The sophisticated and ever-evolving threat known as LodeInfo is being deployed against media, diplomatic, government, public sector, and think-tank targets.

Chinese-speaking threat actor APT10 has been using a sophisticated and sometimes fileless backdoor to target media, diplomatic, governmental, public sector, and think-tank targets, since at least March, researchers have found.

Researchers at Kaspersky have been tracking the LodeInfo malware family since 2019, they said in one of two blog posts  published Monday that lay out a two-part investigation on the emerging threat. The group is bent on espionage, primarily against Japanese targets to date.

However, as threat actors are constantly updating and modifying LodeInfo — particularly with anti-detection features and varying infection vectors — it's been difficult to stay on top of its use and deployment, the researchers said.

"LodeInfo and its infection methods have been constantly updated and improved to become a more sophisticated cyber-espionage tool while targeting organizations in Japan," the researchers wrote in one of their posts. "The LodeInfo implants and loader modules were also continuously updated to evade security products and complicate manual analysis by security researchers."

JPCERT/C first named LodeInfo in a blog post in February 2020, when it was the payload in a spear-phishing campaign targeting Japan, according to Kaspersky. The following year, Kaspersky researchers also shared new findings during the HITCON 2021 conference that covered LodeInfo activities from 2019 to 2020. At the time they attributed the malware to APT10 — also known as the "Cicada" group — with "high confidence," the researchers said.

Kaspersky's latest intelligence on LodeInfo in the first half of their report focuses on their identification of current versions of the malware — in which researchers detected v0.6.6 and v0.6.7 — and their various infection methods tracked between March and September in use against targets in Japan. The second part unveils an investigation of new versions of LodeInfo shellcode — including v0.5.9, v0.6.2, v0.6.3 and v0.6.5 — identified in March, April, and June, respectively, the researchers said.

**Varied Infections Methods**

Researchers outlined four different infection methods that threat actors are using to get the LodeInfo backdoor on victim systems.

The first, identified in March and used in previous attacks observed by Kaspersky, started with a spear-phishing email that included a malicious attachment installing malware persistence modules, the researchers said. These modules were comprised of a legitimate EXE file from the K7Security Suite software used for DLL sideloading, as well as a malicious DLL file loaded via the DLL sideloading technique.

The malicious DLL file includes a loader for the LodeInfo shellcode that contains a 1-byte XOR-encrypted LodeInfo shellcode internally identified by version 0.5.9, the researchers said.

Another infection method uses a self-extracting archive (SFX) file in RAR format that contains three files with self-extracting script commands. When a targeted user executes this SFX file, the archive drops other files opens a .docx containing just a few Japanese words as a decoy, the researchers said.

While this decoy file is being shown to the user, archive script executes a malicious DLL via DLL sideloading that start a process that eventually deploys LodeInfo v0.6.3, they said.

A third infection vector uses another SFX file, first seen spread via a spear-phishing campaign in June, that exploits the name of a well-known Japanese politician and uses self-extracting script and files similar to the previous vector. This initial infection method also includes an additional file that decrypts shellcode for the LodeInfo v0.6.3 backdoor, the researchers said.

"The file name and the decoy document suggest the target was the Japanese ruling party or a related organization," they explained, adding that they observed another SFX file with a similar method and payload on July 4.

The fourth infection vector that researchers outlined was observed in June and appears to be a brand-new method that threat actors added this year, they said. This vector uses a fileless downloader shellcode — dubbed "DOWNIISSA" by the researchers — delivered by a password-protected Microsoft Word file. The file includes malicious macro code completely different from previously investigated samples of LodeInfo, the researchers said.

"Unlike past samples … where the malicious VBA macro was used to drop different components of the DLL sideloading technique, in this case the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly," they explained. "This implant was not present in past activities, and the shellcode is also a newly discovered multi-stage downloader shellcode for LodeInfo v0.6.5."

**Advanced Evasion Tactics**

Kaspersky researchers also outlined the various advanced evasion tactics displayed in new versions of the malware's shellcode, demonstrating how threat actors are evolving the malware to increase the chances they won't be caught, the researchers said.

"These modifications may serve as a confirmation that the threat actors track publications by security researchers and learn how to update their TTPs \[tactics, techniques, and procedures\] and improve their malware," they wrote.

For example, the LodeInfo v0.5.6 shellcode demonstrates several enhanced evasion techniques for certain security products, as well as three new backdoor commands implemented by the developer, researchers said.

It also contains a hardcoded key, NV4HDOeOVyL, used later by an antiquated Vigenere cipher, and it generates random junk data "possibly to evade beaconing detection based on packet size," they noted.

Another shellcode, in LodeInfo v0.5.6, uses revised crypto-algorithms and backdoor command identifiers — obfuscated with a 2-byte XOR operation that that was defined as 4-byte hardcoded values in previous LodeInfo shellcodes, the researchers said.

"We also observed the actor implementing new backdoor commands such as 'comc,' 'autorun,' and 'config' in LodeInfo v0.5.6 and later versions," they explained. "Twenty-one backdoor commands, including three new commands, are embedded in the LodeInfo backdoor to control the victim host."

Other LodeInfo shellcodes, v0.6.2 and later versions specifically, include a curious geographic identifying feature that looks for the “en\_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found, the researchers said, indicating that the threat actors are avoiding US targets.

Another core modification of the LodeInfo shellcode observed by Kaspersky was support for Intel 64-bit architecture, which expands the type of victim environments that threat actors can target, they said.

Overall, the updated TTPs and improvements in LodeInfo and related malware "indicate that the attacker is particularly focused on making detection, analysis, and investigation harder for security researchers," the researchers wrote.

Kaspersky shared various indicators of compromise in part two of its post on LodeInfo. The firm is encouraging other security researchers and the overall community in general to collaborate on identifying LodeInfo and related malware attacks in victim environments to prevent and mitigate further attacks.

China-Backed APT10 Supercharges Spy Game With Custom Fileless Backdoor

FitStack offers a SaaS-based platform — supporting both cloud native and on-prem environments — to take risk and vulnerability out of application development.

**MADISON, Wis., Nov. 1, 2022 /PRNewswire/ —** Today Varsity Venture Studio – a collaborative venture studio between the University of Wisconsin-Madison, the Wisconsin Alumni Research Foundation (WARF) and venture builder High Alpha Innovation – announced the public launch of FitStack (www.fitstack.dev), a proactive risk management solution for application development teams to address the ongoing challenges in managing software supply chain security.

To address these issues, co-founders Roger Cummings (CEO) and Dr. Mohannad Alhanahnah, Ph.D. (CTO) are positioning FitStack to streamline the overall DevSecOps process. Unlike passive tools that merely identify code and container vulnerability and configuration issues, the FitStack platform proactively addresses them, shows developers the changes that have been made, and ensures that modified applications will execute at runtime.

"In today's environment, it's essential for development teams to gain control, limit exposure, and reduce overall risk," explains Cummings. "FitStack is proactively driving security best practices into the earliest stages of the application development lifecycle. We are building FitStack to make sure our solution can fit into everyone's CICD pipeline in the most efficient manner. By reducing application attack surfaces, exposing application vulnerabilities, and generating compliance reports, we are protecting organizations from malicious events and delivering the insight they need to run their business."  

Cummings and Alhanahnah bring decades of leadership experience in the data, cloud, networking, and infrastructure computing industries. Cummings is a serial entrepreneur who has led five early-stage companies to successful acquisitions, assisted in raising over $1B in funding while scaling organizations worldwide. He previously served as CEO of Evidence IQ, an evidence-based data intelligence company. Alhanahnah has extensive experience in software security research with a focus on leveraging static analysis, dynamic analysis, and formal methods for securing application and machine learning. He recently completed post-doctoral research in the lab of Dr. Somesh Jha, a professor in the Department of Computer Sciences at UW-Madison and a co-founding advisor to FitStack. They have co-authored several papers on improving application safety, security and privacy.

WARF not only helped launch the company as a partner in Varsity Venture Studio, but also licensed the technology to FitStack. Greg Keenan, Senior Director of WARF Ventures, notes, "Helping campus innovators like Drs. Jha and Alhanahnah bring their patented technology to market delivers on our mission to support the commercialization of UW-Madison research for both commercial and societal impact. We are really excited about the market opportunity the company is addressing and look forward to seeing what the FitStack team accomplishes from here."

"Development teams who aren't addressing risk management are already behind the curve, but they can't do it alone," concludes Elliott Parker, CEO of High Alpha Innovation. "Roger and Mohannad's solution to such a pressing problem is the perfect fit for building a startup via Varsity Venture Studio."

**About Varsity Venture Studio**

Varsity Venture Studio, a University of Wisconsin-Madison-wide venture studio, turns ideas into funded software businesses. Varsity Venture Studio is a collaboration between the University of Wisconsin-Madison, Wisconsin Alumni Research Foundation (WARF) and venture builder High Alpha Innovation, and is the first university venture studio of its kind. Learn more about Varsity Venture Studio at varsityventurestudio.com, High Alpha Innovation at highalphainno.com, and about WARF at warf.org.

FitStack, a New Solution For Code and Container Risk Management, Launches With Support From Varsity Venture Studio

Major partnership program aims to break down barriers and empower underrepresented groups in cybersecurity across the globe.

**ALEXANDRIA, Va., Nov. 1, 2022 /PRNewswire/ —** (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced five key global partnerships in support of its diversity, equity and inclusion (DEI) initiative. The partners include the Australian Women in Security Network (AWSN), Cyversity, Blacks United in Leading Technology International (BUiLT), Women4Cyber and Chartered Institute of Information Security (CIISec).

Each partnership has unique objectives and will include support from (ISC)² in areas such as partnership promotion, co-branded and DEI-focused webinars, (ISC)² Certified in Cybersecurity promotion, grants for education and exams, along with co-branded toolkits and guides to assist both leaders, organizations and professionals on their DEI journeys and career development.

"It's no secret that the cybersecurity industry isn't nearly as diverse as it should be," said Dwan Jones, director of Diversity, Equity and Inclusion at (ISC)². "Our mission at (ISC)² is to not only enable individuals from all backgrounds to enter the cybersecurity industry but also to empower and equip them to excel in their positions and continuously grow in their careers. These five organizations have unique expertise and perspectives that will empower us to accomplish that mission and open new and diverse pathways for professionals looking to join the industry globally. Kicking off our DEI partnership program with this group of dedicated organizations is an exceptional opportunity to work together to transform this industry."

**Australian Women in Security Network**

The AWSN is a not-for-profit association and network of people aimed at increasing the number of women in the security community. Founded in 2015, it connects women, who often felt isolated in organizations and tertiary education institutions with like-minded individuals.

"(ISC)² is just the type of organization the cybersecurity industry needs today," said Jacqui Loustau, the founder and executive director of the AWSN. "At the AWSN, we believe partnering with membership organizations is a fundamental way to not only reach women we haven't been able to reach yet but also to introduce them to other women with similar interests, goals and aspirations. That shared passion is what's going to keep women in the field and make them want to share that passion with the next generation."

**Blacks United in Leading Technology International**

BUiLT is the largest community and nonprofit professional organization that focuses on black people in the technology industry. BUiLT is dedicated, with its allies, to increasing the representation and participation of black people in the technology industry by fostering the connection, development, and employment of its members.

"Diversity continues to lag in the tech and cyber industries – and in order to meet the workforce gap head on, we need to create racial equity by helping the black community explore new career possibilities within these fields," said Peter Beasley, executive director and chairman of the board, BUiLT. "Partnering with (ISC)² enables our members to explore new opportunities. It encourages a shift we need – to convert, train and educate adults already in the workforce to meet the open roles in the tech and cyber industries."

**Chartered Institute of Information Security**

CIISec is committed to raising the standard of professionalism in information and cybersecurity. CIISec provides a universally accepted focal point for the information cybersecurity profession. It is an independent not-for-profit body representing between 20,000-30,000 individuals in the information and cybersecurity industry. Governed by its members, it ensures standards of professionalism for training, qualifications, operating practices and individuals.

"Without diversity and inclusion, the industry will stagnate and be left unable to keep up with complex cyber threats," said Amanda Finch, CEO of CIISec. "To attract a pool of diverse professionals into cyber security, the industry needs to highlight the variety of roles available. From forensics to threat intelligence to researchers, there are opportunities out there for everyone. Cyber security can no longer be viewed as a 'boys-only club' where technical skills are valued above all. We need to move away from this and keep creating a culture where everyone can thrive, feel valued and be accepted.**"**

**Cyversity**

Cyversity is a diverse community of cybersecurity professionals whose mission is to achieve the consistent representation of women and underrepresented minorities in the cybersecurity industry through programs designed to diversify, educate, and empower. Cyversity tackles the 'great cyber divide' with scholarship opportunities, diverse workforce development, innovative outreach, and mentoring programs.

**Women4Cyber**

Women4Cyber is an initiative that aims to address the gender gap among cybersecurity professionals in Europe. In pursuing this objective, its main goal is to encourage and promote the skilling, up-skilling, and re-skilling of girls and women toward cybersecurity education and professions.

"These partnerships broaden our reach and open the doors to more women and underrepresented groups who are interested in pursuing a career in cybersecurity," said Clar Rosso, CEO at (ISC)². "We've been making huge strides as an organization in expanding cybersecurity training and education to more diverse groups. These partnerships help further that mission, ultimately addressing the global workforce talent gap we are facing today as an industry. There's only more to come."

In August, Rosso announced (ISC)²'s One Million Certified in Cybersecurity initiative at the Cyber Workforce and Education Summit at the White House. The initiative is a multi-year commitment to deliver free exams and educational resources to one million people looking to enter a career in cybersecurity. Of the one million pledged, 500,000 certifications will go to underrepresented groups, furthering the association's efforts to reduce the global cybersecurity skills gap through greater diversity and inclusion.

To learn more about (ISC)²'s diversity, equity and inclusion initiatives and access available resources, please visit https://www.isc2.org/DEI.

**About (ISC)²**  
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, more than 235,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

(ISC)² Expands DEI Initiative with International Partnership Agreements

x86: unintended memory sharing between guests On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-42327 / XSA-412 version 2 x86: unintended memory sharing between guests UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests. IMPACT ====== Guests are able to access an unintended shared memory page. Note the contents of the page are not interpreted by Xen or hardware. VULNERABLE SYSTEMS ================== Only Xen version 4.16 is vulnerable. Other Xen versions are not vulnerable. x86 HVM or PVH guests running on Intel systems with the "virtualize APIC accesses" feature are affected. This is believed to be all 64-bit capable Intel CPUs. x86 HVM or PVH guests running on AMD hardware, Arm or x86 PV guests are not affected. MITIGATION ========== Only running PV guests will mitigate the vulnerability on affected hardware. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa412.patch xen-unstable xsa412-4.16.patch Xen 4.16.x $ sha256sum xsa412\* 64107d4a185dc3cdbc59400d724fe2ada490d39c14ab354aa73bb67a94ca0f65 xsa412.meta 425c1cc3e25f67746a3074aa6304dd0d915f503ea57440b9ecdb583e1547a8fe xsa412.patch b030bebbc4798e1d1ad75d763294ce25609f9f895402272a1f354d781f6f5f00 xsa412-4.16.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNg+5sMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZF10H/2C2pgVmiJWW6iZNMTDHuV4EyZJTFPCBnKR3qirj 3fffRN15gjzPLZZH+Ivwj3ZeWyQBLkGqC1EFemLtWpQePYlcRoH4mCyE4jc8dx89 Ejh2Zfaib0GIJoHqqDYnRQV8/BusGjIRNgWG2zAEuj+ElHRYtXcd4G5/swtcmKyN /lSn5VMVrTGdfyGmQtcou24fK5sfzDrfCJm8pThUT6x+ERAUtCYWx2SG3fA1x55R hWc846qJPXay/BOI0F/d23QkOP+jZsCjhbe+xnTEfgGEq32ZvwhFgkz1/DuXHl0j hBrWjRzhLd8+mCmnXeXURDHbPmyg47TDsSg4n1VeRBJUKrc= =as4H -----END PGP SIGNATURE-----

CVE-2022-42327

Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: "given enough eyeballs, all bugs are shallow." This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying "all bugs are shallow" only true for

Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: "_given enough eyeballs, all bugs are shallow_." This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying "all bugs are shallow" only true for _shallow_ bugs and not ones that lie deeper? It turns out that security flaws in open source can be harder to find than we thought. Emil Wåreus, Head of R&D at Debricked, took it upon himself to look deeper into the community's performance. As the data scientist he is, he, of course, asked the data: _how good is the open source community at finding vulnerabilities in a timely manner_?

****The thrill of the (vulnerability) hunt****

Finding open source vulnerabilities is typically done by the maintainers of the open source project, users, auditors, or external security researchers. But despite these great code-archaeologists helping secure our world, the community still struggles to find security flaws.

On average, it takes _over 800 days_ to discover a security flaw in open source projects. For instance, the infamous Log4shell (CVE-2021-44228) vulnerability was undiscovered for a whopping 2649 days.

The analysis shows that 74% of security flaws are actually undiscovered for at least one year! Java and Ruby seem to have the most challenges here, as it takes the community more than 1000 days to find and disclose vulnerabilities. Our \[white\] hats go off to the PHP/Composer community, which slightly outperforms the others.

****The needle in a techstack****

Other interesting factors are that some of the different weakness types (CWE) seem to be harder to find and disclose, which actually contradicts Linus's law. The weakness types CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) typically aren't localized to a single function or may appear as intended logic in the application. In other words, it can't be considered "a shallow bug."

It also seems that the developer community is a bit better at finding CWE-20 (Improper Input Validation), where the flaw most of the time is just a few lines of code in a single function.

****Solve vulnerabilities with powerful remediation****

Why does this matter? As consumers of open source, and that's about every company in the whole world, the problem of vulnerabilities in open source is an important one. The data tells us that we can't fully trust Linus' Law - not because open source is less secure than other software, but because **not all bugs are shallow**.

Luckily, there are powerful tools to perform at-scale analysis of a lot of open source projects at once. There have been \[white knight hackers disclose 1000's\] of vulnerabilities at once using these methods. It would be naive to not assume that ill-minded organizations and individuals do the same. As an ecosystem that lays the foundation for our software-centric world, the community must improve its ability to find, disclose, and fix security flaws in open source significantly.

Last year, Google committed $10 billion to an open source fund to help secure open source with a specific curator role to work alongside the maintainers with specific security efforts.

Furthermore, Debricked helps companies make these vulnerabilities actionable by scanning all your software, every branch, every push, and every commit, for new (open source) vulnerabilities. Debricked even continuously scans all your old commits for every new vulnerability, to make sure they bring up-to-date, accurate, and actionable intelligence on the open source you consume. Debricked even helps developers fix your security flaws with automated pull requests that won't cause dependency hell; pretty neat!

**The truth lies in the data**

So, knowing all this, what is the best way to protect your project or company against open source vulnerabilities? As we've seen in the case of Log4j and Spring4shell as well as the numbers, we can never really trust that the community will find and fix all risks. There's a good chance that there are lots and lots of undiscovered and undisclosed vulnerabilities in your code today, and there's not much you can do about it.

According to Debricked, the best way to mitigate this is by implementing continuous vulnerability scanning to your SDLC. By automatically scanning at every push of code, in combination with the machine learning-powered vulnerability database. This makes sure you're updated in real-time, you'll know about new vulnerabilities before anyone else does. As soon as there's a fix, you can generate a Fix Pull Request automatically or solve it manually with Debricked's help. _Currently, Debricked offers remediation for JavaScript and Go, with more language support is to come shortly._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Last Years Open Source - Tomorrow's Vulnerabilities

** UNSUPPORTED WHEN ASSIGNED ** Oracle Solaris version 10 1/13, when using the Common Desktop Environment (CDE), is vulnerable to a privilege escalation vulnerability. A low privileged user can escalate to root by crafting a malicious printer and double clicking on the the crafted printer's icon.

CVE-2022-43752: .:: Phrack Magazine ::.

The application was vulnerable to a Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks in other downstream systems.

**CVE-2022-40296**

Discovered by Edward Prior on behalf of The Missing Link Security

**Vulnerability Details**

The application was vulnerable to a Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services. Leading to attacks in other downstream systems.

**Affected Versions**

Discovered in: 19.0

**Fixed Versions**

Fixed In: Won’t fix.

Latest News

Recent data breaches and what your business can learn from them

Clearing up the complex world of penetration testing

How intelligent automation can help address ESG reporting challenges

See All News

CVE-2022-40296: Server-side request forgery (SSRF) in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.

**CVE-2022-40295**

Discovered by Edward Prior on behalf of The Missing Link Security

**Vulnerability Details**

The application was vulnerable to an Authenticated Information Disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.

**Affected Versions**

Discovered in: 19.0

**Fixed Versions**

Fixed In: Won’t fix.

Latest News

Recent data breaches and what your business can learn from them

Clearing up the complex world of penetration testing

How intelligent automation can help address ESG reporting challenges

See All News

CVE-2022-40295: Authenticated sensitive information disclosure in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.

**CVE-2022-40294**

Discovered by Edward Prior on behalf of The Missing Link Security

**Vulnerability Details**

The application was identified to have an Authenticated Incubated Vulnerability in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.

**Affected Versions**

Discovered in: 19.0

**Fixed Versions**

Fixed In: Won’t fix.

Latest News

Recent data breaches and what your business can learn from them

Clearing up the complex world of penetration testing

How intelligent automation can help address ESG reporting challenges

See All News

CVE-2022-40294: Authenticated incubated vulnerability in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.

**CVE-2022-39020**

Discovered by Nelson Fernandes on behalf of The Missing Link Security

**Vulnerability Details**

Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.

**Affected Versions**

Discovered in: 21.0.2

**Fixed Versions**

Fixed in: 21.0.3

Latest News

Recent data breaches and what your business can learn from them

Clearing up the complex world of penetration testing

How intelligent automation can help address ESG reporting challenges

See All News

Tag

#intel