SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 23ISSUE 47
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Cobalt Strike's "Runtime Configuration"
Published: 2023-12-05
Last Updated: 2023-12-05 08:00:19 UTC
by Didier Stevens (Version: 1)
I published an update for my 1768.py tool, a tool to extract the configuration from Cobalt Strike beacons.
1768.py tries to extract the beacon configuration from payloads and process memory dumps. It looks for the embedded configuration, the TLV table that is XOR encoded (0x2E version 4).
Prior this version (0.0.20), process memory dumps were just handled as raw files.
This new version also looks for the "runtime configuration": this is a C/C++ array found on the heap, created by the beacon code by parsing the embedded configuration. This array contains values (integers and pointers) for each configuration item. An example can be found in this blog post.
For example, the portnumber is configuration item 2, and is stored as an integer in the third position of the array (array[2]).
The public key is configuration item 7, a binary sequence (ASN1 DER encoded). It is stored as a pointer (to the binary sequence) in the eigtht position of the array (array[7]). The binary sequence representing the public key, is also stored on the heap. Since we are dealing with pointer in C/C++, we have 32-bit and 64-bit implementations.
Since address translations need to take place, 1768.py require the python module minidump to be installed.
If it is not installed and a runtime configuration is found, a warning will be displayed...
Read the full entry:
https://isc.sans.edu/diary/Cobalt+Strikes+Runtime+Configuration/30426/
Apple Patches Exploited WebKit Vulnerabilities in iOS/iPadOS/macOS
Published: 2023-11-30
Last Updated: 2023-12-01 17:21:37 UTC
by Johannes Ullrich (Version: 1)
Apple today released patches for two WebKit vulnerabilities affecting macOS, iPadOS and iOS. I would expect standalone Safari updates for older macOS versions in the future. At this point, only the most recent operating system versions received patches.
The vulnerabilities have been exploited against versions of iOS before 16.7.1. iOS 16.7.2 is the latest iOS 16 release, released in late October. It is not clear if it is vulnerable. Apple just states which versions were successfully exploited.
Read the full entry:
https://isc.sans.edu/diary/Apple+Patches+Exploited+WebKit+Vulnerabilities+in+iOSiPadOSmacOS/30444/
Zarya Hacktivists: More than just Sharepoint.
Published: 2023-12-04
Last Updated: 2023-12-04 16:38:58 UTC
by Johannes Ullrich (Version: 1)
Last week, I wrote about a system associated with pro-Russian hacktivist scanning for vulnerable Sharepoint servers [1]. Thanks to @DonPasci on X for pointing me to an article by Radware about the same group using Mirai [2][3]. This group has been active for a while, using various low-hanging fruit exploits to hunt for defacement targets.
The group calls itself "Zarya" (). The Cyrillic alphabet does not contain the letter "z." After Russian troops used the "Z" symbol to mark their vehicles in their push on Kyiv early in 2022, the character became a popular symbol to express support for the war in Russia. It has often been used to replace the letter "," which is pronounced like the English "Z." Therefore, the name of the hacktivist group is likely supposed to be pronounced as "," or "dawn" in English.
But let's return to the IP address we identified last week: 212.113.106.100. This IP address has not been idle since then. We have observed several different exploits with our honeypots.
Many of them are just simple recognizance. Requests for "/" to retrieve index pages. These are likely just used to identify possible targets.
There are also some directory traversal attempts. I have no idea if they will work with reasonably up-to-date systems. In particular, requests like "/../../../../etc/passwd"...
https://isc.sans.edu/diary/Zarya+Hacktivists+More+than+just+Sharepoint/30450/
Internet Storm Center Entries
Whose packet is it anyway: a new RFC for attribution of internet probes (2023.12.06)
Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today (2023.11.30)
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-1389 - TP-Link Archer AX21 firmware versions prior to 1.1.4 Build 20230219 have a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint, allowing an attacker to run commands as root.
CVE-2023-6345 - Chromium:
CVE-2023-42916 - iOS, iPadOS, macOS, and Safari before versions 17.1.2, 14.1.2, and 17.1.2 respectively, allow out-of-bounds reads during web content processing, potentially revealing sensitive data, with a possibility of exploitation on earlier iOS versions before 16.7.1.
CVE-2023-42917 - iOS, iPadOS, macOS Sonoma and Safari versions prior to 17.1.2, 14.1.2, and 17.1.2 respectively are susceptible to arbitrary code execution through web content processing, with Apple acknowledging potential exploitation in iOS versions before 16.7.1.
CVE-2023-33063 - Memory corruption in DSP Services during a remote call from HLOS to DSP.
CVE-2023-33106 - Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
CVE-2023-33107 - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.
CVE-2023-47503 - jflyfox jfinalCMS v.5.1.0 is vulnerable to remote code execution due to a crafted script in the login.jsp component of the template management module.
CVE-2023-3368 - Chamilo LMS v1.11.20 is vulnerable to command injection in `/main/webservices/additional_webservices.php`, allowing unauthenticated attackers to execute remote code due to improper neutralisation of special characters, bypassing
CVE-2023-3533 - Chamilo LMS <= v1.11.20 allows unauthenticated attackers to execute remote code and perform stored XSS attacks through a path traversal vulnerability in the file upload functionality of `/main/webservices/additional_webservices.php`.
CVE-2023-3545 - Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to obtain remote code execution by uploading a malicious `.htaccess` file.
CVE-2023-48022 - Anyscale Ray 2.6.3 and 2.8.0 allows remote code execution via job submission API disregarding vendor's stance on its usage.
CVE-2023-48023 - Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF, disregarding the product's intended use within a strictly controlled network environment.
CVE-2023-49313 - XMachOViewer 0.04 allows attackers to compromise integrity by injecting unauthorized code into processes, potentially leading to remote control and unauthorized access to sensitive user data.
CVE-2023-49314 - Asana Desktop 2.1.0 on macOS allows code injection due to inadequate protection against specific Electron Fuses.
Product: Asana DesktopCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49314NVD References: - https://asana.com/pt/download- https://github.com/electron/fuses- https://github.com/louiselalanne/CVE-2023-49314- https://github.com/r3ggi/electroniz3r- https://www.electronjs.org/docs/latest/tutorial/fusesCVE-2023-46589 - Apache Tomcat is vulnerable to an Improper Input Validation vulnerability that allows request smuggling when behind a reverse proxy, and can be fixed by upgrading to a version starting from 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards, or 8.5.96 onwards.Product: Apache TomcatCVSS Score: 7.5NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46589ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8756NVD References: https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxrNVD References: https://www.openwall.com/lists/oss-security/2023/11/28/2CVE-2023-41264 - Netwrix Usercube before 6.0.215 allows authentication bypass and privilege escalation if certain configuration fields are omitted.Product: Netwrix UsercubeCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-41264NVD References: - https://www.netwrix.com/identity_governance_and_administration_solution.html- https://www.synacktiv.com/advisories/usercube-netwrix-multiple-vulnerabilitiesCVE-2023-48193 - JumpServer GPLv3 v.3.8.0 is vulnerable to Insecure Permissions, enabling remote attackers to execute arbitrary code by bypassing the command filtering function.Product: Fit2Cloud JumpserverCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48193NVD References: - http://jumpserver.com- https://github.com/296430468/lcc_test/blob/main/jumpserver_BUG.md- https://github.com/jumpserver/jumpserverCVE-2023-23324 - Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account.Product: Zumtobel Netlink CCDCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23324NVD References: - http://zumtobel.com- https://yoroi.company/en/research/cve-advisory-partial-disclosure-zumtobel-multiple-vulnerabilities/CVE-2023-23325 - Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter.Product: Zumtobel Netlink CCDCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23325NVD References: - http://zumtobel.com- https://yoroi.company/en/research/cve-advisory-partial-disclosure-zumtobel-multiple-vulnerabilities/CVE-2023-46886 - Dreamer CMS before version 4.0.1 allows Directory Traversal, enabling unauthorized access to sensitive files.Product: Dreamer CMS Project CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46886NVD References: https://gitee.com/iteachyou/dreamer_cms/issues/I6NOFNCVE-2023-47462 - GL.iNet AX1800 v.3.215 and earlier versions have an insecure permissions vulnerability that enables remote attackers to execute arbitrary code through the file sharing function.Product: GL.iNet AX1800CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47462NVD References: https://github.com/gl-inet/CVE-issues/blob/main/3.215/Arbitrary%20File%20Read%20through%20file%20share.mdCVE-2023-45479 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the list parameter in the function sub_49E098.Product: Tenda AC10CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45479NVD References: - https://github.com/l3m0nade/IOTvul/blob/master/assets/sub_49E098_code.png- https://github.com/l3m0nade/IOTvul/blob/master/sub_49E098.mdCVE-2023-45480 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the src parameter in the function sub_47D878.Product: Tenda AC10CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45480NVD References: - https://github.com/l3m0nade/IOTvul/blob/master/assets/sub_47d878_code.png- https://github.com/l3m0nade/IOTvul/blob/master/sub_47D878.mdCVE-2023-45481 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the firewallEn parameter in the function SetFirewallCfg.Product: Tenda AC10CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45481NVD References: - https://github.com/l3m0nade/IOTvul/blob/master/SetFirewallCfg.md- https://github.com/l3m0nade/IOTvul/blob/master/assets/setFirewallCfg_code.pngCVE-2023-45482 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.Product: Tenda AC10CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45482NVD References: - https://github.com/l3m0nade/IOTvul/blob/master/assets/get_parentControl_list_Info_code.png- https://github.com/l3m0nade/IOTvul/blob/master/get_parentControl_list_Info.mdCVE-2023-45483 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the time parameter in th…
CVE-2023-46589 - Apache Tomcat is vulnerable to an Improper Input Validation vulnerability that allows request smuggling when behind a reverse proxy, and can be fixed by upgrading to a version starting from 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards, or 8.5.96 onwards.
CVE-2023-41264 - Netwrix Usercube before 6.0.215 allows authentication bypass and privilege escalation if certain configuration fields are omitted.
CVE-2023-48193 - JumpServer GPLv3 v.3.8.0 is vulnerable to Insecure Permissions, enabling remote attackers to execute arbitrary code by bypassing the command filtering function.
CVE-2023-23324 - Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account.
CVE-2023-23325 - Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter.
CVE-2023-46886 - Dreamer CMS before version 4.0.1 allows Directory Traversal, enabling unauthorized access to sensitive files.
CVE-2023-47462 - GL.iNet AX1800 v.3.215 and earlier versions have an insecure permissions vulnerability that enables remote attackers to execute arbitrary code through the file sharing function.
CVE-2023-45479 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the list parameter in the function sub_49E098.
CVE-2023-45480 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the src parameter in the function sub_47D878.
CVE-2023-45481 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the firewallEn parameter in the function SetFirewallCfg.
CVE-2023-45482 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.
CVE-2023-45483 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the time parameter in the function compare_parentcontrol_time.
CVE-2023-45484 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the shareSpeed parameter in the function fromSetWifiGuestBasic.
CVE-2023-49654 - Jenkins MATLAB Plugin versions 2.11.0 and earlier lack permission checks, enabling attackers to exploit Jenkins for XML file parsing from the controller file system.
CVE-2023-49656 - Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-42536 - Remote code execution
CVE-2022-42537 - Remote code execution
CVE-2022-42538 - Elevation of privilege
CVE-2022-42540 - Elevation of privilege
CVE-2022-42541 - Remote code execution
CVE-2023-49693 - NETGEAR ProSAFE Network Management System has a remotely accessible Java Debug Wire Protocol (JDWP) on port 11611, enabling unauthenticated users to execute arbitrary code.
CVE-2023-3741 - NEC Platforms DT900 and DT900S Series all versions are vulnerable to OS Command injection, allowing unauthorized execution of commands.
CVE-2023-35138 - Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 allow unauthenticated attackers to execute OS commands via crafted HTTP POST requests in the "show_zysync_server_contents" function.
CVE-2023-4473 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 are susceptible to command injection, enabling unauthorized execution of operating system commands via a manipulated URL.
cve-2023-4473 - and-
cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/">https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-productsCVE-2023-4474 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 improperly neutralize special elements, allowing unauthenticated attackers to execute OS commands via a crafted URL.Product: Zyxel NAS326 and NAS542 firmwareCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4474NVD References: - https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-productsCVE-2023-47463 - GL.iNet AX1800 version 4.0.0 before 4.5.0 allows remote code execution due to insecure permissions in the gl_nas_sys authentication function.Product: GL.iNet AX1800CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47463NVD References: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/an%20unauthenticated%20remote%20code%20execution.mdCVE-2023-47418 - O2oa version 8.1.2 and before allows remote attackers to execute JavaScript through the creation of a new interface in the service management function.Product: Zoneland O2OaCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47418NVD References: - https://gist.github.com/Onlyning/0cf7b1c597a36dd3a2e9ec948b881ac8- https://github.com/Onlyning/O2OACVE-2022-45135 - Apache Cocoon is vulnerable to an SQL Injection attack from version 2.2.0 to 2.3.0.Product: Apache CocoonCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45135NVD References: - http://www.openwall.com/lists/oss-security/2023/11/30/3- https://lists.apache.org/thread/lsvd1hmr2t2q823x21d5ygzgbj9jpvjpCVE-2023-49733 - Apache Cocoon is vulnerable to an improper restriction of XML external entity reference issue, which can be fixed by upgrading to version 2.3.0.Product: Apache CocoonCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49733NVD References: - http://www.openwall.com/lists/oss-security/2023/11/30/5- https://lists.apache.org/thread/t87nntzt6dxw354zbqr9k7l7o1x8gq11CVE-2023-49701 - Memory Corruption in SIM management while USIMPhase2init Product: Asrmicro Asr1803CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49701NVD References: https://www.asrmicro.com/en/goods/psirt?cid=31CVE-2023-5965 - EspoCRM version 7.2.5 allows an authenticated privileged attacker to execute arbitrary PHP code by uploading a maliciously crafted zip through the update form.Product: EspoCRM CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5965NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrmCVE-2023-5966 - EspoCRM server in version 7.2.5 allows authenticated privileged attackers to execute arbitrary PHP code by uploading a malicious zip file via the extension deployment form.Product: EspoCRMCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5966NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrmCVE-2023-6026 - elijaa/phpmemcachedadmin version 1.3.0 allows an attacker to delete server files through unsanitized user input.Product: Elijaa PhpmemcachedadminCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6026NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-phpmemcachedadminCVE-2023-6360 - My Calendar WordPress Plugin, version < 3.4.22, is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.Product: Joedolson My CalendarCVSS Score: 9.8 AtRiskScore 30NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6360NVD References: https://www.tenable.com/security/research/tra-2023-40CVE-2023-31176 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to an Insufficient Entropy vulnerability, enabling an unauthenticated remote attacker to bypass authentication by brute-forcing session tokens.Product: Selinc SEL-451CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-31176NVD References: - https://selinc.com/support/security-notifications/external-reports/- https://www.nozominetworks.com/blog/CVE-2023-34388 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to improper authentication, enabling a remote unauthenticated attacker to hijack sessions and bypass authentication.Product: Selinc SEL-451CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3438…
CVE-2023-4474 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 improperly neutralize special elements, allowing unauthenticated attackers to execute OS commands via a crafted URL.
cve-2023-4473 - and-
cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/">https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-productsCVE-2023-4474 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 improperly neutralize special elements, allowing unauthenticated attackers to execute OS commands via a crafted URL.Product: Zyxel NAS326 and NAS542 firmwareCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4474NVD References: - https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-productsCVE-2023-47463 - GL.iNet AX1800 version 4.0.0 before 4.5.0 allows remote code execution due to insecure permissions in the gl_nas_sys authentication function.Product: GL.iNet AX1800CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47463NVD References: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/an%20unauthenticated%20remote%20code%20execution.mdCVE-2023-47418 - O2oa version 8.1.2 and before allows remote attackers to execute JavaScript through the creation of a new interface in the service management function.Product: Zoneland O2OaCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47418NVD References: - https://gist.github.com/Onlyning/0cf7b1c597a36dd3a2e9ec948b881ac8- https://github.com/Onlyning/O2OACVE-2022-45135 - Apache Cocoon is vulnerable to an SQL Injection attack from version 2.2.0 to 2.3.0.Product: Apache CocoonCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45135NVD References: - http://www.openwall.com/lists/oss-security/2023/11/30/3- https://lists.apache.org/thread/lsvd1hmr2t2q823x21d5ygzgbj9jpvjpCVE-2023-49733 - Apache Cocoon is vulnerable to an improper restriction of XML external entity reference issue, which can be fixed by upgrading to version 2.3.0.Product: Apache CocoonCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49733NVD References: - http://www.openwall.com/lists/oss-security/2023/11/30/5- https://lists.apache.org/thread/t87nntzt6dxw354zbqr9k7l7o1x8gq11CVE-2023-49701 - Memory Corruption in SIM management while USIMPhase2init Product: Asrmicro Asr1803CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49701NVD References: https://www.asrmicro.com/en/goods/psirt?cid=31CVE-2023-5965 - EspoCRM version 7.2.5 allows an authenticated privileged attacker to execute arbitrary PHP code by uploading a maliciously crafted zip through the update form.Product: EspoCRM CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5965NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrmCVE-2023-5966 - EspoCRM server in version 7.2.5 allows authenticated privileged attackers to execute arbitrary PHP code by uploading a malicious zip file via the extension deployment form.Product: EspoCRMCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5966NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrmCVE-2023-6026 - elijaa/phpmemcachedadmin version 1.3.0 allows an attacker to delete server files through unsanitized user input.Product: Elijaa PhpmemcachedadminCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6026NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-phpmemcachedadminCVE-2023-6360 - My Calendar WordPress Plugin, version < 3.4.22, is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.Product: Joedolson My CalendarCVSS Score: 9.8 AtRiskScore 30NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6360NVD References: https://www.tenable.com/security/research/tra-2023-40CVE-2023-31176 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to an Insufficient Entropy vulnerability, enabling an unauthenticated remote attacker to bypass authentication by brute-forcing session tokens.Product: Selinc SEL-451CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-31176NVD References: - https://selinc.com/support/security-notifications/external-reports/- https://www.nozominetworks.com/blog/CVE-2023-34388 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to improper authentication, enabling a remote unauthenticated attacker to hijack sessions and bypass authentication.Product: Selinc SEL-451CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3438…
CVE-2023-47463 - GL.iNet AX1800 version 4.0.0 before 4.5.0 allows remote code execution due to insecure permissions in the gl_nas_sys authentication function.
CVE-2023-47418 - O2oa version 8.1.2 and before allows remote attackers to execute JavaScript through the creation of a new interface in the service management function.
CVE-2022-45135 - Apache Cocoon is vulnerable to an SQL Injection attack from version 2.2.0 to 2.3.0.
CVE-2023-49733 - Apache Cocoon is vulnerable to an improper restriction of XML external entity reference issue, which can be fixed by upgrading to version 2.3.0.
CVE-2023-49701 - Memory Corruption in SIM management while USIMPhase2init
CVE-2023-5965 - EspoCRM version 7.2.5 allows an authenticated privileged attacker to execute arbitrary PHP code by uploading a maliciously crafted zip through the update form.
CVE-2023-5966 - EspoCRM server in version 7.2.5 allows authenticated privileged attackers to execute arbitrary PHP code by uploading a malicious zip file via the extension deployment form.
CVE-2023-6026 - elijaa/phpmemcachedadmin version 1.3.0 allows an attacker to delete server files through unsanitized user input.
CVE-2023-6360 - My Calendar WordPress Plugin, version < 3.4.22, is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.
CVE-2023-31176 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to an Insufficient Entropy vulnerability, enabling an unauthenticated remote attacker to bypass authentication by brute-forcing session tokens.
CVE-2023-34388 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to improper authentication, enabling a remote unauthenticated attacker to hijack sessions and bypass authentication.
CVE-2023-39226 - Delta Electronics InfraSuite Device Master v.1.0.7 allows unauthenticated attackers to execute arbitrary code through a single UDP packet.
CVE-2023-47207 - Delta Electronics InfraSuite Device Master v.1.0.7 allows unauthenticated attackers to execute code with local administrator privileges.
CVE-2023-5908 - KEPServerEX is vulnerable to a buffer overflow, potentially causing product crashes or information leakage.
CVE-2023-5634 - ArslanSoft Education Portal before v1.1 is vulnerable to an SQL injection attack.
CVE-2023-5636 - ArslanSoft Education Portal before v1.1 allows Command Injection via Unrestricted Upload of Dangerous File Type.
CVE-2023-44382 - October CMS before 3.4.15 allows authenticated backend users with specific permissions to execute arbitrary PHP code by bypassing the Twig sandbox using specific Twig code.
CVE-2023-49093 - HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSLT, allowing an attacker to execute arbitrary code when visiting their malicious webpage.
CVE-2023-49291 - The `tj-actions/branch-names` Github Action improperly references context variables, allowing for arbitrary code execution and potential theft of secrets.
CVE-2023-48316 - Azure RTOS NetX Duo allows remote code execution due to memory overflow vulnerabilities in RTOS v6.2.1 and below, affecting snmp, smtp, ftp, and dtls processes/functions; solution: upgrade to NetX Duo release 6.3.0.
CVE-2023-48692 - Azure RTOS NetX Duo is vulnerable to remote code execution due to memory overflow vulnerabilities in processes/functions related to icmp, tcp, snmp, dhcp, nat, and ftp in RTOS v6.2.1 and below, with fixes available in NetX Duo release 6.3.0, requiring users to upgrade as there are no known workarounds.
CVE-2023-33054 - Cryptographic issue in GPS HLOS Driver while downloading Qualcomm GNSS assistance data.
CVE-2023-33082 - Memory corruption while sending an Assoc Request having BTM Query or BTM Response containing MBO IE.
CVE-2023-33083 - Memory corruption in WLAN Host while processing RRM beacon on the AP.
CVE-2023-6269 - Atos Unify OpenScape products "Session Border Controller" (SBC) and "Branch", before version V10 R3.4.0, and OpenScape "BCF" before versions V10R10.12.00 and V10R11.05.02 are vulnerable to argument injection, allowing unauthenticated attackers to gain root access and bypass authentication for administrative access.
CVE-2023-6448 - Unitronics Vision Series PLCs and HMIs have default administrative passwords, allowing an unauthenticated attacker to gain administrative control over the system.
CVE-2023-36035 - Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-29357 - Microsoft SharePoint Server Elevation of Privilege Vulnerability
Sponsors
Snyk
Don't let challenges of time and cost slow you down in the fast-paced world of digital transformation! Discover how Snyk, a modern security solution, purpose-built for cloud native apps, can provide the cost- and time-saving benefits with Migrations Playbook for Saving Money with Snyk + AWS.
SANS
SANS Research | There are only a few days left to complete the SANS 2024 Threat Hunting Survey. In this survey, we are asking organizations about how they approach threat hunting, the barriers to success, and how they measure their efforts. Share your thoughts with us for a chance to win a $400 Amazon gift card:
Sumo Logic | AWS
Upcoming webcast: Cloud Infrastructure Security for AWS | Tune in on Dec 7 at 10:30am ET to discover how to pinpoint common cloud vulnerabilities and risks, and explore built-in automated remediation workflows to accelerate security personnel. | Register now:
Anomali
Is Your SIEM Really Doing Its Job? How to Take Cybersecurity to the Next Level | Join us for this upcoming webcast on Dec 13 at 10:30am ET to learn how to accelerate your analysts' performance while reducing stress and overload. | Register now: