improper access control vulnerability flaw in SAP Business One. As a result of exploiting the issue, a malicious user could read and write to the SMB shared folder, the software giant said.

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

No Iranian bank customers are safe from financially motivated cybercriminals wielding convincing but fake mobile apps.

Source: Stephen Barnes/Finance via Alamy Stock Photo

A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets.

Four months ago, researchers from Sophos detailed a lengthy campaign involving 40 malicious banking apps designed to harvest credentials belonging to unwitting customers. By imitating four of the Islamic Republic's most significant financial institutions — Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran — hackers were able to install and hide their copycat apps on victims' phones, harvesting logins, intercepting SMS messages with one-time passcodes, and stealing sensitive financial information, including credit cards.

Apparently, that was just the opening salvo. A new blog post from Zimperium has revealed 245 more apps associated with the same, clearly ongoing campaign, 28 of which had not previously been recorded on VirusTotal.

And this new trove isn't just bigger — it's more diverse, and more sophisticated than the first 40 were, featuring new kinds of targets, and tactics for stealth and persistence.

**285 Fake Banking Apps**

The 245 new apps discovered since the summer extend beyond the bounds of the original 40 by actively targeting four new Iranian banks, with some evidence that they have another four more in their sights.

Besides banks, the attackers have also started probing for data relating to sixteen cryptocurrency platforms, including such popular ones as Metamask, KuCoin, and Coinbase.

To facilitate the targeting of a dozen banks and 16 crypto hubs, the attackers have also added some new tools to their arsenal. For example, one little trick they use to avoid infrastructure takedowns involves a command-and-control server with the lone purpose of distributing phishing links. As the researchers explained, this "allows for the server URL to be hardcoded on the application without the risk of being taken down."

The group's most notable new tactic, however, is how its apps abuse accessibility services. 

"While using the accessibility API, they get a way to programmatically access the UI's elements," explains Nico Chiaraviglio, chief scientist of Zimperium. He explains that attackers can invisibly interact with the device in some of the same ways a user can, to malicious effect. For example, "they can request for dangerous permissions (such as reading SMS) and when the user is prompted to accept the permission, they click on 'Accept' before the user even sees the notification. Or they prevent uninstallation by clicking on 'Cancel' when the user tries to uninstall the app."

Thus far the fake apps have been limited to Android devices. But among the attackers' belongings, the researchers did uncover phishing websites mimicking banking apps' Apple App Store pages, indicating that the campaign may expand to iPhones in the near future.

Long before that happens, the campaign will have touched thousands. "Based on the information obtained from one of their Telegram channels, we know that there are thousands of victims. But we could only access one of the channels used (since one of them is private) and there is no guarantee that they didn't use other channels in the past." 

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Libsyn Libsyn Publisher Hub.This issue affects Libsyn Publisher Hub: from n/a through 1.4.4.



**Solution**

 No fix available

No patched version is available. No reply from the vendor.

Found this useful? Thank minhtuanact for reporting this vulnerability. Buy a coffee ☕

minhtuanact discovered and reported this Sensitive Data Exposure vulnerability in WordPress Libsyn Publisher Hub Plugin. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#auth