sql injection | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. The activity entails the exploitation of  CVE-2023-48788  (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. Cybersecurity firm Forescout is  tracking  the campaign under the codename  Connect:fun  owing to the use of ScreenConnect and Powerfun for post-exploitation. The intrusion, which targeted an unnamed media company that had its vulnerable FortiClient EMS device exposed to the internet, took place shortly after the  release  of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024. Over the next couple of days, the unknown adversary was observed leveraging the flaw to unsuccessfully download ScreenConnect and then install the remote desktop s

A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes. The flaw, designated as  CVE-2024-2879 , carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0. The issue has been addressed in version 7.10.1 released on March 27, 2024, following responsible disclosure on March 25. "This update includes important security fixes," the maintainers of LayerSlider  said  in their release notes. LayerSlider is a visual web content editor, a graphic design software, and a digital visual effects that allows users to create animations and rich content for their websites. According to its own site, the plugin is  used  by "millions of users worldwide." The flaw discovered in the tool stems from a case of insufficient escaping of user supplied parameters and the absence of  wpdb::pr

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  placed  three security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerabilities added are as follows - CVE-2023-48788  (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability CVE-2021-44529  (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability CVE-2019-7256  (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability The shortcoming impacting Fortinet FortiClient EMS  came to light  earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available. CVE-20

Atlassian has released patches for  more than two dozen security flaws , including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction. Tracked as  CVE-2024-1597 , the vulnerability carries a CVSS score of 10.0, indicating maximum severity. Described as an SQL injection flaw, it's rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it "presents a lower assessed risk" despite the criticality. "This org.postgresql:postgresql dependency vulnerability [...] could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction," Atlassian  said . According to a  description  of the flaw in the NIST's National Vulnerability Database (NVD), "pgjdbc, the PostgreSQL JDBC Driver, allows attac

Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems. "An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests," the company  said  in an advisory. The vulnerability, tracked as CVE-2023-48788, carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions - FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above) FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above) Horizon3.ai, which  plans  to release additional technical details and a proof-of-concept (PoC) exploit next week, said the shortcoming could be exploited to obtain remote code execution as SYSTEM on the server. Fortinet has credited Thiago Santana from the Forticlient

A critical security flaw has been disclosed in a popular WordPress plugin called  Ultimate Member  that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw. In an advisory published last week, WordPress security company Wordfence  said  the plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query." As a result, unauthenticated attackers could take advantage of the flaw to append additional SQL queries into already existing queries and extract sensitive data from the database. It's worth noting that the issue only affects users who have checked the "Enable custom table for usermeta" option in the plugin settings.

Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as  ResumeLooters  since early 2023 with the goal of stealing sensitive data. Singapore-headquartered Group-IB said the hacking crew's activities are geared towards job search platforms and the theft of resumes, with as many as 65 websites compromised between November 2023 and December 2023. The stolen files are estimated to contain 2,188,444 user data records, of which 510,259 have been taken from job search websites. Over two million unique email addresses are present within the dataset. "By using SQL injection attacks against websites, the threat actor attempts to steal user databases that may include names, phone numbers, emails, and DoBs, as well as information about job seekers' experience, employment history, and other sensitive personal data," security researcher Nikita Rostovcev  said  in a report sh

Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers. Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5. "If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti  said  in an advisory. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server." The disclosure arrived weeks after the company  resolved  nearly two dozen security flaws in its Avalanche enterprise mobile device management (MDM) solution. Of the 21 issues, 13 are rated critical (CVSS scores: 9.8

Web Application Security consists of a myriad of security controls that ensure that a web application: Functions as expected. Cannot be exploited to operate out of bounds. Cannot initiate operations that it is not supposed to do. Web Applications have become ubiquitous after the expansion of Web 2.0, which Social Media Platforms, E-Commerce websites, and email clients saturating the internet spaces in recent years.  As the applications consume and store even more sensitive and comprehensive data, they become an ever more appealing target for attackers.  Common Attack Methods The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control.  Injections  SQL is the most common Database software that is used, and hosts a plethora of payment data, PII data, and internal business records. A SQ

A previously unknown hacker outfit called  GambleForce  has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023. "GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials," Singapore-headquartered Group-IB  said  in a report shared with The Hacker News. The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful. The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch , sqlmap , tinyproxy , and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive

A coordinated law enforcement operation has led to the arrest of key individuals in Ukraine who are alleged to be a part of several ransomware schemes. "On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, resulting in the arrest of the 32-year-old ringleader," Europol  said  in a statement today. "Four of the ringleader's most active accomplices were also detained." The  development  comes more than two years after  12 people were apprehended  in connection with the same operation. The individuals are primarily linked to LockerGoga, MegaCortex, and Dharma ransomware families. The suspects are estimated to have targeted over 1,800 victims across 71 countries since 2019. They have also been accused of deploying the now-defunct  Hive ransomware  against high-profile organizations. Some of the co-conspirators are believed to be involved in penetrating IT networks by orchestrating brute-force attacks, SQL injectio

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August. The agency on Monday  added  five vulnerabilities to the Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation - CVE-2023-36844  (CVSS score: 5.3) - Juniper Junos OS EX Series PHP External Variable Modification Vulnerability CVE-2023-36845  (CVSS score: 5.3) - Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability CVE-2023-36846  (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability CVE-2023-36847  (CVSS score: 5.3) - Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability CVE-2023-36851  (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical

Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities. The identified SQL injection vulnerability, tagged as CVE-2023-36934 , could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database. SQL injection vulnerabilities are a well-known and dangerous security flaw that allows attackers to manipulate databases and run any code they want. Attackers can send specifically designed payloads to certain endpoints of the affected application, which could change or expose sensitive data in the database. The reason CVE-2023-36934 is so critical is that it can be exploited without having to be logged in. This means that even attackers without valid credentials can potentially exploit the vulnerability. However, as of now, there have been no reports of

MITRE has released its annual list of the Top 25 "most dangerous software weaknesses" for the year 2023. "These weaknesses lead to serious vulnerabilities in software," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said . "An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working." The  list  is based on an  analysis  of public vulnerability data in the National Vulnerability Data ( NVD ) for root cause mappings to CWE weaknesses for the previous two years. A total of 43,996 CVE entries were examined and a score was attached to each of them based on prevalence and severity. Coming out top is Out-of-bounds Write, followed by Cross-site Scripting, SQL Injection, Use After Free, OS Command Injection, Improper Input Validation, Out-of-bounds Read, Path Traversal, Cross-Site Request Forgery (CSRF), and Unrestricted Upload of File with Dangerous Type. Out-of

Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements," SonarSource researcher Thomas Chauchefoin  said , adding they could result in RCE on Soko because of a "misconfiguration of the database." The  two   issues , which were discovered in the search feature of Soko, have been collectively tracked as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023. Soko is a Go software module that powers  packages.gentoo.org , offering users an easy way to search through different Portage packages that are available for Gentoo Linux distribution. But the shortcomings identified in the service meant that it could have been possible for a malicious actor to  inject specially crafted code , resulting in the expo

Cybersecurity researchers have disclosed details of now-patched flaws in Zendesk Explore that could have been exploited by an attacker to gain unauthorized access to information from customer accounts that have the feature turned on. "Before it was patched, the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts with Explore enabled," Varonis  said  in a report shared with The Hacker News. The cybersecurity firm said there was no evidence to suggest that the issues were actively exploited in real-world attacks. No action is required on the part of the customers. Zendesk Explore is a  reporting and analytics solution  that allows organizations to "view and analyze key information about your customers, and your support resources." According to the security software company, exploitation of the shortcoming first requires an attacker to register for the  ticketing service  

Network security company SonicWall on Friday rolled out fixes to mitigate a critical SQL injection (SQLi) vulnerability affecting its Analytics On-Prem and Global Management System (GMS) products. The vulnerability, tracked as  CVE-2022-22280 , is rated 9.4 for severity on the CVSS scoring system and stems from what the company describes is an "improper neutralization of special elements" used in an SQL command that could lead to an unauthenticated SQL injection. "Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data," MITRE  notes  in its description of SQL injection. "This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands." H4lo and Catalpa of DBappSecurity HAT Lab have been credited with discov

Cybersecurity researchers on Monday tied a  string of attacks  targeting Accellion File Transfer Appliance (FTA) servers over the past two months to data theft and extortion campaign orchestrated by a cybercrime group called UNC2546 . The attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang. But in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms. According to  Risky Business , some of the companies that have had their data listed on the site include Singapore's telecom provider  SingTel , the American Bureau of Shipping, law firm 

If your online e-commerce business is running over the Magento platform, you must pay attention to this information. Magento yesterday released new versions of its content management software to address a total of 37 newly-discovered security vulnerabilities. Owned by Adobe since mid-2018, Magento is one of the most popular content management system (CMS) platform that powers 28% of websites across the Internet with more than 250,000 merchants using the open source e-commerce platform. Though most of the reported issues could only be exploited by authenticated users, one of the most severe flaws in Magento is an SQL Injection vulnerability which can be exploited by unauthenticated, remote attackers. The flaw, which does not have a CVE ID but internally labeled "PRODSECBUG-2198," could allow remote hackers to steal sensitive information from the databases of vulnerable e-commerce websites, including admin sessions or password hashes that could grant hackers access