View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 6.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: PowerChute Serial Shutdown
Vulnerability: Improper Authentication
2. RISK EVALUATION
Successful exploitation of this vulnerability could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following versions of PowerChute Serial Shutdown are affected:
PowerChute Serial Shutdown: Versions 1.2.0.301 and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER AUTHENTICATION CWE-287
An improper authentication vulnerability exists that could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.
CVE-2024-10511 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-10511. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schneider Electric reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric recommends the following mitigations for the affected product:
PowerChute Serial Shutdown: Versions v1.2.0.301 and prior: Update to PowerChute Serial Shutdown: Version 1.3
For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric's security notification service here:
https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp
Schneider Electric strongly recommend the following industry cybersecurity best practices:
Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the "Program" mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-01 in PDF and CSAF.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
January 10, 2025: Initial Publication

Schneider Electric PowerChute Serial Shutdown

SUMMARY Cybersecurity researchers at Check Point detected a new version of Banshee Stealer in late September 2024, distributed…

**SUMMARY**

*   **Banshee Stealer targets macOS users, distributed via fake GitHub repositories and phishing sites.**

*   **The malware steals browser credentials, cryptocurrency wallets, 2FA codes, and system details.**

*   **It evades detection using Apple’s XProtect algorithm and deceptive system pop-ups.**

*   **Threat actors expanded targets by removing regional restrictions in the malware.**

*   **Source code leaked in November 2024, but risks remain with evolving cyber threats.**

Cybersecurity researchers at Check Point detected a new version of Banshee Stealer in late September 2024, distributed via phishing websites and fake GitHub repositories. According to their investigation, shared exclusively with Hackread.com this infostealer resembles popular software like Google Chrome, Telegram, and TradingView.

For your information, Banshee macOS Stealer targets macOS users and steals browser credentials, cryptocurrency wallets, and other sensitive data. It was first detected by Elastic Security Labs in August 2024 and was advertised on underground forums like XSS, Exploit, and Telegram, as a “stealer-as-a-service”. 

This newly discovered version includes a string encryption algorithm “stolen” from Apple’s own XProtect antivirus engine, which allowed it to evade detection for over two months. In addition, it doesn’t include its Russian language check, which was previously used to prevent the malware from targeting specific regions, indicating an expansion in its potential targets.

Check Point has identified multiple campaigns distributing the malware through phishing websites, although it’s unclear if they are carried out by previous customers. Threat actors utilized GitHub repositories for Banshee distribution, targeting macOS users with Banshee and Windows users with Lumma Stealer. Malicious repositories were created over three waves, appearing legitimate with stars and reviews, and luring users into downloading malware

Screenshot via CPR

Banshee Stealer can harvest data from web browsers, cryptocurrency wallets, and files with specific extensions, including stealing login credentials from web browsers like Chrome, Brave, Edge, and Vivaldi. It also targets browser extensions, specifically those for cryptocurrency wallets, potentially compromising your digital assets.

Additionally, it can capture your Two-Factor Authentication (2FA) credentials, bypassing an extra layer of security for your accounts. Furthermore, it drains off software and hardware details from your device, along with your external IP address and macOS passwords, giving attackers a complete picture of your system.

Also, Banshee Stealer utilizes deceptive pop-ups that mimic legitimate system prompts. These pop-ups can trick you into unknowingly revealing your macOS password, granting the malware administrative access to your system. The malware employs anti-analysis techniques to avoid detection by security tools.

This makes it difficult to identify its presence on your device using traditional methods. Once stolen, your data is sent to the attacker’s command-and-control servers through encrypted and encoded channels, making it challenging to track or intercept. Its source code leaked online in November 2024, leading to its shutdown. Still, it highlights how cyber threats are evolving continually. 

“Businesses must recognize the broader risks posed by modern malware, including costly data breaches that compromise sensitive information and damage reputations, targeted attacks on cryptocurrency wallets that threaten digital assets, and operational disruptions caused by stealthy malware that evades detection and inflicts long-term harm before being identified,” CPR researchers noted in the blog post.

Ms. Ngoc Bui, Cybersecurity Expert at Menlo Security, a Mountain View, Calif.-based provider of browser security commented on the latatest development stating, _“_This new Banshee Stealer variant exposes a critical gap in Mac security. While companies are increasingly adopting Apple ecosystems, the security tools haven’t kept pace. Even leading EDR solutions have limitations on Macs, leaving organizations with significant blind spots. We need a multi-layered approach to security, including more trained hunters on Mac environments._“_

1.  **Fake Google Meet Alerts Install Malware on Windows, macOS**
2.  **“HM Surf” macOS Flaw Lets Attackers Access Camera and Mic**
3.  **Hackers Could Exploit Microsoft Teams on macOS to Steal Data**
4.  **TodoSwift Malware Targets macOS, Disguised as Bitcoin PDF App**
5.  **Lazarus Group Hits macOS with RustyAttr Trojan in Fake Job PDFs**

Banshee Stealer Hits macOS Users via Fake GitHub Repositories

SUMMARY: Do Hyeong Kwon (Do Kwon), the 33-year-old co-founder and former CEO of Terraform Labs, has been extradited…

****SUMMARY:****

*   **Extradition**: Terraform Labs founder Do Kwon has been extradited from Montenegro to the United States.

*   **Fraud Charges**: Kwon faces federal charges, including fraud and money laundering, linked to the collapse of Terraform’s cryptocurrencies.

*   **Investor Losses**: The indictment alleges Kwon’s schemes caused over $40 billion in investor losses.

*   **Potential Sentence**: If convicted on all nine charges, Kwon could face up to 130 years in prison.

*   **Court Appearance**: Kwon appeared in a Manhattan court on December 31, 2024, to respond to the charges.

Do Hyeong Kwon (Do Kwon), the 33-year-old co-founder and former CEO of Terraform Labs, has been extradited from Montenegro to the United States to face federal fraud charges. 

It is worth noting that in March 2023, **Do Kwon was apprehended** at an airport in Montenegro’s capital while attempting to use falsified documents. However, Kwon arrived in the U.S. on December 31, 2024, and appeared in a Manhattan court, where a superseding indictment alleges that he engaged in multiple schemes to deceive investors and fraudulently inflate the value of Terraform’s cryptocurrencies, resulting in over $40 billion in investor losses.

The indictment accuses Kwon of orchestrating various schemes between 2018 and 2022, including making false and misleading claims about the stability and long-term benefits of Terraform’s cryptocurrency stablecoin protocol, its **use of blockchain technology**, and the development of reliable financial technologies.

Kwon allegedly manipulated Terraform products to create the illusion of a functioning, stable, and decentralized financial system while personally benefiting from the inflated value of Terraform’s cryptocurrencies.

The **indictment** (PDF) against Do Kwon outlines several specific misrepresentations regarding the Terra ecosystem. Among them are the _**Stablecoin Misrepresentation**s_, where Kwon falsely claimed the Terra Protocol could maintain TerraUSD’s (UST) value at $1, despite secretly relying on a high-frequency trading firm to artificially support its peg.

Similarly, the _**LFG Misrepresentations**_ revealed Kwon’s false assertions about the Luna Foundation Guard (LFG) being independently managed, while he actually controlled it and misappropriated hundreds of millions of its assets.

Additionally, the _**Mirror Misrepresentations**_ showed Kwon’s claims of the Mirror Protocol being decentralized were untrue, as he and Terraform Labs manipulated synthetic asset prices through trading bots.

Other notable misrepresentations include the _**Chai Misrepresentations**_, where Kwon falsely claimed Terra blockchain’s integration with Chai facilitated billions of dollars in transactions, though Chai operated via traditional financial systems.

Lastly, the _**Genesis Coin Misrepresentations**_ revealed Kwon’s misuse of $145 million worth of stablecoins, originally allocated at Terra’s launch, to fund fake Chai blockchain transactions and manipulate synthetic asset prices through trading bots. Together, these indictments allege the deceptive practices used to artificially inflate the Terra ecosystem’s credibility and value.

It is worth noting that at its peak in the spring of 2022, the total apparent market value of UST and another Terraform cryptocurrency, LUNA, exceeded $50 billion. However, in May 2022, the value of UST and LUNA crashed, resulting in over $40 billion in investor losses. Following the crash, Kwon allegedly attempted to cover up his crimes by distributing a misleading “third-party audit” report and sought to launder the proceeds of his fraud through various means.

_“_This fraud and the crash of Terraform’s cryptocurrencies… erased over $40 billion in investor assets, causing devastating losses,_“_ US Attorney Daniel M. Gitner for the Southern District of New York stated in a **press release**.

James E. Dennehy, Assistant Director in Charge of the FBI New York Field Office, described Kwon as a “puppet master” who maintained a false image of his company for years to lure investors

Kwon faces a total of nine charges, including commodities fraud, securities fraud, wire fraud, and money laundering conspiracy. If convicted on all counts, he could face a maximum penalty of 130 years in prison. The case is being investigated by the FBI, with assistance from various international and domestic agencies, as well as the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission.

1.  **DoJ seizes $1B in BTC linked to Silk Road marketplace**
2.  **NY Couple Pleads Guilty to $4.5B Bitcoin Theft in Bitfinex Hack**
3.  **Russian Extradited to US, Face Charges in Phobos Ransomware**
4.  **E-Root Market Admin Extradited to US on Computer Fraud Charge**
5.  **Dark Web Drug Lord Pleads Guilty, Forfeits $150M Cryptocurrency**

Terraform Labs Founder Do Kwon Extradited to US, Faces 130-Year Sentence

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being **Kiberphant0m**, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from **AT&T** and **Verizon**. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

One of several selfies on the Facebook page of Cameron Wagenius.

**Cameron John Wagenius** was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records.

The sparse, two-page indictment (PDF) doesn’t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius’ mother — Minnesota native **Alicia Roen** — filled in the gaps.

Roen said that prior to her son’s arrest he’d acknowledged being associated with **Connor Riley Moucka**, a.k.a. “**Judische**,” a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service **Snowflake**.

In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he’d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.

On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphantom indicating he was a U.S. Army soldier stationed in South Korea.

Ms. Roen said Cameron worked on radio signals and network communications at an Army base in South Korea for the past two years, returning to the United States periodically. She said Cameron was always good with computers, but that she had no idea he might have been involved in criminal hacking.

“I never was aware he was into hacking,” Roen said. “It was definitely a shock to me when we found this stuff out.”

Ms. Roen said Cameron joined the Army as soon as he was of age, following in his older brother’s footsteps.

“He and his brother when they were like 6 and 7 years old would ask for MREs from other countries,” she recalled, referring to military-issued “meals ready to eat” food rations. “They both always wanted to be in the Army. I’m not sure where things went wrong.”

Immediately after news broke of Moucka’s arrest, Kiberphant0m posted on the hacker community **BreachForums** what they claimed were the AT&T call logs for **President-elect** **Donald J. Trump** and for **Vice President Kamala Harris**.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”

Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.

On that same day, Kiberphant0m posted what they claimed was the “data schema” from the **U.S. National Security Agency**.

On Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

The profile photo on Wagenius’ Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a likely U.S. Army soldier. Still, many of his original profile photos remain, including several that show Wagenius in uniform while holding various Army-issued weapons.

Several profile photos visible on the Facebook page of Cameron Wagenius.

November’s story on Kiberphant0m cited his own Telegram messages saying he maintained a large botnet that was used for distributed denial-of-service (DDoS) attacks to knock websites, users and networks offline. In 2023, Kiberphant0m sold remote access credentials for a major U.S. defense contractor.

**Allison Nixon,** chief research officer at the New York-based cybersecurity firm Unit 221B, helped track down Kiberphant0m’s real life identity. Nixon was among several security researchers who faced harassment and specific threats of violence from Judische and his associates.

“Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals,” Nixon told KrebsOnSecurity. She said the investigation into Kiberphant0m shows that law enforcement is getting better and faster at going after cybercriminals — especially those who are actually living in the United States.

“Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,” she said.

Nixon asked to share a message for all the other Kiberphant0ms out there who think they can’t be found and arrested.

“I know that young people involved in cybercrime will read these articles,” Nixon said. “You need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.”

The indictment against Wagenius was filed in Texas, but the case has been transferred to the U.S. District Court for the Western District of Washington in Seattle.

U.S. Army Soldier Arrested in AT&T, Verizon Extortions

SUMMARY A sophisticated attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to…

****SUMMARY****

*   **Large-Scale Breach**: Over 16 Chrome extensions were compromised, exposing 600,000+ users to data and credential theft.

*   **Phishing Attack**: Developers were tricked into granting access to a malicious OAuth app via fake Chrome Web Store emails.

*   **Cyberhaven Impact**: Attackers used admin credentials to deploy a malicious update stealing sensitive user data.

*   **Widespread Impact**: Many extensions across categories are linked to the same malicious infrastructure.

*   **Response & Recommendations**: Revoke credentials, monitor logs, and secure extensions; investigations continue.

A sophisticated attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to data theft and credential theft. The attack targeted extension publishers through phishing emails that mimicked official communications from the Chrome Web Store.

These emails, designed to create a sense of urgency, tricked developers into granting malicious applications access to their accounts. This allowed attackers to inject malicious code into legitimate extensions.

The recipient was directed to accept the policies by clicking a link, which then led them to a page for granting permissions to a malicious OAuth application called “Privacy Policy Extension.

Cyberhaven, a cybersecurity firm specializing in data loss prevention, was among the impacted firms and the first to publicly disclose its compromise. The attack occurred on December 24 and involved phishing a company employee to gain access to their Chrome Web Store admin credentials. 

According to Cyberhaven, the attackers compromised the “single admin account for the Google Chrome Store” and managed to publish a malicious update to their popular Chrome extension. This update, deployed on Christmas Day, was designed to steal sensitive user data, including passwords, session tokens, Facebook account credentials, and cookies.

The malicious extension, version 24.10.4, remained active for over 31 hours before being detected and removed from the Chrome Web Store. “Our security team detected this compromise at 11:54 PM UTC on December 25 and removed the malicious package within 60 minutes,” the company’s disclosure read.

Cyberhaven immediately released a legitimate update (version 24.10.5), hired Mandiant to develop an incident response plan and also notified federal law enforcement agencies for investigation. The company has confirmed that its systems, including CI/CD processes and code signing keys, were not compromised.

In an email sent to its customers, Cyberhaven has advised users to revoke and rotate passwords and text-based credentials, such as API tokens, and review their logs for malicious activity. This is due to the potential for stolen session tokens and cookies to bypass security measures, allowing hackers to access logged-in accounts without a password or two-factor code. However, the company has not disclosed the method of the breach or the corporate security policies that allowed the account compromise. 

Following the Cyberhaven breach, security researchers discovered numerous other compromised extensions exhibiting similar malicious behaviour. These extensions, spanning various categories including AI assistants, VPNs, and productivity tools, were found to be communicating with the same command-and-control servers.

> Regarding the Cyberhaven chrome extension compromise I have reasons to believe there are other extensions affected. Pivoting by the ip address there are more domains created within the same time range resolving to the same ip address as cyberhavenextpro (cont)
> 
> — Jaime Blasco (@jaimeblascob) December 27, 2024

Other extensions found to have been compromised, according to Secure Annex, a browser extension security platform, include the following:

Name

ID

VPNCity

nnpnnpemnckcfdebeekibpiijlicmpom

Parrot Talks

kkodiihpgodmdankclfibbiphjkfdenh

Uvoice

oaikpkmjciadfpddlpjjdapglcihgdle

Internxt VPN

dpggmcodlahmljkhlmpgpdcffdaoccni

Bookmark Favicon Changer

acmfnomgphggonodopogfbmkneepfgnh

Castorus

mnhffkhmpnefgklngfmlndmkimimbphc

Wayin AI

cedgndijpacnfbdggppddacngjfdkaca

Search Copilot AI Assistant for Chrome

bbdnohkpnbkdkmnkddobeafboooinpla

VidHelper – Video Downloader

egmennebgadmncfjafcemlecimkepcle

AI Assistant – ChatGPT and Gemini for Chrome

bibjgkidgpfbblifamdlkdlhgihmfohh

Vidnoz Flex – Video recorder & Video share

cplhlgabfijoiabgkigdafklbhhdkahj

TinaMind – The GPT-4o-powered AI Assistant!

befflofjcniongenjmbkgkoljhgliihe

Bard AI chat

pkgciiiancapdlpcbppfkmeaieppikkk

Reader Mode

llimhhconnjiflfimocjggfjdlmlhblm

Primus (prev. PADO)

oeiomhmbaapihbilkfkhmlajkeegnjhe

Tackker – online keylogger tool

ekpkdmohpdnebfedjjfklhpefgpgaaji

AI Shop Buddy

epikoohpebngmakjinphfiagogjcnddm

Sort by Oldest

miglaibdlgminlepgeifekifakochlka

Rewards Search Automator

eanofdhdfbcalhflpbdipkjjkoimeeod

Earny – Up to 20% Cash Back

ogbhbgkiojdollpjbhbamafmedkeockb

ChatGPT Assistant – Smart Search

bgejafhieobnfpjlpcjjggoboebonfcg

Keyboard History Recorder

igbodamhgjohafcenbcljfegbipdfjpk

Email Hunter

mbindhfolmpijhodmgkloeeppmkhpmhc

Visual Effects for Google Meet

hodiladlefdpcbemnbbcpclbmknkiaem

Cyberhaven security extension V3

pajkjnmeojmbapicmbpliphjmcekeaac

This means that it is a well-thought-after large-scale attack. Security researchers are still searching for more exposed extensions, but the sophistication and scope of the attack have increased the importance for organizations to secure their browser extensions. The identity of the attacker remains unclear.

1.  **Fake ChatGPT Extension Hijacks Facebook Accounts**
2.  **Chrome Extensions Harboring Dormant Colors Malware**
3.  **EmailGPT Flaw Puts User Data at Risk: Remove the Extension NOW**
4.  **Fake Ads Manager Malicious Extensions Target Facebook Accounts**
5.  **Ad-blocker Chrome extension AllBlock injected ads in Google searches**

16 Chrome Extensions Hacked in Large-Scale Credential Theft Scheme

An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.

**TCPDF has incorrect comparison**

Moderate severity GitHub Reviewed Published Dec 27, 2024 to the GitHub Advisory Database • Updated Dec 27, 2024

GHSA-w95c-7994-ghpr: TCPDF has incorrect comparison

An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.

**TCPDF missing character escape on error messages**

Moderate severity GitHub Reviewed Published Dec 27, 2024 to the GitHub Advisory Database • Updated Dec 27, 2024

GHSA-qx95-cwh6-9mvq: TCPDF missing character escape on error messages

An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-9mgx-552f-59p6: TCPDF missing certificate validation

An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.

GHSA-4p8j-vhjm-6pvw: TCPDF lacks SVG sanitization

An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.

**tecnickcom/tc-lib-pdf-font mishandles fonts**

Moderate severity GitHub Reviewed Published Dec 27, 2024 to the GitHub Advisory Database • Updated Dec 27, 2024

Tag

#pdf