@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 47

December 5, 2024 – Vol. 24, Num. 47

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Credential Guard and Kerberos delegation
Published: 2024-12-02.
Last Updated: 2024-12-02 08:47:36 UTC
by Bojan Zdrnja (Version: 1)

The vast majority of red team exercises that I (and my team, of course) have been doing lately are assumed breach scenarios. In an assumed breach scenario (and we cover this in the amazing SEC565: Red Team Operations and Adversary Emulation SANS course that I also teach!), the red team is usually given access as a non-privileged domain user, simulating an attacker that has already established a first foothold in the organization.

This works quite well, as we know that eventually the attacker will succeed and perhaps get a victim (most of the time through some kind of social engineering) to execute their binary. So the first part of such an engagement is to create a malicious binary (an implant) that will evade the security controls in the target organization. Most red teams will have specialists for this.

The next step includes delivery of the implant and its execution in the context of a regular, non-privileged domain user, on the workstation designated for the red team exercise. And if everything works well, we’ll get that beacon communicating with our front-end servers.

What now? While there are many things we do next, such as getting some awareness of the organization, setting up persistence, and trying to move laterally, there are cases when we would like to fetch the user’s password, or their TGT (Ticket Granting Ticket) for Kerberos. Some actions will not need this, as we can use the built-in Windows authentication of the process our beacon is running under, but if we want, for example, to start a SOCKS proxy and tunnel some tools from our office, we will need to authenticate to target services, and for that we will need either the user’s password, their password hash, or their TGT. How do we get one through our implant, considering that we do not have local administrator privileges yet? …

Read the full entry: https://isc.sans.edu/diary/Credential+Guard+and+Kerberos+delegation/3148/

The strange case of disappearing Russian servers
Published: 2024-11-25.
Last Updated: 2024-11-25 13:34:45 UTC
by Jan Kopriva (Version: 1)

A few months ago, I noticed that something strange was happening with the number of servers seen by Shodan in Russia…

In order to identify any unusual changes on the internet that might be worth a closer look, I put together a simple script a few years ago. It periodically goes over data gathered from the Shodan search engine by my TriOp tool and looks for significant changes in the number of public IP addresses with various services enabled on them. This script alerts me any time there seems to be something unusual – e.g., if Shodan detects more than a 10 % increase in the number of HTTPS servers during the course of a week, or if there is more than a 20 % decrease in the number of e-mail servers in a specific country in the course of a month.

Around the beginning of August, the script started alerting me to a decrease in the number of basically all types of servers that Shodan detected in Russia.

Since internet-wide scanning and service identification that is performed by Shodan, Censys and similar search engines, is hardly an exact science, the number of systems that they detect can oscillate significantly in the short term, and a single alert by my script therefore seldom means that a real change is occurring. Nevertheless, the alerts kept coming for multiple days and weeks in a row, and so I decided to take a closer look at the underlying data… And, indeed, from the point of view of Shodan, it looked as if significant portions of the Russian internet were disappearing.

My theory was that it might have been caused by the introduction of some new functionality into the internet filtering technology that Russia uses to censor internet traffic and block access to various external services, which started interfering with Shodan probes. And while I still believe that this might be the case, looking at the data now, when the number of Russian servers has been more or less stable for about 6 weeks, it seems that the cause of the decrease was at least partially different …

Read the full entry: https://isc.sans.edu/diary/The+strange+case+of+disappearing+Russian+servers/31476/

OTHER INTERNET STORM CENTER ENTRIES
Data Analysis: The Unsung Hero of Cybersecurity Expertise [Guest Diary] (2024.12.04)
https://isc.sans.edu/diary/Data+Analysis+The+Unsung+Hero+of+Cybersecurity+Expertise+Guest+Diary/31494/

Extracting Files Embedded Inside Word Documents (2024.12.03)
https://isc.sans.edu/diary/Extracting+Files+Embedded+Inside+Word+Documents/31486/

From a Regular Infostealer to its Obfuscated Version (2024.11.30)
https://isc.sans.edu/diary/From+a+Regular+Infostealer+to+its+Obfuscated+Version/31484/

Quickie: Mass BASE64 Decoding (2024.11.29)
https://isc.sans.edu/diary/Quickie+Mass+BASE64+Decoding/31470/

SANS ISC Internship Setup: AWS DShield Sensor + DShield SIEM [Guest Diary] (2024.11.26)
https://isc.sans.edu/diary/SANS+ISC+Internship+Setup+AWS+DShield+Sensor+DShield+SIEM+Guest+Diary/31480/

[Guest Diary] Using Zeek, Snort, and Grafana to Detect Crypto Mining Malware (2024.11.26)
https://isc.sans.edu/diary/Guest+Diary+Using+Zeek+Snort+and+Grafana+to+Detect+Crypto+Mining+Malware/31472/

Quick & Dirty Obfuscated JavaScript Analysis (2024.11.24)
https://isc.sans.edu/diary/Quick+Dirty+Obfuscated+JavaScript+Analysis/31468/

Decrypting a PDF With a User Password (2024.11.23)
https://isc.sans.edu/diary/Decrypting+a+PDF+With+a+User+Password/31466

Wireshark 4.4.2 Released (2024.11.23)
https://isc.sans.edu/diary/Wireshark+442+Released/31460/

An Infostealer Searching for BIP0039 Data (2024.11.22)
https://isc.sans.edu/diary/An+Infostealer+Searching+for+BIP0039+Data/31464/

Increase In Phishing SVG Attachments (2024.11.21)
https://isc.sans.edu/diary/Increase+In+Phishing+SVG+Attachments/31456/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-49039 – Windows Task Scheduler Elevation of Privilege Vulnerability
Product: Microsoft Windows Task Scheduler
CVSS Score: 0
** KEV since 2024-11-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49039
ISC Podcast: https://isc.sans.edu/podcastdetail/9240

CVE-2024-11680 – ProjectSend versions prior to r1720 have an improper authentication vulnerability that can be exploited by remote attackers to make unauthorized modifications to the application’s configuration, create accounts, upload webshells, and embed malicious JavaScript.
Product: ProjectSend
CVSS Score: 9.8
** KEV since 2024-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11680
NVD References:
– https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
– https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
– https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
– https://vulncheck.com/advisories/projectsend-bypass
– https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf

CVE-2023-45727 – Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier are vulnerable to remote XML External Entity (XXE) attacks, allowing an unauthenticated attacker to read arbitrary server files containing sensitive account information.
Product: Northgrid Proself
CVSS Score: 0
** KEV since 2024-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45727

CVE-2024-11667 – Zyxel ATP, USG FLEX, and USG20(W)-VPN series firmware versions are vulnerable to directory traversal allowing attackers to download/upload files via a crafted URL.
Product: Zyxel ATP series
CVSS Score: 7.5
** KEV since 2024-12-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11667
NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024

CVE-2024-49803 – IBM Security Verify Access Appliance 10.0.0 through 10.0.8 allows remote authenticated attackers to execute arbitrary commands via a specially crafted request.
Product: IBM Security Verify Access Appliance
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49803
ISC Podcast: https://isc.sans.edu/podcastdetail/9238
NVD References: https://www.ibm.com/support/pages/node/7177447

CVE-2024-49805 & CVE-2024-49806 – IBM Security Verify Access Appliance 10.0.0 through 10.0.8 has hard-coded credentials that can be exploited for authentication and data encryption.
Product: IBM Security Verify Access Appliance
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49805
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49806
ISC Podcast: https://isc.sans.edu/podcastdetail/9238
NVD References: https://www.ibm.com/support/pages/node/7177447

CVE-2024-49804 – IBM Security Verify Access Appliance versions 10.0.0 through 10.0.8 allow a locally authenticated non-administrative user to escalate privileges through unnecessary permissions.
Product: IBM Security Verify Access Appliance
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49804
ISC Podcast: https://isc.sans.edu/podcastdetail/9238
NVD References: https://www.ibm.com/support/pages/node/7177447

CVE-2024-52787 – Libre-chat v0.0.6 is vulnerable to path traversal attacks through the upload_documents method when a malicious filename is supplied in an uploaded file.
Product: libre-chat
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52787
NVD References:
– https://gist.github.com/jxfzzzt/276a6e8cfbc54d2c2711bb51d8d3dff3
– https://github.com/vemonet/libre-chat/commit/dbb8e3400e5258112179783d74c9cc54310cb72b
– https://github.com/vemonet/libre-chat/issues/10
– https://github.com/vemonet/libre-chat/pull/9

CVE-2024-50672 – Adapt Learning Adapt Authoring Tool <= 0.11.3 is vulnerable to a NoSQL injection that allows unauthenticated attackers to reset passwords and take over the administrator account, potentially leading to remote code execution on the server.
Product: Adapt Learning Adapt Authoring Tool
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50672
NVD References:
– https://github.com/adaptlearning/adapt_authoring
– https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2024-50672

CVE-2024-28038 – Canon imageRUNNER ADVANCE’s web interface processes a cookie value improperly, leading to a stack buffer overflow when an overly long character string is given to the MFPSESSIONID parameter.
Product: Canon imageRUNNER ADVANCE
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28038
NVD References:
– https://global.sharp/products/copier/info/info_security_2024-05.html
– https://jp.sharp/business/print/information/info_security_2024-05.html
– https://jvn.jp/en/vu/JVNVU93051062/
– https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
– https://www.toshibatec.co.jp/information/20240531_02.html
– https://www.toshibatec.com/information/20240531_02.html

CVE-2024-33610 – “Sessionlist.html and sys_trayentryreboot.html allow unauthorized access to sensitive user session data and device reboot function.”
Product: Micro Focus ArcSight Logger
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33610
NVD References:
– https://global.sharp/products/copier/info/info_security_2024-05.html
– https://jp.sharp/business/print/information/info_security_2024-05.html
– https://jvn.jp/en/vu/JVNVU93051062/
– https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
– https://www.toshibatec.co.jp/information/20240531_02.html
– https://www.toshibatec.com/information/20240531_02.html

CVE-2024-35244 – Siemens SCALANCE X Switches have hidden accounts that can be accessed by maintenance engineers to re-configure the device if their passwords are known.
Product: Siemens SCALANCE X Switches
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35244
NVD References:
– https://global.sharp/products/copier/info/info_security_2024-05.html
– https://jp.sharp/business/print/information/info_security_2024-05.html
– https://jvn.jp/en/vu/JVNVU93051062/
– https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
– https://www.toshibatec.co.jp/information/20240531_02.html
– https://www.toshibatec.com/information/20240531_02.html

CVE-2024-36248 – Sharp / Toshiba Tec MFP Hard-coded credentials: “API keys for some cloud services are hardcoded in the “main” binary of [Product], posing a security risk.”
Product: Sharp / Toshiba Tec MFP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36248
NVD References:
– https://global.sharp/products/copier/info/info_security_2024-05.html
– https://jp.sharp/business/print/information/info_security_2024-05.html
– https://jvn.jp/en/vu/JVNVU93051062/
– https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
– https://www.toshibatec.co.jp/information/20240531_02.html
– https://www.toshibatec.com/information/20240531_02.html
– https://vuldb.com/?id.286095

CVE-2017-11076 – Google Chrome may experience invalid memory access by the decoder due to incorrect frame size on certain hardware revisions with hardware-accelerated VP9 decoding.
Product: Google Chrome
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-11076
NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2018-bulletin.html

CVE-2017-17772 – In multiple functions that process 802.11 frames, out-of-bounds reads can occur due to insufficient validation.
Product: Cisco Aironet Wireless Access Points
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-17772
NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2018-bulletin.html

CVE-2018-11922 – A misconfiguration in the TouchPal application allows it to collect user behavior data without the user’s awareness.
Product: TouchPal application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-11922
NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2018-bulletin.html

CVE-2024-50370 through CVE-2024-50375 – Multiple Advantech devices are vulnerable to OS command injection.
Product: Advantech EKI-6333AC devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50370
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50371
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50372
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50373
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50374
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50375
NVD References:
– https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50370
– https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50371
– https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50372
– https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50373
– https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50374
– https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50375

CVE-2024-11693 – Firefox and Thunderbird on Windows operating systems did not show the executable file warning when downloading .library-ms files.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11693
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1921458
– https://www.mozilla.org/security/advisories/mfsa2024-63/
– https://www.mozilla.org/security/advisories/mfsa2024-64/
– https://www.mozilla.org/security/advisories/mfsa2024-67/
– https://www.mozilla.org/security/advisories/mfsa2024-68/

CVE-2024-11698 – Firefox, Thunderbird, and their respective ESR versions may become stuck in fullscreen mode when a modal dialog is opened during a fullscreen transition on macOS, disrupting the browsing experience until the application is restarted.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11698
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1916152
– https://www.mozilla.org/security/advisories/mfsa2024-63/
– https://www.mozilla.org/security/advisories/mfsa2024-64/
– https://www.mozilla.org/security/advisories/mfsa2024-67/
– https://www.mozilla.org/security/advisories/mfsa2024-68/

CVE-2024-11703 – Firefox on Android <133 may have allowed unauthorized access to saved passwords without PIN authentication.
Product: Mozilla Firefox
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11703
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1928779
– https://www.mozilla.org/security/advisories/mfsa2024-63/

CVE-2024-11704 – Firefox and Thunderbird versions below 133 are vulnerable to a double-free issue in `sec_pkcs7_decoder_start_decrypt()`, leading to potential memory corruption.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11704
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1899402
– https://www.mozilla.org/security/advisories/mfsa2024-63/
– https://www.mozilla.org/security/advisories/mfsa2024-67/

CVE-2024-11705 – Firefox and Thunderbird versions lower than 133 crash due to `NSC_DeriveKey` incorrectly assuming `phKey` is always non-NULL.
Product: Mozilla Firefox
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11705
NVD References:
– https://bugzilla.mozilla.org/show_bug.cgi?id=1921768
– https://www.mozilla.org/security/advisories/mfsa2024-63/
– https://www.mozilla.org/security/advisories/mfsa2024-67/

CVE-2024-11145 – Valor Apps Easy Folder Listing Pro is vulnerable to deserialization, allowing an attacker to run arbitrary code without authentication in Joomla! versions prior to 3.8 and 4.5.
Product: Valor Apps Easy Folder Listing Pro
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11145
NVD References:
– https://github.com/cisagov/CSAF/blob/develop/csaf_files/IT/white/2024/va-24-331-01.json
– https://www.valorapps.com/web-products/easy-folder-listing-pro.html

CVE-2024-49038 – Copilot Studio is vulnerable to Cross-site Scripting, allowing unauthorized attackers to gain elevated privileges over the network.
Product: Copilot Studio
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49038
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49038

CVE-2024-53676 – A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution.
Product: Hewlett Packard Enterprise Insight Remote Support
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53676
NVD References: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04731en_us

CVE-2024-42327 – Zabbix allows non-admin user accounts with API access to exploit an SQLi vulnerability in the CUser class.
Product: Zabbix
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42327
NVD References: https://support.zabbix.com/browse/ZBX-25623

CVE-2024-42330 – HttpRequest object vulnerability: Unencoded server response strings enable access to hidden object properties.
Product: Microsoft ASP.NET Core
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42330
NVD References: https://support.zabbix.com/browse/ZBX-25626

CVE-2024-53604 – PHPGurukul COVID 19 Testing Management System v1.0 is vulnerable to SQL Injection via the mobnumber POST parameter, potentially enabling remote code execution.
Product: PHPGurukul COVID 19 Testing Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53604
NVD References: https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/COVID19/SQL%20Injection%20vulnerability%20mo.pdf

CVE-2024-46054 – OpenVidReview 1.0 allows any user to upload files without authentication due to Incorrect Access Control at the /upload route.
Product: OpenVidReview 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46054
NVD References:
– https://github.com/b1d0ws/CVEs/blob/main/CVE-2024-46054.md
– https://github.com/davidguva/OpenVidReview
– https://github.com/davidguva/OpenVidReview/blob/main/routes/upload.js

CVE-2024-53920 – GNU Emacs through 30.0.92 allows attackers to execute arbitrary code by invoking elisp-completion-at-point on untrusted Emacs Lisp source code.
Product: GNU Emacs
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53920
NVD References:
– https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
– https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92
– https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4
– https://news.ycombinator.com/item?id=42256409
– https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg%40mail.gmail.com/

CVE-2024-52338 – The Apache Arrow R package versions 4.0.0 through 16.1.0 are vulnerable to arbitrary code execution through the deserialization of untrusted data in IPC and Parquet readers.
Product: Apache Software Foundation Apache Arrow R package
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52338
NVD References:
– https://github.com/apache/arrow/commit/801de2fbcf5bcbce0c019ed4b35ff3fc863b141b
– https://lists.apache.org/thread/0rcbvj1gdp15lvm23zm601tjpq0k25vt
– http://www.openwall.com/lists/oss-security/2024/11/28/3

CVE-2024-11979 – DreamMaker from Interinfo is vulnerable to Path Traversal and unrestricted file uploads, enabling remote attackers to execute arbitrary code.
Product: Interinfo DreamMaker
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11979
NVD References:
– https://www.twcert.org.tw/en/cp-139-8272-13a13-2.html
– https://www.twcert.org.tw/tw/cp-132-8271-29871-1.html

CVE-2024-11482 – ESM 11.6.10 allows unauthenticated access to its internal Snowservice API, leading to remote code execution as the root user.
Product: ESM 11.6.10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11482
NVD References: https://thrive.trellix.com/s/article/000014058#h2_0

CVE-2024-11992 – Quick.CMS version 6.7 suffers from an absolute path traversal vulnerability, allowing remote users to download or delete files outside of the server’s document root via the admin.php page.
Product: Quick.cms version 6.7
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11992
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-vulnerability-quickcms

CVE-2024-52777 through CVE-2024-52782 – DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/license_update.php.
Product: DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52777
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52778
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52779
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52780
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52781
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52782
NVD References: https://ba1100n.tech/%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A/dcme-all-series-rcessix-one/

CVE-2024-49360 – Sandboxie allows an authenticated user with no privileges to read all files created in sandboxes belonging to other users, posing a risk of unauthorized access to sensitive information.
Product: Sandboxie
CVSS Score: 9.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49360
NVD References: https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-4chj-3c28-gvmp

CVE-2024-35366 – FFmpeg n6.1.1 is vulnerable to an Integer Overflow in the parse_options function of sbgdec.c within the libavformat module, allowing negative duration values to be accepted without proper validation.
Product: FFmpeg library
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35366
NVD References:
– https://gist.github.com/1047524396/1e72f170d58c2547ebd4db4cdf6cfabf
– https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/sbgdec.c#L389
– https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6

CVE-2024-35367 – FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer.
Product: FFmpeg library
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35367
NVD References:
– https://gist.github.com/1047524396/9754a44845578358f6a403447c458ca4
– https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavcodec/ppc/vp8dsp_altivec.c#L53
– https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667

CVE-2024-35368 – FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.
Product: FFmpeg library
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35368
NVD References:
– https://gist.github.com/1047524396/7e6e47220ae2b2d2fb4611f0d8a31ec5
– https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/rkmppdec.c#L466
– https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c

CVE-2024-36610 – Symfony v7.0.3’s VarDumper module is vulnerable to deserialization attacks through the Stub class due to handling issues with null or uninitialized properties, allowing attackers to execute unauthorized code.
Product: Symfony VarDumper
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36610
NVD References:
– https://gist.github.com/1047524396/24e93f2905850235e42ad7db6e878bd5
– https://github.com/symfony/symfony/blob/v7.0.3/src/Symfony/Component/VarDumper/Cloner/Stub.php#L53
– https://github.com/symfony/symfony/commit/3ffd495bb3cc4d2e24e35b2d83c5b909cab7e259

CVE-2024-53504 through CVE-2024-53507 – SQL injection vulnerabilities have been identified in Siyuan 3.1.11.
Product: Siyuan 3.1.11
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53504
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53505
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53506
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53507
NVD References:
– https://github.com/siyuan-note/siyuan/issues/13058
– https://github.com/siyuan-note/siyuan/issues/13059
– https://github.com/siyuan-note/siyuan/issues/13060
– https://github.com/siyuan-note/siyuan/issues/13057
– https://github.com/siyuan-note/siyuan/issues/13077

CVE-2024-10905 – IdentityIQ versions 8.4 and prior allow HTTP access to static content in the application directory that should be protected.
Product: SailPoint IdentityIQ
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10905
NVD References: https://www.sailpoint.com/security-advisories/

CVE-2024-46909 – WhatsUp Gold versions released before 2024.0.1 allow remote unauthenticated attackers to execute code using the service account.
Product: WhatsUp Gold
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46909
NVD References:
– https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024
– https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html
– https://www.progress.com/network-monitoring

CVE-2024-8785 – WhatsUp Gold versions released before 2024.0.1 allow a remote unauthenticated attacker to manipulate registry values via NmAPI.exe.
Product: WhatsUp Gold
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8785
NVD References:
– https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024
– https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html
– https://www.progress.com/network-monitoring

CVE-2024-10542 – The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation allowing for potential remote code execution.
Product: CleanTalk Spam protection, Anti-Spam, FireWall
Active Installations: 200,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10542
NVD References:
– https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.43.2/lib/Cleantalk/ApbctWP/RemoteCalls.php#L41
– https://plugins.trac.wordpress.org/changeset/3179819/cleantalk-spam-protect#file631
– https://www.wordfence.com/threat-intel/vulnerabilities/id/d7eb5fad-bb62-4f0b-ad52-b16c3e442b62?source=cve

CVE-2024-11024 – The AppPresser Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover due to improper validation of password reset codes.
Product: AppPresser Mobile App Framework plugin for WordPress
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11024
NVD References:
– https://plugins.trac.wordpress.org/changeset/3192531/apppresser
– https://www.wordfence.com/threat-intel/vulnerabilities/id/43cb0399-4add-43d5-863c-30e11803bd90?source=cve

CVE-2024-11925 – The JobSearch WP Job Board plugin for WordPress allows unauthenticated attackers to gain admin privileges by exploiting a user_account_activation function flaw.
Product: JobSearch WP Job Board plugin
Active Installations: 6,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11925
NVD References:
– https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
– https://www.wordfence.com/threat-intel/vulnerabilities/id/04bc8101-2676-4695-a498-f79be8221617?source=cve

CVE-2024-11082 – The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads, allowing authenticated attackers with Author-level access and above to upload malicious files and potentially execute remote code.
Product: Tumult Hype Animations
Active Installations: 1,000+
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11082
NVD References:
– https://github.com/tumult/hype-wordpress-plugin/commit/1702d3d4fd0fae9cb9fc40cdfc3dfb8584d5f04c
– https://plugins.trac.wordpress.org/browser/tumult-hype-animations/trunk/includes/adminpanel.php#L277
– https://plugins.trac.wordpress.org/changeset/3197761/
– https://wordpress.org/plugins/tumult-hype-animations/#developers
– https://www.wordfence.com/threat-intel/vulnerabilities/id/be3a0b4b-cce5-4d78-99d5-697f2cf04427?source=cve

CVE-2024-11103 – The Contest Gallery plugin for WordPress allows for privilege escalation through account takeover in versions up to 24.0.7, enabling unauthenticated attackers to change passwords and gain access to any user account.
Product: Contest Gallery plugin for WordPress
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11103
NVD References:
– https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-lost-password.php#L31
– https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-password-reset.php#L88
– https://plugins.trac.wordpress.org/changeset/3196011/contest-gallery/tags/24.0.8/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-lost-password.php?old=3190068&old_path=contest-gallery%2Ftags%2F24.0.7%2Fv10%2Fv10-admin%2Fusers%2Ffrontend%2Flogin%2Fajax%2Fusers-login-check-ajax-lost-password.php
– https://www.wordfence.com/threat-intel/vulnerabilities/id/0df7f413-2631-46d9-8c0b-d66f05a02c01?source=cve

CVE-2024-8672 – The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders, allowing authenticated attackers with contributor-level access and above to execute code on the server.
Product: The Widget Options Widget & Block Control Plugin
Active Installations: 100,000+
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8672
NVD References:
– https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/pagebuilders/beaver/beaver.php#L825
– https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/pagebuilders/elementor/render.php#L379
– https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L718
– https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3192921%40widget-options&new=3192921%40widget-options&sfp_email=&sfph_mail=
– https://www.wordfence.com/threat-intel/vulnerabilities/id/8d03af4d-a1f9-4c15-a62e-f4cdbcfc9af7?source=cve

CVE-2024-52475 – Wawp 3.0.18 and earlier versions are vulnerable to an Authentication Bypass using an Alternate Path or Channel.
Product: Automation Web Platform Wawp
Active Installations: 500+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52475
NVD References: https://patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-3-0-18-account-takeover-vulnerability?_s_id=cve

CVE-2024-52490 – Pathomation allows for the unrestricted upload of files with dangerous types, leading to the potential upload of a web shell onto a web server.
Product: Pathomation
Active Installations: 2,000+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-52490
NVD References: https://patchstack.com/database/wordpress/plugin/pathomation/vulnerability/wordpress-pathomation-plugin-2-5-1-arbitrary-file-upload-vulnerability?_s_id=cve

@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 07

@RISK: The Consensus Security Vulnerability Alert
February 16, 2023 – Vol. 23, Num. 07

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT

Microsoft February 2023 Patch Tuesday
Published: 2023-02-14
Last Updated: 2023-02-15 01:19:13 UTC
by Johannes Ullrich (Version: 1)

Microsoft today patched 80 different vulnerabilities. This includes the Chromium vulnerabilities affecting Microsoft Edge. Nine vulnerabilities are rated as “Critical” by Microsoft.

Three of the vulnerabilities, all rated “important”, are already being exploited:

CVE-2023-21715: Microsoft Publisher Security Feature Bypass. This vulnerability will allow the execution of macros bypassing policies blocking them.

CVE-2023-23376: Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2023-21823: Windows Graphics Component Remote Code Execution Vulnerability. Patches for this vulnerability may only be available via the Microsoft Store. Make sure you have these updates enabled.

Some additional vulnerabilities of interest:

CVE-2023-21803: Windows iSCSI Discovery Service Remote Code Execution Vulnerability. Likely not the most common issue to be patched this month, but something that may easily be missed. This vulnerability, if exploited, could be used for lateral movement.

CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21716
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716

CVE-2023-21803 – Windows iSCSI Discovery Service Remote Code Execution Vulnerability
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21803
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21803

CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692 – Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerabilities
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21689
https://nvd.nist.gov/vuln/detail/CVE-2023-21690
https://nvd.nist.gov/vuln/detail/CVE-2023-21692
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21689
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21690
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21692

CVE-2022-31249 – An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-31249
NVD References: https://bugzilla.suse.com/show_bug.cgi?id=1200299

CVE-2022-43757 – A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed. This issue affects: SUSE Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43757
NVD References: https://bugzilla.suse.com/show_bug.cgi?id=1205295

CVE-2022-24990 – TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending “User-Agent: TNAS” to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
** KEV since 2023-02-10 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24990
NVD References:
https://forum.terra-master.com/en/viewforum.php?f=28
https://github.com/0xf4n9x/CVE-2022-24990
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
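The entry above gives enough of the request shape (the endpoint and the “TNAS” User-Agent) to hunt for it in web-server access logs. The following is an added detection example, not code from TerraMaster or from any of the references: it parses combined-format access log lines, flags requests to module/api.php?mobile/webNasIPS, and separates the “TNAS” User-Agent case the entry describes from other clients probing the same endpoint. The log lines are constructed for the example.

```python
"""
Added example: flag access-log lines matching the request described for
CVE-2022-24990 (GET module/api.php?mobile/webNasIPS with User-Agent "TNAS").
Not vendor code; the log format assumed is the common Apache/nginx
"combined" format and the sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# From the advisory text: the endpoint and the User-Agent that triggers the disclosure.
VULN_PATH = "/module/api.php"
VULN_QUERY = "mobile/webNasIPS"
VULN_UA = "TNAS"


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding label for a parsed entry, or None when it is not of interest."""
    parts = urlsplit(entry["target"])
    # endswith() tolerates a path prefix in front of the TOS web root
    if not parts.path.endswith(VULN_PATH) or VULN_QUERY not in parts.query:
        return None
    if entry["ua"].strip() == VULN_UA:
        return "cve-2022-24990-exploit-attempt"
    # Same endpoint without the magic User-Agent: worth a look, but not the documented trigger.
    return "webNasIPS-probe"


def scan(lines):
    """Run classify() over raw log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ip"], entry["status"], label))
    return findings


# Constructed sample log: one exploit-shaped request, one probe, one benign hit, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2023:03:14:07 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
    '198.51.100.9 - - [10/Feb/2023:03:15:22 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Feb/2023:03:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "garbage line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

On an unpatched device a 200 response with a non-trivial body to the first request is the disclosure itself, so the status and size fields are worth keeping in the finding; on a patched device the same request is still an indicator that someone is scanning for this bug.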

CVE-2023-24813 – Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it’s possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24813
NVD References:
https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
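The Dompdf entry describes a classic parser differential: the component that validates the URL and the component that fetches it disagree about which attribute wins when both `xlink:href` and `href` are present. The following is an added illustration of that mismatch, not Dompdf or php-svg-lib code: a filter that honours `xlink:href` whenever it exists (even empty) sits in front of a renderer that prefers `href`, and the hardened variant validates the value the renderer will actually use. The scheme allowlist and the SVG input are constructed for the example.

```python
"""
Added illustration of the attribute-precedence mismatch behind CVE-2023-24813.
Not Dompdf or php-svg-lib code: the filter/renderer functions model the two
behaviours the advisory describes, and the allowlist and SVG are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"  # ElementTree's expanded name for xlink:href

# Assumed allowlist. The empty scheme is accepted so that relative or empty
# references pass validation, which is exactly what the bypass leans on.
ALLOWED_SCHEMES = {"http", "https", "data", ""}


def image_elements(svg_text):
    """Return every <image> element in the SVG document."""
    root = ET.fromstring(svg_text)
    return list(root.iter(f"{{{SVG_NS}}}image"))


def filter_side_url(elem):
    """Filter side (Dompdf-like): xlink:href wins whenever the attribute exists."""
    if XLINK_HREF in elem.attrib:
        return elem.attrib[XLINK_HREF]
    return elem.attrib.get("href", "")


def renderer_side_url(elem):
    """Renderer side (php-svg-lib-like): href wins when both are present."""
    if "href" in elem.attrib:
        return elem.attrib["href"]
    return elem.attrib.get(XLINK_HREF, "")


def scheme_allowed(url):
    return urlparse(url).scheme.lower() in ALLOWED_SCHEMES


def vulnerable_pipeline(svg_text):
    """URLs the renderer ends up fetching when the filter only validates its own pick."""
    fetched = []
    for elem in image_elements(svg_text):
        if scheme_allowed(filter_side_url(elem)):
            fetched.append(renderer_side_url(elem))
    return fetched


def hardened_pipeline(svg_text):
    """Fix: validate every URL-bearing attribute the renderer could pick, not just one of them."""
    fetched = []
    for elem in image_elements(svg_text):
        candidates = [elem.attrib[a] for a in ("href", XLINK_HREF) if a in elem.attrib]
        if candidates and all(scheme_allowed(u) for u in candidates):
            fetched.append(renderer_side_url(elem))
    return fetched


# Constructed input: a benign image, then the bypass shape from the advisory
# (empty xlink:href alongside an href using a scheme the filter would reject).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://example.org/logo.png"/>
  <image xlink:href="" href="file:///tmp/payload"/>
</svg>"""

if __name__ == "__main__":
    print("vulnerable:", vulnerable_pipeline(SAMPLE_SVG))
    print("hardened:  ", hardened_pipeline(SAMPLE_SVG))
```

The general lesson is the one the advisory implies: a URL check is only as good as its agreement with the code that consumes the URL, so either validate at the point of use or make sure the validator and consumer share one resolution routine.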

CVE-2022-43761 – Missing authentication when creating and managing the B&R APROL database in versions < R 4.2-07 allows reading and changing the system configuration.
CVE-2022-43764 – Insufficient validation of input parameters when changing configuration on Tbase server in B&R APROL versions < R 4.2-07 could result in buffer overflow. This may lead to Denial-of-Service conditions or execution of arbitrary code.
CVSS Score: 9.4 – 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L and CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-43761
https://nvd.nist.gov/vuln/detail/CVE-2022-43764
NVD References: https://www.br-automation.com/downloads_br_productcatalogue/assets/1674823095245-en-original-1.0.pdf

CVE-2023-25168 – Wings is Pterodactyl’s server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj5` to overwrite files on the host system. In order to use this exploit, an attacker must have an existing “server” allocated and controlled by Wings. This vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`. Anyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x` should upgrade to `v1.7.4`. There are no known workarounds for this issue.
CVSS Score: 9.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25168
NVD References:
https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d
https://github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63
https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5

CVE-2023-0776 – Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and run with root permissions. The reproduction methods have been tested and validated by a third-party analyst and have been confirmed exploitable; special thanks to Rustam Amin for providing the steps to reproduce.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0776
NVD References: https://baicells.com/Service/Firmware

CVE-2022-25729 – Memory corruption in modem due to improper length check while copying into memory.
CVE-2022-33232 – Memory corruption due to buffer copy without checking size of input while running memory sharing tests with large scattered memory.
CVE-2022-33279 – Memory corruption due to stack based buffer overflow in WLAN having invalid WNM frame length.
CVE-2022-40514 – Memory corruption due to buffer copy without checking the size of input in WLAN Firmware while processing CCKM IE in reassoc response frame.
CVSS Score: 9.3 – 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-25729
https://nvd.nist.gov/vuln/detail/CVE-2022-33232
https://nvd.nist.gov/vuln/detail/CVE-2022-33279
https://nvd.nist.gov/vuln/detail/CVE-2022-40514
NVD References: https://www.qualcomm.com/company/product-security/bulletins/february-2023-bulletin

CVE-2023-23551 – Control By Web X-600M devices run Lua scripts and are vulnerable to code injection, which could allow an attacker to remotely execute arbitrary code.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23551
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-01

CVE-2023-24482 – A vulnerability has been identified in COMOS V10.2 (All versions), COMOS V10.3.3.1 (All versions < V10.3.3.1.45), COMOS V10.3.3.2 (All versions < V10.3.3.2.33), COMOS V10.3.3.3 (All versions < V10.3.3.3.9), COMOS V10.3.3.4 (All versions < V10.3.3.4.6), COMOS V10.4.0.0 (All versions < V10.4.0.0.31), COMOS V10.4.1.0 (All versions < V10.4.1.0.32), COMOS V10.4.2.0 (All versions < V10.4.2.0.25). Cache validation service in COMOS is vulnerable to Structured Exception Handler (SEH) based buffer overflow. This could allow an attacker to execute arbitrary code on the target system or cause denial of service condition.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24482
NVD References: https://cert-portal.siemens.com/productcert/pdf/ssa-693110.pdf

CVE-2023-21528 – Microsoft SQL Server Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21528
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21528

CVE-2023-21529 – Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21529
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529

CVE-2023-21564 – Azure DevOps Server Cross-Site Scripting Vulnerability
CVSS Score: 7.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21564
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21564

CVE-2023-21568 – Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability
CVSS Score: 7.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21568
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21568

CVE-2023-21684 – Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21684
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21684

CVE-2023-21685 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21685
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21685

CVE-2023-21686 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21686
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21686

CVE-2023-21688 – NT OS Kernel Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21688
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21688

CVE-2023-21691 – Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21691
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21691

CVE-2023-21695 – Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21695
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21695

CVE-2023-21701 – Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21701
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21701

CVE-2023-21700 – Windows iSCSI Discovery Service Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21700
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21700

CVE-2023-21702 – Windows iSCSI Service Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21702
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21702

CVE-2023-21704 – Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21704
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21704

CVE-2023-21705 and CVE-2023-21713 – Microsoft SQL Server Remote Code Execution Vulnerabilities
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21705
https://nvd.nist.gov/vuln/detail/CVE-2023-21713
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21705
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21713

CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710 – Microsoft Exchange Server Remote Code Execution Vulnerabilities
CVSS Scores: 7.2 – 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21706
https://nvd.nist.gov/vuln/detail/CVE-2023-21707
https://nvd.nist.gov/vuln/detail/CVE-2023-21710
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21706
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21707
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21710

CVE-2023-21717 – Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21717
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21717

CVE-2023-21718 – Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21718
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21718

CVE-2023-21777 – Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
CVSS Score: 8.7
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21777
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21777

CVE-2023-21797 and CVE-2023-21798 – Microsoft ODBC Driver Remote Code Execution Vulnerabilities
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21797
https://nvd.nist.gov/vuln/detail/CVE-2023-21798
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21797
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21798

CVE-2023-21799 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21799
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21799

CVE-2023-21800 – Windows Installer Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21800
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21800

CVE-2023-21801 – Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21801
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21801

CVE-2023-21802 – Windows Media Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21802
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21802

CVE-2023-21804 – Windows Graphics Component Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21804
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21804

CVE-2023-21805 – Windows MSHTML Platform Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21805
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21805

CVE-2023-21806 – Power BI Report Server Spoofing Vulnerability
CVSS Score: 8.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21806
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21806

CVE-2023-21809 – Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21809
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21809

CVE-2023-21811 – Windows iSCSI Service Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21811
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21811

CVE-2023-21812 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21812
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21812

CVE-2023-21813 – Windows Secure Channel Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21813
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21813

CVE-2023-21816 – Windows Active Directory Domain Services API Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21816
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21816

CVE-2023-21817 – Windows Kerberos Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21817
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21817

CVE-2023-21818 and CVE-2023-21819 – Windows Secure Channel Denial of Service Vulnerabilities
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21818
https://nvd.nist.gov/vuln/detail/CVE-2023-21819
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21818
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21819

CVE-2023-21820 – Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVSS Score: 7.4
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21820
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21820

CVE-2023-21822 – Windows Graphics Component Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21822
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21822

CVE-2023-23374 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVSS Score: 8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23374
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23374

CVE-2023-23377 – 3D Builder Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23377
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23377

CVE-2023-23378 – Print 3D Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23378
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23378

CVE-2023-23390 – 3D Builder Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23390
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23390

CVE-2023-21553 – Azure DevOps Server Remote Code Execution Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21553
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21553

CVE-2023-21566 – Visual Studio Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21566
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21566

CVE-2023-21778 – Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability
CVSS Score: 8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21778
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21778

CVE-2023-21808 – .NET and Visual Studio Remote Code Execution Vulnerability
CVSS Score: 8.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21808
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21808

CVE-2023-21815 and CVE-2023-23381 – Visual Studio Remote Code Execution Vulnerabilities
CVSS Score: 8.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21815
https://nvd.nist.gov/vuln/detail/CVE-2023-23381
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21815
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23381

CVE-2019-15126 – Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-15126
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-15126

@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 06

@RISK: The Consensus Security Vulnerability Alert
February 9, 2023 – Vol. 23, Num. 06

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT

Simple HTML Phishing via Telegram Bot
Published: 2023-02-08
Last Updated: 2023-02-08 13:56:11 UTC
by Johannes Ullrich (Version: 1)

Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them.

The phish itself is not particularly remarkable. It is arriving as an email claiming to include a payment confirmation. The email includes a small thread of messages likely to make it more plausible. The best I can guess, the email is supposed to make the recipient curious to open the attachment. The attachment itself is a simple HTML file simulating an Office 365 page.

Read the full entry:
https://isc.sans.edu/diary/Simple+HTML+Phishing+via+Telegram+Bot/29528/

Earthquake in Turkey and Syria: Be Aware of Possible Donation Scams
Published: 2023-02-06
Last Updated: 2023-02-06 18:40:43 UTC
by Johannes Ullrich (Version: 1)

Last night, Turkey and Syria were affected by a significant earthquake. Sadly, experience teaches us that disasters like this will often be abused. The most common scam involves fake donation websites. But you may also see malware disguised as a video or images from the affected region.

Here are some tips to share:

Do not donate to organizations you have not heard of before the event. Only donate to organizations that have an established track record.
If you have contacts in the affected area: Try to reach out to them to find out how to help them.
Scams may target people with links to the affected region. Be careful with phone calls or emails claiming to ask for money on behalf of a relative or friend. Scammers may use social media data and may contact you via social media.
Do not blindly believe requests for help on social media.
Do not just Google for ways to donate money.

Read the full entry: https://isc.sans.edu/diary/Earthquake+in+Turkey+and+Syria+Be+Aware+of+Possible+Donation+Scams/29518/

Assemblyline as a Malware Analysis Sandbox
Published: 2023-02-04
Last Updated: 2023-02-04 23:53:30 UTC
by Guy Bruneau (Version: 1)

If you are looking for a malware sandbox that is easy to install and maintain, Assemblyline (AL) [1] is likely the system you want to be part of your toolbox. “Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline’s most powerful functionalities is its recursive analysis model.”[2]

First step, install the server. My server configuration is as follows:

Ubuntu 22.04
Ubuntu Server (minimized)
8+ Cores
16+ GB RAM
100 GB
100+ GB /var/lib/docker
Static IP

Read the full entry:
https://isc.sans.edu/diary/Assemblyline+as+a+Malware+Analysis+Sandbox/29510/

=========================================================
OTHER INTERNET STORM CENTER ENTRIES
=========================================================

A Survey of Bluetooth Vulnerabilities Trends (2023 Edition) (2023.02.07)
https://isc.sans.edu/diary/A+Survey+of+Bluetooth+Vulnerabilities+Trends+2023+Edition/29522

APIs Used by Bots to Detect Public IP address (2023.02.06)
https://isc.sans.edu/diary/APIs+Used+by+Bots+to+Detect+Public+IP+address/29516/

Video: Analyzing Malicious OneNote Documents (2023.02.05)
https://isc.sans.edu/diary/Video+Analyzing+Malicious+OneNote+Documents/29512/

Check out a couple of my older posts (2023.02.02)
https://isc.sans.edu/diary/Check+out+a+couple+of+my+older+posts/29504/

=========================================================
RECENT CVEs
=========================================================

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-22501 – An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: if the attacker is included on Jira issues or requests with these users, or if the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22501
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8356
NVD References: https://jira.atlassian.com/browse/JSDSERVER-12312

CVE-2022-21129 – Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the ‘module.exports.setup’ function. Note: In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-21129
NVD References:
https://github.com/paypal/nemo-appium/commit/aa271d36dd5c81baae3c43aa2616c84f0ee4195f
https://security.snyk.io/vuln/SNYK-JS-NEMOAPPIUM-3183747

CVE-2022-45789 – A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure™ Control Expert (All Versions), EcoStruxure™ Process Expert (Version V2020 & prior), Modicon M340 CPU (part numbers BMXP34*) (All Versions), Modicon M580 CPU (part numbers BMEP* and BMEH*) (All Versions), Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45789
NVD References: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-010-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-010-06_Modicon_Controllers_Security_Notification.pdf

CVE-2022-24324 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVE-2022-2329 – A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24324
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-2329
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf

CVE-2022-42970 – A CWE-306: Missing Authentication for Critical Function vulnerability exists. The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVE-2022-42971 – A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42970
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42971
NVD References: https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf

CVE-2022-39060 – ChangingTech MegaServiSignAdapter component has a vulnerability of improper input validation. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkey (ex: AutoRUN) in Registry where malicious scripts can be executed to take control of the system or to terminate the service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39060
NVD References: https://www.twcert.org.tw/tw/cp-132-6887-6ed4f-1.html

CVE-2023-22900 – Efence login function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete database.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22900
NVD References: https://www.twcert.org.tw/tw/cp-132-6885-d679e-1.html

CVE-2022-24963 – Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.
CVE-2022-25147 – Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24963
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-25147
NVD References: https://lists.apache.org/thread/np5gjqlohc4f62lr09vrn61vl44cylh8

CVE-2022-47035 – Buffer Overflow Vulnerability in D-Link DIR-825 v1.33.0.44ebdd4-embedded and below allows attacker to execute arbitrary code via the GetConfig method to the /CPE endpoint.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47035
NVD References:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10314
https://www.dlink.com/en/security-bulletin/

CVE-2022-47780 – SQL Injection vulnerability in Bangresto 1.0 via the itemID parameter.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47780
NVD References: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto

CVE-2023-24162 – Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.
CVE-2023-24163 – SQL Injection vulnerability in Dromara hutool v5.8.11 allows attacker to execute arbitrary code via the aviator template engine.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24162
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24163
NVD References:
https://gitee.com/dromara/hutool/issues/I6AEX2
https://github.com/dromara/hutool/issues/2855
https://gitee.com/dromara/hutool/issues/I6AJWJ#note_15801868

CVE-2022-47697 – COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.
CVE-2022-47699 – COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Incorrect Access Control.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47697
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47699

CVE-2022-45297 – EQ v1.5.31 to v2.2.0 was discovered to contain a SQL injection vulnerability via the UserPwd parameter.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45297
NVD References: https://github.com/tlfyyds/EQ

CVE-2022-47873 – Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47873

CVE-2023-23924 – Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing “ tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23924
NVD References:
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85
https://github.com/dompdf/dompdf/releases/tag/v2.0.2
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

CVE-2023-24813 – Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it’s possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24813
NVD References:
https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75

CVE-2023-24241 – Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /admin/loginpost.php.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24241
NVD References: https://github.com/Mortalwangxin/lives/issues/1

CVE-2023-23928 – reason-jose is a JOSE implementation in ReasonML and OCaml. `Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23928
NVD References:
https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5
https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2
https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7

CVE-2022-47769 – An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.
CVE-2022-47770 – Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47769
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47770
NVD References:
https://www.swascan.com/it/security-advisory-serenissima-informatica-fastcheckin/
https://fast.com

CVE-2023-0587 – A file upload vulnerability exists in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message sent to URL /officescan/console/html/cgi/fcgiOfcDDA.exe, an unauthenticated remote attacker can upload arbitrary files to the SampleSubmission directory (i.e., \PCCSRV\TEMP\SampleSubmission) on the server. The attacker can upload a large number of large files to fill up the file system on which the Apex One server is installed.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0587
NVD References: https://www.tenable.com/security/research/tra-2023-5

CVE-2023-22374 – In BIG-IP starting in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5 on their respective branches, a format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22374
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8356
NVD References: https://my.f5.com/manage/s/article/K000130415

CVE-2022-22486 – IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-22486
NVD References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/226328
https://www.ibm.com/support/pages/node/6890697

CVE-2022-43757 – A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43757
NVD References: https://bugzilla.suse.com/show_bug.cgi?id=1205295

Wildcard SSL