Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.

@@ -88,10 +88,14 @@ func ServeData(ctx \*context.Context, name string, size int64, reader io.Reader)

}

if (st.IsImage() || st.IsPDF()) && (setting.UI.SVG.Enabled || !st.IsSvgImage()) {

ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(\`inline; filename="%s"\`, name))

if st.IsSvgImage() {

if st.IsSvgImage() || st.IsPDF() {

ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")

ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")

ctx.Resp.Header().Set("Content-Type", typesniffer.SvgMimeType)

if st.IsSvgImage() {

ctx.Resp.Header().Set("Content-Type", typesniffer.SvgMimeType)

} else {

ctx.Resp.Header().Set("Content-Type", typesniffer.ApplicationOctetStream)

}

}

} else {

ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(\`attachment; filename="%s"\`, name))

CVE-2022-1928: Fix raw endpoint PDF file headers (#19825) · go-gitea/gitea@65e0688

The new draft guidance on premarket submissions incorporates quality system regulations and doubles down on a life-cycle approach to product security.

It's hard to believe, but medical device manufacturers who are subject to Food and Drug Administration premarket approval — the FDA process of review to evaluate the safety and effectiveness of Class III medical devices — are still operating under the FDA's original medical device cybersecurity guidance from 2014 and a subsequent update in 2018. But that is about to change in a major way.

Instead of finalizing the 2018 premarket cybersecurity draft guidance, the FDA has decided to issue a new 2022 version to reflect the rapid evolution of cybersecurity, incorporating a new set of quality system regulations (QSRs) with significant changes to its 2018 predecessor.

**New FDA Draft Guidance  
**The new draft guidance, titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," deals with myriad design, labeling, and documentation issues that will have to be addressed by medical device manufacturers before their new devices can gain FDA premarket approval.

The FDA's original guidance on cybersecurity was just nine pages while the 2022 version swells to 50 pages, reflecting advancements in the cybersecurity ecosystem and best practices. It appears that, when approving connected medical devices for market, the FDA will be taking a long look at how cybersecurity is implemented, especially regarding levels of risk to patient safety.

**Updated Regulations: Why Now?  
**Requiring greater cybersecurity measures to protect medical devices and their operational and patient data is vital since the healthcare industry has become a massive target of cyberattacks. Data breaches hit an all-time high in 2021, exposing a record volume of protected health information. Besides pilfering data, a growing number of breaches attempt to disrupt the smooth operation of medical devices like computed tomography and magnetic resonance imaging machines, potentially causing incorrect diagnoses, unnecessary medical procedures, or direct harm to patients.

The American Hospital Association's senior adviser for cybersecurity and risk has stated that medical devices used in hospital rooms suffer from an average of 6.2 vulnerabilities. As devices become more complex and interconnected, opportunities for cyberattackers to exploit vulnerabilities are becoming greater, hence the need for updated regulations.

**Incorporating Cybersecurity into Quality System Regulations to Boost Safety  
**With the new guidance, the FDA seeks to ensure that the next generation of medical devices will be far safer and secure throughout the entire device life cycle, from premarket and throughout the entire useful life, beginning from the earliest stages of design (shift-left) to post-production (shift-right).

With the proposed guidance, the FDA is doubling down on its efforts to incorporate cybersecurity into quality regulations to address the complexity of modern devices and today's evolving threat landscape.

**From CBOM to SBOM: What's the Difference?  
**Surprisingly, one of the major changes that the new guidance brings is a leniency in the requirement for manufacturers to provide a complete software bill of materials (SBOM) instead of a more tedious cybersecurity bill of materials (CBOM), as was required in the 2018 draft. Medical device manufacturers were balking at the 2018 guidelines because of this stringency.

An SBOM is more in line with cybersecurity standards across most industries and aligns with the Biden administration's recently issued Executive Order 14028, "Improving the Nation's Cybersecurity." It contains all of the required software packages (commercial and open source) and their versions.

The much more complicated CBOM, according to the 2018 guidance, demands "a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, care providers, and healthcare delivery organizations) to effectively manage their assets, understand the potential impact of identified vulnerabilities to the device — and the connected system — and to deploy countermeasures to maintain the device's essential performance."

**A Secure Product Development Framework for Every Device  
**The latest guidance asks medical device manufacturers to consider using a secure product development framework (SPDF) to achieve the goals of the QSR: "An SPDF encompasses all aspects of a product's lifecycle, including development, release, support, and decommission."

Besides compliance with the draft guidance, the call for using an SPDF can add significant value to medical devices. As the draft guideline states: "Using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered."

**Is the New FDA Draft Guidance Binding?  
**Until July 7, the FDA is inviting medical device manufacturers and the public to comment on the new draft, which is expected to be finalized later this year when it will become the new FDA cybersecurity guidance for medical devices. While FDA guidance is nonbinding, the approved version will provide a road map for how medical device manufacturers should address cybersecurity in their products to ensure compliance and patient safety.

The FDA is not the only federal agency looking to strengthen cybersecurity regs. Legislation called the Protecting and Transforming Cyber Health Care (PATCH) Act was recently introduced in the US Congress. The act, the EO, and other proposed bills contain provisions that will strengthen the FDA's ability to require medical device manufacturers to meet certain cybersecurity objectives.

In order to future-proof for impending legislation, medical device manufacturers should start investigating solutions that can generate detailed SBOMs and continuously detect vulnerabilities and mitigate risks in order to stay compliant with the FDA's 2022 guidance and beyond.

The FDA's New Cybersecurity Guidance for Medical Devices Reminds Us That Safety & Security Go Hand in Hand

An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022.
"The campaigns [...] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes said in a

An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022.

"The campaigns \[...\] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes said in a technical report published Tuesday.

The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as Deep Panda.

The attack chains, while leveraging different lures over the course of two months, all employed the same malware barring small differences in the source code.

The campaign is said to have commenced around February 26, days after Russia's military invasion of Ukraine, with the emails distributing the RAT under the guise of an interactive map of Ukraine ("interactive\_map\_UA.exe").

The development once again demonstrates threat actors' capabilities to adapt and adjust their attacks to world events, using the most relevant and up-to-date lures to maximize their chances of success.

A second early March attack wave primarily targeted the state-controlled RT TV and involved the use of a rogue software fix for the Log4Shell vulnerability that made headlines in late 2021.

Besides including the patch in the form of a compressed TAR file, the email message also came with a PDF document with instructions to install the patch and listed the best security practices to follow, including enabling two-factor authentication, using Kaspersky antivirus, and refraining from opening or replying to suspicious emails.

In a further attempt to boost the authenticity of the email, the document also contained a VirusTotal URL pointing to an unrelated file to give the impression that the Log4j patch file is not malicious.

What's more, the email featured links to an attacker-controlled domain "rostec\[.\]digital" along with fraudulent profiles created on Facebook and Instagram alluding to the Russian defense conglomerate.

"Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign," the researchers said. "This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine."

The third iteration of the attack that followed made use of another malicious executable file — this time "build\_rosteh4.exe" — in an attempt to pass off the malware as though it's from Rostec.

Lastly, in mid-April 2022, the attackers pivoted to a job-themed phishing bait for Saudi Aramco, a Saudi Arabian petroleum and natural gas company, the weaponized Microsoft Word document acting as a trigger for an infection sequence to deploy the RAT.

The DLL payload employs a variety of advanced tricks to thwart analysis, including control flow flattening and string obfuscation, while also incorporating features that allow it to arbitrary files sent from a remote server to the infected host and execute command-line instructions.

The findings closely follow findings from Check Point that a Chinese adversarial collective with connections to Stone Panda and Mustang Panda targeted at least two research institutes located in Russia with a previously undocumented backdoor called Spinner.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find New Malware Attacks Targeting Russian Government Entities

Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.

When it comes to packaging malware, the file format of choice remains Microsoft Word or Excel, but a recent attack using a PDF file to lure in victims caught the attention of researchers.

The campaign _—_ observed by HP Wolf Security _—_ sent the malicious PDF as an email attachment. Once opened, it used a variety of tactics to evade detection, embed malicious files, load remote exploits, and shellcode encryption, according to the researchers.

"Embedding files, loading remotely hosted exploits, and encrypting shellcode are just three techniques attackers use to run malware under the radar," the HP Wolf team reported on the malicious PDF attack in a recent blog post. "The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old, yet continues being used, suggesting the exploit remains effective for attackers."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Attack Shows Weaponized PDF Files Remain a Threat

Ubuntu Security Notice 5438-1 - It was discovered that HTMLDOC did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted HTML file, a remote attacker could possibly use this issue to cause HTMLDOC to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5438-1May 23, 2022htmldoc vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:HTMLDOC could be made to crash or run programs if it received speciallycrafted HTML files.Software Description:- htmldoc: HTML processor that generates indexed HTML, PS, and PDFDetails:It was discovered that HTMLDOC did not properly manage memory under certaincircumstances. If a user were tricked into opening a specially crafted HTMLfile, a remote attacker could possibly use this issue to cause HTMLDOC tocrash, resulting in a denial of service, or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:htmldoc 1.9.7-1ubuntu0.3htmldoc-common 1.9.7-1ubuntu0.3Ubuntu 18.04 LTS:htmldoc 1.9.2-1ubuntu0.2htmldoc-common 1.9.2-1ubuntu0.2In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-5438-1CVE-2021-23165Package Information:https://launchpad.net/ubuntu/+source/htmldoc/1.9.7-1ubuntu0.3https://launchpad.net/ubuntu/+source/htmldoc/1.9.2-1ubuntu0.2

Ubuntu Security Notice USN-5438-1

An in-depth look at the attack chain used by an unknown APT group that has launched four campaigns against Russian targets since February.
The post Unknown APT group has targeted Russia repeatedly since Ukraine invasion appeared first on Malwarebytes Labs.

An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.

The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely. The malware uses a number of advanced tricks to hide what it does and how it works, but our analysts have been able to reverse engineer the malware, reveal its inner workings, and uncover some clues about its possible origins.

Attribution is always difficult, and there is no shortage of countries or agencies with an interest in getting covert access to Russian government computers—and the recent invasion of Ukraine has simply increased the stakes. Although our analysis and attribution efforts are ongoing, we have discovered some indicators that suggest the threat actor may be a Chinese group.

**The campaigns**

The APT group has launched at least four campaigns since late February, using a variety of lures, detailed below.

**1\. Interactive map of Ukraine**

The threat actor started this campaign around February 26, 2022, and distributed its custom malware with the name interactive_map_UA.exe, trying to disguise it as an interactive map of Ukraine. This campaign began a few days after Russia invaded Ukraine, which shows the threat actor was monitoring the situation between Ukraine and Russia and took advantage of it to lure targets in Russia.

**2\. Log4j patch**

In this campaign the threat actor packaged its custom malware in a tar file called Patch_Log4j.tar.gz, a fake fix for December’s high-profile Log4j vulnerability.

This campaign ran in early March and was primarily aimed at RT TV (formerly Russia Today or Rossiya Segodnya, a Russian state-controlled international television network funded by the Russian government). The APT group had access to almost 100 RT TV employees’ email address.

The emails were sent with the subject “Ростех. ФСБ РФ. Роскомнадзор. Срочные сиправления уязвимостей”, which translates into “Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes”. (Rostec is a Russian state-owned defense conglomerate founded by Putin.)

The emails also come with a number of image files and a PDF attached, perhaps to make the email less suspicious, and to bypass any systems that flag emails by number of attachments.

A spear phishing email from an unknown APT group claims to have “urgent vulnerability fixes”

The PDF attachment—О кибербезопасности 3.1.2022.pdf—pretends to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation”. It contains instructions about how to execute the fake patch, as well as a bulleted list of security advice such as “Use two-factor authentication”, “Issue separate credit cards for purchases”, and “Use Kaspersky antivirus”.

A PDF attachment tries to build trust with security advice and instructions on how to run the fake Log4j patch

In a confident demonstration of just how little attention people pay to such lists it ends “Do not open or reply to suspicious emails.”

The list even includes a link to a page on VirusTotal that proclaims in bright green letters that “No security vendors and no sandboxes flagged this file as malicious”. This is just another effort to convince the victims that the attachment is not malicious—the file on VirusTotal has nothing to do with the attachment and appears to be a legitimate OpenVPN file.

The PDF attachment links to a VirusTotal entry for an unrelated file

In another effort to build trust, the spear phishing email links to the website rostec.digital, a domain registered by the threat actor, hosting a site made look like the official Rostec website.

This email also contains links to fake Instagram and Facebook accounts. Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign. This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine.

The rostec.digital website  

The rostec.digital facebook account

The rostec.digital Instagram account

**3\. Build Rostec**

The Rostec defense conglomerate also appears in the third campaign. This time the threat actor used the file name build_rosteh4.exe for its malware—an apparent attempt to make it look like software from Rostec.

**4\. Saudi Aramco job**

The most recent campaign occured in mid April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at Saudi Aramco as a lure.

(We also discovered a self-extracting archive file that belonged to this campaign—the archive file used a Jitsi video conferencing software icon as decoy, and created a directory named Aramco under C:\ProgramData.)

Although the job advert is written in English, it also contains a message in Russian, asking users to enable macros.

A malicious job advert urges Russian readers to enable macros

The document uses remote template injection to download a macro-embedded template, which executes a macro that drops a VBS script called HelpCenterUpdater.vbs in the %USER%\Documents\AdobeHelpCenter directory.

The template also seems to do a redundant check for the existence of %USER%\Documents\D5yrqBxW.txt and only if it doesn’t exist, will it drop the script and execute it.

Macros embedded in the remote template

The obfuscated HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the main payload—a DLL named GE40BRmRLP.dll—from its command and control (C2) server. (Interestingly, some anti-analysis code, and code responsible for persistence, seems to be commented out in UpdateRunner.vbs and isn’t executed.)

In another payload related to this campaign, the script seems to drop an EXE instead of a DLL, but after analyzing both it seems they share the same code.

Deobfuscated HelpCenterUpdater.vbs

The job of the UpdateRunner.vbs script is to execute the DLL through rundll32.exe.

Deobfuscated UpdateRunner.vbs

The malicious DLL contains the code that communicates with the C2 server and executes the commands it receives from it.

The attack chain for the Saudi Aramco-themed APT campaign

The malware, which is common to all four campaigns, is explained in detail in the next section.

**Payload analysis**

This analysis focuses on the GE40BRmRLP.dll payload from the Saudi Aramco campaign, but the malware used in all four campaigns is essentially the same, with small differences in the code.

The DLL is heavily obfuscated and most of the library functions are statically linked. IDA is barely able to recognize any functions, though it was able to recognize a few that indicate the DLL was most likely compiled with LLVM. The DLL’s original name is supposed to be simpleloader.dll, as we can see after analyzing it a bit.

The DLLMain function from GE40BRmRLP.dll

Before we dive into the functionality and capabilities of this malware, let’s look at various methods it uses to make the analysis difficult for us.

**Anti-analysis techniques****Control Flow Flattening**

All of the samples used in these campaigns use control flow flattening heavily, a technique that flattens the nested structure of a program, making analysis very difficult. We used the D810 plugin for IDA which has the capability to deobfuscate flattened code and make the decompilation more readable.

Although there are many tools that can perform control flow flattening, in this case we suspect OLLVM—an obfuscator for LLVM—was used. The different samples had different levels of flattening and OLLVM allows users to specify this. Additionally we also saw what looks like the Bogus Control Flow LLVM pass being used.

Control Flow Flattening used by the malware

**String obfuscation**

The payload’s strings are obfuscated with simple XOR encoding. The decode_string function which is used to decode a string takes 3 arguments: The encoded string, the destination of the decoded string, and the byte that is used while decoding the string.

Each string is decoded every time it’s required by the malware.

The decode_string function from GE40BRmRLP.dll

**Command and control**

Before contacting its C2 server the malware derives an ID which is unique to every machine, which could be used to differentiate infections. It uses the data from the following APIs to construct the ID:

*   GetFileAttributesA on the C:\Windows directory
*   GetComputerNameA
*   GetVolumeInformationA on the C:\ drive

It then calculates a hash of this data using the Blake2b-256 algorithm and sends it when it makes the first contact with its C2.

Deriving the ID

The C2 address is decoded every time the malware sends a request. To communicate with the C2 the malware uses GET requests in the form url/?wSR=_data_, where _data_ contains the encoded information.

Interestingly Any.run and Fiddler fail to capture the HTTPS requests made by the malware. To make them, the malware doesn’t use any library functions but instead implements everything over raw sockets, and it uses the WolfSSL library to implement SSL itself. Our analysis also uncovered traces of http-parser from ZephyrOS. The certificate used for the SSL communication is stored inside the binary as chunks of encoded strings. Initially the malware decodes this data and stores it. Later, while making the HTTPS request, it loads this data using WolfSSL’s loadX509orX509REQFromBuffer.

After making every request the malware sleeps for a random amount of time.

HTTPS GET request

Based on the response to the above request, the malware decides which of command to execute:

1.  **getcomputername**. This retrieves the computer name using GetComputerNameA and sends a response to the C2 containing the unique id and the computer name.
2.  **upload**. This receives a file name and file contents from the C2 which it writes to the local file system.
3.  **execute**. This receives a command line instruction from the C2 and executes it using CreateProcessA. If the command is successful then the malware sends the UID with the “OK” string to the C2, or the output of GetLastError if it fails.
4.  **exit**. This is used to terminate the malware process.
5.  **ls**. This command uses a directory name from the C2, or the name of the current directory if one isn’t provided. It uses the FindFirstFile and FindNextFile function to retrieve a list of all the files under the directory and sends it back to the C2.

The upload command

The List Files command

**Attribution**

Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.

All of the C2s are from BL Networks, which has been used by Chinese APTs in the past. Also, we discovered infrastructure overlap between the malware we analyzed and the Sakula Rat malware used by the Deep Panda APT.

Infrastructure overlap between Sakula RAT and the malware analzed in this article

Another interesting indicator we found was that the macro used in the Aramco campaign is almost identical to some macros used by TrickBot and BazarLoader in the past. We think the actor may have used the same macro builder to generate its macro, and they may have used it as a false flag. There are some other weak indicators, such as WolfSSL, which has been used by Lazarus and Tropic Troopers, but they are not enough to help attribute the attack to any specific actor.

Malwarebytes customers were proactively protected against these campaigns thanks to our heuristic detection engines.

**IOCs****C2 Domains**

windowsipdate\[.\]com  
microsoftupdetes\[.\]com  
mirror-exchange\[.\]com

**C2 IPs**

168.100.11.142  
192.153.57.83  
45.61.137.211  
206.188.197.35

**Download Domain**

fatobara\[.\]com

**Download IP**

91.210.104.54

****Hashes****

Name

Hash

Final payload

cbde42990e53f5af37e6f6a9fd14714333b45498978a7971610acb640ddd5541  
86ecd536c84cec6fc07c4cb3db63faa84f966a95763d855c7f6d7207d672911e  
917820338751b08cefc635090fc23b4556fa77b9007a8f5d72c11e0453bfec95  
22bdc42a86d3c70a01c51f20f5b7cfb353319691a8102f0fe3ea02af9079653e  
12c20f9dbdb8955f3f88e28dc10241f35659dbcd74dadc9a10ca1b508722d69a  
3f16055dc0f79f34f7644cae21dfe92ffc80f2c3839340a7beebd9436da5d0eb  
f5658588c36871421f287f12e7e9ba5afba783a7003da1043a9c52d10354b909  
ca95e8a8b6fb11b5129821f034b337b06cdf407fa9516619f3baed450ac1cf2d  
bac1790efe7618c5b2b9e34e6e1d36ec51592869bcc5fb304dd7554c32731093  
5d039f4368f88a2299be91303c03143e340f700f1fc8aa0a8cdbfbc5a193c6be

patch\_Log4j.tar.gz

4b622d63e6886b1430f6ca9cba519cbefde60cd8b6dbcade7c3a152c3930e7c7

PDF attachment

f4db6fa3a83052152b5d16dc6a4e9749afafc026612ff5c3ad735743736ac488

Emails

0625566ec55f0a083d1c1a548a2631502f17e455066b29731e29d372918e6541 0925b3c05cef6d3476a97b7d4975e9e3ceefedf62f42663b9c02070e587b3f2d 111fef44ba63f11279572f1e7e4d6ce5613ef8fe3b76808355cdcbed47b49fec 1c886a9138f3b0e0b18f1c0da83719a9b5351db7ce24baa13c0e56ef65d96d02 1fb0cd76ec5ae70f08a87f9e81cb5e9b07f9b3306772ae723fa63ff5abfa0d07 27d19efedb6a7c8d3c65fe06fd5be9c3e236600e797e5058705db1e2335ec2ad 310fa9c65aa182a59e001e8f61c079e27d73b8eb5f8f8965509cb781d97ba811 3627b37b341efa0b36352d76480dce994f481e672ebf9fa2da114a1339cf6c01 3655420f72d0c14cfb113ccb53e9ac85b87883913c3844b3e0bfb7bd7230a9bd 3b2ef76ec2eb3b4db4b7efe14d88c5338f1dc4eb9a9cf309989362d193c25403 3e9254d8cb25b2abf4fb755feaaf41c0059c68067e64de01a9242e5d9e47ab33 3ff96e73aeb0419df67bc5fec786a4dc82e4a9051274b4fc3cbc3ae3af7fdf94 44118322165be32de86569972e9f599a3c79a2336ca6f76c29861b40905cd067 4b6b0c29ece1c4719ec4d5186fb6247603fa1f03bd473bf6ef6367995e8c1121 4f28db1131ace2fce96e84172e0a861eb471ea054799e1132eb4945e4dca550b 4f8c2079ac98a3e8e085be8e88ff7b53ea70cb131cba4bfd2784e391d24c27e9 5a662050df51863575700a8e21efe605f4e789404d4bb53b4299f32b93e8d20f 5aa0a15e052fea2a2d445940ef751ddf3d3ae7c43c095a738b9bd603efc7df8b 5b9c7fe8ee5756dbd8563b3efe8dbc0966ad9044ff223b8797940f9e4e47333e 5ccf98699b96c811f4dab768cf486dc0f31b098dba30e031ba4ab2a5a5a3aba8 7ee7b2193b1e53f93dc2ed573d8f927cfa0916ccf111ff35faef9c4b153456f2 80a3de79f6c859d6c4667f705588c7c254d24fca2f44704123a2ba38e7c285a9 810d6566d9879c10a6a8581bb6ea6bed83a14a869383ad7e1ee16eadfd5bbb54 811827026414bdd400257cd3f048a1c75a2b211d02ac790510b800baa0702de4 81f24d1c310214b8f66345f250a6d5493e5e1cdf06d39d18a96cd9f93a1e7655 ac328efa54b6dd4497ba5dc6195474b8b9e5a7bcd32d5733e5006be9bbd0dc22 b63ef28fc1b0b1180fe9f476fe2ef3970b9928b009354e996bb2bf4ece223031 b99580152dde60622c1a962cd7cee1834d0ee86490785ac02d8ee51b73be008f c9623e83d875d6b9ca1a80087151b59a4037159c605ee92c6c795252ccf89596 cd277299ed849de71e88f698c1c06b0cfa65f166b0e90fc620aa50f6efe70161 d4062c6fd3813299ac721309fe0385a5337cea8b8e3605b05458467aeb23d8c0 e19b7dfe0e693c468c73f0a9e4c751216787daeff7d933cedcc10c932bd2835e e444303f1888b1ee5eeb69a0c4c3372b0cd2276b6987b0b18ea2267ff7ba19ad f15d90da5e253aaf570d29ffb9bf87ce7d8292b953d13e5a0f86b8671a4c57e7 fa800e6e16444894455b2a8f9e245efbe8b298fc8af9d7f8e155bb313ca9e7bb fc4af16fed48bd3a029ce8bfc4158712f9ab0cd8b82ca48cb701923d0a792015

Unknown APT group has targeted Russia repeatedly since Ukraine invasion

Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.

Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.

While most malicious e-mail campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.

The campaign—discovered by researchers at HP Wolf Security—aims to dupe victims with an attached PDF file purporting to have information about a remittance payment, according to a blog post published Friday. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection.

“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.”  
Indeed, attackers using malicious email campaigns have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats, according to researchers.

“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.

Still, while the new campaign does use PDF in the file lure, it later employs Microsoft Word to deliver the ultimate payload—the Snake Keylogger, researchers found. Snake Keylogger is a malware developed using .NET that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.

****‘Unusual’ Campaign****

The HPW Wolf Security team noticed a new PDF-based threat campaign on March 23 with an “unusual infection chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.

Attackers target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf”—misspelling intended–as attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers found.

“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt,” according to the post.

The.docx file is stored as an EmbeddedFile object within the PDF, which opens Microsoft Word if clicked on, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which then is run in the context of the open document.

Researchers unzipped the contents of the .rtf—which is an Office Open XML file—finding a URL hidden in the “_document.xml.rels__”_ file that is not a legitimate domain found in Office documents, they said.

****17-Year-Old Bug Exploited****

Connecting to this URL leads to a redirect and then downloads an RTF document called “_f\_document\_shp.do__c._ This document contained two “not well-formed” OLE objects that revealed shellcode exploiting  CVE-2017-11882, which researchers said is an “over four-years-old” remote code execution vulnerability (RCE) in Equation Editor.

Equation Editor is app installed by default with the Office suite that’s used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.

It turns out, however, that the bug that attackers leverage in the campaign is actually one that Microsoft patched more than four years ago–in 2017, to be exact—but actually had existed some 17 years before that, making it 22 years old now.

As the final act of the attack, researchers found shellcode stored in the “_OLENativeStream__”_ structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed after to lead to an executable called _fresh.exe_ that loads the Snake Keylogger, researchers found.

Snake Keylogger Spreads Through Malicious PDFs

Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters.

CVE-2022-29432: wpDataTables – Tables & Table Charts

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, The implementation of `tf.raw_ops.QuantizeAndDequantizeV4Grad` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

/\* Copyright 2015 The TensorFlow Authors. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. \==============================================================================\*/ #include "tensorflow/core/framework/op\_requires.h" #define EIGEN\_USE\_THREADS #if (defined(GOOGLE\_CUDA) && GOOGLE\_CUDA) || \\ (defined(TENSORFLOW\_USE\_ROCM) && TENSORFLOW\_USE\_ROCM) #define EIGEN\_USE\_GPU #endif // GOOGLE\_CUDA || TENSORFLOW\_USE\_ROCM #include "tensorflow/core/kernels/quantize\_and\_dequantize\_op.h" #include "tensorflow/core/framework/op.h" #include "tensorflow/core/framework/op\_kernel.h" #include "tensorflow/core/framework/register\_types.h" #include "tensorflow/core/framework/type\_traits.h" #include "tensorflow/core/framework/types.h" #include "tensorflow/core/lib/core/errors.h" namespace tensorflow { typedef Eigen::ThreadPoolDevice CPUDevice; typedef Eigen::GpuDevice GPUDevice; // Simulate quantization precision loss in a float tensor by: // 1. Quantize the tensor to fixed point numbers, which should match the target // quantization method when it is used in inference. // 2. Dequantize it back to floating point numbers for the following ops, most // likely matmul. template <typename Device, typename T> class QuantizeAndDequantizeV2Op : public OpKernel { public: explicit QuantizeAndDequantizeV2Op(OpKernelConstruction\* ctx) : OpKernel(ctx) { OP\_REQUIRES\_OK(ctx, ctx->GetAttr("signed\_input", &signed\_input\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("axis", &axis\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("num\_bits", &num\_bits\_)); OP\_REQUIRES(ctx, num\_bits\_ > 0 && num\_bits\_ < (signed\_input\_ ? 62 : 63), errors::InvalidArgument("num\_bits is out of range: ", num\_bits\_, " with signed\_input\_ ", signed\_input\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("range\_given", &range\_given\_)); string round\_mode\_string; OP\_REQUIRES\_OK(ctx, ctx->GetAttr("round\_mode", &round\_mode\_string)); OP\_REQUIRES( ctx, (round\_mode\_string == "HALF\_UP" || round\_mode\_string == "HALF\_TO\_EVEN"), errors::InvalidArgument("Round mode string must be " "'HALF\_UP' or " "'HALF\_TO\_EVEN', is '" + round\_mode\_string + "'")); if (round\_mode\_string == "HALF\_UP") { round\_mode\_ = ROUND\_HALF\_UP; } else if (round\_mode\_string == "HALF\_TO\_EVEN") { round\_mode\_ = ROUND\_HALF\_TO\_EVEN; } OP\_REQUIRES\_OK(ctx, ctx->GetAttr("narrow\_range", &narrow\_range\_)); } void Compute(OpKernelContext\* ctx) override { const Tensor& input = ctx->input(0); OP\_REQUIRES( ctx, axis\_ >= -1, errors::InvalidArgument("Axis must be at least -1. Found ", axis\_)); OP\_REQUIRES( ctx, (axis\_ == -1 || axis\_ < input.shape().dims()), errors::InvalidArgument("Shape must be at least rank ", axis\_ + 1, " but is rank ", input.shape().dims())); const int depth = (axis\_ == -1) ? 1 : input.dim\_size(axis\_); Tensor input\_min\_tensor; Tensor input\_max\_tensor; Tensor\* output = nullptr; OP\_REQUIRES\_OK(ctx, ctx->allocate\_output(0, input.shape(), &output)); if (range\_given\_) { input\_min\_tensor = ctx->input(1); input\_max\_tensor = ctx->input(2); if (axis\_ == -1) { auto min\_val = input\_min\_tensor.scalar<T>()(); auto max\_val = input\_max\_tensor.scalar<T>()(); OP\_REQUIRES(ctx, min\_val <= max\_val, errors::InvalidArgument("Invalid range: input\_min ", min\_val, " > input\_max ", max\_val)); } else { OP\_REQUIRES(ctx, input\_min\_tensor.dim\_size(0) == depth, errors::InvalidArgument( "input\_min\_tensor has incorrect size, was ", input\_min\_tensor.dim\_size(0), " expected ", depth, " to match dim ", axis\_, " of the input ", input\_min\_tensor.shape())); OP\_REQUIRES(ctx, input\_max\_tensor.dim\_size(0) == depth, errors::InvalidArgument( "input\_max\_tensor has incorrect size, was ", input\_max\_tensor.dim\_size(0), " expected ", depth, " to match dim ", axis\_, " of the input ", input\_max\_tensor.shape())); } } else { auto range\_shape = (axis\_ == -1) ? TensorShape({}) : TensorShape({depth}); OP\_REQUIRES\_OK(ctx, ctx->allocate\_temp(DataTypeToEnum<T>::value, range\_shape, &input\_min\_tensor)); OP\_REQUIRES\_OK(ctx, ctx->allocate\_temp(DataTypeToEnum<T>::value, range\_shape, &input\_max\_tensor)); } if (axis\_ == -1) { functor::QuantizeAndDequantizeOneScaleFunctor<Device, T> f; f(ctx->eigen\_device<Device>(), input.flat<T>(), signed\_input\_, num\_bits\_, range\_given\_, &input\_min\_tensor, &input\_max\_tensor, round\_mode\_, narrow\_range\_, output->flat<T>()); } else { functor::QuantizeAndDequantizePerChannelFunctor<Device, T> f; f(ctx->eigen\_device<Device>(), input.template flat\_inner\_outer\_dims<T, 3\>(axis\_ - 1), signed\_input\_, num\_bits\_, range\_given\_, &input\_min\_tensor, &input\_max\_tensor, round\_mode\_, narrow\_range\_, output->template flat\_inner\_outer\_dims<T, 3\>(axis\_ - 1)); } } private: int num\_bits\_; int axis\_; QuantizerRoundMode round\_mode\_; bool signed\_input\_; bool range\_given\_; bool narrow\_range\_; }; // Implementation of QuantizeAndDequantizeV4GradientOp. // When back-propagating the error through a quantized layer, the following // paper gives evidence that clipped-ReLU is better than non-clipped: // "Deep Learning with Low Precision by Half-wave Gaussian Quantization" // http://zpascal.net/cvpr2017/Cai\_Deep\_Learning\_With\_CVPR\_2017\_paper.pdf template <typename Device, typename T> class QuantizeAndDequantizeV4GradientOp : public OpKernel { public: explicit QuantizeAndDequantizeV4GradientOp(OpKernelConstruction\* ctx) : OpKernel::OpKernel(ctx) { OP\_REQUIRES\_OK(ctx, ctx->GetAttr("axis", &axis\_)); } void Compute(OpKernelContext\* ctx) override { const Tensor& gradient = ctx->input(0); const Tensor& input = ctx->input(1); Tensor\* input\_backprop = nullptr; OP\_REQUIRES\_OK(ctx, ctx->allocate\_output(0, input.shape(), &input\_backprop)); OP\_REQUIRES( ctx, axis\_ >= -1, errors::InvalidArgument("Axis must be at least -1. Found ", axis\_)); OP\_REQUIRES(ctx, (axis\_ == -1 || axis\_ < input.shape().dims()), errors::InvalidArgument( "Axis should be -1 or 0 or a positive value less than ", input.shape().dims(), "but given axis value was ", axis\_)); OP\_REQUIRES( ctx, input.IsSameSize(gradient), errors::InvalidArgument("gradient and input must be the same size")); const int depth = (axis\_ == -1) ? 1 : input.dim\_size(axis\_); const Tensor& input\_min\_tensor = ctx->input(2); OP\_REQUIRES(ctx, input\_min\_tensor.dims() == 0 || input\_min\_tensor.dims() == 1, errors::InvalidArgument( "Input min tensor must have dimension 1. Recieved ", input\_min\_tensor.dims(), ".")); const Tensor& input\_max\_tensor = ctx->input(3); OP\_REQUIRES(ctx, input\_max\_tensor.dims() == 0 || input\_max\_tensor.dims() == 1, errors::InvalidArgument( "Input max tensor must have dimension 1. Recieved ", input\_max\_tensor.dims(), ".")); if (axis\_ != -1) { OP\_REQUIRES( ctx, input\_min\_tensor.dim\_size(0) == depth, errors::InvalidArgument("min has incorrect size, expected ", depth, " was ", input\_min\_tensor.dim\_size(0))); OP\_REQUIRES( ctx, input\_max\_tensor.dim\_size(0) == depth, errors::InvalidArgument("max has incorrect size, expected ", depth, " was ", input\_max\_tensor.dim\_size(0))); } TensorShape min\_max\_shape(input\_min\_tensor.shape()); Tensor\* input\_min\_backprop; OP\_REQUIRES\_OK(ctx, ctx->allocate\_output(1, min\_max\_shape, &input\_min\_backprop)); Tensor\* input\_max\_backprop; OP\_REQUIRES\_OK(ctx, ctx->allocate\_output(2, min\_max\_shape, &input\_max\_backprop)); if (axis\_ == -1) { functor::QuantizeAndDequantizeOneScaleGradientFunctor<Device, T> f; f(ctx->eigen\_device<Device>(), gradient.template flat<T>(), input.template flat<T>(), input\_min\_tensor.scalar<T>(), input\_max\_tensor.scalar<T>(), input\_backprop->template flat<T>(), input\_min\_backprop->template scalar<T>(), input\_max\_backprop->template scalar<T>()); } else { functor::QuantizeAndDequantizePerChannelGradientFunctor<Device, T> f; f(ctx->eigen\_device<Device>(), gradient.template flat\_inner\_outer\_dims<T, 3\>(axis\_ - 1), input.template flat\_inner\_outer\_dims<T, 3\>(axis\_ - 1), &input\_min\_tensor, &input\_max\_tensor, input\_backprop->template flat\_inner\_outer\_dims<T, 3\>(axis\_ - 1), input\_min\_backprop->template flat<T>(), input\_max\_backprop->template flat<T>()); } } private: int axis\_; }; // Simulate quantization precision loss in a float tensor by: // 1. Quantize the tensor to fixed point numbers, which should match the target // quantization method when it is used in inference. // 2. Dequantize it back to floating point numbers for the following ops, most // likely matmul. // Almost identical to QuantizeAndDequantizeV2Op, except that num\_bits is a // tensor. template <typename Device, typename T> class QuantizeAndDequantizeV3Op : public OpKernel { public: explicit QuantizeAndDequantizeV3Op(OpKernelConstruction\* ctx) : OpKernel(ctx) { OP\_REQUIRES\_OK(ctx, ctx->GetAttr("signed\_input", &signed\_input\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("range\_given", &range\_given\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("narrow\_range", &narrow\_range\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("axis", &axis\_)); } void Compute(OpKernelContext\* ctx) override { const Tensor& input = ctx->input(0); OP\_REQUIRES(ctx, axis\_ < input.dims(), errors::InvalidArgument( "Axis requested is larger than input dimensions. Axis: ", axis\_, " Input Dimensions: ", input.dims())); const int depth = (axis\_ == -1) ? 1 : input.dim\_size(axis\_); Tensor\* output = nullptr; OP\_REQUIRES\_OK(ctx, ctx->allocate\_output(0, input.shape(), &output)); Tensor num\_bits\_tensor; num\_bits\_tensor = ctx->input(3); int num\_bits\_val = num\_bits\_tensor.scalar<int32>()(); OP\_REQUIRES( ctx, num\_bits\_val > 0 && num\_bits\_val < (signed\_input\_ ? 62 : 63), errors::InvalidArgument("num\_bits is out of range: ", num\_bits\_val, " with signed\_input\_ ", signed\_input\_)); Tensor input\_min\_tensor; Tensor input\_max\_tensor; if (range\_given\_) { input\_min\_tensor = ctx->input(1); input\_max\_tensor = ctx->input(2); if (axis\_ == -1) { auto min\_val = input\_min\_tensor.scalar<T>()(); auto max\_val = input\_max\_tensor.scalar<T>()(); OP\_REQUIRES(ctx, min\_val <= max\_val, errors::InvalidArgument("Invalid range: input\_min ", min\_val, " > input\_max ", max\_val)); } else { OP\_REQUIRES(ctx, input\_min\_tensor.dim\_size(0) == depth, errors::InvalidArgument( "input\_min\_tensor has incorrect size, was ", input\_min\_tensor.dim\_size(0), " expected ", depth, " to match dim ", axis\_, " of the input ", input\_min\_tensor.shape())); OP\_REQUIRES(ctx, input\_max\_tensor.dim\_size(0) == depth, errors::InvalidArgument( "input\_max\_tensor has incorrect size, was ", input\_max\_tensor.dim\_size(0), " expected ", depth, " to match dim ", axis\_, " of the input ", input\_max\_tensor.shape())); } } else { auto range\_shape = (axis\_ == -1) ? TensorShape({}) : TensorShape({depth}); OP\_REQUIRES\_OK(ctx, ctx->allocate\_temp(DataTypeToEnum<T>::value, range\_shape, &input\_min\_tensor)); OP\_REQUIRES\_OK(ctx, ctx->allocate\_temp(DataTypeToEnum<T>::value, range\_shape, &input\_max\_tensor)); } if (axis\_ == -1) { functor::QuantizeAndDequantizeOneScaleFunctor<Device, T> f; f(ctx->eigen\_device<Device>(), input.flat<T>(), signed\_input\_, num\_bits\_val, range\_given\_, &input\_min\_tensor, &input\_max\_tensor, ROUND\_HALF\_TO\_EVEN, narrow\_range\_, output->flat<T>()); } else { functor::QuantizeAndDequantizePerChannelFunctor<Device, T> f; f(ctx->eigen\_device<Device>(), input.template flat\_inner\_outer\_dims<T, 3\>(axis\_ - 1), signed\_input\_, num\_bits\_val, range\_given\_, &input\_min\_tensor, &input\_max\_tensor, ROUND\_HALF\_TO\_EVEN, narrow\_range\_, output->template flat\_inner\_outer\_dims<T, 3\>(axis\_ - 1)); } } private: int axis\_; bool signed\_input\_; bool range\_given\_; bool narrow\_range\_; }; // DEPRECATED: Use QuantizeAndDequantizeV2Op. template <typename Device, typename T> class QuantizeAndDequantizeOp : public OpKernel { public: explicit QuantizeAndDequantizeOp(OpKernelConstruction\* ctx) : OpKernel(ctx) { OP\_REQUIRES\_OK(ctx, ctx->GetAttr("signed\_input", &signed\_input\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("num\_bits", &num\_bits\_)); OP\_REQUIRES(ctx, num\_bits\_ > 0 && num\_bits\_ < (signed\_input\_ ? 62 : 63), errors::InvalidArgument("num\_bits is out of range: ", num\_bits\_, " with signed\_input\_ ", signed\_input\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("range\_given", &range\_given\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("input\_min", &input\_min\_)); OP\_REQUIRES\_OK(ctx, ctx->GetAttr("input\_max", &input\_max\_)); if (range\_given\_) { OP\_REQUIRES( ctx, input\_min\_ <= input\_max\_, errors::InvalidArgument("Invalid range: input\_min ", input\_min\_, " > input\_max ", input\_max\_)); } } void Compute(OpKernelContext\* ctx) override { const Tensor& input = ctx->input(0); Tensor\* output = nullptr; OP\_REQUIRES\_OK(ctx, ctx->allocate\_output(0, input.shape(), &output)); // One global scale. Tensor input\_min\_tensor(DataTypeToEnum<T>::value, TensorShape()); Tensor input\_max\_tensor(DataTypeToEnum<T>::value, TensorShape()); // Initialize the tensors with the values in the Attrs. input\_min\_tensor.template scalar<T>()() = static\_cast<T>(input\_min\_); input\_max\_tensor.template scalar<T>()() = static\_cast<T>(input\_max\_); functor::QuantizeAndDequantizeOneScaleFunctor<Device, T> functor; functor(ctx->eigen\_device<Device>(), input.flat<T>(), signed\_input\_, num\_bits\_, range\_given\_, &input\_min\_tensor, &input\_max\_tensor, ROUND\_HALF\_TO\_EVEN, /\*narrow\_range=\*/false, output->flat<T>()); } private: bool signed\_input\_; int num\_bits\_; bool range\_given\_; float input\_min\_; float input\_max\_; }; // Specializations for CPUDevice. namespace functor { template <typename T> struct QuantizeAndDequantizeOneScaleFunctor<CPUDevice, T> { void operator()(const CPUDevice& d, typename TTypes<T>::ConstVec input, const bool signed\_input, const int num\_bits, const bool range\_given, Tensor\* input\_min\_tensor, Tensor\* input\_max\_tensor, QuantizerRoundMode round\_mode, bool narrow\_range, typename TTypes<T>::Vec out) { QuantizeAndDequantizeOneScaleImpl<CPUDevice, T>::Compute( d, input, signed\_input, num\_bits, range\_given, input\_min\_tensor, input\_max\_tensor, round\_mode, narrow\_range, out); } }; template <typename T> struct QuantizeAndDequantizePerChannelFunctor<CPUDevice, T> { void operator()(const CPUDevice& d, typename TTypes<T, 3\>::ConstTensor input, bool signed\_input, int num\_bits, bool range\_given, Tensor\* input\_min\_tensor, Tensor\* input\_max\_tensor, QuantizerRoundMode round\_mode, bool narrow\_range, typename TTypes<T, 3\>::Tensor out) { QuantizeAndDequantizePerChannelImpl<CPUDevice, T>::Compute( d, input, signed\_input, num\_bits, range\_given, input\_min\_tensor, input\_max\_tensor, round\_mode, narrow\_range, out); } }; template <typename T> struct QuantizeAndDequantizeOneScaleGradientFunctor<CPUDevice, T> { void operator()(const CPUDevice& d, typename TTypes<T>::ConstFlat gradient, typename TTypes<T>::ConstFlat input, typename TTypes<T>::ConstScalar input\_min\_tensor, typename TTypes<T>::ConstScalar input\_max\_tensor, typename TTypes<T>::Flat input\_backprop, typename TTypes<T>::Scalar input\_min\_backprop, typename TTypes<T>::Scalar input\_max\_backprop) { QuantizeAndDequantizeOneScaleGradientImpl<CPUDevice, T>::Compute( d, gradient, input, input\_min\_tensor, input\_max\_tensor, input\_backprop, input\_min\_backprop, input\_max\_backprop); } }; template <typename T> struct QuantizeAndDequantizePerChannelGradientFunctor<CPUDevice, T> { void operator()(const CPUDevice& d, typename TTypes<T, 3\>::ConstTensor gradient, typename TTypes<T, 3\>::ConstTensor input, const Tensor\* input\_min\_tensor, const Tensor\* input\_max\_tensor, typename TTypes<T, 3\>::Tensor input\_backprop, typename TTypes<T>::Flat input\_min\_backprop, typename TTypes<T>::Flat input\_max\_backprop) { QuantizeAndDequantizePerChannelGradientImpl<CPUDevice, T>::Compute( d, gradient, input, input\_min\_tensor, input\_max\_tensor, input\_backprop, input\_min\_backprop, input\_max\_backprop); } }; template struct functor::QuantizeAndDequantizeOneScaleGradientFunctor<CPUDevice, float\>; template struct functor::QuantizeAndDequantizePerChannelGradientFunctor< CPUDevice, double\>; } // namespace functor #define REGISTER\_CPU\_KERNEL(T) \\ REGISTER\_KERNEL\_BUILDER(Name("QuantizeAndDequantizeV2") \\ .Device(DEVICE\_CPU) \\ .TypeConstraint<T>("T"), \\ QuantizeAndDequantizeV2Op<CPUDevice, T>); \\ REGISTER\_KERNEL\_BUILDER(Name("QuantizeAndDequantizeV3") \\ .Device(DEVICE\_CPU) \\ .TypeConstraint<T>("T"), \\ QuantizeAndDequantizeV3Op<CPUDevice, T>); \\ REGISTER\_KERNEL\_BUILDER(Name("QuantizeAndDequantizeV4") \\ .Device(DEVICE\_CPU) \\ .TypeConstraint<T>("T"), \\ QuantizeAndDequantizeV2Op<CPUDevice, T>); \\ REGISTER\_KERNEL\_BUILDER(Name("QuantizeAndDequantizeV4Grad") \\ .Device(DEVICE\_CPU) \\ .TypeConstraint<T>("T"), \\ QuantizeAndDequantizeV4GradientOp<CPUDevice, T>); \\ REGISTER\_KERNEL\_BUILDER( \\ Name("QuantizeAndDequantize").Device(DEVICE\_CPU).TypeConstraint<T>("T"), \\ QuantizeAndDequantizeOp<CPUDevice, T>); TF\_CALL\_float(REGISTER\_CPU\_KERNEL); TF\_CALL\_double(REGISTER\_CPU\_KERNEL); #undef REGISTER\_CPU\_KERNEL #if (defined(GOOGLE\_CUDA) && GOOGLE\_CUDA) || \\ (defined(TENSORFLOW\_USE\_ROCM) && TENSORFLOW\_USE\_ROCM) #define REGISTER\_GPU\_KERNEL(T) \\ REGISTER\_KERNEL\_BUILDER(Name("QuantizeAndDequantizeV2") \\ .Device(DEVICE\_GPU) \\ .HostMemory("input\_min") \\ .HostMemory("input\_max") \\ .TypeConstraint<T>("T"), \\ QuantizeAndDequantizeV2Op<GPUDevice, T>); \\ REGISTER\_KERNEL\_BUILDER(Name("QuantizeAndDequantizeV3") \\ .Device(DEVICE\_GPU) \\ .HostMemory("input\_min") \\ .HostMemory("input\_max") \\ .HostMemory("num\_bits") \\ .TypeConstraint<T>("T"), \\ QuantizeAndDequantizeV3Op<GPUDevice, T>); \\ REGISTER\_KERNEL\_BUILDER(Name("QuantizeAndDequantizeV4") \\ .Device(DEVICE\_GPU) \\ .HostMemory("input\_min") \\ .HostMemory("input\_max") \\ .TypeConstraint<T>("T"), \\ QuantizeAndDequantizeV2Op<GPUDevice, T>); \\ REGISTER\_KERNEL\_BUILDER(Name("QuantizeAndDequantizeV4Grad") \\ .Device(DEVICE\_GPU) \\ .HostMemory("input\_min") \\ .HostMemory("input\_max") \\ .TypeConstraint<T>("T"), \\ QuantizeAndDequantizeV4GradientOp<GPUDevice, T>); \\ REGISTER\_KERNEL\_BUILDER( \\ Name("QuantizeAndDequantize").Device(DEVICE\_GPU).TypeConstraint<T>("T"), \\ QuantizeAndDequantizeOp<GPUDevice, T>); TF\_CALL\_float(REGISTER\_GPU\_KERNEL); TF\_CALL\_double(REGISTER\_GPU\_KERNEL); #undef REGISTER\_GPU\_KERNEL #endif // GOOGLE\_CUDA || TENSORFLOW\_USE\_ROCM } // namespace tensorflow

CVE-2022-29192: tensorflow/quantize_and_dequantize_op.cc at f3b9bf4c3c0597563b289c0512e98d4ce81f886e · tensorflow/tensorflow

Cross-Site Scripting (XSS) vulnerability in WP Wham's Checkout Files Upload for WooCommerce plugin <= 2.1.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Checkout Files Upload for WooCommerce plugin lets your customers upload files on (or after) WooCommerce checkout.

**Features**

Set field’s **position** on WooCommerce checkout page:

*   Before checkout form.
*   After checkout form.
*   Do not add on checkout.

Set if file upload **is required**.

If you need files to be uploaded after order is created, you can optionally add field to:

*   WooCommerce **Thank You** (i.e. **Order Received**) page.
*   WooCommerce **My Account** page.

Add custom **label** to the field.

Set **accepted file types**.

Set custom Upload and Remove **button labels**.

Set **custom messages**:

*   “Wrong file type”.
*   “Wrong image dimensions” and “Couldn’t get image dimensions”.
*   “File is required”.
*   “File was successfully uploaded”.
*   “No file selected”.
*   “File was successfully removed”.

Optionally set field to show up only if in cart there are selected:

*   **Products**.
*   **Product categories**.
*   **Product tags**.

Add uploaded files to admin and customers **emails**.

Send **additional emails** if user uploads or removes files on “Thank You” or “My Account” pages.

**Customize** the frontend files upload form.

Optionally enable **AJAX form** for file uploads.

Set **max file size** option.

Optionally **validate image dimensions**.

**Feedback**

*   We are open to your suggestions and feedback. Thank you for using or trying out one of our plugins!
*   Drop us a line at www.wpwham.com.

**More**

*   Visit the Checkout Files Upload for WooCommerce plugin page.

1.  Upload the entire plugin folder to the /wp-content/plugins/ directory.
2.  Activate the plugin through the “Plugins” menu in WordPress.
3.  Start by visiting plugin settings at “WooCommerce > Settings > Checkout Files Upload”.

This plugin it might be very helpful if, for some reason, you have to let customers upload files during the checkout.

The free version of this plugin is just brilliant! The UI is very easy to understand, making it pretty straightforward to configure. We needed to have an upload field on the Checkout so customers could attach a PDF file. The file can be included as an actual email attachment, and not just a link. It also has the ability to include the upload field conditionally, meaning you can link it to a specific product on the backend, and it will just show if that product is in cart. I have tested multiple checkout upload plugins over the last few months. This is HANDS DOWN the BEST plugin of its kind on the market.

The free version of the plugin does much more than other paid plugins do. So many possibilities for customisation.

I have been facing a problem from three days on order at checkout file upload attachment not showing in mail .it was working fine before. kindly help me . https://fastprintamman.com/ palce a order and on check out there is file upload that attachment not showing in admin mail

Is it possible to set MINIMUM dimensions for both height and width? Also, the progress meter doesn't seem to actually reflect the upload progress... It just jumps to 100% almost immediately...

Read all 10 reviews

“Checkout Files Upload for WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    WP Wham

**2.1.3 – 2022-05-10**

*   FIX: escape filenames on order confirmation/thank you pages.

**2.1.2 – 2021-12-23**

*   FIX: potential XSS vulnerability (thanks to Vlad at Patchstack).
*   FIX: minor display bug in settings due to WooCommerce update.

**2.1.1 – 2021-09-16**

*   UPDATE: PHP 8 now officially supported.
*   UPDATE: updated .pot file for translations.

**2.1.0 – 2021-04-15**

*   NEW: added more options to “validate image dimensions” setting: “greater than or equal”, and “less than or equal”.
*   NEW: added button to delete file attachments on admin “edit order” page. (If you don’t want the ability to delete files, you can use the filter wpwham_checkout_files_upload_allow_admin_delete_files to disable it).
*   FIX: check if server’s temporary directory is writeable. If not, display an error message. (Solves an issue with 0-byte files being uploaded).
*   FIX: bug where sometimes 0-byte files were attached to order emails.
*   UPDATE: for text labels/notices, made it possible for a translated string to take precedence over stored settings. (Previously it was the other way around. This should now make things easier if you use a translation plugin like LocoTranslate, Polylang, etc).
*   UPDATE: performance improvement — load our admin assets only when needed.
*   UPDATE: updated .pot file for translations.

**2.0.4 – 2021-01-12**

*   FIX: clean output buffer before downloads (solves conflict with some 3rd-party plugins which interfere with the output buffer, causing downloads to appear as empty or corrupt).

**2.0.3 – 2020-09-17**

*   UPDATE: display our settings in WC status report.

**2.0.2 – 2020-08-21**

*   FIX: upload button translation issue (removed old label settings, added new ones).
*   UPDATE: updated .pot file for translations.

**2.0.1 – 2020-06-17**

*   FIX: issue with upload button not working in certain themes.
*   FIX: user permissions issue incorrectly preventing downloading of images from the WP admin side.
*   FIX: JS typo.

**2.0.0 – 2020-06-11**

*   NEW: **Breaking Change** the Form (simple) template has been removed, and Form (AJAX) is now the standard template. Form (AJAX) has been the default since v1.4.0 (2018-08-25), so for most people this change will have no effect. However, if you were using Form (simple), or if you had customized either template, please double check your settings to make sure things look correct. Or, you can reset the settings to get a fresh start.
*   NEW: **Breaking Change** in template settings, the variable %field_html% which previously contained BOTH the field html AND the upload button itself, has been split into separate variables %field_html% and %button_html%. Your template settings will be updated automatically to reflect this.
*   NEW: image thumbnails will be shown by default. The image feature has existed since v1.4.0 (2018-08-25), but some people didn’t realize this and/or didn’t know they needed to add %image% into the template to enable it. Now %image% is included in the template by default. If you don’t want this, simply edit your template settings and remove the %image% variable.
*   NEW: show spinner when processing, and prevent checkout form submission before upload is completed.
*   UPDATE: change the way we handle sessions — only start them when needed, not on every page load.
*   UPDATE: extensive code refactoring.
*   UPDATE: updated some styling and text. For example, progress bars (if enabled) are now green.
*   UPDATE: updated .pot file for translations.

**1.5.4 – 2020-01-14**

*   UPDATE: add new filters ‘wpw\_checkout\_files\_upload\_form\_html’ and ‘wpw\_checkout\_files\_upload\_form\_ajax\_html’.
*   UPDATE: wrap checkout page file upload controls in

<

div>.

**1.5.3 – 2019-11-22**

*   UPDATE: bump tested versions

**1.5.2 – 2019-11-15**

*   UPDATE: bump tested versions

**1.5.1 – 2019-09-12**

*   UPDATE: bump tested upto versions

**1.5.0 – 2018-10-08**

*   FIX: php notice
*   UPDATE: updated .pot file for translations

**1.4.5 – 2018-10-01**

*   Dev – [alg_wc_cfu_translate] shortcode added and do_shortcode() is now applied to each file’s “Labels”.

**1.4.4 – 2018-09-13**

*   Dev – Emails – “Additional Emails Options” subsection added.
*   Dev – “Raw” input is now allowed in all textarea admin settings fields.
*   Dev – Code refactoring – “Reset” function re-written.
*   Dev – Code refactoring – custom_number_checkout_files_upload settings type removed.
*   Dev – “Your settings have been saved” admin notice added.

**1.4.3 – 2018-09-10**

*   Dev – “Author URI” updated.

**1.4.2 – 2018-09-10**

*   Dev – “Contributors” updated.

**1.4.1 – 2018-08-27**

*   Fix – %image% in AJAX form fixed on “Thank you” and “My Account” pages.
*   Dev – “Validate image dimensions” options added for each file.
*   Dev – Minor code refactoring.
*   Dev – Minor admin settings restyling.

**1.4.0 – 2018-08-25**

*   Fix – User file download fixed on “Thank you” and “My Account” pages.
*   Dev – %image% replaced value added.
*   Dev – “AJAX form” now is enabled (yes) in settings by default.
*   Dev – Code refactoring.
*   Dev – Minor admin settings restyling.
*   Dev – Plugin URI updated.

**1.3.0 – 2018-06-09**

*   Fix – Case insensitive comparison of the “Accepted file types” options.
*   Fix – Default values fixed for all get_option() calls.
*   Dev – “AJAX form” options added.
*   Dev – “Max file size” options added.
*   Dev – Filter rewritten.
*   Dev – Admin settings – “Reset settings” section added.
*   Dev – Admin settings – Files settings added as separate sections.
*   Dev – Admin settings – Minor changes: restyling; select option type changed to wc-enhanced-select; settings array saved as main class property.

**1.2.0 – 2017-05-10**

*   Fix – Call to undefined function is_shop_manager() error fixed.
*   Dev – WooCommerce v3.x.x compatibility – Order ID – using function instead of accessing property directly.
*   Dev – load_plugin_textdomain moved to constructor from init hook.
*   Dev – Plugin link changed from http://coder.fm to https://wpcodefactory.com.

**1.1.1 – 2016-12-07**

*   Dev – alg_current_filter_priority() modified for compatibility with WordPress since v4.7.
*   Dev – Language (POT) file updated.
*   Dev – Checking for Pro modified.

**1.1.0 – 2016-11-28**

*   Dev – “Form Template Options” settings section added.
*   Dev – Language (POT) file added.
*   Dev – “Emails Options” settings moved to separate section.

**1.0.0 – 2016-09-05**

*   Initial Release.

Tag

#pdf