Volume 23 – Number 05

Internet Storm Center Spotlight

INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.https://isc.sans.edu/about.html

Detecting (Malicious) OneNote Files

Published: 2023-02-01

Last Updated: 2023-02-01 08:57:26 UTC

by Didier Stevens (Version: 1)

We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document"https://isc.sans.edu/diary/A+First+Malicious+OneNote+Document/29470).

OneNote files have their own binary fileformat: [MS-ONESTORE].

A OneNote file starts with GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.

Files contained in a OneNote file start with a header (FileDataStoreObject) followed by the embedded file itself. This header also starts with a GUID: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}.

Hence, to detect OneNote files with embedded files, look for files that start with byte sequence E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 (that's GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}) and contain one ore more instances of byte sequence E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC (that's GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}).

This allows you to detect OneNote files with embedded files. Which are not necessarily malicious ... Because an embedded file can just be a picture, for example.

Read the full entry:

https://isc.sans.edu/diary/Detecting+Malicious+OneNote+Files/29494/

Decoding DNS over HTTP(s) Requests

Published: 2023-01-30

Last Updated: 2023-01-30 16:51:54 UTC

by Johannes Ullrich (Version: 1)

I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.

Read the full entry:

https://isc.sans.edu/diary/Decoding+DNS+over+HTTPs+Requests/29488/

Live Linux IR with UAC

Published: 2023-01-26

Last Updated: 2023-01-26 23:07:32 UTC

by Tom Webb (Version: 1)

The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector or UAC(1) created by Thiago Lahr. As you would expect, it gathers most live stats but also collects Virtual box and Docker info and other data on the system. It can dump results files to SFTP, Azure, S3, and IBM storage natively.

With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made.

Read the full entry:

https://isc.sans.edu/diary/Live+Linux+IR+with+UAC/29480/

Internet Storm Center Entries

Rotating Packet Captures with pfSense (2023.02.01)

https://isc.sans.edu/diary/Rotating+Packet+Captures+with+pfSense/29500/

DShield Honeypot Setup with pfSense (2023.01.31)

https://isc.sans.edu/diary/DShield+Honeypot+Setup+with+pfSense/29490/

Recent CVEs

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2022-47966 - Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

** KEV since 2023-01-23 **

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-47966

ISC Podcast:https://isc.sans.edu/podcastdetail.html?podcastid=8340

CVE: CVE-2022-42475 - A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

** KEV Since 2022-12-23 **

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-42475

CVE-2022-45639 - OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-45639

NVD References:

-https://www.binaryworld.it/

-https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639

CVE-2022-25894 - All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via jexl.createExpression(expression).evaluate(context); functionality, due to improper user input validation.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-25894

NVD References:

-https://fmyyy1.github.io/2022/10/23/uflo2rce/

-https://security.snyk.io/vuln/SNYK-JAVA-COMBSTEKUFLO-3091112

CVE-2022-3094 - Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.

CVSS Score: 7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-3094

ISC Podcast:https://isc.sans.edu/podcastdetail.html?podcastid=8344

NVD References:https://kb.isc.org/docs/cve-2022-3094

CVE-2022-3572 - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.

CVSS Score: 9.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-3572

NVD References:

-https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3572.json

-https://gitlab.com/gitlab-org/gitlab/-/issues/378214

-https://hackerone.com/reports/1727985

CVE-2022-45808 - SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.

CVE-2022-45820 - SQL Injection (SQLi) vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.

CVE-2022-47615 - Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.

CVSS Scores: 9.1 - 9.9

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L; N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L; N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

NVD References:https://patchstack.com/articles/multiple-critical-vulnerabilities-fixed-in-learnpress-plugin-version/

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-45808

NVD References:https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-wordpress-lms-plugin-plugin-4-1-7-3-2-sql-injection?_s_id=cve

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-45820

NVD References:https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-1-7-3-2-auth-sql-injection-sqli-vulnerability?_s_id=cve

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-47615

NVD References:https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-1-7-3-2-local-file-inclusion?_s_id=cve

CVE-2023-0321 - Campbell Scientific dataloggers CR6, CR300, CR800, CR1000 and CR3000 may allow an attacker to download configuration files, which may contain sensitive information about the internal network. From factory defaults, the mentioned datalogges have HTTP and PakBus enabled. The devices, with the default configuration, allow this situation via the PakBus port. The exploitation of this vulnerability may allow an attacker to download, modify, and upload new configuration files.

CVSS Score: 9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-0321

NVD References:

-https://www.hackplayers.com/2023/01/cve-2023-0321-info-sensible-campbell.html

-https://www.incibe-cert.es/en/early-warning/ics-advisories/disclosure-sensitive-information-campbell-scientific-products

CVE-2023-0452 - All versions of Econolite EOS traffic control software are vulnerable to CWE-328: Use of Weak Hash, and use a weak hash algorithm for encrypting privileged user credentials. A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-0452

NVD References:https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-02

CVE-2023-22482 - Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds.

CVSS Score: 9.0

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-22482

NVD References:https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc

CVE-2023-23619 - Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue has been partially mitigated in version 1.0.0, with the maintainer's GitHub Security Advisory (GHSA) noting "It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue. Further similar situations are NOT seen as a security issue, but intended behavior." The suggested workaround from the maintainers is "Fully custom presets that change the entire rendering process which can then escape the user input."

CVSS Score: 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-23619

NVD References:https://github.com/asyncapi/modelina/security/advisories/GHSA-4jg2-84c2-pj95

CVE-2023-24022 - Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)

CVSS Score: 10.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-24022

NVD References:

-https://baicells.zendesk.com/hc/en-us/articles/6188324645780-2023-1-17-Hard-Coded-Credential-Crypt-Vulnerability

-https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG

-https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf

CVE-2023-0556 - The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function cstu_get_metadata) that includes the plugin's contentstudio_token. Knowing this token allows for other interactions with the plugin such as creating posts in versions prior to 1.2.5, which added other requirements to posting and updating.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-0556

NVD References:

-https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.2.1/contentstudio-plugin.php#L517

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2851006%40contentstudio%2Ftrunk&old=2844028%40contentstudio%2Ftrunk&sfp_email=&sfph_mail=

- https://www.wordfence.com/threat-intel/vulnerabilities/id/52db8d41-859a-4d68-8b83-3d3af8f1bf64

CVE-2022-27596 - A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later QTS 5.0.1.2234 build 20221201 and later

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-27596

NVD References:https://www.qnap.com/en/security-advisory/qsa-23-01

CVE-2022-32513 - A CWE-521: Weak Password Requirements vulnerability exists that could allow an attacker to gain control of the device when the attacker brute forces the password. Affected Products: C-Bus Network Automation Controller - LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller - LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller - 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller - 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller - 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller - 5500AC2 (Versions prior to V1.10.0)

CVE-2022-32514 - A CWE-287: Improper Authentication vulnerability exists that could allow an attacker to gain control of the device when logging into a web page. Affected Products: C-Bus Network Automation Controller - LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller - LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller - 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller - 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller - 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller - 5500AC2 (Versions prior to V1.10.0)

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32513

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32514

NVD References:https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-06_C-Bus_Home_Automation_Products_Security_Notification.pdf

CVE-2022-32522 - A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted mathematically reduced data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32523 - A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted online data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32524 - A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted time reduced data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32525 - A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32526 - A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted setting value messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32527 - A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm cache data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32529 - A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted log data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32522

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32523

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32524

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32525

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32526

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32527

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-32529

NVD References:https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification_V2.pdf

CVE-2022-24324 - A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22073)

CVE-2022-2329 - A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22073)

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-24324

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-2329

NVD References:https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf

CVE-2022-42970 - A CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)

CVE-2022-42971 - A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-42970

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-42971

NVD References:https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf

CVE-2022-39060 - ChangingTech MegaServiSignAdapter component has a vulnerability of improper input validation. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkey (ex: AutoRUN) in Registry where malicious scripts can be executed to take control of the system or to terminate the service.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-39060

NVD References:https://www.twcert.org.tw/tw/cp-132-6887-6ed4f-1.html

CVE-2023-22900 - Efence login function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete database.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-22900

NVD References:https://www.twcert.org.tw/tw/cp-132-6885-d679e-1.html

CVE-2023-22610 - A CWE-285: Improper Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. Affected Products: EcoStruxure™ Geo SCADA Expert 2019, EcoStruxure™ Geo SCADA Expert 2020, EcoStruxure™ Geo SCADA Expert 2021 (All versions prior to October 2022), ClearSCADA (All Versions).

CVSS Score: 9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-22610

NVD References:https://www.se.com/ww/en/download/document/SEVD-2023-010-02/

CVE-2023-23924 - Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.

CVSS Score: 10.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-23924

NVD References:

-https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85

-https://github.com/dompdf/dompdf/releases/tag/v2.0.2

-https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

CVE-2023-21538 - .NET Denial of Service Vulnerability

CVSS Score: 7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-21538

MSFT Details:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21538