@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 05

@RISK: The Consensus Security Vulnerability Alert
February 2, 2023 – Vol. 23, Num. 05

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Detecting (Malicious) OneNote Files
Published: 2023-02-01
Last Updated: 2023-02-01 08:57:26 UTC
by Didier Stevens (Version: 1)

We are starting to see malicious OneNote documents (cfr. Xavier’s diary entry “A First Malicious OneNote Document”).

OneNote files have their own binary fileformat: [MS-ONESTORE].

A OneNote file starts with GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.

Files contained in a OneNote file start with a header (FileDataStoreObject) followed by the embedded file itself. This header also starts with a GUID: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}.

Hence, to detect OneNote files with embedded files, look for files that start with byte sequence E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 (that’s GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}) and contain one or more instances of byte sequence E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC (that’s GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}).

This allows you to detect OneNote files with embedded files. Which are not necessarily malicious … Because an embedded file can just be a picture, for example.

Read the full entry:
https://isc.sans.edu/diary/Detecting+Malicious+OneNote+Files/29494/
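The two-step check described above, as an added example (editor's code, not Didier's oneDump tool or anything from the diary). The GUID byte sequences are derived from the GUIDs the diary quotes; the FileDataStoreObject field layout used to pull out the embedded payload (cbLength, unused, reserved, then FileData) is taken from [MS-ONESTORE] and is not in the excerpt. The sample OneNote-shaped blob, the magic-byte table and the "suspicious" rule are constructed for illustration.

```python
import struct
import sys
import uuid

# GUIDs quoted in the diary. uuid.bytes_le yields the mixed-endian on-disk
# layout, which is exactly the byte sequence the diary spells out.
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FILE_DATA_STORE_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
assert ONE_FILE_GUID.hex() == "e4525c7b8cd8a74daeb15378d02996d3"

# FileDataStoreObject layout after the 16-byte guidHeader, taken from
# [MS-ONESTORE] rather than from the diary excerpt: cbLength (8 bytes,
# little-endian, size of FileData), unused (4 bytes), reserved (8 bytes), FileData.
FDSO_HEADER_LEN = 16 + 8 + 4 + 8

MAGIC = [  # constructed table: enough to tell a picture from a dropper
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP/OOXML container"),
    (b"\xd0\xcf\x11\xe0", "OLE compound file"),
    (b"\x89PNG", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
]
SUSPICIOUS = {"PE executable", "OLE compound file", "text/script"}


def classify(payload: bytes) -> str:
    for magic, label in MAGIC:
        if payload.startswith(magic):
            return label
    head = payload[:256]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text/script"  # HTA, VBS, batch and PowerShell payloads land here
    return "unknown"


def is_onenote(data: bytes) -> bool:
    return data.startswith(ONE_FILE_GUID)


def embedded_files(data: bytes) -> list:
    """One record per FileDataStoreObject header found anywhere in data."""
    found = []
    pos = data.find(FILE_DATA_STORE_GUID)
    while pos != -1:
        rec = {"offset": pos, "length": None, "truncated": True, "type": "unknown"}
        if pos + FDSO_HEADER_LEN <= len(data):
            (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
            payload = data[pos + FDSO_HEADER_LEN:pos + FDSO_HEADER_LEN + cb_length]
            # truncated: cbLength runs past EOF, i.e. a corrupt or crafted header
            rec.update(length=cb_length, truncated=len(payload) < cb_length,
                       type=classify(payload))
        found.append(rec)
        pos = data.find(FILE_DATA_STORE_GUID, pos + 16)
    return found


def triage(data: bytes) -> dict:
    """The diary's two-step check, plus a first look at what was embedded."""
    files = embedded_files(data) if is_onenote(data) else []
    return {"onenote": is_onenote(data), "embedded": files,
            "suspicious": any(f["type"] in SUSPICIOUS for f in files)}


def _fdso(payload: bytes) -> bytes:
    # Constructed for this example: wrap payload in a minimal FileDataStoreObject.
    return (FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload))
            + bytes(4) + bytes(8) + payload)


# Constructed sample: a OneNote-shaped blob carrying a PNG and a small script.
SAMPLE = (ONE_FILE_GUID + bytes(32)
          + _fdso(b"\x89PNG\r\n\x1a\n" + bytes(16)) + bytes(16)
          + _fdso(b'<script language="VBScript">MsgBox "hi"</script>'))

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python onenote_triage.py delivery-note.one`. The type label is what turns "has an embedded file" into something actionable: a PNG is what OneNote embeds all the time, a PE or a block of script text inside a mail attachment is not.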

Decoding DNS over HTTP(s) Requests
Published: 2023-01-30
Last Updated: 2023-01-30 16:51:54 UTC
by Johannes Ullrich (Version: 1)

I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the “Big Chinese Firewall”. Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.

Read the full entry:
https://isc.sans.edu/diary/Decoding+DNS+over+HTTPs+Requests/29488/
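For the standard-compliant case the diary contrasts with malware's home-grown resolvers, here is an added example (editor's code, not from the diary) that builds and decodes an RFC 8484 GET request, where the DNS wire-format query rides in the `dns=` query parameter as unpadded base64url. The resolver hostnames are placeholders; the sample URL is the GET example from RFC 8484 section 4.1.1. POST-form DoH (the query in the request body) and non-standard JSON resolvers have no `dns=` parameter, so the decoder refuses them rather than guessing.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}


def _encode_qname(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_doh_get_url(resolver_url: str, name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: ?dns=<base64url(DNS wire query)> with padding stripped.
    Transaction ID is 0, as the RFC recommends, so identical queries cache well."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)      # flags: RD only
    question = _encode_qname(name) + struct.pack(">HH", qtype, 1)  # class IN
    b64 = base64.urlsafe_b64encode(header + question).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def _decode_qname(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers do not belong in a question name
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def decode_doh_get(url: str) -> dict:
    """Recover the DNS question(s) from an RFC 8484 GET request URL."""
    qs = parse_qs(urlsplit(url).query)
    if "dns" not in qs:
        raise ValueError("no dns= parameter: POST-form DoH or a non-standard resolver")
    b64 = qs["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    txid, flags, qdcount = struct.unpack_from(">HHH", msg, 0)
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = _decode_qname(msg, off)
        qtype, _qclass = struct.unpack_from(">HH", msg, off)
        off += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return {"txid": txid, "rd": bool(flags & 0x0100), "questions": questions}


# The GET example from RFC 8484 section 4.1.1: www.example.com, type A.
RFC8484_EXAMPLE = ("https://dnsserver.example.net/dns-query"
                   "?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB")
```

Pointing `decode_doh_get` at proxy or web-server access logs gives you the queried names even though the traffic never touched port 53; a request to a DoH-looking path without `dns=` (or with a body instead) is the case where you need to look at the resolver itself.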

Live Linux IR with UAC
Published: 2023-01-26
Last Updated: 2023-01-26 23:07:32 UTC
by Tom Webb (Version: 1)

The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector or UAC(1) created by Thiago Lahr. As you would expect, it gathers most live stats but also collects VirtualBox and Docker info and other data on the system. It can dump results files to SFTP, Azure, S3, and IBM storage natively.

With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made.

Read the full entry: https://isc.sans.edu/diary/Live+Linux+IR+with+UAC/29480/
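The before-and-after file timeline comparison the diary describes, as an added example (editor's code, not Tom Webb's script and not part of UAC). It snapshots mtime, ctime and size of every regular file under a root, diffs two snapshots, and reports what a collector created, removed or rewrote. The scratch tree and the "pretend collector" in `demo()` are constructed so the example runs offline; on a real host you would snapshot `/` before and after the UAC run.

```python
import json
import os
import sys
import tempfile
from typing import Dict, Tuple

Snapshot = Dict[str, Tuple[int, int, int]]  # path -> (mtime_ns, ctime_ns, size)


def snapshot(root: str) -> Snapshot:
    """Record mtime, ctime and size of every regular file under root.
    lstat() is used so symlinks are recorded, not followed."""
    snap: Snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished between the listing and the stat
            snap[path] = (st.st_mtime_ns, st.st_ctime_ns, st.st_size)
    return snap


def diff(before: Snapshot, after: Snapshot) -> dict:
    """Paths that appeared, disappeared, or whose mtime/ctime/size changed."""
    created = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed demo: scratch tree, a pretend collector run, the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        untouched = os.path.join(root, "untouched.txt")
        rewritten = os.path.join(root, "rewritten.log")
        for p in (untouched, rewritten):
            with open(p, "w") as fh:
                fh.write("before\n")
        before = snapshot(root)
        # Pretend collector: appends to one file, drops a scratch file, reads another.
        with open(rewritten, "a") as fh:
            fh.write("collector appended\n")
        with open(os.path.join(root, "uac.tmp"), "w") as fh:
            fh.write("scratch\n")
        with open(untouched) as fh:
            fh.read()  # reading bumps atime only, which we deliberately ignore
        after = snapshot(root)
        return {k: [os.path.relpath(p, root) for p in v]
                for k, v in diff(before, after).items()}


if __name__ == "__main__":
    # usage: timeline.py snap ROOT OUT.json | timeline.py diff BEFORE.json AFTER.json
    if sys.argv[1] == "snap":
        with open(sys.argv[3], "w") as out:
            json.dump(snapshot(sys.argv[2]), out)
    else:
        with open(sys.argv[2]) as b, open(sys.argv[3]) as a:
            print(json.dumps(diff(json.load(b), json.load(a)), indent=2))
```

Snapshotting reads every directory, which updates atime but not mtime or ctime, so the snapshot itself does not show up in its own diff; size is recorded as well so a rewrite is caught even on filesystems with coarse timestamps.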

=========================================================
OTHER INTERNET STORM CENTER ENTRIES
=========================================================

Rotating Packet Captures with pfSense (2023.02.01)
https://isc.sans.edu/diary/Rotating+Packet+Captures+with+pfSense/29500/

DShield Honeypot Setup with pfSense (2023.01.31)
https://isc.sans.edu/diary/DShield+Honeypot+Setup+with+pfSense/29490/

=========================================================
RECENT CVEs
=========================================================

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2022-47966 – Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
** KEV since 2023-01-23 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47966
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8340

CVE-2022-42475 – A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
** KEV Since 2022-12-23 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42475

CVE-2022-45639 – OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45639
NVD References:
https://www.binaryworld.it/
https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639

CVE-2022-25894 – All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via jexl.createExpression(expression).evaluate(context); functionality, due to improper user input validation.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-25894
NVD References:
https://fmyyy1.github.io/2022/10/23/uflo2rce/
https://security.snyk.io/vuln/SNYK-JAVA-COMBSTEKUFLO-3091112

CVE-2022-3094 – Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don’t intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3094
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8344
NVD References: https://kb.isc.org/docs/cve-2022-3094

CVE-2022-3572 – A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.
CVSS Score: 9.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3572
NVD References:
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3572.json
https://gitlab.com/gitlab-org/gitlab/-/issues/378214
https://hackerone.com/reports/1727985

CVE-2022-45808 – SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
CVE-2022-45820 – SQL Injection (SQLi) vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
CVE-2022-47615 – Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
CVSS Scores: 9.1 – 9.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
NVD References: https://patchstack.com/articles/multiple-critical-vulnerabilities-fixed-in-learnpress-plugin-version/
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45808
NVD References: https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-wordpress-lms-plugin-plugin-4-1-7-3-2-sql-injection?_s_id=cve
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45820
NVD References: https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-1-7-3-2-auth-sql-injection-sqli-vulnerability?_s_id=cve
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47615
NVD References: https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-1-7-3-2-local-file-inclusion?_s_id=cve

CVE-2023-0321 – Campbell Scientific dataloggers CR6, CR300, CR800, CR1000 and CR3000 may allow an attacker to download configuration files, which may contain sensitive information about the internal network. From factory defaults, the mentioned dataloggers have HTTP and PakBus enabled. The devices, with the default configuration, allow this situation via the PakBus port. The exploitation of this vulnerability may allow an attacker to download, modify, and upload new configuration files.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0321
NVD References:
https://www.hackplayers.com/2023/01/cve-2023-0321-info-sensible-campbell.html
https://www.incibe-cert.es/en/early-warning/ics-advisories/disclosure-sensitive-information-campbell-scientific-products

CVE-2023-0452 – All versions of Econolite EOS traffic control software are vulnerable to CWE-328: Use of Weak Hash, and use a weak hash algorithm for encrypting privileged user credentials. A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0452
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-02

CVE-2023-22482 – Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD’s configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD’s configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token’s `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds.
CVSS Score: 9.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22482
NVD References: https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc
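The missing check in CVE-2023-22482 is easy to reproduce in any OIDC relying party, so here is an added example (editor's code, not Argo CD's Go implementation) showing the vulnerable validation beside the fixed one. An HS256 HMAC with a shared secret stands in for the provider's RS256 signing key, which keeps the example in the standard library; the issuer URL, client id, key and claims are all constructed. A real relying party would also pin the `alg`, check `iss` against the discovery document and fetch the JWKS, which this sketch only gestures at.

```python
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-shared-secret"   # stands in for the IdP's signing key
ISSUER = "https://idp.example.com"       # constructed issuer URL
ARGOCD_CLIENT_ID = "argo-cd"             # constructed OIDC client id of the relying party


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; plays the role of the OIDC provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Signature and expiry only; audience is deliberately NOT checked here."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims


def groups_vulnerable(token: str) -> list:
    """The pre-fix pattern: trusted issuer + valid signature is treated as enough."""
    claims = verify_jwt(token, IDP_KEY)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    return claims.get("groups", [])


def groups_fixed(token: str) -> list:
    """Same, plus the audience check: the token must name this relying party."""
    claims = verify_jwt(token, IDP_KEY)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # RFC 7519: string or array
    if ARGOCD_CLIENT_ID not in aud:
        raise ValueError(f"token audience {aud} is not {ARGOCD_CLIENT_ID}")
    return claims.get("groups", [])


def demo() -> dict:
    """Constructed scenario: one IdP, two audiences, identical groups claim."""
    base = {"iss": ISSUER, "sub": "alice", "groups": ["argocd-admins"],
            "exp": int(time.time()) + 300}
    for_argo = sign_jwt({**base, "aud": ARGOCD_CLIENT_ID}, IDP_KEY)
    for_storage = sign_jwt({**base, "aud": "file-storage"}, IDP_KEY)  # same IdP, other service
    h, _, s = for_storage.split(".")
    tampered = f"{h}.{_b64url(json.dumps({**base, 'aud': ARGOCD_CLIENT_ID}).encode())}.{s}"

    def attempt(fn, tok):
        try:
            return fn(tok)
        except ValueError as e:
            return f"rejected: {e}"

    return {
        "vulnerable_argo": attempt(groups_vulnerable, for_argo),
        "vulnerable_storage": attempt(groups_vulnerable, for_storage),
        "fixed_argo": attempt(groups_fixed, for_argo),
        "fixed_storage": attempt(groups_fixed, for_storage),
        "fixed_tampered": attempt(groups_fixed, tampered),
    }
```

The storage token carries the same `groups` claim and the same signature chain, so everything the vulnerable path checks is satisfied; only `aud` says it was never meant for Argo CD, which is exactly why the stolen-token impact in the advisory grows with every other service the IdP serves.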

CVE-2023-23619 – Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue has been partially mitigated in version 1.0.0, with the maintainer’s GitHub Security Advisory (GHSA) noting “It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue. Further similar situations are NOT seen as a security issue, but intended behavior.” The suggested workaround from the maintainers is “Fully custom presets that change the entire rendering process which can then escape the user input.”
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23619
NVD References: https://github.com/asyncapi/modelina/security/advisories/GHSA-4jg2-84c2-pj95

CVE-2023-24022 – Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24022
NVD References:
https://baicells.zendesk.com/hc/en-us/articles/6188324645780-2023-1-17-Hard-Coded-Credential-Crypt-Vulnerability
https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG
https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf

CVE-2023-0556 – The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function cstu_get_metadata) that includes the plugin’s contentstudio_token. Knowing this token allows for other interactions with the plugin such as creating posts in versions prior to 1.2.5, which added other requirements to posting and updating.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0556
NVD References:
https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.2.1/contentstudio-plugin.php#L517
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2851006%40contentstudio%2Ftrunk&old=2844028%40contentstudio%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/52db8d41-859a-4d68-8b83-3d3af8f1bf64

CVE-2022-27596 – A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later; QTS 5.0.1.2234 build 20221201 and later.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27596
NVD References: https://www.qnap.com/en/security-advisory/qsa-23-01

CVE-2022-32513 – A CWE-521: Weak Password Requirements vulnerability exists that could allow an attacker to gain control of the device when the attacker brute forces the password. Affected Products: C-Bus Network Automation Controller – LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller – LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller – 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller – 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller – 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller – 5500AC2 (Versions prior to V1.10.0)
CVE-2022-32514 – A CWE-287: Improper Authentication vulnerability exists that could allow an attacker to gain control of the device when logging into a web page. Affected Products: C-Bus Network Automation Controller – LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller – LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller – 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller – 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller – 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller – 5500AC2 (Versions prior to V1.10.0)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32513
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32514
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-06_C-Bus_Home_Automation_Products_Security_Notification.pdf

CVE-2022-32522 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted mathematically reduced data request messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32523 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted online data request messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32524 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted time reduced data messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32525 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm data messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32526 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted setting value messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32527 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm cache data messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32529 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted log data request messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32522
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32523
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32524
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32525
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32526
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32527
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32529
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification_V2.pdf

CVE-2022-24324 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVE-2022-2329 – A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24324
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-2329
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf

CVE-2022-42970 – A CWE-306: Missing Authentication for Critical Function vulnerability exists. The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVE-2022-42971 – A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42970
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42971
NVD References: https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf

CVE-2022-39060 – ChangingTech MegaServiSignAdapter component has a vulnerability of improper input validation. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkey (ex: AutoRUN) in Registry where malicious scripts can be executed to take control of the system or to terminate the service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39060
NVD References: https://www.twcert.org.tw/tw/cp-132-6887-6ed4f-1.html

CVE-2023-22900 – Efence login function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete database.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22900
NVD References: https://www.twcert.org.tw/tw/cp-132-6885-d679e-1.html

CVE-2023-22610 – A CWE-285: Improper Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. Affected Products: EcoStruxure™ Geo SCADA Expert 2019, EcoStruxure™ Geo SCADA Expert 2020, EcoStruxure™ Geo SCADA Expert 2021 (All versions prior to October 2022), ClearSCADA (All Versions).
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22610
NVD References: https://www.se.com/ww/en/download/document/SEVD-2023-010-02/

CVE-2023-23924 – Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23924
NVD References:
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85
https://github.com/dompdf/dompdf/releases/tag/v2.0.2
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

CVE-2023-21538 – .NET Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21538
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21538

CVE-2023-21712 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
CVSS Score: 8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21712
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21712

CVE-2022-34689 – Windows CryptoAPI Spoofing Vulnerability.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-34689
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8344

CVE-2023-23560 – In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23560
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8342

@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 04

@RISK: The Consensus Security Vulnerability Alert
January 26, 2023 – Vol. 23, Num. 04

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT

A First Malicious OneNote Document
Published: 2023-01-25
Last Updated: 2023-01-25 08:45:41 UTC
by Xavier Mertens (Version: 1)

Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1]. OneNote files (ending with the extension “.one”) are handled automatically by computers that have the Microsoft Office suite installed. Yesterday, my honeypot caught a first sample. This is a good opportunity to have a look at these files. The file, called “delivery-note.one”, was delivered as an attachment to a classic phishing email.

Read the complete entry:
https://isc.sans.edu/diary/A+First+Malicious+OneNote+Document/29470/

Importance of signing in Windows environments
Published: 2023-01-20
Last Updated: 2023-01-20 09:29:29 UTC
by Bojan Zdrnja (Version: 1)

NTLM relaying has been a plague in Windows environments for many years – and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services.

While there are many potential targets here, in most red team engagements my colleagues and I are relaying credentials to other SMB, LDAP or HTTP(S) services (especially on AD CS servers, used for issuing certificates). So one of the mandatory “health check” activities should be to verify if your systems really have signing enabled. Here are two *very simple* ways I do it when I encounter a large number of internal assets.

Read the complete entry:
https://isc.sans.edu/diary/Importance+of+signing+in+Windows+environments/29456/
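One way to answer "is SMB signing actually required on this host?" at scale, as an added example (editor's code; the diary's own two methods are not reproduced in the excerpt above, and nmap's `smb2-security-mode` script performs the same check). It sends a bare SMB2 NEGOTIATE and reads the SecurityMode flags from the response, where SMB2_NEGOTIATE_SIGNING_REQUIRED (0x0002) is the bit that decides whether an NTLM relay to that server can succeed. Message layouts follow MS-SMB2; the response used in the offline demo is constructed. LDAP signing needs a separate check (an unsigned simple bind against the DC), which this example does not cover.

```python
import socket
import struct
import sys
import uuid

SMB2_MAGIC = b"\xfeSMB"
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002  # MS-SMB2 SecurityMode flags
# SMB2 header (MS-SMB2 2.2.1.2): ProtocolId, StructureSize, CreditCharge, Status,
# Command, CreditRequest, Flags, NextCommand, MessageId, Reserved, TreeId,
# SessionId, Signature
HEADER_FMT = "<4sHHIHHIIQIIQ16s"


def smb2_negotiate_request(dialects=(0x0202, 0x0210)) -> bytes:
    """Header + NEGOTIATE request body (MS-SMB2 2.2.3) offering SMB 2.0.2 and 2.1."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, bytes(16))
    # StructureSize, DialectCount, SecurityMode (client MUST set SIGNING_ENABLED),
    # Reserved, Capabilities, ClientGuid, ClientStartTime
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    return header + body + struct.pack("<%dH" % len(dialects), *dialects)


def netbios_frame(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def parse_negotiate_response(msg: bytes) -> dict:
    """Pull SecurityMode and the chosen dialect out of a NEGOTIATE response."""
    if len(msg) < 64 + 6 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (SMB1-only server, or no SMB at all)")
    (status,) = struct.unpack_from("<I", msg, 8)
    if status != 0:
        raise ValueError(f"NEGOTIATE failed, NTSTATUS 0x{status:08x}")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"dialect": f"0x{dialect:04x}",
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}


def verdict(msg: bytes) -> str:
    try:
        r = parse_negotiate_response(msg)
    except ValueError as e:
        return f"error: {e}"
    if r["signing_required"]:
        return "signing required"
    if r["signing_enabled"]:
        return "signing enabled but not required: relay target"
    return "signing disabled: relay target"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_raw(host: str, port: int = 445, timeout: float = 3.0) -> bytes:
    """Send one NEGOTIATE to host and return the raw SMB2 response message."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(netbios_frame(smb2_negotiate_request()))
        length = int.from_bytes(_recv_exact(s, 4)[1:], "big")
        return _recv_exact(s, length)


def _fake_response(security_mode: int) -> bytes:
    # Constructed NEGOTIATE response (MS-SMB2 2.2.4) with only the parsed fields set.
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0, bytes(16))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, 0x0210, 0, bytes(16),
                       0, 0, 0, 0, 0, 0, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    for host in sys.argv[1:]:  # usage: smb_signing.py host1 host2 ...
        try:
            print(host, verdict(probe_raw(host)))
        except OSError as e:
            print(host, f"error: {e}")
```

Windows servers always set SIGNING_ENABLED, so the only line that matters in the output is whether it says "required"; everything else on the list is a candidate for ntlmrelayx.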

SPF and DMARC use on 100k most popular domains
Published: 2023-01-19
Last Updated: 2023-01-19 11:16:28 UTC
by Jan Kopriva (Version: 1)

Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world[1]. The results weren’t too optimistic – it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published.

Since I created a quick script for gathering SPF and DMARC records for an arbitrary list of domains for that diary, I thought it might be interesting to use it again this week, hopefully to get some more optimistic data. Specifically, I used it to take a look at SPF and DMARC adoption on the world’s most popular domains – the top 100 thousand (as well as the top 10 thousand and the top 1 thousand) most visited domains according to the Tranco list[2].

Read the complete entry:
https://isc.sans.edu/diary/SPF+and+DMARC+use+on+100k+most+popular+domains/29452/
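The classification a survey like this has to make ("valid SPF record", "valid DMARC record") hides most of the work, so here is an added example (editor's code, not Jan's script) that applies the RFC 7208 and RFC 7489 rules that matter for counting: a domain with two SPF records or with a DMARC record lacking `p=` has no usable policy, and `+all` is a record that exists but protects nothing. The resolver is pluggable: the demo runs against a constructed zone, and `live_lookup` (requires dnspython) is the drop-in for real data.

```python
from typing import Callable, Iterable, List

TxtLookup = Callable[[str], Iterable[str]]   # name -> TXT strings; [] when absent


def spf_status(domain: str, lookup: TxtLookup) -> str:
    """'absent', 'invalid', '+all' (record present but lets anyone send) or 'valid'."""
    recs = [r for r in lookup(domain) if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not recs:
        return "absent"
    if len(recs) > 1:
        return "invalid"        # RFC 7208 3.2: more than one record is a permerror
    terms = [t.lower() for t in recs[0].split()[1:]]
    return "+all" if ("+all" in terms or "all" in terms) else "valid"


def dmarc_status(domain: str, lookup: TxtLookup) -> str:
    """'absent', 'invalid', or the published policy: 'none', 'quarantine', 'reject'."""
    recs = [r for r in lookup("_dmarc." + domain)
            if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return "absent"
    if len(recs) > 1:
        return "invalid"        # RFC 7489 6.6.3: multiple records, no policy applies
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    policy = tags.get("p")
    return policy if policy in ("none", "quarantine", "reject") else "invalid"  # p= is mandatory


def survey(domains: List[str], lookup: TxtLookup) -> dict:
    rows = [(d, spf_status(d, lookup), dmarc_status(d, lookup)) for d in domains]
    n = max(len(rows), 1)

    def pct(pred):
        return round(100.0 * sum(1 for r in rows if pred(r)) / n, 1)

    return {
        "rows": rows,
        "spf_valid_pct": pct(lambda r: r[1] in ("valid", "+all")),
        "spf_open_pct": pct(lambda r: r[1] == "+all"),
        "dmarc_valid_pct": pct(lambda r: r[2] in ("none", "quarantine", "reject")),
        "dmarc_enforcing_pct": pct(lambda r: r[2] in ("quarantine", "reject")),
    }


# Constructed zone data for the offline demo (example domains, invented records).
ZONE = {
    "bank.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "shop.example": ["v=spf1 ip4:192.0.2.0/24 ~all", "v=spf1 include:other.example ~all"],
    "_dmarc.shop.example": ["v=DMARC1; p=none"],
    "blog.example": ["v=spf1 +all"],
    "_dmarc.blog.example": ["v=DMARC1; rua=mailto:reports@blog.example"],  # no p= tag
    "old.example": ["google-site-verification=constructed"],
}


def offline_lookup(name: str) -> List[str]:
    return ZONE.get(name.lower().rstrip("."), [])


def live_lookup(name: str) -> List[str]:
    """Real resolver; swap in for offline_lookup to survey a domain list."""
    import dns.resolver  # dnspython, imported lazily so the demo has no dependency
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [b"".join(r.strings).decode("utf-8", "replace") for r in answer]
```

Reporting "valid" and "enforcing" separately matters: a `p=none` record is valid and counts toward adoption, but it only asks for reports and blocks nothing, which is the gap most adoption headlines hide.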

=========================================================
OTHER INTERNET STORM CENTER ENTRIES
=========================================================

Apple Updates (almost) Everything: Patch Overview (2023.01.24)
https://isc.sans.edu/diary/Apple+Updates+almost+Everything+Patch+Overview/29472/

Who’s Resolving This Domain? (2023.01.23)
https://isc.sans.edu/diary/Whos+Resolving+This+Domain/29462/

Wireshark 4.0.3 Released (2023.01.22)
https://isc.sans.edu/diary/Wireshark+403+Released/29460/

DShield Sensor JSON Log to Elasticsearch (2023.01.21)
https://isc.sans.edu/diary/DShield+Sensor+JSON+Log+to+Elasticsearch/29458/

=========================================================
RECENT CVEs
=========================================================


CVE-2022-47966 – Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
** KEV since 2023-01-23 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47966
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8334
NVD References:
https://github.com/apache/santuario-xml-security-java/tags?after=1.4.6
https://manageengine.com
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html

CVE-2022-42856 – A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
** KEV since 2022-12-14 **
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42856
Reference: https://support.apple.com/en-us/HT213597

CVE-2022-3970 – A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3970
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3970

CVE-2023-0332 – A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been classified as critical. Affected is an unknown function of the file admin/manage_user.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-218472.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0332
NVD References:
https://github.com/qyhmsys/cve-list/blob/master/Online%20Food%20Ordering%20System%20manage_user.php%20has%20SQLinject.md
https://vuldb.com/?id.218472

CVE-2023-22279 – MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allow a remote unauthenticated attacker to execute an arbitrary OS command.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22279
NVD References:
https://jvn.jp/en/jp/JVN99957889/index.html
https://www.ate-mahoroba.jp/netdevancer/manual/

CVE-2023-22303 – TP-Link SG105PE firmware prior to ‘TL-SG105PE(UN) 1.0_1.0.0 Build 20221208’ contains an authentication bypass vulnerability. Under certain conditions, an attacker may impersonate an administrator of the product. As a result, information may be obtained and/or the product’s settings may be altered with the privilege of the administrator.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22303
NVD References:
https://jvn.jp/en/jp/JVN78481846/index.html
https://www.tp-link.com/en/business-networking/easy-smart-switch/tl-sg105pe/
https://www.tp-link.com/jp/support/download/tl-sg105pe/v1/#Firmware

CVE-2023-22357 – Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication. A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22357
NVD References: https://jvn.jp/en/vu/JVNVU97575890/index.html

CVE-2015-10060 – A vulnerability was found in MNBikeways database and classified as critical. This issue affects some unknown processing of the file Data/views.py. The manipulation of the argument id1/id2 leads to sql injection. The name of the patch is 829a027aca7c17f5a7ec1addca8dd5d5542f86ac. It is recommended to apply a patch to fix this issue. The identifier VDB-218417 was assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10060
NVD References:
https://github.com/MNBikeways/database/commit/829a027aca7c17f5a7ec1addca8dd5d5542f86ac
https://vuldb.com/?id.218417

CVE-2017-20170 – A vulnerability was found in ollpu parontalli. It has been classified as critical. Affected is an unknown function of the file httpdocs/index.php. The manipulation of the argument s leads to sql injection. The name of the patch is 6891bb2dec57dca6daabc15a6d2808c8896620e5. It is recommended to apply a patch to fix this issue. VDB-218418 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20170
NVD References:
https://github.com/ollpu/parontalli/commit/6891bb2dec57dca6daabc15a6d2808c8896620e5
https://vuldb.com/?id.218418

CVE-2013-10013 – A vulnerability was found in Bricco Authenticator Plugin. It has been declared as critical. This vulnerability affects the function authenticate/compare of the file src/java/talentum/escenic/plugins/authenticator/authenticators/DBAuthenticator.java. The manipulation leads to sql injection. Upgrading to version 1.39 is able to address this issue. The name of the patch is a5456633ff75e8f13705974c7ed1ce77f3f142d5. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218428.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2013-10013
NVD References:
https://github.com/Bricco/authenticator-plugin/commit/a5456633ff75e8f13705974c7ed1ce77f3f142d5
https://github.com/Bricco/authenticator-plugin/releases/tag/1.39
https://vuldb.com/?id.218428

CVE-2015-10061 – A vulnerability was found in evandro-machado Trabalho-Web2. It has been classified as critical. This affects an unknown part of the file src/java/br/com/magazine/dao/ClienteDAO.java. The manipulation leads to sql injection. The name of the patch is f59ac954625d0a4f6d34f069a2e26686a7a20aeb. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218427.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10061
NVD References:
https://github.com/evandro-machado/Trabalho-Web2/commit/f59ac954625d0a4f6d34f069a2e26686a7a20aeb
https://vuldb.com/?id.218427

CVE-2016-15021 – A vulnerability was found in nickzren alsdb. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to sql injection. Upgrading to version v2 is able to address this issue. The name of the patch is cbc79a68145e845f951113d184b4de207c341599. It is recommended to upgrade the affected component. The identifier VDB-218429 was assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-15021
NVD References:
https://github.com/nickzren/alsdb/commit/cbc79a68145e845f951113d184b4de207c341599
https://github.com/nickzren/alsdb/releases/tag/v2
https://vuldb.com/?id.218429

CVE-2015-10062 – A vulnerability, which was classified as problematic, was found in galaxy-data-resource up to 14.10.0. This affects an unknown part of the component Command Line Template. The manipulation leads to injection. Upgrading to version 14.10.1 is able to address this issue. The name of the patch is 50d65f45d3f5be5d1fbff2e45ac5cec075f07d42. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218451.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10062
NVD References:
https://github.com/blankenberg/galaxy-data-resource/commit/50d65f45d3f5be5d1fbff2e45ac5cec075f07d42
https://github.com/blankenberg/galaxy-data-resource/releases/tag/v14.10.1
https://vuldb.com/?id.218451

CVE-2015-10063 – A vulnerability was found in saemorris TheRadSystem and classified as critical. This issue affects the function redirect of the file _login.php. The manipulation of the argument user/pass leads to sql injection. The attack may be initiated remotely. The name of the patch is bfba26bd34af31648a11af35a0bb66f1948752a6. It is recommended to apply a patch to fix this issue. The identifier VDB-218453 was assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10063
NVD References:
https://github.com/saemorris/TheRadSystem/commit/bfba26bd34af31648a11af35a0bb66f1948752a6
https://vuldb.com/?id.218453

CVE-2015-10064 – A vulnerability was found in VictorFerraresi pokemon-database-php. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to sql injection. The name of the patch is dd0e1e6cdf648d6a3deff441f515bcb1d7573d68. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218455.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10064
NVD References:
https://github.com/VictorFerraresi/pokemon-database-php/commit/dd0e1e6cdf648d6a3deff441f515bcb1d7573d68
https://vuldb.com/?id.218455

CVE-2022-23739 – An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that are not tied to a repository regardless of granted permissions, such as users and organization-wide projects. Resources associated with repositories were not impacted, such as repository file content, repository-specific projects, issues, or pull requests. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.1 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, 3.6.4, 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23739
NVD References:
https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.16
https://docs.github.com/en/enterprise-server@3.4/admin/release-notes#3.4.11
https://docs.github.com/en/enterprise-server@3.5/admin/release-notes#3.5.8
https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.4
https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.1

CVE-2022-47853 – TOTOlink A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection Vulnerability in the httpd service. An attacker can obtain a stable root shell through a specially constructed payload.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47853
NVD References: https://github.com/Am1ngl/ttt/tree/main/16

CVE-2022-36760 – Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-36760
NVD References: https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2022-46475 – D-Link DIR 645A1 1.06B01_Beta01 was discovered to contain a stack overflow via the service= variable in the genacgi_main function.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46475
NVD References: https://github.com/Insight8991/iot/blob/main/DIR-645%20genacgi%20Stack%20overflow.md

CVE-2023-22727 – CakePHP is a development framework for PHP web apps. In affected versions the `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by using CakePHP’s Pagination library. Manually validating or casting parameters to these methods will also mitigate the issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22727
NVD References:
https://bakery.cakephp.org/2023/01/06/cakephp_4211_4311_4410_released.html
https://github.com/cakephp/cakephp/commit/3f463e7084b5a15e67205ced3a622577cca7a239
https://github.com/cakephp/cakephp/security/advisories/GHSA-6g8q-qfpv-57wp

CVE-2023-22732 – Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week; when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout from the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22732
NVD References:
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6
https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f

CVE-2014-125081 – A vulnerability, which was classified as critical, has been found in risheesh debutsav. This issue affects some unknown processing. The manipulation leads to sql injection. The name of the patch is 7a8430df79277c613449262201cc792db894fc76. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218459.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2014-125081
NVD References:
https://github.com/risheesh/debutsav/commit/7a8430df79277c613449262201cc792db894fc76
https://vuldb.com/?id.218459

CVE-2015-10065 – A vulnerability classified as critical was found in AenBleidd FiND. This vulnerability affects the function init_result of the file validator/my_validator.cpp. The manipulation leads to buffer overflow. The name of the patch is ee2eef34a83644f286c9adcaf30437f92e9c48f1. It is recommended to apply a patch to fix this issue. VDB-218458 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10065
NVD References:
https://github.com/AenBleidd/FiND/commit/ee2eef34a83644f286c9adcaf30437f92e9c48f1
https://vuldb.com/?id.218458

CVE-2017-20171 – A vulnerability classified as critical has been found in PrivateSky apersistence. This affects an unknown part of the file db/sql/mysqlUtils.js. The manipulation leads to sql injection. The name of the patch is 954425f61634b556fe644837a592a5b8fcfca068. It is recommended to apply a patch to fix this issue. The identifier VDB-218457 was assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20171
NVD References:
https://github.com/PrivateSky/apersistence/commit/954425f61634b556fe644837a592a5b8fcfca068
https://vuldb.com/?id.218457

CVE-2022-23521 – Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.

CVE-2022-41903 – Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-23521
https://nvd.nist.gov/vuln/detail/CVE-2022-41903
NVD References:
https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89
https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst
https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem
https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq

CVE-2014-125082 – A vulnerability was found in nivit redports. It has been declared as critical. This vulnerability affects unknown code of the file redports-trac/redports/model.py. The manipulation leads to sql injection. The name of the patch is fc2c1ea1b8d795094abb15ac73cab90830534e04. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218464.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2014-125082
NVD References:
https://github.com/nivit/redports/commit/fc2c1ea1b8d795094abb15ac73cab90830534e04
https://vuldb.com/?id.218464

CVE-2015-10066 – A vulnerability was found in tynx wuersch and classified as critical. Affected by this issue is the function packValue/getByCustomQuery of the file backend/base/Store.class.php. The manipulation leads to sql injection. The name of the patch is 66d4718750a741d1053d327a79e285fd50372519. It is recommended to apply a patch to fix this issue. VDB-218462 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10066
NVD References:
https://github.com/tynx/wuersch/commit/66d4718750a741d1053d327a79e285fd50372519
https://vuldb.com/?id.218462

CVE-2023-21890 – Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core). Supported versions that are affected are 7.1.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Communications Converged Application Server. Successful attacks of this vulnerability can result in takeover of Oracle Communications Converged Application Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21890
NVD References: https://www.oracle.com/security-alerts/cpujan2023.html

CVE-2022-41989 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not validate the length of RTLS report payloads during communication. This allows an attacker to send an exceedingly long payload, resulting in an out-of-bounds write to cause a denial-of-service condition or code execution.

CVE-2022-43483 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the monitor services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.

CVE-2022-45444 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application’s database. This could allow a remote attacker to login to the database with unrestricted access.

CVE-2022-47911 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the backup services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.
CVSS Scores: 9.0 – 10.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-41989
https://nvd.nist.gov/vuln/detail/CVE-2022-43483
https://nvd.nist.gov/vuln/detail/CVE-2022-45444
https://nvd.nist.gov/vuln/detail/CVE-2022-47911
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01

CVE-2023-0397 – A malicious / defective Bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.
CVSS Score: 9.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0397
NVD References: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wc2h-h868-q7hj

CVE-2023-22741 – Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attribute length checks** when it handles STUN packets, leading to a controllable heap overflow. For example, in stun_parse_attribute(), after we get the attribute’s type and length value, the length will be used directly to copy from the heap, regardless of the message’s remaining size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22741
NVD References:
https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764
https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54
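The Sofia-SIP entry above describes a STUN parser that trusts an attribute's length field and copies that many bytes regardless of how much of the message is actually left. The following is an added example written for this newsletter, not Sofia-SIP's code: a minimal STUN attribute walker over the RFC 5389 TLV layout that performs the two checks the advisory says were missing (declared message length against the buffer, and each attribute's length against the bytes remaining) before any copy happens. The function names, the constants and the three sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical STUN attribute walker written for this entry (not Sofia-SIP code).
 * Layout per RFC 5389: 20-byte header (type, length, magic cookie, transaction id),
 * then attributes as 16-bit type, 16-bit length, value padded to a 4-byte boundary.
 * The header length field counts the bytes after the header, padding included. */

#define STUN_HEADER_LEN   20
#define STUN_ATTR_HDR_LEN 4
#define STUN_MAX_VALUE    64   /* bounded scratch copy of each attribute value */

enum stun_result {
    STUN_OK = 0,
    STUN_ERR_SHORT_HEADER,   /* fewer than 20 bytes on the wire */
    STUN_ERR_BAD_MSG_LEN,    /* header length field exceeds the buffer we hold */
    STUN_ERR_TRUNC_ATTR      /* an attribute claims more bytes than are left */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk every attribute, copying each value into a bounded buffer only after
 * proving it fits. Returns STUN_OK and the attribute count, or an error code. */
enum stun_result stun_walk_attributes(const uint8_t *msg, size_t msg_len, size_t *attr_count)
{
    if (msg_len < STUN_HEADER_LEN)
        return STUN_ERR_SHORT_HEADER;

    /* Check 1: the declared message length must fit the buffer actually received. */
    size_t declared = be16(msg + 2);
    if (declared > msg_len - STUN_HEADER_LEN)
        return STUN_ERR_BAD_MSG_LEN;

    size_t off = STUN_HEADER_LEN;
    size_t end = STUN_HEADER_LEN + declared;
    size_t count = 0;

    while (off < end) {
        if (end - off < STUN_ATTR_HDR_LEN)
            return STUN_ERR_TRUNC_ATTR;            /* no room even for type + length */

        uint16_t type = be16(msg + off);
        size_t len = be16(msg + off + 2);
        size_t padded = (len + 3) & ~(size_t)3;   /* values are 4-byte aligned */

        /* Check 2: the attribute's own length must fit in what is left of the
         * message. This is the check the advisory describes as missing. */
        if (padded > end - off - STUN_ATTR_HDR_LEN)
            return STUN_ERR_TRUNC_ATTR;

        uint8_t value[STUN_MAX_VALUE];
        size_t copy = len < sizeof value ? len : sizeof value;
        memcpy(value, msg + off + STUN_ATTR_HDR_LEN, copy);   /* bounded on both sides */
        (void)type;

        off += STUN_ATTR_HDR_LEN + padded;
        count++;
    }
    *attr_count = count;
    return STUN_OK;
}

/* Constructed sample packets (Binding Request, magic cookie, dummy transaction id,
 * one USERNAME attribute "abcd"). These are test inputs, not captured traffic. */
#define STUN_HDR_20(len_hi, len_lo) \
    0x00, 0x01, len_hi, len_lo, 0x21, 0x12, 0xA4, 0x42, \
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B

static const uint8_t msg_well_formed[]   = { STUN_HDR_20(0x00, 0x08), 0x00, 0x06, 0x00, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t msg_overlong_attr[] = { STUN_HDR_20(0x00, 0x08), 0x00, 0x06, 0x0F, 0xFF, 'a', 'b', 'c', 'd' }; /* attr says 4095 bytes, 4 present */
static const uint8_t msg_overlong_hdr[]  = { STUN_HDR_20(0x01, 0x00), 0x00, 0x06, 0x00, 0x04, 'a', 'b', 'c', 'd' }; /* header says 256 bytes, 8 present */

enum stun_result parse_well_formed(void)   { size_t n = 0; return stun_walk_attributes(msg_well_formed, sizeof msg_well_formed, &n); }
size_t           well_formed_attr_count(void) { size_t n = 0; stun_walk_attributes(msg_well_formed, sizeof msg_well_formed, &n); return n; }
enum stun_result parse_overlong_attr(void) { size_t n = 0; return stun_walk_attributes(msg_overlong_attr, sizeof msg_overlong_attr, &n); }
enum stun_result parse_overlong_hdr(void)  { size_t n = 0; return stun_walk_attributes(msg_overlong_hdr, sizeof msg_overlong_hdr, &n); }

int main(void)
{
    printf("well-formed:   %d (attrs=%zu)\n", parse_well_formed(), well_formed_attr_count());
    printf("overlong attr: %d\n", parse_overlong_attr());
    printf("overlong hdr:  %d\n", parse_overlong_hdr());
    return 0;
}
```

The second sample packet is the shape of input the advisory describes: a 16-bit length field of 0x0FFF with only four value bytes behind it. A parser that uses that length directly as a memcpy size reads far past the message; the walker above rejects it before any copy because the padded length exceeds the bytes remaining.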

CVE-2023-20025 – A vulnerability in the web-based management interface of Cisco Small Business RV042 Series Routers could allow an unauthenticated, remote attacker to bypass authentication on the affected device. This vulnerability is due to incorrect user input validation of incoming HTTP packets. An attacker could exploit this vulnerability by sending crafted requests to the web-based management interface. A successful exploit could allow the attacker to gain root privileges on the affected device.
CVSS Score: 9.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20025
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5

CVE-2023-23607 – erohtar/Dasherr is a dashboard for self-hosted services. In affected versions unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server. The file /www/include/filesave.php allows any file to be uploaded anywhere. If an attacker uploads a php file they can execute code on the server. This issue has been addressed in version 1.05.00. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23607
NVD References:
https://github.com/erohtar/Dasherr/commit/445325c7cf1148a8cd38af3a90789c6cbf6c5112
https://github.com/erohtar/Dasherr/security/advisories/GHSA-6rgc-2x44-7phq

CVE-2023-0052 – SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior allows the execution of commands without credentials. As Telnet and file transfer protocol (FTP) are the only protocols available for device management, an unauthorized user could access the system and modify the device configuration, which could result in the unauthorized user executing unrestricted malicious commands.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0052
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-05

CVE-2023-22809 – In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22809
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8332
NVD References:
https://www.openwall.com/lists/oss-security/2023/01/19/1
https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/
https://www.debian.org/security/2023/dsa-5321
https://www.sudo.ws/security/advisories/sudoedit_any/
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf

CVE-2023-21796 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerabilities
CVE-2023-21719 – Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
CVSS Scores: 6.5 – 8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C, 3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C, 3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21775
https://nvd.nist.gov/vuln/detail/CVE-2023-21795
https://nvd.nist.gov/vuln/detail/CVE-2023-21796
https://nvd.nist.gov/vuln/detail/CVE-2023-21719
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21775
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21795
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21796
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21719

CVE-2022-41120 and CVE-2022-44704 – Microsoft Windows Sysmon Elevation of Privilege Vulnerabilities.
CVSS Score: 0
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-41120
https://nvd.nist.gov/vuln/detail/CVE-2022-44704
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8334

@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 03

@RISK: The Consensus Security Vulnerability Alert
January 19, 2023 – Vol. 23, Num. 03

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Malicious Google Ad –> Fake Notepad++ Page –> Aurora Stealer malware
Published: 2023-01-18
Last Updated: 2023-01-18 07:31:54 UTC
by Brad Duncan (Version: 1)

Introduction

Google ads are a common vector for malware distribution. Do a Google search for any popular free software download. Review any search results marked “Ad” or “Sponsored,” then check the link to see if anything is unusual.

I’ve already written two diaries and authored various tweets about this type of activity:

https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
https://twitter.com/Unit42_Intel/status/1615470858067222568
https://twitter.com/Unit42_Intel/status/1608567622856998912

Others have also reported this activity. Recent posts include:

https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/
https://heimdalsecurity.com/blog/google-ads-exploited-to-spread-malware/
https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
https://www.hackread.com/google-ads-malware-nft-crypto-wallet/

One example of free software routinely spoofed for Google ads is Notepad++. Almost without fail, I can find a fake webpage for Notepad++ every day through Google ads. For today’s diary, I found a Google ad for a malicious site at notopod-plos-plus[.]com.

Read the complete entry:
https://isc.sans.edu/diary/Malicious+Google+Ad+Fake+Notepad+Page+Aurora+Stealer+malware/29448/

PSA: Why you must run an ad blocker when using Google
Published: 2023-01-16
Last Updated: 2023-01-16 13:50:18 UTC
by Johannes Ullrich (Version: 1)

Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time.

Ads have been important in supporting a lot of good (and, of course, bad) content on the web. It has been a long-standing “social contract” to allow ads to help support creators of valuable content. But sadly, ad networks have not provided any due diligence verification of the ad buys they accept. As a result, in particular, ads displayed as part of Google search results are often used to distribute malicious software impersonating popular products. Open-source and free products are particularly vulnerable. They usually cannot pay for competing ads to reduce the effectiveness of malicious advertisements.

Read the complete entry:
https://isc.sans.edu/diary/PSA+Why+you+must+run+an+ad+blocker+when+using+Google/29438/

Elon Musk Themed Crypto Scams Flooding YouTube Today
Published: 2023-01-15
Last Updated: 2023-01-15 17:09:34 UTC
by Johannes Ullrich (Version: 1)

I noticed several videos posted to YouTube today attempting to direct users to crypto coin scam websites. The overall ruse is quite old: The scam promises that Elon Musk, or an organization associated with him, is giving away crypto coins. The catch: You first have to send crypto coins to the address to receive multiple of them back.

It all starts with a video promising a live stream of Elon Musk covering current developments around SpaceX. The channel being used for these videos, SpaceXMission, has over 2 Million subscribers right now and around 430 Million views. Interestingly, this is not a new channel, but it started on August 25th, 2008. Currently, around 4 thousand users are watching the “live streams”.

During the video, a QR code is displayed alongside an image that claims to show a tweet by Elon Musk promising crypto coins.

Read the complete entry:
https://isc.sans.edu/diary/Elon+Musk+Themed+Crypto+Scams+Flooding+YouTube+Today/29434/

=========================================================
OTHER INTERNET STORM CENTER ENTRIES
=========================================================

Finding that one GPO Setting in a Pool of Hundreds of GPOs (2023.01.17)
https://isc.sans.edu/diary/Finding+that+one+GPO+Setting+in+a+Pool+of+Hundreds+of+GPOs/29442/

Prowler v3: AWS & Azure security assessments (2023.01.12)
https://isc.sans.edu/diary/Prowler+v3+AWS+Azure+security+assessments/29430/

=========================================================
RECENT CVEs
=========================================================

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
** KEV since 2023-01-10 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21674
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674

CVE-2023-0014 – SAP NetWeaver ABAP Server and ABAP Platform – versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to a capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0014
NVD References:
https://launchpad.support.sap.com/#/notes/3089413
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2023-0017 – An unauthenticated attacker in SAP NetWeaver AS for Java – version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0017
NVD References:
https://launchpad.support.sap.com/#/notes/3268093
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2017-20166 – Ecto 2.2.0 lacks a certain protection mechanism associated with the interaction between is_nil and raise.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20166
NVD References:
https://github.com/advisories/GHSA-2xxx-fhc8-9qvq
https://github.com/elixir-ecto/ecto/commit/db55b0cba6525c24ebddc88ef9ae0c1c00620250
https://github.com/elixir-ecto/ecto/pull/2125
https://groups.google.com/forum/#!topic/elixir-ecto/0m4NPfg_MMU

CVE-2023-22903 – api/views/user.py in LibrePhotos before e19e539 has incorrect access control.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22903
NVD References: https://github.com/LibrePhotos/librephotos/commit/e19e539356df77f6f59e7d1eea22d452b268e120

CVE-2022-43514 – A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4). The affected component does not correctly validate the root path on folder related operations, allowing to modify files and folders outside the intended root directory. This could allow an unauthenticated remote attacker to execute file operations of files outside of the specified root folder. Chained with CVE-2022-43513 this could allow Remote Code Execution.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43514
NVD References: https://cert-portal.siemens.com/productcert/pdf/ssa-476715.pdf

CVE-2022-3792 – This issue affects: Terminal Operating System versions before 5.0.13
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3792
NVD References:
https://fordefence.com/cve-2022-3792-gullseye-terminal-operation-system/
https://omrylmz.com/cve-2022-3792-terminal-operation-system/
https://www.usom.gov.tr/bildirim/tr-22-0747-2

CVE-2022-4422 – This issue affects: Bulutses Bilgi Teknolojileri LTD. ŞTİ. BULUTDESK CALLCENTER versions prior to 3.0.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4422
NVD References: https://www.usom.gov.tr/bildirim/tr-22-0747

CVE-2016-15017 – A vulnerability has been found in fabarea media_upload and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.php. The manipulation leads to pathname traversal. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is b25d42a4981072321c1a363311d8ea2a4ac8763a. It is recommended to upgrade the affected component. VDB-217786 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-15017
NVD References:
https://github.com/fabarea/media_upload/commit/b25d42a4981072321c1a363311d8ea2a4ac8763a
https://github.com/fabarea/media_upload/issues/6
https://github.com/fabarea/media_upload/releases/tag/0.9.0
https://vuldb.com/?ctiid.217786
https://vuldb.com/?id.217786

CVE-2014-125073 – A vulnerability was found in mapoor voteapp. It has been rated as critical. Affected by this issue is the function create_poll/do_poll/show_poll/show_refresh of the file app.py. The manipulation leads to sql injection. The name of the patch is b290c21a0d8bcdbd55db860afd3cadec97388e72. It is recommended to apply a patch to fix this issue. VDB-217790 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2014-125073
NVD References:
https://github.com/mapoor/voteapp/commit/b290c21a0d8bcdbd55db860afd3cadec97388e72
https://vuldb.com/?ctiid.217790
https://vuldb.com/?id.217790

CVE-2022-4337 – An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4337
NVD References:
https://github.com/openvswitch/ovs/pull/405
https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
https://www.debian.org/security/2023/dsa-5319
https://www.openwall.com/lists/oss-security/2022/12/21/4

CVE-2022-4338 – An integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4338
NVD References:
https://github.com/openvswitch/ovs/pull/405
https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
https://www.debian.org/security/2023/dsa-5319
https://www.openwall.com/lists/oss-security/2022/12/21/4
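Both Open vSwitch entries above are length-handling bugs in the LLDP organizationally-specific TLV (type 127), whose value must begin with a 3-byte OUI and a 1-byte subtype before any payload. The parser below is an added example written for this newsletter, not Open vSwitch code, and it makes no claim about where in OvS the bugs sit: it shows the two checks a TLV parser of this kind needs (the declared length must fit the frame, and a type-127 TLV must be at least 4 bytes before `length - 4` is used as a payload size) and, in `unsigned_info_len`, what that subtraction becomes under unsigned C arithmetic when the check is missing. The sample frames are constructed, not captured traffic.

```python
import struct

LLDP_TLV_END = 0
LLDP_TLV_ORG_SPECIFIC = 127
ORG_HEADER_LEN = 4  # 3-byte OUI + 1-byte organizationally defined subtype


class LldpParseError(ValueError):
    """Raised for any TLV whose declared length does not fit the data."""


def tlv(tlv_type, value):
    """Build one TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldp_tlvs(lldpdu):
    """Parse an LLDPDU (the Ethernet payload) into a list of dicts.

    Every declared length is checked against the bytes actually present, and a
    type-127 TLV shorter than its 4-byte OUI+subtype header is rejected instead
    of being used to derive a negative (in C: wrapped-around) payload length.
    """
    tlvs = []
    off = 0
    while off < len(lldpdu):
        if off + 2 > len(lldpdu):
            raise LldpParseError(f"truncated TLV header at offset {off}")
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        start, end = off + 2, off + 2 + tlv_len
        if end > len(lldpdu):
            raise LldpParseError(
                f"TLV type {tlv_type} at offset {off} declares {tlv_len} bytes "
                f"but only {len(lldpdu) - start} remain")
        value = lldpdu[start:end]
        if tlv_type == LLDP_TLV_END:
            tlvs.append({"type": tlv_type})
            return tlvs
        if tlv_type == LLDP_TLV_ORG_SPECIFIC:
            if tlv_len < ORG_HEADER_LEN:
                raise LldpParseError(
                    f"org-specific TLV at offset {off} is {tlv_len} bytes, "
                    f"shorter than its {ORG_HEADER_LEN}-byte OUI+subtype header")
            tlvs.append({"type": tlv_type, "oui": value[:3].hex(),
                         "subtype": value[3], "info": value[4:]})
        else:
            tlvs.append({"type": tlv_type, "value": value})
        off = end
    raise LldpParseError("LLDPDU ended without an End-of-LLDPDU TLV")


def unsigned_info_len(tlv_len, bits=32):
    """What `tlv_len - 4` evaluates to in unsigned C arithmetic of the given
    width when no minimum-length check precedes it: the underflow that turns a
    2-byte org-specific TLV into a multi-gigabyte read length."""
    return (tlv_len - ORG_HEADER_LEN) % (1 << bits)


def rejects(lldpdu):
    """True if the parser refuses the LLDPDU."""
    try:
        parse_lldp_tlvs(lldpdu)
    except LldpParseError:
        return True
    return False


# Constructed sample frames (not captured traffic).
CHASSIS = tlv(1, b"\x04" + bytes.fromhex("001122334455"))   # Chassis ID, subtype 4 = MAC address
GOOD_LLDPDU = (
    CHASSIS
    + tlv(2, b"\x05" + b"eth0")                 # Port ID, subtype 5 = interface name
    + tlv(3, struct.pack("!H", 120))            # TTL in seconds
    + tlv(127, bytes.fromhex("00120f") + b"\x01" + b"\x03\x00\x00\x00\x00")  # IEEE 802.3 OUI, subtype 1
    + tlv(0, b""))                              # End of LLDPDU
# Type-127 TLV carrying only 2 value bytes: no room for OUI + subtype.
SHORT_ORG_LLDPDU = CHASSIS + tlv(127, b"\x00\x12") + tlv(0, b"")
# Header promises 20 value bytes but the frame ends after 3.
TRUNCATED_LLDPDU = CHASSIS + struct.pack("!H", (127 << 9) | 20) + b"\x00\x12\x0f"
```

Running `parse_lldp_tlvs` on `GOOD_LLDPDU` yields the five TLVs; the short and truncated frames raise before any payload length is computed. The `unsigned_info_len(2)` value is the point of the second CVE: without the `tlv_len < ORG_HEADER_LEN` check, a 2-byte TLV becomes a 4,294,967,294-byte read.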

CVE-2021-3966 – usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.
CVSS Score: 9.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-3966
NVD References: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfxq-3w6x-fv2m

CVE-2022-47865 – Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeOrder.php.
CVE-2022-47866 – Lead management system v1.0 is vulnerable to SQL Injection via the id parameter in removeBrand.php.
CVE-2022-47859 – Lead Management System v1.0 is vulnerable to SQL Injection via the user_id parameter in changePassword.php.
CVE-2022-47860 – Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeProduct.php.
CVE-2022-47861 – Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeLead.php.
CVE-2022-47862 – Lead Management System v1.0 is vulnerable to SQL Injection via the customer_id parameter in ajax_represent.php.
CVE-2022-47864 – Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeCategories.php.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47865
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47866
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47859
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47860
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47861
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47862
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47864
NVD References:
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeOrder.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeBrand.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20changePassword.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeProduct.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeLead.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20ajax_represent.php%20.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeCategories.php.md
https://www.sourcecodester.com/php/15933/lead-management-system-php-open-source-free-download.html

CVE-2022-39184 – EXFO – BV-10 Performance Endpoint Unit authentication bypass. User can manually manipulate access enabling authentication bypass.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39184
NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2022-39185 – EXFO – BV-10 Performance Endpoint Unit undocumented privileged user. Unit has an undocumented hard-coded privileged user.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39185
NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2023-22600 – InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmware updates.
CVE-2023-22601 – InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22600
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22601
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

CVE-2022-41778 – Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-DataCollect service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41778
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-07

CVE-2023-22495 – Izanami is a shared configuration service well-suited for micro-service architecture implementation. Attackers can bypass the authentication in this application when deployed using the official Docker image. Because a hard coded secret is used to sign the authentication token (JWT), an attacker could compromise another instance of Izanami. This issue has been patched in version 1.11.0.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22495
NVD References:
https://github.com/MAIF/izanami/releases/tag/v1.11.0
https://github.com/MAIF/izanami/security/advisories/GHSA-9r7j-m337-792c
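The Izanami entry is the general failure of a signing secret that ships inside an image: every deployment built from that image shares it, so a token minted against one copy validates on every other. The example below is an added illustration for this newsletter, not Izanami's code, and it does not reproduce Izanami's token format or claims; the secret value, the `Service` class and its `issue`/`is_admin` methods are hypothetical stand-ins. It implements HS256 JWT signing and verification with the standard library, shows the cross-instance forgery, and shows the fix the advisory implies: a secret generated per instance at deploy time.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign_hs256(claims, secret):
    """header.payload.signature with HMAC-SHA256 over the first two segments."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def jwt_verify_hs256(token, secret):
    """Return the claims if the signature is valid under `secret`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # the token never gets to choose the algorithm
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


# Hypothetical value standing in for a secret baked into a container image.
BAKED_IN_SECRET = b"secret-shipped-in-the-docker-image"


class Service:
    """Stand-in for a service that grants admin rights to any HS256 token its
    secret validates. Called with no argument it draws a per-instance random
    secret, which is the fix for a secret shared by every copy of an image."""

    def __init__(self, secret=None):
        self.secret = secrets.token_bytes(32) if secret is None else secret

    def issue(self, subject, role):
        return jwt_sign_hs256({"sub": subject, "role": role}, self.secret)

    def is_admin(self, token):
        claims = jwt_verify_hs256(token, self.secret)
        return claims is not None and claims.get("role") == "admin"


def demo():
    """(accepted by a victim sharing the baked-in secret, accepted by a victim with its own secret)."""
    attacker_copy = Service(BAKED_IN_SECRET)      # attacker runs the same image, so holds the secret
    victim_same_image = Service(BAKED_IN_SECRET)
    victim_fixed = Service()                      # fresh random secret at deploy time
    forged = attacker_copy.issue("attacker", "admin")
    return victim_same_image.is_admin(forged), victim_fixed.is_admin(forged)


def tampered_rejected():
    """A payload edited after signing must fail on the issuing service itself."""
    svc = Service()
    token = svc.issue("alice", "user")
    header, _, sig = token.split(".")
    escalated = b64url_encode(json.dumps({"sub": "alice", "role": "admin"}).encode())
    return not svc.is_admin(f"{header}.{escalated}.{sig}")


if __name__ == "__main__":
    print("shared secret accepts forged token:", demo()[0])
    print("per-instance secret accepts forged token:", demo()[1])
```

The check to run against a real deployment is the same one `demo()` encodes: if two instances built from the same image accept each other's tokens, the secret is in the image, and rotating it per instance (or, as here, generating it at start-up) is the fix, independent of whatever else the release patched.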

CVE-2022-43462 – Auth. SQL Injection (SQLi) vulnerability in Adeel Ahmed’s IP Blacklist Cloud plugin <= 5.00 versions.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43462
NVD References: https://patchstack.com/database/vulnerability/ip-blacklist-cloud/wordpress-ip-blacklist-cloud-plugin-5-00-auth-sql-injection-sqli-vulnerability?_s_id=cve

CVE-2023-22727 – CakePHP is a development framework for PHP web apps. In affected versions the `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by using CakePHP’s Pagination library. Manually validating or casting parameters to these methods will also mitigate the issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22727
NVD References:
https://bakery.cakephp.org/2023/01/06/cakephp_4211_4311_4410_released.html
https://github.com/cakephp/cakephp/commit/3f463e7084b5a15e67205ced3a622577cca7a239
https://github.com/cakephp/cakephp/security/advisories/GHSA-6g8q-qfpv-57wp

CVE-2023-22731 – Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin.
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22731
NVD References:
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1
https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w

CVE-2022-23521 – Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23521
NVD References:
https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89

CVE-2022-41903 – Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=…`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41903
NVD References:
https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst
https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem
https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
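Both Git entries are triggered by content in `.gitattributes`: CVE-2022-23521 by huge pattern counts, attribute counts or attribute names, and CVE-2022-41903 indirectly through the `export-subst` attribute that makes `git archive` expand `$Format:...$` placeholders. Upgrading is the fix; the script below is an added triage aid for this newsletter, not Git's own code, for deciding which repositories to look at first. It parses `.gitattributes` the way Git does at the surface (pattern, then whitespace-separated attribute tokens; `#` comments), flags the four oversized-input conditions and any `export-subst` use, and walks a checkout for every `.gitattributes` file. The 2048-byte figure comes from the advisory text; the other thresholds are assumptions chosen for the example, not limits taken from Git's source, and the sample files are constructed.

```python
from pathlib import Path

# 2048 is the line length at which git splits .gitattributes lines read from
# the working tree, per the advisory. The other three thresholds are assumptions
# chosen for this example, not limits taken from git's source.
LINE_BYTES_LIMIT = 2048
MAX_ATTRS_PER_PATTERN = 100
MAX_ATTR_NAME_LEN = 256
MAX_PATTERNS = 5000


def parse_gitattributes(text):
    """Yield (lineno, pattern, [attribute tokens]) for each non-comment, non-blank line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def audit_gitattributes(text):
    """Return (kind, lineno, detail) findings for one .gitattributes body.

    long-line / many-attrs / long-attr-name / many-patterns are the oversized
    inputs behind CVE-2022-23521; export-subst marks patterns whose files
    `git archive` will expand (CVE-2022-41903's indirect path). A finding is a
    reason to inspect the file, not proof that it carries a payload.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        size = len(raw.encode("utf-8", "surrogateescape"))
        if size > LINE_BYTES_LIMIT:
            findings.append(("long-line", lineno, f"{size} bytes"))
    entries = list(parse_gitattributes(text))
    if len(entries) > MAX_PATTERNS:
        findings.append(("many-patterns", 0, f"{len(entries)} patterns"))
    for lineno, pattern, attrs in entries:
        if len(attrs) > MAX_ATTRS_PER_PATTERN:
            findings.append(("many-attrs", lineno, f"{len(attrs)} attributes on {pattern!r}"))
        for token in attrs:
            name = token.lstrip("-!").split("=", 1)[0]  # drop unset/unspecified prefix and =value
            if len(name) > MAX_ATTR_NAME_LEN:
                findings.append(("long-attr-name", lineno, f"{len(name)}-char attribute name"))
        if "export-subst" in attrs:
            findings.append(("export-subst", lineno,
                             f"git archive will expand $Format:...$ in files matching {pattern!r}"))
    return findings


def audit_worktree(root):
    """Audit every .gitattributes under a checkout, keyed by relative path.

    Only the working tree is covered: a .gitattributes that exists only in the
    index or in history must be extracted (git show <rev>:.gitattributes) and
    fed to audit_gitattributes() directly.
    """
    root = Path(root)
    results = {}
    for path in root.rglob(".gitattributes"):
        findings = audit_gitattributes(path.read_text(errors="replace"))
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


# Constructed sample files, not taken from any real repository.
BENIGN = "# normal project\n*.txt text\n*.png -text\n*.sh eol=lf\n"
SUSPICIOUS = (
    "*.c text\n"
    "VERSION export-subst\n"
    "* " + " ".join(f"attr{i}" for i in range(3000)) + "\n"  # one pattern, 3000 attributes, ~26 KB line
)

if __name__ == "__main__":
    for kind, lineno, detail in audit_gitattributes(SUSPICIOUS):
        print(f"{kind:15} line {lineno}: {detail}")
```

`audit_gitattributes(BENIGN)` returns no findings; the suspicious sample produces one `export-subst` finding on line 2 and `long-line` plus `many-attrs` on line 3. The `export-subst` finding is the one to act on if `git archive` is exposed (for example via `git daemon`) before the upgrade lands, since it identifies exactly the files whose placeholders the archive step will format.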

CVE-2022-46732 – Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46732
NVD References:
https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01
https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01

CVE-2023-21890 – Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core). Supported versions that are affected are 7.1.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Communications Converged Application Server. Successful attacks of this vulnerability can result in takeover of Oracle Communications Converged Application Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21890
NVD References: https://www.oracle.com/security-alerts/cpujan2023.html

CVE-2022-41989 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not validate the length of RTLS report payloads during communication. This allows an attacker to send an exceedingly long payload, resulting in an out-of-bounds write to cause a denial-of-service condition or code execution.
CVE-2022-43483 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the monitor services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.
CVE-2022-47911 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the backup services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.
CVE-2022-45444 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application’s database. This could allow a remote attacker to login to the database with unrestricted access.
CVSS Scores: 9.0 – 10.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41989
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43483
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47911
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45444
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01
