Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html


Supply Chain Compromise or False Positive: The Intriguing Case of efile.com [updated - confirmed malicious code]

Published: 2023-04-03

Last Updated: 2023-04-03 19:08:14 UTC

by Johannes Ullrich (Version: 1)


[Added an update at the end with more details regarding the "update.exe" file. I think it is safe to say at this point that efile.com has been compromised.]


Last week, related to the 3CX compromise, I mentioned how difficult it can be to determine if an overall trusted resource is compromised. This weekend, our reader Drew sent us a note that there is some talk about efile.com being possibly compromised. Users are reporting a popup that offers a file "update.exe." This in itself is, of course, highly suspicious. But I was not able to reproduce the issue. Drew also linked to an any.run analysis showing the behavior.


The update.exe was apparently uploaded to VirusTotal. As I checked earlier today, only two engines flagged the file: Crowdstrike and Cynet. I just redid the analysis and did not get any additional positives. The file appears to have been uploaded on March 17th, and the creation time is March 17th as well. A post on Reddit also observed the behavior on March 17th.


Let's take a closer look at efile.com. The site uses common modern technologies: Bootstrap, jQuery, and Google Analytics [4]. Nothing too special about this. But things get a bit more interesting looking at the sources downloaded by the browser.


Read the complete entry: https://isc.sans.edu/diary/Supply+Chain+Compromise+or+False+Positive+The+Intriguing+Case+of+efilecom+updated+confirmed+malicious+code/29708/
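The diary's next step, reviewing what the page actually loads, can be started with a static pass over the HTML. The script below is an added example for this digest, not code from the diary or from efile.com: the page URL, the HTML and every host name in it are constructed sample input (www.example.com is a placeholder), and the first-party test is a simple "www."-stripping heuristic rather than a public-suffix lookup.

```python
"""Static triage of what a page pulls in: list every resource the HTML
references and flag hosts that are neither first-party nor on an allow-list
of expected third parties (CDN, analytics).

Added example; not code from the diary or from efile.com. Everything below
marked "constructed" is sample input, not observed data."""
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that names the resource the browser will fetch.
_RESOURCE_ATTRS = {"script": "src", "iframe": "src", "link": "href", "img": "src"}


@dataclass(frozen=True)
class Resource:
    tag: str
    url: str          # absolute URL after resolving relative / protocol-relative forms
    host: str
    first_party: bool


@dataclass(frozen=True)
class Report:
    first_party: tuple[Resource, ...]
    known_third_party: tuple[Resource, ...]
    unexpected: tuple[Resource, ...]   # the ones to look at first
    inline_scripts: int


def _same_site(host: str, page_host: str) -> bool:
    """Heuristic: drop a leading 'www.' and accept the host and its subdomains.
    Good enough for triage; a public-suffix list is needed for co.uk-style domains."""
    base = page_host[4:] if page_host.startswith("www.") else page_host
    return host == base or host.endswith("." + base)


class _ResourceCollector(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname or ""
        self.resources: list[Resource] = []
        self.inline_scripts = 0

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        attr = _RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value is None:
            if tag == "script":
                self.inline_scripts += 1   # <script> with a body instead of a src
            return
        absolute = urljoin(self.page_url, value)     # resolves "/x.js" and "//host/x.js"
        host = urlsplit(absolute).hostname or ""
        self.resources.append(Resource(tag, absolute, host, _same_site(host, self.page_host)))


def analyse(page_url: str, html: str, known_hosts: frozenset[str] = frozenset()) -> Report:
    """Parse the HTML once and split the referenced resources into three buckets."""
    parser = _ResourceCollector(page_url)
    parser.feed(html)
    parser.close()
    res = parser.resources
    return Report(
        first_party=tuple(r for r in res if r.first_party),
        known_third_party=tuple(r for r in res if not r.first_party and r.host in known_hosts),
        unexpected=tuple(r for r in res if not r.first_party and r.host not in known_hosts),
        inline_scripts=parser.inline_scripts,
    )


# Constructed sample page and allow-list; the hosts are placeholders, not efile.com's.
SAMPLE_PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/bootstrap.min.css">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<script src="//static.example.com/app.js"></script>
<script src="https://cdn-lookalike.example.net/popper.js"></script>
<iframe src="https://forms.example.com/contact"></iframe>
</body></html>"""
KNOWN_HOSTS = frozenset({"code.jquery.com", "www.googletagmanager.com"})

if __name__ == "__main__":
    report = analyse(SAMPLE_PAGE_URL, SAMPLE_HTML, KNOWN_HOSTS)
    print(f"{len(report.first_party)} first-party, {len(report.known_third_party)} known third-party, "
          f"{report.inline_scripts} inline script(s)")
    for r in report.unexpected:
        print(f"UNEXPECTED {r.tag:6} {r.host:28} {r.url}")
```

Resources injected at run time by JavaScript never appear in the static HTML, so this is a first filter only; a sandbox run such as the any.run analysis mentioned above is still needed to see what the page loads after its scripts execute.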





Analyzing the efile.com Malware "efail"

Published: 2023-04-04

Last Updated: 2023-04-04 13:28:51 UTC

by Johannes Ullrich (Version: 1)


Yesterday, I wrote about efile.com serving malicious fake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed.


Depending on the browser, you may have received one of two binaries: "update.exe" or "installer.exe". These binaries are quite different. I will focus on "update.exe" for two reasons: first, it was used for Chrome users, who are the vast majority compared to the other option, Firefox; secondly, "update.exe" is written in Python, making it much easier to analyze.


Read the complete entry: https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712/





Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains

Published: 2023-03-31

Last Updated: 2023-03-31 12:57:26 UTC

by Jan Kopriva (Version: 1)


In my last Diary, I briefly mentioned the need for a correctly set Content Security Policy and/or the obsolete X-Frame-Options HTTP security header, not least in order to prevent phishing pages, which overlay a fake login prompt over a legitimate website, from functioning correctly. Or, to be more specific, to prevent them from dynamically loading a legitimate page in an iframe under the fake login prompt, since being unable to do so makes such phishing websites look much less like a legitimate login page and thus much less effective.


Discussion of the aforementioned headers led me to the question of how common the use of these headers is and how they are commonly set, which is what we will take a short look at today.


Although data about general trends in the use of these headers may be found online, I wanted to go a little more in depth. I have therefore written a short Python script that goes through the current Tranco list of the one million most popular domains[5] and gathers data about which HTTP security-related headers are used on each one (provided the domain points to an HTTP server).


In total, the script gathered data about 21 different headers (e.g., X-XSS-Protection, Strict-Transport-Security, Cross-Origin-Resource-Policy, etc.) and their specific settings. Since results for the other headers might be interesting as well, I might write another diary discussing those once I’ve had more time to go over the data. For now, however, let us take a look at how common the use of the two headers that may be used to restrict embedding of a website in an iframe or other object is. Specifically, we will look at the use of the X-Frame-Options header and the use of CSP policies containing the frame-ancestors directive (since CSP doesn’t block the behavior we are interested in – the so-called “framing attacks” – without this directive in place, we will only consider CSP headers in which the directive is present).


Read the complete entry: https://isc.sans.edu/diary/Use+of+XFrameOptions+and+CSP+frameancestors+security+headers+on+1+million+most+popular+domains/29698/
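As an added example, not the diary's own survey script, here is the per-response decision such a survey has to make: which header, if any, actually stops cross-site framing. The rules are this example's reading of the HTML standard and CSP Level 3 (check them against the browsers you care about), and the SAMPLES table is constructed data with placeholder domains, not results from the Tranco scan.

```python
"""Decide whether a response's headers stop the page from being framed by a
third-party site, the way a header survey has to for each domain.

Rules encoded (HTML standard / CSP Level 3, as understood by the author of
this example; verify against your target browsers):
  * an enforced Content-Security-Policy that carries frame-ancestors is what
    browsers consult, and X-Frame-Options is then ignored;
  * Content-Security-Policy-Report-Only never blocks anything;
  * X-Frame-Options DENY or SAMEORIGIN blocks cross-site framing, while
    ALLOW-FROM is no longer honoured by current browsers and any unknown
    value is ignored, leaving the page frameable;
  * two different X-Frame-Options values on one response are scored here as
    a misconfiguration (unprotected), since browsers do not agree on them.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FramingVerdict:
    protected: bool   # True: an arbitrary third-party origin cannot frame the page
    mechanism: str    # "csp", "xfo" or "none"
    detail: str


# Source expressions that make frame-ancestors effectively open to any origin.
_OPEN_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def _values(headers: dict[str, str | list[str]], name: str) -> list[str]:
    """Case-insensitive lookup returning every value sent for one header name."""
    found: list[str] = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            found.extend(value if isinstance(value, list) else [value])
    return found


def frame_ancestors_sources(policy: str) -> list[str] | None:
    """Source list of the frame-ancestors directive, or None if the policy has
    no such directive (a CSP without it places no restriction on framing).
    An empty source list is equivalent to 'none'."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def classify(headers: dict[str, str | list[str]]) -> FramingVerdict:
    # 1. Enforced CSP with frame-ancestors. With several policies the most
    #    restrictive one wins, so one closed policy is enough to protect.
    found_csp = False
    for policy in _values(headers, "Content-Security-Policy"):
        sources = frame_ancestors_sources(policy)
        if sources is None:
            continue
        found_csp = True
        if not sources or sources == ["'none'"]:
            return FramingVerdict(True, "csp", "frame-ancestors 'none'")
        if not (set(sources) & _OPEN_SOURCES):
            return FramingVerdict(True, "csp", "frame-ancestors " + " ".join(sources))
    if found_csp:
        return FramingVerdict(False, "csp", "frame-ancestors allows any origin")

    # 2. Otherwise X-Frame-Options. Several headers or a comma-separated value
    #    are folded into the set of distinct values.
    raw = [v.strip().lower()
           for value in _values(headers, "X-Frame-Options")
           for v in value.split(",") if v.strip()]
    distinct = sorted(set(raw))
    if not distinct:
        return FramingVerdict(False, "none", "no frame-ancestors and no X-Frame-Options")
    if len(distinct) > 1:
        return FramingVerdict(False, "xfo", "conflicting values: " + ", ".join(distinct))
    value = distinct[0]
    if value in ("deny", "sameorigin"):
        return FramingVerdict(True, "xfo", value.upper())
    if value.startswith("allow-from"):
        return FramingVerdict(False, "xfo", "ALLOW-FROM is ignored by current browsers")
    return FramingVerdict(False, "xfo", f"unrecognised value {value!r} is ignored")


def survey(responses: dict[str, dict[str, str | list[str]]]) -> Counter[str]:
    """Tally, per mechanism, how many domains end up protected or open."""
    tally: Counter[str] = Counter()
    for headers in responses.values():
        verdict = classify(headers)
        tally[f"{verdict.mechanism}:{'protected' if verdict.protected else 'open'}"] += 1
    return tally


# Constructed sample responses (not real survey data), keyed by placeholder domains.
SAMPLES: dict[str, dict[str, str | list[str]]] = {
    "a.example": {"X-Frame-Options": "DENY"},
    "b.example": {"x-frame-options": "SAMEORIGIN"},
    "c.example": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    "d.example": {"Content-Security-Policy": "default-src 'self'"},                        # CSP without frame-ancestors
    "e.example": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},  # CSP wins: open
    "f.example": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "g.example": {"X-Frame-Options": "ALLOW-FROM https://old.example"},
    "h.example": {"X-Frame-Options": ["DENY", "SAMEORIGIN"]},                             # conflicting
    "i.example": {},
}

if __name__ == "__main__":
    for domain, headers in SAMPLES.items():
        v = classify(headers)
        print(f"{domain:10} {'protected' if v.protected else 'OPEN':9} via {v.mechanism:4} ({v.detail})")
    print(dict(survey(SAMPLES)))
```

The two cases worth noting for a survey are d.example and f.example: a CSP that never mentions frame-ancestors and a report-only policy both leave the page frameable, so counting "has a CSP header" would overstate protection, which is exactly why the diary restricts itself to policies containing the directive. e.example shows the precedence rule in the other direction: an open frame-ancestors makes the accompanying X-Frame-Options: DENY irrelevant.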

Internet Storm Center Entries





Exploration of DShield Cowrie Data with jq (2023.04.05)

https://isc.sans.edu/diary/Exploration+of+DShield+Cowrie+Data+with+jq/29714/


Tax Season Risks (2023.04.03)

https://isc.sans.edu/diary/Tax+Season+Risks/29706/


YARA v4.3.0 Release (2023.04.02)

https://isc.sans.edu/diary/YARA+v430+Release/29702/


Update: oledump & MSI Files (2023.04.02)

https://isc.sans.edu/diary/Update+oledump+MSI+Files/29700/


Using Linux grep and Windows findstr to Manipulate Files (2023.03.31)

https://isc.sans.edu/diary/Using+Linux+grep+and+Windows+findstr+to+Manipulate+Files/29696/


Bypassing PowerShell Strong Obfuscation (2023.03.30)

https://isc.sans.edu/diary/Bypassing+PowerShell+Strong+Obfuscation/29692/


Extracting Multiple Streams From OLE Files (2023.03.29)

https://isc.sans.edu/diary/Extracting+Multiple+Streams+From+OLE+Files/29688/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.


CVE-2022-47986 - IBM Aspera Faspex 4.4.1 has a YAML deserialization flaw allowing remote code execution via an obsolete API call.

Product: IBM Aspera Faspex

CVSS Score: 0

** KEV since 2023-02-21 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47986

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8432




CVE-2022-3686 - A vulnerability exists in an SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests; the SDM600 web services become busy, rendering the application unresponsive. This issue affects all SDM600 versions prior to version 1.2 FP3 HF4 (Build Nr. 1.2.23000.291).

Product: Hitachi Energy SDM600

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3686

NVD References: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000138&LanguageCode=en&DocumentPartId=&Action=Launch




CVE-2023-28326 - Apache OpenMeetings from 2.0.0 before 7.0.0 (vendor: The Apache Software Foundation): an attacker can elevate their privileges in any room.

Product: Apache OpenMeetings

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28326

NVD References: https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9




CVE-2023-27821 - Databasir v1.0.7 was discovered to contain a remote code execution (RCE) vulnerability via the mockDataScript parameter.

Product: Databasir 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27821

NVD References: 

- https://github.com/luelueking/Databasir-1.0.7-vuln-poc

- https://github.com/vran-dev/databasir/issues/269




CVE-2022-0194 - This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15876.

Product: Netatalk Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-0194

NVD References: 

- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

- https://www.zerodayinitiative.com/advisories/ZDI-22-530/




CVE-2022-23121 - This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15819.

Product: Netatalk Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23121

NVD References: 

- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

- https://www.zerodayinitiative.com/advisories/ZDI-22-527/




CVE-2022-23122 - This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837.

Product: Netatalk Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23122

NVD References: 

- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

- https://www.zerodayinitiative.com/advisories/ZDI-22-529/




CVE-2022-23123 - This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15830.

Product: Netatalk Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23123

NVD References: 

- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

- https://www.zerodayinitiative.com/advisories/ZDI-22-528/




CVE-2022-23124 - This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the get_finderinfo method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15870.

Product: Netatalk Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23124

NVD References: 

- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

- https://www.zerodayinitiative.com/advisories/ZDI-22-525/




CVE-2022-23125 - This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.

Product: Netatalk Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23125

NVD References: 

- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

- https://www.zerodayinitiative.com/advisories/ZDI-22-526/




CVE-2022-24673 - This vulnerability allows remote attackers to execute arbitrary code on affected installations of Canon imageCLASS MF644Cdw 10.02 printers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the SLP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15845.

Product: Canon D1620

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24673

NVD References: 

- https://www.usa.canon.com/support/canon-product-advisories/canon-laser-printer-inkjet-printer-and-small-office-multifunctional-printer-measure-against-buffer-overflow

- https://www.zerodayinitiative.com/advisories/ZDI-22-515/




CVE-2022-46387 - ConEmu through 220807 and Cmder before 1.3.21 report the title of the terminal, including control characters, which allows an attacker to change the title and then execute it as commands.

Product: Cmder Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46387

NVD References: 

- https://github.com/cmderdev/cmder/blob/master/CHANGELOG.md




CVE-2023-1674 - A vulnerability was found in SourceCodester School Registration and Fee System 1.0 and classified as critical. This issue affects some unknown processing of the file /bilal final/login.php of the component POST Parameter Handler. The manipulation of the argument username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224231.

Product: School Registration And Fee System Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1674

NVD References: 

- https://github.com/saintone98/bug_report/blob/main/vendors/hemedy99/School%20Registration%20and%20Fee%20System/SQLi-1.md

- https://vuldb.com/?ctiid.224231

- https://vuldb.com/?id.224231




CVE-2023-1675 - A vulnerability was found in SourceCodester School Registration and Fee System 1.0. It has been classified as critical. Affected is an unknown function of the file /bilal final/edit_stud.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224232.

Product: School Registration And Fee System Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1675

NVD References: 

- https://github.com/saintone98/bug_report/blob/main/vendors/hemedy99/School%20Registration%20and%20Fee%20System/SQLi-2.md

- https://vuldb.com/?ctiid.224232

- https://vuldb.com/?id.224232




CVE-2023-27394 - The Osprey Pump Controller version 1.01 is vulnerable to unauthenticated OS command injection.

Product: Osprey Pump Controller

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27394

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06




CVE-2023-27886 - Osprey Pump Controller version 1.01 allows unauthenticated OS command injection through the index.php script.

Product: Osprey Pump Controller

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27886

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06




CVE-2023-28398 - Osprey Pump Controller version 1.01 allows unauthorized access by an unauthenticated user creating an account and bypassing authentication.

Product: Osprey Pump Controller

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28398

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06




CVE-2023-28654 - Osprey Pump Controller version 1.01 has a hidden admin account with a hardcoded password, providing full access to the web management interface configuration.

Product: Osprey Pump Controller

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28654

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06




CVE-2023-27229 - TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the upBw parameter at /setting/setWanIeCfg.

Product: TOTOlink A7100Ru

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27229

NVD References: https://github.com/Am1ngl/ttt/tree/main/30




CVE-2023-27231 - TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the downBw parameter at /setting/setWanIeCfg.

Product: TOTOlink A7100Ru

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27231

NVD References: https://github.com/Am1ngl/ttt/tree/main/31




CVE-2023-27232 - TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wanStrategy parameter at /setting/setWanIeCfg.

Product: TOTOlink A7100Ru

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27232

NVD References: https://github.com/Am1ngl/ttt/tree/main/32




CVE-2023-1684 - A vulnerability was found in HadSky 7.7.16. It has been classified as problematic. This affects an unknown part of the file upload/index.php?c=app&a=superadmin:index. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-224241 was assigned to this vulnerability.

Product: HadSky 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1684

NVD References: 

- https://gitee.com/wkstestete/cve/blob/master/upload/HadSky.md

- https://vuldb.com/?ctiid.224241

- https://vuldb.com/?id.224241




CVE-2023-28731 - AnyMailing Joomla Plugin Enterprise below 8.3.0 allows unauthenticated remote code execution via unrestricted file upload.

Product: AnyMailing Joomla Plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28731

NVD References: 

- https://www.acymailing.com/change-log/

- https://www.bugbounty.ch/advisories/CVE-2023-28731




CVE-2023-25076 - SNIProxy is vulnerable to a buffer overflow that can be exploited by a specially crafted packet, leading to arbitrary code execution.

Product: SNIProxy

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25076

NVD References: 

- https://github.com/dlundquist/sniproxy/commit/f8d9a433fe22ab2fa15c00179048ab02ae23d583

- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1731




CVE-2023-26482 - Nextcloud server allows unauthorized users to execute remote code due to a missing scope validation.

Product: Nextcloud server

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26482

NVD References: 

- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h3c9-cmh8-7qpj

- https://github.com/nextcloud/server/commit/5a06b50b10cc9278bbe68bbf897a0c4aeb0c4e60




CVE-2023-1738 - A vulnerability has been found in SourceCodester Young Entrepreneur E-Negosyo System 1.0 and classified as critical. This vulnerability affects unknown code of the file index.php?q=product. The manipulation of the argument search leads to sql injection. The attack can be initiated remotely. VDB-224626 is the identifier assigned to this vulnerability.

Product: Young Entrepreneur E-Negosyo System Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1738

NVD References: 

- https://vuldb.com/?ctiid.224626

- https://vuldb.com/?id.224626




CVE-2023-1739 - A vulnerability was found in SourceCodester Simple and Beautiful Shopping Cart System 1.0 and classified as critical. This issue affects some unknown processing of the file upload.php. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224627.

Product: Simple And Beautiful Shopping Cart System Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1739

NVD References: 

- https://gitee.com/misak7in/cve/blob/master/simple%20and%20beautiful%20shopping%20cart%20system/simple%20and%20beautiful%20shopping%20cart%20system%20upload.php%20has%20a%20file%20upload%20vulnerability.pdf

- https://vuldb.com/?ctiid.224627

- https://vuldb.com/?id.224627




CVE-2023-1740 - A vulnerability was found in SourceCodester Air Cargo Management System 1.0. It has been classified as critical. Affected is an unknown function of the file admin/user/manage_user.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224628.

Product: Air Cargo Management System Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1740

NVD References: 

- https://github.com/west9b/bug_report/blob/main/SQLi-1.md

- https://vuldb.com/?ctiid.224628

- https://vuldb.com/?id.224628




CVE-2023-28727 - Panasonic AiSEG2 versions 2.00J through 2.93A allow adjacent attackers to bypass authentication due to mishandling of X-Forwarded-For headers.

Product: Panasonic AiSEG2

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28727

NVD References: https://www2.panasonic.biz/jp/densetsu/aiseg/firmup_info.html




CVE-2023-1770 - A vulnerability has been found in SourceCodester Grade Point Average GPA Calculator 1.0 and classified as critical. Affected by this vulnerability is the function get_scale of the file Master.php. The manipulation of the argument perc leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224671.

Product: Grade Point Average (GPA) Calculator Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1770

NVD References: 

- https://vuldb.com/?ctiid.224671

- https://vuldb.com/?id.224671




CVE-2023-0344 - Akuvox E11 uses a custom version of dropbear SSH server with an insecure option not present in the official version.

Product: Akuvox E11

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0344

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-01




CVE-2023-28843 - The PrestaShop paypal module from release 3.12.0 to 3.16.3 is vulnerable to SQL injection, allowing a remote attacker to gain privileges and modify data.

Product: PrestaShop paypal module

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28843

NVD References: 

- https://github.com/202ecommerce/paypal/commit/2f6884ea1d0fe4b58441699fcc1d6c56c7d733eb

- https://github.com/202ecommerce/paypal/security/advisories/GHSA-66pc-8gh8-mx7m




CVE-2023-1785 - A vulnerability was found in SourceCodester Earnings and Expense Tracker App 1.0. It has been classified as critical. Affected is an unknown function of the file manage_user.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-224700.

Product: Earnings And Expense Tracker App Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1785

NVD References: 

- https://github.com/web-zxl/img/blob/main/4.png

- https://vuldb.com/?ctiid.224700

- https://vuldb.com/?id.224700




CVE-2022-47190 - Generex UPS CS141 below 2.06 version allows a remote attacker to execute arbitrary code as root via uploading a webshell firmware file.

Product: Generex UPS CS141

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47190

NVD References: 

- https://www.generex.de/support/changelogs/cs141/2-12

- https://www.generex.de/support/changelogs/cs141/page:2

- https://www.incibe-cert.es/en/early-warning/ics-advisories/update-03032023-multiple-vulnerabilities-generex-ups-cs141




CVE-2022-42447 - HCL Compass is vulnerable to Cross-Origin Resource Sharing (CORS). This vulnerability can allow an unprivileged remote attacker to trick a legitimate user into accessing a special resource and executing a malicious request.

Product: HCL Compass

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42447

NVD References: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0103581




CVE-2023-26119 - Versions of the package net.sourceforge.htmlunit:htmlunit before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker's webpage.

Product: HtmlUnit

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26119

NVD References: 

- https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b

- https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500

- https://siebene.github.io/2022/12/30/HtmlUnit-RCE/




CVE-2023-1765 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akbim Computer Panon allows SQL Injection. This issue affects Panon: before 1.0.2.

Product: Akbim Computer Panon

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1765

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0193




CVE-2023-1728 - Unrestricted Upload of File with Dangerous Type vulnerability in Fernus Informatics LMS allows OS Command Injection and Server Side Include (SSI) Injection. This issue affects LMS: before 23.04.03.

Product: Fernus Informatics LMS

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1728

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0194




CVE-2023-1671 - A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

Product: Sophos Web Appliance

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1671

NVD References: https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce




CVE-2023-1748 - The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials, access the MQ Telemetry Transport (MQTT) server and remotely control garage doors or smart plugs for any customer.

Product: Nexx Smart Home devices

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1748

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01




CVE-2023-23413, CVE-2023-24867, CVE-2023-24907, CVE-2023-24909, CVE-2023-24876 - Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerabilities

Product: Microsoft PostScript and PCL6 Class Printer Driver

CVSS Score: 8.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23413

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23413

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24867

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24867

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24907

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24907

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24909

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24909

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24876

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24876