Missing authentication in the StudentPopupDetails_Timetable method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction sensitive student data by unauthenticated attackers.  

Discovered by Melodi Dey on behalf of The Missing Link Security

**Vulnerability Details**

Missing authentication in the StudentPopupDetails\_Timetable method in IDAttend’s IDWeb application 3.1.013 allows extraction sensitive student data by unauthenticated attackers.   

**Affected Versions**

Discovered in: 3.1.013

**Fixed Versions**

Fixed in: 3.1.053

CVE-2023-26570: Missing Authentication In IDAttend’s IDWeb Application

Missing authentication in the SearchStudents method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction sensitive student data by unauthenticated attackers. 

Discovered by Melodi Dey on behalf of The Missing Link Security

**Vulnerability Details**

Missing authentication in the SearchStudents method in IDAttend’s IDWeb application 3.1.013 allows extraction sensitive student data by unauthenticated attackers.   

**Affected Versions**

Discovered in: 3.1.013

**Fixed Versions**

Fixed in: 3.1.053

CVE-2023-26574: Missing Authentication In IDAttend’s IDWeb Application

Missing authentication in the SetStudentNotes  method in IDAttend’s IDWeb application 3.1.052 and earlier allows modification of student data by unauthenticated attackers.  

Discovered by Melodi Dey on behalf of The Missing Link Security

**Vulnerability Details**

Missing authentication in the SetStudentNotes method in IDAttend’s IDWeb application 3.1.013 allows modification of student data by unauthenticated attackers. 

**Affected Versions**

Discovered in: 3.1.013

**Fixed Versions**

Fixed in: 3.1.053

CVE-2023-26571: Missing Authentication In IDAttend’s IDWeb Application

Missing authentication in the SetDB method in IDAttend’s IDWeb application 3.1.052 and earlier allows denial of service or theft of database login credentials.  

Discovered by Jack Misiura on behalf of The Missing Link Security

**Vulnerability Details**

Missing authentication in the SetDB method in IDAttend’s IDWeb application 3.1.013 allows denial of service or theft of database login credentials.   

**Affected Versions**

Discovered in: 3.1.013

**Fixed Versions**

Fixed in: 3.1.053

CVE-2023-26573: Missing Authentication In IDAttend’s IDWeb Application

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.

**CMSmadesimple Stored XSS v2.2.18****Author: (Sergio)**

**Description:** Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory in the File Picker Menu.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Top Directory of "File Picker Menu" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "File Picker extensions- Top Directory." section off General Menu.

We edit that Top Directory Menu that we have created and see that we can inject arbitrary Javascript code in the Global Meatadata field.

**XSS Payload:**

""\><svg/onload\=alert('FilePicker')\>

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43360: GitHub - sromanhu/CVE-2023-43360-CMSmadesimple-Stored-XSS---File-Picker-extension: Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a 

By Deeba Ahmed
Yet another day, more unprotected data left in the Cloud without password or security measures.
This is a post from HackRead.com Read the original post: Database Mess Up: 7TB of Healthcare Data Leak Affects 12 Million Patients

The database was owned by Redcliffe Labs, a popular Indian medical diagnostics company located in Noida, Uttar Pradesh.

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing over 12 million records. The data included sensitive patient data such as medical diagnostic scans, test results, and other medical records. Fowler reported his findings to WebsitePlanet.

While investigating, Fowler found that the medical test results contained extensive personal details of patients, including their names, doctors’ names, health-related details, and whether the patient had undergone at-home testing or got tested at the medical facility. These documents belonged to an Indian medical diagnostics firm, Redcliffe Labs. 

The database’s total size was 7TB, and it contained around 12,347,297 records. There were folders marked “Reports” that contained 1,180,000 objects (620.5GB). Documents folder marked Smart Report Storage had 1,164,000 objects (1.5GB), the folder titled Test Results had 6,090,852 objects (2.2TB), and other folders contained miscellaneous documents like internal documents, PDFs, logs, and app files. In total, these folders had 3,912,445 objects (2.7 GB).

Apart from the vast data trove, the exposed database also contained development files from the company’s mobile app. These files control the app’s functionality and data transmission.

Screenshots from the data leak (Image vi: Jeremiah Fowler)

For your information, Redcliffe Labs is among the leading diagnostic centers in India, offering over 3600 different wellness and illness tests. According to Redcliffe Labs’ website, the facility has a user base of 2.5 million. The company offers at-home testing sample collection services in 220+ Indian cities and boasts over 2000 Walk-in Wellness and Collection Centers across the country.

Endorsing the responsible disclosure practice, Fowler contacted the company, who responded swiftly. According to Folwer’s blog post, the database’s public access was restricted on the same day. However, it is unclear for how long this database remained exposed and whether any unauthorized individual had accessed it.

Such breaches can have far-reaching consequences for the patients, as they may be exposed to identity theft, medical fraud, and extortion. If mobile app-related data gets into the wrong hands, cybercriminals can exploit it to launch cyberattacks, disrupt the app’s functionality, and jeopardize mobile users’ security.

The biggest risk factor is the exposure of application code, which threat actors can manipulate to inject malicious code and compromise the app, add unauthorized features, and inject malware. The exposure can put millions at risk because the exposed code can be used to assess/reverse engineer the app to reveal vulnerabilities, leading to further exploitation.

Redcliffe Labs has not clarified if it has notified relevant authorities or the impacted individuals about the data exposure. Also, there’s no indication that the company’s mobile app is compromised or someone had already accessed patient data before it was restricted. Hackread.com will post an update once the company shares more details on this incident.

****_More Findings by Jeremiah Fowler_****

1.  Z2U Market Leak Exposes Access to Illicit Services and Malware
2.  Researcher Exposes Cryptocurrency Scam Network of 300 Domains
3.  Brazil’s Top Escort Service Exposes Millions of Escort and Client Data
4.  Database Mess Up Exposed PII and Photos of 2.3M Dating App Users
5.  Major CRM Provider Really Simple Systems Leaked 3M Customer Records
6.  Data Leak Exposes 572 GB of Student, Faculty Info from Accreditation Org
7.  Contractor Database Leak Exposes 500K Irish Police Vehicle Seizure Records

Database Mess Up: 7TB of Healthcare Data Leak Affects 12 Million Patients

A recent breach of authentication giant Okta has impacted nearly 200 of its clients. But repeated incidents and the company’s delayed disclosure have security experts calling foul.

On Friday, October 20, the identity management platform Okta said it suffered an intrusion in its customer support system. As an access and authentication service, a breach of Okta always comes with risks to other organizations, and the company confirmed that “certain Okta customers” were affected. Okta tells WIRED that it notified “around 1 percent” of its 18,400 customers that they were impacted.

The password manager 1Password, an Okta customer, said this week that it had notified the company on September 29 of suspicious activity that ultimately was tied to the support system incident. BeyondTrust, another identity and access management firm and also an Okta customer, said last week that it had similarly flagged concerning behavior in its Okta administrator account and notified the company about the issue on October 2. Internet infrastructure company Cloudflare also said last week that it had detected a similar incident in its Okta systems on October 18 and notified the company as well.

Companies like Okta that provide crucial digital services to a large population of prominent customers are always going to be prime targets for attacks because they can serve as a sort of one-stop shop for hackers looking to compromise numerous organizations. And as tech giants like Microsoft have shown, some of these attacks may well lead to breaches even if the vast majority are blocked. The breach at Okta is particularly concerning because it shares many features with a security incident the company dealt with in 2022, in which attackers compromised a subprocessor that Okta had trusted to do customer support work.

“What I find surprising in this case is that, after the 2022 breach, you'd think Okta would be on high alert for any externally exposed systems or personnel who may be targeted—and yet something has happened again,” says Adam Chester, a senior security consultant at TrustedSec.

The latest incident directly affected Okta's internal customer support service rather than one provided by a third-party partner. In this case, attackers used stolen login credentials to compromise an Okta support account, and then leveraged this access to steal cookies and session tokens used to give customer support providers access to clients' systems for troubleshooting. With these access tokens, attackers could then compromise Okta customer accounts directly.

1Password, BeyondTrust, and Cloudflare all said that they were able to detect and block the intrusions before any of their own customers were affected, but they all highlighted the fact that they had notified Okta about the situation before Okta warned them—in some cases weeks before Okta's public disclosure.

“This is the second time Cloudflare has been impacted by a breach of Okta’s systems,” a group of Cloudflare engineers wrote on Friday. They went on to share a list of recommendations for how Okta can improve its security posture: “Take any report of compromise seriously and act immediately to limit damage. Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them. Require hardware keys to protect all systems, including third-party support providers.”

The Cloudflare engineers added that they view taking protective steps like these as “table stakes” for a company like Okta that provides such crucial security services to so many organizations.

When WIRED asked Okta a series of questions about what steps it is taking to improve customer service defenses in the wake of the two breaches, and why there appears to be a lack of urgency when the company receives reports of potential incidents, the company declined to comment. A spokesperson said it would share more information about these subjects soon.

“I really want to know what technical controls Okta had implemented following the 2022 breach, and why this time will be different,” says Evan Johnson, cofounder of RunReveal, which develops a system visibility and incident detection tool. “My hunch is they did not roll out hardware security keys, or didn’t roll them out for their contractors doing support.”

Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that “the issue is bigger than Okta,” noting that software supply chain attacks and the volume of hacks companies must defend against is significant. “It's unfortunately common for service providers of any size to have trouble believing they are the source of an incident until definitive proof is offered,” he says.

Still, Williams adds, “there's a pattern here with Okta, and it involves outsourced support.” He also notes that one of the remediations Okta suggested to customers in the wake of the recent incident—carefully removing support session tokens that could be compromised from troubleshooting data—is not realistic.

“Okta's suggestion—that somehow the customer must be responsible for stripping session tokens from the files they specifically request for troubleshooting purposes—is absurd,” he says. “That's like handing a knife to a toddler and then blaming the toddler for bleeding.”

Okta's Latest Security Breach Is Haunted by the Ghost of Incidents Past

We have too much cybersecurity awareness. It's time to implement repeatable, real-world practice that ingrains positive habits and security behaviors.

I know I shouldn't drink Diet Coke, but every few weeks I find myself happily sipping from another silver can. I'm not oblivious to the health risks. I've read the latest WHO report on aspartame. Heck, it even says right on the can, "Warning: Contains phenylalanine." (If I can't pronounce it, and Coca-Cola has to warn me about it, _surely_ it can't be good for me.) But awareness of some mysterious chemical isn't going to stop me from enjoying an occasional Diet Coke; I need help changing my behavior.

To borrow a line from social scientists, "abundant research shows that people who are simply given more information are unlikely to change their beliefs or behavior." And yet, here we are again, another Cybersecurity _Awareness_ Month: the industry's Hallmark holiday that promotes spending on cybersecurity training videos, phishing simulators, and free lunches to feed employees a smorgasbord of security education, training, and awareness.

**Awareness Isn't the Issue**

But employees are already aware of cybersecurity. Whether it's the obligatory training they suffer through, the fake phishing traps we send, the steady drip of cyberattacks making headlines, or the family member who was recently scammed online, cybersecurity awareness has never been greater. And yet, it's made little difference in reducing the volume of successful cyberattacks involving the human element.

It's time to shift our collective efforts from awareness to actual behaviors. Instead of a month-long campaign, we should focus on creating real-world opportunities for employees to build and flex their cyber judgment muscle memory all year long.

Consider the 15-year-old pursuing that coveted freedom of a driver's license. With an outsized motivation to learn, they start in a classroom, absorbing everything they possibly can about driving, observing adults driving, and passing a written test to obtain a permit. But, that first time behind the wheel, a new learning curve begins — one with higher, real-world stakes. It ultimately takes months of practice, driving in all sorts of conditions, to prepare someone to drive safely on their own.

Why assume cybersecurity is any different?

**Training Isn't the Answer**

The universal approach to addressing the human element of cybersecurity has been to "train" employees to deal with whatever threat du jour occupies our attention. Training is preventative, theoretical, and out of context: a memo, a webinar, a campy click-through video with a quiz — all in hopes that an employee will remember _exactly_ what they are supposed to do should a similar situation arise in some unknown future. This is not how we learn in any other context, but for some reason, we continue to pursue this failed approach in cybersecurity. Why? To check a box in a compliance audit?

To create true, lasting security behavior change, we must put our employees behind the wheel on the open Internet superhighway. This seems hard and scary, I know. But it doesn't have to be. Small, simple changes in how we engage employees and intervene with cybersecurity information can have an outsized impact.

For example, instead of arbitrarily "training" employees in October to use multifactor authentication (MFA) on all of their accounts and hoping they'll remember to do so when they sign up for a new generative AI tool in July, that message should arrive at the moment they create a new account, while they're in the right context. With additional bits of information, such as the benefits of using MFA or preempting questions or doubts, we can further encourage the desired behavior and thus, desired security outcomes.

**It's Time to Take the Next Step**

We have reached a collective fever pitch of cybersecurity awareness. We don't need more of the same this month. It's time to take the next step toward implementing repeatable, real-world practice that ingrains positive habits and security behaviors. By leveraging our modern understanding of neuropsychology and behavioral science, lessons learned from other industries and disciplines, and emerging human-centered cybersecurity technologies, we can make cybersecurity understanding a reality today and every day.

Cybersecurity Awareness Doesn't Cut It; It's Time to Focus on Behavior

Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.

Wednesday, October 25, 2023 12:10

Cisco Talos has disclosed 17 vulnerabilities over the past two weeks, including nine that exist in a popular VPN software.  

Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.  

Talos’ Vulnerability Research team also found a cross-site scripting (XSS) vulnerability in the Peplink Surf series of home and wireless routers that could allow an attacker to manipulate HTML elements into executing arbitrary JavaScript. However, this vulnerability is not considered to be particularly serious, with a CVSS severity score of only 3.4 out of 10. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**SoftEther VPN client **

_Discovered by Lilith >\_>._ 

The SoftEther VPN client contains multiple vulnerabilities that could lead to a variety of conditions, including allowing an adversary to cause a denial of service or execute arbitrary code on the targeted machine. SoftEther is an open-source, cross-platform, multi-protocol VPN managed as part of an academic project at the University of Tsukuba in Japan. 

Four of the vulnerabilities Talos disclosed last week exist when an adversary sends a specific set of packets to the targeted device, and can cause the software to crash entirely, leading to a denial of service: 

*   TALOS-2023-1736 (CVE-2023-22325) 
*   TALOS-2023-1741 (CVE-2023-23581) 
*   TALOS-2023-1737 (CVE-2023-22308) 
*   TALOS-2023-1743 (CVE-2023-25774) 

The most serious of these issues is TALOS-2023-1735 (CVE-2023-27395), a vulnerability in the VPN that could lead to a heap-based buffer overflow, potentially allowing an attacker to execute arbitrary code. This vulnerability is considered critical, with a CVSS score of 9.0 out of 10.  

Two other vulnerabilities — TALOS-2023-1755 (CVE-2023-32634) and TALOS-2023-1754 (CVE-2023-27516) — could allow an adversary to gain unauthorized access to the VPN session by viewing the default RPC server credentials. This opens the door for the attackers to install certificates and carry out man-in-the-middle attacks or dump the VPN’s authentication settings and further compromise the endpoint connected to the VPN session. 

A man-in-the-middle attack could also be used to exploit TALOS-2023-1768 (CVE-2023-31192) and TALOS-2023-1753 (CVE-2023-32275), which leads to the disclosure of sensitive information in certain packets. 

**JustSystems Ichitaro word processor remote code execution vulnerabilities **

_Discovered by a Cisco Talos researcher._ 

Talos researchers recently found four vulnerabilities in the JustSystems Ichitaro word processor that could lead to arbitrary code execution, albeit with varying paths. 

Ichitaro is one of the most popular word processing systems in the Japanese market and utilizes the ATOK input method. An adversary could exploit these vulnerabilities by tricking the targeted user into opening a specially crafted, malicious file in the program. 

The vulnerabilities all exist in various parsers in the software: 

*   TALOS-2023-1758 (CVE-2023-34366) 
*   TALOS-2023-1808 (CVE-2023-38127) 
*   TALOS-2023-1809 (CVE-2023-38128) 
*   TALOS-2023-1825 (CVE-2023-35126) 

**XSS, command injection vulnerabilities in SOHO router **

_Discovered by Matt Wiseman._ 

A stored cross-site scripting vulnerability exists in the Peplink Surf line of small and home office (SOHO) wireless routers that can lead to the execution of arbitrary JavaScript in another user’s browser. 

An attacker could trigger TALOS-2023-1781 (CVE-2023-34354) or TALOS-2023-1782 (CVE-2023-35194 and CVE-2023-35193) by making an authenticated HTTP request. 

The Surf routers also contain three vulnerabilities that could allow an attacker to execute arbitrary commands in the context of the router’s operating system. To exploit TALOS-2023-1778 (CVE-2023-34356), TALOS-2023-1779 (CVE-2023-28381) and TALOS-2023-1780 (CVE-2023-27380), an attacker first needs to be authenticated on the device and then make a specially crafted HTTP request.

9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution

Categories: Business
Categories: Exploits and vulnerabilities
Categories: News
Tags: VMWare

Tags:  vCenter Server

Tags:  CVE-2023-34056

Tags:  CVE-2023-34048

Tags:  DCE/RPC

Tags:  out of bounds write

Tags:  information disclosure

Tags:  remote code execution

VMWare has issued an update to address out-of-bounds write and information disclosure vulnerabilities in its server management software, vCenter Server.



(Read more...)




The post Update vCenter Server now! VMWare fixes critical vulnerability appeared first on Malwarebytes Labs.

VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server.

Since there are no in-product workarounds, customers are advised to apply the updates urgently.

The affected products are VMware vCenter Server versions 7.0 and 8.0  and VMware Cloud Foundation versions 5.x and 4.x.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are CVE-2023-34048 and CVE-2023-34056.

CVE-2023-34048, an out-of-bounds write vulnerability in the vCenter Server's implementation of the DCERPC protocol. A malicious actor with network access to could trigger an out-of-bounds write, potentially leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.8 out of 10.

DCE/RPC, which is short for "Distributed Computing Environment / Remote Procedure Calls", is the remote procedure call system developed to allow programmers to write distributed software as if it were all working on the same computer, without having to worry about the underlying network code.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

VMware is not currently aware of exploitation “in the wild,” but urges customers to considered this an emergency change, and your organization should consider acting quickly.

CVE-2023-34056, a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server could use this issue to access unauthorized data. It has a CVSS score 4.3 out of 10.

**Patching**

While VMware normally does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and the lack of a workaround, VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.

**Fixed version(s) and release notes:**

**VMware vCenter Server 8.0U2**  
Downloads and Documentation:  
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105

**VMware vCenter Server 8.0U1d**  
Downloads and Documentation:  
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U1D&productId=1345&rPId=112378

**VMware vCenter Server 7.0U3o**  
Downloads and Documentation:  
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262****

**Cloud Foundation 5.x/4.x**  
https://kb.vmware.com/s/article/88287****

VMWare also published an FAQ about this update.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Tag

#auth