Valve fixes a bug which allowed hackers to access its users account

Valve’s Steam, an American video game development and digital distribution company headquartered in Bellevue, Washington, United States which has millions of accounts all over the world, has fixed a loophole which could allow an attacker easily take over an arbitrary account by using account's username.

According to a report published in Master Herald, a flaw in the Steam’s password recovery feature was the reason behind the exploitation. As per a demonstration in a video posted on YouTube, the feature sends a recovery code to the registered e-mail address linked with the account. The code needs to be entered on a form through the Steam website.

However, the attacker could skip that code entry step, leaving the recovery code area blank, and have full access to the password change dialog. Although, the company has fixed the loophole, the vulnerability had done a lot of damages many users’ account.

“Now, the users, who actively trade on the Steam Market, are worried as they think their accounts have been compromised.

However, it is said that the Valve hasn’t commented on the situation yet.

The company has urged its users to keep an eye on their e-mail accounts. If an e-mail related to password recovery is received, the user should definitely not ignore it, and proceed to verify that their account is still accessible.

It is important to note that the information contained in the e-mail itself is not necessary to carry out the attack.


“Receiving this e-mail is simply a sign that the user is being targeted with the attack. However, some have reported that even changing their password has been ineffective, as the hackers are able to simply keep resetting it over and over again, and there was no good way to stop them,” the report added.

Your life is in the hands of the hackers, they can remotely hijack your Jeep


Image Credits: Wired
When we think of a term ‘hacking’, computers, bank accounts and websites are the things which come in our mind. One can barely think of hacked vehicles. However, a recent case in which a car was hijacked by hackers has shown that the hackers have left nothing safe in our life.

According to a report published on Wired, zero-day exploit for Chrysler vehicles allow hackers to control everything from the engine to the air-conditioning over the Internet, overriding the driver at the dashboard.

It has been found out that the Uconnect software, which manages the vehicle’s entertainment and navigation systems, provides a Wi-Fi hotspot, and allows drivers to make phone calls. It is said that if anyone who knows the car's IP address can hijack the car.

In the report, Andy Greenberg, senior writer, explained that he signed up to be a guinea pig for security researchers Charlie Miller and Chris Valasek. He was strapped into a Jeep and directed to head onto the highway. From 10 miles away, Miller and Valasek proceeded to hack into his car's software, toggling the windshield wipers, blasting the radio, and, eventually, cutting the transmission.

“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun,” Greenberg said.

After that, the hackers successfully took over the jeep’s brakes as a result it went into a ditch.

“Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route,” he explained.

According to the news report, on Tuesday Senators Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) announced legislation that would ensure automobile companies to meet privacy measures to protect against cyber attacks.

In order to prevent the car hacking, Miller and Valasek reported about the flaw in the vehicles to the company concerned, months ago.

The Chrysler has come up with an updated version of the software however, the company has to manually download it and upgrade their cars through a USB drive.

United Airlines awards hackers millions of miles for reporting bugs

United Airlines  has awarded “millions of frequent flier miles” to hackers who have found out gaps in the carrier's web security, in a first for the U.S. airline industry, according to a report published on Reuters.

However, some tweets from those hackers have said that they have got small awards than the company had announced.  

“Well that answers that question. Found out which of my two bugs was worth a million because the other is apparently worth 250k,” one of the tweets posted by Jordan Wiens @psifertex.

It is also said that some terms of the agreement does not allow Wiens from disclosing the bug he had discovered.

On the other hand, the company concerned confirmed with Reuters that it has paid out two awards worth 1 million miles each, worth dozens of free domestic flights on the airline.

 "We believe that this program will further bolster our security and allow us to continue to provide excellent service," the United said on its website.

“It has hoped to trailblaze in the area of airline web security by offering "bug bounties" for uncovering cyber risks. Through the program, researchers flag problems before malicious hackers can exploit them. The cost can be less than hiring outside consultancies,” the news report read.

The Trade group Airlines for America said in a statement that all the United State carriers should conduct tests to make sure, if their systems are secure.

Beyond the Bug bounty program, the company also has tested systems internally and engaged cyber security firms to keep its websites secure.


Software bug affects cars, opens doors without warning

A software bug has been discovered by Land Rover in two of its cars. The issue is about a bug in the system that can unlock the doors of the car without warning to the driver.

The company will recall vehicles and do the necessary repairs without any charge to the customers.

The bug affects two models of Land Rover, the Range Rover and Range Rover Sport. 65,000 vehicles have been recalled due to this.

The company has placed ads in newspapers and is contacting the owners to call them in for the recall.

Disable Java in your browsers, if installed as researchers spotted new Java based Zero-day Exploit


Researchers from Trend Micro have found out suspicious URLs that hosted a newly discovered Zero-day exploit, which refers to a hole in software that is exploited by hackers before the vendor becomes aware of it, in Java.

Brooks Li, a threat analyst and Feike Hacquebord, a senior threat researcher, who spotted this exploit, said that this was the first time in nearly two years that a new Java zero-day vulnerability was reported.

The researchers came to know about this exploit after receiving a feedback in their  Smart Protection Network.

According to the report, this new zero-day Java Exploit is being used in spear-phishing attacks targeting a certain forces of NATO country and a US Defence Organization
This zero-day bug affects only the latest Java version 1.8.0.45 not the older versions, Java 1.6 and 1.7.
The vulnerability is still not patched by the company concerned.

According to the report, the URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and White House last April 2015.

The researchers have asked the users to disable Java in browsers if installed due to an application.

Update Your Flash Player or Remove from Plugins

(PC- Google images)
Adobe has issued another update for Flash Player to patch a critical vulnerability which has been revealed in documents disclosed from the spyware maker Hacking Team.

The Adobe Flash update patches 36-CVE listed flaws including the Hacking Team’s CVE-2015-5119 bug in which a malicious flash file, can run malware on a user’s computer. The other 35 security flaws allow hackers to create remote-coded execution attacks on vulnerable computers.

Users of Windows, Linux, and OS X were advised to updated to the latest version of Adobe Flash. The update is considered essential for both OS X and Windows users.

The alternative to this is uninstalling Adobe Flash or disabling the plugin. You can also set your web browser to run Flash files only if you right-click on them and select “run this plugin.”

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These update address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published”, Adobe quoted in its security Bulletin.

Adobe’s Security Bulletin https://helpx.adobe.com/security/products/flash-player/apsb15-16.html#table gives the security updates for the Adobe Flash Player.

Trend Micro discovers vulnerability in Android debugger "Debuggerd"


Trend Micro has found a new vulnerability that exists in phones running Android IceCream Sandwich to Lollipop.

The vulnerability in the debugging program of Android, Debuggered, allows a hacker to view the device's memory and the data stored on it.

You can create a special ELF (Executable and Linkable Format) file to crash the debugger and then you can view the dumps and log files of content stored on the memory.

The glitch in itself is not a big threat but the type of data it can give a hacker access to can lead to a difficult situation.

Google is said to be working on a fix in the next version of Android for this.

Vulnerability found in Apple devices that puts your password at risk

A group of security researchers have come forward with startling news that passwords and other data on your Apple devices might not be safe. The group has published their findings in a paper where they explain how Apple's devices could be hacked.

The paper explains that the way Apple writes its code to communicate between devices, they were able to hack in to the system by uploading an app with malware onto the Apple Store.

The app in turn downloaded secure data, that should not be accessible to anyone, to the hacker. The confidential data that the app was able to steal included passwords of bank accounts, emails and iCloud.

The team's lead researcher said that his team was able to gain unauthorized access to other applications on a Apple device.

The devices affected by this problem are the iPhone, iPad and Mac.

Researcher discloses a flaw in Samsung Keyboard leaves 600m Android devices vulnerable to hacking attack

A flaw has been disclosed by a security researcher in Samsung's Android, including the recently released Galaxy S6, keyboard installed on over 600 million Samsung mobile device users that could allow hackers to take full control over the smartphones or tablet.

Ryan Welton, a mobile security researcher at NowSecure, who discovered the vulnerability, wrote in the blog, “A remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited.”

Researcher said that the vulnerability was discovered last year. Samsung was notified in December 2014. However, Samsung asked NowSecure not to disclose the flaw until it could fix the problem.

NowSecure also notified CERT who assigned CVE-2015-2865, and also informed the Google Android security team.

 The researcher pointed out the flaw could attacker to do:

-         - Access sensors and resources like GPS, camera and microphone.
-         -  Secretly install malicious app(s) without the user knowing.
-          - Tamper with how other apps work or how the phone works.
-          - Eavesdrop on incoming/outgoing messages or voice calls.
-          - Attempt to access sensitive personal data like pictures and text messages.

According to the researcher, the defected keyboard application can’t be uninstalled. Similarly, it is not easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update.

“However, in order to reduce the risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing,” the researcher added.

Zomato fixed a Security bug that allowed hackers to access Personal data of 62 Million users


Zomato, an online restaurant search and discovery service providing information on home delivery, dining-out, caf├ęs and nightlife to various cities across India and 21 other countries, has fixed a bug which could allow an attacker to gain access to personal information of million users.

Anand Prakash, discovered Insecure Direct Object Reference(IDOR) vulnerability in the Zomato website.

IDOR occurs when an application provides direct access to objects based on user-supplied input. The vulnerability allows the attackers to bypass authorization and access resources in the system directly by modifying the value of a parameter used to directly point to an object, for example database records or files.

One of the API calls used for retrieving the users information is insecurely coded.  It gets the information only based on the "browser_id" parameter passed in a HTTP GET request and fails to verify the user is authorized to access the requested data.

By sequentially changing the 'browser_id' value, an attacker is able to access the users' personal information, such as Names, Email addresses, phone numbers, Date of birth.

"The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users,” Prakash wrote in his blog.

Prakash reported the vulnerability to Deepinder Goyal, CEO of Zomato, On June 1. And the next day (June 2), the flaw was fixed by Gunjan Patidar along with his engineering team.

You can also check the Proof of concept Video:


Privacy bug found in Gaana.com allows hackers to access your details


A Privacy bug was found in the largest Indian online music streaming service Gaana website, which allowed access to private details of users including the date of birth.

A Security researcher Avinash, found an Insecure direct object reference vulnerability, and reported it to the Gaana.com. Gaana.com fixed the bugs after three weeks.

Avinash said a bug in an Internal API gave him access to 11 Million records.  A simple HTTP Get request with the corresponding User ID is enough to get their details.

The researcher said he was able to access full name, profile picture, email address, date of birth and last song they listened on Gaana. 

In his blog post, he wrote “ On 12th of May I had discovered a vulnerability on Gaana.com. I contacted their team and it was fixed recently.”

When EHN contacted the author about why the original article has been removed from the blog by the author. He replied that "he removed it after getting a request from Gaana.com."

You can find the cached version of the Blog post in Google Cache

Emerson fixes SQL injection bug in AMS Device Manager


Emerson Process Management has released a patch for SQL Injection vulnerability in its AMS Device Manager application.

Emerson AMS Device Manager is a software used worldwide primarily in the oil and gas and chemical industries.

The Advisory (ICSA-15-111-01) released on the ICS-CERT website quoted that the vulnerability is not exploitable remotely and cannot be exploited without user interaction. It also stated that an attacker’s access to the vulnerability is of medium difficulty level.

"Successful attack results in administrative access to the application and its data files but not to the underlying computer system." The advisory reads.

The vulnerability affects AMS Device Manager, V12.5 and earlier.


Emerson advises the users of this application to take some steps to avoid exploitation to this vulnerability.

For AMS Device Manager application v12.5; it suggests the users to apply a patch, upgrade to v13, or apply the workaround below. For the earlier versions, the software can be configured by adding another user with full administrative privileges and making the default administrative user have read-only privileges.

ICS-CERT also recommends the users to limit user privileges on ICS running software machines, reduce network exposure for all control system device, locate control system networks and remote devices behind firewalls, and isolate them from the business network.

Security and Privacy flaw in UC Browser leaks personally identifiable information


A visual summary of privacy and security issues presented by UC Browser. PC: Citizen Lab
A report has shown that a security and privacy flaw in a popular mobile web browser in India and China - Transmits users' personal and other information without encryption.

The report titled “A Chatty Squirrel: An Analysis of Privacy and Security Issues with UC Browser” has revealed that Chinese and English-language versions of UC Browser for Android, a mobile web browser which is owned by a China-based company Alibaba.com, allows any network operator or in-path actor on the network to get the user’s personally identifiable information like location, search details and mobile subscriber and device ids.

The application is using symmetric AES/CBC encryption for sending device IDs,location data, Wi-Fi Mac Address, SSID and other information rather than encryption. The key 'autonavi_amaploc' used for the encryption is Hard-coded in the application.

"The use of symmetric encryption with a hard-coded key means that anyone who knows the key can decrypt UC Browser (Chinese) traffic in transit. Moreover, key holders can also retroactively decrypt any historical data that they have collected or obtained." The report reads.

Personal identifiers like IMEI, IMSI, android id, build serial number is being transferred to Umeng (a mobile analytics service) in an unecrypted form.

The transmission of unencrypted search engine queries enables third parties to monitor searches. Sensitive personal information can be inferred from search results including health conditions like pregnancy, disease, mental and psychological conditions, marital relations, and medical information. Third parties can use it to develop, use, and sell user profiles and by corporate or government agents to modify or prevent access to certain search results.

“We informed our findings to Alibab on April 15, 2015 and we would publish this report on or after April 29, 2015. The company responded on April 19, 2015, indicating that Alibaba security engineers were investigating the issue. We followed up on April 23, 2015 to reiterate our intention to publish this report on or after April 29, 2015,” the report said.

The report added that on May 19, 2015 they tested version 10.4.1-576 of the Chinese language version of UC Browser, which was downloaded from the uc.cn website. However, the version does not appear to send location data insecurely to AMAP.

Security Explorations reveals several vulnerabilities in Google App Engine


Security Explorations, a Poland-based security firm, on May 15 disclosed technical details and Proof of Concept (PoC) codes for unconfirmed and unpatched vulnerabilities presence in Google App Engine for Java.

In October 2012, the company started its research on Google App Engine for Java however it could not continue it. Then, in October 2014, it resumed the project.

The company confirmed more than 30 vulnerabilities in December.

According to a report published on SecurityWeek, it had identified and reported a total of 41 issues to the authority concerned, but the Google said it internally fixed those flaws.

“That does not speak well about Google GAE engineers and their Java security skills in particular,” Adam Gowdiak, founder and CEO of Security Explorations, told SecurityWeek.

Till the date, Google has confirmed a total of 36 vulnerabilities. However, the Security Explorations confirmed that a few of them were still left unpatched.

Although, in Mid-March Security Exploration revealed 31 flaws which were later fixed by Google, Gowdiak, wrote in a mail that there are seven different vulnerabilities still exist in the Google service which he briefly discussed in his mail.

He said that the flaws have been reported to Google three weeks ago. However, he has not received confirmation from the Google officials. Nor, the authority concerned has not fixed any of them.

"It has been three weeks and we haven't heard any official confirmation or denial from Google with respect to Issues 37-41," Gowdiak wrote. "It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code.”

He added that it is easy to exploit the flaws by attackers. They could use the freely available cloud platform to run a malicious Java application. The app would then break out of the first sandboxing layer and execute code in the highly restricted native environment.

The hackers could use the restricted environment to attack lower-level assets and to retrieve sensitive information from Google servers.

Google had decided to award Security Explorations with $70,000 for disclosing the vulnerabilities. The total amount of $50,000 was already paid to the company on March 20.

Gowdiak said that now, Google might not give them remaining $20,000 as they have disclosed the unpatched and unconfirmed vulnerabilities. However, the company believes that rewards cannot influence the way a vulnerability handling/disclosure of a security research is made.


“We need to treat all vendors equal. In the past, unconfirmed, denied or silently fixed issues were the subject to an immediate release by us,” he said.

Venom Vulnerability allows hackers to escape from VM and hack Host Machine

 
CrowdStrike’s senior security researcher Jason Geffner disclosed the vulnerability in the virtual Floppy Drive Code used by many computer virtualization platforms.

Vulnerability VENOM, CVE-2015-3456, attacker can easily escape from the confines of virtual machine guest and exploit the code-execution access to the host. This may result in  elevated access to the host’s local network and adjacent systems.

By exploiting  the VENOM vulnerability one can get access to corporate intellectual property (IP), sensitive and personally identifiable information (PII), which will potentially affect thousands of organizations and millions of end user’s connectivity, storage, security, and privacy.

According to the researcher, the bug is in QEMU’s virtual Floppy Disk Controller (FDC), notably used in  Xen, KVM, and the native QEMU client. Whereas VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.

“The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase“ wrote Jason Geffner in his blog post.

Cisco releases software updates to address serious flaws in TelePresence products

Cisco has released software updates to address several vulnerabilities that have been identified in its TelePresence products, which can be exploited by hackers to compromise a vulnerable system.

It has also urged its customers to update their TelePresence software. Similarly, they are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Cisco said in an advisory published on May 13 that the workarounds that mitigate the vulnerabilities, which have been identified by during its internal tests and product security reviews, are not available.

“The vulnerability in the web framework of multiple Cisco TelePresence products could allow an authenticated or remote attacker to inject arbitrary commands that are executed with the privileges of the root user,” Cisco said in its advisory.

“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page."

"Administrative privileges are required in order to access the affected parameter. A successful exploit could allow an attacker to execute system commands with the privileges of the root user,” the advisory added.

Cisco said that although, this is a serious vulnerability with a CVSS score of 9.0, it hasn’t found evidence that shows flaw has been leveraged for malicious purposes.

PHP Object Injection Vulnerability in Bomgar Remote Support Portal

A security vulnerability has been found in the Bomgar Remote Support Portal version 14.3.1 and earlier versions, which is the part of Bomgar's appliance-based remote support software,  deserialize untrusted data without verifying the validity of the resulting data.

The data can be exploited by both authenticated as well as unauthenticated attackers.

An unauthenticated attacker can inject arbitrary input at one point in vulnerable PHP file, while authenticated attacker can inject at multiple points.

To exploit this vulnerability, the attacker has to find the appropriate classes with beneficial  effects,  if there is no classes with beneficial effects, it is not exploitable.

"One way to exploit this vulnerability is by utilizing the Tracer class. It is used to write stack trace information to a log using a Logger instance, which wraps an instance of PEAR's Log class. By using a Log_file instance as an instance of Log, it is possible to write the arbitrary data to the arbitrary file." The researcher wrote in his blog post.

Update your Wordpress, Prevent Your website from Being Hacked

WordPress has come up with its 4.2.2 version in order to increase its users security. It has also urged people to update their sites immediately.

Samuel Sidler, researcher at WordPress.org, wrote that the new version is aimed to address two security issues.

The first one is the Genericons icon font package, used in themes and plugins, which contained an HTML file vulnerable to a cross-site scripting attack. 

On May 7 all affected themes and plugins including twenty fifteen default theme have been updated by the WordPress security team after a DOM-based Cross-Site Scripting (XSS) vulnerability was discovered.

Security researchers from Sucuri warned that the vulnerability is being exploited in the wild days before disclosure.

Robert Abela of Netsparker reported that in a bid to protect other Genericons usage, WordPress 4.2.2 scans the wp-content directory for this HTML file and removes it.

Secondly, WordPress versions 4.2 and previous versions are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. So, WordPress 4.2.2 includes a comprehensive fix for this issue according to a separate report by Rice Adu and Tong Shi.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2.

People just have to download WordPress 4.2.2 or venture over to Dashboard. Then click “Update Now” button. 

Sites that support automatic background updates have begun to update to WordPress 4.2.2.

Major vulnerability in medical equipment poses security risk


The Internet enabled PCA3 drug infusion pump manufactured by Hospira suffers from authorization vulnerabilities that can allow unauthenticated users to remotely access and modify pump configurations, drug libraries and software updates.

The Hospira Life care infusion pump, version 5.0 and prior runs "SW ver 412". It does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23. By attaching any device to the pump via Ethernet, one can easily extract the wireless encryption keys stored in plain text on the device and thus gain access to the keys Life critical network.

The attacker can then impact the pump configurations or medical libraries by conducting firmware updates, command execution, and drug library updates.  However, Hospira maintained that the Operation of the Life Care PCA Infusion pump required the physical presence of a clinician to manually program the dosage into the pump for administration.

Even if credentials are implemented on the Telnet port there are still web services which allow a remote attacker to carry out the remote modifications. Even if that was made secure there are additional services like FTP that are open with hard coded accounts. 

Billy Rios, the independent researcher who discovered these vulnerabilities has been co-ordinating with Hospira since May 2014. A new version has been developed by Hospira which mitigates these vulnerabilities and is under U.S. Food and Drug Administration (FDA) review.

In defense, ICS-CERT  has advised organizations to ensure closure of unused ports, use of VPN, detaching of the pump from insecure networks and use of good design practices with network segmentation.

Impact of the vulnerability varies depending on each organization, so individual organizations need to evaluate and secure themselves based on their operational environment.

Multiple vulnerabilities in TheCartPress WordPress plugin

Multiple vulnerabilities has been discovered in TheCartPress WordPress plugin by the High-Tech Bridge Security Research Lab.

The vulnerabilities can be exploited to execute arbitrary PHP code, disclose sensitive data, improper access control, and to perform Cross-Site Scripting attacks against users.

To exploit the local PHP File Inclusion vulnerability, an attacker needs to have administrator privileges on WordPress installation. PHP does not properly verify the URL before being used in  ‘include()’ function , and can be abused to include arbitrary local files via directory traversal sequences.

HTTP POST parameters are supplied by many users during the checkout process. These parameters are not being sanitized before being stored in the local database.  Which can be easily exploited by a non-authenticated attacker, they  may inject malicious HTML and JS code that will be stored in the application database, and made available to any non-authenticated user on the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_or der

Due to broken authentication mechanism any non-authenticated user may browse orders of other users. They easily predict the order ID, enables them to steal all currently-existing orders.

The vulnerability can be reproduced by opening the  following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

And full details of the orders can be viewed by opening the following URL
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_or der

Inputs  can be passed via the "search_by", "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email", "post_id" and "rel_type", and "post_type"  GET parameter. These are not properly verified before being returned to the user. An attacker can logged-in as  administrator to open a link, and execute arbitrary HTML and script code in browser in context of the vulnerable website.