FreshRSS

πŸ”’
❌ Secure Planet Training Courses Updated For 2019 - Click Here
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
Yesterday β€” May 3rd 2024Full Disclosure

Live2D Cubism refusing to fix validation issue leading to heap corruption.

Posted by PT via Fulldisclosure on May 03

Live2D Cubism is the dominant "vtuber" software suite for 2D avatars for use in livestreaming and integrating them in
other software.
They publish various SDKs and a frameworks for integrating their libraries with your own program. You're supposed to
use those to deserialize and render/animate the models created with their main software - often untrusted files from
random people on the internet.
While their main java-based...
Before yesterdayFull Disclosure

Microsoft PlayReady white-box cryptography weakness

Posted by Security Explorations on May 01

Hello All,

There is yet another attack possible against Protected Media Path
process beyond the one involving two global XOR keys [1]. The new
attack may also result in the extraction of a plaintext content key
value.

The attack has its origin in a white-box crypto [2] implementation.
More specifically, one can devise plaintext content key from white-box
crypto data structures of which goal is to make such a reconstruction
difficult / not...

Defense in depth -- the Microsoft way (part 87): shipping more rotten software to billions of unsuspecting customers

Posted by Stefan Kanthak on Apr 24

Hi @ll,

this post is a continuation of
<https://seclists.org/fulldisclosure/2023/Oct/17> and
<https://seclists.org/fulldisclosure/2021/Oct/17>

With the release of .NET Framework 4.8 in April 2019, Microsoft updated
the following paragraph of the MSDN article "What's new in .NET Framework"
<https://msdn.microsoft.com/en-us/library/ms171868.aspx>

| Starting with .NET Framework 4.5, the clrcompression.dll assembly...

Response to CVE-2023-26756 - Revive Adserver

Posted by Matteo Beccati on Apr 24

CVE-2023-26756 has been recently filed against the Revive Adserver project.

The action was taken without first contacting us, and it did not follow
the security process that is thoroughly documented on our website. The
project team has been given no notice before or after the disclosure.

Our team has been made aware of this report by a community member via a
GitHub issue. All of this resulted in an inability for us to produce an
appropriate...

BACKDOOR.WIN32.DUMADOR.C / Remote Stack Buffer Overflow (SEH)

Posted by malvuln on Apr 19

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/6cc630843cabf23621375830df474bc5.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Dumador.c
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The malware runs an FTP server on TCP port 10000. Third-party
adversaries who can reach the server can send a specially crafted payload
triggering...

SEC Consult SA-20240418-0 :: Broken authorization in Dreamehome app

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 19

SEC Consult Vulnerability Lab Security Advisory < 20240418-0 >
=======================================================================
title: Broken authorization
product: Dreamehome app
vulnerable version: <=2.1.5 (iOS)
fixed version: none, see solution
CVE number: -
impact: medium
homepage: https://www.dreametech.com
found: 2024-01-17...

MindManager 23 - full disclosure

Posted by Pawel Karwowski via Fulldisclosure on Apr 19

Resending! Thank you for your efforts.

GitHub - pawlokk/mindmanager-poc: public disclosure<https://github.com/pawlokk/mindmanager-poc>

Affected application: MindManager23_setup.exe

Platform: Windows

Issue: Local Privilege Escalation via MSI installer Repair Mode (EXE hijacking race condition)

Discovered and reported by: Pawel Karwowski and Julian Horoszkiewicz (Eviden Red Team)

Proposed mitigation:...

CVE-2024-31705

Posted by V3locidad on Apr 14

CVE ID: CVE-2024-31705

Title : RCE to Shell Commands" Plugin / GLPI Shell Command Management Interface

Affected Product : GLPI - 10.X.X and last version

Description: An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via
the insufficient validation of user-supplied input.

Affected Component : A remote code execution (RCE) vulnerability has been identified in the 'Shell...

SEC Consult SA-20240411-0 :: Database Passwords in Server Response in Amazon AWS Glue

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 14

SEC Consult Vulnerability Lab Security Advisory < 20240411-0 >
=======================================================================
title: Database Passwords in Server Response
product: Amazon AWS Glue
vulnerable version: until 2024-02-23
fixed version: as of 2024-02-23
CVE number: -
impact: medium
homepage: https://aws.amazon.com/glue/
found:...

[KIS-2024-03] Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability

Posted by Egidio Romano on Apr 10

------------------------------------------------------------------------------
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
------------------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

Version 4.7.16 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the...

[KIS-2024-02] Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability

Posted by Egidio Romano on Apr 10

--------------------------------------------------------------------
Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability
--------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

All versions from 4.4.0 to 4.7.15.

[-] Vulnerability Description:

The vulnerability is located in the
/applications/nexus/modules/front/store/store.php script....

Multiple Issues in concretecmsv9.2.7

Posted by Andrey Stoykov on Apr 10

# Exploit Title: Multiple Web Flaws in concretecmsv9.2.7
# Date: 4/2024
# Exploit Author: Andrey Stoykov
# Version: 9.2.7
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com

Verbose Error Message - Stack Trace:

1. Directly browse to edit profile page
2. Error should come up with verbose stack trace

Verbose Error Message - SQL Error:

1. Page Settings > Design > Save Changes
2. Intercept HTTP POST request and place single...

OXAS-ADV-2024-0001: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Apr 10

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at
https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0001.html.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH...

Trojan.Win32.Razy.abc / Insecure Permissions (In memory IPC)

Posted by malvuln on Apr 10

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/0eb4a9089d3f7cf431d6547db3b9484d.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Razy.abc
Vulnerability: Insecure Permissions (In memory IPC)
Family: Razy
Type: PE32
MD5: 0eb4a9089d3f7cf431d6547db3b9484d
SHA256: 3d82fee314e7febb8307ccf8a7396b6dd53c7d979a74aa56f3c4a6d0702fd098
Vuln ID: MVID-2024-0678...

CVE-2023-27195: Broken Access Control - Registration Code in TM4Web v22.2.0

Posted by ClΓ©ment Cruchet on Apr 10

CVE ID: CVE-2023-27195

Description:
An access control issue in Trimble TM4Web v22.2.0 allows
unauthenticated attackers to access a specific crafted URL path to
retrieve the last registration access code and use this access code to
register a valid account. If the access code was used to create an
Administrator account, attackers are also able to register new
Administrator accounts with full rights and privileges.

Vulnerability Type: Broken...

CVE-2024-30929: XSS Vulnerability in DerbyNet v9.0 via 'back' Parameter in playlist.php

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30929

Description:
A Cross-Site Scripting (XSS) vulnerability has been found in DerbyNet version 9.0, affecting the `playlist.php`
component. This issue allows remote attackers to execute arbitrary code by exploiting the `back` parameter. The
application does not properly sanitize the `back` parameter before it is rendered on the page, thereby allowing the
injection and execution of arbitrary JavaScript code.

Vulnerability...

CVE-2024-30928: SQL Injection Vulnerability in DerbyNet v9.0 via 'classids' Parameter

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30928

Description:
An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, particularly within the
`ajax/query.slide.next.inc` file. This vulnerability allows remote attackers to execute arbitrary code and disclose
sensitive information by exploiting the unvalidated `classids` parameter used in constructing SQL queries. This
parameter is not properly sanitized before being included in the SQL statement,...

CVE-2024-30927: XSS Vulnerability in DerbyNet v9.0 via racer-results.php

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30927

Description:
A Cross-Site Scripting (XSS) vulnerability is present in DerbyNet version 9.0, specifically within the
`racer-results.php` component. This issue allows remote attackers to execute arbitrary code through the improper
handling of the `racerid` parameter. The vulnerability is notably present within the HTML `<title>` tag, where the
`racerid` parameter value is dynamically inserted directly into the page...

CVE-2024-30926: XSS Vulnerability in DerbyNet v9.0 via ./inc/kiosks.inc

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30926

Description:
A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, affecting the
`./inc/kiosks.inc` component. This vulnerability permits remote attackers to execute arbitrary code by exploiting the
`address_for_current_kiosk()` function. The issue stems from the improper sanitization of user-supplied input via the
URL parameters `id` and `address`, which are directly utilized without...

CVE-2024-30925: XSS Vulnerability in DerbyNet v9.0 via photo-thumbs.php

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30925

Description:
A Cross-Site Scripting (XSS) vulnerability exists in DerbyNet version 9.0, specifically within the `photo-thumbs.php`
component. This issue enables a remote attacker to execute arbitrary code through the improper handling of the
`racerid` and `back` parameters. The vulnerability arises because the application dynamically generates URLs for
navigation without adequately sanitizing these parameters, thus...

CVE-2024-30924: XSS Vulnerability in DerbyNet v9.0 via checkin.php

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30924

Description:
A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically within the
`checkin.php` component. This vulnerability allows remote attackers to execute arbitrary code due to improper handling
of the `order` URL parameter. The flaw lies in the way the `order` parameter is embedded directly into a JavaScript
variable assignment without adequate sanitization or encoding,...

CVE-2024-30923: SQL Injection in DerbyNet v9.0 via print/render/racer.inc

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30923

Description:
An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, specifically within the
`print/render/racer.inc` component. This vulnerability allows remote attackers to execute arbitrary code and disclose
sensitive information by exploiting improper sanitization of the `where` clause in Racer Document Rendering.

Vulnerability Type: SQL Injection

Vendor of Product: DerbyNet - Available on...

CVE-2024-30922: SQL Injection in DerbyNet v9.0 via print/render/award.inc

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30922

Description:
A SQL Injection vulnerability has been identified in DerbyNet version 9.0, specifically affecting the 'where' clause in
Award Document Rendering through the component `print/render/award.inc`. This vulnerability allows remote attackers to
execute arbitrary code and disclose sensitive information without requiring authentication.

Vulnerability Type: SQL Injection

Vendor of Product: DerbyNet -...

[CFP] IEEE CSR Workshop on Cyber Forensics& Advanced Threat Investigations in Emerging Technologies 2024

Posted by Andrew Zayine on Apr 05

Dear Colleagues,

IEEE CSR Workshop on Cyber Forensics and Advanced Threat Investigations in
Emerging Technologies organizing committee is inviting you to submit your
research papers. The workshop will be held in Hybrid mode. The in-person
mode will held at Hilton London Tower Bridge, London from 2 to 4 September
2024

Topics include (but not limited to):
-Forensics and threat investigations in P2P, cloud/edge, SDN/NFV, VPN, and
social networks...

Backdoor.Win32.Agent.ju (PSYRAT) / Authentication Bypass RCE

Posted by malvuln on Apr 05

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/0e6e40aad3e8d46e3c0c26ccc6ab94b3.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Agent.ju (PSYRAT)
Vulnerability: Authentication Bypass RCE
Family: PSYRAT
Type: PE32
MD5: 0e6e40aad3e8d46e3c0c26ccc6ab94b3
Vuln ID: MVID-2024-0677
Disclosure: 04/01/2024

Description: The PsyRAT 0.01 malware listens on...

CVE-2024-30921: Unauthenticated XSS Vulnerability in DerbyNet v9.0 via photo.php

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30921

Description:
A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically affecting the
photo.php component. This vulnerability allows remote attackers to execute arbitrary code via crafted URLs, without
requiring authentication.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected...

CVE-2024-30920: XSS Vulnerability in DerbyNet v9.0 via render-document.php

Posted by Valentin Lobstein via Fulldisclosure on Apr 05

CVE ID: CVE-2024-30920

Description:
A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet v9.0, specifically within the
`render-document.php` component. This vulnerability allows a remote attacker to execute arbitrary code via crafted
URLs. The root cause of the vulnerability is the application's failure to properly sanitize user input in document
rendering paths, which permits the injection of malicious scripts....

SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in Visual Planning

Posted by Lennert Preuth via Fulldisclosure on Apr 05

Title
=====

SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in
Visual Planning

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49234

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8...

SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset Functionality in Visual Planning

Posted by Lennert Preuth via Fulldisclosure on Apr 05

Title
=====

SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset
Functionality in Visual Planning

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49232

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-004/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-004.txt

Affected products/vendor
========================

All versions prior to Visual...

SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API

Posted by Lennert Preuth via Fulldisclosure on Apr 05

Title
=====

SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49231

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-003/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-003.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8 (Build 240207) by...

Microsoft PlayReady deficiencies / content key sniffing on Windows

Posted by Security Explorations on Apr 02

Hello All,

It's been 1.5 years since Microsoft got a notification about PlayReady issues
affecting Canal+ VOD service in Poland [1].

Per information received from Microsoft back then:
1) "to maintain the integrity of the PlayReady ecosystem, the company takes
reports such as (ours) very seriously" (Oct 7, 2022),
2) the STB manufacturer committed to mitigate the incident (Nov 18, 2022).

However, as of late Mar 2024, no change...

Intel PowerGadget 3.6 Local Privilege Escalation

Posted by Julian Horoszkiewicz via Fulldisclosure on Mar 28

Vulnerability summary: Local Privilege Escalation from regular user to SYSTEM, via conhost.exe hijacking triggered by
MSI installer in repair mode
Affected Products: Intel PowerGadget
Affected Versions: tested on PowerGadget_3.6.msi (a3834b2559c18e6797ba945d685bf174), file signed on β€ŽMonday, β€ŽFebruary
β€Ž1, β€Ž2021 9:43:20 PM (this seems to be the latest version), earlier versions might be affected as well.
Affected Platforms: Windows...

Application is Vulnerable to Session Fixation

Posted by YOGESH BHANDAGE on Mar 27

*Vulnerability Name - *Application is Vulnerable to Session Fixation

*Vulnerable URL: *www.fusionpbx.com

*Overview of the Vulnerability*
Session fixation is a security vulnerability that occurs when an attacker
sets or fixes a user's session identifier, manipulating the authentication
process. Typically exploited in web applications, this vulnerability allows
the attacker to force a user's session ID to a known value, granting...

APPLE-SA-03-25-2024-1 Safari 17.4.1

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-03-25-2024-1 Safari 17.4.1

Safari 17.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214094.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebRTC
Available for: macOS Monterey and macOS Ventura
Impact: Processing an image may lead to arbitrary code execution...

APPLE-SA-03-25-2024-2 macOS Sonoma 14.4.1

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-03-25-2024-2 macOS Sonoma 14.4.1

macOS Sonoma 14.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214096.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

CoreMedia
Available for: macOS Sonoma
Impact: Processing an image may lead to arbitrary code execution...

APPLE-SA-03-25-2024-3 macOS Ventura 13.6.6

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-03-25-2024-3 macOS Ventura 13.6.6

macOS Ventura 13.6.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214095.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

CoreMedia
Available for: macOS Ventura
Impact: Processing an image may lead to arbitrary code execution...

APPLE-SA-03-25-2024-4 iOS 17.4.1 and iPadOS 17.4.1

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-03-25-2024-4 iOS 17.4.1 and iPadOS 17.4.1

iOS 17.4.1 and iPadOS 17.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214097.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

CoreMedia
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad...

APPLE-SA-03-25-2024-5 iOS 16.7.7 and iPadOS 16.7.7

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-03-25-2024-5 iOS 16.7.7 and iPadOS 16.7.7

iOS 16.7.7 and iPadOS 16.7.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214098.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

CoreMedia
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro...

APPLE-SA-03-25-2024-6 visionOS 1.1.1

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-03-25-2024-6 visionOS 1.1.1

visionOS 1.1.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214093.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

CoreMedia
Available for: Apple Vision Pro
Impact: Processing an image may lead to arbitrary code execution
Description: An...

Escape sequence injection in util-linux wall (CVE-2024-28085)

Posted by Skyler Ferrante (RIT Student) via Fulldisclosure on Mar 27

Wall-Escape (CVE-2024-28085)

Skyler Ferrante: Escape sequence injection in util-linux wall

=================================================================
Summary
=================================================================

The util-linux wall command does not filter escape sequences from
command line arguments. The vulnerable code was introduced in
commit cdd3cc7fa4 (2013). Every version since has been
vulnerable.

This allows...

Win32.STOP.Ransomware (smokeloader) / Remote Code Execution (MITM)

Posted by malvuln on Mar 27

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/3b9e9e130d52fe95c8be82aa4b8feb74.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Win32.STOP.Ransomware (smokeloader)
Vulnerability: Remote Code Execution (MITM)
Family: Stop
Type: PE32
MD5 3b9e9e130d52fe95c8be82aa4b8feb74
Vuln ID: MVID-2024-0676
Disclosure: 03/22/2024
Description:
There are two roads to...

Circontrol EV Charger vulnerabilities (CVE-2020-8006, CVE-2020-8007)

Posted by Dariusz G on Mar 27

Circontrol EV Charger vulnerabilities.

1. CVE-2020-8006 Pre-Auth Stack Based Buffer Overflow
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10)

The server in Circontrol Raption through 5.11.2 has a pre-authentication
stack-based buffer overflow that can be exploited to gain run-time control
of the device as root.

When the server parses the HTTP headers and finds the Basic-Authentication
tag it will call a base64 decode function. This function...

[IWCC 2024] CfP: 13th International Workshop on Cyber Crime - Vienna, Austria, July 30 - Aug 02, 2024

Posted by Artur Janicki via Fulldisclosure on Mar 27

[APOLOGIES FOR CROSS-POSTING]

CALL FOR PAPERS
13th International Workshop on Cyber Crime (IWCC 2024 -
https://www.ares-conference.eu/iwcc/)
to be held in conjunction with the 19th International Conference on
Availability, Reliability and Security (ARES 2024 -
http://www.ares-conference.eu)

July 30 - August 02, 2024, Vienna, Austria

IMPORTANT DATES
Submission Deadline May 12, 2024
Author Notification May 29, 2024
Proceedings Version...

Backdoor.Win32.Emegrab.b / Remote Stack Buffer Overflow (SEH)

Posted by malvuln on Mar 19

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/19a14d0414aec62ef38378de2e8b259d.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Emegrab.b
Vulnerability: Remote Stack Buffer Overflow (SEH)
Family: Emegrab
Type: PE32
MD5: 19a14d0414aec62ef38378de2e8b259d
Vuln ID: MVID-2024-0675
ASLR: False
DEP: False
CFG: False
Safe SEH: False
Disclosure:...

MetaFox Remote Shell Upload Exploit

Posted by j0ck1ng@tempr.email on Mar 13

#!/usr/bin/env python3# Exploit Title: MetaFox Remote Shell Upload# Google Dork: "Social network for niche
communities"# Exploit Author: The Joker# Vendor Homepage: https://www.phpfox.com# Version: <= 5.1.8import jsonimport
requestsimport sysif len(sys.argv) != 4:Β Β  sys.exit("Usage: %s " % sys.argv[0])Β  Β 
requests.packages.urllib3.disable_warnings()endpoint = sys.argv[1] + "/api/v1/user/login"response =...

SEC Consult SA-20240307-0 :: Local Privilege Escalation via writable files in Checkmk Agent (CVE-2024-0670)

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Mar 13

SEC Consult Vulnerability Lab Security Advisory < 20240307-0 >
=======================================================================
title: Local Privilege Escalation via writable files
product: Checkmk Agent
vulnerable version: 2.0.0, 2.1.0, 2.2.0
fixed version: 2.1.0p40, 2.2.0p23, 2.3.0b1, 2.4.0b1
CVE number: CVE-2024-0670
impact: high
homepage: https://checkmk.com...

HNS-2024-05 - HN Security Advisory - Multiple vulnerabilities in RT-Thread RTOS

Posted by Marco Ivaldi on Mar 13

Hi,

Please find attached a security advisory that describes multiple
vulnerabilities we discovered in RT-Thread RTOS.

* Title: Multiple vulnerabilities in RT-Thread RTOS
* OS: RT-Thread <= 5.0.2
* Author: Marco Ivaldi <marco.ivaldi () hnsecurity it>
* Date: 2024-03-05
* CVE IDs and advisory URLs:
* CVE-2024-24334 - https://github.com/RT-Thread/rt-thread/issues/8282
* CVE-2024-24335 -...

APPLE-SA-03-12-2024-1 GarageBand 10.4.11

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-12-2024-1 GarageBand 10.4.11

GarageBand 10.4.11 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT214090.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

GarageBand
Available for: macOS Ventura and macOS Sonoma
Impact: Processing a maliciously crafted file may lead to...

APPLE-SA-03-07-2024-7 visionOS 1.1

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-07-2024-7 visionOS 1.1

visionOS 1.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214087.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: Apple Vision Pro
Impact: An app may be able to spoof system notifications and UI
Description: This...

APPLE-SA-03-07-2024-6 tvOS 17.4

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-07-2024-6 tvOS 17.4

tvOS 17.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214086.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: A malicious app may be able to observe user data in log...

APPLE-SA-03-07-2024-5 watchOS 10.4

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-07-2024-5 watchOS 10.4

watchOS 10.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214088.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: Apple Watch Series 4 and later
Impact: A malicious app may be able to observe user data in log...

APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4

macOS Monterey 12.7.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214083.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Monterey
Impact: An app may be able to elevate privileges
Description: A...

APPLE-SA-03-07-2024-3 macOS Ventura 13.6.5

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-07-2024-3 macOS Ventura 13.6.5

macOS Ventura 13.6.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214085.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Ventura
Impact: An app may be able to elevate privileges
Description: A...

APPLE-SA-03-07-2024-2 macOS Sonoma 14.4

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-07-2024-2 macOS Sonoma 14.4

macOS Sonoma 14.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214084.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: macOS Sonoma
Impact: A malicious app may be able to observe user data in log entries...

APPLE-SA-03-07-2024-1 Safari 17.4

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-07-2024-1 Safari 17.4

Safari 17.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214089.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Safari Private Browsing
Available for: macOS Monterey and macOS Ventura
Impact: Private Browsing tabs may be accessed without...

APPLE-SA-03-05-2024-2 iOS 16.7.6 and iPadOS 16.7.6

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-05-2024-2 iOS 16.7.6 and iPadOS 16.7.6

iOS 16.7.6 and iPadOS 16.7.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214082.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Additional CVE entries coming soon.

Kernel
Available for: iPhone 8, iPhone 8 Plus, iPhone X,...

APPLE-SA-03-05-2024-1 iOS 17.4 and iPadOS 17.4

Posted by Apple Product Security via Fulldisclosure on Mar 13

APPLE-SA-03-05-2024-1 iOS 17.4 and iPadOS 17.4

iOS 17.4 and iPadOS 17.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214081.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Additional CVE entries coming soon.

Accessibility
Available for: iPhone XS and later, iPad Pro...

Backdoor.Win32.Beastdoor.oq / Unauthenticated Remote Command Execution

Posted by malvuln on Mar 13

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Beastdoor.oq
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 1332, makes outbound
connections to SMTP port 25 and executes a PE file named svchost.exe
dropped in...

StimulusReflex CVE-2024-28121

Posted by lixts via Fulldisclosure on Mar 13

StimulusReflex CVE-2024-28121

Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10.

## Vulnerable code excerpt

stimulus_reflex/lib/stimulus_reflex/reflex.rb
```
# Invoke the reflex action specified by `name` and run all callbacks
def process(name, *args)
run_callbacks(:process) { public_send(name, *args) }
end
```

stimulus_reflex/app/channels/stimulus_reflex/channel.rb...

[Full Disclosure] CVE-2024-25228: Unpatched Command Injection in Vinchin Backup & Recovery Versions 7.2 and Earlier

Posted by Valentin Lobstein via Fulldisclosure on Mar 13

CVE ID: CVE-2024-25228

Title: Authenticated Command Injection Vulnerability in ManoeuvreHandler.class.php of Vinchin Backup & Recovery
Versions 7.2 and Earlier

Description:
A critical security vulnerability has been discovered in the `getVerifydiyResult` function within the
`ManoeuvreHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This
function, intended for validating IP addresses...
❌