This will lead to privilege escalation from AP officers account to the System Administrator account. and gain more functionality such as Create/Update Companies. Install/Update Languages. Install/Activate Extensions. Install/Activate Themes. Install/Activate Chart of Accounts. Software Upgrade.

@@ -25,7 +25,7 @@ function can\_process() {

$Auth\_Result = hook\_authenticate($\_SESSION\['wa\_current\_user'\]->username, $\_POST\['cur\_password'\]);

  

if (!isset($Auth\_Result)) // if not used external login: standard method

$Auth\_Result = get\_user\_auth($\_SESSION\['wa\_current\_user'\]->username, md5($\_POST\['cur\_password'\]));

$Auth\_Result = authenticate\_user($\_SESSION\['wa\_current\_user'\]->username, $\_POST\['cur\_password'\]);

  

if (!$Auth\_Result) {

display\_error( \_('Invalid password entered.'));

@@ -57,7 +57,7 @@ function can\_process() {

if ($SysPrefs\->allow\_demo\_mode)

display\_warning(\_('Password cannot be changed in demo mode.'));

else {

update\_user\_password($\_SESSION\['wa\_current\_user'\]->user, $\_SESSION\['wa\_current\_user'\]->username, md5($\_POST\['password'\]));

update\_user\_password($\_SESSION\['wa\_current\_user'\]->user, $\_SESSION\['wa\_current\_user'\]->username, password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT));

display\_notification(\_('Your password has been updated.'));

}

$Ajax\->activate('\_page\_body');

@@ -86,4 +86,4 @@ function can\_process() {

  

submit\_center( 'UPDATE\_ITEM', \_('Change password'), true, '', 'default');

end\_form();

end\_page();

end\_page();

@@ -20,7 +20,7 @@

  

page(\_($help\_context = 'Create/Update Company'));

  

$comp\_subdirs = array('images', 'pdf\_files', 'backup','js\_cache', 'reporting', 'attachments');

$comp\_subdirs = array('images', 'pdf\_files', 'backup', 'js\_cache', 'reporting', 'attachments');

  

simple\_page\_mode(true);

/\*

@@ -107,7 +107,7 @@ function handle\_submit($selected\_id) {

  

$conn = $db\_connections\[$selected\_id\];

if (($db = db\_create\_db($conn)) === false) {

display\_error(\_('Error creating Database: ') . $conn\['dbname'\] . \_(', Please create it manually'));

display\_error(\_('Error creating Database: ').$conn\['dbname'\].\_(', Please create it manually'));

$error = true;

}

else {

@@ -120,7 +120,7 @@ function handle\_submit($selected\_id) {

else {

if (!isset($\_POST\['admpassword'\]) || $\_POST\['admpassword'\] == '')

$\_POST\['admpassword'\] = 'password';

update\_admin\_password($conn, md5($\_POST\['admpassword'\]));

update\_admin\_password($conn, password\_hash($\_POST\['admpassword'\]), PASSWORD\_DEFAULT);

}

}

if ($error) {

@@ -350,4 +350,4 @@ function display\_company\_edit($selected\_id) {

  

end\_form();

  

end\_page();

end\_page();

@@ -112,12 +112,29 @@ function delete\_user($id) {

  

//-----------------------------------------------------------------------------------------------

  

function get\_user\_auth($user\_id, $password) {

function authenticate\_user($user\_id, $password) {

  

$sql = "SELECT \* FROM ".TB\_PREF."users WHERE user\_id = ".db\_escape($user\_id)." AND"

." password=".db\_escape($password);

$sql1 = "SELECT password FROM ".TB\_PREF."users WHERE user\_id = ".db\_escape($user\_id);

  

return db\_num\_rows(db\_query($sql, 'could not get validate user login for '.$user\_id)) != 0;

$result = db\_query($sql1, 'could not get user login for '.$user\_id);

  

if(db\_num\_rows($result) == 0)

return false;

  

$hash = db\_fetch($result)\[0\];

  

// The user's password hash may have been created long ago by md5 password algorithm on the old NotrinosERP versions

if(password\_verify($password, $hash) || $hash == md5($password)) {

if(password\_needs\_rehash($hash, PASSWORD\_DEFAULT) === true) {

$new\_hash = password\_hash($password, PASSWORD\_DEFAULT);

$sql2 = "UPDATE ".TB\_PREF."users SET password = ".db\_escape($new\_hash)." WHERE user\_id = ".db\_escape($user\_id);

db\_query($sql2, 'could not update password hash for '.$user\_id);

}

  

return true;

}

  

return false;

}

  

//-----------------------------------------------------------------------------------------------

@@ -56,12 +56,12 @@ function can\_process($new) {

update\_user\_prefs($selected\_id, get\_post(array('user\_id', 'real\_name', 'phone', 'email', 'role\_id', 'language', 'print\_profile', 'rep\_popup' => 0, 'pos')));

  

if ($\_POST\['password'\] != '')

update\_user\_password($selected\_id, $\_POST\['user\_id'\], md5($\_POST\['password'\]));

update\_user\_password($selected\_id, $\_POST\['user\_id'\], password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT));

  

display\_notification\_centered(\_('The selected user has been updated.'));

}

else {

add\_user($\_POST\['user\_id'\], $\_POST\['real\_name'\], md5($\_POST\['password'\]), $\_POST\['phone'\], $\_POST\['email'\], $\_POST\['role\_id'\], $\_POST\['language'\], $\_POST\['print\_profile'\], check\_value('rep\_popup'), $\_POST\['pos'\]);

add\_user($\_POST\['user\_id'\], $\_POST\['real\_name'\], password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT), $\_POST\['phone'\], $\_POST\['email'\], $\_POST\['role\_id'\], $\_POST\['language'\], $\_POST\['print\_profile'\], check\_value('rep\_popup'), $\_POST\['pos'\]);

$id = db\_insert\_id();

// use current user display preferences as start point for new user

$prefs = $\_SESSION\['wa\_current\_user'\]->prefs\->get\_all();

@@ -69,11 +69,11 @@ class current\_user {

  

// Use external authentication source if any.

// Keep in mind you need to have user data set for $loginname

// in FA users table anyway to successfully log in.

// in NotrinosERP users table anyway to successfully log in.

$Auth\_Result = hook\_authenticate($loginname, $password);

  

if (!isset($Auth\_Result)) // if not used: standard method

$Auth\_Result = get\_user\_auth($loginname, md5($password));

$Auth\_Result = authenticate\_user($loginname, $password);

if ($SysPrefs\->login\_delay > 0)

write\_login\_filelog($loginname, $Auth\_Result);

if ($Auth\_Result) {

@@ -151,7 +151,7 @@ class current\_user {

if ($user != false) {

  

$password = generate\_password();

$hash = md5($password);

$hash = password\_hash($password);

  

update\_user\_password($user\['id'\], $user\['user\_id'\], $hash);

  

**0 comments on commit 1b9903f**

Please sign in to comment.

CVE-2022-2921: changed password hash method from md5 to bcrypt. · notrinos/NotrinosERP@1b9903f

Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the Grandoreiro banking trojan. 
"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute '

Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the **Grandoreiro** banking trojan.

"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler said in a report.

The ongoing attacks, which commenced in June 2022, have been observed to target automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico and chemicals manufacturing industries in Spain.

Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive, from which is extracted a loader that masquerades as a PDF document to trigger the execution.

The phishing messages prominently incorporate themes revolving around payment refunds, litigation notifications, cancellation of mortgage loans, and deposit vouchers, to activate the infections.

"This \[loader\] is responsible for downloading, extracting and executing the final 400MB 'Grandoreiro' payload from a Remote HFS server which further communicates with the \[command-and-control\] Server using traffic identical to LatentBot," Zscaler researcher Niraj Shivtarkar said.

That's not all. The loader is also designed to gather system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and exfiltrate the information to a remote server.

Observed in the wild for at least six years, Grandoreiro is a modular backdoor with an array of functionalities that allows it to record keystrokes, execute arbitrary commands, mimic mouse and keyboard movements, restrict access to specific websites, auto-update itself, and establish persistence via a Windows Registry change.

What's more, the malware is written in Delphi and utilizes techniques like binary padding to inflate the binary size by 200MB, CAPTCHA implementation for sandbox evasion, and C2 communication using subdomains generated via a domain generation algorithm (DGA).

The CAPTCHA technique, in particular, requires the manual completion of the challenge-response test to execute the malware in the compromised machine, meaning that the implant is not run unless and until the CAPTCHA is solved by the victim.

The findings suggest that Grandoreiro is continuously evolving into a sophisticated malware with novel anti-analysis characteristics, granting the attackers full remote access capabilities and posing significant threats to employees and their organizations.

The development also arrives a little over a year after Spanish law enforcement agencies apprehended 16 individuals belonging to a criminal network in connection with operating Mekotio and Grandoreiro in July 2021.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

A heap-based buffer over write vulnerability was found in GhostScript's lp8000_print_page() function in gdevlp8k.c file. An attacker could trick a user to open a crafted PDF file, triggering the heap buffer overflow that could lead to memory corruption or a denial of service.

'701844?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-27792: Invalid Bug ID

APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.

Fake job offers have become a top phishing tactic for state-sponsored threat actors to lure in unsuspecting targets in the wake of the COVID-19 pandemic, as many reconsider their careers amid growing demand for skilled workers and managers.

The cyber-threat analyst team at PwC, which has followed a prime example of this (the Lazarus Group's Operation In(ter)ception) closely, presented a detailed account of the Lazarus campaign and how the group implemented the strategy during last week's Black Hat USA 2022 conference in Las Vegas.

PwC principal threat analyst Sveva Vittoria Scenarelli, who studies advanced persistent threats (APTs) in the Asia-Pacific region with an emphasis on North Korea, noted that the stakes are high.

"This is an espionage-motivated campaign that is incredibly persistent in targeting the aerospace sector, the defense industrial base, manufacturing chemical sector, for everything from military secrets to intellectual property to confidential information of strategic interest," Scenarelli explained during her presentation at Black Hat, called "Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering."

The Cybersecurity & Infrastructure Security Agency (CISA) agrees, and has warned that the threat actors (aka APT38, Black Artemis, BlueNoroff, Hidden Cobra, and Stardust Chollima) "employ malicious cyberactivity to collect intelligence, conduct attacks, and generate revenue."

Scenarelli explained that Lazarus follows up with its targets via messaging apps such as WhatsApp.

This is "to make sure that the victims do open the malicious viewer documents or the malicious executables that the threat actor has sent," she said. "Black Artemis will also set up domains. This can be for command and control of its malicious implants to send emails that appear to come from on a legit site, or indeed to perform Web exploitation as an initial access method."

Scenarelli explained that Black Artemis creates domains that spoof prominent job search websites like Indeed, with attractive positions at high-profile companies such as Google and Oracle. She underscored that many sites look legitimate, though there are obvious signs they are fake. For instance, the Indeed decoy site URL is Indeed.US.org, she said. Scenarelli noted that the job descriptions disguised as .docx, .pdf, or .rtx files launch when the victims click on the documents, which may enable macros.

Similarly, Scenarelli recalled another attack by the group, which made off with $625 million in cryptocurrency. She warned that this variant, which PwC researchers call "Black Alicanto," is financially motivated and dangerous. In the wake of Microsoft recently disabling macros in Office documents, Scenarelli said this malware might use .lnk files, perhaps embedded in password-protected Microsoft Word documents.

"Threat actors are having to pivot a bit in their initial access techniques and using more and more .lnk files, ISO files, MSI installers, and stuff like that," she said. But in the background, she noted, the .lnk file is calling MSHDA.exe, which connects to a remote server to pull down a malicious JavaScript script that PwC calls "Cabbage Loader."

This script places a .lnk file in the victim's startup folder "to ensure persistence and then pulls down a whole series of other JavaScript payloads," she explained. "These are essentially profilers that want to make sure that the actual person that's interacting with them is not a sandbox, is not a researcher, but it's actually a target of interest."

Scenarelli concluded that Lazarus and other North Korea-based threat actors continue to exploit the growing demand for skilled people, who, despite their training and awareness of threats, can be caught off guard.

"The job market right now is a really key area for North Korea-based threat actors," she said. "So, keep your eyes peeled, make sure you're aware of whom you're interviewing. And for the love of all that is holy, don't open those links that you get sent on LinkedIn, do not open them."

State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims

Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

API-related security vulnerabilities continue to be a thorn in the side of organizations, with access control flaws now associated with high-severity CVEs.

According to a new whitepaper published by API security firm Wallarm, titled ‘API vulnerabilities discovered and exploited in Q1-2022’, a total of 48 API-related vulnerabilities were found and reported in the first quarter.

Based on industry standards, 18 were considered high-risk and 19 were labeled as of medium severity, the report (PDF) says.

The critical vulnerabilities disclosed publicly earned themselves CVSS v3 scores ranging from 8.1 and 10.

**Top API threats**

Merging both OWASP Top 10 and OWASP API Security Top 10 standards, the cybersecurity firm categorized the most significant API threat disclosures as issues relating to broken access controls (or broken function level authorization, depending on the OWASP standard), as well as injection attacks.

While security flaws including cryptographic failures, insecure design, excessive data exposure, and misconfigurations also made the list, the most dangerous, exploited API vulnerabilities disclosed in Q1 2022 relate to injection attacks, incorrect authorization or a complete bypass, and incorrect permission assignment.

Topping the list of the four most dangerous API vulnerabilities disclosed and reported in the first quarter of 2022 is CVE-2022-22947, also known as ‘Spring4Shell.’

**BACKGROUND** Spring4Shell: Microsoft, CISA warn of limited, in-the-wild exploitation

Spring4Shell is linked to two vulnerabilities – CVE-2022-22963, a SpEL expression injection bug in Spring Cloud Function, and CVE-2022-22947, a code injection attack leading to remote code execution (RCE) in Spring Framework’s Java-based Core module.

A developer publicly released exploit code for the critical bug in March, and although promptly deleted, the release of working RCE code ensured Spring4Shell became a headache for developers who needed to apply Spring’s emergency patch quickly.

The vulnerability was compared to Log4j due to the Spring Framework’s popularity. Before long, Microsoft and CISA warned of active exploitation of the zero-day flaw. Attackers then harnessed the bug to grow the Mirai botnet.

**Enterprise technologies targeted**

The second vulnerability at the top of the API vulnerability list is CVE-2022-26501 (CVSS 9.8), an improper authentication bug in Veeam Backup and Replication that allows attackers to execute arbitrary code remotely without authentication. Veeam supports over 400,000 customers, many of which are enterprise firms.

According to Nikita Petrov, the Positive Technologies researcher who disclosed the critical bug alongside two others, CVE-2022-26501 had the potential to “be exploited in real attacks and put many organizations at significant risk”.

The third flaw, another assigned a CVSS score of 9.8, impacts Zabbix, an enterprise-grade open source network tool. Tracked as CVE-2022-23131, when a non-default setting to enable SAML SSO authentication was in use, the tool’s front end was susceptible to privilege escalation and admin session hijacking – as long as an attacker knew the admin’s username.

**YOU MIGHT ALSO LIKE** SOS.dev program launched to help protect critical upstream software

Fourth is CVE-2022-24327, a lower-grade bug assigned a CVSS score of 7.8 but still considered a severe vulnerability. Found in the JetBrains suite hub, the bug related to developer accounts integrated into the hub which inadvertently exposed API keys with excessive permissions, potentially leading to account takeover or hijacking.

Finally, Wallarm has bundled a category of API security threats as a common denominator in many cyber-attacks today. Described by Mitre as “CWE-639: Authorization Bypass Through User-Controlled Key”, the issues surround system authorization functionality which allows key values to be tampered and users to access other users’ data or records without permission.

APIs, as key communication methods between functions, will remain a target for cyber-attackers as long as they are in use due to their critical roles in modern networks and services.

In recent API security news, open source hacking tool GoTestWAF has introduced API security platform evaluation capabilities, emulating OWASP and API exploits to test API security defenses.

**RECOMMENDED** Vulnerability in open source identity management system Free IPA could lead to XXE attacks

API security: Broken access controls, injection attacks plague the enterprise security landscape in 2022

Unsafe Parsing of a PNG tRNS chunk in FastStone Image Viewer through 7.5 results in a stack buffer overflow.

CVE-2022-36947: FastStone Image Viewer - Powerful and Intuitive Photo Viewer, Editor and Batch Converter

Lazarus continues to expand an aggressive, ongoing spy campaign, using fake Coinbase job openings to lure in victims.

North Korean advanced persistent threat (APT) Lazarus is casting a wider net with its ongoing Operation In(ter)ception campaign, targeting Macs with Apple's M1 chip.

The state-sponsored group is continuing its favored approach of launching phishing attacks under the guise of fake job opportunities. Threat researchers at endpoint detection provider ESET warned this week that it discovered a Mac executable camouflaged as a job description for an engineering manager position at the popular cryptocurrency exchange operator Coinbase.

According to ESET's warning on Twitter, Lazarus uploaded the bogus job offer to VirusTotal from Brazil. Lazarus designed the latest iteration of the malware, Interception.dll, to execute on Macs by loading three files: a PDF document with the fake Coinbase job posting and two executables, FinderFontsUpdater.app and safarifontsagent, according to the alert. The binary can compromise Macs powered both with Intel processors and with Apple's new M1 chipset.

ESET researchers started investigating Operation In(ter)ception nearly three years ago when its researchers discovered attacks against aerospace and military companies. They determined that the campaign's primary goal was espionage, although it also found instances of the attackers using a victim's email account via a business email compromise (BEC) to complete the operation. The Interception.dll malware renders compelling but fake job offers to lure unsuspecting victims, often using LinkedIn.

The Mac attack is the latest in an ongoing barrage of efforts by Lazarus to accelerate Operation In(ter)ception, which has escalated in recent months. ESET published a detailed white paper on the tactic by Lazarus two years ago.

**Risk Mitigated by Apple**

Ironically, the appealing Coinbase job posting targets technically oriented people.

"We suspect that the attackers were in direct contact, so the victim was probably instructed to click whatever popup windows showed up in order to see the 'dream job' offer from Coinbase," Peter Kalnai, a senior malware researcher for ESET, explains to Dark Reading.

Apple revoked the certificate that would enable the malware to execute late last week after ESET alerted the company of the campaign. So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness, Kalnai notes.

"The certificate has been revoked, so it's not possible to execute it until the user adds it to allowed applications," he said. "Only then this remains a threat when the attackers start to be convincing enough to trick the victim to overcome those obstacles with execution. Moreover, when the attackers approach their victim, they very likely verify that the certificate is not revoked, and in case it is, they may create a new, unrevoked certificate."

The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity.

Andrew Grotto, who served as the senior director for cybersecurity policy at the White House in both the Obama and Trump administrations, says North Korea has arisen from an aspiring antagonist into one of the most aggressive threat actors in the world.

"North Korea has been able to acquire skills that may be required to craft really fast," says Grotto, who is now director of the Center for International Security and Cooperation at Stanford University's program on geopolitics, technology and governance. "They quickly emerged as one of the top, if not the top, cyber operators when it comes to high-end potential crimes."

Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives -- which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction -- state that the user's account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

Scammers are using invoices sent through **PayPal.com** to trick recipients into calling a number to dispute a pending charge. The missives — _which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction_ — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport\[.\]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

PayPal Phishing Scam Uses Invoices Sent Via PayPal

FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php.

@@ -312,7 +312,7 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ if ($fax\_file\_extension != "pdf" && $fax\_file\_extension != "tif") { chdir($dir\_fax\_temp); $command = $IS\_WINDOWS ? '' : 'export HOME=/tmp && '; $command .= 'libreoffice --headless --convert-to pdf --outdir '.$dir\_fax\_temp.' '.$dir\_fax\_temp.'/'.$fax\_name.'.'.$fax\_file\_extension; $command .= 'libreoffice --headless --convert-to pdf --outdir '.$dir\_fax\_temp.' '.$dir\_fax\_temp.'/'.escapeshellarg($fax\_name).'.'.escapeshellarg($fax\_file\_extension); exec($command); @unlink($dir\_fax\_temp.'/'.$fax\_name.'.'.$fax\_file\_extension); } @@ -322,7 +322,7 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ chdir($dir\_fax\_temp);  
//convert pdf to tif $cmd = exec('which gs')." -q -r".$gs\_r." -g".$gs\_g." -dBATCH -dPDFFitPage -dNOSAFER -dNOPAUSE -dBATCH -sOutputFile=".correct\_path($fax\_name).".tif -sDEVICE=tiffg4 -Ilib stocht.ps -c \\"{ .75 gt { 1 } { 0 } ifelse} settransfer\\" -- ".correct\_path($fax\_name).".pdf -c quit"; $cmd = exec('which gs')." -q -r".$gs\_r." -g".$gs\_g." -dBATCH -dPDFFitPage -dNOSAFER -dNOPAUSE -dBATCH -sOutputFile=".escapeshellarg($fax\_name).".tif -sDEVICE=tiffg4 -Ilib stocht.ps -c \\"{ .75 gt { 1 } { 0 } ifelse} settransfer\\" -- ".escapeshellarg($fax\_name).".pdf -c quit"; // echo($cmd . "<br/>\\n"); exec($cmd); @unlink($dir\_fax\_temp.'/'.$fax\_name.'.pdf'); @@ -672,17 +672,17 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){  
//send the fax $fax\_file = $dir\_fax\_sent."/".$fax\_instance\_uuid.".tif"; $common\_variables .= "fax\_queue\_uuid='" . $fax\_queue\_uuid . "',"; $common\_variables .= "fax\_queue\_uuid='" . escapeshellarg($fax\_queue\_uuid) . "',"; $common\_variables = "for\_fax=1,"; $common\_variables .= "accountcode='" . $fax\_accountcode . "',"; $common\_variables .= "sip\_h\_X-accountcode='" . $fax\_accountcode . "',"; $common\_variables .= "domain\_uuid=" . $\_SESSION\["domain\_uuid"\] . ","; $common\_variables .= "domain\_name=" . $\_SESSION\["domain\_name"\] . ","; $common\_variables .= "origination\_caller\_id\_name='" . $fax\_caller\_id\_name . "',"; $common\_variables .= "origination\_caller\_id\_number='" . $fax\_caller\_id\_number . "',"; $common\_variables .= "fax\_ident='" . $fax\_caller\_id\_number . "',"; $common\_variables .= "fax\_header='" . $fax\_caller\_id\_name . "',"; $common\_variables .= "fax\_file='" . $fax\_file . "',"; $common\_variables .= "accountcode='" . escapeshellarg($fax\_accountcode) . "',"; $common\_variables .= "sip\_h\_X-accountcode='" . escapeshellarg($fax\_accountcode) . "',"; $common\_variables .= "domain\_uuid=" . escapeshellarg($\_SESSION\["domain\_uuid"\]) . ","; $common\_variables .= "domain\_name=" . escapeshellarg($\_SESSION\["domain\_name"\]) . ","; $common\_variables .= "origination\_caller\_id\_name='" . escapeshellarg($fax\_caller\_id\_name) . "',"; $common\_variables .= "origination\_caller\_id\_number='" . escapeshellarg($fax\_caller\_id\_number) . "',"; $common\_variables .= "fax\_ident='" . escapeshellarg($fax\_caller\_id\_number) . "',"; $common\_variables .= "fax\_header='" . escapeshellarg($fax\_caller\_id\_name) . "',"; $common\_variables .= "fax\_file='" . escapeshellarg($fax\_file) . "',";  
foreach ($fax\_numbers as $fax\_number) {  
@@ -704,16 +704,16 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ $fax\_uri = $route\_array\[0\]; $fax\_variables = ""; foreach($\_SESSION\['fax'\]\['variable'\] as $variable) { $fax\_variables .= $variable.","; $fax\_variables .= escapeshellarg($variable).","; } }  
//build the fax dial string $dial\_string = $common\_variables; $dial\_string .= $fax\_variables; $dial\_string .= "mailto\_address='" . $mail\_to\_address . "',"; $dial\_string .= "mailfrom\_address='" . $mail\_from\_address . "',"; $dial\_string .= "fax\_uri=" . $fax\_uri . ","; $dial\_string .= "mailto\_address='" . escapeshellarg($mail\_to\_address) . "',"; $dial\_string .= "mailfrom\_address='" . escapeshellarg($mail\_from\_address) . "',"; $dial\_string .= "fax\_uri=" . escapeshellarg($fax\_uri) . ","; $dial\_string .= "fax\_retry\_attempts=1" . ","; $dial\_string .= "fax\_retry\_limit=20" . ","; $dial\_string .= "fax\_retry\_sleep=180" . ",";

CVE-2022-35153: Security use escapeshellarg · fusionpbx/fusionpbx@de22a91

A SQL injection vulnerability in CustomerDAO.java in sazanrjb InventoryManagementSystem 1.0 allows attackers to execute arbitrary SQL commands via the parameter 'customerCode.'

**InventoryManagementSystem**

A software developed using Java SE which provides as easy way to track the products, suppliers, customers as well as purchase and sales information. It also records the stock currently available in the store. There are basically two users, Administrator and Normal User. Both the users can manage suppliers, products, customers and purchase and sell products. The only difference between the two users is that the administrator can also view sales report and can also manage other users.

Download .sql file for this application: https://drive.google.com/file/d/0Bw-qNYNSGhdCN09YZDV6SmtRN00/view?usp=sharing&resourcekey=0-g98Gi5ErSgzV-Jit-4Ow6Q

Download required third party plugins (includes JCalender, JTattoo and SQLConnector) : https://drive.google.com/file/d/0Bw-qNYNSGhdCMU1mekN4SmRCb1E/view?usp=sharing&resourcekey=0-mynFCWwHM0l7oUuBwDIVbw

Download the software only: https://drive.google.com/file/d/0Bw-qNYNSGhdCbVdSdzZHX0pZOFE/view?usp=sharing&resourcekey=0-Q9wY-we5-vgs26YpPMrYaQ

Download full documentation for free:

*   https://www.scribd.com/doc/296989740/InventoryManagementSystem-Sajan-Rajbhandari
*   Inventory-Management-System-Sajan-Rajbhandari.pdf

Credentials:

After importing the above sql file and adding the plugins, try using the credential username: user4 and password: test123

Also make sure your mysql is username: root and password: root. If not change the credential in ../ims/src/com/inventory/database/ConnectionFactory.java line no. 36 and 44.

CVE-2022-35606: GitHub - sazanrjb/InventoryManagementSystem: A software developed using Java SE which provides as easy way to track the products, suppliers, customers as well as purchase and sales information. It als

Tag

#pdf