ETS Soft ybc_blog before v4.4.0 was discovered to contain a SQL injection vulnerability via the component Ybc_blogBlogModuleFrontController::getPosts().

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “BLOG - Drive High Traffic & Boost SEO” (ybc\_blog) in version up to 3.3.8 from PrestaHero (ETS Soft) for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-43979
*   **Published at**: 2023-11-14
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: ybc\_blog
*   **Impacted release**: <= 3.3.8 (4.4.0 fixed the vulnerability)
*   **Product author**: PrestaHero (ETS Soft)
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method Ybc_blogBlogModuleFrontController::getPosts() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

Reminder : Core method Validate::isCleanHtml() is useless against CWE-89, it only targets CWE-79

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 3.3.8**

    --- 3.3.8/modules/ybc_blog/controllers/front/blog.php
    +++ 4.4.0/modules/ybc_blog/controllers/front/blog.php
    ...
            } elseif (($tag = trim(Tools::getValue('tag'))) != '' && Validate::isCleanHtml($tag)) {
                if ($this->module->friendly && Tools::strpos($_SERVER['REQUEST_URI'], 'tag') !== false && Tools::strpos($_SERVER['REQUEST_URI'], 'ybc_blog') !== false)
                    $this->module->redirect($this->module->getLink('blog', array('tag' => $tag)));
                $md5tag = md5(urldecode(trim(Tools::strtolower($tag))));
    -           $filter .= " AND p.id_post IN (SELECT id_post FROM `" . _DB_PREFIX_ . "ybc_blog_tag` WHERE tag = '$tag' AND id_lang = " . $this->context->language->id . ")";
    +           $filter .= " AND p.id_post IN (SELECT id_post FROM `" . _DB_PREFIX_ . "ybc_blog_tag` WHERE tag = '" . pSQL($tag) . "' AND id_lang = " . $this->context->language->id . ")";
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **ybc\_blog**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-05-21

Issue discovered during a code review by TouchWeb.fr

2023-05-21

Contact PrestaShop Addons security Team to confirm version scope by author

2023-05-22

PrestaShop Addons security Team confirm version scope

2023-09-21

Request a CVE ID

2023-09-27

Received CVE ID

2023-11-14

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-43979: [CVE-2023-43979] Improper neutralization of SQL parameter in PrestaHero (ETS Soft) - BLOG - Drive High Traffic & Boost SEO module for PrestaShop

Improper Access Control in SMI handler vulnerability in Phoenix SecureCore™ Technology™ 4 allows SPI flash modification.
This issue affects SecureCore™ Technology™ 4:


  *  from 4.3.0.0 before 4.3.0.203
  *  

from 

4.3.1.0 before 4.3.1.163
  *  

from 

4.4.0.0 before 4.4.0.217
  *  

from 

4.5.0.0 before 4.5.0.138






**Phoenix Technologies SPI SMM Driver Vulnerability**

November 14, 2023

CVE-2023-31100

Phoenix Technologies has been notified by IOActive researchers of a security issue in its SecureCore Technology SPI SMM Driver that could allow unauthorized access to the SPI flash on some platforms.

Read More »

**The BlackLotus Campaign**

October 26, 2023

Microsoft Incident Report | CVE-2022-21894

In April 2023, cybersecurity researchers at Microsoft identified a dangerous UEFI bootkit (CVE-2022-21894), dubbed “BlackLotus”. It operates at computer startup, compromising systems and disabling OS security mechanisms.

Read More »

**Sunburst and SolarWinds Data Breach**

January 7, 2021

Alert (AA20-352A) – US-Cert – CISA

In December 2020, cybersecurity researchers at FireEye discovered and reported a supply chain attack on SolarWinds software.

Read More »

**WinFlash and WinFlash32 Drivers**

August 3, 2019

CVE-2019-18279

In May 2019, Phoenix was contacted by researchers from Eclypsium about a security concern regarding our WinFlash and WinFlash32 drivers.

Read More »

**LoJax Rootkit**

September 27, 2018

On September 27, 2018, security researchers from ESET publicly disclosed the discovery of a UEFI rootkit named “LoJax” that was “found in the wild.”

Read More »

**AMD Silicon (MASTERKEY, RYZENFALL, FALLOUT and CHIMERA)**

March 13, 2018

CVE-2018-8930, CVE-2018-8931, CVE-2018-8932, CVE-2018-8933, CVE-2018-8934, CVE-2018-8935, CVE-2018-8936

On March 13, 2018, security researchers from CTS Labs publicly disclosed vulnerabilities discovered in certain AMD silicon, named MASTERKEY, RYZENFALL, FALLOUT, and CHIMERA. Phoenix’s UEFI firmware is not vulnerable to these attacks.

Read More »

CVE-2023-31100: Security Notifications - Phoenix Technologies - Leading PC Innovation since 1979

When a particular process flow is initiated, an attacker may be able to gain unauthorized elevated privileges on the affected system when having control over a specific file.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-41718: Ivanti Community

A security vulnerability has been identified in EPMM Versions 11.10, 11.9 and 11.8 and older allowing an unauthenticated threat actor to impersonate any existing user during the device enrollment process. This issue poses a significant security risk, as it enables unauthorized access and potential misuse of user accounts and resources.

CVE-2023-39335: Ivanti Community

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Matthew Muro Restrict Categories plugin <= 2.6.4 versions.

**Solution**

 No fix

No patched version is available.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Restrict Categories Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47518: WordPress Restrict Categories plugin <= 2.6.4  - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.23.11.6 versions.

**Solution**

 No fix

No patched version is available. This plugin has been closed as of November 3, 2023 and is not available for download. This closure is temporary, pending a full review.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress SendPress Newsletters Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 4 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47517: WordPress SendPress Newsletters plugin <= 1.23.11.6 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

An authenticated Denial-of-Service (DoS) vulnerability exists in the CLI service. Successful exploitation of this vulnerability results in the ability to interrupt the normal

operation of the affected access point.



CVE-2023-45627

MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

Recently, Mikrotik added a REST server as a new API for managing the router. It is a nice alternative to their proprietary API when automating RouterOS.

However, young software usually contains bugs. Sometimes, these bugs are security-related, and, together with not-so-safe defaults, they may create a vulnerability.

This vulnerability has been assigned the ID CVE-2023-41570.

**Background**

RouterOS (from Mikrotik) is a closed-source Linux-based operating system for network appliances, specifically switches, routers and firewalls. It is used in Mikrotik appliances (such as RouterBOARD), but it can be downloaded and installed on other devices and virtual machines.

The management interfaces of RouterOS include SSH, MAC-Telnet, Winbox (a proprietary Windows-only tool), Webfig (a web user interface), and a proprietary API (additionally, ISPs have also TR-069). Since version v7.1beta4, RouterOS also includes a REST server. The REST server is started as a sub-resource of Webfig at /rest. More information on the RouterOS REST API web page.

**Authentication**

RouterOS supports local and remote user authentication and authorization databases (via RADIUS). Users belong to _groups_, each with its own permissions set. The resulting permission set is additive – it is the sum of all permissions granted by groups.

By default, only the local database is used, and three groups are present: full, with unlimited access to the router; write, with almost complete access except for file transfer (to/from the router itself) and user policies, and read, with read-only access (plus reboot privileges). Also, by default, rest-api is a specific permission granted to all groups.

Users may be restricted to logging in only from specific IP addresses or networks.

**The vulnerability**

REST APIs are protected by HTTP Basic authentication. You should provide a valid username and password pair. The username must have the rest-api (which, by default, is granted to all groups).

The vulnerability lies in the fact that, while other interfaces (SSH, Webfig, etc.) check whether the user is authorized to log in from that specific IP address, this is not the case for the REST server. **Users can access the REST server from any IP address**, even if they are not authorized in the users’ database.

To exploit this vulnerability:

*   the attacker must have a username and password pair that has rest-api permission (but no permission to log in from the attacker IP address);
*   the firewall should allow access to the web user interface from the IP address of the attacker;
*   Webfig (the web UI) must be enabled: the REST server is part of Webfig.

Note that, by default, all groups have the rest-api permission (any user is allowed to use REST APIs), and Webfig is enabled. There is no way to disable the REST server, as it is integrated into Webfig. This is unexpected; usually, services like SSH or proprietary APIs are under the “IP” -> “Services” menu with their independent entry. At the very least, there should be a flag in the Webfig service www to enable the REST server selectively (defaulting off).

So, I think the majority of those who left Webfig active don’t realize that they are exposing the REST endpoint too, and that every user can access it, regardless of the IP filter configured in the user database.

To exacerbate the problem, the read group has some dangerous permissions: sniff (to intercept traffic), reboot, and sensitive (read sensitive information, such as Wi-Fi passwords or IPSec pre-shared keys). I certainly do not expect a “read” user to reboot the router.

**Mikrotik advisory and solution**

Mikrotik released RouterOS version 7.12 with the fix (the changelog contains only a generic reference to “www - fixed allowed address setting for REST API users”).

**Timeline**

I followed the responsible disclosure process described in the “Responsible disclosure of discovered vulnerabilities” page. I reported the vulnerability at 2023-08-19 09:46:00 UTC and received the ACK at 2023-08-24 07:43:00 UTC. The fix was released in version 7.12 at 2023-11-09 09:45:00 UTC (time point from RouterOS changelog).

CVE-2023-41570: CVE-2023-41570: Access Control vulnerability in MikroTik REST API

By Waqas
The FBI arrested the operator of the IPStorm botnet, a Russian-Moldovan national, in Spain.
This is a post from HackRead.com Read the original post: Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US

The IPStorm botnet targeted Windows, Linux, Mac, and Android devices and claimed victims in Asia, Europe, North America, and South America.

A Russian-Moldovan national has pleaded guilty to operating an illegal botnet proxy service called IPStorm, responsible for infecting thousands of internet-connected devices worldwide.

Sergei Makinin, 32, of Moscow, Russia, was arrested by the F.B.I. with the cooperation of law enforcement authorities in Spain and Bitdefender, which provided cybersecurity consulting, resources, and guidance to track the suspect.

Makinin pleaded guilty to “three counts of violating 18 U.S.C. § 1030(a)(5)(A) Fraud and Related Activity in Connection with Computers,” in a district court in Puerto Rico as per the U.S. Department of Justice press release.

Makinin was suspected of running an extensive botnet-for-rent operation called Interplanetary Storm (IPStorm) used for illegal activities from June 2019 through December 2022. Bitdefender first documented the operation in a research paper in October 2020.

The botnet targeted Windows, Linux, Mac, and Android devices and claimed victims in Asia, Europe, North America, and South America. IPStorm anonymized its users’ internet traffic, allowing them to conduct malicious activities such as hacking, identity theft, and fraud.

Countries targeted by IPStorm botnet based on the number of victims (Credit: Bitdefender)

In his guilty plea, Makinin admitted that he and his accomplices ran IPStorm from 2015 to 2019 and successfully compromised over 40,000 devices using the IPStorm malware and 23,000 “highly anonymous” proxies. The domains used by Makinin is the scam were proxx.io and proxx.net.

The IPStorm malware allowed Makinin hijack the devices and use them as a proxy. Cybercriminals preferred the service because it was inexpensive, easy to use, and effectively anonymized their internet traffic. Makinin also admitted to developing/distributing malware for infecting the devices, earning $550,0000, and laundering the money.

Makinin is the first to be charged in connection with IPStorm. He faces up to 10 years in prison and will have to forfeit the cryptocurrency wallets linked with the scam. The sentencing is yet to be scheduled. Meanwhile, the F.B.I. and DoJ will continue to investigate the service.

Prices offered by Makinin (Screenshot credit: Hackread.com)

Commenting on this development is the operation’s lead researcher and Bitdefender’s Investigation and Forensics Unit’s senior director, Alexandru Catalin Cosoi. Cosoi shared with Hackread.com that IPStorm was a “complex” botnet rented by cybercriminals for various nefarious activities:

“The Interplanetary Storm botnet was complex and used to power various cybercriminal activities by renting it as a proxy as a service system over infected IoT devices. Our initial research back in 2020 uncovered valuable clues to the culprit behind its operation, and we are extremely pleased it helped lead to arrests,” Cosio explained.

“This investigation is another primary example of law enforcement and the private cybersecurity sector working together to shut down illegal online activities and bring those responsible to justice.”

Makinin’s conviction is a significant victory for law enforcement in the fight against cybercrime. Botnet proxy services remain a serious threat because they are used to committing cybercrimes. This development sends a strong message to other cybercriminals that they will be held accountable for their actions sooner or later.

****_RELATED ARTICLES_****

1.  **Russian Cybercriminal Pleads Guilty to Operating Kelihos Botnet**
2.  **Man whose DDoS attacks took down entire country’s Internet jailed**
3.  **Luminosity RAT author pleads guilty to creating, selling hacking tool**
4.  **2 Russians charged in Mt. Gox Bitcoin heist, BTC-e money laundering**
5.  **No Prison for Student who Developed Spam Botnet to Pay College Fee**

Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US

Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three "zero day" vulnerabilities that Microsoft warns are already being exploited in active attacks.

**Microsoft** today released updates to fix more than five dozen security holes in its **Windows** operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.

The zero-day threats targeting Microsoft this month include CVE-2023-36025, a weakness that allows malicious content to bypass the Windows SmartScreen Security feature. SmartScreen is a built-in Windows component that tries to detect and block malicious websites and files. Microsoft’s security advisory for this flaw says attackers could exploit it by getting a Windows user to click on a booby-trapped link to a shortcut file.

**Kevin Breen**, senior director of threat research at **Immersive Labs**, said emails with .url attachments or logs with processes spawning from .url files “should be a high priority for threat hunters given the active exploitation of this vulnerability in the wild.”

The second zero day this month is CVE-2023-36033, which is a vulnerability in the “DWM Core Library” in Microsoft Windows that was exploited in the wild as a zero day and publicly disclosed prior to patches being available. It affects Microsoft Windows 10 and later, as well as Microsoft Windows Server 2019 and subsequent versions.

“This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction,” said **Mike Walters**, president and co-founder of the security firm **Action1**. “Attackers exploiting this flaw could gain SYSTEM privileges, making it an efficient method for escalating privileges, especially after initial access through methods like phishing.”

The final zero day in this month’s Patch Tuesday is a problem in the “Windows Cloud Files Mini Filter Driver” tracked as CVE-2023-36036 that affects Windows 10 and later, as well as Windows Server 2008 at later. Microsoft says it is relatively straightforward for attackers to exploit CVE-2023-36036 as a way to elevate their privileges on a compromised PC.

Beyond the zero day flaws, Breen said organizations running **Microsoft Exchange Server** should prioritize several new Exchange patches, including CVE-2023-36439, which is a bug that would allow attackers to install malicious software on an Exchange server. This weakness technically requires the attacker to be authenticated to the target’s local network, but Breen notes that a pair of phished Exchange credentials will provide that access nicely.

“This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other vulnerable internal targets – just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said.

Breen said this vulnerability goes hand in hand with three other Exchange bugs that Microsoft designated as “exploitation more likely:” CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035.

Finally, the **SANS Internet Storm Center** points to two additional bugs patched by Microsoft this month that aren’t yet showing signs of active exploitation but that were made public prior to today and thus deserve prioritization. Those include: CVE-2023-36038, a denial of service vulnerability in **ASP.NET Core**, with a CVSS score of 8.2; and CVE-2023-36413: A **Microsoft Office** security feature bypass. Exploiting this vulnerability will bypass the protected mode when opening a file received via the web.

Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

Tag

#auth