Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-37940

**Liferay Portal and Liferay DXP have Cross-site Scripting vulnerability in edit Service Access Policy page**

Moderate severity GitHub Reviewed Published Dec 18, 2024 to the GitHub Advisory Database • Updated Dec 18, 2024

**Package**

maven com.liferay.portal:release.dxp.bom (Maven)

**Affected versions**

\>= 7.0, < 7.3.10.u30

\>= 7.4, < 7.4.13.u88

**Patched versions**

7.3.10.u30

7.4.13.u88

maven com.liferay.portal:release.portal.bom (Maven)

Published to the GitHub Advisory Database

Dec 18, 2024

Last updated

Dec 18, 2024

GHSA-px38-239g-x5mg: Liferay Portal and Liferay DXP have Cross-site Scripting vulnerability in edit Service Access Policy page

A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-6mpx-pmgp-ww49: Keycloak vulnerable to Cleartext Transmission of Sensitive Information

A vulnerability has been discovered that could allow an attacker to acquire disk access with privileges equivalent to those of pghoard, allowing for unintended path traversal.  Depending on the permissions/privileges assigned to pghoard, this could allow disclosure of sensitive information.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-m9hc-vxjj-4x6q: PGHoard Path Traversal vulnerability

Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.

GHSA-jxw2-jvxf-5vrp: Databricks JDBC Driver Command Injection vulnerability

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field

GHSA-4hxr-28mv-q729: Liferay Portal and Liferay DXP vulnerable to Criss-site Scripting

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

GHSA-5mpw-4546-2wcr: Elasticsearch Incorrect Authorization vulnerability

The cyberattack impacts at least 1.4 million patients, as tranches of highly sensitive personal, medical, and financial data fall into the hands of cyber crooks who have everything they need to carry out convincing social engineering and fraud attacks.

Source: Kirby Lee via Alamy Stock Photo

NEWS BRIEF

Texas Tech University's Health Sciences Centers (HSCs) in Lubbock and El Paso are the latest victims of a disruptive cyberattack. The incident impacted the data of 1.4 million patients, exposing a treasure trove of valuable information that could be used for convincing follow-up social engineering attacks, identity theft, and more.

The attackers had access to the university's medical environments between Sept. 17 and 29, during which time they made off with "certain files and folders from the HSCs' network," according to a website notice.

**Cyberattackers Steal Reams of Sensitive Patient Data**

The folders contained patient names, dates of birth, Social Security numbers, driver's license numbers, financial data, medical information, billing and insurance data, medical records numbers, and more.

"The health and social-care sector has always been a popular target for cybercriminals," Brian Higgins, security specialist at Comparitech, said via email. "The combination of plentiful data points along with the often very sensitive nature of some of the information serves not only to add increased pressure on breached organizations to settle any ransom demands, but also to render individual client-side victims more susceptible to follow-up attacks seeking password or logon access and other personal information."

Related:Microsoft Teams Vishing Spreads DarkGate RAT

In October, a ransomware group called Interlock claimed to be behind the hack, saying that it stole 3.2 terabytes of data from the Red Raiders.

"The group posted images of what it says are stolen documents on its leak site," Paul Bischoff, consumer privacy advocate at Comparitech, said via email. "TTHUSC hasn't verified that claim, but no other groups have claimed responsibility at this time. Interlock is a new ransomware gang that first started adding targets to its leak site in October. This was one of the biggest medical data breaches of 2024."

**Texas Tech's Block & Tackle Incident Response**

For its part, the school is offering somewhat boilerplate information: "The HSCs are in the process of notifying individuals whose information may be involved in this incident," according to the notice, which added that free credit monitoring is available. "To help prevent a recurrence, the HSCs are reviewing existing security policies and procedures as part of the investigation and are implementing additional safeguards to enhance system protection and monitoring."

It also noted that affected individuals should monitor their credit reports and bank accounts for evidence of identity theft and fraud, review account statements, and scrutinize health care and health insurance billing statements for suspicious activity or errors.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

"One can only hope that Texas Tech will offer a decent level of security mitigation measures … to try to alleviate what is an incredibly stressful situation for all involved," Higgins noted. "It's reasonable, after so many documented attacks, that users should expect high-risk sectors to harden, but that doesn't seem to be happening with the force and frequency necessary to combat the threat."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Texas Tech Fumbles Medical Data in Massive Breach

Yet another day, yet another data leak tied to Cisco!

****SUMMARY:****

*   **Partial Data Leak**: Hackers leaked 2.9GB of Cisco’s data on _Breach Forums_ on December 16, 2024.

*   **Exposed Records**: The leaked data is part of a 4.5TB dataset that was allegedly left unprotected by Cisco in October 2024.

*   **Previous Incident**: IntelBroker previously claimed responsibility for accessing the exposed data and attempted to sell it, including sensitive information from companies like Verizon, AT&T, and Microsoft.

*   **Cisco’s Response**: Cisco previously denied any compromise of core systems, attributing the issue to a misconfigured public-facing DevHub resource.

*   **Proof of Legitimacy**: IntelBroker released this partial leak to demonstrate the validity of their claims and attract buyers for the remaining data.

**RIBridges Breach**: Hackers infiltrated Rhode Island’s health and benefits system, demanding ransom and threatening to leak sensitive data.

On Monday, December 16, 2024, hackers leaked what they referred to as “partial data” belonging to technology and cybersecurity giant Cisco. The leak occurred on the cybercrime and data breach platform Breach Forums, where IntelBroker, a notorious hacker and the forum’s owner, released 2.9 GB of data for download.

****Important Background****

The leaked data is part of the 4.5TB content that hackers claim was left exposed by Cisco without any password protection or security authentication, allowing them to download the entire dataset in October 2024.

Hackread.com exclusively reported on the incident on October 14, 2024, when IntelBroker attempted to sell the data, which allegedly included source codes, confidential documents, and credentials belonging to global firms like Verizon, AT&T, Microsoft, and others.

At the time, Cisco did not respond to Hackread.com but denied any compromise of their core systems, attributing the incident to a misconfigured public-facing DevHub resource. However, IntelBroker maintained they had access until October 18 and provided evidence to Hackread.com showing they exploited an exposed token for JFrog, a software supply chain platform, to access the exposed content.

****What’s in the Leaked Data?****

This time, IntelBroker has leaked a portion of the data in an attempt to prove its legitimacy to potential buyers. “Hopefully, this proves the legitimacy of the breach to others wanting to buy the full version,” the hacker stated.

The 2.9GB leak reportedly contains the following:

*   **Cisco ISE (Identity Services Engine)**: A security policy platform that provides secure network access control and identity management.

*   **Cisco SASE (Secure Access Service Edge)**: A cloud-delivered solution that combines networking and security functions for secure access from anywhere.

*   **Cisco Webex**: A collaboration platform offering video conferencing, messaging, and calling solutions for teams and businesses.

*   **Cisco Umbrella**: A cloud-based DNS security solution that protects users from threats by securing internet access and blocking malicious domains.

*   **Cisco IOS XE & XR**: Network operating systems used in Cisco routers and switches, enabling advanced networking, automation, and programmability.

*   **Cisco C9800-SW-iosxe-wlc.16.11.01**: A software-based Wireless LAN Controller (WLC) image that manages and controls wireless networks running on Cisco Catalyst 9800 Series platforms.

Here’s a screenshot from Breach Forums showing what the hackers have leaked and the claims they are making:

IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Nevertheless, the partial leak goes on to show ongoing exploitation of misconfigured systems and exposed data. The scale of exploitation is evident, as even high-profile hackers like ShinyHunters and Nemesis **have targeted** misconfigured servers and S3 buckets.

While Cisco has yet to respond to this latest development, IntelBroker’s actions also show how such incidents can escalate into extortion attempts. Whether the remaining 4.5TB dataset will be sold, leaked, or resolved remains to be seen, but it’s a reminder for organizations to maintain their security practices and protect sensitive data.

1.  IntelBroker Claim Access to Nokia Internal Data, Selling for $20K
2.  Europol Hacked: IntelBroker Claims Major Law Enforcement Breach
3.  IntelBroker Space-Eyes Breach, Targeting US National Security Data
4.  IntelBroker Claims Breach of Top Cybersecurity Firm, Selling Access
5.  AMD Data Breach: IntelBroker Claims Theft of Employee, Product Info

Hackers Leak Partial Cisco Data from 4.5TB of Exposed Records

Actions direct agencies to deploy specific security configurations to reduce cyber-risk.

PRESS RELEASE

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 25-01, Implementing Secure Practices for Cloud Services to safeguard federal information and information systems. This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services. As part of CISA and the broad U.S. government's effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the federal government networks.

"Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise," said CISA Director Jen Easterly. "While this Directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play."

As federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.

The new Directive can be found at Binding Operational Directive (BOD) 25-01. To learn more about CISA Directives, visit Cybersecurity Directives webpage.

CISA Directs Federal Agencies to Secure Cloud Environments

PRESS RELEASE

SAN FRANCISCO--(BUSINESS WIRE)-- Delinea, a pioneering provider of solutions for securing identities through centralized authorization, today announced it has been authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CVE Numbering Authority (CNA).

The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CNAs are organizations responsible for regularly assigning CVE Identifiers (CVE IDs) to vulnerabilities and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Delinea proudly joins a list of partners, including 420+ organizations from 40 countries, to further expand the community-driven CVE Program.

As a CNA, Delinea is authorized to review and assign CVE IDs to newly discovered zero-day vulnerabilities in the company’s software products. This will allow Delinea to directly establish new CVEs, streamline the reporting process, and continue to foster collaboration with the industry as a whole.

“Joining the CVE Program as a CNA reinforces our commitment and dedication to collaborating with the global cybersecurity community to identify and address emerging threats and shape the future of cybersecurity,” said Phil Calvin, Chief Product Officer at Delinea. “As identity security becomes the new frontline in cyber defense, safeguarding identities and governing their interactions is more critical than ever. Delinea’s involvement in this program will ensure our identity security solutions continue to be the most reliable in the market.”

Delinea provides the only identity security platform that enables organizations to seamlessly govern interactions across the modern enterprise through intelligent authorization. It applies context and intelligence throughout the identity lifecycle, eliminating threats while boosting productivity.

**A community-based approach to strengthening cybersecurity**

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders. It is an international, community-based effort to discover vulnerabilities and then assign and publish them to the CVE List, which CNAs build.

Use of CVE Records enables information technology and cybersecurity professionals to ensure they are discussing the same issue and coordinate their efforts to prioritize and address vulnerabilities, resulting in significant time and cost savings.

For more information on Delinea’s responsible disclosure program, visit its Trust Center: https://trust.delinea.com

Latest News