OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

Zoho offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you have discovered a potential security vulnerability in any of Zoho's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.

Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. Zoho provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.

You can share details of the suspected vulnerability with Zoho by clicking below;

Submit Bug

These Bug Bounty Terms and Conditions ("Bug Bounty Terms") govern your participation in the Zoho Bug Bounty Program ("Bug Bounty Program") and are a legally binding contract between you or the company you represent and Zoho. By submitting a vulnerability or participating in the program, you agree to be bound by the Terms.

The Bug Bounty Program enables you to submit security bugs or vulnerabilities discovered by you in eligible Zoho Services and earn rewards for your submissions. Service-specific terms of use that are applicable to specific Zoho Services ("Service-Specific Terms") shall be applicable to you in addition to the Bug Bounty Terms. In the event of a conflict between Bug Bounty Terms and Service-specific Terms, the Bug Bounty Terms shall prevail.

Participation in the Bug Bounty Program is open to all individuals unless:

*   You are below 14 years of age. If you are 14 years old or above, but you are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to your participation in the Bug Bounty Program after having read the Bug Bounty Terms;
    
*   You are a resident of any US sanctioned countries;
    
*   You are currently an employee of Zoho or you were employed by Zoho within six (6) months prior to your participation in the Bug Bounty Program; or
    
*   You are a family member of a Zoho employee.
    

You will follow the rules specified hereunder, failing which your participation in the Bug Bounty Program will be immediately terminated.

*   You will make all efforts to avoid privacy violations, degradation of user experience, degradation of Zoho Services, disruptions to Zoho's infrastructure and systems, and destruction of both Zoho's and users' data in the course of your security bug research.
    
*   You will report any security bug discovered by you ("Security Bug") to Zoho and provide Zoho with reasonable time to identify and mitigate the security bug before publicly disclosing it to others.
    
*   During your security bug research, if you have any inadvertent access to Zoho's or users' information, including sensitive, personal, or any other unauthorized information ("Unauthorized Information"), you must cease your Security Bug research to prevent further access to any Unauthorized Information by you and notify Zoho of any Unauthorized Information you accessed. Upon notifying Zoho of such access, delete all Unauthorized Information from your systems or devices.
    
*   You will always use your account, or an account for which you have explicit consent from the account owner, for testing the Security Bug.
    
*   You will use any security bug discovered by you only for testing, and you will not exploit the Security Bug in any manner.
    

If you have discovered an eligible security bug as specified in the scope, you may submit the bug through the website provided to you for submission.

Your submission shall include details such as vulnerability description, clear reproduction steps, and a proof-of-concept.

Upon receipt of your submission, Zoho will review and validate the submission within three (3) days from the date of your submission and will prioritize based on the severity of the vulnerability submitted and resolve the vulnerability accordingly. Zoho will notify you once the vulnerability is resolved and you may confirm whether the remedy resolves the vulnerability. If there is more than one submission for the same vulnerability from different parties, bounty will be paid to the first submission.

Zoho will pay a reward for your eligible submissions ("Bounty"). Bounties will be determined and granted only at Zoho's discretion. You can find the reward tiers here.

Zoho will fulfill the Bounty payments through the following payment modes:

*   For Indian participants, in INR through wire transfer;
    
*   For participants from outside India, in USD through PayPal; or
    
*   As an Amazon gift card in USD.
    

You understand that you are responsible for paying the taxes associated with Bounty payments. Bounties for Indian participants will be paid only after deducting TDS of 10% (Tax Deducted at Source).

Bounties shall be claimed by you within a period of three (3) months from the date of your entitlement to the reward.

You grant Zoho non-exclusive, irrevocable, worldwide, perpetual, and royalty-free license to review, assess, and use your submission to analyze and resolve the vulnerability submitted by you and for other related purposes.

ZOHO SHALL IN NO EVENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR OTHER LOSS OR DAMAGE WHATSOEVER OR FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, COMPUTER FAILURE, LOSS OF BUSINESS INFORMATION, OR OTHER LOSS ARISING OUT OF THE BUG BOUNTY PROGRAM.

*   All Zoho branded products and applications listed at zoho.com
    
*   All ManageEngine branded products and applications listed at manageengine.com (except SupportCenter Plus)
    
*   Site24x7
    
*   Qntrl
    
*   TrainerCentral
    
*   Zoho Corporation owned assets
    

*   Missing any best security practice that is not a vulnerability
    
*   Self XSS
    
*   Username or email address enumeration
    
*   Email bombing
    
*   HTML injection
    
*   XSS vulnerabilities on sandbox or user-content domains
    
*   Unvalidated or open redirects or tabnabbing
    
*   Clickjacking in unauthenticated pages or in pages with no significant state-changing action
    
*   Logout or unauthenticated CSRF
    
*   Missing cookie flags on non-sensitive cookies
    
*   Missing security headers that do not lead directly to a vulnerability
    
*   Unvalidated findings from automated tools or scans
    
*   "Back" button that keeps working after logout
    
*   Issues that do not affect the latest version of modern browsers or platforms
    
*   Attacks that require physical access to a user device
    
*   Social engineering
    
*   Hosting malware/arbitrary content on Zoho and causing downloads
    
*   Use of a known-vulnerable library (without evidence of exploitability)
    
*   Low-impact descriptive error pages and information disclosures without any sensitive information
    
*   Invalid or missing SPF/DKIM/DMARC/BIMI records
    
*   Password and account policies, such as (but not limited to) reset link expiration or password complexity
    
*   Non-critical issues in blog.zoho.com or other product blogs
    
*   CSV injection
    
*   Phishing risk via Unicode/Punycode or RTLO issues
    
*   Missing rate limitations on endpoints (without any security concerns)
    
*   Presence of EXIF information in file uploads
    
*   Ability to upload/download executables
    
*   Bypassing pricing/paid feature restrictions
    
*   0-day vulnerabilities in any third parties we use within 10 days of their disclosure
    
*   Any other issues determined to be of low or negligible security impact
    
*   Issues that do not affect the latest version of applications, modern browsers, or platforms
    
*   Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
    
*   Usage of known vulnerable components without actual working exploit
    
*   Our intended features or accepted risks (including but not limited to the following) are not vulnerabilities and are thus excluded from our program:
    
*   Applications running as SYSTEM user
    
*   Features to execute queries, scripts, or workflows by privileged users
    
*   Usage of UDP-based unauthenticated protocols (which can be disabled by the user)
    

Severity

Bounty in USD (Up to)

Low

$ 50

Medium

$ 200

High

$ 800

Critical

$ 3000

We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.

Hall Of Fame for

CVE-2023-23076: BugBounty

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.

As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).

**Issues under Django’s security process¶**

All security issues have been handled under versions of Django’s security process. These are listed below.

**June 2, 2021 - CVE-2021-33571¶**

Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses. Full description

**February 1, 2016 - CVE-2016-2048¶**

User with “change” but not “add” permission can create objects for ModelAdmin’s with save_as=True. Full description

**Versions affected¶**

*   Django 1.9 (patch)

**February 19, 2013 - No CVE¶**

Additional hardening of Host header handling. Full description

**December 10, 2012 - No CVE 2¶**

Additional hardening of redirect validation. Full description

**December 10, 2012 - No CVE 1¶**

Additional hardening of Host header handling. Full description

**September 9, 2011 - CVE-2011-4140¶**

Potential CSRF via Host header. Full description

**Versions affected¶**

This notification was an advisory only, so no patches were issued.

*   Django 1.2
*   Django 1.3

**Issues prior to Django’s security process¶**

Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.

CVE-2023-23969: Django

Description
-----------

When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.

Resolution
----------

Symfony removes all CSRF tokens from the session on successful login.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4.

Credits
-------

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

**Package**

composer symfony/security-bundle (Composer)

**Affected versions**

\>= 2.0.0, < 4.4.50

\>= 5.0.0, < 5.4.20

\>= 6.0.0, < 6.0.20

\>= 6.1.0, < 6.1.12

\>= 6.2.0, < 6.2.6

**Patched versions**

4.4.50

5.4.20

6.0.20

6.1.12

6.2.6

composer symfony/symfony (Composer)

\>= 2.0.0, < 4.4.50

\>= 5.0.0, < 5.4.20

\>= 6.0.0, < 6.0.20

\>= 6.1.0, < 6.1.12

\>= 6.2.0, < 6.2.6

4.4.50

5.4.20

6.0.20

6.1.12

6.2.6

**Description**

**Description**

When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.

**Resolution**

Symfony removes all CSRF tokens from the session on successful login.

The patch for this issue is available here for branch 4.4.

**Credits**

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

**References**

*   GHSA-3gv2-29qc-v67m
*   https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml
*   https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24895.yaml
*   https://symfony.com/cve-2022-24895

Last updated

Feb 1, 2023

Reviewed

Feb 1, 2023

Published to the GitHub Advisory Database

Feb 1, 2023

 fabpot published to symfony/symfony

Feb 1, 2023

GHSA-3gv2-29qc-v67m: Symfony vulnerable to Session Fixation of CSRF tokens

In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2022-47715**

Cookie missing secure flag In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic.

Sample HTTP Response:

> \[Additional Information\] HTTP/2 200 OK Date: x, x x 2022 04:29:43 GMT Content-Type: text/html; charset=utf-8 Server: nginx X-Frame-Options: DENY Vary: Cookie
> 
> Set-Cookie: LastYardVersion=22.09.8-1; expires=Sat, x x 2023 04:29:43 GMT; Max-Age=31536000; Path=/. <----------------
> 
> Set-Cookie: csrftoken=TmSZIwAxuul6kpXWDYlZ96FnNs6HTT1nNFsfkMrUMYq3mekiXv1FjqSUI2TugG74; expires=Fri, x x 2023 04:29:43 GMT; Max-Age=31449600; Path=/; SameSite=Lax; Secure X-Request-Id: x

CVE-2022-47715: GitHub - l00neyhacker/CVE-2022-47715

VMware vRealize Operations (vROps) contains a CSRF bypass vulnerability. A malicious user could execute actions on the vROps platform on behalf of the authenticated victim user.

Advisory ID: VMSA-2023-0002

CVSSv3 Range: 6.5

Issue Date: 2023-01-31

Updated On: 2023-01-31 (Initial Advisory)

CVE(s): CVE-2023-20856

Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability (CVE-2023-20856)

****1\. Impacted Products****

*   VMware vRealize Operations (vROps)

****2\. Introduction****

A vulnerability in VMware vRealize Operations (vROps) was privately reported to VMware. A patch is available to address this vulnerability in the affected VMware product.

****3\. VMware vRealize Operations (vROps) CSRF bypass vulnerability (CVE-2023-20856)****

vRealize Operations (vROps) contains a CSRF bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

A malicious user could execute actions on the platform on behalf of the authenticated victim user.

To remediate CVE-2023-20856 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank thiscodecc of MoyunSec TopBreaker Labs and Bing Liu of MoyunSec for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware vRealize Operations (vROps)

8.10

Any

CVE-2023-20856

N/A

N/A

Unaffected

N/A

N/A

VMware vRealize Operations (vROps)

8.6.x

Any

CVE-2023-20856

6.5

moderate

KB90672

None

NA

****4\. References****

****5\. Change Log****

**2023-01-31 VMSA-2023-0002  
**Initial security advisory.

****6\. Contact****

CVE-2023-20856: VMSA-2023-0002

The Chained Products WordPress plugin before 2.12.0 does not have authorisation and CSRF checks, as well as does not ensure that the option to be updated belong to the plugin, allowing unauthenticated attackers to set arbitrary options to 'no'

CVE-2022-4872

The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check when updating reseting moods which could allow attackers to make logged in admins perform such action via a CSRF attack and delete the lydl_posts & lydl_poststimestamp DB tables

CVE-2022-4553

The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CVE-2022-4552

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue.

This is an important security update release, it includes six security patches:

*   CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
*   CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
*   CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
*   CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
*   CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
*   CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter

All of these updates should be totally backward compatible, except one, CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF in fact **is a breaking change and you will need to take action** after upgrading to this version of OpenMage.

Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" /> after the <form open tag. Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.

In case your custom theme does not have the customer/form/resetforgottenpassword.phtml or in case you are not using a custom theme then you will not have to do the aforementioned procedure.

CVE-2021-41143: Release v19.4.22 · OpenMage/magento-lts

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Adam Bannister 27 January 2023 at 16:48 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

“A far-reaching, catastrophic cyber event is likely in the next two years” according to 93% of cybersecurity experts and 86% of business leaders polled by the World Economic Forum (WEF).

Geopolitical instability and the enduring shortage of cybersecurity skills are making the situation more precarious and causing firms to rethink their presence in certain regions, revealed the WEF’s Global Cybersecurity Outlook 2023 report, which canvassed the views of 300 experts and C-suite executives.

In the meantime, we’re still seeing plenty of very, very bad cyber-attacks and breaches. Most recently, there’s been another mega breach at T-Mobile (37 million customers affected this time), the theft of source code and ensuing $10 million ransom demand from video games developer Riot Games, and the inadvertent exposure by an airline of the US government’s No Fly List, a roll call of suspected terrorists, from 2019.

The LastPass situation is also continuing to evolve following the November breach of its password vaults in November, with the latest update from the beleaguered password manager admitting that “a threat actor exfiltrated encrypted backups from a third-party cloud storage service”.

While rival services will no doubt spy an opportunity to grow their market share given the market leader’s reputational crash, the hack is also perhaps bringing unprecedented scrutiny to the hitherto highly regarded field. Indeed, The Daily Swig recently reported on how several popular password managers auto-filled credentials on untrusted websites, while Bitwarden responded to renewed criticism of its encryption scheme by enhancing its default security configuration.

A fruitful security audit of Git’s source code is another notable story we covered since the last edition of Deserialized.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   OpenText / Critical / Pre-auth RCEs via cs.exe and Java frontend plus multiple post-authentication vulnerabilities / Disclosed with patch January 17
*   Rancher API / Critical / A patch rolled out in September 2022 failed to stop secrets, encryption keys, and SSH keys from being stored in plaintext directly on Kubernetes objects like Clusters / Disclosed and patched January 26
*   Tiki Tiki CMS / Critical / Unauthenticated attackers could execute arbitrary code by combining CSRF with PHP object injection in the popular open source, wiki-based CMS / Patched August 23, disclosed January 9
*   VMware vRealize Log Insight / Critical / Directory traversal, broken access control, deserialization, information disclosure vulnerabilities / Disclosed with patch January 24
*   Zoho manageEngine / Critical / PoC and in-the-wild exploitation raises the stakes regarding patching on premise Zoho ManageEngine products against this RCE vulnerability after a surfaced / Disclosed and patched October 27

**Research and attack techniques**

*   Vulnerabilities in popular open source health records and medical practice management platform OpenEMR allowed remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data – and worse still, remote code execution (courtesy of Sonar)
*   Jerry Shah recounts how he found an API misconfiguration on a SwaggerUI endpoint in an unnamed web application on a private bug bounty program that leaked the authorization token from local storage
*   ChatGPT lowers the barriers to entry for threat actors with limited programming or technical skills, but state-backed miscreants are unlikely to gain operational efficiencies from the unnervingly sophisticated chatbot tool, according to Recorded Future
*   Maksym Yaremchuk – number 80 on HackerOne’s all-time leaderboard, no less – details a pair of critical severity account takeover exploits fashioned during an engagement with a private bug bounty program
*   GitHub researcher Man Yue Mo achieves arbitrary kernel code execution and root on a Google Pixel 6 mobile phone from an Android app

ChatGPT lowers the barriers to entry for cybercrime but is of little use to state-backed cybercrooks

**Bug bounty / vulnerability disclosure**

*   Security researchers can mathematically prove the existence of a software vulnerability without revealing details that in the wrong hands could lead to malicious exploitation, explains a recent New Scientist feature (paywall)
*   Intigriti has penned a blog post on the safe harbor clause for researchers created by the Belgian Act on the Protection of Whistleblowers
*   The Daily Swig recently reported on the upcoming third annual Hack The Pentagon challenge, CORS misconfigurations at Tesla and other, unnamed programs earning researchers a “few thousand dollars”, and Google Cloud Platform (GCP) project vulnerabilities netting researchers more than $22,000
*   Other recent writeups include a $3,000 bounty for a reflected XSS in Microsoft Forms, while Bug Bounty Switzerland’s inaugural ‘vulnerability of the month’ related to a time-limited private program and thousands of appliances exposed to the internet
*   Bug hunter interviews with British hacker and YouTuber ‘InsiderPhD’ and ‘TodayIsNew’ have been published by HackerOne and Bugcrowd, respectively

**New open source infosec/hacking tools**

*   Gato – or GitHub Attack Toolkit – evaluates the impact of compromised personal access tokens within GitHub development environments. Enables tracking of public repos that use self-hosted runners, which GitHub recommends are only deployed in private repos because otherwise “forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow”
*   Highlighter And Extractor (HaE) – Paris-based crowdsourced security platform YesWeHack has released a Burp Suite extension that collects, categorizes, and highlights requests and/or responses to help detect vulnerable code patterns, errors, reflections, and more in a passive enumeration process
*   PyCript – Another Burp Suite extension, this time allowing the bypassing of client-side encryption via custom logic for manual and automation testing with Python and NodeJS
*   SeeProxy – Golang reverse proxy with CobaltStrike malleable profile validation
*   CVE-2022-47966 Scanner – Assess your exposure to the critical RCE bug affecting at least 24 on-premise ManageEngine products and currently being actively exploited

**More industry news**

*   NIST trails potential updates (PDF) to the NIST Cybersecurity Framework and invites the infosec community to offer feedback
*   In other US federal agency news, the NSA issues IPv6 security guidance (PDF), CISA updates best practices for mapping to Mitre Attack Framework (PDF), and CISA, NSA, and MS-ISAC jointly warn (PDF) of malicious use of legitimate remote monitoring and management (RMM) software
*   Google documents progress on leveraging case randomization of DNS query names sent to authoritative nameservers in order to mitigate the impact of cache poisoning attacks
*   Google also follows through on its intention to drop TrustCor Systems as a root certificate authority (CA) for Chrome, confirming a timetable for ceasing to recognize its certificates
*   Cloud-based cyber-attacks jump 48% year on year as malicious hackers spy opportunities in digital transformation trend – Check Point report

PREVIOUS EDITION Deserialized web security roundup – Slack and Okta breaches, lax US government passwords report, and more

Tag

#csrf