SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 23ISSUE 49
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
What are they looking for? Scans for OpenID Connect Configuration
Published: 2023-12-19
Last Updated: 2023-12-20 00:03:45 UTC
by Johannes Ullrich (Version: 1)
Update: Thanks to our reader Dustin Decker for pointing out that these scans are likely looking for Citrix devices. The recent "CitrixBleed" vulnerability is exploited using the OpenID connect URL (CVE-2023-4966, CVE-2023-4967). An attack would also include an oversized Host header in a request to the OpenID URL. The scans I have observed do not appear to include this oversized Host header. Looks like they are just looking for possible targets to exploit later.
One of our honeypots received unusually many requests for an OpenID connect configuration file. This honeypot is configured a bit differently as it is more experimental to test new software, so the logs do not show up on our main site. Overall, there are only a few requests targeting this specific URL.
OpenID connected is an authentication scheme often used by websites to facilitate features like "Log in with Facebook/Google...". The specification asks for a configuration file, .well-known/openid-configuration, to facilitate the automatic discovery of OpenID connect capabilities.
Read the full entry:
https://isc.sans.edu/diary/What+are+they+looking+for+Scans+for+OpenID+Connect+Configuration/30498/
An Example of RocketMQ Exploit Scanner
Published: 2023-12-16
Last Updated: 2023-12-16 06:31:05 UTC
by Xavier Mertens (Version: 1)
A few months ago, RocketMQ, a real-time message queue platform, suffered of a nasty vulnerability referred as CVE-2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score:2/60 (SHA256:70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5).
This script is a Bash script has two main parts: First, it will prepare its environment by creating a random directory ...
Then, it will install some dependencies using yum or apt. The dependencies will allow the tool to download and compile on the fly a copy of the masscan port scanner ...
Read the full entry:
https://isc.sans.edu/diary/An+Example+of+RocketMQ+Exploit+Scanner/30492/
Internet Storm Center Entries
Increase in Exploit Attempts for Atlassian Confluence Server (CVE-2023-22518) (2023.12.20)
CSharp Payload Phoning to a CobaltStrike Server (2023.12.15)
https://isc.sans.edu/diary/CSharp+Payload+Phoning+to+a+CobaltStrike+Server/30490/
T-shooting Terraform for DShield Honeypot in Azure [Guest Diary] (2023.12.13)
https://isc.sans.edu/diary/Tshooting+Terraform+for+DShield+Honeypot+in+Azure+Guest+Diary/30484/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2022-3236 - Sophos Firewall Code Injection Vulnerability
CVE-2023-36019 - Microsoft Power Platform Connector Spoofing Vulnerability
CVE-2023-35618 - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-22518 - Confluence Data Center and Server versions are vulnerable, but Atlassian Cloud sites are not affected.
CVE-2023-4966 - NetScaler ADC and NetScaler Gateway configured as a Gateway or AAA virtual server may reveal sensitive information.
CVE-2023-33246 - RocketMQ versions 5.1.0 and below are vulnerable to remote command execution due to leaked components lacking permission verification.
CVE-2023-36649 - ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users by inserting sensitive information in the centralized logging system and reading JWT tokens from logs or the Loki REST API.
CVE-2023-49581 - SAP GUI for Windows and SAP GUI for Java have an unauthenticated access and data modification vulnerability that compromises restricted information and allows database table writing with potential impact on availability.
CVE-2023-49583 - The SAP BTP Security Services Integration Library ([Node.js] @sap/xssec) versions < 3.6.0 allow an unauthenticated attacker to escalate privileges and gain arbitrary permissions within the application.
CVE-2023-50422 - The SAP BTP Security Services Integration Library (cloud-security-services-integration-library) below version 2.17.0 and from version 3.0.0 to before 3.3.0 allows an unauthenticated attacker to escalate privileges and gain arbitrary permissions within the application.
CVE-2023-50423 - The SAP BTP Security Services Integration Library ([Python] sap-xssec) versions < 4.1.0 allows unauthenticated attackers to escalate privileges and obtain arbitrary permissions within the application.
CVE-2023-50424 - The SAP BTP Security Services Integration Library allows an unauthenticated attacker to escalate privileges and obtain arbitrary permissions within the application in versions < 0.17.0.
CVE-2023-41117 - EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0 allows search_path attacks due to inadequate security measures in packages, standalone packages, and functions with SECURITY DEFINER.
CVE-2023-48427 - SINEC INS (All versions < V1.0 SP2 Update 2) does not properly validate UMC server certificates, allowing interception of credentials and escalation of privileges by attackers.
CVE-2023-46454 - GL.iNET GL-AR300M routers with firmware v4.3.7 are vulnerable to arbitrary shell command injection via a crafted package name.
CVE-2023-46456 - GL.iNET GL-AR300M routers with firmware 3.216 allow arbitrary shell command injection through the OpenVPN client file upload feature.
CVE-2023-6593 - Devolutions Remote Desktop Manager 2023.3.4.0 and earlier on iOS allows unrestricted execution of SQL data source entries by an attacker with application access.
CVE-2013-2513 - The flash_tool gem through 0.6.0 for Ruby allows command execution via shell metacharacters in the name of a downloaded file.
Product: flash_tool Gem for RubyCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2013-2513NVD References: - https://github.com/advisories/GHSA-6325-6g32-7p35- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/flash_tool/CVE-2013-2513.ymlCVE-2023-43364 - main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution.Product: Arjunsharda SearchorCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-43364NVD References: - https://github.com/ArjunSharda/Searchor/commit/16016506f7bf92b0f21f51841d599126d6fcd15b- https://github.com/ArjunSharda/Searchor/pull/130- https://github.com/advisories/GHSA-66m2-493m-crh2- https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit-- https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-InjectionCVE-2023-48225 - Laf cloud development platform is vulnerable to information leakage in secret and configmap due to insufficient control of LAF app enV prior to version 1.0.0-beta.13.Product: Laf CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48225NVD References: - https://github.com/labring/laf/blob/main/server/src/application/environment.controller.ts#L50- https://github.com/labring/laf/blob/main/server/src/instance/instance.service.ts#L306- https://github.com/labring/laf/security/advisories/GHSA-hv2g-gxx4-fwxpCVE-2023-50252 - php-svg-lib prior to version 0.5.1 suffers from a PHAR Deserialization vulnerability due to unsanitized href attribute in the <use> tag.Product: Dompdf Php-Svg-LibCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50252NVD References: - https://github.com/dompdf/php-svg-lib/commit/08ce6a96d63ad7216315fae34a61c886dd2dc030- https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-jq98-9543-m4crCVE-2023-47577 - Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 allow unauthorized password changes without checking the current password.Product: Relyum RELY-PCIeCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47577NVD References: https://www.relyum.com/web/support/vulnerability-report/CVE-2023-6723 - Repbox allows an attacker to achieve full system compromise by exploiting an unrestricted file upload vulnerability in the transforamationfileupload function.Product: Europeana RepoxCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6723NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repoxCVE-2023-42495 - Dasan Networks - W-Web versions 1.22-1.27 allows OS command injection due to improper neutralization of special elements.Product: Dasan Networks W-WebCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-42495NVD References: https://www.gov.il/en/Departments/faq/cve_advisoriesCVE-2023-6756 - Thecosy IceCMS 2.0.1 is vulnerable to improper restriction of excessive authentication attempts in the Captcha Handler component's /login function, allowing for remote attacks due to a disclosed exploit (VDB-247884).Product: Thecosy IceCMSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6756NVD References: - http://124.71.147.32:8082/IceCMS2.html- https://vuldb.com/?ctiid.247884- https://vuldb.com/?id.247884CVE-2023-49363 - Rockoa <2.3.3 is vulnerable to SQL Injection. The problem exists in the indexAction method in reimpAction.php.Product: Rockoa CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49363NVD References: https://github.com/wednesdaygogo/Vulnerability-recurrence/blob/main/rockoa%20less%20than%202.3.3%20sql%20injection%20vulnerability.pdfCVE-2023-6765 - SourceCodester Online Tours & Travels Management System 1.0 is susceptible to a critical SQL injection vulnerability in the email_setup.php file's prepare function (CVE-2021-247895).Product: Mayurik Online Tours & Travels Management SystemCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6765NVD References: - https://blog.csdn.net/xitanging/article/details/134903112- https://vuldb.com/?ctiid.247895- https://vuldb.com/?id.247895CVE-2023-46726 - GLPI versions 10.0.0 to 10.0.11 on PHP 7.4 only allow arbitrary code execution via the LDAP server configuration form using previously uploaded GLPI documents.Product: GLPI-Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46726NVD References: - https://github.com/glpi-project/glpi/commit/42ba2b031bec0b3889317db25f3adf9080fc11b2- https://github.com/glpi-project/glpi/releases/tag/10.0.11- https://github.com/glpi-project/glpi/security/advisories/GHSA-qc92-gxc6-5f95CVE-2023-46727 - GLPI allows SQL injection via the inventory endpoint before version 10.0.11.Product: GLPI-ProjectCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46727NVD References: - https://github.com/glpi-project/glpi/commit/ee2d674481ebef177037e8e14d35c9455b5cfd46- https://github.com/glpi-project/glpi/releases/tag/10.0.11- https://github.com/glpi-project/glpi/security/advisories/GHSA-v799-2mp3-wgfrCVE-2023-6771 - SourceCodester Simple Student Attendance System 1.0 is vulnera…
CVE-2023-48225 - Laf cloud development platform is vulnerable to information leakage in secret and configmap due to insufficient control of LAF app enV prior to version 1.0.0-beta.13.
CVE-2023-50252 - php-svg-lib prior to version 0.5.1 suffers from a PHAR Deserialization vulnerability due to unsanitized href attribute in the <use> tag.
CVE-2023-47577 - Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 allow unauthorized password changes without checking the current password.
CVE-2023-6723 - Repbox allows an attacker to achieve full system compromise by exploiting an unrestricted file upload vulnerability in the transforamationfileupload function.
CVE-2023-42495 - Dasan Networks - W-Web versions 1.22-1.27 allows OS command injection due to improper neutralization of special elements.
CVE-2023-6756 - Thecosy IceCMS 2.0.1 is vulnerable to improper restriction of excessive authentication attempts in the Captcha Handler component's /login function, allowing for remote attacks due to a disclosed exploit (VDB-247884).
CVE-2023-49363 - Rockoa <2.3.3 is vulnerable to SQL Injection. The problem exists in the indexAction method in reimpAction.php.
CVE-2023-6765 - SourceCodester Online Tours & Travels Management System 1.0 is susceptible to a critical SQL injection vulnerability in the email_setup.php file's prepare function (
CVE-2023-46726 - GLPI versions 10.0.0 to 10.0.11 on PHP 7.4 only allow arbitrary code execution via the LDAP server configuration form using previously uploaded GLPI documents.
CVE-2023-46727 - GLPI allows SQL injection via the inventory endpoint before version 10.0.11.
CVE-2023-6771 - SourceCodester Simple Student Attendance System 1.0 is vulnerable to SQL injection through the manipulation of the argument sid in the function save_attendance of actions.class.php (CVE-2021-XXXX).
CVE-2023-40921 - Common Services soliberte before v4.3.03 allows attackers to obtain sensitive information by exploiting an SQL Injection vulnerability in functions/point_list.php through the lat and lng parameters.
CVE-2023-31546 - Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 allows attackers to run arbitrary code via the search feature.
CVE-2023-44709 - PlutoSVG commit 336c02997277a1888e6ccbbbe674551a0582e5c4 and before was discovered to contain an integer overflow via the component plutosvg_load_from_memory.
Product: PlutoSVGCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44709NVD References: - https://gist.github.com/sunwithmoon/3f810c27d2e553f9d31bd7c50566f15b#file-cve-2023-44709- https://github.com/sammycage/plutosvg/issues/7CVE-2023-48084 - Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.Product: Nagios XICVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48084NVD References: https://www.nagios.com/products/security/CVE-2023-48085 - Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.Product: Nagios XICVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48085NVD References: https://www.nagios.com/products/security/CVE-2023-40629, CVE-2023-49707, CVE-2023-49708 - Multiple SQLi vulnerabilities affecting JoomlaProduct: JoomlaCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40629NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49707NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49708NVD References: https://extensions.joomla.org/extension/lms-lite/NVD References: https://extensions.joomla.org/extension/s5-register/NVD References: https://extensions.joomla.org/extension/starshop/CVE-2023-46348 - SunnyToo sturls before version 1.1.13 has an SQL injection vulnerability allowing attackers to gain higher privileges and access sensitive information through StUrls::hookActionDispatcher and StUrls::getInstanceId methods.Product: SunnyToo SturlsCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46348NVD References: https://security.friendsofpresta.org/modules/2023/12/07/sturls.htmlCVE-2023-48925 - Buy Addons bavideotab before version 1.0.6 is vulnerable to an SQL injection attack via BaVideoTabSaveVideoModuleFrontController::run() method, enabling privilege escalation and unauthorized access to sensitive information.Product: Buy-Addons BavideotabCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48925NVD References: https://security.friendsofpresta.org/modules/2023/12/07/bavideotab.htmlCVE-2023-0757 - PHOENIX CONTACT MULTIPROG and PHOENIX CONTACT ProConOS eCLR (SDK) have an Incorrect Permission Assignment vulnerability, allowing remote attackers to upload malicious code and gain full device access.Product: PHOENIX CONTACT MULTIPROG and PHOENIX CONTACT ProConOSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0757NVD References: https://cert.vde.com/en/advisories/VDE-2023-051/CVE-2023-46141 - PHOENIX CONTACT classic line products allow remote unauthenticated attacker to gain full access due to incorrect permission assignment for critical resource.Product: PHOENIX CONTACTCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46141NVD References: https://cert.vde.com/en/advisories/VDE-2023-055/CVE-2023-50073 - EmpireCMS v7.5 was discovered to contain a SQL injection vulnerability via the ftppassword parameter at SetEnews.php.Product: Leadscloud EmpireCMSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50073NVD References: https://github.com/leadscloud/EmpireCMS/issues/7CVE-2023-50563 - Semcms v4.8 was discovered to contain a SQL injection vulnerability via the AID parameter at SEMCMS_Function.php.Product: Sem-Cms SemcmsCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50563NVD References: https://github.com/SecBridge/Cms_Vuls_test/blob/main/Semcms/Semcms_Sql_Inject.mdCVE-2023-47261 - Dokmee ECM 7.4.6 allows remote code execution due to privileged SQL Server database access and xp_cmdshell enablement through the connection string in the response to a GettingStarted/SaveSQLConnectionAsync /#/gettingstarted request.Product: Dokmee Enterprise Content ManagementCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47261NVD References: - https://h3x0s3.github.io/CVE2023~47261/- https://www.dokmee.com/Support-Learn/Updates-Change-LogCVE-2023-48371 - ITPison OMICARD EDM allows an unauthenticated remote attacker to upload and run arbitrary executable files, potentially leading to arbitrary system commands or service disruption.Product: ITPison OMICARD EDMCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48371NVD References: https://www.twcert.org.tw/tw/cp-132-7590-55002-1.htmlCVE-2023-48372 - ITPison OMICARD EDM's SMS-related function allows unauthenticated remote attackers to inject arbitrary SQL commands and gain unauthorized access, modify, and delete the database data.Product: ITPison OMICARD EDMCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48372NVD References: https://www.twcert.org.tw/tw/cp-132-7591-07c51-1.htmlCVE-2023-48376 - SmartStar Software CWS allows unauthenticated remote attackers to upload arbitrary files and perform arbitrary commands or disrupt service due to a lack of file type restrictions in its file uploading function.Product: SmartStar Software CWSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4837…
CVE-2023-48084 - Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.
CVE-2023-48085 - Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.
CVE-2023-40629, CVE-2023-49707, CVE-2023-49708 - Multiple SQLi vulnerabilities affecting Joomla
CVE-2023-46348 - SunnyToo sturls before version 1.1.13 has an SQL injection vulnerability allowing attackers to gain higher privileges and access sensitive information through StUrls::hookActionDispatcher and StUrls::getInstanceId methods.
CVE-2023-48925 - Buy Addons bavideotab before version 1.0.6 is vulnerable to an SQL injection attack via BaVideoTabSaveVideoModuleFrontController::run() method, enabling privilege escalation and unauthorized access to sensitive information.
CVE-2023-0757 - PHOENIX CONTACT MULTIPROG and PHOENIX CONTACT ProConOS eCLR (SDK) have an Incorrect Permission Assignment vulnerability, allowing remote attackers to upload malicious code and gain full device access.
CVE-2023-46141 - PHOENIX CONTACT classic line products allow remote unauthenticated attacker to gain full access due to incorrect permission assignment for critical resource.
CVE-2023-50073 - EmpireCMS v7.5 was discovered to contain a SQL injection vulnerability via the ftppassword parameter at SetEnews.php.
CVE-2023-50563 - Semcms v4.8 was discovered to contain a SQL injection vulnerability via the AID parameter at SEMCMS_Function.php.
CVE-2023-47261 - Dokmee ECM 7.4.6 allows remote code execution due to privileged SQL Server database access and xp_cmdshell enablement through the connection string in the response to a GettingStarted/SaveSQLConnectionAsync /#/gettingstarted request.
CVE-2023-48371 - ITPison OMICARD EDM allows an unauthenticated remote attacker to upload and run arbitrary executable files, potentially leading to arbitrary system commands or service disruption.
CVE-2023-48372 - ITPison OMICARD EDM's SMS-related function allows unauthenticated remote attackers to inject arbitrary SQL commands and gain unauthorized access, modify, and delete the database data.
CVE-2023-48376 - SmartStar Software CWS allows unauthenticated remote attackers to upload arbitrary files and perform arbitrary commands or disrupt service due to a lack of file type restrictions in its file uploading function.
CVE-2023-46279 - Apache Dubbo 3.1.5 is vulnerable to deserialization of untrusted data.
CVE-2023-48384 - ArmorX Spam from ArmorX Global Technology Corporation is vulnerable to SQL injection due to insufficient validation of user input within a special function, allowing unauthenticated remote attackers to access, modify, and delete the database.
CVE-2023-48388 - Multisuns EasyLog web+ allows remote attackers to perform arbitrary system operations or disrupt service by exploiting the vulnerability of using hard-coded credentials.
CVE-2023-48390 - Multisuns EasyLog web+ allows unauthenticated remote attackers to inject code and gain unauthorized access or disrupt service.
CVE-2023-48392 - Kaifa Technology WebITR online attendance system is vulnerable to an unauthenticated remote attacker generating a valid token parameter and exploiting a hard-coded encryption key, allowing unauthorized access to arbitrary user accounts, including the administrator's account, enabling execution of login account's permissions and retrieving relevant information.
CVE-2023-6553 - The Backup Migration plugin for WordPress up to version 1.3.7 is vulnerable to unauthenticated Remote Code Execution via the /includes/backup-heart.php file.
CVE-2023-33218 through CVE-2023-33220 - Multiple vulnerabilities in Idemia-SA-2023-05 Access and Time Biometric Terminals could lead to result in Remote Code execution.
CVE-2023-46116 - Tutanota (Tuta Mail) fails to block harmful URL schemes, allowing malicious actors to gain code execution on a victim's computer.
CVE-2023-50089 - NETGEAR WNR2000v4 version 1.0.0.70 is susceptible to command injection, allowing unauthorized command execution after successful SOAP authentication over HTTP.
CVE-2023-50917 - MajorDoMo before 0662e5e allows command execution via thumb.php shell metacharacters.
CVE-2023-50918 - app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.
CVE-2023-4020 - Silicon Labs TrustZone implementation allows unauthorized access to secure memory from non-secure memory.
CVE-2023-50469 - Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 was discovered to contain a buffer overflow via the ApCliEncrypType parameter at /apply.cgi.
CVE-2023-6848 - Kalcaddle kodbox up to 1.48 is vulnerable to remote command injection in the function check of the file plugins/officeViewer/controller/libreOffice/index.class.php using the argument soffice, allowing attackers to exploit the system; upgrading to version 1.48.04 (patch identifier: 63a4d5708d210f119c24afd941d01a943e25334c) is advised.
CVE-2023-6849 - Kalcaddle kodbox up to 1.48 is vulnerable to server-side request forgery through manipulation of the argument path in the function cover of the file plugins/fileThumb/app.php, allowing remote attackers to launch attacks; upgrading to version 1.48.04 and applying the patch 63a4d5708d210f119c24afd941d01a943e25334c is recommended.
CVE-2023-6850 - Kalcaddle KodExplorer up to 4.51.03 is vulnerable to unrestricted upload in the API Endpoint Handler component, allowing remote attackers to initiate attacks by manipulating the argument path/file in the /index.php?pluginApp/to/yzOffice/getFile file.
CVE-2023-6851 - Kalcaddle KodExplorer up to 4.51.03 is vulnerable to code injection through the function unzipList of the component ZIP Archive Handler, allowing remote attackers to initiate attacks with an exploit that has been publicly disclosed.
CVE-2023-6852 - Kalcaddle KodExplorer up to 4.51.03 allows remote attackers to launch a server-side request forgery via an unknown function in plugins/webodf/app.php.
CVE-2023-6853 - Kalcaddle KodExplorer up to 4.51.03 is vulnerable to server-side request forgery in the function index of the file plugins/officeLive/app.php, allowing remote attackers to exploit the issue which has been publicly disclosed, but it can be addressed by upgrading to version 4.52.01 (patch identifier: 5cf233f7556b442100cf67b5e92d57ceabb126c6; vulnerability identifier: VDB-248221).
CVE-2023-6559 - The MW WP Form plugin for WordPress is prone to arbitrary file deletion, allowing unauthenticated attackers to delete critical files such as wp-config.php, potentially leading to site takeover and remote code execution.
CVE-2023-6885 - Tongda OA 2017 up to 11.10 is affected by a critical vulnerability in the file general/vote/manage/delete.php, allowing for SQL injection via manipulation of the DELETE_STR argument (VDB-248245).
CVE-2023-6898 - SourceCodester Best Courier Management System 1.0 allows SQL injection via the id parameter in manage_user.php, leading to critical vulnerability (VDB-248256).
CVE-2023-6906 - The Totolink A7100RU 7.4cu.2313_B20191024 is vulnerable to a critical buffer overflow through the manipulation of the flag argument in the main function, allowing for remote attack.
CVE-2023-6483 - ADiTaaS version 5.1 allows an unauthenticated remote attacker to gain full access to customer data by exploiting an improper authentication vulnerability in the backend API.
CVE-2023-32725 - URL Widget in the website allows unauthorized access to frontend through session cookie manipulation.
CVE-2023-48738 - Porto Theme - Functionality is vulnerable to SQL Injection before version 2.12.1.
CVE-2023-49750 - Couponis - Affiliate & Submitting Coupons WordPress Theme version n/a before 2.2 is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands.
CVE-2023-6928 - EuroTel ETL3100 versions v01c01 and v01x37 allow unlimited attempts to guess administrative credentials in remote password attacks, enabling full system control.
CVE-2023-6930 - EuroTel ETL3100 versions v01c01 and v01x37 allow unauthenticated users to download configuration and log files, leading to disclosure of sensitive information and potential authentication bypass, privilege escalation, and full system access.
CVE-2023-50707 - The vulnerable product can be exploited to send custom requests that lead to a denial-of-service condition through active user sessions.
CVE-2023-21740 - Windows Media Remote Code Execution Vulnerability
CVE-2023-35621 - Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-35622 - Windows DNS Spoofing Vulnerability
CVE-2023-35624 - Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35628 - Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630 - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35631 - Win32k Elevation of Privilege Vulnerability
CVE-2023-35632 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633 - Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35634 - Windows Bluetooth Driver Remote Code Execution Vulnerability
CVE-2023-35638 - DHCP Server Service Denial of Service Vulnerability
CVE-2023-35639 - Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-35641 - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35643 - DHCP Server Service Information Disclosure Vulnerability
CVE-2023-35644 - Windows Sysmain Service Elevation of Privilege
CVE-2023-36004 - Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
CVE-2023-36005 - Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36006 - Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36010 - Microsoft Defender Denial of Service Vulnerability
CVE-2023-36011 - Win32k Elevation of Privilege Vulnerability
CVE-2023-36020 - Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-36391 - Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-50164 - Struts is vulnerable to file upload parameter manipulation leading to Remote Code Execution, and users should upgrade to Struts 2.5.33 or Struts 6.3.0.2 or newer versions for a fix.
Sponsors
Delinea
*********** Sponsored By Delinea ***********Explore Delinea's 'Conversational Cyber Insurance' eBook for key insights into cyber insurance complexities and solutions. Stay ahead in cyber risk management with expert guidance.
SANS
SANS Spring Cyber Solutions Fest 2024 | Join us on April 17 - 19 for three days of highly technical talks exploring the latest cybersecurity solutions, technologies, and techniques. Led by SANS experts, and invited solutions providers, you'll walk away with new methods, strategies, and key takeaways you can immediately leverage in your work. | Save your seat:
PAS, part of Hexagon
Identify, Evaluate & Prioritize Industrial Cyber Risk | Join Dean Parsons on Jan 10 at 1:00pm ET as he evaluates PAS Cyber Integrity, a new offering from PAS Hexagon designed to harden OT assets against cyber-threats, identify critical endpoint vulnerabilities and risks, enable rapid recovery, and more. | Register now:
Dragos
2023 OT Cybersecurity Year in Review Executive Briefing | Join Dragos CEO and SANS Senior Instructor Robert M. Lee on Feb 23 at 10:30am ET for a look at the most important OT cybersecurity events and lessons learned in 2023. | Register now: