### Impact
HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication.

### Patches
It has been patched on 3.4.15 and 4.36.0.

Skip to content

Sign up

**CVE-2023-48701**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-48701

**Cross-site Scripting via uploaded assets**

High severity GitHub Reviewed Published Nov 21, 2023 in statamic/cms

Vulnerability details Dependabot alerts 0

**Package**

composer statamic/cms (Composer)

**Affected versions**

< 3.4.15

\>= 4.0.0, < 4.36.0

**Patched versions**

3.4.15

4.36.0

**Description**

**Impact**

HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication.

**Patches**

It has been patched on 3.4.15 and 4.36.0.

**References**

*   GHSA-8jjh-j3c2-cjcv
*   https://nvd.nist.gov/vuln/detail/CVE-2023-48701
*   https://github.com/statamic/cms/releases/tag/v3.4.15
*   https://github.com/statamic/cms/releases/tag/v4.36.0

 jasonvarga published to statamic/cms

Nov 21, 2023

Published by the National Vulnerability Database

Nov 21, 2023

Published to the GitHub Advisory Database

Nov 22, 2023

Reviewed

Nov 22, 2023

**Severity**

High

7.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

High

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H

**Weaknesses**

CWE-79

**CVE ID**

CVE-2023-48701

**GHSA ID**

GHSA-8jjh-j3c2-cjcv

**Source code**

statamic/cms

**Credits**

*    Cyber-Wo0dy Reporter

Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-8jjh-j3c2-cjcv: Cross-site Scripting via uploaded assets

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Chaty plugin <= 3.1.2 versions.

**Solution**

 Fixed

Update the WordPress Chaty plugin to the latest available version (at least 3.1.3).

emad discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Chaty Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.1.3.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47759: WordPress chaty plugin <= 3.1.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Draytek Vigor2960 v1.5.1.4 and v1.5.1.5 are vulnerable to directory traversal via the mainfunction.cgi dumpSyslog 'option' parameter allowing an authenticated attacker with access to the web management interface to delete arbitrary files. Vigor2960 is no longer supported.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-6265: Vuln/Draytek/4.md at main · xxy1126/Vuln

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MagePeople Team WpBusTicketly plugin <= 5.2.5 versions.

**Solution**

 Fixed

Update the WordPress Bus Ticket Booking with Seat Reservation plugin to the latest available version (at least 5.2.6).

Ivy (TOOR, LISA) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Bus Ticket Booking with Seat Reservation Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.2.6.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30496: WordPress Bus Ticket Booking with Seat Reservation plugin <= 5.2.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.16.0could allow an authenticated user to obtain sensitive version information that could aid in further attacks against the system.  IBM X-Force ID:  233665.

CVE-2022-36777: Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

By Deeba Ahmed
Patches for all affected versions of Apache ActiveMQ have been released, and clients are strongly advised to upgrade their systems.
This is a post from HackRead.com Read the original post: Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

Active since 2020, the resurgence of the Kinsing malware poses a significant threat to Linux-based systems, infiltrating servers and rapidly spreading across networks.

Cybersecurity researchers at Trend Micro have identified cybercriminals exploiting a critical vulnerability in Apache ActiveMQ (CVE-2023-46604) to infect Linux systems with the **Kinsing malware** (also known as h2miner). This vulnerability enables attackers to execute arbitrary code on affected systems, installing cryptocurrency miners and rootkits.

****What is Kinsing Malware?****

The Kinsing malware poses a significant threat to Linux-based systems, infiltrating servers and rapidly spreading across networks. It exploits vulnerabilities in web applications or misconfigured container environments to gain access, specifically targeting Linux systems. Its primary objectives include cryptocurrency mining, such as Bitcoin, and establishing persistence on the infected host.

Interestingly, the malware detects and eradicates competing cryptocurrency miners, targeting processes, active network connections, and crontabs that exploit vulnerabilities like **WebLogic** or **Log4Shell**. This strategic approach allows the malware to gain complete control of the system’s resources.

Furthermore, it ensures persistence by adding a cronjob to download and execute its malicious bootstrap script every minute, ensuring the latest malicious Kinsing binary is consistently available on the infected host.

“Kinsing doubles down on its persistence and compromise by loading its rootkit in /etc/ld.so.preload, which completes a full system compromise,” researchers noted.

Recently, attackers using Kinsing malware have utilized high-profile vulnerabilities like CVE-2023-4911 (**Looney Tunables**).

Image: Trend Micro

****About the Vulnerability****

Since early November 2023, Trend Micro researchers observed that CVE-2023-46604 is being exploited. It is a critical severity vulnerability **assigned** a CVSS score of 9.8. The vulnerability stems from OpenWire commands failing to validate throwable class type, thus enabling RCE.

“When the marshaller fails to validate the class type of a Throwable, it inadvertently allows the creation and execution of instances of any class. This opens the door to remote code execution (RCE) vulnerabilities, enabling attackers to execute arbitrary code on the affected server or application,” Trend Micro researchers explained in a **blog post**.

Apache ActiveMQ is a popular open-source message and integration platform written in Java. It implements message-oriented middleware (**MOM**) and facilitates communication between different applications. It offers different features, including OpenWire, STOMP, and Jakarta Messaging (JMS). OpenWire is a binary protocol designed for MOM and serves as the native wire format for ActiveMQ. It offers several benefits, such as bandwidth efficiency and support for various message types.

****How Does the Attack Work?****

The Kinsing malware exploits the CVE-2023-46604 vulnerability discovered in Apache ActiveMQ, which enables remote code execution (RCE). The vulnerability allows attackers to execute arbitrary code on the impacted system. After gaining access to the vulnerable server and executing the Kinsing binary, it becomes possible to install rootkits and cryptominers, steal sensitive data, disrupt operations, and install malware.

****Impacted versions****

Apache ActiveMQ versions 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, and 5.16.0 before 5.16.5 are vulnerable to this attack. Apache ActiveMQ has **released** patches for all affected versions. Users are advised to update their ActiveMQ installations as soon as possible. In addition, keep OpenWire disabled if not required, restrict access to ActiveMQ management interfaces and isolate ActiveMQ deployments through network segmentation to stay protected.

Ken Dunham, Director of Cyber Threat at Foster City, Calif.-based **Qualys**, a disruptive cloud-based IT, security and compliance solutions provider, shared with Hackread.com that there’s a dire need for proper configuration of the cloud platform.

“The main takeaway I get here is around how the cloud is rarely configured properly and malware is exploiting that. We don’t want to allow malware like this to be proof of poor configurations and lack of security in our systems, especially around lateral movement tools, tactics and procedures (TTPs) used by the group.”

Dunham noted that Kinsing has been a significant threat **since 2020**.

“Kinsing has successfully preyed upon poorly authenticated and configured cloud Docker containers dating back to 2020, then performing lateral movement attempts leveraging brute force attacks,“ Dunham explained.

**Irfan Asrar**, Director, of Malware and Threat Research at Qualys, told Hackread.com that researchers have discovered a major gap in the cloud.

“This discovery highlights a major gap in the cloud not commonly defended against; most web apps/cloud infrastructure are not scanning for malware in their cloud infrastructure, mostly just attempting to screen web traffic, which allows the Kinsing malware to take advantage and gain persistency. I see this gap being taken advantage of in the future by other groups.”

****_RELATED ARTICLES_****

1.  **Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer**
2.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**
3.  **Hackers actively exploiting 0-day in Ubiquitous Apache Log4j tool**
4.  **Golang malware infecting Windows, Linux servers with XMRig miner**
5.  **Nitrokod Crypto Miner Hiding in Fake Microsoft, Google Translate Apps**

Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AazzTech WooCommerce Product Carousel Slider plugin <= 3.3.5 versions.

**Solution**

 No fix

No patched version is available. This plugin has been closed as of June 28, 2023 and is not available for download. This closure is permanent. Reason: Author Request.

Found this useful? Thank Abdi Pranata for reporting this vulnerability. Buy a coffee ☕

Abdi Pranata discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WooCommerce Product Carousel Slider Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47755: WordPress WooCommerce Product Carousel Slider plugin <= 3.3.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to Login Credential Leakage via Audit Entries.

Published CVE numbers:

*   https://www.cve.org/CVERecord?id=CVE-2023-47312
    
*   https://nvd.nist.gov/vuln/detail/CVE-2023-47312
    

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to Login Credential Leakage via Audit Entries.

The Audit plugin provides a detailed list of the web panel’s operations. When a configuration is updated, the set password is stored in an audit entry and returned without being masked. Due to the missing permission control, the audit plugin may not be accessible to lower-level users.

**Exploitation’s steps**

Authentication: Required (low-level user access is enough)

*   Due to the vulnerability of CVE-2023-47316, even low-level users can access the Functions tab and the menu item _Audit_ under this tab.​
    

Accessible Audit function

*   Users can retrieve all details belonging to the given log entry by clicking the search icon.
    

Password property contains a plaintext password to the given configuration

*   Affected API call: /rest/plugins/audit/private/log/search (POST)

CVE-2023-47312: CVE-2023-47312 – Headwind MDM Web panel 5.22.1 – Login Credential Leakage via Audit Entries - Boltonshield

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls and audit-related API calls.

Published CVE numbers:

*   https://www.cve.org/CVERecord?id=CVE-2023-47316
    
*   https://nvd.nist.gov/vuln/detail/CVE-2023-47316
    

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls and audit-related API calls.

**Exploitation’s steps**

Authentication: Required (A low-level user access is enough)

*   Login to the web panel with the low-level user
    
*   By modifying the cookie _user_ so that the _superadmin_ property is set to _True,_ the user interface will show sensitive functions such as user management, file upload, and audit-related functions. These functions are not supposed to be accessible to low-level users. It is important to note that mostly only API calls using GET method can be called this way with the permission of a low-level user. The only exception is the file add function (/rest/private/web-ui-files POST).
    

Available functions before modifying the user cookie

Available functions after changing the user cookie

​

Setting up an attacker proxy like Burp to intercept outgoing HTTP requests and modify them (if it is needed)

*   By uploading files, attackers may be able to exploit other vulnerabilities; By retrieving the audit function, attackers may learn sensitive information, including login credentials; By retrieving the users’ list, attackers may be able to get the authToken of other users and to get the password reset token (in case the password reset feature is enabled)
    
*   Important note: This vulnerability may aid attackers in exploiting other issues, such as CVE-2023-47315, by allowing them to learn the _authToken_ of other users.

CVE-2023-47316: CVE-2023-47316 – Headwind MDM Web panel 5.22.1 – Missing Permission Control - Boltonshield

Headwind MDM Web panel 5.22.1 is vulnerable to Cross Site Scripting (XSS) via Uncontrolled File Upload.

Published CVE numbers:

*   https://www.cve.org/CVERecord?id=CVE-2023-47314
    
*   https://nvd.nist.gov/vuln/detail/CVE-2023-47314
    

Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS).

The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download function returns the file in inline mode, the victim’s browser will immediately render the content of the HTML file as a web page. As a result, the uploaded client-side code will be evaluated and executed in the victim’s browser, allowing attackers to perform common XSS attacks.

**Exploitation’s steps**

Authentication: Required (a low-level access is enough)

*   Due to the vulnerability CVE-2023-47316, even low-level users can access the tab _Files_
    
*   Uploading an HTML file with arbitrary content by using the add file function under the tab _Files_
    

Uploading an HTML file using the Add file function​

Uploading an HTML file

   

*   Intercepting/modifying the outgoing HTTP requests is not necessary
    
*   The uploaded file can be downloaded by using the following URL: https://{server-address}/files/{original-name-of-the-uploaded-file}
    

HTML file can be rendered

​

*   The above URL is accessible even for unauthenticated users

Tag

#web