In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.


CVE-2023-5763: Eclipse GlassFish Security Guide, Release 7

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.
"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.
All the counterfeit packages have been published by

Software Security / Malware

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.

"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.

All the counterfeit packages have been published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download.

The attack chain is triggered post the installation of the package via an install hook in the package.json that calls a JavaScript code to establish a reverse shell to rsh.51pwn\[.\]com.

"In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages," Phylum said.

The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the garb of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information.

The packages, named localization-utils and locute, were found to retrieve the final payload from a dynamically generated Pastebin URL and exfiltrate the information to an actor-controlled Telegram channel.

The development highlights the increasing interest of threat actors in open-source environments, which allows them to set up impactful supply chain attacks that can target several downstream customers all at once.

"These packages show a dedicated and elaborate effort to avoid detection via static analysis and visual inspection by employing a variety of obfuscation techniques," Phylum said, adding they "serve as yet another stark reminder of the critical nature of dependency trust in our open-source ecosystems."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

Rogic No-Code Database Builder's file uploading function has insufficient filtering for special characters. A remote attacker with regular user privilege can inject JavaScript to perform XSS (Stored Cross-Site Scripting) attack.

:::

*   勒索軟體防護專區
*   遠距辦公資安專區
*   回首頁
*   網站導覽
*   訂閱電子報
*   English

****

*   資安通報
*   Wannacry
*   駭客
*   勒索
*   手機

*   新聞公告News
    *   公告事項
    *   資安新聞
    *   資安活動
    *   電子報
*   資安服務Services
    *   資安通報
        *   一般資安通報
    *   資安聯盟
        *   資安聯盟簡介
        *   規章及會員申請暨異動申請
    *   台灣漏洞揭露平台 (TVN)
        *   TVN (Taiwan Vulnerability Note) 漏洞公告
        *   漏洞揭露政策
        *   漏洞通報
    *   惡意檔案檢測服務 (Virus Check)
    *   網路釣魚通報 (Phishing Check)
        *   網路釣魚通報
        *   釣魚網站列表
*   資安宣導Advocacy
    *   勒索軟體威脅防護專區
    *   遠距辦公資安專區
    *   企業資安事件應變處理指南
    *   威脅分析報告
    *   資安小知識
    *   資訊安全宣導
    *   資安宣導影音
    *   公開文件
*   相關網站Links
    *   國內資安組織
    *   國際資安組織
    *   網路資源
*   關於我們About us
    *   中心簡介
    *   活動紀事
        *   歷年年會活動網站
        *   活動花絮
    *   PGP KEY
    *   聯絡我們
    *   合作夥伴

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202311001

CVE ID

CVE-2023-41343

CVSS

5.4 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

影響產品

企業雲端資料庫: 修補前所有版本

問題描述

立即科技 Ragic 企業雲端資料庫檔案上傳功能未過濾特殊字元。遠端攻擊者以一般使用者權限登入後，可注入JavaScript語法，進行儲存式XSS(Stored Cross-site scripting)攻擊。

解決方法

更新系統至最新版本

漏洞通報者

Vicky Tsai (Acer Cyber Security)

公開日期

2023-11-03

CVE-2023-41343: 立即科技 Ragic 企業雲端資料庫 - Stored XSS

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute a crafted Javascript to expose captcha in page, making it very easy for bots to bypass the captcha check and more susceptible to brute force attacks.

:::

*   勒索軟體防護專區
*   遠距辦公資安專區
*   回首頁
*   網站導覽
*   訂閱電子報
*   English

****

*   資安通報
*   Wannacry
*   駭客
*   勒索
*   手機

*   新聞公告News
    *   公告事項
    *   資安新聞
    *   資安活動
    *   電子報
*   資安服務Services
    *   資安通報
        *   一般資安通報
    *   資安聯盟
        *   資安聯盟簡介
        *   規章及會員申請暨異動申請
    *   台灣漏洞揭露平台 (TVN)
        *   TVN (Taiwan Vulnerability Note) 漏洞公告
        *   漏洞揭露政策
        *   漏洞通報
    *   惡意檔案檢測服務 (Virus Check)
    *   網路釣魚通報 (Phishing Check)
        *   網路釣魚通報
        *   釣魚網站列表
*   資安宣導Advocacy
    *   勒索軟體威脅防護專區
    *   遠距辦公資安專區
    *   企業資安事件應變處理指南
    *   威脅分析報告
    *   資安小知識
    *   資訊安全宣導
    *   資安宣導影音
    *   公開文件
*   相關網站Links
    *   國內資安組織
    *   國際資安組織
    *   網路資源
*   關於我們About us
    *   中心簡介
    *   活動紀事
        *   歷年年會活動網站
        *   活動花絮
    *   PGP KEY
    *   聯絡我們
    *   合作夥伴

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202311006

CVE ID

CVE-2023-41350

CVSS

7.5 (High)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

影響產品

NOKIA G-040W-Q: G040WQR201207

問題描述

中華電信 NOKIA G-040W-Q 的含有Excessive Authentication Attempts漏洞，未經驗證的遠端攻擊者可發送特殊 Javascript指令取得CAPTCHA內容，並通過執行自動化程式輕易繞過驗證碼檢查，容易受到 brute force attack。

解決方法

更新韌體版本至G040WQR231013

漏洞通報者

Ta-Lun Yen(TXOne Networks)

公開日期

2023-11-03

CVE-2023-41350: 中華電信 NOKIA G-040W-Q Excessive Authentication Attempts

IBM CICS TX Standard 11.1, Advanced 10.1, 11.1, and TXSeries for Multiplatforms 8.1, 8.2, 9.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  266059.

  

**Summary**

"Cross Site Scripting" affects IBM CICS TX Standard and IBM CICS TX Advanced. IBM CICS TX Standard and IBM CICS TX Advanced have addressed the applicable vulnerability.

**Vulnerability Details**

**CVEID:**   CVE-2023-42029  
**DESCRIPTION:**   IBM CICS TX is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266059 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Advanced

10.1

IBM CICS TX Advanced

11.1

IBM CICS TX Standard

11.1

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

31 Oct 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSZ5810","label":"CICS TX"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"10.1,11.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2023-42029: Security Bulletin: "Cross Site Scripting" affects IBM CICS TX Standard and IBM CICS TX Advanced

An information leak in Daiky-value.Fukueten v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Your browser does not support JavaScript! Please try to use a different browser to access this page.

CVE-2023-39050: ダイキョーバリュー福江店

An information leak in Hattoriya v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39053: 服部屋

An information leak in shouzu sweets oz v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39047: shouzu sweets oz

By Deeba Ahmed
MuddyWater (aka Mango Sandstorm and Static Kitten) is a cyberespionage group that's believed to be active since 2017.
This is a post from HackRead.com Read the original post: Iran’s MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing

MuddyWater is using a fake memo from the Israeli Civil Service Commission as a lure to trick victims into downloading a RAT.

Iranian state-sponsored threat group MuddyWater is targeting Israeli entities in a spear-phishing campaign, reports cybersecurity firm Deep Instinct.

According to Deep Instinct’s treat intelligence researcher, Simon Kenin, MuddyWater is using a fake memo from the Israeli Civil Service Commission as a lure to trick victims into downloading a remote administration tool called Advanced Monitoring Agent (AMA).

This malware lets hackers remotely access their victims’ computers to steal data, disrupt their systems, and perform spying. The threat actor is targeting two Israeli entities to deploy the AMA, a legitimate remote administration tool from N-able.

The fake memo used by MuddyWater hackers (Credit: Deep Instinct)

In their blog post, researchers noted updated TTPs (techniques, tactics, and procedures) in this campaign compared to the group’s previous activities. For instance, the group has used similar attack chains in the past and focused on distributing remote access tools like ScreenConnect, Syncro, RemoteUtilities, SimplyHelp, etc.

However, in this spear-phishing campaign, MuddyWater has used a new technique called ‘eN-Able,’ which is a new type of phishing email designed to evade standard email security filters because the emails combine HTML and JavaScript and appear legitimate. These emails contain malicious code to exploit vulnerabilities in operating systems and email clients.

Another new tactic is called ‘spray and pray.’ This technique is akin to a phishing attack in which a large number of phishing emails are sent to a large number of targets. However, through the spray and pray technique, the chances of success increase dramatically, even if a fraction of the targets fall for the lure.

Furthermore, the group has used a new file-sharing service called Storyblok to launch the multi-stage infection vector containing hidden files, an LNK file that initiates the infection, and an executable to launch the malware. After the victim is compromised, the attacker connects to the infected host using the legit remote administration tool and starts reconnaissance.

In addition to these new TTPs, Deep Instinct notices that the group is leveraging a new C2 framework called Muddy2Go. Using new TTPs indicates that MuddyWater is trying to improve its modus operandi. These findings have been confirmed separately by another cybersecurity firm, Group-IB.

Campaign overview (Credit: Deep Instinct)

MuddyWater (aka Mango Sandstorm and Static Kitten) is a cyberespionage group that’s believed to be active since 2017. It represents a unit of Iran’s Ministry of Intelligence and Security (MOIS), like other groups, including Agrius, OilRig, and Scarred Manticore.

It is worth noting that this campaign is the latest in a series of targeted cyberattacks against Israeli entities by MuddyWater. In fact, since the escalation of tension between Israel and Palestine, many state-sponsored actors have become active in targeting Israel.

Recently, Hackread reported that Hamas hackers have developed a dangerous new malware dubbed BiBi-Linux to target Israeli systems. This malware can overwrite critical system files, making it impossible to boot up infected systems. The malware was distributed via spear-phishing emails designed to be from legitimate Israeli organizations.

Another spyware campaign was detected in October 2023 in which pro-Palestine hackers delivered malware to unsuspecting Israeli citizens using the rocket alert app.

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Hamas hacked the smartphones of over 100 IDF soldiers
3.  Hamas posed as women to con IDF into downloading malware
4.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
5.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
6.  Hamas hacked phones of IDF soldiers with seductive phones of women

Iran’s MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing

Reportico 7.1.21 is vulnerable to Cross Site Scripting (XSS).

Cross-site scripting (XSS) is a web application vulnerability that permits an attacker to inject code, (typically HTML or JavaScript), into the contents of an outside website. When a victim views an infected page on the website, the injected code executes in the victim’s browser. Consequently, the attacker has bypassed the browser’s same origin policy and is able to steal private information from a victim associated with the website.

Steps:

1.  Login into the Reportico-7.1 admin module
2.  Under create report in project, enter the XSS payload in title section.
3.  The payload will execute once it's saved.

Tag

#java