On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2022-27878

An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later

<< Back to Security Advisory List

*   **Release date:** May 6, 2022
*   **Security ID:** QSA-22-16
*   **Severity:** High
*   **CVE identifier:** CVE-2021-44051 | CVE-2021-44052 | CVE-2021-44053 | CVE-2021-44054
*   **Affected products:** Certain QNAP NAS
*   **Status:** Resolved

**Summary**

Multiple vulnerabilities have been reported to affect QTS, QuTS hero, and QuTScloud: 

*   CVE-2021-44051: Command injection vulnerability
    *   If exploited, this vulnerability allows remote attackers to run arbitrary commands.

*   CVE-2021-44052: Improper link resolution before file access ("link following") vulnerability
    *   If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite files.

*   CVE-2021-44053: Cross-site scripting (XSS) vulnerability
    *   If exploited, this vulnerability allows remote attackers to inject malicious code.

*   CVE-2021-44054: Open redirect vulnerability
    *   If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware.

We have already fixed the vulnerabilities in the following versions of QTS, QuTS hero, and QuTScloud:

*   QTS 5.0.0.1986 build 20220324 and later
*   QTS 4.5.4.1991 build 20220329 and later
*   QTS 4.3.6.1965 build 20220302 and later
*   QTS 4.3.4.1976 build 20220303 and later
*   QTS 4.3.3.1945 build 20220303 and later
*   QTS 4.2.6 build 20220304 and later
*   QuTS hero h5.0.0.1986 build 20220324 and later
*   QuTS hero h4.5.4.1971 build 20220310 and later
*   QuTScloud c5.0.1.1998 and later

**Recommendation**

To fix the vulnerabilities, we recommend updating your QNAP operating system to one of the above versions or later.

**Updating QTS, QuTS hero, or QuTScloud**

1.  Log on to QTS, QuTS hero, or QuTScloud as administrator.
2.  Go to **Control Panel** > **System** > **Firmware Update**.
3.  Under **Live Update**, click **Check for Update**.  
    QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.

**Tip:** You can also download the update from the QNAP website. Go to **Support** > **Download Center** and then perform a manual update for your specific device.

**Acknowledgements:** Enio Pena Navarro and Michael Messner from Siemens Energy AG

**Revision History:** V1.0 (May 6, 2022) - Published

CVE-2021-44054: Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud - Security Advisory

Scamming, phishing and other data theft is all part of Nigeria Tesla's portfolio.
The post Nigerian Tesla: 419 scammer gone malware distributor unmasked appeared first on Malwarebytes Labs.

Agent Tesla is a well-known data stealer written in .NET that has been active since 2014 and is perhaps one of the most popular payloads observed in malspam campaigns.

While looking for threats targeting Ukraine, we identified a group we call “Nigerian Tesla” that has been dabbling into phishing and other data theft activities for a number of years. Ironically, one of the main threat actors seemingly compromised his own computer with an Agent Tesla binary.

In this blog, we expose some of the activities from a scammer who started off with classic advance-fee schemes and is now successfully running Agent Tesla campaigns. In the past two years, this threat actor was able to collect close to a million credentials from his victims.

**Spam campaign**

Our investigation started with an email targeting titled _Остаточний платіж.msg_ (Ukrainian for _Final payment.msg_). It contained a link to a file sharing site that downloads an archive containing an executable file.

Figure 1: Spam email with Agent Tesla

This executable is actually an Agent Tesla stealer, capable of exfiltrating data in multiple ways, though most commonly using SMTP. The technique is really simple as it only requires an email account that sends messages to itself containing stolen credentials for each victim that executed the malware on their computer.

**Test successful!**

The attacker sent a number of messages containing the body “Test successful!” from the same machine. Those emails should have been deleted for obvious reasons but this threat actor did not and leaked his own IP address allowing us to locate them in Lagos, Nigeria.

Figure 2: Test emails sent by the attacker

These messages are checks done by the threat actor to make sure communication with Agent Tesla is configured properly. This is typical and is often described in hacking forums where users ask for help with the ‘software’.

Figure 3: Forum post complaining about issue not receiving logs

There were an additional 26 emails sent from the same IP address that weren’t test emails but came from a real Agent Tesla execution. We don’t know exactly how, but the attacker managed to infect his own machine.

Figure 4: Information exfiltrated from the attacker’s machine

Here is a list containing some of the services that the Nigerian Tesla threat actor used:

*   PerfectMoney
*   Glassdoor signupanywhere (could be a source to get victims emails)
*   omail.io (service for extracting emails)
*   warzone.ws (Warzone RAT)
*   worldwiredlabs (NetWire RAT)
*   le-vpn.com and bettervpn.com zenmate.com tigervpn hotvpn (VPN provider)
*   securitycode.eu cassandra.pw (Code Protector)
*   esco.pw (office document protection)
*   monovm hostwinds.com firevps dynu 4server.su (VPS and dedicated servers)
*   dnsomatic.com cloudns.net (DNS services)
*   spam-lab.su
*   filesend.io 4shared (hosting files)
*   avcheck.net (offline av test)
*   bitshacking.com
*   archive.org (used like cloud storage)
*   xss.is hackforums.net exploit.in
*   titan.email (.pw accounts, various scams)

Rita Bent, Lee Chen and John Cooper are some of the names that have been used in the past along with dozens of different email accounts with passwords containing the string ‘1985’. The following image shows the activity from user rita398 in hackforums asking about Esco Crypter:

Figure 5: Rita398 interested in Esco Crypter

In that case, we see Rita complaining about some RDP suspension that happened eventually to one of his registered domains.

Figure 6: RDP shutdown complain

The following email accounts were used in various phishing and data stealing operations:

*   along.aalahajirazak.ibrahim@gmail.com
*   administracion@romexpert.es
*   administracioneforce@eforce.es
*   soceanwave244@gmail.com
*   barristeradamssetien@gmail.com
*   catalinafuster@palmaprocura.com
*   david01smith@yandex.com
*   davidsmith.ntx31@yandex.com
*   davids27smith@yandex.com
*   elisabet.valenti@ag.barymont.com
*   gestor3@afectadosvolkswagenabogados.com
*   info@borrellacerrajeros.com
*   info@crmarismas.org
*   info@cristaleriagandia.com
*   infogestinsur@grupogestinsur.com
*   instalaciones@gopamar.com
*   isabel@grupoatu.com
*   m.lopez@forestadent.es
*   nacho@alasvigilnevot.com
*   restaurante@elsecretodechimiche.com
*   soceanwave244@gmail.com
*   tienda@di-tempo.com
*   torremolinos3@copiplus.es
*   v.reino@gooddental.es
*   victor@sugesol.com
*   vives@viveselectricitat.com

Based on these profiles, we can see this threat actor has an extensive criminal record starting at least from 2014. Back then, they performed classic scams under the Rita Bent moniker.

Figure 7: Scam conducted by the same attacker in the past

One of their preferred scams was phishing for Adobe login pages. We have records indicating that several Adobe fake pages were deployed from 2015 until recently. Landing pages looked like the following:

Figure 8: Fake Adobe login page

Fast forward to 2020, and the threat actor has graduated to malware distributor. He protects his binaries with the Cassandra Protector obfuscator and then checks them against AVcheck\[.\]net.

Figure 9: Cassandra Protector

Figure 10: AVcheck\[.\]net

**Who is behind these attacks?**

The threat actor shared photos of himself back in 2016 and for some reason forgot about them.

Figure 11: Photos of the threat actor

E.K. was born in 1985 according to his driver license. Remember that 1985 was used in a lot of passwords collected from accounts that conducted these illegal activities.

Figure 12: Threat actor’s drivers license

At the moment, we do not have much information about other members in the team. But E. K. seems to be the most relevant figure, at least the one who started the scheme.

**From 419 scams to Agent Tesla**

Nigerian Tesla stole more than 800,000 different credentials from about 28,000 victims. This shows how simple and yet effective running one of these campaigns can be. In this case we see an interesting evolution from a threat actor that was performing the classic advance-fee scam (419 scam) before moving into the malware distribution world, more or less for the same end goal.

Malwarebytes users are protected against Agent Tesla. We detect this sample as Spyware.Password.Stealer.

Nigerian Tesla: 419 scammer gone malware distributor unmasked

Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account .

Permalink

Browse files

attachment: set CSP header in the serving endpoint (#6926)

*   Loading branch information

1 parent 2a8f561 commit bc77440b301ac8780698be91dff1ac33b7cee850

Showing with **1 addition** and **0 deletions**.

1.  +1 −0 internal/cmd/web.go

@@ -314,6 +314,7 @@ func runWeb(c \*cli.Context) error {

}

defer fr.Close()

  

c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")

c.Header().Set("Cache-Control", "public,max-age=86400")

c.Header().Set("Content-Disposition", fmt.Sprintf(\`inline; filename="%s"\`, attach.Name))

  

**0 comments on commit bc77440**

Please sign in to comment.

CVE-2022-1464: attachment: set CSP header in the serving endpoint (#6926) · gogs/gogs@bc77440

Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.

@@ -1,18 +1,6 @@ /\*\* \* Copyright (c) 2006-2012, JGraph Ltd \*/ // Workaround for allowing target="\_blank" in HTML sanitizer // see https://code.google.com/p/google-caja/issues/detail?can=2&q=&colspec=ID%20Type%20Status%20Priority%20Owner%20Summary&groupby=&sort=&id=1296 if (typeof html4 !== 'undefined') { html4.ATTRIBS\['a::target'\] \= 0; html4.ATTRIBS\['source::src'\] \= 0; html4.ATTRIBS\['video::src'\] \= 0; // Would be nice for tooltips but probably a security risk... //html4.ATTRIBS\['video::autoplay'\] = 0; //html4.ATTRIBS\['video::autobuffer'\] = 0; }  
// Workaround for handling named HTML entities in mxUtils.parseXml // LATER: How to configure DOMParser to just ignore all entities? (function() @@ -1670,62 +1658,21 @@ Graph.removePasteFormatting = function(elt) };  
/\*\* \* Sanitizes the given HTML markup. \* Sanitizes the given HTML markup, allowing target attributes and \* data: protocol links to pages and custom actions. \*/ Graph.sanitizeHtml \= function(value, editing) { // Uses https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer // NOTE: Original minimized sanitizer was modified to support // data URIs for images, mailto and special data:-links. // LATER: Add MathML to whitelisted tags function urlX(link) { if (link != null && link.toString().toLowerCase().substring(0, 11) !== 'javascript:') { return link; }  
return null; }; function idX(id) { return id };  
return html\_sanitize(value, urlX, idX); return DOMPurify.sanitize(value, {ADD\_ATTR: \['target'\], ALLOWED\_URI\_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|\[^a-z\]|\[a-z+.\\-\]+(?:\[^a-z+.\\-:\]|$))/i}); };  
/\*\* \* Removes all script tags and attributes starting with on. \* Sanitizes the SVG in the given DOM node in-place. \*/ Graph.sanitizeSvg \= function(div) { // Removes all attributes starting with on var all \= div.getElementsByTagName('\*');  
for (var i \= 0; i < all.length; i++) { for (var j \= 0; j < all\[i\].attributes.length; j++) { var attr \= all\[i\].attributes\[j\];  
if (attr.name.length \> 2 && attr.name.toLowerCase().substring(0, 2) \== 'on') { all\[i\].removeAttribute(attr.name); } } }  
function removeAllTags(tagName) { var nodes \= div.getElementsByTagName(tagName);  
while (nodes.length \> 0) { nodes\[0\].parentNode.removeChild(nodes\[0\]); } };  
removeAllTags('meta'); removeAllTags('script'); removeAllTags('metadata'); return DOMPurify.sanitize(div, {IN\_PLACE: true}); };  
/\*\* @@ -13734,12 +13681,12 @@ if (typeof mxVertexHandler !== 'undefined') mxEvent.consume(evt); }));  
this.linkHint.appendChildGraph.createRemoveIcon(mxResources.get('removeIt', this.linkHint.appendChild(Graph.createRemoveIcon(mxResources.get('removeIt', \[mxResources.get('link')\]), mxUtils.bind(this, function(evt) { this.graph.setLinkForCell(this.state.cell, null); mxEvent.consume(evt); })); }))); } }

CVE-2022-1575: 18.0.0 release · jgraph/drawio@f768ed7

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.

GitLab 15.0 is launching on May 22! This version brings many exciting improvements, but also removes deprecated features and introduces **breaking changes** that may impact your workflow. To see what is being deprecated and removed, please visit Breaking changes in 15.0 and Deprecations.

CVE-2022-29940: Tags · LibreHealth / LibreHealth EHR / LibreHealth EHR Base · GitLab

Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests to fishing steal cookie, request to private area, or lead to xss...

CVE-2022-1592

A vulnerability was found in Bludit 3.13.1. It has been declared as problematic. This vulnerability affects the endpoint /admin/new-content of the New Content module. The manipulation of the argument content with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit has been disclosed to the public and may be used.

CVE-2022-1590

Attackers could use the flaw to steal credentials with no authentication required

Attackers could use the flaw to steal credentials with no authentication required

Developers have patched a critical vulnerability in Snipe-IT that could be exploited to send users malicious password reset requests.

Grokability’s Snipe-IT is a cloud-based, open source project for user asset management.

The popular system has been designed to replace sometimes clunky and ineffective Excel spreadsheets and accounts for roughly 3.4 million users, as well as over 6.7 million managed assets.

**RECOMMENDED** Zero-day bug in uClibc library could leave IoT devices vulnerable to DNS poisoning attacks

Snipe-IT’s GitHub repository has over 200 contributors and over 2,100 forks at the time of writing. Adopters can choose to have their Snipe-IT builds hosted by Grokability or they can manage it themselves.

On May 2, the project disclosed CVE-2022-23064, a critical vulnerability that has been awarded a CVSS severity score of 8.8.

**Server-side woes**

The vulnerability is described as a host header injection bug. Host header issues occur when server communication is handled in an unsafe way and can lead to a variety of problems including web cache poisoning, server-side request forgery (SSRF), or SQL injection attacks.

In Snipe-IT’s case, CVE-2022-23064 allowed attackers to send crafted host headers to the reset password request functionality of the system.

Target users could be sent password reset links that would, once clicked, lead them to an attacker-controlled server rather than a trusted domain managed by Snipe-IT users.

Read more of the latest security research news from around the world

The developers say that it would then be possible to steal password reset tokens, leading to account hijacking.

According to White Source, an example attack scenario is an attacker selecting ‘I forgot my password’ and submitting the selected victim’s username.

The request would be intercepted after clicking ‘email password reset’, and the host header would then be modified. If the would-be victim clicks the email link, complete with a modified base URL, the reset token is then logged and compromised.

**Protect your targets**

While user interaction is required to trigger a cyber-attack, no authentication or privileges are required to exploit the flaw.

Snipe-IT versions 3.0-alpha to v5.3.7 are vulnerable. Users are urged to upgrade to at least version v5.3.8.

One of the latest builds available – v.5.4.3 (v.5.4.4 was released on May 4) – also includes a patch to resolve a potential cross-site scripting (XSS) vulnerability in user requestable results.

Speaking to _The Daily Swig_, Grokability CTO Brady Wetherington said there is no evidence of any in-the-wild exploits. Furthermore, “our hosted platform was never vulnerable to the exploit, due to its configuration”.

**YOU MIGHT ALSO LIKE** State Bar of Georgia reels from cyber-attack

Serious Snipe-IT bug exploitable to send password reset email traps

Cross-site Scripting (XSS) in GitHub repository contao/contao prior to 4.13.3. Attacker can execute Malicious JS in Application :)

@@ -230,12 +230,12 @@ protected function prepare($objPage)

$this\->Template\->pageTitle = str\_replace('\[-\]', '', $this\->Template\->pageTitle);

  

// Meta robots tag

$this\->Template\->robots = $headBag\->getMetaRobots();

$this\->Template\->robots = htmlspecialchars($headBag\->getMetaRobots());

  

// Canonical

if ($objPage\->enableCanonical)

{

$this\->Template\->canonical = $headBag\->getCanonicalUriForRequest($request);

$this\->Template\->canonical = htmlspecialchars($headBag\->getCanonicalUriForRequest($request));

}

  

// Fall back to the default title tag

Tag

#xss