An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-38874

**events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability**

Moderate severity GitHub Reviewed Published Jun 21, 2024 to the GitHub Advisory Database • Updated Jun 21, 2024

**Package**

composer jweiland/events2 (Composer)

**Affected versions**

< 8.3.8

\>= 9.0.0, < 9.0.6

**Patched versions**

8.3.8

9.0.6

**Description**

Published to the GitHub Advisory Database

Jun 21, 2024

Last updated

Jun 21, 2024

GHSA-cchp-3rq6-69wj: events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the captcha integration for the ext:form extension.

**FriendlyCaptcha Plugin for TYPO3 Captcha Check Bypass**

Moderate severity GitHub Reviewed Published Jun 21, 2024 to the GitHub Advisory Database • Updated Jun 21, 2024

GHSA-jg62-h7pv-hxgv: FriendlyCaptcha Plugin for TYPO3 Captcha Check Bypass

A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.
The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine.
Affecting all versions of the software prior to and including Serv-U 15.4.2

Vulnerability / Data Protection

A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.

The vulnerability, tracked as **CVE-2024-28995** (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine.

Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month.

The list of products susceptible to CVE-2024-28995 is below -

*   Serv-U FTP Server 15.4
*   Serv-U Gateway 15.4
*   Serv-U MFT Server 15.4, and
*   Serv-U File Server 15.4

Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available.

Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit and that it allows external unauthenticated attackers to read any arbitrary file on disk, including binary files, assuming they know the path to that file and it's not locked.

"High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims," it said.

"File transfer products have been targeted by a wide range of adversaries the past several years, including ransomware groups."

Indeed, according to threat intelligence firm GreyNoise, threat actors have already begun to conduct opportunistic attacks weaponizing the flaw against its honeypot servers to access sensitive files like /etc/passwd, with attempts also recorded from China.

With previous flaws in Serv-U software exploited by threat actors, it's imperative that users apply the updates as soon as possible to mitigate potential threats.

"The fact that attackers are using publicly available PoCs means the barrier to entry for malicious actors is incredibly low," Naomi Buckwalter, director of product security at Contrast Security, said in a statement shared with The Hacker News.

"Successful exploitation of this vulnerability could be a stepping stone for attackers. By gaining access to sensitive information like credentials and system files, attackers can use that information to launch further attacks, a technique called 'chaining.' This can lead to a more widespread compromise, potentially impacting other systems and applications."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately

“Immediately stop using [Kaspersky] and switch to an alternative” warned the Commerce Secretary in a new US ban of the antivirus provider.

The US government will ban the sale of Kaspersky antivirus products to new customers in the United States starting July 20, with a follow-on deadline to prohibit the cybersecurity company from providing users with software updates after September 29.

The move follows years of allegations that the cybersecurity firm served as a hacking conduit for Russian intelligence agencies—allegations that the company has consistently denied.  

While current US Kaspersky customers will see no immediate impact from the ban, the September 29 software update deadline signals a bigger change. Without available updates, any cybersecurity product becomes less secure over time, and means the company won’t be able to protect customers against the newest threats.

In a briefing call with reporters on Thursday, US Department of Commerce Secretary Gina Raimondo offered consolation and advice to current customers of the antivirus products:

> “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

Kaspersky rebuffed the Biden Administration’s decision in a statement shared on social media Thursday.

“Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interested and allies,” the company said. “The company intends to purse all legally available options to preserve its current operations and relationships.”

The ban, first reported by Reuters and released Thursday, includes “AO Kaspersky Lab,” “OOO Kaspersky Group,” and “Kaspersky Labs Limited.”

According to the US Department of Commerce, all three Kaspersky entities are being banned “for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives.”

In October 2017, The New York Times reported that Israeli intelligence officers managed to catch Russian government hackers using Kaspersky to conduct clandestine searches across the globe. That reporting followed a bombshell investigation from The Wall Street Journal that claimed that Russian hackers stole classified NSA materials from a contractor’s personal computer which had Kaspersky software installed on it.

That reported hacking incident allegedly resulted in the US government’s decision that same year to remove Kaspersky antivirus software from US government devices.

In the same Thursday briefing call, Secretary Raimondo cited the threat of Russian influence in the Department’s decision to ban Kaspersky:

> “Russia has shown it has the capacity and… the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action that we are taking today.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 US bans Kaspersky, warns: “Immediately stop using that software&#8221; 

IntelBroker is offering source code from major companies for sale. Are they demonstrating the value of a zero-day they are also selling?

A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.

The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)

Post offereing data for sale supposedly from a T-Mobile internal breach

To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.

But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.

When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.

Found CVE-2024-1597

This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.

The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.

For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.

If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.

This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.

IntelBroker selling zero-day for JIra

> “I’m selling a zero-day RCE for Atlassian’s Jira.
> 
> Works for the latest version of the desktop app, as well as Jira with confluence.
> 
> No login is required for this, and works with Okta SSO.”

If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.

Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.

> “We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Was T-Mobile compromised by a zero-day in Jira? 

ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.

**ClassGraph XML External Entity Reference**

Moderate severity GitHub Reviewed Published Jun 21, 2024 to the GitHub Advisory Database • Updated Jun 21, 2024

GHSA-v2xm-76pq-phcf: ClassGraph XML External Entity Reference

The U.S. Department of Commerce's Bureau of Industry and Security (BIS) on Thursday announced a "first of its kind" ban that prohibits Kaspersky Lab's U.S. subsidiary from directly or indirectly offering its security software in the country.
The blockade also extends to the cybersecurity company's affiliates, subsidiaries and parent companies, the department said, adding the action is based on

Software Security / Threat Intelligence

The U.S. Department of Commerce's Bureau of Industry and Security (BIS) on Thursday announced a "first of its kind" ban that prohibits Kaspersky Lab's U.S. subsidiary from directly or indirectly offering its security software in the country.

The blockade also extends to the cybersecurity company's affiliates, subsidiaries and parent companies, the department said, adding the action is based on the fact that its operations in the U.S. posed a national security risk. News of the ban was first reported by Reuters.

"The company's continued operations in the United States presented a national security risk — due to the Russian Government's offensive cyber capabilities and capacity to influence or direct Kaspersky's operations — that could not be addressed through mitigation measures short of a total prohibition," the BIS said.

It further said Kaspersky is subject to the jurisdiction and control of the Russian government and that its software provides Kremlin access to sensitive U.S. customer information as well as allows for installing malicious software or withholding critical updates.

"The manipulation of Kaspersky software, including in U.S. critical infrastructure, can cause significant risks of data theft, espionage, and system malfunction," it noted. "It can also risk the country's economic security and public health, resulting in injuries or loss of life."

As part of the ban, Kaspersky will be barred from selling its software to American consumers and businesses starting on July 20. However, the company can still provide software and antivirus signature updates to existing customers until September 29.

It's also urging current individual and business customers to find suitable replacements within the 100-day time period so as to ensure that there are no gaps in security protections. That said, it's worth noting that they can continue to use the products should they choose to do so.

"Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people," Secretary of Commerce Gina Raimondo said.

That's not all. Kaspersky has also been added to the Entity List for their "cooperation with Russian military and intelligence authorities in support of the Russian Government's cyber intelligence objectives."

The Moscow-headquartered firm, which serves over 400 million customers and 240,000 corporate clients across 200 countries including Piaggio, Volkswagen Group Retail Spain, and the Qatar Olympic Committee, has long been in the crosshairs of the U.S. government over its ties to Russia.

In September 2017, its products were banned from being used in federal networks, citing national security concerns. Weeks after that announcement, a Wall Street Journal report alleged Russian government hackers had stolen U.S. classified hacking tools stored on a National Security Agency (NSA) contractor's home computer because it was running Kaspersky software.

The New York Times reported days later that Israeli officials notified the U.S. of the espionage operation after they hacked into Kaspersky's network in 2015. The company responded saying it came across the code in 2014 when its antivirus software flagged a 7-Zip file as malicious on a U.S.-based computer.

The tool, later attributed to the Equation Group, was deleted and no third-parties saw the code, the company said at the time following an internal investigation. Equation Group is the name assigned by Kaspersky to a hacking crew with suspected ties to the NSA's Tailored Access Operations (TAO) cyberwarfare unit.

Nearly five years later, Kaspersky was added to the Federal Communications Commission's (FCC) "Covered List" of companies that pose an "unacceptable risk to the national security" of the country. Germany and Canada have enacted similar restrictions in recent years.

Responding to the latest move from the U.S. government, Kaspersky said the Commerce Department made its decision based on the current geopolitical climate and theoretical concerns, adding it "unfairly ignores" evidence of the transparency measures implemented by the company to demonstrate integrity and trustworthiness.

"The primary impact of these measures will be the benefit they provide to cybercrime," it said. "International cooperation between cybersecurity experts is crucial in the fight against malware, and yet this will restrict those efforts."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Bans Kaspersky Software, Citing National Security Risks

CDK Global, which makes software for car dealers, experienced a cyber incident that halted vehicle sales and service across the US.

Source: Joe Hendrickson via Alamy Stock Photo

A supply chain cyberattack on software provider CDK Global forced thousands of car dealerships to shut down Wednesday, a traditionally busy day for sales with the Juneteenth holiday.

Reports said the first dealerships started getting booted offline around 2 a.m. Eastern Time on Wednesday, June 19. Some shut down altogether, unable to access critical information, while others maintained some services by relying on paper records.

On Thursday morning, CDK said that there had been a second cyber incident.

"Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems," CDK said in a statement provided to Dark Reading. "In partnership with third party experts, we are assessing the impact and providing regular updates to our customers."

CDK's statement added that it took systems offline as a precaution.

"We are continuing to conduct extensive tests on all other applications, and we will provide updates as we bring those applications back online," CDK said in its statement. "Our first priority is always the security of our customers, and our actions reflect our obligation to them as a trusted partner."

**Looking for Answers**

The specific nature of the supply chain cyber incident and whether systems have been restored remains unclear. However, Roger Grimes, data-driven defense evangelist with KnownBe4, said he suspects ransomware.

"It hasn't been released what type of 'cyber incident' this is, but there's a good chance it's related to ransomware," Grimes said in a statement. "When more details are released, I hope part of the details include how the cyber threat made its way into CDK's systems (e.g., social engineering, unpatched software or firmware, etc.). Because in order to mitigate future occurrences you need to start with how the current incident was caused."

According to Andrew Costis, chapter lead on the adversary research team at AttackIQ, the cyber incident is far from over for dealerships that rely on CDK software.

"CDK is suffering from not one, but two cyberattacks that have caused the SaaS provider to shut down IT systems," he told Dark Reading in a statement. "Given the extensive reliance on this third-party vendor, the fallout from this attack reverberates throughout the entire automotive industry."

Thousands of Car Dealerships Stalled Out After Software Provider Cyberattack

The notorious cyber espionage group has been harrying French interests for years, and isn't flagging now as the Paris Olympics approach.

Source: Paul Ward via Alamy Stock Photo

Midnight Blizzard, the Russia-backed advanced persistent threat (APT) behind the 2016 US elections interference and the 2020 SolarWinds attacks, has been taking aim at French diplomatic entities since at least 2021 — and it remains an active threat, according to French CERT.

Russia, which not coincidentally is banned from the upcoming Summer Olympics in Paris, shows no sign of easing off of its cyberattack activities, particularly against Ukraine and European friends of Ukraine, IT companies, and US critical infrastructure.

Now, CERT-FR has warned in a recent alert that Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, and The Dukes) has been consistently attempting to exfiltrate strategic intelligence from embassies and diplomats, in an activity cluster it calls "Diplomatic Orbiter." The targets have included the French Ministry of Culture, the National Agency for Territorial Cohesion, the French Ministry of Foreign Affairs, the country's embassy in Ukraine, and others.

"Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies, and consulates," according to the CERT-FR alert (PDF). "These activities are also publicly described as a campaign called 'Diplomatic Orbiter.' The lure documents used in these attacks are typically forged to target diplomatic staff."

Once gaining initial access, the operators attempt to deliver custom, first-stage loaders to execute public tools such as Cobalt Strike or Brute Ratel C4. The ultimate goal is to access the victim's network, ensure persistence, and exfiltrate data. Many of the attacks have been unsuccessful, the organization stressed.

**About the Author(s)**

Russia's Midnight Blizzard Seeks to Snow French Diplomats

The old, but newly disclosed, vulnerability is buried deep inside personal computers, servers, and mobile devices, and their supply chains, making remediation a headache.

Source: Alexander Cimbal via Alamy Stock Photo

A vast swath of computers is likely to be affected by a newly published vulnerability in Intel processors.

CVE-2024-0762, unfortunately nicknamed "UEFIcanhazbufferoverflow," is a buffer overflow issue affecting multiple versions of Phoenix Technologies' SecureCore Unified Extensible Firmware Interface (UEFI) firmware. First disclosed by the vendor in May, it has now been described in detail by Eclypsium researchers in a blog post.

They first spotted it back in November, while analyzing UEFI images in Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen laptops. The problem lies in an unsafe call to the GetVariable() runtime service, used for reading the contents of a UEFI variable. A lack of adequate checks could allow an attacker to feed it too much data, thereby causing an overflow. From there, the attacker could take advantage by escalating privileges and executing code in a targeted machine during runtime.

Even worse than the severity of the bug, though, is its spread. Intel supplies the majority of PC processors sold around the world, and SecureCore firmware runs on 10 different generations of Intel chips. Eclypsium estimates it could affect hundreds of PC models across a wide spectrum of vendors.

**The Rub With UEFI**

There are few areas of a machine where malicious attacks are so effective, and so difficult to excise, as UEFI and its predecessor, BIOS. As the firmware interface that controls how a system boots, it is the first and most privileged code that runs once a user hits the power button on their device.

Its special status has attracted attackers far and wide in recent years, allowing them to nab root-level privileges, establish persistence through reboots, bypass security programs that might otherwise catch more traditional malware, and more.

"It's not not really the greatest place to hack into, but it is a really good place to set up shop," explains Nate Warfield, director of threat research and intelligence with Eclypsium.

"If you have code execution during that stage of a computer booting, you can drop something into the boot sector. Or you can use this vector to inject malware into Windows before it starts." He points to the recent CosmicStrand UEFI rootkit as a case in point. It's also what makes UEFIcanhazbufferoverflow so dangerous.

Still, it was only assigned a "high" 7.5 out of 10 in the CVSS scoring system. That, Warfield says, comes down to a couple of factors.

First, it requires that an attacker already have access to their targeted machine. 

Additionally, unlike your typical headline vulnerability, exploits in this case may need to be customized to a certain degree depending on the targeted computer model's configuration, and the permissions assigned to the problematic variable, adding a certain degree of complexity to the whole affair.

**The Good News and (More) Bad**

Unfortunately, this same complexity extends to vendors developing patches.

"The vulnerability we found affected a whole bunch of different versions of \[Phoenix's\] UEFI code. So they had to patch all of those for their customers, and now everyone has to go and pull those and package them up for all the versions of their BIOS," Warfield explains. "They may end up having to fix 10, 15, or 20 different tiny differences \[in architecture\] because this one supports this many GPUs, this one supports different hardware configurations for the motherboard. It's impossible to know."

Lenovo — which coordinated with the researchers in recent months — started releasing fixes last month, though some computers will remain exposed until later in the summer. Other, more recently informed original equipment and design manufacturers will surely take even longer. Organizations using Intel-powered computers can do little more than twiddle their thumbs in the meantime.

"This is the whole supply chain problem in a nutshell," Warfield says. "We informed the vendor. We have to wait for them to tell their customers' OEMs, who have to package their fixes and deliver it to their customers, who are the end users."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Latest News