Security experts from Check Point Research unveiled the findings in a new advisory
Monthly Archives: January 2023
US Family Planning Non-Profit MFHS Confirms Ransomware Attack
The non-profit said its systems were compromised between August 2021 and April 2022
Remote Vulnerabilities in Automobiles
Centos Web Panel 7 Unauthenticated Remote Code Execution – CVE-2022-44877
Posted by Numan TÜRLE on Jan 06
[+] Centos Web Panel 7 Unauthenticated Remote Code Execution
[+] Centos Web Panel 7 – < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Vendor: https://centos-webpanel.com/ – https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877
Description
————–
Bash commands can be run because double quotes are used to log incorrect…
14 UK schools suffer cyberattack, highly confidential documents leaked
More than a dozen schools in the UK have suffered a cyberattack which has led to highly confidential documents being leaked online by cybercriminals. That’s according to a report from the BBC which claimed that children’s SEN information, child passport scans, staff pay scales and contract details have been stolen by notorious cybercrime group Vice Society, known for disproportionately targeting the education sector with ransomware attacks in the UK and other countries.
Passport, contract data stolen and posted on dark web
Pates Grammar School in Gloucestershire is one of 14 to have been impacted by the data breach, the BBC reported, with Vice Society hackers using generic search terms to steal documents. “One folder marked ‘passports’ contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked ‘contract’ contains contractual offers made to staff alongside teaching documents on muscle contractions. Another folder marked ‘confidential’ contains documents on the headmaster’s pay and student bursary fund recipients,” the BBC wrote. The hack at Pates is estimated to have taken place on September 28 before data was published on the dark web. The UK Information Commissioner’s Office (ICO) and Gloucestershire Police confirmed they were investigating the alleged breaches in 2022.
CVE-2014-125049
** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in typcn Blogile. Affected is the function getNav of the file server.js. The manipulation of the argument query leads to sql injection. The name of the patch is cfec31043b562ffefe29fe01af6d3c5ed1bf8f7d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217560. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2014-125048
A vulnerability, which was classified as critical, has been found in kassi xingwall. This issue affects some unknown processing of the file app/controllers/oauth.js. The manipulation leads to session fixiation. The name of the patch is e9f0d509e1408743048e29d9c099d36e0e1f6ae7. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217559.
Twitter’s mushrooming data breach crisis could prove costly
Since Elon Musk purchased Twitter in late October, non-stop turmoil and controversy have dogged the company, from massive staff firings and resignations to reputational damage from Musk’s careless and often bizarre tweets. Now, mushrooming concern around a possible data breach stemming from a now-fixed Twitter flaw is poised to drive the company further down unless Twitter takes quick action.
Even as regulators in Europe begin to probe what appears to be a massive Twitter data breach, Twitter and Elon Musk have failed to comment publicly on the true extent of the breach. Experts say that unless Twitter gets ahead of the curve, informs regulators of the facts, and notifies users of how much of their public and private information has been exposed, the company could suffer serious financial and operating consequences.
CVE-2014-125047
A vulnerability classified as critical has been found in tbezman school-store. This affects an unknown part. The manipulation leads to sql injection. The name of the patch is 2957fc97054216d3a393f1775efd01ae2b072001. It is recommended to apply a patch to fix this issue. The identifier VDB-217557 was assigned to this vulnerability.
UK Schools Hit by Mass Leak of Confidential Data
Confidential data including child passport scans and staff pay scales have been leaked following cyber-attacks in 2022