Category Archives: Advisories

CVE-2020-9420

Read Time:10 Second

The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.

Read More

Trojan-Dropper.Win32.Decay.dxv (CyberGate v1.00.0) / Insecure Proprietary Password Encryption

Read Time:18 Second

Posted by malvuln on Dec 13

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/618f28253d1268132a9f10819a6947f2.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Backup media: infosec.exchange/@malvuln

Threat: Trojan-Dropper.Win32.Decay.dxv (CyberGate v1.00.0)
Vulnerability: Insecure Proprietary Password Encryption
Family: CyberGate
Type: PE32
MD5: 618f28253d1268132a9f10819a6947f2
Vuln ID:…

Read More

Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh

Read Time:12 Second

Posted by Thomas Weber on Dec 13

CyberDanube Security Research 20221009-0
——————————————————————————-

               title| Authenticated Command Injection
             product| Intelbras WiFiber 120AC inMesh
  vulnerable version| 1.1-220216
       fixed version| 1-1-220826
          CVE number| CVE-2022-40005
              impact| High
           …

Read More

SEC Consult SA-20221213-0 :: Privilege Escalation Vulnerabilities (UNIX Insecure File Handling) in SAP Host Agent (saposcol)

Read Time:15 Second

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Dec 13

SEC Consult Vulnerability Lab Security Advisory < 20221213-0 >
=======================================================================
title: Privilege Escalation Vulnerabilities (UNIX Insecure File
Handling)
product: SAP® Host Agent (saposcol)
vulnerable version: see section “Vulnerable / tested versions”
fixed version: see SAP security note 3159736
CVE…

Read More

Vulnerabilities Disclosure – Shoplazza Stored XSS

Read Time:20 Second

Posted by Andrey Stoykov on Dec 13

# Exploit Title: Shoplazza 1.1 – Stored Cross Site Scripting
# Exploit Author: Andrey Stoykov
# Software Link: https://github.com/Shoplazza/LifeStyle
# Version: 1.1
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as normal user account
2. Browse “Blog Posts” -> “Manage Blogs” -> “Add Blog Post”
3. Select “Title” and enter payload…

Read More

Multiple Vulnerabilities in VMware vRealize Network Insight (vRNI) Could Allow for Arbitrary Code Execution

Read Time:37 Second

Multiple vulnerabilities have been discovered in VMware vRealize Network Insight (vRNI), the most severe of which could result in arbitrary code execution. VMware vRealize Network Insight (vRNI) is an IT management platform which enables visibility, optimization and management of an organization’s physical, virtual and cloud infrastructure. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Read Time:39 Second

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

IPS Spike Observed in “TP-Link.Tapo.C200.IP.Camera.Command.Injection”

Read Time:1 Minute, 25 Second

On December 11th, 2022, FortiGuard Labs observed a significant spike in IPS signature “TP-Link.Tapo.C200.IP.Camera.Command.Injection”. The IPS signature is for CVE-2021-4045 and detects an attack to exploit a Command Injection vulnerability in TP-Link Tapo C200 IP Camera. Successful exploitation of the vulnerability allows remote attackers to gain control of vulnerable devices.Why is this Significant?This is significant due to the detection spike in our IPS signature, which indicates attackers are attempting to exploit TP-Link Tapo C200 IP Camera devices vulnerable to CVE-2021-4045. Also, proof-of-concept (PoC) code for CVE-2021-4045 is readily available. As such, firmware updates need to be applied to the vulnerable devices as soon as possible.What is CVE-2021-4045?CVE-2021-4045 is a Command Injection vulnerability in TP-Link Tapo C200 IP Camera. Successful exploitation of the vulnerability allows remote attackers to gain control of vulnerable devices. CVE-2021-4045 impacts Tapo C200 version 1.15 and below and has a CVSS score of 9.8. How Widespread is the Attack?Based on the telemetry collected by FortiGuard Labs last 24 hours, 24.55% of the detected exploit attempts came from unidentified countries, followed by Japan (22.48%) and the United States (13.95%).Top 10 Countries where “TP-Link.Tapo.C200.IP.Camera.Command.Injection” was Detected last 24 hours

Country
Percentage

Unknown
24.55%

Japan
22.48%

United States
13.95%

Italy
5.43%

Austria
3.88%

Switzerland
2.84%

Netherlands
2.58%

Germany
2.33%

Belgium
2.07%

Canada
2.07%
Has the Vendor Released a Patch for CVE-2021-4045?Yes, the vendor released firmware with a fix.

Read More

Cobalt Mirage Affiliate Deployed Drokbk Malware

Read Time:1 Minute, 22 Second

FortiGuard Labs is aware of a report that the “Cluster B” group who is an alleged affiliate to the Iranian threat actor “Cobalt Mirage” deployed Drokbk malware to victims’ machines. Drokbk uses Github to retrieve a Command-and-Control (C2) server location. According to the report, the Cluster B threat actor was observed to have used Drokbk in an attack against a U.S. government network in early 2022.Why is this Significant?This is significant because Drokbk malware was reportedly deployed to a compromised U.S. government networks in early 2022. Security vendor Secureworks attributed Drokbk to the “Cluster B” group who is an affiliate to an alleged Iranian threat actor “Cobalt Mirage”.What is Drokbk Malware?Drokbk is a .NET malware which prime functionality is to execute remote commands served from its Command-and-Control (C2) servers. The malware is designed to retrieve C2 locations from publicly available services such as Github.According to Secureworks, Drokbk was deployed to a U.S. government network in early February 2022 compromised by leveraging Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).FortiGuard Labs previously released Outbreak Alert and Threat Signal for Log4j vulnerabilities. See the Appendix for a link to “Outbreak Alert: Apache Log4j2 Vulnerability” and “Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)”.What is the Status of Coverage?FortiGuard Labs detect available samples in the report with the following AV signatures:MSIL/Agent.3606!trW64/MaliceyElie.84DB!trW32/PossibleThreatPossibleThreatFortiGuard Labs has IPS coverage in place for CVE-2021-44228 and CVE-2021-45046:Apache.Log4j.Error.Log.Remote.Code.ExecutionAll network IOCs in the report are blocked by Webfiltering.

Read More