Internet Storm Center Spotlight



ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

PacketCrypt Classic Cryptocurrency Miner on PHP Servers

Published: 2025-01-07.

Last Updated: 2025-01-07 11:40:39 UTC

by Yee Ching Tok (Version: 1)

The SANS DShield project receives a wide variety of logs submitted by participants of the DShield project. Looking at the “First Seen” URLs page, I observed an interesting URL and dived deeper to investigate. The URL recorded is as follows ...

Let’s make it more readable via the quintessential CyberChef or another web proxy tool such as Burp Decoder ...

Interesting. As the name implies, it looks like an executable that is designed to download a secondary payload. A quick search of the filename yielded a recent VirusTotal (VT) submission and a SHA256 hash ...

Some brief dynamic malware reverse engineering yielded very interesting observations ...

Read the full entry:

https://isc.sans.edu/diary/PacketCrypt+Classic+Cryptocurrency+Miner+on+PHP+Servers/31564/

Make Malware Happy

Published: 2025-01-06.

Last Updated: 2025-01-06 07:10:28 UTC

by Xavier Mertens (Version: 1)

When I teach FOR610, I like to use a funny quotation with my students: “Make malware happy!” What does it mean? Yes, we like malware, and we need to treat it in a friendly way. To help the malware work or detonate successfully, it’s recommended that we replicate the environment where it was discovered (or at least, as much as possible). This is not always easy because we often receive a sample outside of its context.

Some examples?

- Respect the user rights: are administrator rights required?

- Respect the path of the files used by the malware (or its own path)

- Respect the OS and tool versions

- Respect the binary name

Some sandboxes launch samples in a VM from the same directory and with the same name, such as "c:\temp\sample.exe". From the malware's point of view, it’s a piece of cake to detect that the environment has changed!

First example, detect the name of the executable file in .Net ...

Read the full entry:

https://isc.sans.edu/diary/Make+Malware+Happy/31560/

Goodware Hash Sets

Published: 2025-01-02.

Last Updated: 2025-01-02 15:21:40 UTC

by Xavier Mertens (Version: 1)

In the cybersecurity landscape, we all need hashes! A hash is the result of applying a special mathematical function (a “hash function”) that transforms an input (such as a file or a piece of text) into a fixed-size string or number. This output, often called a “hash value,” “digest,” or “checksum,” uniquely represents the original data. In the context of this diary, hashes are commonly used for data integrity checks. There are plenty of them (MD5, SHA-1, SHA-2, SHA-256, …); SHA-256 has been the most popular for a while because older ones such as MD5 are considered broken: researchers have demonstrated practical collision attacks against them.

Hashes are a nice way to identify malware samples, payloads, or any type of suspicious file (I usually share the hash of the malware analyzed in my diaries). In your threat-hunting process, you can search for interesting files across your infrastructure via sets of malware hashes. Some of these sets are freely available, for example on Malware Bazaar.

But other sets of hashes are also interesting when they contain the hashes of known-safe files. The approach is the same: instead of searching for malicious files, you verify that the files on your hosts are good.

Exacorn has released an interesting ZIP archive[2] with “good ware” (as opposed to “malware”). The file (2GB) provides 12M hashes and filenames ...

Read the full entry:

https://isc.sans.edu/diary/Goodware+Hash+Sets/31556/

Internet Storm Center Entries


SwaetRAT Delivery Through Python (2025.01.03)

https://isc.sans.edu/diary/SwaetRAT+Delivery+Through+Python/31554/

No Holiday Season for Attackers (2024.12.31)

https://isc.sans.edu/diary/No+Holiday+Season+for+Attackers/31552/

Changes in SSL and TLS support in 2024 (2024.12.30)

https://isc.sans.edu/diary/Changes+in+SSL+and+TLS+support+in+2024/31550/

Phishing for Banking Information (2024.12.27)

https://isc.sans.edu/diary/Phishing+for+Banking+Information/31548/

Capturing Honeypot Data Beyond the Logs (2024.12.26)

https://isc.sans.edu/diary/Capturing+Honeypot+Data+Beyond+the+Logs/31546/

Compiling Decompyle++ For Windows (2024.12.25)

https://isc.sans.edu/diary/Compiling+Decompyle+For+Windows/31544/

More SSH Fun! (2024.12.24)

https://isc.sans.edu/diary/More+SSH+Fun/31542/

Modiloader From Obfuscated Batch File (2024.12.23)

https://isc.sans.edu/diary/Modiloader+From+Obfuscated+Batch+File/31540/

Christmas "Gift" Delivered Through SSH (2024.12.20)

https://isc.sans.edu/diary/Christmas+Gift+Delivered+Through+SSH/31538/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-12356 - Privileged Remote Access (PRA) and Remote Support (RS) products are vulnerable to unauthenticated attackers injecting commands as a site user.

Product: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)

CVSS Score: 0

** KEV since 2024-12-19 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12356

ISC Podcast: https://isc.sans.edu/podcastdetail/9268

CVE-2024-4577 - PHP-CGI OS Command Injection Vulnerability

Product: Fedora Project Fedora 40

CVSS Score: 0

** KEV since 2024-06-12 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4577

ISC Diary: https://isc.sans.edu/diary/31564

CVE-2024-11972 - The Hunk Companion WordPress plugin before 1.9.0 allows unauthenticated users to install and activate arbitrary plugins from the WordPress.org repo.

Product: WordPress Hunk Companion WordPress plugin

Active Installations: 10,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11972

NVD References: https://wpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/

CVE-2024-12106 - In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.

Product: Progress WhatsUp Gold

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12106

NVD References: https://www.progress.com/network-monitoring

CVE-2024-12108 - WhatsUp Gold versions released before 2024.0.2 are vulnerable to attackers gaining server access via the public API.

Product: Progress WhatsUp Gold

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12108

NVD References: https://www.progress.com/network-monitoring

CVE-2024-13061 - The Electronic Official Document Management System from 2100 Technology suffers from an Authentication Bypass vulnerability that allows unauthenticated remote attackers to obtain user tokens and log into the system.

Product: 2100 Technology Electronic Official Document Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13061

NVD References:

- https://www.chtsecurity.com/news/255984da-6630-4e25-ba9b-5ce6933935a6

- https://www.chtsecurity.com/news/ade9e9af-61d0-4e3c-8aa0-e8524ee2cfbc

- https://www.twcert.org.tw/en/cp-139-8340-d8b16-2.html

- https://www.twcert.org.tw/tw/cp-132-8339-570fa-1.html

CVE-2024-56039, CVE-2024-56040, CVE-2024-56042 through CVE-2024-56046 - Multiple vulnerabilities in VibeThemes VibeBP and VibeThemes WPLMS

Products: VibeThemes VibeBP and WPLMS

Active Installations: 1,000+

CVSS Scores: 9.3 - 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56039

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56040

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56042

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56043

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56044

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56045

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56046

NVD References:

- https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-7-7-unauthenticated-sql-injection-vulnerability

- https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-4-1-unauthenticated-privilege-escalation-vulnerability

- https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-unauthenticated-sql-injection-vulnerability

- https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-privilege-escalation-vulnerability

- https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-arbitrary-user-token-generation-vulnerability

- https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-unauthenticated-arbitrary-directory-deletion-vulnerability

- https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-arbitrary-file-upload-vulnerability

CVE-2024-56064 - Azzaroco WP SuperBackup allows for the unrestricted upload of dangerous files, such as web shells, posing a threat to web servers running versions n/a through 2.3.3.

Product: Azzaroco WP SuperBackup

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56064

NVD References: https://patchstack.com/database/wordpress/plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-unauthenticated-arbitrary-file-upload-vulnerability

CVE-2024-56066 - Missing Authorization vulnerability in Inspry Agency Toolkit allows Privilege Escalation. This issue affects Agency Toolkit: from n/a through 1.0.23.

Product: Inspry Agency Toolkit

Active Installations: 100+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56066

NVD References: https://patchstack.com/database/wordpress/plugin/agency-toolkit/vulnerability/wordpress-agency-toolkit-plugin-1-0-23-privilege-escalation-vulnerability

CVE-2024-56829 - Huang Yaoshi Pharmaceutical Management Software through 16.0 is vulnerable to arbitrary file upload via a .asp filename in SOAP requests to /XSDService.asmx.

Product: Huang Yaoshi Pharmaceutical Management Software

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56829

CVE-2024-56249 - Webdeclic WPMasterToolKit is vulnerable to unrestricted upload of file with dangerous type, allowing attackers to upload a web shell to a web server.

Product: Webdeclic WPMasterToolKit

Active Installations: 800+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56249

NVD References: https://patchstack.com/database/wordpress/plugin/wpmastertoolkit/vulnerability/wordpress-wpmastertoolkit-plugin-1-13-1-arbitrary-file-upload-vulnerability

CVE-2024-53842 - The vulnerability in cc_SendCcImsInfoIndMsg of cc_MmConManagement.c could result in remote code execution without requiring user interaction.

Product: Android

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53842

NVD References: https://source.android.com/security/bulletin/pixel/2024-12-01

CVE-2025-22275 - iTerm2 versions 3.5.6 through 3.5.10 can be exploited by remote attackers to access sensitive information via the /tmp/framer.txt file in certain configurations, such as it2ssh and SSH Integration.

Product: iTerm2

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22275

NVD References:

- https://gitlab.com/gnachman/iterm2/-/wikis/SSH-Integration-Information-Leak

- https://iterm2.com/downloads/stable/iTerm2-3_5_11.changelog

- https://news.ycombinator.com/item?id=42579472

CVE-2024-9140 - Moxa's cellular routers, secure routers, and network security appliances are susceptible to a critical vulnerability, CVE-2024-9140, allowing attackers to execute arbitrary code through OS command injection.

Product: Moxa cellular routers

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9140

NVD References: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo

CVE-2024-55078 - WukongCRM-11.0-JAVA v11.3.3 is vulnerable to arbitrary file upload in /adminUser/updateImg, allowing for code execution through malicious file uploads.

Product: WukongCRM-11.0-JAVA

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55078

NVD References:

- https://gist.github.com/summerxxoo/8a0c9905feda6e192c10b860888afd26

- https://github.com/summerxxoo/VulnPoc/blob/main/WukongCRM-11.0-JAVA%20-File%20upload%20across%20directories.md

CVE-2024-55507 - An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component.

Product: CodeAstro Complaint Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55507

NVD References: https://github.com/CV1523/CVEs/blob/main/CVE-2024-55507.md

CVE-2025-22376 - Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl uses a weak default nonce generated from a 32-bit integer.

Product: Perl Net::OAuth

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22376

NVD References:

- https://metacpan.org/release/KGRENNAN/Net-OAuth-0.28/source/lib/Net/OAuth/Client.pm#L260

- https://metacpan.org/release/RRWO/Net-OAuth-0.29/changes

CVE-2024-12583 - The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read through Twig Server-Side Template Injection up to version 1.3.23, allowing authenticated attackers with Contributor-level access to execute code on the server.

Product: Microsoft Dynamics 365 Integration plugin

Active Installations: 800+

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12583

NVD References:

- https://plugins.trac.wordpress.org/browser/integration-dynamics/trunk/src/Shortcode/Twig.php#L53

- https://plugins.trac.wordpress.org/changeset/3210927/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3dac5a-9ff8-4e8c-8c73-422123e121d8

CVE-2024-20148 - In wlan STA FW, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Mediatek wlan STA FW

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20148

NVD References: https://corp.mediatek.com/product-security-bulletin/January-2025

CVE-2024-5594 - OpenVPN before 2.6.11 allows attackers to inject unexpected arbitrary data into third-party executables or plug-ins through improperly sanitized PUSH_REPLY messages.

Product: OpenVPN

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5594

NVD References:

- https://community.openvpn.net/openvpn/wiki/CVE-2024-5594

- https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html

CVE-2025-21613 - Go-git versions prior to v5.13 are vulnerable to argument injection, allowing attackers to set arbitrary values to git-upload-pack flags when using the file transport protocol.

Product: go-git

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21613

NVD References: https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m

CVE-2024-46622 - SecureAge Security Suite software versions 7.0.x, 7.1.x, 8.0.x, and 8.1.x allow arbitrary file manipulation due to an Escalation of Privilege vulnerability.

Product: SecureAge Security Suite

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46622

NVD References:

- https://www.secureage.com/

- https://www.secureage.com/blog/resolved-escalation-of-privilege

CVE-2024-54879 & CVE-2024-54880 - SeaCMS V13.1 Incorrect Access Control vulnerabilities.

Product: SeaCMS V13.1

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54879

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54880

NVD References:

- http://seacms.com

- https://blog.csdn.net/weixin_46686336/article/details/144797242

- https://blog.csdn.net/weixin_46686336/article/details/144797063

CVE-2024-55529 - Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \zb_users\theme\shell\template.

Product: Z-BlogPHP 1.7.3

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55529

NVD References: https://github.com/fengyijiu520/Z-Blog-

CVE-2024-12402 - The Themes Coder plugin for WordPress allows unauthenticated attackers to perform privilege escalation via account takeover by changing arbitrary user passwords up to version 1.3.4.

Product: Themes Coder Create Android & iOS Apps For Your Woocommerce Site

Active Installations: **This plugin has been closed as of January 2, 2025 and is not available for download. This closure is temporary, pending a full review.**

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12402

NVD References:

- https://plugins.trac.wordpress.org/browser/tc-ecommerce/trunk/controller/app_user.php#L338

- https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec14b1e-6d1a-4451-9fce-ac064623d92f

CVE-2024-12252 - The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite, allowing unauthenticated attackers to achieve remote code execution.

Product: WordPress SEO LAT Auto Post plugin

Active Installations: **This plugin has been closed as of December 30, 2024 and is not available for download. This closure is temporary, pending a full review.**

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12252

NVD References:

- https://wordpress.org/plugins/seo-beginner-auto-post/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/67df10cc-ce3c-4157-9860-7e367062f710

CVE-2024-12264 - The PayU CommercePro Plugin for WordPress allows unauthenticated attackers to create administrative user accounts by exploiting privilege escalation vulnerabilities.

Product: PayU CommercePro Plugin

Active Installations: 6,000

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12264

NVD References:

- https://plugins.trac.wordpress.org/browser/payu-india/tags/3.8.3/includes/class-payu-shipping-tax-api-calculation.php#L187

- https://www.wordfence.com/threat-intel/vulnerabilities/id/bf037e4a-2dd7-4296-b86b-635901d2d68f

CVE-2024-12470 - The School Management System – SakolaWP plugin for WordPress allows unauthenticated attackers to register as an administrative user due to privilege escalation vulnerability in versions up to 1.0.8.

Product: WordPress SakolaWP plugin

Active Installations: **This plugin has been closed as of December 31, 2024 and is not available for download. This closure is temporary, pending a full review.**

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12470

NVD References:

- https://wordpress.org/plugins/sakolawp-lite/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/db1c581b-5cc9-46c0-ba5d-605642697729

CVE-2024-8855 - The WordPress Auction Plugin WordPress plugin through 3.7 is vulnerable to SQL injection attacks due to unsanitized input.

Product: WordPress Auction Plugin WordPress Plugin

Active Installations: 700

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8855

NVD References: https://wpscan.com/vulnerability/04084f2a-45b8-4249-a472-f156fad0c90a/

CVE-2024-43243 - ThemeGlow JobBoard Job listing allows unrestricted upload of file with dangerous type, enabling attackers to upload a web shell to a web server, affecting versions from n/a through 1.2.6.

Product: ThemeGlow JobBoard Job listing

Active Installations: 100+

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43243

NVD References: https://patchstack.com/database/wordpress/plugin/job-board-light/vulnerability/wordpress-jobboard-job-listing-plugin-1-2-6-arbitrary-file-upload-vulnerability

CVE-2024-49222 - WPGuppy by Amento Tech Pvt ltd is vulnerable to object injection through deserialization of untrusted data from versions n/a to 1.1.0.

Product: Amento Tech Pvt ltd WPGuppy

Active Installations: 800

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49222

NVD References: https://patchstack.com/database/wordpress/plugin/wpguppy-lite/vulnerability/wordpress-wpguppy-plugin-1-1-0-php-object-injection-vulnerability

CVE-2024-49649 - Abdul Hakeem Build App Online is vulnerable to PHP Local File Inclusion due to an improper control of filename in include/require statement issue, affecting versions from n/a through 1.0.23.

Product: Abdul Hakeem Build App Online

Active Installations: 700+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49649

NVD References: https://patchstack.com/database/wordpress/plugin/build-app-online/vulnerability/wordpress-build-app-online-plugin-1-0-23-local-file-inclusion-vulnerability

CVE-2024-56278 - WP Ultimate Exporter is vulnerable to Code Injection via PHP Remote File Inclusion from version n/a through 2.9.1.

Product: Smackcoders WP Ultimate Exporter

Active Installations: 10,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56278

NVD References: https://patchstack.com/database/wordpress/plugin/wp-ultimate-exporter/vulnerability/wordpress-wp-ultimate-exporter-plugin-2-9-1-remote-code-execution-rce-vulnerability

CVE-2024-56290 - Multiple Shipping And Billing Address For Woocommerce from n/a through 1.2 allows SQL Injection.

Product: silverplugins217 Multiple Shipping And Billing Address For Woocommerce

Active Installations: 200+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56290

NVD References: https://patchstack.com/database/wordpress/plugin/different-shipping-and-billing-address-for-woocommerce/vulnerability/wordpress-multiple-shipping-and-billing-address-for-woocommerce-plugin-1-2-unauthenticated-sql-injection-vulnerability

CVE-2025-21624 - ClipBucket V5 has a file upload vulnerability in Manage Playlist functionality, pre 5.5.1 - 239, allowing attackers to upload malicious PHP files in place of images.

Product: ClipBucket V5

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21624

NVD References:

- https://github.com/MacWarrior/clipbucket-v5/commit/893bfb0f1236c4a59b5e2843ab8d27a1e491b12b

- https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-98vm-2xqm-xrcc


CVE-2025-22133 - WeGIA, a web manager for charitable institutions, had a critical vulnerability prior to version 3.2.8 in the file upload endpoint, allowing malicious files to be executed by the server.

Product: WeGIA web manager

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22133

NVD References:

- https://github.com/nilsonLazarin/WeGIA/commit/a08f04de96d3caec85496d7a89a5b82d1960d9dd

- https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf

CVE-2024-50603 - Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996 allows an unauthenticated attacker to execute arbitrary code by sending shell metacharacters to certain API endpoints.

Product: Aviatrix Controller

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50603

NVD References:

- https://docs.aviatrix.com/documentation/latest/network-security/index.html

- https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers

- https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/

CVE-2024-43405 - Nuclei is vulnerable to a signature verification bypass vulnerability in its template system, allowing attackers to execute malicious code via custom code templates, affecting CLI and SDK users up to version 3.3.2.

Product: ProjectDiscovery Nuclei

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43405

ISC Podcast: https://isc.sans.edu/podcastdetail/9268

NVD References:

- https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a

- https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm

CVE-2024-6387 - OpenSSH's server (sshd) contains a race condition that allows unauthenticated remote attackers to trigger unsafe signal handling by failing to authenticate within a specific time frame (CVE-2006-5051).

Product: Netbsd

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6387

ISC Podcast: https://isc.sans.edu/podcastdetail/9268