Internet Storm Center Spotlight



ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Some things never change - such as SQL Authentication "encryption"

Published: 2023-08-10

Last Updated: 2023-08-10 11:26:47 UTC

by Bojan Zdrnja (Version: 1)

Fat client applications running on (usually) Windows are still extremely common in enterprises. When I look at internal penetration tests or red team engagements for any larger enterprise, it is almost 100% guaranteed that one will stumble upon such an application.

These fat client applications were also usually written many years ago, when security was perhaps not one of the primary requirements. Whenever one encounters such an application, or if it is part of your penetration test, one of the primary goals is to analyze how it communicates with the rest of the world (or, usually, with other internal systems).

While the modern applications you might encounter will most of the time consume some web services (usually SOAP, although RESTful interfaces are being consumed more and more), "traditional" fat client applications will most of the time connect directly to a database (and since we are looking primarily at a Windows environment here, this will usually be a Microsoft SQL Server database). Such a setup will appear quite simple...

The first step in assessing such an application is usually to inspect its network traffic. In 99% of cases this is trivial with a tool such as Wireshark, which lets one not only identify the target MS SQL Server but also inspect the traffic on the wire. We will be looking for any traffic with destination TCP port 1433.

Again, due to the age of such applications, in almost every case I have worked on the data on the wire is sent in plain text, without any encryption. This is obviously very bad, as we could easily perform a MitM attack (see more below), but the TDS protocol does, luckily, encrypt one step: authentication.
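The "only authentication is encrypted" behaviour is negotiated in the clear at the start of every TDS connection, in the PRELOGIN exchange, so a defender auditing a capture on TCP/1433 can tell from the first two packets whether the rest of the session will be readable. The following is an added example, not code from the diary or from ISC: a small parser for the PRELOGIN option table (8-byte big-endian header; option tokens of type/offset/length terminated by 0xFF; ENCRYPTION values ENCRYPT_OFF/ON/NOT_SUP/REQ, as documented in MS-TDS) and a classifier that reports what the server's reply means. The packets it runs on are constructed in `build_prelogin` (the version bytes are an arbitrary sample value), the negotiation logic is simplified to "the server's answer decides", and it assumes classic, pre-TDS-8.0 negotiation in which PRELOGIN itself is unencrypted.

```python
import struct

# TDS packet type for PRELOGIN; the packet header is 8 bytes, big-endian (per MS-TDS).
TDS_PRELOGIN = 0x12
# PRELOGIN option tokens (only the two this example uses).
OPT_VERSION = 0x00
OPT_ENCRYPTION = 0x01
OPT_TERMINATOR = 0xFF
# Values of the ENCRYPTION option.
ENCRYPTION_NAMES = {
    0x00: "ENCRYPT_OFF",      # encrypt only the LOGIN7 packet
    0x01: "ENCRYPT_ON",       # encrypt the whole session
    0x02: "ENCRYPT_NOT_SUP",  # no encryption at all
    0x03: "ENCRYPT_REQ",      # server requires encryption
}


def build_prelogin(encryption: int, version: bytes = b"\x0b\x00\x0c\x01\x00\x00") -> bytes:
    """Build a minimal PRELOGIN packet carrying VERSION and ENCRYPTION options.

    Constructed for this example: real clients also send INSTOPT, THREADID and
    MARS options, and the version bytes here are an arbitrary sample value.
    """
    tokens = [(OPT_VERSION, version), (OPT_ENCRYPTION, bytes([encryption]))]
    offset = len(tokens) * 5 + 1          # option data starts right after the token table
    table, data = b"", b""
    for token, value in tokens:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    payload = table + bytes([OPT_TERMINATOR]) + data
    # Header: type, status (0x01 = end of message), total length, SPID, packet id, window.
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin(packet: bytes) -> dict:
    """Parse a PRELOGIN packet into {option token: option bytes}, validating every bound."""
    if len(packet) < 8:
        raise ValueError("short TDS header")
    ptype, _status, length, _spid, _pkt_id, _window = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_PRELOGIN:
        raise ValueError(f"not a PRELOGIN packet (type 0x{ptype:02x})")
    if length != len(packet):
        raise ValueError("TDS length field does not match packet size")
    payload = packet[8:]
    options, pos = {}, 0
    while True:
        if pos >= len(payload):
            raise ValueError("option table lacks a terminator")
        token = payload[pos]
        if token == OPT_TERMINATOR:
            break
        if pos + 5 > len(payload):
            raise ValueError("truncated option token")
        offset, olen = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if offset + olen > len(payload):
            raise ValueError("option data points outside the payload")
        options[token] = payload[offset:offset + olen]
        pos += 5
    return options


def encryption_setting(packet: bytes) -> str:
    """Return the symbolic ENCRYPTION value carried by a PRELOGIN packet."""
    enc = parse_prelogin(packet).get(OPT_ENCRYPTION)
    if enc is None or len(enc) != 1:
        return "UNKNOWN"
    return ENCRYPTION_NAMES.get(enc[0], f"UNKNOWN(0x{enc[0]:02x})")


def audit_prelogin_exchange(client_pkt: bytes, server_pkt: bytes) -> dict:
    """Classify what the negotiation means for the data that follows on the wire.

    Simplified from the MS-TDS negotiation table: the server's reply decides.
    ENCRYPT_OFF from the server is the legacy default the diary describes:
    only the login packet is protected and every query after it is plain text.
    """
    client = encryption_setting(client_pkt)
    server = encryption_setting(server_pkt)
    if server in ("ENCRYPT_ON", "ENCRYPT_REQ"):
        coverage = "full-session"
    elif server == "ENCRYPT_OFF":
        coverage = "login-only"
    elif server == "ENCRYPT_NOT_SUP":
        coverage = "none"
    else:
        coverage = "unknown"
    return {"client": client, "server": server, "coverage": coverage,
            "plaintext_queries": coverage in ("login-only", "none")}


if __name__ == "__main__":
    # Constructed sample: a legacy client and a default-configured server both say ENCRYPT_OFF,
    # versus a server configured to require encryption (ENCRYPT_REQ).
    print("legacy  :", audit_prelogin_exchange(build_prelogin(0x00), build_prelogin(0x00)))
    print("hardened:", audit_prelogin_exchange(build_prelogin(0x00), build_prelogin(0x03)))
```

In a real capture the two PRELOGIN packets are the first TDS payloads in each direction of a port-1433 stream (Wireshark decodes them as "TDS7 pre-login message"); feeding those payloads to `audit_prelogin_exchange` flags every legacy client whose queries will be readable, which is the inventory a defender needs before forcing encryption on the server side.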

Read the full entry:

https://isc.sans.edu/diary/Some+things+never+change+such+as+SQL+Authentication+encryption/30112/

A Gentle Reminder: The Evolving Nature of Digital Scams

Published: 2023-08-16

Last Updated: 2023-08-16 08:45:06 UTC

by Yee Ching Tok (Version: 1)

Considering the global turbulence from destabilizing events such as physical conflicts, freak weather and pandemics, financial wealth has never been more critical for a nation and its citizens so that daily life can continue. Money is needed for daily necessities such as food, medication, appropriate clothing and fuel. When faced with unexpected events such as retrenchment and newly detected health issues, citizens also have to tap the monetary buffer that should have been built up during less challenging times. Considering the current state of international affairs and employment prospects, one potential way to disrupt a nation's peace and stability could be stealing its citizens' monetary savings via financial scams and fraud.

Unlike conventional cyber-attacks such as phishing, where adversaries aim to harvest credentials to gain access to accounts, digital scams skip the harvesting of credentials and instead attempt to convince the victim to authenticate and part with their assets directly. A multitude of factors could cause this change. For example, end users have gotten savvier about phishing attacks and have stopped interacting with messages that try to masquerade as a well-known entity (e.g. shipping companies or social media sites). Applications could also have implemented additional security controls such as two-factor authentication (2FA), preventing adversaries from directly using credentials to authenticate with the target application. The main issue is that adversaries will employ whatever means work to wire away a victim's hard-earned money, and will keep doing so as long as these tactics remain successful.

Read the full entry:

https://isc.sans.edu/diary/A+Gentle+Reminder+The+Evolving+Nature+of+Digital+Scams/30130/

Internet Storm Center Entries


PDFiD: False Positives Revisited (2023.08.14)

https://isc.sans.edu/diary/PDFiD+False+Positives+Revisited/30122/



DShield Sensor Monitoring with a Docker ELK Stack [Guest Diary] (2023.08.12)

https://isc.sans.edu/diary/DShield+Sensor+Monitoring+with+a+Docker+ELK+Stack+Guest+Diary/30118/



Show me All Your Windows! (2023.08.11)

https://isc.sans.edu/diary/Show+me+All+Your+Windows/30116/

Recent CVEs




The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.



CVE-2023-38180 - .NET and Visual Studio Denial of Service Vulnerability

Product: Microsoft .Net

CVSS Score: 7.5

** KEV since 2023-08-09 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38180

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180




CVE-2023-21709 - Microsoft Exchange Server Elevation of Privilege Vulnerability

Product: Microsoft Exchange Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21709

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21709




CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 - Microsoft Message Queuing Remote Code Execution Vulnerabilities

Product: Microsoft Windows 10

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35385

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36910

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36911

MSFT Details: 

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35385

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36910

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36911




CVE-2023-37483 - SAP PowerDesigner version 16.7 allows unauthenticated attackers to run arbitrary queries against the back-end database via Proxy due to improper access control.

Product: Sap Powerdesigner

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37483

NVD References: 

- https://me.sap.com/notes/3341460

- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html




CVE-2023-37490 - The SAP Business Objects Installer (versions 420, 430) allows an authenticated attacker within the network to compromise the system by overwriting an executable file during installation, leading to complete confidentiality, integrity, and availability compromise.

Product: Sap Businessobjects Business Intelligence

CVSS Score: 9.0 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37490

NVD References: 

- https://me.sap.com/notes/3317710

- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html




CVE-2023-39439 - SAP Commerce Cloud allows unauthorized login without a passphrase by accepting an empty passphrase for user ID and passphrase authentication.

Product: Sap Commerce Cloud

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39439

NVD References: 

- https://me.sap.com/notes/3346500

- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html




CVE-2023-39976 - log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered.

Product: Clusterlabs Libqb

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39976

NVD References: 

- https://github.com/ClusterLabs/libqb/commit/1bbaa929b77113532785c408dd1b41cd0521ffc8

- https://github.com/ClusterLabs/libqb/compare/v2.0.7...v2.0.8

- https://github.com/ClusterLabs/libqb/pull/490




CVE-2023-3526 - PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT versions prior to 2.07.2 and CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 are vulnerable to unauthenticated remote code execution via reflective XSS in the license viewer page.

Product: Phoenixcontact Cloud Client 1101T-Tx

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3526

NVD References: 

- http://packetstormsecurity.com/files/174152/Phoenix-Contact-TC-Cloud-TC-Router-2.x-XSS-Memory-Consumption.html

- http://seclists.org/fulldisclosure/2023/Aug/12

- https://cert.vde.com/en/advisories/VDE-2023-017




CVE-2023-3572 - PHOENIX CONTACTs WP 6xxx series web panels prior to 4.0.10 allow remote attackers with low privileges to gain full access utilizing a specific HTTP POST request attribute for date/time operations.

Product: Phoenixcontact Pp 6070-Wvps

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3572

NVD References: https://cert.vde.com/en/advisories/VDE-2023-018/




CVE-2023-3898 - mAyaNet E-Commerce Software before 1.1 is vulnerable to SQL Injection.

Product: Mayanets E-Commerce

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3898

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0440




CVE-2022-40510 - Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder.

Product: Qualcomm Apq8009

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-40510

NVD References: https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin




CVE-2023-28561 - Memory corruption in QESL while processing payload from external ESL device to firmware.

Product: Qualcomm Qcn7606

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28561

NVD References: https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin




CVE-2023-37372 - RUGGEDCOM CROSSBOW (All versions < V5.4) is susceptible to SQL injection, permitting unauthenticated remote attackers to execute arbitrary SQL queries on the server database.

Product: Siemens Ruggedcom Crossbow

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37372

NVD References: https://cert-portal.siemens.com/productcert/pdf/ssa-472630.pdf




CVE-2023-3717 - Farmakom Remote Administration Console before 1.02 is vulnerable to SQL Injection.

Product: Farmakom Remote Administration Console

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3717

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0441




CVE-2023-37682 - Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-jms/deductScores.php.

Product: Judging Management System Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37682

NVD References: 

- https://github.com/rt122001/CVES/blob/main/CVE-2023-37682.txt

- https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html




CVE-2023-3716 - Oduyo Online Collection Software before 1.0.1 is vulnerable to SQL Injection.

Product: Oduyo Online Collection

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3716

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0442




CVE-2023-3651 - Digital Ant E-Commerce Software before 11 is vulnerable to SQL injection, enabling the injection of malicious SQL commands.

Product: Digital-Ant Digital Ant

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3651

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0443




CVE-2023-3386 - The a2 Camera Trap Tracking System before 3.1905 allows SQL Injection.

Product: A2Technology Camera Trap Tracking System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3386

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0444




CVE-2023-3522 - License Portal System before 1.48 is vulnerable to SQL injection allowing improper neutralization of special elements used in an SQL command.

Product: A2Technology License Portal System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3522

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0445




CVE-2023-39532 - SES is vulnerable to a confinement hole that allows guest programs to access the host's dynamic import, potentially leading to information exfiltration or execution of arbitrary code.

Product: Agoric SES

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39532

NVD References: 

- https://github.com/endojs/endo/commit/fc90c6429604dc79ce8e3355e236ccce2bada041

- https://github.com/endojs/endo/security/advisories/GHSA-9c4h-3f7h-322r




CVE-2023-36534 - Zoom Desktop Client for Windows before 5.14.7 allows unauthenticated users to escalate privileges via network access due to path traversal vulnerability.

Product: Zoom 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36534

NVD References: https://explore.zoom.us/en/trust/security/security-bulletin/




CVE-2023-39216 - Zoom Desktop Client for Windows before version 5.14.7 allows unauthenticated users to escalate privileges through network access due to improper input validation.

Product: Zoom 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39216

NVD References: https://explore.zoom.us/en/trust/security/security-bulletin/




CVE-2023-40041 - The TOTOLINK T10_v2 5.9c.5061_B20200511 router is vulnerable to a stack-based buffer overflow in setWiFiWpsConfig in /lib/cste_modules/wps.so, allowing attackers to control the return address and execute code via crafted data in an MQTT packet through the pin parameter.

Product: Totolink T10 V2

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40041

NVD References: https://github.com/Korey0sh1/IoT_vuln/blob/main/TOTOLINK/T10_V2/lib-cste_modules-wps.md




CVE-2023-40042 - TOTOLINK T10_v2 5.9c.5061_B20200511 is vulnerable to a stack-based buffer overflow, allowing attackers to control the return address and execute arbitrary code by sending crafted data via an MQTT packet's comment parameter in setStaticDhcpConfig function in /lib/cste_modules/lan.so.

Product: Totolink T10 V2

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40042

NVD References: 

- http://www.totolink.cn

- https://github.com/Korey0sh1/IoT_vuln/blob/main/TOTOLINK/T10_V2/setStaticDhcpConfig.md

- https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/172/ids/36.html




CVE-2023-39213 - The Zoom Desktop and VDI Clients before 5.15.2 allow unauthorized users to escalate privileges via network access.

Product: Zoom Virtual Desktop Infrastructure

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39213

NVD References: https://explore.zoom.us/en/trust/security/security-bulletin/




CVE-2023-26310 - There is a command injection problem in the old version of the mobile phone backup app.

Product: Oppo Coloros

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26310

NVD References: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1684402464721477632




CVE-2023-33934 - Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Server: through 9.2.1.

Product: Apache Traffic Server

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33934

NVD References: https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc




CVE-2023-3632 - Kunduz - Homework Helper App before 6.2.3 is vulnerable to Authentication Abuse and Bypass due to the use of a hard-coded cryptographic key.

Product: Kunduz 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3632

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0446




CVE-2023-34545 - CSZCMS 1.3.0 is vulnerable to SQL injection, enabling remote attackers to execute arbitrary SQL commands through the p parameter or the search URL.

Product: Cskaza Cszcms

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34545

NVD References: 

- https://gist.github.com/komomon/24d3ea391af6f067c044fa47cb6c20d8

- https://www.cszcms.com/




CVE-2023-39969 - uthenticode version 1.0.9 allows attackers to modify code within a binary without changing its Authenticode hash, making it appear valid.

Product: uthenticode

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39969

NVD References: 

- https://github.com/trailofbits/uthenticode/commit/8670b7bb9154d79c276483dcb7c9e9fd5e66455b

- https://github.com/trailofbits/uthenticode/pull/84

- https://github.com/trailofbits/uthenticode/security/advisories/GHSA-rc7g-99x7-4p9g




CVE-2023-38997 - OPNsense before 23.7 is vulnerable to directory traversal, enabling attackers to achieve root-level command execution by exploiting the Captive Portal template.

Product: OPNsense 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38997

NVD References: 

- https://github.com/opnsense/core/commit/448762d440b51574f1906c0ec2f5ea6dc4f16eb2

- https://logicaltrust.net/blog/2023/08/opnsense.html




CVE-2023-39001 - OPNsense before 23.7 is vulnerable to command injection, allowing attackers to execute arbitrary commands via a crafted backup configuration file.

Product: OPNsense 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39001

NVD References: 

- https://github.com/opnsense/core/commit/e800097d0c287bb665f0751a98a67c75ef7b45e5

- https://logicaltrust.net/blog/2023/08/opnsense.html




CVE-2023-39004 - OPNsense before 23.7 has insecure permissions in its configuration directory (/conf/) allowing access to sensitive information and potential privilege escalation.

Product: OPNsense 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39004

NVD References: 

- http://opnsense.com

- https://logicaltrust.net/blog/2023/08/opnsense.html




CVE-2023-39007 - /ui/cron/item/open in the Cron component of OPNsense before 23.7 allows XSS.

Product: OPNsense 

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39007

NVD References: 

- https://github.com/opnsense/core/commit/5edff49db1cd8b5078611e2f542d91c02af2b25c

- https://logicaltrust.net/blog/2023/08/opnsense.html




CVE-2023-39008 - A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense before 23.7 allows attackers to execute arbitrary system commands.

Product: OPNsense 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39008

NVD References: 

- https://github.com/opnsense/core/commit/e800097d0c287bb665f0751a98a67c75ef7b45e5

- https://logicaltrust.net/blog/2023/08/opnsense.html




CVE-2023-37068 - Code-Projects Gym Management System V1.0 is vulnerable to remote SQL Injection attacks through the login form, enabling unauthorized access and potential data manipulation.

Product: Sherlock Gym Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37068

NVD References: https://github.com/Mr-Secure-Code/My-CVE/blob/main/CVE-2023-37068-Exploit.md




CVE-2023-33241 - Crypto wallets implementing the GG18 or GG20 TSS protocol have a vulnerability that enables an attacker to extract a full ECDSA private key by injecting a malicious Paillier key and manipulating the range proof, potentially exfiltrating private key shares of other parties.

Product: Crypto wallets implementing the GG18 or GG20 TSS protocol (no vendor or product name is given in the NVD description)

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33241

NVD References: 

- https://eprint.iacr.org/2019/114.pdf

- https://eprint.iacr.org/2020/540.pdf

- https://github.com/fireblocks-labs/mpc-ecdsa-attacks-23

- https://github.com/fireblocks-labs/safeheron-gg20-exploit-poc

- https://www.fireblocks.com/blog/gg18-and-gg20-paillier-key-vulnerability-technical-report/




CVE-2023-33242 - Crypto wallets implementing the Lindell17 TSS protocol have a vulnerability that could enable an attacker to retrieve the entire ECDSA private key by exfiltrating a single bit in each signature attempt due to failure in handling aborts as assumed by the paper's security proof.

Product: Crypto wallets implementing the Lindell17 TSS protocol 

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33242

NVD References: 

- https://eprint.iacr.org/2017/552.pdf

- https://github.com/fireblocks-labs/mpc-ecdsa-attacks-23

- https://github.com/fireblocks-labs/zengo-lindell17-exploit-poc

- https://www.fireblocks.com/blog/lindell17-abort-vulnerability-technical-report/




CVE-2023-30699 - Libsimba library prior to SMR Aug-2023 Release 1 allows remote code execution due to an out-of-bounds write vulnerability in the parser_hvcC function.

Product: Samsung Android

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30699

NVD References: https://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=08




CVE-2023-26309 - A remote code execution vulnerability in the webview component of OnePlus Mall app.

Product: OnePlus Store

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26309

NVD References: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1689464826201645056




CVE-2023-26311 - A remote code execution vulnerability in the webview component of OPPO Store app.

Product: OPPO Store

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26311

NVD References: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1689584995217448960




CVE-2023-37069 - Code-Projects Online Hospital Management System V1.0 is vulnerable to SQL Injection (SQLI) attacks due to lack of input validation in the login id and password fields, allowing an attacker to manipulate the SQL queries.

Product: Online Hospital Management System Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37069

NVD References: 

- https://code-projects.org/online-hospital-management-system-in-php-with-source-code/

- https://github.com/Mr-Secure-Code/My-CVE/blob/main/CVE-2023-37069-Exploit.md




CVE-2023-39776 - PHPJabbers Ticket Support Script v3.2 is vulnerable to arbitrary code execution due to a file upload vulnerability.

Product: PHPJabbers Ticket Support Script

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39776

NVD References: 

- https://medium.com/@milfortutz/multiple-vulnerabilities-in-phpjabbers-part-2-4fa5e2ccfe2e

- https://www.phpjabbers.com/ticket-support-script




CVE-2023-36311 - There is a SQL injection (SQLi) vulnerability in the "column" parameter of index.php in PHPJabbers Document Creator v1.0.

Product: PHPJabbers Document Creator

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36311

NVD References: 

- https://medium.com/@milfortutz/multiple-vulnerabilities-in-phpjabbers-part-1-6703becb4cd4

- https://www.phpjabbers.com/document-creator




CVE-2023-32566 - Version 6.4.0 of the vulnerable product allows an attacker to execute a resource-based DoS attack or leak sensitive data.

Product: Ivanti Avalanche

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32566

NVD References: https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US




CVE-2023-32567 - Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.

Product: Ivanti Avalanche

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32567

NVD References: https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US




CVE-2023-32562 - Avalanche versions 6.3.x and below have an unrestricted file upload vulnerability, enabling attackers to execute remote code; fixed in version 6.4.1.

Product: Ivanti Avalanche

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32562

NVD References: https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US




CVE-2023-32563 - An unauthenticated attacker could achieve the code execution through a RemoteControl server.

Product: Ivanti Avalanche

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32563

NVD References: https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US




CVE-2023-32564 - Avalanche versions 6.4.1 and below have an unrestricted file upload vulnerability, enabling attackers to achieve remote code execution.

Product: Ivanti Avalanche

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32564

NVD References: https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US




CVE-2023-32565 - Version 6.4.0 of the vulnerable product allows an attacker to execute a resource-based DoS attack or leak sensitive data.

Product: Ivanti Avalanche

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32565

NVD References: https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US




CVE-2023-39805 - iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php.

Product: Idreamsoft iCMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39805

NVD References: 

- http://icms.com

- http://icmsdev.com

- https://gist.github.com/ChubbyZ/3ad434bd5fc2ab1242dd32500384cfb5




CVE-2023-39806 - iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the bakupdata function.

Product: Idreamsoft iCMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39806

NVD References: 

- http://icms.com

- http://icmsdev.com

- https://gist.github.com/ChubbyZ/27fa6f43699c9964ddfa701614fc4d5e




CVE-2023-40256 - Veritas NetBackup Snapshot Manager before 10.2.0.1 allows untrusted clients to interact with the RabbitMQ service, impacting the confidentiality and integrity of backup and restore jobs and potentially causing service unavailability.

Product: Veritas NetBackup Snapshot Manager

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40256

NVD References: https://www.veritas.com/content/support/en_US/security/VTS23-011




CVE-2023-3824 - PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 allow for a stack buffer overflow and potential RCE when reading PHAR directory entries while loading a phar file due to insufficient length checking.

Product: PHP

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3824

NVD References: 

- https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/




CVE-2023-3452 - The Canto plugin for WordPress is vulnerable to Remote File Inclusion and Local File Inclusion, allowing unauthenticated attackers to execute arbitrary code on the server.

Product: Canto WordPress

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3452

NVD References: 

- https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/tree.php?rev=2841358#L5

- https://plugins.trac.wordpress.org/changeset/2951888/canto/trunk/includes/lib/tree.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/a76077c6-700a-4d21-a930-b0d6455d959c?source=cve




CVE-2023-3259 - The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass, allowing a malicious agent to gain administrator privileges and perform unauthorized actions such as power manipulation, user account modification, and confidential user information extraction.

Product: Dataprobe iBoot PDU

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3259

NVD References: https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html




CVE-2023-3260 - Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to command injection, allowing authenticated malicious agents to execute arbitrary commands on the Linux OS.

Product: Dataprobe iBoot PDU

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3260

NVD References: https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html




CVE-2023-3261 - The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to a buffer overflow in the librta.so.0.0.0 library, potentially leading to denial of service or unexpected behavior in all interactions involving the targeted binary and web server login.

Product: Dataprobe iBoot PDU

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3261

NVD References: https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html




CVE-2023-3265 - CyberPower PowerPanel Enterprise allows an authentication bypass, enabling an attacker to login as an administrator with default credentials.

Product: CyberPower PowerPanel Enterprise

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3265

NVD References: https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html




CVE-2023-3266 - CyberPower PowerPanel Enterprise allows an unauthenticated attacker to bypass authentication checks by selecting LDAP authentication and logging in as an administrator with knowledge of at least one username on the device.

Product: CyberPower PowerPanel Enterprise

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3266

NVD References: https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html




CVE-2023-3267 - CyberPower PowerPanel Enterprise server allows authenticated users to execute arbitrary code with system-level access by passing OS commands through the username field when adding a remote backup location.

Product: CyberPower PowerPanel Enterprise

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3267

NVD References: https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html




CVE-2023-40020 - PrivateUploader open source image hosting server allows unauthorized users to continue processing requests without proper verification if they are an administrator or moderator, leading to potential updates/changes, addressed in version 3.2.49.

Product: PrivateUploader image hosting server

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40020

NVD References: 

- https://github.com/PrivateUploader/PrivateUploader/commit/869657d61e3c7a518177106fe63ea483082b0d3e

- https://github.com/PrivateUploader/PrivateUploader/security/advisories/GHSA-vhrw-2472-rrjx




The following vulnerability needs a manual review:


CVE-2023-32019 - Windows Kernel Information Disclosure Vulnerability

Product: Windows Kernel

CVSS Score: 4.7

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32019

NVD References: 

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32019

- https://packetstormsecurity.com/files/173310/Windows-Kernel-KTM-Registry-Transactions-Non-Atomic-Outcomes.html