Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Increase in exploits against Joomla

Published: 2023-03-08

Last Updated: 2023-03-08 18:08:20 UTC

by Johannes Ullrich (Version: 1)

About three weeks ago, Joomla fixed a vulnerability in the Joomla content management system, patching a trivial-to-exploit access control vulnerability. The vulnerability allowed access to the Joomla username/password database.

The patch deployed to mitigate the issue tells us a bit about what happened...

Read the full entry:

https://isc.sans.edu/diary/Increase+in+exploits+agains+Joomla+CVE202323752/29614/

Hackers Love This VSCode Extension: What You Can Do to Stay Safe

Published: 2023-03-07

Last Updated: 2023-03-07 15:04:31 UTC

by Johannes Ullrich (Version: 1)

[David Boyd, a SANS.edu undergraduate intern, submitted this post]

Have you ever considered that a VSCode extension you rely on could also be the very tool that puts your sensitive data in the hands of attackers? As fellow developers, we can often be seen using the popular open-source platform Visual Studio Code (VSCode), and even if you do not, you will know someone who does.

On February 19, 2023, an attempted exploit was identified in my DShield honeypot's web logs. The attack targeted a security vulnerability in the VSCode-SFTP extension, which allows users to synchronize a local directory with a remote server via the web request...

Read the full entry:

https://isc.sans.edu/diary/Hackers+Love+This+VSCode+Extension+What+You+Can+Do+to+Stay+Safe/29610/

Internet Storm Center Entries


Scanning s3 buckets (2023.03.06)

https://isc.sans.edu/diary/Scanning+s3+buckets/29606/

YARA: Detect The Unexpected ... (2023.03.02)

https://isc.sans.edu/diary/YARA+Detect+The+Unexpected/29598/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-21716 - Microsoft Word Remote Code Execution Vulnerability

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21716

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8398

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716

CVE-2023-0339 - Relative Path Traversal vulnerability in ForgeRock Access Management Web Policy Agent allows Authentication Bypass. This issue affects Access Management Web Policy Agent: all versions up to 5.10.1

CVE-2023-0511 - Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass. This issue affects Access Management Java Policy Agent: all versions up to 5.10.1

CVSS Score: 9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0339

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0511

NVD References:

- https://backstage.forgerock.com/downloads/browse/am/featured/web-agents

- https://backstage.forgerock.com/knowledge/kb/article/a21576868

CVE-2023-20946 - In onStart of BluetoothSwitchPreferenceController.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-244423101

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20946

NVD References: https://source.android.com/security/bulletin/2023-02-01

CVE-2023-27372 - SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27372

NVD References:

- https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html

- https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266

- https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d

- https://www.debian.org/security/2023/dsa-5367

CVE-2023-1099 - A vulnerability was found in SourceCodester Online Student Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file eduauth/edit-class-detail.php?editid=1. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. VDB-222002 is the identifier assigned to this vulnerability.

CVE-2023-1100 - A vulnerability classified as critical has been found in SourceCodester Online Catering Reservation System 1.0. This affects an unknown part of the file /reservation/add_message.php of the component POST Parameter Handler. The manipulation of the argument fullname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222003.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1099

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1100

NVD References:

- https://vuldb.com/?ctiid.222002

- https://vuldb.com/?id.222002

- https://github.com/jackswordsz/bug_report/blob/main/vendors/emoblazz/Online%20Catering%20Reservation%20System/SQLi-1.md

- https://vuldb.com/?ctiid.222003

- https://vuldb.com/?id.222003

CVE-2023-20032 - On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code. This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition. For a description of this vulnerability, see the ClamAV blog ["https://blog.clamav.net/"].

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20032

NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy

CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750 - There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2023-22751 and CVE-2023-22752 - There are stack-based buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22747

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22748

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22749

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22750

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22751

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22752

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt

CVE-2023-1064 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Uzay Baskul Weighbridge Automation Software allows SQL Injection. This issue affects Weighbridge Automation Software: before 1.1.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1064

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0115

CVE-2023-1114 - Improper Input Validation vulnerability in Eskom Bilgisayar e-Belediye allows Information Elicitation. This issue affects e-Belediye: from 1.0.0.95 before 1.0.0.100.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1114

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0113-2

CVE-2021-3854 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-3854

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0120

CVE-2023-0839 - Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ProMIS Process Co. InSCADA allows Account Footprinting. This issue affects inSCADA: before 20230115-1.

CVSS Score: 10.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0839

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0127

CVE-2023-0979 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MedData Informatics MedDataPACS. This issue affects MedDataPACS: before 2023-03-03.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0979

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0129

CVE-2022-3760 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mia Technology Mia-Med. This issue affects Mia-Med: before 1.0.0.58.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3760

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0130

CVE-2023-1097 - Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and run with root permissions. The following methods have been tested and validated by a 3rd-party analyst and have been confirmed exploitable. Special thanks to Lionel Musonza for the discovery.

CVSS Score: 9.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1097

NVD References:

- https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756

- https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin

CVE-2023-26477 - XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.

CVSS Score: 10.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26477

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg

- https://jira.xwiki.org/browse/XWIKI-19757

CVE-2023-26055 - XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.

CVSS Score: 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26055

NVD References:

- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h

- https://jira.xwiki.org/browse/XCOMMONS-2498

- https://jira.xwiki.org/browse/XWIKI-19793

- https://jira.xwiki.org/browse/XWIKI-19794

CVE-2023-26471 - XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.

CVSS Score: 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26471

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9cqm-5wf7-wcj7

- https://jira.xwiki.org/browse/XWIKI-20234

CVE-2023-26472 - XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for users not having edit right. The issue has been patched in XWiki 14.9, 14.4.6, and 13.10.10. An available workaround is to fix the bug in the page `IconThemesCode.IconThemeSheet` by applying a modification from commit 48caf7491595238af2b531026a614221d5d61f38.

CVSS Score: 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26472

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vwr6-qp4q-2wj7

- https://jira.xwiki.org/browse/XWIKI-19731

CVE-2023-26474 - XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.

CVSS Score: 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26474

NVD References:

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r

- https://jira.xwiki.org/browse/XWIKI-20373

CVE-2023-26475 - XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

CVSS Score: 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26475

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr

- https://jira.xwiki.org/browse/XWIKI-20360

- https://jira.xwiki.org/browse/XWIKI-20384

CVE-2023-27479 - XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters. A proof of concept exploit is to log in, add an `XWiki.UIExtensionClass` xobject to the user profile page, with an Extension Parameters content containing `label={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}`. Then, navigating to `PanelsCode.ApplicationsPanelConfigurationSheet` (i.e., `<xwiki-host>/xwiki/bin/view/PanelsCode/ApplicationsPanelConfigurationSheet` where `<xwiki-host>` is the URL of your XWiki installation) should not execute the Groovy script. If it does, you will see `Hello from groovy!` displayed on the screen. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. For users unable to upgrade the issue can be fixed by editing the `PanelsCode.ApplicationsPanelConfigurationSheet` wiki page and making the same modifications as shown in commit `6de5442f3c`.

CVSS Score: 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27479

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/6de5442f3c91c3634a66c7b458d5b142e1c2a2dc

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qxjg-jhgw-qhrv

- https://jira.xwiki.org/browse/XWIKI-20294

CVE-2023-27290 - Docker based datastores for IBM Instana (IBM Observability with Instana 239-0 through 239-2, 241-0 through 241-2, and 243-0) do not currently require authentication. Due to this, an attacker within the network could access the datastores with read/write access. IBM X-Force ID: 248737.

CVSS Score: 9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27290

NVD References:

- https://exchange.xforce.ibmcloud.com/vulnerabilities/248737

- https://www.ibm.com/support/pages/node/6959969

CVE-2023-26481 - authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected by this. With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2.

CVSS Score: 9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26481

NVD References:

- https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3

- https://goauthentik.io/docs/releases/2023.2#fixed-in-202323

CVE-2019-8720 - A vulnerability was found in WebKit. The flaw is triggered when processing maliciously crafted web content that may lead to arbitrary code execution. Improved memory handling addresses the multiple memory corruption issues.

CVSS Score: 0

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

** KEV since 2022-05-23 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-8720

NVD References:

- https://bugzilla.redhat.com/show_bug.cgi?id=1876611

- https://webkitgtk.org/security/WSA-2019-0005.html