Academy LMS version 6.2 suffers from a cross site scripting vulnerability.

    # Exploit Title: Academy LMS 6.2 - Reflected XSS# Exploit Author: CraCkEr# Date: 29/08/2023# Vendor: Creativeitem# Vendor Homepage: https://creativeitem.com/# Software Link: https://demo.creativeitem.com/academy/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4973# CWE: CWE-79 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /academy/tutor/filterGET parameter 'searched_word' is vulnerable to XSSGET parameter 'searched_tution_class_type[]' is vulnerable to XSSGET parameter 'searched_price_type[]' is vulnerable to XSSGET parameter 'searched_duration[]' is vulnerable to XSShttps://website/academy/tutor/filter?searched_word=[XSS]&searched_tution_class_type%5B%5D=[XSS]&price_min=1&price_max=9&searched_price_type%5B%5D=[XSS]&searched_duration%5B%5D=[XSS]XSS Payload:acoa5"><script>alert(1)</script>dyzs0[-] Done

Academy LMS 6.2 Cross Site Scripting

Ubuntu Security Notice 6371-1 - It was discovered that libssh2 incorrectly handled memory access. An attacker could possibly use this issue to cause a crash.

==========================================================================  
Ubuntu Security Notice USN-6371-1  
September 14, 2023

libssh2 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

libssh2 could be made to crash if it received specially  
crafted network traffic.

Software Description:  
- libssh2: Client-side C library implementing the SSH2 protocol

Details:

It was discovered that libssh2 incorrectly handled memory  
access. An attacker could possibly use this issue to cause  
a crash.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   libssh2-1                       1.8.0-2.1ubuntu0.1

Ubuntu 18.04 LTS:  
   libssh2-1                       1.8.0-1ubuntu0.1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libssh2-1                       1.5.0-2ubuntu0.1+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   libssh2-1                       1.4.3-2ubuntu0.2+esm3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6371-1  
   CVE-2020-22218

Package Information:  
   https://launchpad.net/ubuntu/+source/libssh2/1.8.0-2.1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/libssh2/1.8.0-1ubuntu0.1

Ubuntu Security Notice USN-6371-1

A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configuration tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via the key name field while adding an authorized key.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-41160: Usermin-2.001/CVE-2023-41160 at main · shindeanik/Usermin-2.001

Acrobat Reader versions 23.003.20284 (and earlier), 20.005.30516 (and earlier) and 20.005.30514 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB23-34  

**Bulletin ID**

**Date Published**

**Priority**

APSB23-34  

September 12, 2023

1

**Summary**

Adobe has released a security update for Adobe Acrobat and Reader for Windows and macOS. This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary code execution . 

Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader.      

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

23.003.20284 and earlier versions  

Windows &  macOS

Acrobat Reader DC

Continuous 

23.003.20284 and earlier versions  

Windows & macOS

Acrobat 2020  

Classic 2020             

20.005.30516 (Mac) 

20.005.30514 (Win)

and earlier versions  

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.005.30516 (Mac)

20.005.30514 (Win)

and earlier versions  

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.  

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

23.006.20320  

Windows and macOS

1

Release Notes     

Acrobat Reader DC

Continuous

23.006.20320  

Windows and macOS

1

Release Notes     

Acrobat 2020  

Classic 2020             

20.005.30524  

Windows  and macOS    

1

Release Notes     

Acrobat Reader 2020  

Classic 2020   

20.005.30524  

Windows  and macOS   

1

Release Notes   

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26369  

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.  

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-26369: Adobe Security Bulletin

Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0.



CVE-2023-37875: Wing FTP Server History

Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader | APSB19-55

**Bulletin ID**

**Date Published**

**Priority**

APSB19-55

December 10, 2019

2

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and  important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Number**

Out-of-Bounds Read  

Information Disclosure  

Important   

CVE-2019-16449  

CVE-2019-16456

CVE-2019-16457

CVE-2019-16458

CVE-2019-16461

CVE-2019-16465

Out-of-Bounds Write 

Arbitrary Code Execution   

Critical

CVE-2019-16450

CVE-2019-16454

Use After Free   

Arbitrary Code Execution     

Critical

CVE-2019-16445

CVE-2019-16448

CVE-2019-16452

CVE-2019-16459

CVE-2019-16464

CVE-2019-16471  

Heap Overflow 

Arbitrary Code Execution     

Critical

CVE-2019-16451

Buffer Error

Arbitrary Code Execution     

Critical

CVE-2019-16462

CVE-2019-16470  

Untrusted Pointer Dereference

Arbitrary Code Execution 

Critical

CVE-2019-16446

CVE-2019-16455

CVE-2019-16460

CVE-2019-16463

Binary Planting (default folder privilege escalation) 

Privilege Escalation

Important 

CVE-2019-16444

Security Bypass

Arbitrary Code Execution

Critical

CVE-2019-16453

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

*   Mateusz Jurczyk of Google Project Zero & Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-16451)
*   Honc (章哲瑜) (CVE-2019-16444) 
*   Ke Liu of Tencent Security Xuanwu Lab. (CVE-2019-16445, CVE-2019-16449, CVE-2019-16450, CVE-2019-16454, CVE-2019-16471)
*   Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University (CVE-2019-16446, CVE-2019-16448) 
*   Aleksandar Nikolic of Cisco Talos (CVE-2019-16463)
*   Technical support team of HTBLA Leonding (CVE-2019-16453) 
*   Haikuo Xie of Baidu Security Lab (CVE-2019-16461)
*   Bit of STAR Labs (CVE-2019-16452) 
*   Xinyu Wan and Yiwei Zhang from Renmin University of China (CVE-2019-16455, CVE-2019-16460, CVE-2019-16462)
*   Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-16456) 
*   Zhibin Zhang of Palo Alto Networks (CVE-2019-16457)
*   Qi Deng, Ken Hsu of Palo Alto Networks (CVE-2019-16458) 
*   Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-16459)
*   Yue Guan, Haozhe Zhang of Palo Alto Networks (CVE-2019-16464) 
*   Hui Gao of Palo Alto networks (CVE-2019-16465)
*   Zhibin Zhang, Yue Guan of Palo Alto Networks (CVE-2019-16465)
*   Zhangqing and Zhiyuan Wang from cdsrc of Qihoo 360 (CVE-2019-16470)

March 26, 2020: Added acknowledgement for CVE-2019-16471, CVE-2019-16470

.

CVE-2019-16470: Adobe Security Bulletin

By Deeba Ahmed
FortiGuard Discovers Phishing Campaign Distributing New Agent Tesla Variant to Windows Devices.
This is a post from HackRead.com Read the original post: New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs

The new Agent Tesla variant exploits CVE-2017-11882/CVE-2018-0802 vulnerability to execute the malware. 

**Key Findings**

*   **A new variant of the Agent Tesla malware family is being used in a phishing campaign.**

*   **The malware can steal credentials, keylogging data, and active screenshots from the victim’s device.**

*   **The malware is spread through a malicious MS Excel attachment in phishing emails.**

*   **The malware exploits an old security vulnerability (CVE-2017-11882/CVE-2018-0802) to infect Windows devices.**

*   **The malware ensures persistence even when the device is restarted or the malware process is killed.**

**New Agent Tesla Variant Detected in Malicious Phishing Campaign**

FortiGuard Labs threat researchers have detected a new variant of the notorious Agent Tesla malware family used in a phishing campaign. Report author Xiaopeng Zhang revealed that the malware can steal “credentials, keylogging data, and active screenshots” from the victim’s device. Stolen data is transferred to the malware operator through email or SMTP protocol. The malware mainly infects Windows devices.

For your information, Agent Tesla malware is also offered as a Malware-as-a-Service tool. The malware variants use a data stealer and .NET-based RAT (remote access trojan) for initial access.

**How Phishers Trap Users?**

This is a phishing campaign, so initial access is gained through a phishing email designed to trick users into downloading the malware. The email is a Purchase Order notification that asks the recipient to confirm their order from an industrial equipment supplier.

The email contains a malicious MS Excel attachment titled Order 45232429.xls. This document is in OLE format and contains crafted equation data that exploits an old security RCE vulnerability tracked as CVE-2017-11882/CVE-2018-0802 instead of using a VBS macro.

This vulnerability causes memory corruption in the EQNEDT32.EXE process and allows arbitrary code execution through ProcessHollowing method, in which a hacker replaces the executable file’s code with malicious code.

A shellcode download/execute the Agent Tesla file (dasHost.exe) from this link “hxxp://2395.128.195/3355/chromium.exe” onto the targeted device. It is a .NET program protected by IntelliLock and .NET Reactor. Relevant modules are encrypted/encoded in the Resource section to prevent its core module from detection and analysis.

It is worth noting that Microsoft released fixes for this vulnerability in November 2017 and January 2018. However, it is still being exploited by threat actors indicating the presence of unpatched devices. Per FortiGuard research, they observe around 1300 vulnerable devices daily and mitigate 3,000 attacks at the IPS level per day.

The phishing email and the ShellCode identified by the researchers (Screenshots: FortiGuard Labs)

**Analysis of Agent Tesla Activities**

According to FortiGuard Labs’ report, published on 5 Sep 2023, Agent Tesla variant steals stored credentials from web browsers, email clients, FTP clients, etc. There is a long list of targeted software and email clients available here.

The malware sets a keyboard hook through the API SetWindowsHookEx() to monitor low-level keyboard inputs and calls the callback hook procedure “this.EiqpViCm9()” whenever the victim types something on the device. The malware steals the program title, time, and input contents at regular intervals. A Timer calls a method to check the log.tmp file every 20 seconds and sends the info to the attacker via STMP. Moreover, the malware uses another Timer with a 20-minute interval to check for device activities and determine when to capture screenshots.

**How does Agent Tesla maintain persistence?**

Agent Tesla malware ensures persistence even when the device is restarted, or the malware process is killed, using two methods. It either executes a command for creating a task in the TaskScheuler system in the payload module or adds an auto-run item in the system registry. These methods allow duplication of dasHost.exe to launch automatically when the system restarts.

**Protection against such campaigns**

**Be suspicious of any email that asks for your personal or financial information:** Phishing emails often try to trick you into giving up your passwords, credit card numbers, or other sensitive information. Never click on links or open attachments in emails from senders you don’t know or trust.

**Keep your software up to date**: Software updates often include security patches that can help protect you from malware. Make sure to install security updates as soon as they are available.

**Use a strong antivirus and anti-malware program**: Antivirus and anti-malware programs can help detect and remove malware from your computer. Keep your antivirus and anti-malware programs up to date and scan your computer regularly.

**Be careful what you click on**: Phishing emails often contain links that lead to malicious websites. If you click on a link in an email, make sure to check the URL carefully before visiting the website.

**Use a spam filter**: A spam filter can help reduce the number of phishing emails that you receive.

**Educate yourself about phishing**: The more you know about phishing, the better you will be able to spot it. Read up on phishing scams and how to protect yourself.

1.  Hackers leak logins of vulnerable Fortinet SSL VPNs
2.  Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
3.  Smoke Loader Drops Location Tracker Whiffy Recon Malware
4.  Luna Grabber Malware Hits Roblox Devs Using npm Packages
5.  Chae$4 Malware Steals Login, Financial Data from Businesses
6.  Adobe ColdFusion Vulnerabilities Exploited to Deploy Malware

New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Path traversal vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available  for Adobe Acrobat and Reader | APSB21-51

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

CVSS base score   

**CVSS vector**  

**CVE Number**

Out-of-bounds Read 

(CWE-125)   

Memory leak

Important  

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-35988

CVE-2021-35987  

Path Traversal

(CWE-22)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-35980

CVE-2021-28644  

Use After Free

(CWE-416)  

Arbitrary code execution   

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28640  

Type Confusion

(CWE-843)  

Arbitrary code execution   

Critical  

7.8   

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28643  

Use After Free

(CWE-416)  

Arbitrary code execution   

Critical  

8.8  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-28641

CVE-2021-28639  

Out-of-bounds Write

(CWE-787)  

Arbitrary file system write  

Critical  

8.8  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-28642  

Out-of-bounds Read

(CWE-125)  

Memory leak  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28637  

Type Confusion

(CWE-843)  

Arbitrary file system read  

Important  

4.3  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-35986  

Heap-based Buffer Overflow

(CWE-122)  

Arbitrary code execution   

Critical  

8.8  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-28638  

NULL Pointer Dereference

(CWE-476)  

Application denial-of-service  

Important  

5.5  

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H  

CVE-2021-35985

CVE-2021-35984  

Uncontrolled Search Path Element

(CWE-427)  

Arbitrary code execution   

Critical  

7.3  

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28636  

OS Command Injection

(CWE-78)  

Arbitrary code execution   

Critical  

8.2  

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H  

CVE-2021-28634  

Use After Free 

(CWE-416)

Arbitrary code execution   

Critical  

7.8   

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   

CVE-2021-35983

CVE-2021-35981

CVE-2021-28635

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Nipun Gupta , Ashfaq Ansari and Krishnakant Patil - CloudFuzz working with Trend Micro Zero Day Initiative (CVE-2021-35983) 
*   Xu Peng from UCAS and Wang Yanhao from QiAnXin Technology Research Institute working with Trend Micro Zero Day Initiative (CVE-2021-35981, CVE-2021-28638)
*   Habooblabs (CVE-2021-35980, CVE-2021-28644, CVE-2021-35988, CVE-2021-35987, CVE-2021-28642, CVE-2021-28641, CVE-2021-35985, CVE-2021-35984, CVE-2021-28637)
*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-28643, CVE-2021-35986)
*   o0xmuhe (CVE-2021-28640)
*   Kc Udonsi (@glitchnsec) of Trend Micro Security Research working with Trend Micro Zero Day Initiative (CVE-2021-28639)
*   Noah (howsubtle) (CVE-2021-28634)
*   xu peng (xupeng\_1231) (CVE-2021-28635)
*   Xavier Invers Fornells (m4gn3t1k) (CVE-2021-28636)

July 14, 2021: Updated acknowledgement details for CVE-2021-28640.

July 15, 2021: Updated acknowledgement details for CVE-2021-35981.  

July 29, 2021: Updated the CVSS base score and the CVSS vector for CVE-2021-28640, CVE-2021-28637, CVE-2021-28636.  
July 29, 2021: Updated the Vulnerability Impact, Severity, CVSS base score and the CVSS vector for CVE-2021-35988, CVE-2021-35987, CVE-2021-35987, CVE-2021-28644

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-28644: Adobe Security Bulletin

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader | APSB21-55

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.  

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

CVSS base score   

**CVSS vector**  

**CVE Number**

Type Confusion (CWE-843)

Arbitrary code execution

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-39841

Heap-based Buffer Overflow

(CWE-122)

Arbitrary code execution

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-39863

Information Exposure

(CWE-200)

Arbitrary file system read

Moderate

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2021-39857

CVE-2021-39856

CVE-2021-39855

Out-of-bounds Read

(CWE-125)

Memory leak

Critical   

7.7

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:H

CVE-2021-39844

Out-of-bounds Read

(CWE-125)

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2021-39861

Out-of-bounds Read

(CWE-125)

Arbitrary file system read

Moderate

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-39858

Out-of-bounds Write

(CWE-787)

Memory leak

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-39843

Stack-based Buffer Overflow 

(CWE-121)

Arbitrary code execution

Critical   

6.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

CVE-2021-39846

CVE-2021-39845

Uncontrolled Search Path Element

(CWE-427)

Arbitrary code execution

Important 

7.3

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2021-35982

Use After Free

(CWE-416)

Arbitrary code execution

Important

4.4

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE-2021-39859

Use After Free

(CWE-416)

Arbitrary code execution

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-39840

CVE-2021-39842

CVE-2021-39839

CVE-2021-39838

CVE-2021-39837

CVE-2021-39836

NULL Pointer Dereference (CWE-476)

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2021-39860

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

CVE-2021-39852

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Important

5.5

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-39854

CVE-2021-39853

CVE-2021-39850

CVE-2021-39849

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

 CVE-2021-39851

Use After Free

(CWE-416)

Arbitrary code execution  

Critical     

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-40725

Use After Free

(CWE-416)

Arbitrary code execution  

Critical     

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-40726  

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day Initiative (CVE-2021-39841, CVE-2021-39836, CVE-2021-39837, CVE-2021-39838, CVE-2021-39839, CVE-2021-39840, CVE-2021-40725, CVE-2021-40726)
*   Haboob labs (CVE-2021-39859, CVE-2021-39860, CVE-2021-39861, CVE-2021-39843, CVE-2021-39844, CVE-2021-39845, CVE-2021-39846)
*   Robert Chen (Deep Surface<https://deepsurface.com/\>) **(**CVE-2021-35982)
*   XuPeng from UCAS and Ying Lingyun form QI-ANXIN Technology Research Institute (CVE-2021-39854, CVE-2021-39853, CVE-2021-39852, CVE-2021-39851, CVE-2021-39850, CVE-2021-39849)
*   j00sean (CVE-2021-39857, CVE-2021-39856, CVE-2021-39855, CVE-2021-39842)
*   Exodus Intelligence (exodusintel.com) and Andrei Stefan (CVE-2021-39863)  
    
*   Qiao Li Of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2021-39858)

September 20, 2021: Updated acknowledgement details for CVE-2021-35982.

September 28, 2021: Updated acknowledgement details for CVE-2021-39863.

October 5, 2021: Updated CVSS base score, CVSS vector, and Severity for CVE-2021-39852, CVE-2021-39851, CVE-2021-39863, CVE-2021-39860, CVE-2021-39861. Added data and acknowledgements for CVE-2021-40725 and CVE-2021-40726.

January 18th, 2022: Updated acknowledgement details for CVE-2021-39854, CVE-2021-39853, CVE-2021-39852, CVE-2021-39851, CVE-2021-39850, CVE-2021-39849

January 27th, 2022: Updated CVSS details for CVE-2021-39845, CVE-2021-39846, CVE-2021-39855, CVE-2021-39856, CVE-2021-39860, CVE-2021-39861  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-39859: Adobe Security Bulletin

A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Assembla Auth Plugin
*   AWS CodeCommit Trigger Plugin
*   Azure AD Plugin
*   Bitbucket Push and Pull Request Plugin
*   Frugal Testing Plugin
*   Google Login Plugin
*   Ivy Plugin
*   Job Configuration History Plugin
*   Pipeline Maven Integration Plugin
*   Qualys Container Scanning Connector Plugin
*   SSH2 Easy Plugin
*   TAP Plugin

**Descriptions****Path traversal allows exploiting XSS vulnerability in Job Configuration History Plugin**

**SECURITY-3233 / CVE-2023-41930 (path traversal), CVE-2023-41931 (XSS)**  
**Severity (CVSS):** High  
**Affected plugin: jobConfigHistory**  
**Description:**

Job Configuration History Plugin 1227.v7a\_79fc4dc01f and earlier does not restrict a name query parameter when rendering a history entry. This allows attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.

The history view does not property sanitize or escape the timestamp value from history entries when rendering a history entry. This typically isn’t a problem, as the value is numeric in genuine history entries. Combined with the path traversal vulnerability, this results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to create a file on the controller (e.g., archived artifacts).

Job Configuration History Plugin 1229.v3039470161a\_d restricts the name query parameter when rendering a history entry, and escapes the timestamp value from history entries on the history view.

**Path traversal allows exploiting XXE vulnerability in Job Configuration History Plugin**

**SECURITY-3235 / CVE-2023-41932 (path traversal), CVE-2023-41933 (XXE)**  
**Severity (CVSS):** High  
**Affected plugin: jobConfigHistory**  
**Description:**

Job Configuration History Plugin 1227.v7a\_79fc4dc01f and earlier does not restrict timestamp query parameters in multiple endpoints. This allows attackers with Job Config History/DeleteEntry permission to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called history.xml.

Additionally, Job Configuration History Plugin 1227.v7a\_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Job Configuration History Plugin 1229.v3039470161a\_d restricts timestamp query parameters in the affected endpoints, and disables external entity resolution for its XML parser.

**Improper masking of credentials in Pipeline Maven Integration Plugin**

**SECURITY-3257 / CVE-2023-41934**  
**Severity (CVSS):** Medium  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin integrates with Config File Provider Plugin to specify custom Maven settings, including credentials for authentication.

Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked.

Pipeline Maven Integration Plugin 1331.v003efa\_fd6e81 masks usernames of credentials specified in custom Maven settings files in Pipeline build logs.

**Non-constant time nonce comparison in Azure AD Plugin**

**SECURITY-3227 / CVE-2023-41935**  
**Severity (CVSS):** Low  
**Affected plugin: azure-ad**  
**Description:**

Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b\_1154b\_3fb\_, does not use a constant-time comparison when checking whether the provided and expected CSRF protection nonce are equal.

This could potentially allow attackers to use statistical methods to obtain a valid nonce.

Azure AD Plugin 397.v907382dd9b\_98 uses a constant-time comparison when validating the nonce.

**Non-constant time token comparison in Google Login Plugin**

**SECURITY-3228 / CVE-2023-41936**  
**Severity (CVSS):** Low  
**Affected plugin: google-login**  
**Description:**

Google Login Plugin 1.7 and earlier does not use a constant-time comparison when checking whether the provided and expected token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid token.

Google Login Plugin 1.8 uses a constant-time comparison when validating the token.

**SSRF vulnerability in Bitbucket Push and Pull Request Plugin allows capturing credentials**

**SECURITY-3165 / CVE-2023-41937**  
**Severity (CVSS):** Medium  
**Affected plugin: bitbucket-push-and-pull-request**  
**Description:**

Bitbucket Push and Pull Request Plugin provides a webhook endpoint at /bitbucket-hook/ to receive webhook notifications.

When acting on these notifications, Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs. This allows attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.

Successful exploitation requires that a build is triggered. This is the case when the repository has changed since the previous build, or the option "Trigger also if nothing has changed in the repo" is checked.

Bitbucket Push and Pull Request Plugin 2.8.4 connects to the Bitbucket endpoint configured for the job when acting on a webhook notification.

**Incorrect permission checks in Qualys Container Scanning Connector Plugin**

**SECURITY-3018 / CVE pending**  
**Severity (CVSS):** High  
**Affected plugin: qualys-cs**  
**Description:**

Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier does not correctly perform a permission check in multiple HTTP endpoints.

This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to do the following:

*   Enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
    
*   Connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
    

Qualys Container Scanning Connector Plugin 1.6.2.7 requires global Overall/Administer permission, or Item/Configure permission on a job, to access the affected endpoint.

**XXE vulnerability in Ivy Plugin**

**SECURITY-2924 / CVE-2022-46751**  
**Severity (CVSS):** High  
**Affected plugin: ivy**  
**Description:**

Ivy Plugin 2.5 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751.

This allows attackers able to control the input file for the "Trigger the build of other projects based on the Ivy dependency management system" post-build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**CSRF vulnerability in Ivy Plugin**

**SECURITY-3093 / CVE-2023-41938**  
**Severity (CVSS):** Medium  
**Affected plugin: ivy**  
**Description:**

Ivy Plugin 2.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete disabled modules.

**Disabled permissions can be granted by SSH2 Easy Plugin**

**SECURITY-3064 / CVE-2023-41939**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh2easy**  
**Description:**

SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they’re no longer entitled to.

As a workaround, administrators can save the permission configuration after disabling a permission, as that will overwrite any permission assignments of disabled permissions.

The affected features have been removed without replacement in SSH2 Easy Plugin 1.6.

**Stored XSS vulnerability in TAP Plugin**

**SECURITY-3190 / CVE-2023-41940**  
**Severity (CVSS):** High  
**Affected plugin: tap**  
**Description:**

TAP Plugin 2.3 and earlier does not escape TAP file contents.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.

**Missing permission check in AWS CodeCommit Trigger Plugin allows enumerating credentials IDs**

**SECURITY-3101 (1) / CVE-2023-41941**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission check in AWS CodeCommit Trigger Plugin**

**SECURITY-3101 (2) / CVE-2023-41942 (CSRF), CVE-2023-41943 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to clear the SQS queue.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**HTML injection vulnerability in AWS CodeCommit Trigger Plugin**

**SECURITY-3102 / CVE-2023-41944**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message.

This results in an HTML injection vulnerability.

Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected.

**Disabled permissions granted by Assembla Auth Plugin**

**SECURITY-3065 / CVE-2023-41945**  
**Severity (CVSS):** Medium  
**Affected plugin: assembla-auth**  
**Description:**

Assembla Auth Plugin provides an authorization strategy that defines four levels of access to Jenkins, based on the corresponding permissions in Assembla spaces: ALL, EDIT, VIEW, and NONE.

Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled. This results in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.

Additionally, the plugin also grants the deprecated permissions Overall/RunScripts, Overall/UploadPlugins and Overall/ConfigureUpdateCenter to users with EDIT access. These permissions allow arbitrary code execution through various means in Jenkins before 2.222. Additionally, plugins not yet adapted to the changes in Jenkins 2.222 may also provide access to sensitive features to users with these permissions.

**CSRF vulnerability and missing permission checks in Frugal Testing Plugin**

**SECURITY-3082 / CVE-2023-41946 (CSRF), CVE-2023-41947 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: frugal-testing**  
**Description:**

Frugal Testing Plugin 1.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to do the following:

*   Connect to Frugal Testing using attacker-specified username and password.
    
*   Retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.
    

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2924: High
*   SECURITY-3018: High
*   SECURITY-3064: Medium
*   SECURITY-3065: Medium
*   SECURITY-3082: Medium
*   SECURITY-3093: Medium
*   SECURITY-3101 (1): Medium
*   SECURITY-3101 (2): Medium
*   SECURITY-3102: Medium
*   SECURITY-3165: Medium
*   SECURITY-3190: High
*   SECURITY-3227: Low
*   SECURITY-3228: Low
*   SECURITY-3233: High
*   SECURITY-3235: High
*   SECURITY-3257: Medium

**Affected Versions**

*   **Assembla Auth Plugin** up to and including 1.14
*   **AWS CodeCommit Trigger Plugin** up to and including 3.0.12
*   **Azure AD Plugin** up to and including 396.v86ce29279947
*   **Bitbucket Push and Pull Request Plugin** up to and including 2.8.3
*   **Frugal Testing Plugin** up to and including 1.1
*   **Google Login Plugin** up to and including 1.7
*   **Ivy Plugin** up to and including 2.5
*   **Job Configuration History Plugin** up to and including 1227.v7a\_79fc4dc01f
*   **Pipeline Maven Integration Plugin** up to and including 1330.v18e473854496
*   **Qualys Container Scanning Connector Plugin** up to and including 1.6.2.6
*   **SSH2 Easy Plugin** up to and including 1.4
*   **TAP Plugin** up to and including 2.3

**Fix**

*   **Azure AD Plugin** should be updated to version 397.v907382dd9b\_98 or 378.380.v545b\_1154b\_3fb\_
*   **Bitbucket Push and Pull Request Plugin** should be updated to version 2.8.4
*   **Google Login Plugin** should be updated to version 1.8
*   **Job Configuration History Plugin** should be updated to version 1229.v3039470161a\_d
*   **Pipeline Maven Integration Plugin** should be updated to version 1331.v003efa\_fd6e81
*   **Qualys Container Scanning Connector Plugin** should be updated to version 1.6.2.7
*   **SSH2 Easy Plugin** should be updated to version 1.6

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Assembla Auth Plugin
*   AWS CodeCommit Trigger Plugin
*   Frugal Testing Plugin
*   Ivy Plugin
*   TAP Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3190, SECURITY-3233, SECURITY-3235
*   **CC Bomber, Kitri BoB** for SECURITY-2924
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3093, SECURITY-3101 (1), SECURITY-3101 (2), SECURITY-3102
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3064, SECURITY-3065
*   **Tony Torralba (@atorralba), GitHub Security Lab and Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3165
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3018, SECURITY-3082, SECURITY-3227, SECURITY-3228, SECURITY-3257

Tag

#ssh