homepage
Open menu
Contact Sales

@RISK

The Consensus Security Vulnerability Alert

August 24, 2023  |  Vol. 23, Num. 33

Internet Storm Center SpotlightInternet Storm Center EntriesRecent CVEs

Internet Storm Center Spotlight

INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

More Exotic Excel Files Dropping AgentTesla

Published: 2023-08-23

Last Updated: 2023-08-23 07:22:57 UTC

by Xavier Mertens (Version: 1)

Excel is an excellent target for attackers. The Microsoft Office suite is installed on millions of computers, and people trust these files. If we have the classic xls, xls, xlsm file extensions, Excel supports many others! Just check your local registry.

Attackers like to use more “exotic” extensions to increase chances of evading simple and stupid rules at mail gateways. This time, the extension used was “.xlam”. I spotted several emails (probably from the same campaign) that delivered .xlam files to potential victims.

An XLAM file is a macro-enabled add-in used to add new features to Excel. The icon looks like Excel and should make the user confident to open it...

Read the full entry:

https://isc.sans.edu/diary/More+Exotic+Excel+Files+Dropping+AgentTesla/30150/

SystemBC Malware Activity

Published: 2023-08-20

Last Updated: 2023-08-20 21:34:41 UTC

by Guy Bruneau (Version: 1)

This month, my DShield sensor captured for the first time this request: /systembc/password.php. I checked back for the past 6 months and only have noticed this request this 5 times this month from 4 different sources. According to some references, this is likely the SystemBC Remote Access Trojan (RAT), all 4 IPs are part of the Digital Ocean ASN and only one has been reported as likely malicious. Several samples have been reported to Any.run this month.

To verified if there was some kind of change, I reviewed DShield logs submission for the past year and noticed nothing really significant until the beginning of Jan 2023 looking for this directory. However, starting on the 3rd of Aug 2023, there a significant change in the daily report for this directory going from an average of 30 submission to 445 and overing in the hundred since then.

Read the full entry:

https://isc.sans.edu/diary/SystemBC+Malware+Activity/30138/

From a Zalando Phishing to a RAT

Published: 2023-08-18

Last Updated: 2023-08-18 06:11:34 UTC

by Xavier Mertens (Version: 1)

Phishing remains a lucrative threat. We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German retailer of shoes, fashion across Europe. It was the first time that I saw them used in a phishing campaign.

Read the full entry:

https://isc.sans.edu/diary/From+a+Zalando+Phishing+to+a+RAT/30136/

Internet Storm Center Entries

Have You Ever Heard of the Fernet Encryption Algorithm? (2023.08.22)

https://isc.sans.edu/diary/Have+You+Ever+Heard+of+the+Fernet+Encryption+Algorithm/30146/

Quick Malware Triage With Inotify Tools (2023.08.21)

https://isc.sans.edu/diary/Quick+Malware+Triage+With+Inotify+Tools/30142/

Command Line Parsing - Are These Really Unique Strings? (2023.08.17)

https://isc.sans.edu/diary/Command+Line+Parsing+Are+These+Really+Unique+Strings/30126/

Recent CVEs

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-38035 - Ivanti MobileIron Sentry versions 9.18.0 and below are vulnerable to an authentication bypass due to an insufficiently restrictive Apache HTTPD configuration in MICS Admin Portal.

Product: Ivanti MobileIron Sentry

CVSS Score: 0

** KEV since 2023-08-22 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38035

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8626

NVD References: https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface




CVE-2023-35082 - Ivanti EPMM 11.10 and older allow unauthorized users to access restricted functionality or resources without authentication.

Product: Ivanti Endpoint Manager Mobile

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35082

NVD References: https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US




CVE-2023-21709 - Microsoft Exchange Server Elevation of Privilege Vulnerability

Product: Microsoft Exchange Server

CVSS Score: 9.8 AtRiskScore 40

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21709




CVE-2023-38860 - An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.

Product: LangChain 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38860

NVD References: https://github.com/hwchase17/langchain/issues/7641




CVE-2023-38896 - Harrison Chase langchain v.0.0.194 and earlier versions allow remote attackers to execute arbitrary code through from_math_prompt and from_colored_object_prompt functions.

Product: LangChain 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38896

NVD References: 

- https://github.com/hwchase17/langchain/issues/5872

- https://github.com/hwchase17/langchain/pull/6003

- https://twitter.com/llm_sec/status/1668711587287375876




CVE-2023-39659 - Langchain-ai v.0.0.232 and before allows remote code execution through a crafted script in PythonAstREPLTool._run component.

Product: LangChain 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39659

NVD References: 

- https://github.com/langchain-ai/langchain/issues/7700

- https://github.com/langchain-ai/langchain/pull/5640




CVE-2023-38915 - File Upload vulnerability in Wolf-leo EasyAdmin8 v.1.0 allows a remote attacker to execute arbtirary code via the upload type function.

Product: Wolf18 EasyAdmin8

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38915

NVD References: https://github.com/wolf-leo/EasyAdmin8/issues/1




CVE-2023-39661 - An issue in pandas-ai v.0.9.1 and before allows a remote attacker to execute arbitrary code via the _is_jailbreak function.

Product: gabrieleventuri pandas-ai

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39661

NVD References: https://github.com/gventuri/pandas-ai/issues/410




CVE-2023-39662 - llama_index v.0.7.13 and earlier versions allow remote attackers to execute arbitrary code via the `exec` parameter in the PandasQueryEngine function.

Product: llama_index Project 

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39662

NVD References: https://github.com/jerryjliu/llama_index/issues/7054




CVE-2023-38861 - Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 is vulnerable to remote code execution through the username parameter of the adm.cgi set_sys_adm function. 

Product: Wavlink Wl-Wn575A3

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38861

NVD References: https://github.com/TTY-flag/my_iot_vul/tree/main/WAVLINK/WL-WN575A3




CVE-2023-38862 - COMFAST CF-XR11 v.2.7.2 is vulnerable to arbitrary code execution via the destination parameter of sub_431F64 function in bin/webmgnt.

Product: COMFAST CF-XR11

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38862

NVD References: https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject1




CVE-2023-38863 -  COMFAST CF-XR11 v.2.7.2 is vulnerable to arbitrary code execution through the ifname and mac parameters in the sub_410074 function at bin/webmgnt.

Product: COMFAST CF-XR11

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38863

NVD References: https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject4




CVE-2023-38865 - COMFAST CF-XR11 V2.7.2 is vulnerable to command injection at function sub_4143F0, enabling attackers to inject commands into parameter timestr via POST request messages to /usr/bin/webmgnt.

Product: COMFAST CF-XR11

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38865

NVD References: https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject5




CVE-2023-38864 - COMFAST CF-XR11 v.2.7.2 allows arbitrary code execution due to a vulnerability in the protal_delete_picname parameter in the sub_41171C function at bin/webmgnt.

Product: COMFAST CF-XR11

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38864

NVD References: https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject3




CVE-2023-38866 - COMFAST CF-XR11 V2.7.2 is vulnerable to command injection at function sub_415588, allowing attackers to execute arbitrary commands by exploiting the parameter interface and display_name in POST request messages sent to /usr/bin/webmgnt.

Product: COMFAST CF-XR11

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38866

NVD References: https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject2




CVE-2023-4323 - Broadcom RAID Controller web interface is vulnerable to improper session management of active sessions on Gateway setup

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4323

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4324 - Broadcom RAID Controller web interface is vulnerable due to insecure defaults of lacking HTTP Content-Security-Policy  headers

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4324

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4325 - Broadcom RAID Controller web interface is vulnerable due to usage of Libcurl with LSA has known vulnerabilities

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4325

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4329 - The Broadcom RAID Controller web interface lacks proper HTTP configuration, rendering it vulnerable by not securing the SESSIONID cookie with the SameSite attribute.

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4329

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4336 - The Broadcom RAID Controller web interface is vulnerable to cookie hijacking due to an insecure default of HTTP configuration.

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4336

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4337 - Broadcom RAID Controller web interface is vulnerable to improper session handling of managed servers on Gateway installation

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4337

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4338 - Broadcom RAID Controller web interface is vulnerable due to insecure default of HTTP configuration that does not provide X-Content-Type-Options Headers

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4338

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4340 - Broadcom RAID Controller is vulnerable to Privilege escalation by taking advantage of the Session prints in the log file

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4340

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4341 - Broadcom RAID Controller is vulnerable to Privilege escalation to root due to creation of insecure folders by Web GUI

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4341

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4342 - Broadcom RAID Controller web interface is vulnerable due to insecure defaults of lacking HTTP strict-transport-security  policy

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4342

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-4344 - Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection

Product: Broadcom Raid Controller Web Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4344

NVD References: https://www.broadcom.com/support/resources/product-security-center




CVE-2023-39852 - Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php.

Product: Doctor Appointment System Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39852

NVD References: 

- https://github.com/KLSEHB/vulnerability-report/blob/main/Doctormms_CVE-2023-39852

- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html




CVE-2023-39850 - Schoolmate v1.3 was discovered to contain multiple SQL injection vulnerabilities via the $courseid and $teacherid parameters at DeleteFunctions.php.

Product: Schoolmate Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39850

NVD References: 

- https://github.com/KLSEHB/vulnerability-report/blob/main/Schoolmate_CVE-2023-39850

- https://sourceforge.net/projects/schoolmate




CVE-2023-39851 - webchess v1.0 was discovered to contain a SQL injection vulnerability via the $playerID parameter at mainmenu.php.

Product: Webchess Project 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39851

NVD References: 

- https://github.com/KLSEHB/vulnerability-report/blob/main/webchess_CVE-2023-39851

- https://sourceforge.net/projects/webchess




CVE-2020-26037 - Even Balance Punkbuster version 1.902 before 1.905 allows remote attackers to execute arbitrary code through a directory traversal vulnerability in the server functionality.

Product: Even Balance Punkbuster

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-26037

NVD References: 

- http://even.com

- http://punkbuster.com

- https://medium.com/@prizmant/hacking-punkbuster-e22e6cf2f36e




CVE-2023-32493 - Dell PowerScale OneFS, 9.5.0.x, has a protection mechanism bypass vulnerability that could allow an unprivileged, remote attacker to cause denial of service, disclose information, and remotely execute code.

Product: Dell PowerScale OneFS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32493

NVD References: https://www.dell.com/support/kbdoc/en-us/000216717/dsa-2023-269-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities




CVE-2023-33663 - PrestaShop's ai-dev module "Customization fields fee for your store" (aicustomfee) is vulnerable to SQL injection up to 0.2.0, but the issue has been addressed in release 0.2.1. Product: Ai-Dev Aicustomfee

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33663

NVD References: 

- https://security.friendsofpresta.org/modules/2023/08/16/aicustomfee.html

- https://www.boutique.ai-dev.fr/en/customization/62-customization-fee.html




CVE-2023-39115 - install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.

Product: Campcodes Complete Online Matrimonial Website System Script

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39115

NVD References: 

- http://packetstormsecurity.com/files/173950/Campcodes-Online-Matrimonial-Website-System-3.3-Cross-Site-Scripting.html

- https://github.com/Raj789-sec/CVE-2023-39115

- https://www.campcodes.com/projects/php/online-matrimonial-website-system-script-in-php/

- https://www.exploit-db.com/exploits/51656




CVE-2023-39846 - An issue in Konga v0.14.9 allows attackers to bypass authentication via a crafted JWT token.

Product: Pantsel Konga

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39846

NVD References: https://abyssaler.github.io/post/konga%20Unauthorized%20access




CVE-2023-33238 - TN-4900 and TN-5900 Series firmware versions v1.2.4 and prior and v3.3 and prior are susceptible to command injection due to insufficient input validation in the certificate management function, enabling remote code execution by malicious actors.

Product: MOXA TN-5900

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33238

NVD References: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities




CVE-2023-33239 - The TN-4900 and TN-5900 series firmware versions v1.2.4 and prior and v3.3 and prior respectively are vulnerable to a command injection vulnerability due to insufficient input validation in the key-generation function, allowing remote code execution on affected devices.

Product: MOXA TN-5900

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33239

NVD References: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities




CVE-2023-34213 - The TN-5900 Series firmware versions v3.3 and prior suffer from a command-injection vulnerability, enabling remote code execution due to inadequate input validation and improper authentication in the key-generation function.

Product: MOXA TN-5900

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34213

NVD References: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities




CVE-2023-34214 - The TN-4900 and TN-5900 Series firmware versions v1.2.4 and prior and v3.3 and prior are vulnerable to command-injection, enabling remote code execution through insufficient input validation in the certificate-generation function.

Product: MOXA TN-5900

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34214

NVD References: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities




CVE-2023-2917 - The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability allowing unauthenticated remote attackers to upload arbitrary files and potentially achieve remote code execution.

Product: Rockwell Automation Thinmanager

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2917

NVD References: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140471




CVE-2023-37914 - XWiki Platform allows unauthorized users to execute arbitrary script macros, leading to remote code execution and unrestricted read and write access to all wiki contents.

Product: XWiki Platform

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37914

NVD References: 

- https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf

- https://jira.xwiki.org/browse/XWIKI-20421




CVE-2023-40171 - Dispatch, an open source security incident management tool, is vulnerable to an authentication bypass exploit that allows any account to be taken over within the user's own instance by using the JWT Secret Key included in the server response error message.

Product: Dispatch Plugin

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40171

NVD References: 

- https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70

- https://github.com/Netflix/dispatch/pull/3695

- https://github.com/Netflix/dispatch/releases/tag/latest

- https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7




CVE-2023-25914 - Due to improper restriction, attackers could retrieve and read system files of the underlying server through the XML interface.

Product: DANFOSS AK-SM800A

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25914

NVD References: 

- https://csirt.divd.nl/CVE-2023-25914

- https://csirt.divd.nl/DIVD-2023-00025




CVE-2023-25915 - Due to improper input validation, a remote attacker could execute arbitrary commands on the target system.

Product: DANFOSS AK-SM800A 

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25915

NVD References: 

- https://csirt.divd.nl/CVE-2023-25915

- https://csirt.divd.nl/DIVD-2023-00025




CVE-2023-4404 - The Donation Forms by Charitable plugin for WordPress up to version 1.7.0.12 allows unauthenticated attackers to escalate privileges and specify their own user role during registration.

Product: Donation Forms by Charitable plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4404

NVD References: 

- https://plugins.trac.wordpress.org/browser/charitable/tags/1.7.0.12/includes/users/class-charitable-user.php#L866

- https://www.wordfence.com/threat-intel/vulnerabilities/id/522ecc1c-5834-4325-9234-79cf712213f3?source=cve




CVE-2023-36787 - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Product: Microsoft Edge (Chromium-based)

CVSS Score: 8.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36787

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36787

      



CVE-2023-36898 - Tablet Windows User Interface Application Core Remote Code Execution Vulnerability

Product: Microsoft Tablet Windows User Interface Application Core

CVSS Score: 7.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36898

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36898




CVE-2023-32315 - Openfire XMPP server's administrative console is vulnerable to a path traversal attack, allowing unauthenticated users to access restricted pages reserved for administrators.

Product: Openfire

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32315

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8628