Internet Storm Center Spotlight



ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Cobalt Strike's "Runtime Configuration"

Published: 2023-12-05

Last Updated: 2023-12-05 08:00:19 UTC

by Didier Stevens (Version: 1)

I published an update for my 1768.py tool, a tool to extract the configuration from Cobalt Strike beacons.

1768.py tries to extract the beacon configuration from payloads and process memory dumps. It looks for the embedded configuration, the TLV table that is XOR encoded (0x2E version 4).

Prior to this version (0.0.20), process memory dumps were just handled as raw files.

This new version also looks for the "runtime configuration": this is a C/C++ array found on the heap, created by the beacon code by parsing the embedded configuration. This array contains values (integers and pointers) for each configuration item. An example can be found in this blog post.

For example, the portnumber is configuration item 2, and is stored as an integer in the third position of the array (array[2]).

The public key is configuration item 7, a binary sequence (ASN1 DER encoded). It is stored as a pointer (to the binary sequence) in the eighth position of the array (array[7]). The binary sequence representing the public key is also stored on the heap. Since we are dealing with pointers in C/C++, we have 32-bit and 64-bit implementations.

Since address translations need to take place, 1768.py requires the python module minidump to be installed.

If it is not installed and a runtime configuration is found, a warning will be displayed...

Read the full entry:

https://isc.sans.edu/diary/Cobalt+Strikes+Runtime+Configuration/30426/
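As an added example (not code from 1768.py or from the diary), the lookup the post describes in Python: read array[2] as the port, read array[7] as a pointer, translate that pointer to an offset in the dump, and carve the DER sequence found there. Everything not in the post is assumed or constructed: that each array element is pointer-sized, the heap addresses, the stand-in dump regions, and the DER blobs (a real dump would be translated via the minidump module rather than the toy region list used here).

```python
import struct

# Configuration item numbers named in the diary.
ITEM_PORT = 2        # integer stored directly in array[2]
ITEM_PUBLIC_KEY = 7  # pointer to a DER-encoded blob stored in array[7]


def read_array_element(array: bytes, index: int, ptr_size: int) -> int:
    """Return element `index` of the runtime configuration array.
    Assumption: every element is pointer-sized (4 bytes on 32-bit, 8 on 64-bit)."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    off = index * ptr_size
    if off + ptr_size > len(array):
        raise ValueError("array too short for index %d" % index)
    return struct.unpack_from(fmt, array, off)[0]


def translate(va: int, regions: list) -> tuple:
    """Toy address translation: regions is a list of (base_va, bytes).
    Returns (region_data, offset) for the virtual address, or raises."""
    for base, data in regions:
        if base <= va < base + len(data):
            return data, va - base
    raise LookupError("virtual address 0x%x is not in the dump" % va)


def der_sequence_length(buf: bytes, off: int) -> int:
    """Total length (header included) of a DER SEQUENCE starting at buf[off].
    Handles both short-form and long-form length encodings."""
    if buf[off] != 0x30:
        raise ValueError("no DER SEQUENCE tag at offset 0x%x" % off)
    first = buf[off + 1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    nbytes = first & 0x7F                  # long form: next nbytes hold the length
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
    return 2 + nbytes + length


def extract_runtime_config(regions: list, cfg_va: int, ptr_size: int) -> dict:
    """Pull port and public key out of a runtime configuration array at cfg_va."""
    heap, off = translate(cfg_va, regions)
    array = heap[off:off + (ITEM_PUBLIC_KEY + 1) * ptr_size]
    port = read_array_element(array, ITEM_PORT, ptr_size)
    if not 0 < port < 65536:
        raise ValueError("implausible port %d; probably not a runtime config" % port)
    key_ptr = read_array_element(array, ITEM_PUBLIC_KEY, ptr_size)
    key_region, key_off = translate(key_ptr, regions)   # follow the heap pointer
    key_len = der_sequence_length(key_region, key_off)
    return {
        "port": port,
        "public_key_ptr": key_ptr,
        "public_key": key_region[key_off:key_off + key_len],
    }


def build_sample_dump(ptr_size: int) -> tuple:
    """Constructed stand-in for a process memory dump (not a real beacon).
    Returns (regions, virtual address of the runtime configuration array)."""
    heap_base = 0x00A00000 if ptr_size == 4 else 0x1F000000000
    cfg_va = heap_base + 0x100
    key_va = heap_base + 0x400
    if ptr_size == 4:
        pubkey = b"\x30\x81\x86" + bytes(range(134))   # constructed, long-form length
    else:
        pubkey = bytes.fromhex("300d06092a864886f70d0101010500")  # constructed, short form
    elems = [0] * 16
    elems[ITEM_PORT] = 443
    elems[ITEM_PUBLIC_KEY] = key_va
    array = struct.pack("<%d%s" % (len(elems), "I" if ptr_size == 4 else "Q"), *elems)
    heap = bytearray(0x1000)
    heap[0x100:0x100 + len(array)] = array
    heap[0x400:0x400 + len(pubkey)] = pubkey
    return [(heap_base, bytes(heap))], cfg_va


if __name__ == "__main__":
    for size in (4, 8):
        regions, va = build_sample_dump(size)
        found = extract_runtime_config(regions, va, size)
        print("%d-bit: port=%d pubkey at 0x%x (%d bytes DER)" % (
            size * 8, found["port"], found["public_key_ptr"], len(found["public_key"])))
```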

Apple Patches Exploited WebKit Vulnerabilities in iOS/iPadOS/macOS

Published: 2023-11-30

Last Updated: 2023-12-01 17:21:37 UTC

by Johannes Ullrich (Version: 1)

Apple today released patches for two WebKit vulnerabilities affecting macOS, iPadOS and iOS. I would expect standalone Safari updates for older macOS versions in the future. At this point, only the most recent operating system versions received patches.

The vulnerabilities have been exploited against versions of iOS before 16.7.1. iOS 16.7.2 is the latest iOS 16 release, released in late October. It is not clear if it is vulnerable. Apple just states which versions were successfully exploited.

Read the full entry:

https://isc.sans.edu/diary/Apple+Patches+Exploited+WebKit+Vulnerabilities+in+iOSiPadOSmacOS/30444/

Zarya Hacktivists: More than just Sharepoint.

Published: 2023-12-04

Last Updated: 2023-12-04 16:38:58 UTC

by Johannes Ullrich (Version: 1)

Last week, I wrote about a system associated with pro-Russian hacktivists scanning for vulnerable Sharepoint servers [1]. Thanks to @DonPasci on X for pointing me to an article by Radware about the same group using Mirai [2][3]. This group has been active for a while, using various low-hanging fruit exploits to hunt for defacement targets.

The group calls itself "Zarya" (Заря). The Cyrillic alphabet does not contain the letter "z." After Russian troops used the "Z" symbol to mark their vehicles in their push on Kyiv early in 2022, the character became a popular symbol to express support for the war in Russia. It has often been used to replace the letter "З," which is pronounced like the English "Z." Therefore, the name of the hacktivist group is likely supposed to be pronounced as "Заря," or "dawn" in English.

But let's return to the IP address we identified last week: 212.113.106.100. This IP address has not been idle since then. We have observed several different exploits with our honeypots.

Many of them are just simple reconnaissance: requests for "/" to retrieve index pages. These are likely just used to identify possible targets.

There are also some directory traversal attempts. I have no idea if they will work with reasonably up-to-date systems. In particular, requests like "/../../../../etc/passwd"...

https://isc.sans.edu/diary/Zarya+Hacktivists+More+than+just+Sharepoint/30450/

Internet Storm Center Entries


Whose packet is it anyway: a new RFC for attribution of internet probes (2023.12.06)

https://isc.sans.edu/diary/Whose+packet+is+it+anyway+a+new+RFC+for+attribution+of+internet+probes/30456/

Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today (2023.11.30)

https://isc.sans.edu/diary/Prophetic+Post+by+Intern+on+CVE20231389+Foreshadows+Mirai+Botnet+Expansion+Today/30442/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcasts, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-1389 - TP-Link Archer AX21 firmware versions prior to 1.1.4 Build 20230219 have a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint, allowing an attacker to run commands as root.

Product: TP-Link Archer

CVSS Score: 0

** KEV since 2023-05-01 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1389

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8760




CVE-2023-6345 - Chromium: CVE-2023-6345 Integer overflow in Skia

Product: Google Chrome

CVSS Score: 0

** KEV since 2023-11-30 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6345

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-6345

NVD References: 

- https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html

- https://crbug.com/1505053

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T7ABNYMOI4ZHVCSPCNP7HQTOLGF53A2/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7XQNYZZA3X2LBJF57ZHKXWOMJKNLZYR/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ/

- https://www.debian.org/security/2023/dsa-5569




CVE-2023-42916 - iOS, iPadOS, macOS, and Safari before versions 17.1.2, 14.1.2, and 17.1.2 respectively, allow out-of-bounds reads during web content processing, potentially revealing sensitive data, with a possibility of exploitation on earlier iOS versions before 16.7.1.

Product: Apple Safari

CVSS Score: 0

** KEV since 2023-12-04 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-42916

ISC Diary: https://isc.sans.edu/diary/30444

NVD References: 

- http://www.openwall.com/lists/oss-security/2023/12/05/1

- https://support.apple.com/en-us/HT214031

- https://support.apple.com/en-us/HT214032

- https://support.apple.com/en-us/HT214033




CVE-2023-42917 - iOS, iPadOS, macOS Sonoma and Safari versions prior to 17.1.2, 14.1.2, and 17.1.2 respectively are susceptible to arbitrary code execution through web content processing, with Apple acknowledging potential exploitation in iOS versions before 16.7.1.

Product: Apple Safari

CVSS Score: 0

** KEV since 2023-12-04 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-42917

ISC Diary: https://isc.sans.edu/diary/30444

NVD References: 

- http://www.openwall.com/lists/oss-security/2023/12/05/1

- https://support.apple.com/en-us/HT214031

- https://support.apple.com/en-us/HT214032

- https://support.apple.com/en-us/HT214033




CVE-2023-33063 - Memory corruption in DSP Services during a remote call from HLOS to DSP.

Product: Qualcomm (vendor per the referenced security bulletin; not named in the description)

CVSS Score: 7.8

** KEV since 2023-12-05 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33063

NVD References: https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin




CVE-2023-33106 - Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.

Product: Qualcomm

CVSS Score: 8.4

** KEV since 2023-12-05 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33106

NVD References: https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin




CVE-2023-33107 - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.

Product: Graphics Linux 

CVSS Score: 8.4

** KEV since 2023-12-05 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33107

NVD References: https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin




CVE-2023-47503 - jflyfox jfinalCMS v.5.1.0 is vulnerable to remote code execution due to a crafted script in the login.jsp component of the template management module.

Product: Jflyfox Jfinal Cms

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47503

NVD References: https://github.com/jflyfox/jfinal_cms/issues/58




CVE-2023-3368 - Chamilo LMS v1.11.20 is vulnerable to command injection in `/main/webservices/additional_webservices.php`, allowing unauthenticated attackers to execute remote code due to improper neutralisation of special characters, bypassing CVE-2023-34960.

Product: Chamilo 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3368

NVD References: 

- https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a

- https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b

- https://starlabs.sg/advisories/23/23-3368/

- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368




CVE-2023-3533 - Chamilo LMS <= v1.11.20 allows unauthenticated attackers to execute remote code and perform stored XSS attacks through a path traversal vulnerability in the file upload functionality of `/main/webservices/additional_webservices.php`.

Product: Chamilo 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3533

NVD References: 

- https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a

- https://starlabs.sg/advisories/23/23-3533/

- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-124-2023-07-13-Critical-impact-High-risk-Unauthenticated-Arbitrary-File-Write-RCE-CVE-2023-3533




CVE-2023-3545 - Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to obtain remote code execution by uploading a malicious `.htaccess` file.

Product: Chamilo 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3545

NVD References: 

- https://github.com/chamilo/chamilo-lms/commit/dc7bfce429fbd843a95a57c184b6992c4d709549

- https://starlabs.sg/advisories/23/23-3545/

- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-125-2023-07-13-Critical-impact-Moderate-risk-Htaccess-File-Upload-Security-Bypass-on-Windows-CVE-2023-3545




CVE-2023-48022 - Anyscale Ray 2.6.3 and 2.8.0 allows remote code execution via job submission API disregarding vendor's stance on its usage.

Product: Anyscale Ray

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48022

NVD References: 

- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0

- https://docs.ray.io/en/latest/ray-security/index.html




CVE-2023-48023 - Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF, disregarding the product's intended use within a strictly controlled network environment.

Product: Anyscale Ray

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48023

NVD References: 

- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0

- https://docs.ray.io/en/latest/ray-security/index.html




CVE-2023-49313 - XMachOViewer 0.04 allows attackers to compromise integrity by injecting unauthorized code into processes, potentially leading to remote control and unauthorized access to sensitive user data.

Product: Horsicq XMachOViewer

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49313

NVD References: 

- https://github.com/horsicq/XMachOViewer

- https://github.com/louiselalanne/CVE-2023-49313




CVE-2023-49314 - Asana Desktop 2.1.0 on macOS allows code injection due to inadequate protection against specific Electron Fuses.

Product: Asana Desktop

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49314

NVD References: 

- https://asana.com/pt/download

- https://github.com/electron/fuses

- https://github.com/louiselalanne/CVE-2023-49314

- https://github.com/r3ggi/electroniz3r

- https://www.electronjs.org/docs/latest/tutorial/fuses




CVE-2023-46589 - Apache Tomcat is vulnerable to an Improper Input Validation vulnerability that allows request smuggling when behind a reverse proxy, and can be fixed by upgrading to a version starting from 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards, or 8.5.96 onwards.

Product: Apache Tomcat

CVSS Score: 7.5

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46589

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8756

NVD References: 

- https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr

- https://www.openwall.com/lists/oss-security/2023/11/28/2




CVE-2023-41264 - Netwrix Usercube before 6.0.215 allows authentication bypass and privilege escalation if certain configuration fields are omitted.

Product: Netwrix Usercube

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-41264

NVD References: 

- https://www.netwrix.com/identity_governance_and_administration_solution.html

- https://www.synacktiv.com/advisories/usercube-netwrix-multiple-vulnerabilities




CVE-2023-48193 - JumpServer GPLv3 v.3.8.0 is vulnerable to Insecure Permissions, enabling remote attackers to execute arbitrary code by bypassing the command filtering function.

Product: Fit2Cloud Jumpserver

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48193

NVD References: 

- http://jumpserver.com

- https://github.com/296430468/lcc_test/blob/main/jumpserver_BUG.md

- https://github.com/jumpserver/jumpserver




CVE-2023-23324 - Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account.

Product: Zumtobel Netlink CCD

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23324

NVD References: 

- http://zumtobel.com

- https://yoroi.company/en/research/cve-advisory-partial-disclosure-zumtobel-multiple-vulnerabilities/




CVE-2023-23325 - Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter.

Product: Zumtobel Netlink CCD

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23325

NVD References: 

- http://zumtobel.com

- https://yoroi.company/en/research/cve-advisory-partial-disclosure-zumtobel-multiple-vulnerabilities/




CVE-2023-46886 - Dreamer CMS before version 4.0.1 allows Directory Traversal, enabling unauthorized access to sensitive files.

Product: Dreamer CMS Project 

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46886

NVD References: https://gitee.com/iteachyou/dreamer_cms/issues/I6NOFN




CVE-2023-47462 - GL.iNet AX1800 v.3.215 and earlier versions have an insecure permissions vulnerability that enables remote attackers to execute arbitrary code through the file sharing function.

Product: GL.iNet AX1800

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47462

NVD References: https://github.com/gl-inet/CVE-issues/blob/main/3.215/Arbitrary%20File%20Read%20through%20file%20share.md




CVE-2023-45479 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the list parameter in the function sub_49E098.

Product: Tenda AC10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45479

NVD References: 

- https://github.com/l3m0nade/IOTvul/blob/master/assets/sub_49E098_code.png

- https://github.com/l3m0nade/IOTvul/blob/master/sub_49E098.md




CVE-2023-45480 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the src parameter in the function sub_47D878.

Product: Tenda AC10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45480

NVD References: 

- https://github.com/l3m0nade/IOTvul/blob/master/assets/sub_47d878_code.png

- https://github.com/l3m0nade/IOTvul/blob/master/sub_47D878.md




CVE-2023-45481 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the firewallEn parameter in the function SetFirewallCfg.

Product: Tenda AC10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45481

NVD References: 

- https://github.com/l3m0nade/IOTvul/blob/master/SetFirewallCfg.md

- https://github.com/l3m0nade/IOTvul/blob/master/assets/setFirewallCfg_code.png




CVE-2023-45482 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.

Product: Tenda AC10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45482

NVD References: 

- https://github.com/l3m0nade/IOTvul/blob/master/assets/get_parentControl_list_Info_code.png

- https://github.com/l3m0nade/IOTvul/blob/master/get_parentControl_list_Info.md




CVE-2023-45483 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the time parameter in the function compare_parentcontrol_time.

Product: Tenda AC10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45483

NVD References: 

- https://github.com/l3m0nade/IOTvul/blob/master/assets/compare_parentcontrol_time_code.png

- https://github.com/l3m0nade/IOTvul/blob/master/compare_parentcontrol_time.md




CVE-2023-45484 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the shareSpeed parameter in the function fromSetWifiGuestBasic.

Product: Tenda AC10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45484

NVD References: 

- https://github.com/l3m0nade/IOTvul/blob/master/assets/fromSetWifiGuestBasic_code.png

- https://github.com/l3m0nade/IOTvul/blob/master/fromSetWifiGusetBasic.md




CVE-2023-49654 - Jenkins MATLAB Plugin versions 2.11.0 and earlier lack permission checks, enabling attackers to exploit Jenkins for XML file parsing from the controller file system.

Product: Jenkins Matlab

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49654

NVD References: 

- http://www.openwall.com/lists/oss-security/2023/11/29/1

- https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3193




CVE-2023-49656 - Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Product: Jenkins Matlab

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49656

NVD References: 

- http://www.openwall.com/lists/oss-security/2023/11/29/1

- https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3193




CVE-2022-42536 - Remote code execution

Product: Google Android

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42536

NVD References: https://source.android.com/docs/security/bulletin/chromecast/2023-07-01




CVE-2022-42537 - Remote code execution

Product: Google Android

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42537

NVD References: https://source.android.com/docs/security/bulletin/chromecast/2023-07-01




CVE-2022-42538 - Elevation of privilege

Product: Google Android

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42538

NVD References: https://source.android.com/docs/security/bulletin/chromecast/2023-07-01




CVE-2022-42540 - Elevation of privilege

Product: Google Android

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42540

NVD References: https://source.android.com/docs/security/bulletin/chromecast/2023-07-01




CVE-2022-42541 - Remote code execution

Product: Google Android

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42541

NVD References: https://source.android.com/docs/security/bulletin/chromecast/2023-07-01




CVE-2023-49693 - NETGEAR ProSAFE Network Management System has a remotely accessible Java Debug Wire Protocol (JDWP) on port 11611, enabling unauthenticated users to execute arbitrary code.

Product: NETGEAR ProSAFE Network Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49693

NVD References: 

- https://kb.netgear.com/000065886/Security-Advisory-for-Sensitive-Information-Disclosure-on-the-NMS300-PSV-2023-0126

- https://www.tenable.com/security/research/tra-2023-39




CVE-2023-3741 - NEC Platforms DT900 and DT900S Series all versions are vulnerable to OS Command injection, allowing unauthorized execution of commands.

Product: NEC Itk-6Dgs-1(Bk)Tel

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3741

NVD References: https://jpn.nec.com/security-info/secinfo/nv23-011_en.html




CVE-2023-35138 - Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 allow unauthenticated attackers to execute OS commands via crafted HTTP POST requests in the "show_zysync_server_contents" function.

Product: Zyxel NAS326 and NAS542 firmware

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35138

NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products




CVE-2023-4473 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 are susceptible to command injection, enabling unauthorized execution of operating system commands via a manipulated URL.

Product: Zyxel NAS326 and NAS542 firmware

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4473

NVD References: 

- https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/

- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products




CVE-2023-4474 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 improperly neutralize special elements, allowing unauthenticated attackers to execute OS commands via a crafted URL.

Product: Zyxel NAS326 and NAS542 firmware

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4474

NVD References: 

- https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/

- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products




CVE-2023-47463 - GL.iNet AX1800 version 4.0.0 before 4.5.0 allows remote code execution due to insecure permissions in the gl_nas_sys authentication function.

Product: GL.iNet AX1800

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47463

NVD References: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/an%20unauthenticated%20remote%20code%20execution.md




CVE-2023-47418 - O2oa version 8.1.2 and before allows remote attackers to execute JavaScript through the creation of a new interface in the service management function.

Product: Zoneland O2Oa

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47418

NVD References: 

- https://gist.github.com/Onlyning/0cf7b1c597a36dd3a2e9ec948b881ac8

- https://github.com/Onlyning/O2OA




CVE-2022-45135 - Apache Cocoon is vulnerable to an SQL Injection attack from version 2.2.0 to 2.3.0.

Product: Apache Cocoon

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45135

NVD References: 

- http://www.openwall.com/lists/oss-security/2023/11/30/3

- https://lists.apache.org/thread/lsvd1hmr2t2q823x21d5ygzgbj9jpvjp




CVE-2023-49733 - Apache Cocoon is vulnerable to an improper restriction of XML external entity reference issue, which can be fixed by upgrading to version 2.3.0.

Product: Apache Cocoon

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49733

NVD References: 

- http://www.openwall.com/lists/oss-security/2023/11/30/5

- https://lists.apache.org/thread/t87nntzt6dxw354zbqr9k7l7o1x8gq11




CVE-2023-49701 - Memory Corruption in SIM management while USIMPhase2init

Product: Asrmicro Asr1803

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49701

NVD References: https://www.asrmicro.com/en/goods/psirt?cid=31




CVE-2023-5965 - EspoCRM version 7.2.5 allows an authenticated privileged attacker to execute arbitrary PHP code by uploading a maliciously crafted zip through the update form.

Product: EspoCRM 

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5965

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrm




CVE-2023-5966 - EspoCRM server in version 7.2.5 allows authenticated privileged attackers to execute arbitrary PHP code by uploading a malicious zip file via the extension deployment form.

Product: EspoCRM

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5966

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrm




CVE-2023-6026 - elijaa/phpmemcachedadmin version 1.3.0 allows an attacker to delete server files through unsanitized user input.

Product: Elijaa Phpmemcachedadmin

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6026

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-phpmemcachedadmin




CVE-2023-6360 - My Calendar WordPress Plugin, version < 3.4.22, is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.

Product: Joedolson My Calendar

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6360

NVD References: https://www.tenable.com/security/research/tra-2023-40




CVE-2023-31176 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to an Insufficient Entropy vulnerability, enabling an unauthenticated remote attacker to bypass authentication by brute-forcing session tokens.

Product: Selinc SEL-451

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-31176

NVD References: 

- https://selinc.com/support/security-notifications/external-reports/

- https://www.nozominetworks.com/blog/




CVE-2023-34388 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to improper authentication, enabling a remote unauthenticated attacker to hijack sessions and bypass authentication.

Product: Selinc SEL-451

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34388

NVD References: 

- https://selinc.com/support/security-notifications/external-reports/

- https://www.nozominetworks.com/blog/




CVE-2023-39226 - Delta Electronics InfraSuite Device Master v.1.0.7 allows unauthenticated attackers to execute arbitrary code through a single UDP packet.

Product: Delta Electronics InfraSuite Device Master

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39226

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-331-01




CVE-2023-47207 - Delta Electronics InfraSuite Device Master v.1.0.7 allows unauthenticated attackers to execute code with local administrator privileges.

Product: Delta Electronics InfraSuite Device Master

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47207

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-331-01




CVE-2023-5908 - KEPServerEX is vulnerable to a buffer overflow, potentially causing product crashes or information leakage.

Product: KEPServerEX

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5908

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03




CVE-2023-5634 - ArslanSoft Education Portal before v1.1 is vulnerable to an SQL injection attack.

Product: ArslanSoft Education Portal

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5634

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0670




CVE-2023-5636 - ArslanSoft Education Portal before v1.1 allows Command Injection via Unrestricted Upload of Dangerous File Type.

Product: ArslanSoft Education Portal

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5636

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0670




CVE-2023-44382 - October CMS before 3.4.15 allows authenticated backend users with specific permissions to execute arbitrary PHP code by bypassing the Twig sandbox using specific Twig code.

Product: October CMS

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44382

NVD References: https://github.com/octobercms/october/security/advisories/GHSA-p8q3-h652-65vx




CVE-2023-49093 - HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSLT, allowing an attacker to execute arbitrary code when visiting their malicious webpage.

Product: HtmlUnit

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49093

NVD References: 

- https://github.com/HtmlUnit/htmlunit/security/advisories/GHSA-37vq-hr2f-g7h7

- https://www.htmlunit.org/changes-report.html#a3.9.0




CVE-2023-49291 - The `tj-actions/branch-names` Github Action improperly references context variables, allowing for arbitrary code execution and potential theft of secrets.

Product: tj-actions branch-names

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49291

NVD References: 

- https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337

- https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815

- https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060

- https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf

- https://securitylab.github.com/research/github-actions-untrusted-input




CVE-2023-48316 - Azure RTOS NetX Duo allows remote code execution due to memory overflow vulnerabilities in RTOS v6.2.1 and below, affecting snmp, smtp, ftp, and dtls processes/functions; solution: upgrade to NetX Duo release 6.3.0.

Product: Azure RTOS NetX Duo

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48316

NVD References: https://github.com/azure-rtos/netxduo/security/advisories/GHSA-3cmf-r288-xhwq




CVE-2023-48692 - Azure RTOS NetX Duo is vulnerable to remote code execution due to memory overflow vulnerabilities in processes/functions related to icmp, tcp, snmp, dhcp, nat, and ftp in RTOS v6.2.1 and below, with fixes available in NetX Duo release 6.3.0, requiring users to upgrade as there are no known workarounds.

Product: Azure RTOS NetX Duo

CVSS Score: 9.0 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48692

NVD References: https://github.com/azure-rtos/netxduo/security/advisories/GHSA-m2rx-243p-9w64




CVE-2023-33054 - Cryptographic issue in GPS HLOS Driver while downloading Qualcomm GNSS assistance data.

Product: Qualcomm GPS HLOS Driver

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33054

NVD References: https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin




CVE-2023-33082 - Memory corruption while sending an Assoc Request having BTM Query or BTM Response containing MBO IE.

Product: BTM

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33082

NVD References: https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin




CVE-2023-33083 - Memory corruption in WLAN Host while processing RRM beacon on the AP.

Product: WLAN Host AP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33083

NVD References: https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin




CVE-2023-6269 - Atos Unify OpenScape products "Session Border Controller" (SBC) and "Branch", before version V10 R3.4.0, and OpenScape "BCF" before versions V10R10.12.00 and V10R11.05.02 are vulnerable to argument injection, allowing unauthenticated attackers to gain root access and bypass authentication for administrative access.

Product: Atos Unify OpenScape SBC

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6269

NVD References: 

- https://networks.unify.com/security/advisories/OBSO-2310-01.pdf

- https://r.sec-consult.com/unifyroot




CVE-2023-6448 - Unitronics Vision Series PLCs and HMIs have default administrative passwords, allowing an unauthenticated attacker to gain administrative control over the system.

Product: Unitronics Vision Series PLCs and HMIs

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6448

NVD References: https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems




CVE-2023-36035 - Microsoft Exchange Server Spoofing Vulnerability

Product: Microsoft Exchange Server

CVSS Score: 8.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36035

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36035




CVE-2023-29357 - Microsoft SharePoint Server Elevation of Privilege Vulnerability

Product: Microsoft SharePoint Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29357

MSFT References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357




Manual Review Needed:


CVE-2023-45124

References:

- https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-scam-tricks-users-into-installing-backdoor-plugin/

- https://www.bleepingcomputer.com/news/security/fake-wordpress-security-advisory-pushes-backdoor-plugin/