Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.

 Hi all, 

I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. I was not the administrator of the scanner just had access to creating the target and running the scan. Our administrator was having access to all functionalities, Including downloading the reports and targets etc. 

Lets get to the technical details.

**Vulnerable Version:** 13.0.201217092 and before

**Fixed Version:** 14 and 14+

**\# Software description:**

Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security.

**\# Technical Details & Impact:**

It was observed that **Target** page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks:

Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.

Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website.

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

**\# POC**

To start the scan in Acunetix version 13.0.201217092 you have to add the target.

1.  Click on "Add Target"
2.  Add any target address and in description add CSV Injection Payloads for test I have used **"=10+20+cmd|' /C calc'!A0"**
3.  ![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Ad0y5kr3v5AqE2R5tMWz4ax0_1c0b95OwkEXxymKa0tjsJnu0c-6-J2-QEuIQO6-RMx6fVNY6A_MyyvkIIjzKRYKz2xNmEmkbeeqICVyLiKVc7mvX4xcey0T7HtW3aSaimNEyYZCmNYFBQSM1I1O9NTL6zj7UkUqmKVqg_lFXuW6yvW8XKEcRUnR/w640-h344/Embedd-csv-payload.jpg)
    
      
    
4.  Click on **Save** button
5.  The target with malicious payload will be shown in description column. 
6.  Click on **Export CSV** button
7.  ![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcuUH2WvOEfpFGX9mjasXHY9AmpYIzhBq18lqIQIgLzt7Wd94plK0G7caX-FY6URk1QTalW8MBVWIHtUyfuDbL0EbCIQx6VUtQHnaeKrUnwLK00EK6zdpKPOqvJoeRnlL7f_dHIeteKl1JyzFkgsooOGVeS2Wv8ttWN_N24ZPk33g1P2FtQ0Lc7eqe/w640-h254/save-the-scan-click-export-csv.jpg)
    
      
    
8.  CSV will be download and upon opening it will ask for Enable execution 
9.  Click on enable as the Admin will always trust the downloaded since it downloaded from trusted source, Once enabled it will execute the payload

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpw6bGT67rxowuT7IzEKhL_p3IvG-wA7w39cFWlXp3wfbOPuyUAh9HI9cDlbaAWMgTnl1wO2BuR2p8AnXFQlEAPeFqp7Fc1ezAwg1FST5tApOfIXseIzVTKb1t7_V1blmc3cHde27dDBWNrXe7IjF3ZCUTOwRgUxyOwFcF14jKGfADMssd8nhIOPv7/w400-h246/2022-04-11%2012_04_09-DNS-Allzones.xlsx%20-%20Excel.png)

Vulnerability was reported to Acunetix they silently fixed in latest version after 13.0. I have verified its fixed on 14.7.22xxxx

Thanks

CVE-2022-29315: CSV Injection in Acunetix version 13.0.201217092

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

The increased adoption of cloud infrastructure by companies looking to improve agility and support a hybrid workforce has led to more development teams adopting security-as-code as a way to build security into software and products.

Over the past year, for example, Google has pushed security-as-code as a fundamental component of its cloud offerings, identifying in January "software-defined infrastructure" as one of the eight megatrends driving the security of the cloud. Encoding security configuration as code that can be an input into development and deployment processes lets organizations analyze their security configuration, change and redeploy easily, and continuously monitor the state of their security configuration to evaluate whether it matches policies.

The result is analyzable security configuration and continuously verifiable controls, says Phil Venables, vice president at Google and CISO for Google Cloud.

"The great thing about security-as-code is that you know the configuration that you have deployed exactly corresponds to what you had specified and analyzed as meeting your security requirements," he says. "Many breaches out there are not necessarily the result of an unknown risk, but are usually the result of some control that the organization thought they had not being deployed and operating when they needed it the most."

Security-as-code is an extension of the infrastructure-as-code movement that has come about as software-defined networks and systems have become more popular. DevOps teams have adopted infrastructure-as-code as the de facto standard for building and deploying software, containers, and virtual machines, but now companies are betting that the shift to cloud-native infrastructure will make security-as-code a key part of a sustainable approach to security.

**How Security-as-Code Works**  
In 2021, consulting firm McKinsey and Company identified security-as-code as perhaps the only way to secure cloud application and infrastructure at the speed at which modern businesses move.

"Capturing value in the cloud requires most companies to build a transformation engine ... to integrate cloud into business and technologies, drive adoption in priority business domains, and establish the foundational capabilities required to scale cloud usage safely and economically," the consulting firm wrote in a position paper. "SaC is the mechanism for developing foundational capabilities in cloud security and risk management."

Google intends to make the concept much more functional and part of any cloud infrastructure. In November, the company's Cybersecurity Action Team announced a Risk and Compliance as Code (RCaC) solution.

Companies that have embraced DevOps know that repeatable software builds rely on being able to specify the configuration of infrastructure elements — whether software applications, pipeline builds, or containers — as code in a file. This infrastructure-as-code approach allows developers and operations specialists to express and analyze the configuration before it is deployed.

Security-as-code aims to do the same thing for security, in an approach that many have called DevSecOps. Security-as-code expresses the security configuration of a variety of elements, including what security testing should be performed, the criteria for vulnerability scanning, encryption requirements, and access controls.

**How Does it Affect SBOMs?**  
Google sees the current efforts to make software bills of materials (SBOMs) more explicit and functional as a key component of the future of software-as-code. The components of a software program could be analyzed during any build and the policies described in the security-as-code file would be applied. Using a component that is vulnerable to a specific threat, such as Log4j, could stop the build. Other requirements, such as a high level in the Supply Chain Levels for Software Artifacts (SLSA), could also be specified, Google's Venable says.

"This mechanism allows you to start making richer decisions," he says. "This programmability of the environment to enforce security policy is pretty transformational compared to what any of us used to be able to do in traditional on-premise environments."

Google is joined by others blazing a trail into the security-as-code arena. The growing movement to encode security as a configuration file that can be incrementally improved led security firm Tenable Network Security to acquire Accurics, a maker of security-as-code technology.

"It's far more effective to find and fix the issues at the point of creation in code, rather than where they manifest in the cloud," Renaud Deraison, chief technology officer for Tenable Network Security, said in a blog announcing the acquisition. "In this way, we can ensure that what is deployed is secure by default and that any fixes are a simple merge request rather than a patch or operational afterthought."

Not everyone is convinced that security configurations will be ensconced in code anytime soon. While configuration files traveling along with software-defined infrastructure components could bring significant benefits — such as the audit ability and improved change management — companies are still too reactionary to adopt the technology, says Brian Fox, chief technology officer and co-founder of Sonatype, a software-management and security firm.

Software composition analysis (SCA) services that can automate the identification of risky software components — a service that Sonatype provides — provides some of the automated benefits of security-as-code. Most businesses have no idea of even what components make up their software, Fox says.

"We are super early in the adoption cycle with this," he says. "All the reasons that infrastructure-as-code made sense will make sense with security-as-code, but the industry is not quite there yet, because so many people do not have the mechanisms to even do this, never mind doing it as code."

Security-as-Code Gains More Support, but Still Nascent

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

An Insecure Direct Object Reference issue exists in the Tyler Odyssey platform before 17.1.20. This may allow an external party to access sensitive case records.

CVE-2022-26665: What Happened With Tyler Technologies

Google patches a critical flaw in its Chrome browser, bringing its count of zero-day vulnerabilities fixed in 2022 to four.

Google fixed two vulnerabilities in its Chrome web browser as part of an emergency update this week, including a type confusion vulnerability that is already being exploited in the wild.

The type confusion vulnerability (CVE-2022-1364) impacts the JavaScript and WebAssembly engine in the browser. With this kind of flaw, a program will allocate a resource (such as a pointer or object) using one type but will later try to access the resource using an incompatible type. The vulnerability can be exploited to cause the browser to crash, trigger logical errors, or even execute arbitrary code.

"Google is aware that an exploit for CVE-2022-1364 exists in the wild," the company wrote in the alert. Details will be restricted until a majority of users have updated to Chrome version 100.0.4896.127 across the Windows, Linux, and Mac platforms.

The issues also affect other Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi.

The second issue that was fixed appears to be related to issues that were uncovered internally. The alert calls it "various fixes from internal audits, fuzzing, and other initiatives."

This is the third emergency update for Chrome in 2022, and the third zero-day vulnerability patched so far this year. In March, Google (along with Microsoft) fixed a critical flaw to the Chromium v8 JavaScript engine (CVE-2022-1096) that was being actively exploited.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Emergency Update Fixes Chrome Zero-Day

A zero-code remote code injection vulnerability via configuration.php in Chamilo LMS v1.11.13 allows attackers to upload arbitrary code in the form of a new plugin.

CVE-2022-27427: Security issues - Chamilo LMS

Chemical companies are the latest to be targeted by the well-known North Korean group, which has targeted financial firms, security researchers, and technology companies in the past.

The North Korean-linked Lazarus group sent fake job offers to targets in the chemical sector and information technology firms, which — when opened — install Trojan horse programs to collect information and send it back to the attackers, technology provider Broadcom's security arm Symantec stated in an advisory on April 14.

The attack is part of a long-running campaign — dubbed Operation Dream Job — that sends targets in specific industries malicious Web files disguised as job offers, which when opened attempts to compromise the system. While the current set of attacks focuses on South Korean chemical companies and their IT service providers, other targets have included industries and government agencies in Europe, Asia, and the United States. This campaign marks a shift, as Lazarus in the past targeted the defense, government, and engineering sectors.

The attacks have, at various times, targeted defense contractors, engineering firms, government agencies, and even pharmaceutical companies during the height of the pandemic, says Dick O’Brien, principal intelligence analyst for Symantec's threat-hunting team.

"North Korea-linked attackers have a long history of targeting intellectual property, presumably to assist strategically important engineering or technology projects," he says, adding: "Across all attacks, we’ve seen a range of data theft \[and\] data exfiltration tools deployed on infected computers. We’re assuming that they take what they need before moving on."

Other security and technology firms have also documented Lazarus's involvement in Operation Dream Job, which some researchers track as Operation AppleJeus. In early 2021, the Lazarus group targeted security researchers with similar offers of high-level jobs in the industry. And, earlier this year, the attackers targeted more than 250 individuals working for news media, software vendors, and Internet infrastructure providers, using job offers that appeared to come from Disney, Google, and Oracle, according to Google, which tracked the campaign.

A related campaign targeted cryptocurrency and financial technology and services firms, Adam Weidemann, a researcher with Google's Threat Analysis Group, stated in a late March blog post.

"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques," he wrote. "It is possible that other North Korean government-backed attackers have access to the same exploit kit."

**Long-Running Campaign  
**The April 14 advisory from Symantec noted that the campaign started at least as early as August 2020, albeit with a different set of targets. While the current campaign targets the chemical sector, campaigns discovered in 2020 had focused on government agencies and defense contractors, the company stated in its advisory.

"Operation Dream Job involves Lazarus using fake job offers as a means of luring victims into clicking on malicious links or opening malicious attachments that eventually lead to the installation of malware used for espionage," the company said.

Symantec's threat team outlined the steps in a successful attack in January 2022, which completed less than four days after the target received the file until the final execution of a program that collected and exfiltrated system data. After the targeted user opened the fake job offer, the attack exploited a vulnerability in one of two software packages, the INISAFE Web EX Client for system management or MagicLine, a gym management program, says Symantec's O'Brien.

"They’re not household names for us but our working assumption is they’re widely used in the industry or sector they’re currently targeting," he says. "An alternative hypothesis is they installed the software themselves in order to inject into it, but we haven’t seen any evidence of that."

While companies not running either application may not have to worry about this particular attack, cyber-espionage groups such as Lazarus are very good at tailoring attacks to match their target's environment, he says.

For that reason, no single solution will help prevent cyber-espionage attacks, O'Brien stressed. Instead, companies should take a layered approach to defense, using network detection, endpoint security, and hardening technologies — such as multifactor authentication — to protect against multiple vectors of attack, he says.

"We’d also advise implementing proper audit and control of administrative account usage, \[and\] you could also introduce one-time credentials for administrative work to help prevent theft and misuse of admin credentials," O'Brien says. "We’d also suggest creating profiles of usage for admin tools, \[because\] many of these tools are used by attackers to move laterally undetected through a network."

Lazarus Targets Chemical Sector With 'Dream Jobs,' Then Trojans

Authenticated (admin+) Stored Cross-Site Scripting (XSS) in WP Maintenance (WordPress plugin) <= 6.0.4 affects multiple inputs.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

The WP Maintenance plugin allows you to put your website on the waiting time for you to do maintenance or launch your website. Personalize this page, pictures and countdown with:

**Features**

*   Choice texts colors and fonts
*   Upload logo picture
*   Upload background picture or pattern
*   Slider
*   Countdown
*   Google Analytics ready
*   Social Networks ready
*   Customize CSS
*   Insert for shorcode (Newletter or Contact form)
*   Enable “503 Service temporarily unavailable”
*   Choose access by Roles and Capabilities
*   Choose access by IP address
*   Choose access by ID Pages

wp-maintenance.pot file available

1.  Upload the full directory into your ‘/wp-content/plugins’ directory
2.  Activate the plugin at the plugin administration page

You will find ‘WP Maintenance’ menu in your WordPress admin panel

**WP Maintenance Needs Your Support**

It is hard to continue development and support for this free plugin without contributions from users like you. If you enjoy using WP Maintenance and find it useful, please consider making a donation. Your donation will help encourage and support the plugin’s continued development and better user support.

**I have activated plugin and don’t see any changes, looks like plugin is not working.**

This is normal because you are logged in as an administrator. Try a different browser or use the preview link. If you have registered as a wordpress user, you see the site in normal mode.

**I have disabled plugin but I don’t see any changes, I have always the maintenance page, looks like plugin is not working.**

You have a cache plugin ? Try to purge it and try again.

**Where can I find out the login page to get to the site?**

You can use your administrator access or create new user in wordpress dashboard  
https://yousite.com/wp-admin/

**Can I change the plugin code?**

Yes. Thank you for submitting your changes to update the plugin.

**Translations**

You can translate WP Maintenance on **translate.wordpress.org**.

![](https://secure.gravatar.com/avatar/946618013301e878c15dfae30ec48371?s=60&d=retro&r=g)

très bon plugin, seul bémol il ne fonctionne pas sur les mobiles, impossible de l'activer sur les mobiles

![](https://secure.gravatar.com/avatar/9e0b3d7edb75cfc783ba50ff3bde118a?s=60&d=retro&r=g)

Propre, efficace, maintenue, gratuite, que demander de + ? Merci au dev !

![](https://secure.gravatar.com/avatar/191a96f2e67c1a008cfa911bc4e9a17c?s=60&d=retro&r=g)

Efficace et pratique. Merci à l'Auteur

![](https://secure.gravatar.com/avatar/777791c35a3b67af57ad92f5a1c9a04c?s=60&d=retro&r=g)

Je pensais avoir trouvé un super widget avec celle-ci, mais elle réagit vraiment bizarrement au point ou parfois on perd du temps pour savoir si des choses marchent. La page rs notamment. On dit que l'on peut mettre ses propres images rs. Cela ne marche pas... et je ne sais pas pourquoi... d'autant que l'appli semble vous aider en ajoutant l'url du dossier de destination. Mais quand vous complétez le chemin et enregistrez... ben il commence forcement l'enregistrement par https... parmi les icônes proposées une série fonctionne pas... tout ça est bien dommage. Enfin si l'auteur peut déjà "clarifier" et comment on met ses propres icones ce serait cool.

![](https://secure.gravatar.com/avatar/8eb9aa5197a2b8f4b8831a0b604c685e?s=60&d=retro&r=g)

Отличный дизайн плагина и полный перевод на русский язык. Спасибо!

![](https://secure.gravatar.com/avatar/4844bf0f6d567a7f19e682f820c11d26?s=60&d=retro&r=g)

3 mn chrono pour ma page ! Bravo.

Read all 71 reviews

“WP Maintenance” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/a6c69172b8ad02376d02ce8a4b62b41e?s=32&d=mm&r=g) Florent Maillefaud

CVE-2021-36828: WP Maintenance

Nyron 1.0 is affected by a SQL injection vulnerability through Nyron/Library/Catalog/winlibsrch.aspx. To exploit this vulnerability, an attacker must inject '"> on the thes1 parameter.

    # Exploit Title: Nyron 1.0 - SQLi (Unauthenticated)
    # Google Dork: inurl:"winlib.aspx"
    # Date: 01/18/2021
    # Exploit Author: Miguel Santareno
    # Vendor Homepage: http://www.wecul.pt/
    # Software Link: http://www.wecul.pt/solucoes/bibliotecas/
    # Version: < 1.0
    # Tested on: windows
    
    # 1. Description
    
    Unauthenticated user can exploit SQL Injection vulnerability in thes1 parameter.
    
    
    # 2. Proof of Concept (PoC)
    
    https://vulnerable_webiste.com/Nyron/Library/Catalog/winlibsrch.aspx?skey=C8AF11631DCA40ADA6DE4C2E323B9989&pag=1&tpp=12&sort=4&cap=&pesq=5&thes1='">
    
    
    # 3. Research:
    https://miguelsantareno.github.io/edp.pdf

Tag

#google