In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

Real Player 'external::Import()' Arbitrary file download, Directory Traversal Vulnerabilities leads to Remote Code Execution

video demo: https://youtu.be/CONlijEgDLc

Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special mean which is application specific:

The 'external' object and it exposes several custom methods and properties.

The 'Import()' method is handled in unsafe way regarding the 'Copy to My Music' parameter, which allows for arbitrary file types downloading which could be unsafe as only audio/image/video types should be allowed to download to the user´s disk. Additionally it does not properly sanitize file paths allowing planting of arbitrary files on arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user closes the dialog box. Additionally when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait until reboot (true when file is planted in 'startup' folder).

The attacker needs to host the files to be copied/downloaded in an SMB or WebDav share. The directory 'appdata' must be placed in the share´s root.

Also a DOS condition in 'external.PreloadURL()' helps so that the files are not deleted by Real Player

The PoC will drop 'shdoclc.dll' (has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes) to the user´s 'windowsapps' folder and 'write.exe' to 'startup' folder, so it works universally (any Windows version from at least XP up to 11)

tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309

CVE-2022-32270: GitHub - Edubr2020/RP_Import_RCE

StarWind SAN and NAS v0.2 build 1914 allow remote code execution.

**Title:** CVE-2022-32268 Remote code execution in StarWind products

**Note:** StarWind will continue to update this vulnerability as new information becomes available.

**Vulnerability ID:** SW-20220531-0001

**Version:** 1.0

**Date:** 2022-05-31

**Status:** Final

*   Overview
*   Affected Products
*   Remediation
*   Revision History

****Summary****

REST command which allows changing hostname doesn’t check a new hostname parameter. It goes directly to bash as part of a script.

****Impact** **

The attacker can inject arbitrary data into the command that will be executed with root privileges.

****Vulnerability Scoring****

CVE

CVSS 2.0 Score

CVSS 3.x Score

CVE-2022-32268

**Vector****References**

Resource

Hyperlink

NVD

****Affected Products:****

StarWind SAN and NAS v0.2 build 1914

**Not affected products:**

StarWind VSAN for Hyper-V (all versions)

StarWind VSAN for vSphere (all versions)

StarWind SA (any setup)

StarWind VTLA (any setup)

StarWind VTL component (all versions)

StarWind V2V (all versions)

StarWind Tape Redirector component (all versions)

StarWind Deduplication Analyzer (all versions)

StarWind rPerf (all versions)

StarWind iSCSI Accelerator (all versions)

****Software Versions and Fixes****

StarWind SAN and NAS v0.2 build 1914

****Workaround****

Update StarWind SAN and NAS to the v1.2 build 2481 or higher

****Obtaining Software Fixes** **

Software updates will be available in StarWind release notes – https://www.starwindsoftware.com/release-notes-build. To update the software, perform the steps described at the following link  – https://knowledgebase.starwindsoftware.com/guidance/upgrading-from-any-starwind-version-to-any-starwind-version/ or contact support to perform an update. You can submit a support request using the following link https://www.starwindsoftware.com/support-form or contact Support directly via email support@starwind.com or via phone +1 617 829 4499.

****Status of Notice****

**Final**

StarWind will continue to update information regarding this vulnerability as new details become available.

This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by StarWind Software.

**Revision History** 

Revision #

Date

Comments

1.0

2022-05-31

Initial Public Release and Final Status

CVE-2022-32268: CVE-2022-32268 Remote code execution in StarWind products

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.
The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134.
"Atlassian has been made aware of current active exploitation of a

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.

The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.

"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it said in an advisory.

"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available.

Confluence Server version 7.18.0 is known to have been exploited in the wild, although Confluence Server and Data Center versions 7.4.0 and later are potentially vulnerable.

In the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling Confluence Server and Data Center instances altogether.

Volexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.

The attack chain involved leveraging the Atlassian zero-day exploit — a command injection vulnerability — to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.

"Behinder provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike," the researchers said. "At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out."

Subsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including China Chopper and a custom file upload shell to exfiltrate arbitrary files to a remote server.

The development comes less than a year after another critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity said. "Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially exposing the server to RCE.

**Command injection in google-it**

High severity GitHub Reviewed Published Jun 3, 2022 • Updated Jun 3, 2022

GHSA-7xhv-mpjw-422f: Command injection in google-it

A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL.

**Server-Side Template Injection in formio**

Moderate severity GitHub Reviewed Published Jun 3, 2022 • Updated Jun 3, 2022

GHSA-52vj-mr2j-f8jh: Server-Side Template Injection in formio

A CWE-20: Improper Input Validation vulnerability exists that could cause potential remote code execution when an attacker is able to intercept and modify a request on the same network or has configuration access to an ION device on the network. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

Schneider Electric is aware of a vulnerability in its PowerLogic ION Setup product. The PowerLogic ION Setup product is an engineering tool for configuration and maintenance of PowerLogic metering devices. Failure to apply the remediations provided below may risk remote code execution, which could result in a compromise of the engineering workstation running the ION Setup software.

Date : 06/05/2022 Type : Security and Safety Notice  

Languages : English Latest Version : 1.0

Reference : SEVD-2022-130-01

Date : 06/05/2022 Type : Security and Safety Notice Languages : English Latest Version : 1.0 Reference : SEVD-2022-130-01

CVE-2022-30232: Security Notification - PowerLogic ION Setup | Schneider Electric

Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

CVE-2022-1982: Security Updates

NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.

**NETSCOUT Security**

**CVE-2021-45981**

CVE

Title

Version

Severity

CVE-2021-45981

XML External Entity (XXE)

6.3.2

Base

**Summary**

NETSCOUT Systems in nGeniusONE version 6.3.2 build 904 allows XML External Entity (XXE) attacks. Attack complexity is high. Privileges required none. User interaction required and scope is unchanged.

NetScout Systems would like to acknowledge Lukasz Plonka for reporting CVE-2021-45981 to techsupport@netscout.com

   
**Fixed Software**

Customers should install patch 6.3.2 P12 to eliminate this vulnerability. The patch is available on My NETSCOUT account page or may be obtained by contacting NETSCOUT support at 1-800-708-4784. Please note all future versions include this fix.

techsupport@netscout.com

**CVE-2021-45982**

CVE

Title

Version

Severity

CVE-2021-45982

Arbitrary File Upload

6.3.2

Base

**Summary**

NETSCOUT Systems in nGeniusONE version 6.3.2 build 904 allows an Arbitrary File Upload vulnerability. Attack complexity is high. Privileges required low. User interaction required and scope is unchanged.

NetScout Systems would like to acknowledge Lukasz Plonka for reporting CVE-2021-45982 to techsupport@netscout.com

   
**Fixed Software**

Customers should install patch 6.3.2 P10  to eliminate this vulnerability. The patch is available on My NETSCOUT account page or may be obtained by contacting NETSCOUT support at 1-800-708-4784. Please note all future versions include this fix.

techsupport@netscout.com

**CVE-2021-45983**

CVE

Title

Version

Severity

CVE-2021-45983

Java RMI Remote Code Execution

6.3.2

Base

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.2 build 904 allows Java RMI Code Execution attacks. Attack complexity is high. Privileges required none. User interaction required and scope is unchanged.

NetScout Systems would like to acknowledge Lukasz Plonka for reporting CVE-2021-45982 to techsupport@netscout.com

   
**Fixed Software**

Customers should install 6.3.2 P12 to eliminate this vulnerability. The patch is available on My NETSCOUT account page or may be obtained by contacting NETSCOUT support at 1-800-708-4784. Please note all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35205**

CVE

Title

Severity

Published

Updated

CVE-2021-35205

Open Redirection

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows URL redirection in redirector. The Attack complexity is low, and the privileges required are also low. User Interaction required, and Scope is unchanged

  **Fixed Software**

Customers should request a patch 6.3.2 FCS B426 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35204**

CVE

Title

Severity

Published

Updated

CVE-2021-35204

Cross-Site Scripting (XSS)

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows Reflected Cross-Site Scripting (XSS) in the support endpoint. Attack Complexity required is low. Privileges required are low and User Interaction required, and Scope is unchanged. The victim has to click on the provided URL.

**Fixed Software**

Customers should request a patch 6.3.0 P6 B1413 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35203**

CVE

Title

Severity

Published

Updated

CVE-2021-35203

Incorrect Access Control

Medium

09/30/2021

10/04/2021

**Summary** 

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint. The attacker needs to send a specially crafted request with a parameter with the file name to read. The Attack Complexity is low, and the privileges required are low. User Interaction is required, and Scope is unchanged

**Fixed Software**

 Customers should request a patch 6.3.0 P6 B1413 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784. Please note that all future versions include this fix.

 techsupport@netscout.com

**CVE-2021-35202**

CVE

Title

Severity

Published

Updated

CVE-2021-35202

Insecure Permissions

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows Authorization Bypass (to access an endpoint) in FDSQueryService. Attack Complexity is Low. The attacker can reach endpoints that are restricted. User Interaction is required, and Scope is unchanged

  **Fixed Software**

Customers should request a patch 6.3.0 P6 B1413 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35201**

CVE

Title

Severity

Published

Updated

CVE-2021-35201

XML External Entity (XXE)

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems NEI in nGeniusONE version 6.3.0 build 1196 allows XML External Entity (XXE) attacks. Attack Complexity is High, Privileges Required None, User Interaction Required and Scope is unchanged.

**Fixed Software**

Customers should request a patch 6.3.0 P4 B1406 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35200**

CVE

Title

Severity

Published

Updated

CVE-2021-35200

Stored Cross-Site Scripting (XSS)

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 has stored cross-site scripting in FDSQueryService vulnerability that a high-privileged user can exploit. This would require a user with high privileges. Attack complexity is High, and the Scope is Unchanged

**Fixed Software**

Customers should request a patch 6.3.0 P5 B1411 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35199**

CVE

Title

Severity

Published

Updated

CVE-2021-35199

Stored Cross-Site Scripting (XSS) in UploadFile

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 and earlier has stored cross-site scripting in Packet Analysis module Upload File vulnerability that a normal user can exploit. This requires a little crypto knowledge to exploit. The vulnerability exists in upload functionality.

**Fixed Software**

Customers should request a patch 6.3.0 P5 B1411 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35198**

CVE

Title

Severity

Published

Updated

CVE-2021-35198

Stored Cross-Site Scripting (XSS) in the Packet Analysis module

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1004, and earlier has a stored cross-site scripting vulnerability that a normal user can exploit. The user would need to visit a certain functionality in the packet module for the Stored XSS to get executed.

**Fixed Software**

Customers should request a patch 6.3.0 P5 B1411 to eliminate this vulnerability. This is available on the My NETSCOUT or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix

techsupport@netscout.com

**CVE-2020-28251**

CVE

Title

Severity

Published

Updated

CVE-2020-28251

Escalated Privileges Vulnerability on AirMagnet Enterprise Sensors

High

2020 December 03

2020 December 07

NETSCOUT Systems AirMagnet Enterprise version 11.1.4 build 37257 and earlier has a sensor escalated privileges vulnerability that can be exploited to provide someone with administrative access to a sensor, with credentials to invoke a command to provide root access to the operating system. The attacker must complete a straightforward password-cracking exercise.

The affected product models are:

*   SENSOR6-R1S0W1-E
*   SENSOR6-R2S1-E
*   SENSOR6-R2S1-I
*   SENSOR4-R1S1W1-E
*   SENSOR4-R2S1-E
*   SENSOR4-R2S1-I

A software upgrade to AirMagnet Enterprise version 11.1.4 build 37271 to eliminate this vulnerability is available on My NETSCOUT accounts on the AirMagnet Enterprise Downloads page or may be obtained by contacting AirMagnet support at 1-800-708-4784.

  techsupport@netscout.com

CVE-2021-45981: Security Advisories | NETSCOUT

Couchbase Server before 7.1.0 has Incorrect Access Control.

CVE-2021-33504: Alerts | Couchbase

Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.

**Bonita Web****Requirements**

This project bundles the Maven Wrapper, so the mvnw script is available at the project root.

**Dependencies**

The project depends on bonita-engine artifacts so if you want to build a branch in a SNAPSHOT version, you must build the bonita-engine first (install artifacts in your local repository).

If you build a tag, you don't need to build the bonita-engine as its artifacts are available on Maven Central.

**Contribution**

I you want to contribute, ask questions about the project, report bug, see the contributing guide.

**Build the project**

At root level (same location as the parent pom.xml) :

**Execution in hosted mode**

In server module, to build and launch a tomcat hosting the app :

    ./mvnw clean verify org.codehaus.cargo:cargo-maven2-plugin:run -DskipTests
    

H2 database is created (if it does not already exist) in ${user.home}/bonita/community/database When you checkout a different branch you need to clean this directory because the database schema may have changed.

Hot reload is not supported, but when you update a class in portal/, server/ or common/ in your IDE all you need to do is to restart the tomcat with the previous command (classes will be retrieved from the projects target/classes directory)

**Structure****Parent pom.xml**

Contains the common maven configuration such as:

*   the definition of all the dependencies version, e.g., junit.version, bonita.engine.version, gwt.version, ...
*   the maven repositories

**common module**

Contains the back-end business logic, i.e., the code executed on the server side. But also contains shared code between back end and front (e.g. model) and the implement of the REST API.

**test-toolkit**

Contains integration tests utils

**server module**

Contains the server side code of portal

Tag

#rce