A vulnerability was found in YAFNET up to 3.1.11 and classified as problematic. This issue affects some unknown processing of the component Signature Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.12 is able to address this issue. The name of the patch is a1442a2bacc3335461b44c250e81f8d99c60735f. It is recommended to upgrade the affected component. The identifier VDB-220037 was assigned to this vulnerability.

@@ -59,16 +59,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ServiceStack.OrmLite.SqlSer EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Tests", "Tests", "{66545891-3124-4CAF-897D-2A7280B0A7D4}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Externals", "Externals", "{A3427F65-AE3B-4962-8DC1-93551065C0A6}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.BasicTests", "..\\tests\\YAF.Tests.BasicTests\\YAF.Tests.BasicTests.csproj", "{51CC78BB-B5C2-46C3-B69D-5023F739B78C}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.CoreTests", "..\\tests\\YAF.Tests.CoreTests\\YAF.Tests.CoreTests.csproj", "{CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "YAF.Tests.Utils", "..\\tests\\YAF.Tests.Utils\\YAF.Tests.Utils.csproj", "{94C11F2B-E560-4075-A43A-59529CFAFC5C}" EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HttpSimulator", "..\\tests\\Externals\\HttpSimulator\\HttpSimulator.csproj", "{CE9FFE92-9A64-483C-9F11-A27F83C0E14C}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{B7DF71FA-51C6-4798-887B-8AD4596629C0}" ProjectSection(SolutionItems) = preProject .editorconfig \= .editorconfig @@ -236,18 +228,6 @@ Global {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|x86.ActiveCfg \= Release|Any CPU {5532392F-3038-428E-BE72-AB78A21BA84F}.Release|x86.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|x86.ActiveCfg \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Debug|x86.Build.0 \= Debug|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Any CPU.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|x86.ActiveCfg \= Release|Any CPU {51CC78BB-B5C2-46C3-B69D-5023F739B78C}.Release|x86.Build.0 \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Any CPU.Build.0 \= Debug|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU @@ -260,30 +240,6 @@ Global {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|x86.ActiveCfg \= Release|Any CPU {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E}.Release|x86.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|x86.ActiveCfg \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Debug|x86.Build.0 \= Debug|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Any CPU.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|x86.ActiveCfg \= Release|Any CPU {94C11F2B-E560-4075-A43A-59529CFAFC5C}.Release|x86.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Any CPU.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|Mixed Platforms.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|x86.ActiveCfg \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Debug|x86.Build.0 \= Debug|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Any CPU.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Any CPU.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Mixed Platforms.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|Mixed Platforms.Build.0 \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|x86.ActiveCfg \= Release|Any CPU {CE9FFE92-9A64-483C-9F11-A27F83C0E14C}.Release|x86.Build.0 \= Release|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Any CPU.ActiveCfg \= Debug|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Any CPU.Build.0 \= Debug|Any CPU {AA001480-3713-4927-8650-ED1E16AFB791}.Debug|Mixed Platforms.ActiveCfg \= Debug|Any CPU @@ -322,11 +278,7 @@ Global {9E7362F6-25FE-4E06-884D-92AEA9A28D45} = {C9CC269F-1DC1-4189-9116-12EB6A726F0B} {BF9FE592-B675-4097-9F69-B2776FAC347F} = {C9CC269F-1DC1-4189-9116-12EB6A726F0B} {5532392F-3038-428E-BE72-AB78A21BA84F} = {A61BA819-987E-4F04-B4D8-0960363558C5} {A3427F65-AE3B-4962-8DC1-93551065C0A6} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {51CC78BB-B5C2-46C3-B69D-5023F739B78C} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {CEA1C60C-C6A7-4B01-9FC6-6292812E4E5E} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {94C11F2B-E560-4075-A43A-59529CFAFC5C} = {66545891-3124-4CAF-897D-2A7280B0A7D4} {CE9FFE92-9A64-483C-9F11-A27F83C0E14C} = {A3427F65-AE3B-4962-8DC1-93551065C0A6} {AA001480-3713-4927-8650-ED1E16AFB791} = {A61BA819-987E-4F04-B4D8-0960363558C5} {7C82AFFA-FB8A-4227-BC7F-0697F7ED58F6} = {BDA94567-4516-4110-9743-085C36B24E35} EndGlobalSection

CVE-2023-0650: [FIXED] Stored XSS in Signature · YAFNET/YAFNET@a1442a2

Popular hacking aid resurrected following end-of-life announcement

Popular hacking aid resurrected following end-of-life announcement

XSS Hunter now has a home at Truffle Security, which has launched a new version of the tool after its original creator declared that he will be deprecating it in February.

XSS Hunter is a popular open source tool for identifying cross-site scripting (XSS) bugs in websites. An online version was previously maintained by its creator Mandatory (Matthew Bryant).

The new version, hosted on Truffle Security’s domain, is an open source fork of the original code with new features and enhanced security.

**Privacy concerns**

XSS is a very common vulnerability, accounting for 23% of bug reports submitted to bug bounty platform HackerOne, for example.

“The most popular tool for looking for XSS aside from manual testing is XSSHunter,” Dylan Ayrey, co-founder of Truffle Security, told The Daily Swig. “It’s an extremely valuable tool to the community, but it also had risks.”

Many users of XSS Hunter would accidentally send sensitive data to the platform and possibly cause data leakage. Ayrey had previously stumbled on 50,000 Google user records while working with the old XSS Hunter, which became the topic of a talk he gave at Black Hat 2022.

“As long as Mandatory was in charge of the service, I wasn’t concerned with what the platform might do with that data collected,” Ayrey said.

“But we were concerned after the EOL \[end of life\] was announced, another tool might have come along to replace it with operators that may have had different intentions with the data collected.”

Read more of the latest news about web hacking tools

The new XSS Hunter tool blurs screenshots captured by the platform to protect sensitive information rendered by the XSS payload. It has also removed support for full DOM capture and enforces Google SSO login to improve account security.

Regarding the deprecation of the old service, Mandatory told The Daily Swig that he had become “increasingly uncomfortable with the amount of vulnerability information stored in the service.

“Ideally I’d like to be storing zero vulnerability information for XSS hunter users, which this deprecation will achieve,” he said.

Mandatory described Truffle Security’s fork as “a step in the right direction” and said: “I think the fact that Truffle Security is starting out with an eye on balancing privacy and bug bounty research interests is a good sign.”

**New features**

Truffle Security has added support for detecting other kinds of vulnerabilities, including cross-origin resource sharing (CORS) misconfigurations that would allow external sites to view and extract data from internal domains. CORS vulnerabilities can be especially damaging, as Truffle Security recently discovered while investigating different internal corporate networks.

Truffle Security has integrated the lite version of its TruffleHog tool into the new XSSHunter, enabling it to scan HTML pages for secrets such as AWS, GCP, and Slack keys. It will also scan tested websites for source code leaks via .git directories.

“We saw an opportunity to both address privacy concerns as well as give the cybersecurity community new capabilities within the XSS Hunter tool,” Ayrey said.

Ayrey said Mandatory was supportive of the effort and helped out in the process. Truffle Security plans to add more features to XSS Hunter in the future, including adding a more complete version of TruffleHog.

Mandatory, who described XSS Hunter as his long time passion project, will continue to maintain the open source xsshunter-express repository “more dutifully in the future to support those who wish to self-host their own instance”.

“When I first built the service many people didn’t really believe that blind XSS was a ‘real’ concern,” he said. “Today I don’t think anyone doubts the pervasiveness and severity of these vulnerabilities, so it has pretty much achieved what it was meant to do.”

YOU MAY ALSO LIKE Meet TruffleHog – a browser extension for finding secret keys in JavaScript code

Truffle Security relaunches XSS Hunter tool with new features

The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.

Indusface's research on 1,400+ Web apps, mobile apps, and APIs revealed that open vulnerabilities remain cybercriminals' most significant attack vector.

According to the report, 829 million attacks were blocked on the AppTrana WAF in the fourth quarter of 2022, a 79% increase from the third quarter.

The alarming finding is that 61,713 open vulnerabilities were found, which is a 50% jump from the third quarter. The number of open vulnerabilities directly relates to the increased threat actors.

How can you protect them? The best option is to fix known vulnerabilities using virtual patching at the WAF level while blocking attacks.

**Critical Vulnerabilities Found on Applications**

While any vulnerability carries a risk to your business, here are the top 10 high/critical vulnerabilities that hackers attempted to exploit during the fourth quarter of 2022:

*   Server-side request forgery
*   HTML injection
*   Cross-site scripting (XSS)
*   TLS/SSL server certificate will expire soon
*   Script source code disclosure
*   SQL injection
*   SSL certificate common name mismatch
*   TLS/SSL server certificate expired
*   Untrusted TLS/SSL server certificate
*   Insecure Direct Object References

Prioritize addressing these vulnerabilities if you have not done so already.

**Cost of Vulnerabilities**

A single vulnerability can invite thousands of cybersecurity troubles. Poodle, Heartbleed, EternalBlue, and Shellshock are just a few of the vulnerabilities that open businesses to security threats.

The report found 31% of vulnerabilities have been open for 180+ days. And 1,700+ of these are rated as critical and high vulnerabilities.

So, what happens if you don't patch the vulnerabilities? A failure to maintain this responsibility could have severe effects, including potential security breaches.

Back in 2017, the massive Equifax security breach made headlines. Hackers exploited the known vulnerability CVE-2017-5638 in their app framework and gained access to the company's system.

This breach exposed the personally identifiable information (PII) of 147 million people. Two years after the breach, the company said it spent $1.4 billion on cleanup costs and revamping its security program. Equifax agreed to pay up to $700 million to settle claims related to the breach.

The breach's total cost is likely higher than the reported settlements and expenses. It also includes intangible costs such as loss of trust, brand reputation, and long-term impact on the business.

**Managing Vulnerabilities With Virtual Patching**

Security patches play a vital role in dealing with vulnerabilities. They patch up the security gaps and resolve the risks. After all, successful exploitation means an insecure configuration or missing security control.

The patching process can, at times, be challenging. Many companies turn to virtual patching to protect their apps on the Web application firewall (WAF) when a system can't be patched immediately.

Virtual patching is a vulnerability shield that secures apps during your risk window and beyond. It enables you to scale your coverage and responses accordingly with appropriate defense, which can be applied in minutes or hours. Thereby, it reduces the risk of exposure to vulnerabilities.

Virtual patching is attained by implementing a security policy layer in the WAF. It eliminates application vulnerabilities without changing the codebase.

Companies can leverage virtual patching in two ways to mitigate vulnerabilities:

1.  Core rules
2.  Custom rules

The Indusface report found that the WAF core rule set blocks 40% of requests, and custom rules block 60%.

**Why Are the Custom Rules Gaining Momentum?**

Core rules are predefined, standardized, based on industry best practices, and designed to protect against known vulnerabilities. Security experts typically create these rules. Core rules are easy to implement and can provide high protection.

Since most dev teams work on sprints that are a few weeks long, vulnerabilities keep getting added with the changing code.

Most companies leverage weekly scans and periodic penetration testing on applications. Since fixing these on code will be long and arduous, product owners rely on WAF's custom rules to plug these vulnerabilities while their dev team focuses on shipping features.

Whenever the teams get to a security-focused sprint, they fix these vulnerabilities in the code.

Virtual patching is also used as a risk mitigation mechanism. For instance, we have observed that geofencing is gaining popularity in the custom rule category as application owners look to limit traffic from geographies where the application is not designed to be used. The other example is blacklisting or whitelisting IPs that are used to allow traffic to the application.

**False Positive Monitoring**

While the power of custom rules is undisputed, they also add the burden of monitoring applications for false positives.

In talking to several security leaders, one consistent theme that we keep hearing about is the lack of skilled security practitioners who can manage a complex application like a WAF/WAAP.

The other challenge is the worsening economy; security teams are increasingly being asked to do more with less.

We are seeing an increased trend of product owners relying on managed services to help with virtual patches and guarantee no false positives.

**Conclusion**

If the attackers discover a piece of exploitable code, the next step is taking advantage of the vulnerability.

The sooner you deploy the virtual patching, the sooner attackers look elsewhere. Keep your WAF running to ensure your security and bottom line.

**About the Author**

    

Venky is an application security technologist who built the new-age Web application scanner and cloud WAF AppTrana at Indusface as a founding CTO. Currently, he spends his time on driving product road map, customer success, growth, and technology adoption for US businesses.

AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites

Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.

An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust.

**High Rate of Conflict**

Approximately 56%, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of moderate severity, NIST might have assessed it as severe.

As one example, VulnCheck pointed to CVE-2023-21557, a denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1, making it a "critical" vulnerability. Information on the vulnerability in the NVD provided no insight on why the scores differed, VulnCheck said. The vulnerability database is peppered with numerous other similar instances.

That high conflict rate can set back remediation efforts for organizations that are resource-strapped in vulnerability management teams, says Jacob Baines, vulnerability researcher at VulnCheck. "A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that aren't critical," he says. "Prioritizing the wrong vulnerabilities will squander vulnerability management teams' most critical resource: time."

VulnCheck researchers found other differences in the way NIST and vendors included specific information about flaws in the database. They decided to look at cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD.

The analysis showed the primary source — typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences.

"XSS and CSRF vulnerabilities always require user interaction," Baines says. "User interaction is a scoring element of CVSSv3 and is present in the CVSSv3 vector." Examining how often XSS and CSRF vulnerabilities in NVD include that information provides insight into the scale of scoring mistakes in the database, he says.

**Severity Scores Alone Not the Answer**

Severity scores based on the Common Vulnerability Severity Scale (CVSS) are meant to give patching and vulnerability management teams a straightforward way to understand the severity of a software vulnerability. It informs the security professional whether a flaw presents a low, medium, or severe risk, and often provides context around a vulnerability that the software vendor might not have provided when assigning a CVE to the bug.

Numerous organizations use the CVSS standard when assigning severity scores to vulnerabilities in their products, and security teams commonly use the scores to decide the order in which they apply patches to vulnerable software in the environment.

Despite its popularity, many have previously cautioned against solely relying on CVSS reliability scores for patch prioritization. In a Black Hat USA 2022 session, Dustin Childs and Brian Gorenc, both researchers with Trend Micro's Zero Day Initiative (ZDI), pointed to multiple issues like the lack of information around a bug's exploitability, its pervasiveness, and how accessible it might be to attack as reasons why CVSS scores alone are not enough.

"Enterprises are resource constrained, so they typically have to prioritize which patches they roll out," Childs told Dark Reading. "However, if they get conflicting information, they can end up spending resources on bugs that are unlikely to ever be exploited."

Organizations often rely on third-party products to help them prioritize vulnerabilities and decide what to patch first, Childs notes. Often, they tend to give preference to the CVSS from the vendor rather than another source like NIST.

"But vendors can't always be relied on to be transparent on the real risk. Vendors don't always understand how their products are deployed, which can lead to differences in the operational risk to a target," he says.

Childs and Bains advocate that organizations should consider information from multiple sources when making decisions around vulnerability remediation. They should also consider factors such as whether a bug has a public exploit for it in the wild, or whether it is being actively exploited.

"To accurately prioritize a vulnerability, organizations need to be able to answer the following questions," Baines says. "Does this vulnerability have a public exploit? Has this vulnerability been exploited in the wild? Is this vulnerability being used by ransomware or APT? Is this vulnerability likely to be Internet-exposed?"

Discrepancies Discovered in Vulnerability Severity Ratings

A vulnerability was found in TRENDnet TEW-652BRP 3.04b01 and classified as problematic. This issue affects some unknown processing of the file get_set.ccp of the component Web Management Interface. The manipulation of the argument nextPage leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-220019.

CVE-2023-0639

Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

*   Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.
    
*   Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.
    
*   PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.
    
*   PR 16689 - Adds support for host addresses in kerberos tickets.
    
*   PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.
    
*   PR 16749 - Adds Kerberos Authentication support to WinRM modules.
    
*   PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.
    
*   PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.
    
*   PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.
    
*   PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
    
*   PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.
    
*   PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.
    
*   PR 17374 - Adds klist command support to list Kerberos tickets in the database.
    
*   PR 17451 - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
    
*   PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure what encryption types are used with the KDC.
    
*   PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
    
*   PR 17473 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
    
*   PR 17475 - Enables the datastore\_fallbacks feature flag by default. This is a rewrite of Metasploit's datastore to fix multiple bugs and edge-cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.
    
*   PR 17480 - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.
    
*   PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
    
*   PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
    
*   PR 17526 - Updates the show options and show advanced command to visually group options with the same conditions together, such as options that require an action or datastore value to be set.
    
*   PR 17535 - This adds NTLM hash recover to the kerberos/get\_ticket module.
    
*   PR 17539 - Adds additional error handling for Kerberos error codes.
    

*   Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.
    
*   Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.
    
*   PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.
    
*   PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth restricted networks.
    
*   PR 17482 - Fixes a connection issue with reverse\_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
    
*   PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.
    
*   PR 17497 - This fixes an error where modules that issue certificates (icpr\_cert and now auxiliary/admin/dcerpc/cve\_2022\_26923\_certifried) would crash if the response from the server was that the certificate was submitted and no certificate was returned. This updates the code to check if the certificate is present before attempting to process it.
    
*   PR 17516 - The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
    
*   PR 17525 - Fixes a deprecation warning when using socks proxy support in Metasploit.
    
*   PR 17541 - Fixes a crash that occurs when domain option is set to blank.
    
*   PR 17549 - Updates the inspect_ticket module to output a user friendly error if the ticket decryption has failed, i.e. due to an invalid decryption key.
    

*   PR 16625 - Adds a new scanner/kerberos/kerberos_login module for bruteforcing and verifying credentials against a Kerberos server. Accounts which do not require preauthnetication, i.e. AS-REP Roastable accounts, will have the hashes output for offline cracking.
    
*   PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
    
*   PR 17407 - This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.
    
*   PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
    
*   PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against Wordpress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves Wordpress usernames and password hashes using Time-Based Blind SQL Injection technique.
    
*   PR 17533 - Enhances the auxiliary/admin/kerberos/get\_ticket module with PKINIT functionality.

CVE-2023-0599: Metasploit Release Notes

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

Zoho offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you have discovered a potential security vulnerability in any of Zoho's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.

Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. Zoho provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.

You can share details of the suspected vulnerability with Zoho by clicking below;

Submit Bug

These Bug Bounty Terms and Conditions ("Bug Bounty Terms") govern your participation in the Zoho Bug Bounty Program ("Bug Bounty Program") and are a legally binding contract between you or the company you represent and Zoho. By submitting a vulnerability or participating in the program, you agree to be bound by the Terms.

The Bug Bounty Program enables you to submit security bugs or vulnerabilities discovered by you in eligible Zoho Services and earn rewards for your submissions. Service-specific terms of use that are applicable to specific Zoho Services ("Service-Specific Terms") shall be applicable to you in addition to the Bug Bounty Terms. In the event of a conflict between Bug Bounty Terms and Service-specific Terms, the Bug Bounty Terms shall prevail.

Participation in the Bug Bounty Program is open to all individuals unless:

*   You are below 14 years of age. If you are 14 years old or above, but you are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to your participation in the Bug Bounty Program after having read the Bug Bounty Terms;
    
*   You are a resident of any US sanctioned countries;
    
*   You are currently an employee of Zoho or you were employed by Zoho within six (6) months prior to your participation in the Bug Bounty Program; or
    
*   You are a family member of a Zoho employee.
    

You will follow the rules specified hereunder, failing which your participation in the Bug Bounty Program will be immediately terminated.

*   You will make all efforts to avoid privacy violations, degradation of user experience, degradation of Zoho Services, disruptions to Zoho's infrastructure and systems, and destruction of both Zoho's and users' data in the course of your security bug research.
    
*   You will report any security bug discovered by you ("Security Bug") to Zoho and provide Zoho with reasonable time to identify and mitigate the security bug before publicly disclosing it to others.
    
*   During your security bug research, if you have any inadvertent access to Zoho's or users' information, including sensitive, personal, or any other unauthorized information ("Unauthorized Information"), you must cease your Security Bug research to prevent further access to any Unauthorized Information by you and notify Zoho of any Unauthorized Information you accessed. Upon notifying Zoho of such access, delete all Unauthorized Information from your systems or devices.
    
*   You will always use your account, or an account for which you have explicit consent from the account owner, for testing the Security Bug.
    
*   You will use any security bug discovered by you only for testing, and you will not exploit the Security Bug in any manner.
    

If you have discovered an eligible security bug as specified in the scope, you may submit the bug through the website provided to you for submission.

Your submission shall include details such as vulnerability description, clear reproduction steps, and a proof-of-concept.

Upon receipt of your submission, Zoho will review and validate the submission within three (3) days from the date of your submission and will prioritize based on the severity of the vulnerability submitted and resolve the vulnerability accordingly. Zoho will notify you once the vulnerability is resolved and you may confirm whether the remedy resolves the vulnerability. If there is more than one submission for the same vulnerability from different parties, bounty will be paid to the first submission.

Zoho will pay a reward for your eligible submissions ("Bounty"). Bounties will be determined and granted only at Zoho's discretion. You can find the reward tiers here.

Zoho will fulfill the Bounty payments through the following payment modes:

*   For Indian participants, in INR through wire transfer;
    
*   For participants from outside India, in USD through PayPal; or
    
*   As an Amazon gift card in USD.
    

You understand that you are responsible for paying the taxes associated with Bounty payments. Bounties for Indian participants will be paid only after deducting TDS of 10% (Tax Deducted at Source).

Bounties shall be claimed by you within a period of three (3) months from the date of your entitlement to the reward.

You grant Zoho non-exclusive, irrevocable, worldwide, perpetual, and royalty-free license to review, assess, and use your submission to analyze and resolve the vulnerability submitted by you and for other related purposes.

ZOHO SHALL IN NO EVENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR OTHER LOSS OR DAMAGE WHATSOEVER OR FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, COMPUTER FAILURE, LOSS OF BUSINESS INFORMATION, OR OTHER LOSS ARISING OUT OF THE BUG BOUNTY PROGRAM.

*   All Zoho branded products and applications listed at zoho.com
    
*   All ManageEngine branded products and applications listed at manageengine.com (except SupportCenter Plus)
    
*   Site24x7
    
*   Qntrl
    
*   TrainerCentral
    
*   Zoho Corporation owned assets
    

*   Missing any best security practice that is not a vulnerability
    
*   Self XSS
    
*   Username or email address enumeration
    
*   Email bombing
    
*   HTML injection
    
*   XSS vulnerabilities on sandbox or user-content domains
    
*   Unvalidated or open redirects or tabnabbing
    
*   Clickjacking in unauthenticated pages or in pages with no significant state-changing action
    
*   Logout or unauthenticated CSRF
    
*   Missing cookie flags on non-sensitive cookies
    
*   Missing security headers that do not lead directly to a vulnerability
    
*   Unvalidated findings from automated tools or scans
    
*   "Back" button that keeps working after logout
    
*   Issues that do not affect the latest version of modern browsers or platforms
    
*   Attacks that require physical access to a user device
    
*   Social engineering
    
*   Hosting malware/arbitrary content on Zoho and causing downloads
    
*   Use of a known-vulnerable library (without evidence of exploitability)
    
*   Low-impact descriptive error pages and information disclosures without any sensitive information
    
*   Invalid or missing SPF/DKIM/DMARC/BIMI records
    
*   Password and account policies, such as (but not limited to) reset link expiration or password complexity
    
*   Non-critical issues in blog.zoho.com or other product blogs
    
*   CSV injection
    
*   Phishing risk via Unicode/Punycode or RTLO issues
    
*   Missing rate limitations on endpoints (without any security concerns)
    
*   Presence of EXIF information in file uploads
    
*   Ability to upload/download executables
    
*   Bypassing pricing/paid feature restrictions
    
*   0-day vulnerabilities in any third parties we use within 10 days of their disclosure
    
*   Any other issues determined to be of low or negligible security impact
    
*   Issues that do not affect the latest version of applications, modern browsers, or platforms
    
*   Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
    
*   Usage of known vulnerable components without actual working exploit
    
*   Our intended features or accepted risks (including but not limited to the following) are not vulnerabilities and are thus excluded from our program:
    
*   Applications running as SYSTEM user
    
*   Features to execute queries, scripts, or workflows by privileged users
    
*   Usage of UDP-based unauthenticated protocols (which can be disabled by the user)
    

Severity

Bounty in USD (Up to)

Low

$ 50

Medium

$ 200

High

$ 800

Critical

$ 3000

We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.

Hall Of Fame for

CVE-2023-23074: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

CVE-2023-23073: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

CVE-2023-23077: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

Tag

#xss