By Waqas
BazarCall Evolves: Unraveling the Complexities of Google Forms in the Latest Phishing Tactics!
This is a post from HackRead.com Read the original post: Scammers Weaponize Google Forms in New BazarCall Attack

Google Forms is the latest Google product to be abused by threat actors, this time for a new variant of the BazarCall attack

Cybersecurity researchers at Abnormal Security have identified a new attack campaign in which scammers use the **BazarCall technique (BazaCall or Callback phishing)** to target victims. This time, however, the notorious phishing attack method has taken a sophisticated turn by incorporating Google Forms to enhance its deceptive strategies.

Here, it is worth noting that Abnormal Security’s findings came just a couple of weeks after the **FBI warned users** of the Silent Ransom Group (SRG), also identified as Luna Moth, employing Callback phishing techniques for network hacks.

In the usual scenario, the BazarCall attack typically begins with a phishing email masquerading as a payment notification or subscription confirmation from familiar brands. The email prompts recipients to call a provided phone number to dispute charges or cancel a service, creating a sense of urgency. However, the real objective is to **trick victims into installing malware** during the phone call, exposing organizations to future cyber threats.

What sets this BazarCall variant apart is its utilization of Google Forms to elevate the authenticity of malicious emails. The attacker crafts a Google Form, adding details about a fake transaction, including an invoice number and payment information. The response receipt option is then activated, sending a copy of the completed form to the target’s email address.

In a **blog post**, Mike Britton Chief Information Security Officer at Abnormal Security that the attacker manipulates the process further by sending the form invitation to themselves, completing it with the target’s email address, and making it look like a payment confirmation for a product or service. Using Google Forms, sent from a legitimate Google address, enhances the attack’s legitimacy, making it harder to detect.

> _“Because the email is sent directly from Google Forms, the sender address is forms-receipts-noreply@googlecom, and the sender display name is “Google Forms.” Not only does this contribute to the appearance of legitimacy, it increases the chances of the message being successfully delivered as the email is from a legitimate and trusted domain.”_
> 
> Mike Britton – Abnormal Security

The uniqueness of this BazarCall lies in its difficulty to be identified by traditional email security tools. Unlike typical threats with malicious links or attachments, this attack relies on Google Forms, a trusted service for surveys and quizzes.

Actual email sent by threat actors using Google Forms (Image credit: Abnormal Security)

The dynamic nature of Google Forms URLs further complicates detection, as they frequently change, evading static analysis and signature-based detection used by many security tools. Mike further noted that legacy email security tools, such as secure email gateways (SEGs), struggle to discern the malicious intent behind these emails, leading to potential threats slipping through the cracks.

However, modern **AI-native email security solutions** equipped with behavioural AI and content analysis can accurately identify and thwart such attacks by recognizing brand impersonation and phishing attempts.

In navigating the evolving landscape of cyber threats, staying informed about sophisticated attack methods like this BazarCall variant is crucial. Adopting advanced email security solutions that leverage artificial intelligence is paramount to effectively protect organizations and individuals from the ever-changing tactics of cybercriminals.

****_RELATED ARTICLES_****

1.  **New BEC 3.0 Attack Exploiting Dropbox for Phishing**
2.  **Phishers Exploiting Google Docs to Harvest Crypto Credentials**
3.  **Iran’s MuddyWater Group Targets Israelis with Fake Memo Phishing**
4.  **USPS Delivery Phishing Scam Exploits SaaS Providers to Steal Data**
5.  **Hotel booking phishing scam uses PDF links to spread MrAnon Stealer**

Scammers Weaponize Google Forms in New BazarCall Attack

In November, ransomware gangs attacked at least 457 victims—the highest monthly count in 2023, after May's record numbers.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In November there were 457 total ransomware victims, making it the most active month for ransomware gangs in 2023 so far besides May. The top stories of the month include ALPHV’s shutdown, an increased focus on the healthcare sector, and high-profile attacks on Toyota, Boeing, and more using a Citrix Bleed vulnerability (CVE-2023-4966).

We’ve written about a few ransomware gangs getting shut down this year, including Hive in January and RansomedVC in October, but ALPHV is the latest—and arguably biggest—name to be crossed off of law enforcements’ hit list in 2023. The fate of the gang was sealed in early December, when their data leak sites suddenly became unavailable. Shortly thereafter, researchers at RedSense confirmed that law enforcement was indeed behind the takedown action.

ALPHV’s shutdown represents a huge blow to the ransomware world—and a big win for defenders. With a total of 573 victims since February 2022, it’s no exaggeration to say that ALPHV was second only to LockBit in being organizations’ biggest ransomware threat. The demise of ALPHV can be examined through a few different lenses. For one, it’s a reminder that no ransomware gang—however prolific or well-resourced—is immune to downfall.

The good news in all this is that today’s _who’s who_ can be tomorrow’s _nobody_. The bad news? That same logic works in reverse as well: Today’s nobody can be tomorrows who’s who.

This is the case we’ve seen with gangs like Medusa or 8BASE. For every head lopped of off the ransomware Hydra, it feels like three more grow in its place. However, none of this is to say that decisive law enforcement action doesn’t deter ransomware gangs to some extent—it does. One can hope that ransomware gangs see a Goliath like ALPHV get felled and think twice about wantonly attacking organizations at the rate we’ve been seeing lately.

In other news, attacks on the healthcare sector last month reached an all-time high at 38 total attacks.

The record follows a steady uptick in attacks on the sector we’ve observed over the past year. According to the findings released by the Department of Health and Human Services last month, there has been a 278% increase in ransomware attacks on health sector over the past four years. “The large breaches reported this year have affected over 88 million individuals, a 60% increase from last year,” the agency also said.

Ransomware attacks on healthcare, 03/22 to 011/23

An attack on Ardent Health Services last month stands as a devastating reification of the trend. The attack, which occurred on Thanksgiving Day, left emergency rooms in multiple hospitals across four US states shut down for five days.

What explains the rise and focus on attacks on the healthcare sector? Well, for one thing, there isn’t a clear bias of one gang disproportionately targeting health care—our data shows LockBit is consistently at the top of the list, as they are likely for most sectors. The explanation, then, likely resides in a combination of facts:

1.  Ransomware attacks are up overall for all sectors
2.  Healthcare is easy to attack (Large number of weak points due to use of legacy systems, third-party vendors, etc).
3.  Healthcare might be more likely to pay (Higher desire to protect sensitive patient data).

Pair this up with a Thanksgiving holiday, and a bigger increase in attacks on health care is somewhat expected.

In other news, ransomware gangs rushed to exploit the Citrix Bleed vulnerability last month, taking advantage of a massive attack surface with over 8,300 vulnerable devices. LockBit led the fray by using the vulnerability to breach the likes of the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing. Reported to have been in use as a zero-day since late August, Citrix Bleed provides attackers with the capability to bypass multi-factor authentication (MFA) and hijack legitimate user sessions. It is also said to be very easy to exploit.

Known ransomware attacks by gang, November 2023

Known ransomware attacks by country, November 2023

Known ransomware attacks by industry, November 2023

One of the most interesting developments last month were new reports reinforcing claims that Rhysida may be a rebrand of the infamous Vice Society ransomware gang. Not only does Rhysida share many operational and technical patterns with Vice Society—including using NTDSUtil for backups in ‘temp\_l0gs’ and SystemBC for C2 communications—but the distribution of their monthly attacks lines up as well. Vice Society hasn’t been active since June 2023—the same month we witnessed the rise of Rhysida.

Vice Society vs Rhysidia monthly ransomware attacks. Rhysida seems to pick up right where Vice Society dropped off

That being said, a rebrand isn’t confirmed. Perhaps Rhysida is a splinter group. Whatever the explanation, however, it’s almost certain this pattern is no mere coincidence—especially considering the victimology of the two groups is extremely similar (a focus on education and healthcare sectors).

**New Player: MEOW**

First detected in August 2022, Meow ransomware, linked to the Conti v2 variant, reappeared after vanishing in February 2023. The group published nine victims to its leak site in November.

Operating as MeowCorp or MeowCorp2022, it encrypts files with a “.MEOW” extension and sends ransom notes demanding contact via email or Telegram. Using ChaCha20 and RSA-4096 encryption, Meow is related to other malware strains originating from the leaked Conti variant. Its dark web site shows a limited victim list, including the high-profile entity Sloan Kettering Cancer Center.

**Preventing Ransomware with ThreatDown**

ThreatDown detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

ThreatDown Bundles combinesthe technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down ransomware gangs:

*   **ThreatDown Core Bundle**: Next-gen AV and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
*   **ThreatDown Advanced Bundle**: Everything included in core plus Managed Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
*   **ThreatDown Elite Bundle**: Everything in Advanced plus 24/7/365 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
*   **ThreatDown Ultimate Bundle**: Everything in Elite plus protection from whole categories of malicious websites. Perfect for teams looking for a one-and-done shortcut to cybersecurity done right.

**Try ThreatDown bundles today**

 Ransomware review: December 2023 

An OS command injection vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated API user to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

Palo Alto Networks Security Advisories / CVE-2023-6792

Urgency **REDUCED**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **PRESENT**

Automatable **NO**

User Interaction **NONE**

Product Confidentiality **HIGH**

Product Integrity **LOW**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-156560**

Discovered **externally**

**Description**

An OS command injection vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated API user to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

None

All

PAN-OS 10.2

None

All

PAN-OS 10.1

< 10.1.6

\>= 10.1.6

PAN-OS 10.0

< 10.0.12

\>= 10.0.12

PAN-OS 9.1

< 9.1.15

\>= 9.1.15

PAN-OS 9.0

< 9.0.17

\>= 9.0.17

PAN-OS 8.1

< 8.1.24

\>= 8.1.24

Prisma Access

None

All

**Required Configuration for Exposure**

This issue is applicable only to PAN-OS configurations that have XML API access enabled.

You can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access

**Severity: MEDIUM**

CVSSv4.0 Base Score: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

**Solution**

This issue is fixed in PAN-OS 8.1.24, PAN-OS 9.0.17, PAN-OS 9.1.15, PAN-OS 10.0.12, PAN-OS 10.1.6, and all later PAN-OS versions.

**Workarounds and Mitigations**

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 91715 (introduced in Applications and Threats content update 8473).

This issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks Ethan Shackelford of IOActive for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6792: CVE-2023-6792 PAN-OS: OS Command Injection Vulnerability in the XML API

A credential disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to obtain the plaintext credentials of stored external system integrations such as LDAP, SCP, RADIUS, TACACS+, and SNMP from the web interface.

Palo Alto Networks Security Advisories / CVE-2023-6791

Urgency **REDUCED**

Response Effort **LOW**

Recovery **USER**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **NONE**

Automatable **NO**

User Interaction **NONE**

Product Confidentiality **LOW**

Product Integrity **NONE**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **HIGH**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-193370**

Discovered **externally**

**Description**

A credential disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to obtain the plaintext credentials of stored external system integrations such as LDAP, SCP, RADIUS, TACACS+, and SNMP from the web interface.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

< 11.0.1

\>= 11.0.1

PAN-OS 10.2

< 10.2.4

\>= 10.2.4

PAN-OS 10.1

< 10.1.9

\>= 10.1.9

PAN-OS 10.0

< 10.0.12

\>= 10.0.12

PAN-OS 9.1

< 9.1.16

\>= 9.1.16

PAN-OS 9.0

< 9.0.17

\>= 9.0.17

PAN-OS 8.1

< 8.1.24-h1

\>= 8.1.24-h1

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 6.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-701: Weakness Introduced During Design

**Solution**

This issue is fixed in PAN-OS 8.1.24-h1, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.

You should issue new credentials for the impacted external integrations after you upgrade your PAN-OS software to a fixed version to prevent the misuse of previously exposed credentials.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks Kajetan Rostojek for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6791: CVE-2023-6791 PAN-OS: Plaintext Disclosure of External System Integration Credentials

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface. Then, when viewed by a properly authenticated administrator, the JavaScript payload executes and disguises all associated actions as performed by that unsuspecting authenticated administrator.

Palo Alto Networks Security Advisories / CVE-2023-6789

Urgency **REDUCED**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **NONE**

Automatable **NO**

User Interaction **PASSIVE**

Product Confidentiality **LOW**

Product Integrity **LOW**

Product Availability **LOW**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-216216, PAN-193369 and PAN-170882**

Discovered **externally**

**Description**

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface. Then, when viewed by a properly authenticated administrator, the JavaScript payload executes and disguises all associated actions as performed by that unsuspecting authenticated administrator.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

< 11.0.2

\>= 11.0.2

PAN-OS 10.2

< 10.2.5

\>= 10.2.5

PAN-OS 10.1

< 10.1.11

\>= 10.1.11

PAN-OS 10.0

All

None

PAN-OS 9.1

< 9.1.17

\>= 9.1.17

PAN-OS 9.0

< 9.0.17-h4

\>= 9.0.17-h4

PAN-OS 8.1

< 8.1.26

\>= 8.1.26

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

**Solution**

This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks Md Sameull Islam of Beetles Cyber Security LTD, Kajetan Rostojek, and an external reporter for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6789: CVE-2023-6789 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

An OS command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

Palo Alto Networks Security Advisories / CVE-2023-6795

Urgency **REDUCED**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **PRESENT**

Automatable **YES**

User Interaction **NONE**

Product Confidentiality **HIGH**

Product Integrity **LOW**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-166315**

Discovered **externally**

**Description**

An OS command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

None

All

PAN-OS 10.2

None

All

PAN-OS 10.1

< 10.1.3

\>= 10.1.3

PAN-OS 10.0

< 10.0.9

\>= 10.0.9

PAN-OS 9.1

< 9.1.12

\>= 9.1.12

PAN-OS 9.0

< 9.0.17

\>= 9.0.17

PAN-OS 8.1

< 8.1.24-h1

\>= 8.1.24-h1

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-78 OS Command Injection

**Solution**

This issue is fixed in PAN-OS 8.1.24-h1, PAN-OS 9.0.17, PAN-OS 9.1.12, PAN-OS 10.0.9, PAN-OS 10.1.3, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6795: CVE-2023-6795 PAN-OS: OS Command Injection Vulnerability in the Web Interface

An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

Palo Alto Networks Security Advisories / CVE-2023-6794

Urgency **REDUCED**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **PRESENT**

Automatable **NO**

User Interaction **NONE**

Product Confidentiality **HIGH**

Product Integrity **LOW**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-139152 and PAN-131835**

Discovered **internally**

**Description**

An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

None

All

PAN-OS 10.2

None

All

PAN-OS 10.1

None

All

PAN-OS 9.1

< 9.1.14

\>= 9.1.14

PAN-OS 9.0

< 9.0.17-h1

\>= 9.0.17-h1

PAN-OS 8.1

< 8.1.26

\>= 8.1.26

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-434 Unrestricted Upload of File with Dangerous Type

**Solution**

This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h1, PAN-OS 9.1.14, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

This issue was found by Palo Alto Networks during an internal security review.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6794: CVE-2023-6794 PAN-OS: File Upload Vulnerability in the Web Interface

An improper privilege management vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to revoke active XML API keys from the firewall and disrupt XML API usage.

Palo Alto Networks Security Advisories / CVE-2023-6793

Urgency **REDUCED**

Response Effort **LOW**

Recovery **USER**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **NONE**

Automatable **YES**

User Interaction **NONE**

Product Confidentiality **NONE**

Product Integrity **NONE**

Product Availability **LOW**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-220267 and PAN-220269**

Discovered **externally**

**Description**

An improper privilege management vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to revoke active XML API keys from the firewall and disrupt XML API usage.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

< 11.0.2

\>= 11.0.2

PAN-OS 10.2

< 10.2.5

\>= 10.2.5

PAN-OS 10.1

< 10.1.11

\>= 10.1.11

PAN-OS 10.0

All

None

PAN-OS 9.1

< 9.1.17

\>= 9.1.17

PAN-OS 9.0

< 9.0.17-h4

\>= 9.0.17-h4

PAN-OS 8.1

None

All

Prisma Access

None

All

**Required Configuration for Exposure**

This issue is applicable only to PAN-OS configurations that have XML API access enabled.

You can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access

**Severity: MEDIUM**

CVSSv4.0 Base Score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-269 Improper Privilege Management

**Solution**

This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6793: CVE-2023-6793 PAN-OS: XML API Keys Revoked by Read-Only PAN-OS Administrator

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

Skip to content

Sign in

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

glpi-project / **glpi** Public

*   Notifications
*   Fork 1.2k
*   Star 3.5k
    

*   Code
*   Issues 137
*   Pull requests 62
*   Actions
*   Projects 1
*   Security
*   Insights

Additional navigation options

Moderate

trasher published GHSA-94c3-fw5r-3362

Dec 13, 2023

**Package**

glpi (glpi)

**Affected versions**

\>= 10.0.0

**Patched versions**

10.0.11

**Description**

**Impact**

The saved search feature can be used to perform a SQL injection.

**Patches**

Upgrade to 10.0.11.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

Moderate

6.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVE ID**

CVE-2023-43813

**Weaknesses**

CWE-89

**Credits**

*    bhopkins0 Reporter

CVE-2023-43813: Authenticated SQL Injection

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

**Tokens stored in plain text by PaaSLane Estimate Plugin**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

Tag

#auth