SQL Injection in GitHub repository francoisjacquet/rosariosis prior to 9.0.

@@ -53,6 +53,7 @@ Changes in 9.0 \- Add AttrEscape() function in Inputs.php \- Use AttrEscape() instead of htmlspecialchars(), program wide \- Maintain Advanced search when editing Timeframe in Percent.php \- Fix SQL injection escape DB identifier in RegistrationSave.fnc.php, Calendar.php, MarkingPeriods.php, SchoolFields.php, AddressFields.php, PeopleFields.php, StudentFields.php & UserFields.php  
Changes in 8.9.4 \----------------

CVE-2022-2067: Fix SQL injection escape DB identifier · francoisjacquet/rosariosis@15d5e87

Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+.

@@ -7,21 +7,13 @@ import Filter from '../../models/Filter'; import HookLog from '../../models/HookLog'; import { HookLogType } from 'nocodb-sdk';  
export function parseBody( template: string, user: any, data: any, payload: any ): string { export function parseBody(template: string, data: any): string { if (!template) { return template; }  
return Handlebars.compile(template, { noEscape: true })({ data, user, payload, env: process.env data }); }  
@@ -121,52 +113,43 @@ export async function handleHttpWebHook(apiMeta, user, data) { // } }  
export function axiosRequestMake(\_apiMeta, user, data) { export function axiosRequestMake(\_apiMeta, \_user, data) { const apiMeta \= { ...\_apiMeta }; if (apiMeta.body) { try { apiMeta.body \= JSON.parse(apiMeta.body, (\_key, value) \=> { return typeof value \=== 'string' ? parseBody(value, user, data, apiMeta) : value; return typeof value \=== 'string' ? parseBody(value, data) : value; }); } catch (e) { apiMeta.body \= parseBody(apiMeta.body, user, data, apiMeta); apiMeta.body \= parseBody(apiMeta.body, data); } } if (apiMeta.auth) { try { apiMeta.auth \= JSON.parse(apiMeta.auth, (\_key, value) \=> { return typeof value \=== 'string' ? parseBody(value, user, data, apiMeta) : value; return typeof value \=== 'string' ? parseBody(value, data) : value; }); } catch (e) { apiMeta.auth \= parseBody(apiMeta.auth, user, data, apiMeta); apiMeta.auth \= parseBody(apiMeta.auth, data); } } apiMeta.response \= {}; const req \= { params: apiMeta.parameters ? apiMeta.parameters.reduce((paramsObj, param) \=> { if (param.name && param.enabled) { paramsObj\[param.name\] \= parseBody(param.value, user, data, apiMeta); paramsObj\[param.name\] \= parseBody(param.value, data); } return paramsObj; }, {}) : {}, url: parseBody(apiMeta.path, user, data, apiMeta), url: parseBody(apiMeta.path, data), method: apiMeta.method, data: apiMeta.body, headers: apiMeta.headers ? apiMeta.headers.reduce((headersObj, header) \=> { if (header.name && header.enabled) { headersObj\[header.name\] \= parseBody( header.value, user, data, apiMeta ); headersObj\[header.name\] \= parseBody(header.value, data); } return headersObj; }, {}) @@ -208,24 +191,9 @@ export async function invokeWebhook( case 'Email': { const res \= await (await NcPluginMgrv2.emailAdapter())?.mailSend({ to: parseBody( notification?.payload?.to, user, data, notification?.payload ), subject: parseBody( notification?.payload?.subject, user, data, notification?.payload ), html: parseBody( notification?.payload?.body, user, data, notification?.payload ) to: parseBody(notification?.payload?.to, data), subject: parseBody(notification?.payload?.subject, data), html: parseBody(notification?.payload?.body, data) }); hookLog \= { ...hook, @@ -258,16 +226,9 @@ export async function invokeWebhook( const res \= await ( await NcPluginMgrv2.webhookNotificationAdapters(notification.type) ).sendMessage( parseBody( notification?.payload?.body, user, data, notification?.payload ), parseBody(notification?.payload?.body, data), JSON.parse(JSON.stringify(notification?.payload), (\_key, value) \=> { return typeof value \=== 'string' ? parseBody(value, user, data, notification?.payload) : value; return typeof value \=== 'string' ? parseBody(value, data) : value; }) );

CVE-2022-2063: Fix: Remove user reference from webhook context (#2337) · nocodb/nocodb@269a19c

An update for the virt:av and virt-devel:av modules is now available for Red Hat Enterprise Linux Advanced Virtualization 8.4 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-4206: QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow
* CVE-2021-4207: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow
* CVE-2022-26353: QEMU: virtio-net: map leaking on error during receive
* CVE-2022-26354: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak


RHSA-2022:5002: Red Hat Security Advisory: virt:av and virt-devel:av security and bug fix update

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

CVE-2021-41749: craft-seomatic/CHANGELOG.md at develop · nystudio107/craft-seomatic

Plus: Russia rattles its cyber sword, a huge Facebook phishing operation is uncovered, feds take down the SSNDOB marketplace, and more.

How do you smuggle information into the USSR right under the nose of the KGB? Create your own encryption system, of course. That’s exactly what saxophonist and music professor Merryl Goldberg did during the 1980s. This week Goldberg revealed that she used musical notation to hide the names and addresses of activists and details of meetings on a rare trip to the Soviet Union. To do so, she cooked up her own encryption system. Each musical note and marking represented letters of the alphabet and helped disguise the sensitive information. When Soviet officers inspected the documents, no suspicions were raised.

Goldberg’s story was retold at the RSA Conference in San Francisco this week, where WIRED’s Lily Newman has been digging up stories. Also coming out of RSA: a warning that as ransomware becomes less profitable, attackers may turn to business email compromise (BEC) scams to make money—BEC attacks are already highly profitable.

Also this week, dark-web marketplace AlphaBay is about to complete its journey back to the top of the online underworld. The original AlphaBay site—home to more than 350,000 product listings, ranging from drugs to cybercrime services—was purged from the dark web in July 2017 as part of a huge law enforcement operation. However, AlphaBay’s second-in-command, an actor going by the name of DeSnake, survived the law enforcement operation and relaunched the site last year. Now AlphaBay is growing quickly and is on the verge of resuming its dominant dark-web market position.

Elsewhere, Apple held its annual Worldwide Developers Conference this week and revealed iOS 16, macOS Ventura and some new MacBooks—WIRED’s Gear team has you covered on everything Apple announced at WWDC. However, there are two standout new security features worth mentioning: Apple is replacing passwords with new cryptographic passkeys, and it’s introducing a safety check feature to help people in abusive relationships. Database firm MongoDB also held its own event this week, and while it might not have been as high-profile as WWDC, MongoDB’s new Queryable Encryption tool may be a key defense against preventing data leaks.

Also this week we’ve reported on a Tesla flaw that lets anyone create their own NFC car key. New research from the ​​Mozilla Foundation has found that disinformation and hate speech are flooding TikTok ahead of Kenya’s elections, which take place at the start of August. Elon Musk reportedly gained access to Twitter’s “fire hose,” raising privacy concerns. And we dove into the shocking new evidence televised by the House January 6 committee.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

For the past two years, state-sponsored hackers working on behalf of the Chinese government have targeted scores of communications technologies, ranging from home routers to large telecom networks. That’s according to the NSA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), which published a security advisory this week detailing the “widespread” hacking.

Since 2020, Chinese-backed actors have been exploiting publicly known software flaws in hardware and incorporating compromised devices into their own attack infrastructure. According to the US agencies, the attacks typically contained five steps. China’s hackers would use publicly available tools to scan for vulnerabilities in networks. They would then gain initial access through online services, access login details from the systems, get access to routers and copy network traffic, before finally “exfiltrating” victim data.

“Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public- and private-sector targets,” the agencies say in their joint advisory.

Since the start of the war in Ukraine, Russia has been hacked at an unprecedented scale. Now, more than 100 days into the war, tensions around cyber activity are rising. On June 9, Russia’s Foreign Ministry said that its critical infrastructure and government bodies were being hit by cyberattacks and warned that it could lead to military confrontation with the West. “The militarization of the information space by the West, and attempts to turn it into an arena of interstate confrontation, have greatly increased the threat of a direct military clash with unpredictable consequences,” the Foreign Ministry said in a statement. From the moment Russian troops entered Ukraine, questions have been raised about the potential for escalation if people outside of Ukraine are involved in cyberattacks against Russia. Last week, the head of US Cyber Command told _Sky News_ that its military hackers have been involved in offensive operations that support Ukraine.

Phishing remains one of the most successful ways for criminals to break into people’s accounts and make money—and there’s no better example of this than a newly uncovered Facebook and Facebook Messenger phishing campaign. This week, security researchers at US firm PIXM revealed a huge network of at least 400 phishing pages that are raking in millions of views and have made its creators an estimated $59 million. The scam, which has been running since at least September 2021, directs people to false Facebook login pages where their credentials are hoovered up. What stands out, as noted by the Register, is that the phishing campaign has managed to avoid Facebook’s phishing detection methods more effectively than others.

So far in 2022, police and tech companies have been cracking down on cybercriminals with some success: Raidforums, ZLoader, and the dark-web market Hydra have all been shut down in recent months. That list got a little bit longer this week as the FBI and its international law enforcement took down a marketplace selling the personal information of around 24 million Americans, according to authorities. The SSNDOB marketplace, which was made up of four individual domains, was selling people’s names, dates of birth, and Social Security numbers. SSNDOB has existed for around a decade, and in 2013, details obtained from the organization were used in the takeover of Xbox Live accounts. It’s believed the website has made its unknown owners around $22 million since 2015.

How China Hacked US Phone Networks

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

RSA CONFERENCE — San Francisco — Security hygiene and software supply-chain/vendor risk have emerged as the top two security priorities for chief information security officers (CISOs) at medium-sized organizations, new research has revealed.

That's according to Forgepoint Capital, which surveyed CISOs across a spectrum of industries and sizes. For organizations with 50 to 1,000 employees, security hygiene is seen as particularly critical, according to the data.

"Most breaches are due to unpatched systems, misconfigurations, poor passwords, and other easily avoidable issues," the report, shared with Dark Reading at the 2022 RSA Conference this week, pointed out. "Typically, organizations of this size don’t have the budget to build multiple backups and failovers, with real scenarios where a security incident can put the company out of business."

That said, there was notable variance across industry segments. For instance, zero percent of respondents in the healthcare vertical cited security hygiene as a priority.

"It's not that they think that nurses don't need to worry about passwords," says Will Lin, managing director of Forgepoint. "It's that security responsibility is much more distributed than in other industries. If I'm, say, BlueCross BlueShield, I can't control the password requirements and security hygiene of all the subsidiaries I have. It's each one's own responsibility to do it. I have to prioritize what I can actually solve."

There's a different narrative for professional services firms, where more than 80% said security hygiene is a top focus.

"They're exactly the opposite from healthcare," Lin says. "They're responsible for the security of all their consultants. These are all my employees, I need to do it. So that's why it becomes the highest priority for this group."

**Cybersecurity Workforce Shortage**

Meanwhile, CISOs at organizations with less than 50 employees cited talent development and social-engineering awareness as their top two priorities, with the ongoing cybersecurity workforce shortage of particular concern.

"Talent departure and social-engineering attacks can have major ramifications," according to the report. "Due to the small size of their employee base, these companies can realistically affect more change by focusing on human capital than a large organization can. As companies grow larger, no matter how much access control is established, threat vectors will remain. Thus, the focus shifts from personnel to security automation and incident response."

When examining CISOs' views of security prioritization by industry, the survey found that all security professionals prioritize areas with the highest return on investment (ROI). For example, 50% of professional services companies marked security hygiene as an essential focus, but healthcare professionals are focused more on the software supply chain and third-party vendor risk, such as the security of connected medical devices, given its bigger tie to ROI in their field.

**Cloud Migration and Digital Transformation**

Forgepoint also found that cloud migration is driving security prioritization for medium-sized businesses in particular, with 73% of survey respondents noting that it's a factor in 75% or more of their efforts. In contrast, just 13% of very large businesses (more than 10,000 employees) and 43% of large businesses (1,000 to 10,000 employees) said the same. For businesses with fewer than 50 employees, half of them said the move to the cloud is driving 75% of their security choices.

"Very large companies, surprisingly enough, are actually the furthest behind cloud migration," Lin tells Dark Reading. "And the smaller companies are further along in cloud migration. The big companies have a lot of legacy infrastructure, so it's going to take them a much longer time to move to the cloud, while smaller companies are more cloud native, and they're trying to cut costs, which the cloud helps with."

Digital transformation also emerged as a top security motivator for CISOs in every industry except for professional services — likely due to the ongoing reality of remote working forcing businesses to embrace software-as-a-service and other corporate working apps.

This is driving a new security focus on securing application programming interfaces (APIs, cited by 62% of all respondents) and DevSecOps for embedding security into application development (cited by 54%).

**Areas of Control and Cyber Insurance**

Survey respondents said traditional access control areas like data security (40%) and identity (41%) are still top priorities for organizations. But more than a quarter (28%) of CISOs highlighted an emerging area, cyber insurance, as a top control area of interest.

With ransomware, malware, APTs, and other cyberattacks at all-time highs, organizations of all sizes are considering investing in cyber insurance — however, it's a painful process, Lin says, especially as many insurance firms don't cover ransomware incidents, and the application process can be onerous and dictate where precious security dollars are invested.

"The cost of cyber insurance is going up, and the coverage is going down," Lin says. "And perhaps most of all, the questionnaires that cyber insurance companies give companies to fill out in order to determine how expensive coverage will be don't provide a representational picture of how good of a bet insuring a company is."

For instance, many require companies to have multifactor authentication (MFA) on all accounts in order to qualify for affordable coverage — but its across-the-board implementation at the expense of other efforts (patching, for instance) may not be the best approach for defending the business.

"Companies themselves often don't know how effective their controls are, so how could a cyber insurance underwriter be predictive?" Lin says. "If the question is, do you have an MFA on everything, companies can never check yes to that. Because there are some places where you can't have MFA. It's just not physically possible. Or, in some cases the app that's doing all the authentication might not have an MFA feature enabled. So they have to click no, and when they do, they immediately see a premium increase."

Meanwhile, just 24% of all respondents cited monitoring threat intelligence as a priority — which is a function of it being perceived as difficult to operationalize, Lin says.

"The key issue is, even like organizations like Google have no idea what to do with all of the telemetry and data," Lin said. "Companies simply have a tough time figuring out what to do with their threat intel — it's just the actionability of it."

Overall, the survey also found that three-quarters (76%) of CISO survey respondents say they expect security budgets to increase this year.

"As cybersecurity budgets increase, it’s expected that budgets will become more flexible to accommodate new and emerging products that defy the limitations of the currently identified categories," Forgepoint concluded.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

By Waqas
The Kommersant FM’s online bulletin was suddenly interrupted to play Ukraine’s anthem and anti-war songs by anti-war hackers…
This is a post from HackRead.com Read the original post: Russian Radio Station Hacked to Broadcast Ukrainian National Anthem

****The Kommersant FM’s online bulletin was suddenly interrupted to play Ukraine’s anthem and anti-war songs by anti-war hackers to protest against Vladimir Putin’s invasion of Ukraine.****

The online bulletin broadcast of a Russian radio station, Kommersant FM, was interrupted on Wednesday. The content was replaced with the Ukrainian national anthem and antiwar songs. However, the broadcast was quickly taken off the air. The station released the following statement to confirm the hack:

> “The radio station has been hacked. The internet stream will soon be reinstated.”

Kommersant FM’s editor-in-chief, Alexey Vorobyov, told the state-owned news agency, Tass, that the online stream was hacked on Wednesday, and their technical specialists were figuring out the attack’s origin.

**Details of the Incident**

The hackers disrupted the lunchtime bulletin of the targeted radio station, which is Kommersant newspaper’s radio offshoot. BBC Monitoring reporter Francis Scarr tweeted that the radio station played the Ukrainian anthem “Oh, the Red Viburnum in the Meadow.”

Moreover, the hackers played Russian rock band Nogu Svelo! ‘s song titled “We Don’t Need a War,” featuring a quote from Russia’s foreign minister Sergei Lavrov which means “a tough guy always keeps his word.”

Check out the recording of the Ukrainian national anthem playing on Kommersant FM after the hacking.

**About Kommersant FM**

Uzbek billionaire Alisher Usmanov owns the hacked radio station. The US and the EU sanctioned him after the invasion of Ukraine due to his alleged link with the Russian president Putin. However, Usmanov has challenged the sanctions, and a decision is expected soon.

1.  Hackers disrupt Chicago police radios with anti-cop songs
2.  Someone hacked N. Korean Radio Station to Play “The Final Countdown”
3.  Anonymous hacked Russian TV and streaming services with war footage
4.  Hackers can take over & control emergency alarm system with a $35 radio
5.  Anonymous hacks Russian TV, EV charging station with pro-Ukraine messages

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Russian Radio Station Hacked to Broadcast Ukrainian National Anthem

A researcher found that a recent update lets anyone enroll their own key during the 130-second interval after the car is unlocked with an NFC card.

Last year, Tesla issued an update that made its vehicles easier to start after being unlocked with their NFC key cards. Now, a researcher has shown how the feature can be exploited to steal cars.

For years, drivers who used their Tesla NFC key card to unlock their cars had to place the card on the center console to begin driving. Following the update, which was reported here last August, drivers could operate their cars immediately after unlocking them with the card. The NFC card is one of three means for unlocking a Tesla; a key fob and a phone app are the other two.

Enrolling Your Own Key

Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state to accept entirely new keys—with no authentication required and zero indication given by the in-car display.

"The authorization given in the 130-second interval is too general … it's not only for drive," Herfurt said in an online interview. "This timer has been introduced by Tesla … in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: Within the 130-second period, not only the driving of the car is authorized, but also the enrolling of a new key."

The official Tesla phone app doesn't permit keys to be enrolled unless it's connected to the owner's account, but despite this, Herfurt found that the vehicle gladly exchanges messages with any Bluetooth Low Energy, or BLE, device that's nearby. So the researcher built his own app, named Teslakee, that speaks VCSec, the same language that the official Tesla app uses to communicate with Tesla cars.

A malicious version of Teslakee that Herfurt designed for proof-of-concept purposes shows how easy it is for thieves to surreptitiously enroll their own key during the 130-second interval. (The researcher plans to release a benign version of Teslakee eventually that will make such attacks harder to carry out.) The attacker then uses the Teslakee app to exchange VCSec messages that enroll the new key.

All that's required is to be within range of the car during the crucial 130-second window of it being unlocked with an NFC card. If a vehicle owner normally uses the phone app to unlock the car—by far the most common unlocking method for Teslas—the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla's phone-as-a-key app.

This video demonstrates the attack in action:

As the driver enters the car after unlocking it with an NFC card, the thief begins exchanging messages between the weaponized Teslakee and the car. Before the driver has even driven away, the messages enroll a key of the thief's choice with the car. From then on, the thief can use the key to unlock, start, and turn off the car. There is no indication from the in-car display or the legitimate Tesla app that anything is amiss.

Herfurt has successfully used the attack on Tesla Models 3 and Y. He hasn't tested the method on new 2021+ facelift models of the S and X, but he presumes they are also vulnerable because they use the same native support for phone-as-a-key with BLE.

Tesla didn't respond to an email seeking comment for this post.

Parlez-Vous VCSec?

The vulnerability is the result of the dual roles played by the NFC card. It not only opens a locked car and starts it; it's also used to authorize key management.

Herfurt said:

_The attack exploits Tesla's way of handling the unlock process via NFC card. This works because Tesla's authorization method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who can see the Bluetooth LE advertisements of a vehicle may send VCSEC messages to it. This would not work with the official app, but an app that is also able to speak the Tesla-specific BLE protocol … allows attackers to enroll keys for arbitrary vehicles. Teslakee will communicate with any vehicle if it is told to._

Herfurt created Teslakee as part of Project Tempa, which “provides tools and information about the VCSEC protocol used by Tesla accessories and the Tesla app in order to control vehicles via Bluetooth LE.” Herfurt is a member of Trifinite Group, a research and hacker collective that focuses on BLE.

The attack is easy enough in technical aspects to carry out, but the mechanics of staking out an unattended vehicle, waiting for or forcing the owner to unlock it with an NFC card, and later catching up with the car and stealing it can be cumbersome. This method isn't likely to be practical in many theft scenarios, but for some, it seems viable.

With Tesla maintaining radio silence on this weakness, there's only so much that concerned owners can do. One countermeasure is to set up Pin2Drive to prevent thieves who use this method from starting a vehicle, but it will do nothing to prevent the thief from being able to enter the car when it's locked. Another protection is to regularly check the list of keys authorized to unlock and start the car through a process Tesla calls "whitelisting." Tesla owners may want to perform this check after giving an NFC card to an untrusted mechanic or valet parking attendant.

Based on the lack of response Herfurt said he received from Tesla regarding vulnerabilities he uncovered in 2019 and again last year, he's not holding his breath that the company will address the issue.

"My impression was that they always already knew and would not really change stuff," he said. "This time, there is no way that Tesla does not know about that poor implementation. So for me, there was no point in talking to Tesla beforehand."

_This story originally appeared on_ _Ars Technica__._

Hackers Can Steal Your Tesla by Creating Their Own Personal Keys

Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.1.

Permalink

Browse files

Fix stored XSS security issue: decode HTML entities from URL

*   Loading branch information

1 parent dfa51d8 commit 6e213b17e6ac3a3961e1eabcdaba1c892844398a

Showing **2 changed files** with **5 additions** and **1 deletion**.

*   CHANGES.md
*   *   PreparePHP\_SELF.fnc.php

  

@@ -1,6 +1,10 @@

# CHANGES

## RosarioSIS Student Information System

  

Changes in 9.0.1

\----------------

\- Fix stored XSS security issue: decode HTML entities from URL in PreparePHP\_SELF.fnc.php, thanks to @domiee13

  

Changes in 9.0

\--------------

\- CSS add length to previous meals select in DailyMenus.php

@@ -191,7 +191,7 @@ function( $match ) {

);

  

// Fix stored XSS security issue: decode HTML entities from URL.

$string = html\_entity\_decode( (string) $string );

$string = html\_entity\_decode( (string) $string, ENT\_QUOTES | ENT\_HTML5 );

  

$remove = \[

// Fix stored XSS security issue: remove inline JS from URL.

**0 comments on commit 6e213b1**

Please sign in to comment.

CVE-2022-2036: Fix stored XSS security issue: decode HTML entities from URL · francoisjacquet/rosariosis@6e213b1

A vulnerability classified as critical was found in Axios Italia Axios RE 1.7.0/7.0.0. This vulnerability affects unknown code of the file REDefault.aspx of the component Connection Handler. The manipulation of the argument DBIDX leads to privilege escalation. The attack can be initiated remotely.

Tag

#ios