{"malwarebytes": [{"lastseen": "2021-01-20T20:37:19", "bulletinFamily": "blog", "cvelist": [], "description": "Metadata, which [gives background information on pieces of data](<https://blog.malwarebytes.com/glossary/metadata/>), is typically hidden. It becomes a problem when accidentally revealed. Often tied to [photography mishaps](<https://en.wikipedia.org/wiki/Exif>), it can be [timestamps](<https://www.complex.com/life/2020/10/trump-staging-photos-walter-reed-hospital>). It might be [location](<https://hotforsecurity.bitdefender.com/blog/229-drug-dealers-caught-after-failing-to-remove-photo-exif-metadata-16679.html>). In some cases, it can be [log analysis](<https://www.newscientist.com/article/dn25430-criminal-gang-connections-mapped-via-phone-metadata/>). Many tutorials exist to [strip this information out](<https://galaxyreporters.com/how-to-delete-metadata-from-photos-before-posting-online/>). This is because it can reveal more than intended when it hits the public domain. Default settings are often to blame. For example, a mobile photography app or camera may embed GPS data by default.\n\nSome people may find this useful; quite a few more may object to it as a creepy privacy invasion.\n\nWell, that\u2019s metadata. Now you have an idea what kind of things can lurk without knowledge. We can see what happens when we _deliberately_ enable a data / tagging related function.\n\n### Watermarking: what's the deal?\n\nAn interesting story has recently emerged on The Intercept, of [_voluntary_ data](<https://theintercept.com/2021/01/18/leak-zoom-meeting/>) (in the form of watermarks) wrapped into Zoom recordings, which could cause headaches in unexpected ways. Watermarks aren't hidden\u2014they're right there by design, if people choose to use them. And the visual side of this data is _supposed_ to be viewable during the call.\n\nThe Intercept talks about accidental identity reveals, via data embedded into calls, in relation to the ever-present videoconferencing tool. You'd be forgiven for thinking the identity reveal referenced in the article had something to do with the watermarks, but no.\n\nThe reveal happened because someone recorded a video call and [dropped it online](<https://blog.timesunion.com/capitol/archives/291186/what-happens-in-vegas-stays-in-vegas-democrat-leaks-video-of-secret-conference-meeting/>), with participant\u2019s faces on display. The people involved appear to be at least reasonably well known. The secret identity game was up _regardless_ of what was under the hood.\n\n### Cause and effect\n\nWhat the _rest_ of the article is about, is theorising on the ways embedded metadata could cause issues for participants. Zoom allows for [video](<https://support.zoom.us/hc/en-us/articles/209605273-Adding-a-Watermark>) and [audio](<https://support.zoom.us/hc/en-us/articles/360021839031-Audio-Watermark>) watermarking, with video of course being visual and so easier to spot. Video displays a portion of a user\u2019s email address when someone is sharing their screen. Audio embeds the information of anyone _recording_ the call into the audio, and Zoom lets you know who shared it. You must ask Zoom to do this, and the clip has to be more than 2 minutes in length.\n\nEssentially, video watermarking is to help you know who is sharing and talking during the call. Audio watermarking is to allow you to figure out if someone is sharing without permission. The Intercept explores ways this could cause problems where confidentiality is a concern.\n\n### Some identity caveats\n\nIf Zoom content is shared online without permission, it may not matter much if revealing metadata is included, unless the video call is audio only. This is because people can be easy to identify visually. Is a public figure of some sort involved? The game is already lost. If they\u2019re not normally a public facing persona, people could still find them via reverse image search or other matching tools. And if they can't, a well-known location, or a name-badge, could give them away. There are so many variables at work, only the participants may know for sure.\n\n### Hunting the leaker: does it matter?\n\nWhile the other concern of identifying the leaker is still important, your mileage may vary in terms of how useful it is, versus how much of an inadvertent threat it presents. It\u2019s possible the leaker may not care much if they're revealed. They may have used a fake identity, or even compromised a legitimate account in order to do the leaking. \n\nIt\u2019s also possible that someone with a grudge could leak something then pretend _they\u2019d_ been compromised. If this happened, would you have a way of being able to determine the truth of the matter? Or would you simply take their word for it?\n\n### Weighing up the risk\n\nAll good questions, and a valuable reminder to consider which videoconferencing tools you want to make use of. For some organisations and individuals, there\u2019s a valid use for the metadata dropped into the files. For others, it might be safer on balance to leave them out. It might even be worth using a [virtual background](<https://support.zoom.us/hc/en-us/articles/210707503-Virtual-Background>) instead of something which reveals personal information. It might be worth asking if you even need video at all, depending on sensitivity of call.\n\nThe choice, as always, is yours.\n\nThe post [Zoom watermarking: pros and cons](<https://blog.malwarebytes.com/privacy-2/2021/01/zoom-watermarking-pros-and-cons/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2021-01-20T19:13:42", "published": "2021-01-20T19:13:42", "id": "MALWAREBYTES:2682D205B659484CAC841491C84DB861", "href": "https://blog.malwarebytes.com/privacy-2/2021/01/zoom-watermarking-pros-and-cons/", "type": "malwarebytes", "title": "Zoom watermarking: pros and cons", "cvss": {"score": 0.0, "vector": "NONE"}}], "rst": [{"lastseen": "2020-11-04T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **sf-2007[.]official-org.com/c/p/tc/16679/82d85030-6f69-4347-b39f-112dfe3a3665-794cfec9-b20a-482f-a5d0-c900c7ebad13** in [RST Threat Feed](https://rstcloud.net/profeed) with score **18**.\n First seen: 2020-11-03T03:00:00, Last seen: 2020-11-04T03:00:00.\n IOC tags: **phishing**.\nIOC could be a **False Positive** (Resource unavailable).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-11-03T00:00:00", "id": "RST:23874BA4-9A49-3101-988B-19AB113FD5E0", "href": "", "published": "2020-11-05T00:00:00", "title": "RST Threat feed. IOC: sf-2007.official-org.com/c/p/tc/16679/82d85030-6f69-4347-b39f-112dfe3a3665-794cfec9-b20a-482f-a5d0-c900c7ebad13", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **188[.]127.224.179** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **36**.\n First seen: 2020-08-01T03:00:00, Last seen: 2020-08-28T03:00:00.\n IOC tags: **malware**.\nASN 56694: (First IP 188.127.224.0, Last IP 188.127.241.255).\nASN Name \"DHUB\" and Organisation \"\".\nASN hosts 16679 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-01T00:00:00", "id": "RST:E596D3FA-F76D-3544-B926-BF91E47473A4", "href": "", "published": "2020-08-29T00:00:00", "title": "RST Threat feed. IOC: 188.127.224.179", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **188[.]127.224.177** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **36**.\n First seen: 2020-08-01T03:00:00, Last seen: 2020-08-28T03:00:00.\n IOC tags: **malware**.\nASN 56694: (First IP 188.127.224.0, Last IP 188.127.241.255).\nASN Name \"DHUB\" and Organisation \"\".\nASN hosts 16679 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-01T00:00:00", "id": "RST:6D7458C5-9CE9-3E99-8B57-169127C4C64D", "href": "", "published": "2020-08-29T00:00:00", "title": "RST Threat feed. IOC: 188.127.224.177", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **188[.]127.224.197** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **36**.\n First seen: 2020-08-01T03:00:00, Last seen: 2020-08-28T03:00:00.\n IOC tags: **malware**.\nASN 56694: (First IP 188.127.224.0, Last IP 188.127.241.255).\nASN Name \"DHUB\" and Organisation \"\".\nASN hosts 16679 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-01T00:00:00", "id": "RST:3F2BA8CC-676E-3770-844B-6A0B5ADA4F09", "href": "", "published": "2020-08-29T00:00:00", "title": "RST Threat feed. IOC: 188.127.224.197", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-04T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **188[.]127.231.169** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **29**.\n First seen: 2020-06-27T03:00:00, Last seen: 2020-08-04T03:00:00.\n IOC tags: **generic**.\nASN 56694: (First IP 188.127.224.0, Last IP 188.127.241.255).\nASN Name \"DHUB\" and Organisation \"\".\nASN hosts 16679 domains.\nGEO IP information: City \"\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-06-27T00:00:00", "id": "RST:3430F874-2C7D-331A-9A39-545073DF5768", "href": "", "published": "2020-08-25T00:00:00", "title": "RST Threat feed. IOC: 188.127.231.169", "type": "rst", "cvss": {}}], "cve": [{"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T07:12:54", "description": "Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.", "edition": 8, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-09-21T20:15:00", "title": "CVE-2019-16679", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16679"], "modified": "2019-09-23T22:15:00", "cpe": [], "id": "CVE-2019-16679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16679", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:36:39", "description": "URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2017-12-12T14:29:00", "title": "CVE-2017-16679", "type": "cve", "cwe": ["CWE-601"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16679"], "modified": "2018-01-04T19:40:00", "cpe": ["cpe:/o:sap:sap_kernel:7.22ext", "cpe:/o:sap:sap_kernel:7.21ext", "cpe:/o:sap:sap_kernel:7.45", "cpe:/o:sap:sap_kernel:7.49", "cpe:/o:sap:sap_kernel:7.22", "cpe:/o:sap:sap_kernel:7.21", "cpe:/o:sap:sap_kernel:7.52"], "id": "CVE-2017-16679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16679", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:o:sap:sap_kernel:7.22:*:*:*:*:*:*:*", "cpe:2.3:o:sap:sap_kernel:7.21ext:*:*:*:*:*:*:*", "cpe:2.3:o:sap:sap_kernel:7.49:*:*:*:*:*:*:*", "cpe:2.3:o:sap:sap_kernel:7.52:*:*:*:*:*:*:*", "cpe:2.3:o:sap:sap_kernel:7.21:*:*:*:*:*:*:*", "cpe:2.3:o:sap:sap_kernel:7.22ext:*:*:*:*:*:*:*", "cpe:2.3:o:sap:sap_kernel:7.45:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2019-09-23T11:45:49", "description": "", "published": "2019-09-23T00:00:00", "type": "exploitdb", "title": "Gila CMS < 1.11.1 - Local File Inclusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16679"], "modified": "2019-09-23T00:00:00", "id": "EDB-ID:47407", "href": "https://www.exploit-db.com/exploits/47407", "sourceData": "# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS\r\n# Google Dork: N/A\r\n# Date: 04-08-2019\r\n# Exploit Author: Sainadh Jamalpur\r\n# Vendor Homepage: https://github.com/GilaCMS/gila\r\n# Software Link: https://github.com/GilaCMS/gila\r\n# Version: 1.10.9\r\n# Tested on: XAMPP version 3.2.2 in Windows 10 64bit,\r\n# CVE : CVE-2019-16679\r\n\r\n*********** *Steps to reproduce the Vulnerability* *************\r\n\r\nLogin into the application as an admin user or equivalent user and go the\r\nbelow link\r\n\r\nhttp://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts\r\n\r\n################################################################", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47407"}], "zdt": [{"lastseen": "2019-12-04T14:25:09", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2019-09-23T00:00:00", "title": "Gila CMS < 1.11.1 - Local File Inclusion Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16679"], "modified": "2019-09-23T00:00:00", "id": "1337DAY-ID-33271", "href": "https://0day.today/exploit/description/33271", "sourceData": "# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS\r\n# Google Dork: N/A\r\n# Exploit Author: Sainadh Jamalpur\r\n# Vendor Homepage: https://github.com/GilaCMS/gila\r\n# Software Link: https://github.com/GilaCMS/gila\r\n# Version: 1.10.9\r\n# Tested on: XAMPP version 3.2.2 in Windows 10 64bit,\r\n# CVE : CVE-2019-16679\r\n\r\n*********** *Steps to reproduce the Vulnerability* *************\r\n\r\nLogin into the application as an admin user or equivalent user and go the\r\nbelow link\r\n\r\nhttp://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts\r\n\r\n################################################################\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "sourceHref": "https://0day.today/exploit/33271"}], "packetstorm": [{"lastseen": "2019-09-24T06:46:41", "description": "", "published": "2019-09-23T00:00:00", "type": "packetstorm", "title": "Gila CMS Local File Inclusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16679"], "modified": "2019-09-23T00:00:00", "id": "PACKETSTORM:154578", "href": "https://packetstormsecurity.com/files/154578/Gila-CMS-Local-File-Inclusion.html", "sourceData": "`# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS \n# Google Dork: N/A \n# Date: 04-08-2019 \n# Exploit Author: Sainadh Jamalpur \n# Vendor Homepage: https://github.com/GilaCMS/gila \n# Software Link: https://github.com/GilaCMS/gila \n# Version: 1.10.9 \n# Tested on: XAMPP version 3.2.2 in Windows 10 64bit, \n# CVE : CVE-2019-16679 \n \n*********** *Steps to reproduce the Vulnerability* ************* \n \nLogin into the application as an admin user or equivalent user and go the \nbelow link \n \nhttp://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts \n \n################################################################ \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/154578/gilacms-lfi.txt"}], "exploitpack": [{"lastseen": "2020-04-01T20:40:01", "description": "\nGila CMS 1.11.1 - Local File Inclusion", "edition": 1, "published": "2019-09-23T00:00:00", "title": "Gila CMS 1.11.1 - Local File Inclusion", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16679"], "modified": "2019-09-23T00:00:00", "id": "EXPLOITPACK:6AF15532B326A6AA34B31F684757B409", "href": "", "sourceData": "# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS\n# Google Dork: N/A\n# Date: 04-08-2019\n# Exploit Author: Sainadh Jamalpur\n# Vendor Homepage: https://github.com/GilaCMS/gila\n# Software Link: https://github.com/GilaCMS/gila\n# Version: 1.10.9\n# Tested on: XAMPP version 3.2.2 in Windows 10 64bit,\n# CVE : CVE-2019-16679\n\n*********** *Steps to reproduce the Vulnerability* *************\n\nLogin into the application as an admin user or equivalent user and go the\nbelow link\n\nhttp://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts\n\n################################################################", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published:20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVunerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic links and hadlinks vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}