@RISK

@RISK: The Consensus Security Vulnerability Alert

August 8, 2024  |  Vol. 24, Num. 31

Internet Storm Center Spotlight



ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

A Survey of Scans for GeoServer Vulnerabilities

Published: 2024-08-06.

Last Updated: 2024-08-06 14:20:15 UTC

by Johannes Ullrich (Version: 1)

A little bit over a year ago, I wrote about scans for GeoServer. GeoServer is a platform to process geographic data. It makes it easy to share geospatial data in various common standard formats. Recently, new vulnerabilities were discovered in GeoServer, prompting me to look again at what our honeypots pick up.

Let's first look at the "big picture": How many scans did we see? The total number of requests for URLs starting with "/geoserver" was 211,143 since the beginning of the year ...

Interest in GeoServer started in 2023. It ceased after August but then came back early this year. After the latest SQL exploit was discovered (July 5th), scans for GeoServer surged.

When I wrote about the GeoServer scans last year, a reader noted that Shadowserver had just started scanning for GeoServer. Indeed, most of the time, all GeoServer scans on particular days can be attributed to researchers. In addition to Shadowserver, Internet Census (associated with BitSight) is scanning for GeoServer instances. Personally, I think this is a good thing. Shadowserver will notify ISPs who host insecure instances, and they will find them before the bad guys.

Read the full entry:

https://isc.sans.edu/diary/A+Survey+of+Scans+for+GeoServer+Vulnerabilities/31148/

OOXML Spreadsheets Protected By Verifier Hashes

Published: 2024-08-03.

Last Updated: 2024-08-04 07:23:41 UTC

by Didier Stevens (Version: 1)

When I wrote about the internal file format of protected spreadsheets, I mentioned a simple 16-bit hash for .xls files in diary entry "16-bit Hash Collisions in .xls Spreadsheets" and a complex hash based on SHA256 for .xlsx files in diary entry "Protected OOXML Spreadsheets".

But what happens if you open a protected spreadsheet in OLE format (.xls) and save it in OOXML format (.xlsx)?

In that exceptional case, the XML protection elements in the OOXML file will store the 16-bit hash taken from the OLE file ...
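Worked example, added here and not part of Didier's diary: the 16-bit verifier below is the legacy sheet-protection verifier defined in MS-XLS/MS-OFFCRYPTO (the same computation openpyxl implements), and the two worksheet parts are constructed to show the difference between a converted file, whose `<sheetProtection>` carries that old verifier in the `password` attribute, and a natively protected OOXML sheet that carries an algorithm name, salt and spin count instead. The hash and salt values in the native sample are dummies.

```python
"""Added example (not from the diary): compute the 16-bit sheet-protection
verifier that .xls files store, and report which scheme an OOXML worksheet's
<sheetProtection> element uses.  The XML snippets below are constructed."""
import xml.etree.ElementTree as ET

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def legacy_verifier(password: str) -> str:
    """16-bit password verifier from MS-XLS / MS-OFFCRYPTO (legacy .xls sheet protection).

    Each character is shifted by its 1-based position into a 15-bit register
    (bits pushed off the top wrap around), the results are XORed together, then
    the password length and the constant 0xCE4B are XORed in.  Excel limits the
    scheme to 15 characters; only 65536 values exist, so collisions are cheap.
    """
    if len(password) > 15:
        raise ValueError("legacy verifier is defined for at most 15 characters")
    h = 0
    for pos, ch in enumerate(password, start=1):
        v = ord(ch) << pos
        h ^= (v & 0x7FFF) | (v >> 15)
    h ^= len(password)
    h ^= 0xCE4B
    return f"{h:04X}"


def verifier_matches(password: str, stored: str) -> bool:
    """What Excel checks on unprotect: the candidate's verifier equals the stored one."""
    return legacy_verifier(password) == stored.upper()


def classify_sheet_protection(sheet_xml: str) -> dict:
    """Report which protection scheme a worksheet part uses.

    A `password` attribute holds the legacy 16-bit verifier (what a converted
    .xls carries); `algorithmName`/`hashValue`/`saltValue`/`spinCount` is the
    salted, iterated hash written for protection applied natively in OOXML.
    """
    root = ET.fromstring(sheet_xml)
    prot = root.find(f"{{{SML_NS}}}sheetProtection")
    if prot is None:
        return {"scheme": "none"}
    if "password" in prot.attrib:
        return {"scheme": "legacy-16bit", "verifier": prot.attrib["password"].upper()}
    if "hashValue" in prot.attrib:
        return {"scheme": "salted-hash",
                "algorithm": prot.attrib.get("algorithmName"),
                "spin_count": int(prot.attrib.get("spinCount", "0"))}
    return {"scheme": "unknown"}


# Constructed worksheet parts: the first mimics an .xls re-saved as .xlsx,
# the second a sheet protected natively in OOXML (hash/salt values are dummies).
CONVERTED_SHEET_XML = (
    f'<worksheet xmlns="{SML_NS}"><sheetData/>'
    '<sheetProtection password="DAA7" sheet="1" objects="1" scenarios="1"/>'
    '</worksheet>'
)
NATIVE_SHEET_XML = (
    f'<worksheet xmlns="{SML_NS}"><sheetData/>'
    '<sheetProtection algorithmName="SHA-256" hashValue="AAAA" saltValue="BBBB" '
    'spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
    '</worksheet>'
)

if __name__ == "__main__":
    print(legacy_verifier("secret"))  # DAA7
    for label, xml in (("converted", CONVERTED_SHEET_XML), ("native", NATIVE_SHEET_XML)):
        print(label, classify_sheet_protection(xml))
```

To audit a workbook, unzip the .xlsx and run `classify_sheet_protection` over each `xl/worksheets/sheetN.xml` part: a `legacy-16bit` result means the sheet is held by a value with only 65536 possibilities, and finding it in a file that was supposedly protected in Excel 2007 or later is the fingerprint of the .xls-to-.xlsx conversion described above.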

Read the full entry:

https://isc.sans.edu/diary/OOXML+Spreadsheets+Protected+By+Verifier+Hashes/31072/

Even Linux users should take a look at this Microsoft KB article.

Published: 2024-08-02.

Last Updated: 2024-08-02 20:07:36 UTC

by Johannes Ullrich (Version: 1)

Secure boot has been a standard feature since at least Windows 8. As the name implies, the feature protects the boot process. The integrity of the boot process is ensured by digitally signing any software ("firmware") used during the boot process. As with any digital signature, this process requires the use of certificates to verify the validity of the signatures.

One issue with Secure Boot has been that not all boot loaders are necessarily properly signed, even if they are not malicious. In particular, open-source operating systems like Linux initially had problems with Secure Boot support. However, this has mostly been mitigated, with major distributions like Ubuntu and Red Hat (among others) supporting Secure Boot.

However, as always, when certificates are involved, there is the possibility of certificates expiring. Microsoft currently relies on certificates known as "Windows Production CA 2011". There are two of them, and as the name implies, they were first used around 2011. Windows 8 was released in 2012. Let's look at one of the two certificates ...
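The practical check behind this diary is to see which signing certificates your own firmware trusts and when they expire. The script below is an added example, not from the diary or from Microsoft: it parses the Secure Boot `db` variable in the raw EFI_SIGNATURE_LIST format from the UEFI specification and walks just enough DER to read each certificate's subject CN and validity window, with no third-party library and no signature verification. It assumes the Linux efivarfs path shown (the `db` variable under EFI_IMAGE_SECURITY_DATABASE_GUID, whose file carries four attribute bytes before the data); the certificates in `SAMPLE_DB` are constructed placeholders, not Microsoft's real CAs.

```python
"""Added example, not from the diary or Microsoft: list the X.509 certificates in the
UEFI Secure Boot signature database (db) with their expiry dates, by parsing the raw
EFI_SIGNATURE_LIST chain with a minimal DER walk.  SAMPLE_DB below is constructed."""
import struct
import uuid
from datetime import datetime, timezone

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# db variable on Linux efivarfs; the file carries 4 attribute bytes before the variable data.
DB_EFIVAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3ac3-4d0b-a1d5-4b6f47d5f6c1"
CN_OID = bytes.fromhex("550403")                 # id-at-commonName
NOW = datetime(2024, 8, 8, tzinfo=timezone.utc)  # newsletter date, used for the sample run

def _tlv(buf, off):
    """One DER tag-length-value at `off` -> (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _common_name(name):
    """CN from the contents of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    off = 0
    while off < len(name):
        _, rdn, off = _tlv(name, off)
        _, atv, _ = _tlv(rdn, 0)
        _, oid, val_off = _tlv(atv, 0)
        if oid == CN_OID:
            return _tlv(atv, val_off)[1].decode("utf-8", "replace")
    return "(no CN)"

def _time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                              # RFC 5280 two-digit year rule
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_summary(der):
    """Subject CN and validity window of a DER certificate (structure only, no signature check)."""
    _, cert, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _tlv(cert, 0)
    tag, _, off = _tlv(tbs, 0)                   # optional [0] EXPLICIT version comes first
    if tag != 0xA0:
        off = 0
    for _ in range(3):                           # skip serialNumber, signature, issuer
        _, _, off = _tlv(tbs, off)
    _, validity, off = _tlv(tbs, off)
    _, subject, _ = _tlv(tbs, off)
    nb_tag, nb, v_off = _tlv(validity, 0)
    na_tag, na, _ = _tlv(validity, v_off)
    return {"subject": _common_name(subject), "not_before": _time(nb_tag, nb),
            "not_after": _time(na_tag, na)}

def parse_signature_lists(blob):
    """Yield (SignatureType, SignatureOwner, SignatureData) over a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16:
            raise ValueError("corrupt EFI_SIGNATURE_LIST header")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:             # EFI_SIGNATURE_DATA = owner GUID + data
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def db_certificates(blob, now=NOW):
    """Every X.509 entry in the database with the days left until its notAfter."""
    out = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:       # hash entries (EFI_CERT_SHA256_GUID etc.) skipped
            info = cert_summary(data)
            info.update(owner=str(owner), days_left=(info["not_after"] - now).days)
            out.append(info)
    return out

# Constructed sample database (placeholder certificates, not Microsoft's real CAs).
def _der(tag, payload):
    """Tiny DER encoder used only to build the sample."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _fake_cert(cn, not_before, not_after):
    """Unsigned certificate skeleton containing just the fields cert_summary() reads."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + validity + name + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

def _sig_list(der, owner):
    data = owner.bytes_le + der
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(data), 0, len(data)) + data

OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")  # placeholder SignatureOwner GUID
SAMPLE_DB = (_sig_list(_fake_cert("Example Production CA 2011 (constructed)", "111019000000Z", "260101000000Z"), OWNER)
             + _sig_list(_fake_cert("Example Expired CA (constructed)", "140101000000Z", "240701000000Z"), OWNER))
```

On a Linux machine, `db_certificates(open(DB_EFIVAR_PATH, "rb").read()[4:], datetime.now(timezone.utc))` lists the real database; on Windows the same bytes come from `(Get-SecureBootUEFI -Name db).Bytes`, with no attribute prefix to strip. A negative `days_left` for a CA that still signs your boot loader, or the absence of the newer certificate the KB article tells you to add, is the condition to look for.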

Read the full entry:

https://isc.sans.edu/diary/Even+Linux+users+should+take+a+look+at+this+Microsoft+KB+article/31140/

Internet Storm Center Entries


Same Scripts, Different Day: What My DShield Honeypot Taught Me About the Importance of Security Fundamentals [Guest Diary] (2024.08.07)

https://isc.sans.edu/diary/Same+Scripts+Different+Day+What+My+DShield+Honeypot+Taught+Me+About+the+Importance+of+Security+Fundamentals+Guest+Diary/31150/

Script obfuscation using multiple instances of the same function (2024.08.05)

https://isc.sans.edu/diary/Script+obfuscation+using+multiple+instances+of+the+same+function/31144/

Tracking Proxy Scans with IPv4.Games (2024.08.01)

https://isc.sans.edu/diary/Tracking+Proxy+Scans+with+IPv4Games/31136/

Increased Activity Against Apache OFBiz CVE-2024-32113 (2024.07.31)

https://isc.sans.edu/diary/Increased+Activity+Against+Apache+OFBiz+CVE202432113/31132/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-36401 - GeoServer allows Remote Code Execution by unauthenticated users prior to versions 2.23.6, 2.24.4, and 2.25.2 due to unsafely evaluating property names as XPath expressions.

Product: Open Geospatial Consortium GeoServer

CVSS Score: 0

** KEV since 2024-07-15 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36401

ISC Diary: https://isc.sans.edu/diary/31148

CVE-2024-37085 - VMware ESXi is vulnerable to an authentication bypass, allowing a malicious actor with AD permissions to gain full access to a previously configured host by recreating a deleted AD group.

Product: VMware ESXi

CVSS Score: 0

** KEV since 2024-07-30 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37085

ISC Podcast: https://isc.sans.edu/podcastdetail/9076

CVE-2024-6366 - The User Profile Builder WordPress plugin before 3.11.8 allows unauthenticated users to upload media files.

Product: WordPress User Profile Builder

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6366

NVD References: https://wpscan.com/vulnerability/5b90cbdd-52cc-4e7b-bf39-bea0dd59e19e/

CVE-2024-37906 - Admidio before version 4.3.9 is vulnerable to SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file, allowing compromise of the application's database through the `ecard_recipients` POST parameter.

Product: Admidio Application

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37906

NVD References:

- https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248

- https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3

CVE-2024-38529 - Admidio is vulnerable to Remote Code Execution due to lack of file extension verification in the Message module, allowing malicious PHP files to be uploaded and accessed publicly.

Product: Admidio Application

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38529

NVD References:

- https://github.com/Admidio/admidio/commit/3b1cc1cda05747edebe15f2825b79bc5a673d94c

- https://github.com/Admidio/admidio/security/advisories/GHSA-g872-jwwr-vggm

CVE-2024-28805 - An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control.

Product: Italtel i-MCS NFV

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28805

NVD References: https://www.gruppotim.it/it/footer/red-team.html

CVE-2024-37858 - Lost and Found Information System 1.0 is vulnerable to SQL Injection, allowing a remote attacker to escalate privileges through the id parameter.

Product: Lost and Found Information System 1.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37858

NVD References:

- http://lost.com

- https://packetstormsecurity.com/files/179079/Lost-And-Found-Information-System-1.0-SQL-Injection.html

- https://www.sourcecodester.com/

CVE-2024-40782 - iOS, iPadOS, Safari, watchOS, tvOS, visionOS, and macOS Sonoma versions 16.7.9, 17.6, 10.6, and 14.6 were vulnerable to a use-after-free issue, possibly leading to a process crash when processing malicious web content.

Product: Apple Safari

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40782

NVD References:

- https://support.apple.com/en-us/HT214116

- https://support.apple.com/en-us/HT214117

- https://support.apple.com/en-us/HT214119

- https://support.apple.com/en-us/HT214121

- https://support.apple.com/en-us/HT214122

- https://support.apple.com/en-us/HT214123

- https://support.apple.com/en-us/HT214124

CVE-2024-5765 - The WpStickyBar WordPress plugin is vulnerable to SQL injection due to inadequate sanitization of user input in AJAX actions accessible to unauthenticated users.

Product: WpStickyBar WordPress plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5765

NVD References: https://wpscan.com/vulnerability/0b73f84c-611e-4681-b362-35e721478ba4/

CVE-2024-5975 - The CZ Loan Management WordPress plugin is vulnerable to SQL injection through an AJAX action allowing unauthenticated users to exploit unescaped parameters in SQL statements.

Product: CodeZero Loan Management WordPress plugin

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5975

NVD References: https://wpscan.com/vulnerability/68f81943-b007-49c8-be9c-d0405b2ba4cf/

CVE-2023-48396 - Apache SeaTunnel is vulnerable to an authentication flaw where an attacker can use a hardcoded JWT key to forge tokens and gain unauthorized access to user accounts.

Product: Apache SeaTunnel

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48396

NVD References:

- http://www.openwall.com/lists/oss-security/2024/07/30/1

- https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw

CVE-2024-41702 - SiberianCMS - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product: SiberianCMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41702

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2024-38909 - Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control, enabling attackers to copy unauthorized files between directories and potentially perform remote code execution.

Product: Studio 42 elFinder

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38909

NVD References:

- http://elfinder.com

- https://github.com/B0D0B0P0T/CVE/blob/main/CVE-2024-38909

CVE-2024-36572 - Allpro form-manager 0.7.4 is vulnerable to prototype pollution, enabling attackers to execute arbitrary code and induce other risks through setDefaults, mergeBranch, and Object.setObjectValue functions.

Product: Allpro form-manager

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36572

NVD References:

- https://gist.github.com/mestrtee/1771ab4fba733ca898b6e2463dc6ed19

- https://github.com/allpro/form-manager/issues/1

CVE-2024-38984 - lukebond json-override 0.2.0 is vulnerable to Prototype Pollution, allowing attackers to execute arbitrary code or cause a DoS via the __proto__ property.

Product: lukebond json-override

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38984

NVD References: https://gist.github.com/mestrtee/97a9a7d73fc8b38fcf01322239dd5fb1

CVE-2024-38986 - 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a DoS via lodash merge methods.

Product: Lodash 75lb deep-merge

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38986

NVD References: https://gist.github.com/mestrtee/b20c3aee8bea16e1863933778da6e4cb

CVE-2024-39010 - chase-moskal snapstate v0.0.9 is vulnerable to prototype pollution, potentially enabling attackers to execute unauthorized code or trigger a denial of service.

Product: chase-moskal snapstate

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39010

NVD References: https://gist.github.com/mestrtee/af7a746df91ab5e944bd7a186816c262

CVE-2024-39011 - chargeover redoc v2.0.9-rc.69 is vulnerable to Prototype Pollution, allowing attackers to execute arbitrary code or cause a DoS via the mergeObjects function.

Product: chargeover redoc

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39011

NVD References: https://gist.github.com/mestrtee/693ef1c8b0a5ff1ae19f253381711f3e

CVE-2024-41610 - D-Link DIR-820LW REVB FIRMWARE PATCH 2.03.B01_TC allows attackers to remotely access the Telnet service with hardcoded credentials.

Product: D-Link DIR-820LW

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41610

NVD References:

- https://github.com/Nop3z/CVE/blob/main/dlink/dir-820/Dlink-820LW-hardcoded-vulnerability.md

- https://www.dlink.com/en/security-bulletin/

CVE-2024-41611 - D-Link DIR-860L REVA FIRMWARE PATCH 1.10..B04 is vulnerable to remote attacks due to hardcoded Telnet service credentials.

Product: D-Link DIR-860L

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41611

NVD References:

- https://github.com/Nop3z/CVE/blob/main/dlink/dir-820/Dlink-860L-hardcoded-vulnerability.md

- https://www.dlink.com/en/security-bulletin/

CVE-2024-38983 - alykoshin mini-deep-assign v0.0.8 is vulnerable to Prototype Pollution, allowing an attacker to execute arbitrary code or cause a DoS via the _assign() method in /lib/index.js.

Product: alykoshin mini-deep-assign

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38983

NVD References: https://gist.github.com/mestrtee/f82d0c3a8fe3a125f06425caef5d22ed

CVE-2024-6695 - User registration on the targeted site can allow an attacker to gain administrative access without a valid account.

Product: WordPress software (vendor: WordPress)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6695

NVD References: https://wpscan.com/vulnerability/4afa5c85-ce27-4ca7-bba2-61fb39c53a5b/

CVE-2024-37901 - XWiki Platform is vulnerable to arbitrary remote code execution via user profile or page edits, compromising the confidentiality, integrity, and availability of the installation until patched in versions 14.10.21, 15.5.5, and 15.10.2.

Product: XWiki XWiki Platform

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37901

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b

- https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e

- https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4

- https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5

- https://jira.xwiki.org/browse/XWIKI-21473

CVE-2024-41947 - XWiki Platform allows for the execution of malicious JavaScript snippets on other users' pages, compromising the system's security.

Product: XWiki Platform

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41947

NVD References:

- https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f

- https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x

- https://jira.xwiki.org/browse/XWIKI-21626

CVE-2024-41660 - slpd-lite is a vulnerable unicast SLP UDP server in OpenBMC systems that allows nefarious users to cause memory overflow issues by sending SLP packets to BMC using UDP port 427.

Product: OpenBMC slpd-lite

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41660

NVD References: https://github.com/openbmc/slpd-lite/security/advisories/GHSA-wmgv-jffg-v3xr

CVE-2024-38182 - Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.

Product: Microsoft Dynamics 365

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38182

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38182

CVE-2024-7332 - TOTOLINK CP450 is vulnerable to a critical exploit allowing for remote initiation with a hard-coded password in the Telnet Service component at /web_cste/cgi-bin/product.ini.

Product: TOTOLINK CP450

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7332

NVD References:

- https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/CP450/product.md

- https://vuldb.com/?ctiid.273255

- https://vuldb.com/?id.273255

- https://vuldb.com/?submit.378357

CVE-2024-41961 - Elektra, an opinionated OpenStack Dashboard, contained a code injection vulnerability in its live search functionality allowing authenticated users to execute Ruby code via crafted search terms.

Product: Elektra

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41961

NVD References:

- https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d

- https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02

- https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q

CVE-2024-38770 - Backup and Staging by WP Time Capsule allows Privilege Escalation and Authentication Bypass from n/a through 1.22.20.

Product: Backup and Staging by WP Time Capsule

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38770

NVD References: https://patchstack.com/database/vulnerability/wp-time-capsule/wordpress-backup-and-staging-by-wp-time-capsule-plugin-1-22-20-authentication-bypass-and-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-39619 - ListingPro is vulnerable to an improper limitation of a pathname, allowing PHP Local File Inclusion attacks from n/a through 2.9.3.

Product: CridioStudio ListingPro

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39619

NVD References: https://patchstack.com/database/vulnerability/listingpro-plugin/wordpress-listingpro-plugin-2-9-3-unauthenticated-local-file-inclusion-vulnerability?_s_id=cve

CVE-2024-41259 - Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.

Product: Gravatar Navidrome

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41259

NVD References: https://gist.github.com/nyxfqq/d192af10b53a363e2d9e430068333e04

CVE-2024-7314 - Anji-plus AJ-Report is vulnerable to authentication bypass, allowing remote attackers to execute arbitrary Java code by appending ";swagger-ui" to HTTP requests.

Product: anji-plus AJ-Report

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7314

NVD References:

- https://gitee.com/anji-plus/report/pulls/166/files

- https://github.com/vulhub/vulhub/tree/master/aj-report/CNVD-2024-15077

- https://github.com/yuebusao/AJ-REPORT-EXPLOIT

- https://vulncheck.com/advisories/aj-report-swagger

- https://xz.aliyun.com/t/14460

CVE-2024-38882 - Horizon Business Services Inc. Caterease versions 16.0.1.1663 through 24.0.1.2405 are vulnerable to remote command line execution through SQL Injection.

Product: Horizon Business Services Inc. Caterease

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38882

NVD References:

- http://caterease.com

- http://horizon.com

- https://vuldb.com/?id.273366

CVE-2024-38883 - Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and potentially later versions are vulnerable to a Drop Encryption Level attack, allowing remote attackers to exploit a less secure algorithm during negotiation.

Product: Horizon Business Services Inc. Caterease

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38883

NVD References:

- http://caterease.com

- http://horizon.com

- https://vuldb.com/?id.273367

CVE-2024-42348 - FOG Server 1.5.10.41.2 can leak AD username and password when registering a computer, fixed in versions 1.5.10.41.3 and 1.6.0-beta.1395.

Product: FOG Project FOG Server

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42348

NVD References: https://github.com/FOGProject/fogproject/security/advisories/GHSA-456c-4gw3-c9xw

CVE-2024-7257 - YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code on the affected site's server.

Product: YayThemes WooCommerce Extra Product Options

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7257

NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/753a4f7a-7bd4-43a4-b8fb-9e982239ba0e?source=cve

CVE-2024-6915 - JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, and 7.55.18 are vulnerable to Improper Input Validation, posing a risk of cache poisoning.

Product: JFrog Artifactory

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6915

NVD References: https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories

CVE-2024-6782 - Improper access control in Calibre 6.9.0 ~ 7.14.0 allows unauthenticated attackers to achieve remote code execution.

Product: Calibre

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6782

NVD References:

- https://github.com/kovidgoyal/calibre/commit/38a1bf50d8cd22052ae59c513816706c6445d5e9

- https://starlabs.sg/advisories/24/24-6782/

CVE-2024-32113 - Apache OFBiz is vulnerable to an improper limitation of a pathname, allowing unauthorized access to restricted directories before version 18.12.13.

Product: Apache OFBiz

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32113

ISC Podcast: https://isc.sans.edu/podcastdetail/9078

CVE-2024-22064 - The ZTE ZXUN-ePDG product is vulnerable to information leakage due to its use of non-unique cryptographic keys during secure connections with mobile devices.

Product: ZTE ZXUN-ePDG

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22064

ISC Podcast: https://isc.sans.edu/podcastdetail/9076