An remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

UPDATE

A critical security vulnerability in Atlassian Confluence is under active attack, opening servers to full system takeover, security researchers warned.

The bug (CVE-2022-26134) is a command-injection issue that allows unauthenticated remote code execution (RCE), affecting all supported versions of Confluence Server and Confluence Data Center. According to a forensic investigation of two zero-day attacks by Volexity, it can be exploited without needing credentials or user interaction, simply by sending a specially crafted Web request to the Confluence system.

No Atlassian Cloud sites have been impacted.

Confluence is a remote working and corporate workspace suite used for project management and collaboration among teams. As such, it houses sensitive data on projects, specific users, and potentially partners and customers; also, it tends to be integrated with other corporate resources, servers, and systems. A successful exploit would allow attackers to vacuum up data from the platform as well as pivot to burrowing deeper into an organization's network as a prelude to, say, a ransomware attack.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity researchers noted.

Researchers have advised administrators to remove external access to their Confluence servers immediately until patches have been applied. In the meantime, Atlassian confirmed in its advisory that has rushed a fix, with patches rolling out towards the close of business ET on June 3.

A spokesperson told Dark Reading that the company has "contacted all potentially vulnerable customers directly to notify them of the fix."

**Zero-Day Atlassian Confluence Attacks**

During its investigation, Volexity followed the path of attackers in two instances, which was the same in both. To start, the culprits exploited the vulnerability to create an interactive webshell (by writing a malicious class file in memory), which gave them persistent backdoor access to the server without having to write anything to disk.

After that, the firm observed that the threat actors dropped the Behinder implant on the server, which is an open source tool for creating flexible memory-only webshells. It also allows integration with Meterpreter and Cobalt Strike, two tools that are most often used for lateral movement. Meterpreter allows users to fetch various Metasploit modules (i.e., working exploits for known bugs), while Cobalt Strike is a pen-testing tool that's often used by the bad guys to probe for and compromise new targets on the network.

Once Behinder was in place, Volexity found that the adversaries went on to install two additional webshells to disk: China Chopper and a custom file upload shell. China Chopper is a tool that's been around for a decade, which allows attackers to retain access to an infected Web server using a client-side application. The client contains all the logic required to control the target, which makes it very easy to use.

Once this basic infection setup was in place, the attackers ran several commands, including those aimed at reconnaissance (checking the operating system, looking for password repositories); stealing information and user tables from the local Confluence database; and altering Web access logs to remove evidence of exploitation, Volexity said.

While the firm detected two zero-day attacks, it's likely that the activity is more widespread. "Volexity has reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China," researchers said.

**How to Prevent Confluence Compromise**

The best option beyond patching to prevent compromise is simply to disable Confluence Server and Confluence Data Center instances, remove all external access, or use IP address safelisting rules to restrict access to only trusted endpoints, researchers noted. Organizations can also add Java deserialization rules that defend against RCE injection vulnerabilities to their Web application firewalls (WAFs).

It's also important to uncover signs of any compromise, given that an infection can persist beyond patching.

"The presence of a webshell provides an attacker with the ability to maintain access to a compromised system even after a vulnerability like this one has been patched," notes Satnam Narang, senior staff research engineer at Tenable. "We observed the same following exploitation of the ProxyShell vulnerability last year, where attackers implanted webshells onto vulnerable Microsoft Exchange Server instances."

However, "these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities," Volexity pointed out.

Volexity researchers offered the following advice:

*   Ensure Internet-facing Web services have robust monitoring capabilities and log retention policies to assist in the event of an incident
*   Send relevant log files from Internet-facing web servers to a SIEM or Syslog server
*   Monitor child processes of Web application processes for suspicious processes (in this case, the Python shell is a good example of this)

If past is prologue, it's good to be vigilant on this one: Attackers see Confluence as a popular target, as shown by the mass exploitation of another RCE flaw last fall, in volumes that were large enough to trigger a CISA alert.

"While there are currently no exploitation details or proof-of-concept for this vulnerability, we know from history that attackers relish the opportunity to target Atlassian products like Confluence," Narang tells Dark Reading. "We strongly encourage organizations to review their mitigation options until patches are available."

Greg Fitzgerald, co-founder at Sevco Security, also cautions organizations to take proactive steps to generally prevent zero-day attacks.

“Organizations vulnerable to this exploit cannot simply sit back and assume that this will be resolved through their typical patch management process," he tells Dark Reading. "When Atlassian releases a patch, that will be the first step for most organizations. But while patching vulnerabilities works great for the systems that you know about, the vast majority of enterprises simply don’t know the entirety of their attack surface. This is because maintaining an accurate IT asset inventory in a dynamic environment is exceptionally difficult. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”

**_This post was updated at 4:45 ET to reflect that the bug is no longer unpatched._**

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

A vulnerability in Atlassian Confluence was found by performing an incident response investigation on a compromised server. The vulnerability is not yet patched.
The post Unpatched Atlassian Confluence vulnerability is actively exploited appeared first on Malwarebytes Labs.

Researchers found a vulnerability in Atlassian Confluence by conducting an incident response investigation. Atlassian rates the severity level of this vulnerability as critical.

Atlassian has issued a security advisory and is working on a fix for the affected products. This qualifies the vulnerability as an actively exploited in the wild zero-day vulnerability.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-26134.

**Confluence**

Atlassian Confluence is a collaboration tool in wiki style. Confluence is a team collaboration platform that connects teams with the content, knowledge, and their co-workers, which helps them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.

Confluence Server is the on-premises version which is being phased out. Confluence Data Center is the self-managed enterprise edition of Confluence.

**The vulnerability**

The description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.

During the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.

It became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.

After the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.

**The attack**

The researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.

A web shell is a a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

This web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts, the client interface  and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web only served as a means of secondary access.

On further investigation they found bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.

Research showed that the web server process as well as the child processes created by the exploit were all running as root (with full privileges) user and group. These types of vulnerabilities are dangerous, as it allows attackers to execute commands and gain full control of a vulnerable system. They can even do this without valid credentials as long as it is possible to make web requests to the Confluence system.

After successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike.

**Mitigation**

There are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. Options to consider include:

*   Restricting access to Confluence Server and Data Center instances from the internet.
*   Disabling Confluence Server and Data Center instances.
*   If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing **${** may reduce your risk.

_Note: **${** is the first part of a parameter substitution in a shell script_

**Affected versions**

All supported versions of Confluence Server and Data Center are affected. And according to Atlassian it’s likely that **all** versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.

One important exception: if you access your Confluence site via an atlassian.net domain. This means it is hosted by Atlassian and is not vulnerable.

We will keep you posted about the developments, so stay tuned.

Unpatched Atlassian Confluence vulnerability is actively exploited

In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

Real Player 'external::Import()' Arbitrary file download, Directory Traversal Vulnerabilities leads to Remote Code Execution

video demo: https://youtu.be/CONlijEgDLc

Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special mean which is application specific:

The 'external' object and it exposes several custom methods and properties.

The 'Import()' method is handled in unsafe way regarding the 'Copy to My Music' parameter, which allows for arbitrary file types downloading which could be unsafe as only audio/image/video types should be allowed to download to the user´s disk. Additionally it does not properly sanitize file paths allowing planting of arbitrary files on arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user closes the dialog box. Additionally when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait until reboot (true when file is planted in 'startup' folder).

The attacker needs to host the files to be copied/downloaded in an SMB or WebDav share. The directory 'appdata' must be placed in the share´s root.

Also a DOS condition in 'external.PreloadURL()' helps so that the files are not deleted by Real Player

The PoC will drop 'shdoclc.dll' (has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes) to the user´s 'windowsapps' folder and 'write.exe' to 'startup' folder, so it works universally (any Windows version from at least XP up to 11)

tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309

CVE-2022-32270: GitHub - Edubr2020/RP_Import_RCE

StarWind SAN and NAS v0.2 build 1914 allow remote code execution.

**Title:** CVE-2022-32268 Remote code execution in StarWind products

**Note:** StarWind will continue to update this vulnerability as new information becomes available.

**Vulnerability ID:** SW-20220531-0001

**Version:** 1.0

**Date:** 2022-05-31

**Status:** Final

*   Overview
*   Affected Products
*   Remediation
*   Revision History

****Summary****

REST command which allows changing hostname doesn’t check a new hostname parameter. It goes directly to bash as part of a script.

****Impact** **

The attacker can inject arbitrary data into the command that will be executed with root privileges.

****Vulnerability Scoring****

CVE

CVSS 2.0 Score

CVSS 3.x Score

CVE-2022-32268

**Vector****References**

Resource

Hyperlink

NVD

****Affected Products:****

StarWind SAN and NAS v0.2 build 1914

**Not affected products:**

StarWind VSAN for Hyper-V (all versions)

StarWind VSAN for vSphere (all versions)

StarWind SA (any setup)

StarWind VTLA (any setup)

StarWind VTL component (all versions)

StarWind V2V (all versions)

StarWind Tape Redirector component (all versions)

StarWind Deduplication Analyzer (all versions)

StarWind rPerf (all versions)

StarWind iSCSI Accelerator (all versions)

****Software Versions and Fixes****

StarWind SAN and NAS v0.2 build 1914

****Workaround****

Update StarWind SAN and NAS to the v1.2 build 2481 or higher

****Obtaining Software Fixes** **

Software updates will be available in StarWind release notes – https://www.starwindsoftware.com/release-notes-build. To update the software, perform the steps described at the following link  – https://knowledgebase.starwindsoftware.com/guidance/upgrading-from-any-starwind-version-to-any-starwind-version/ or contact support to perform an update. You can submit a support request using the following link https://www.starwindsoftware.com/support-form or contact Support directly via email support@starwind.com or via phone +1 617 829 4499.

****Status of Notice****

**Final**

StarWind will continue to update information regarding this vulnerability as new details become available.

This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by StarWind Software.

**Revision History** 

Revision #

Date

Comments

1.0

2022-05-31

Initial Public Release and Final Status

CVE-2022-32268: CVE-2022-32268 Remote code execution in StarWind products

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.
The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134.
"Atlassian has been made aware of current active exploitation of a

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.

The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.

"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it said in an advisory.

"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available.

Confluence Server version 7.18.0 is known to have been exploited in the wild, although Confluence Server and Data Center versions 7.4.0 and later are potentially vulnerable.

In the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling Confluence Server and Data Center instances altogether.

Volexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.

The attack chain involved leveraging the Atlassian zero-day exploit — a command injection vulnerability — to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.

"Behinder provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike," the researchers said. "At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out."

Subsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including China Chopper and a custom file upload shell to exfiltrate arbitrary files to a remote server.

The development comes less than a year after another critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity said. "Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially exposing the server to RCE.

**Command injection in google-it**

High severity GitHub Reviewed Published Jun 3, 2022 • Updated Jun 3, 2022

GHSA-7xhv-mpjw-422f: Command injection in google-it

A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL.

**Server-Side Template Injection in formio**

Moderate severity GitHub Reviewed Published Jun 3, 2022 • Updated Jun 3, 2022

GHSA-52vj-mr2j-f8jh: Server-Side Template Injection in formio

A CWE-20: Improper Input Validation vulnerability exists that could cause potential remote code execution when an attacker is able to intercept and modify a request on the same network or has configuration access to an ION device on the network. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

Schneider Electric is aware of a vulnerability in its PowerLogic ION Setup product. The PowerLogic ION Setup product is an engineering tool for configuration and maintenance of PowerLogic metering devices. Failure to apply the remediations provided below may risk remote code execution, which could result in a compromise of the engineering workstation running the ION Setup software.

Date : 06/05/2022 Type : Security and Safety Notice  

Languages : English Latest Version : 1.0

Reference : SEVD-2022-130-01

Date : 06/05/2022 Type : Security and Safety Notice Languages : English Latest Version : 1.0 Reference : SEVD-2022-130-01

CVE-2022-30232: Security Notification - PowerLogic ION Setup | Schneider Electric

NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.

**NETSCOUT Security**

**CVE-2021-45981**

CVE

Title

Version

Severity

CVE-2021-45981

XML External Entity (XXE)

6.3.2

Base

**Summary**

NETSCOUT Systems in nGeniusONE version 6.3.2 build 904 allows XML External Entity (XXE) attacks. Attack complexity is high. Privileges required none. User interaction required and scope is unchanged.

NetScout Systems would like to acknowledge Lukasz Plonka for reporting CVE-2021-45981 to techsupport@netscout.com

   
**Fixed Software**

Customers should install patch 6.3.2 P12 to eliminate this vulnerability. The patch is available on My NETSCOUT account page or may be obtained by contacting NETSCOUT support at 1-800-708-4784. Please note all future versions include this fix.

techsupport@netscout.com

**CVE-2021-45982**

CVE

Title

Version

Severity

CVE-2021-45982

Arbitrary File Upload

6.3.2

Base

**Summary**

NETSCOUT Systems in nGeniusONE version 6.3.2 build 904 allows an Arbitrary File Upload vulnerability. Attack complexity is high. Privileges required low. User interaction required and scope is unchanged.

NetScout Systems would like to acknowledge Lukasz Plonka for reporting CVE-2021-45982 to techsupport@netscout.com

   
**Fixed Software**

Customers should install patch 6.3.2 P10  to eliminate this vulnerability. The patch is available on My NETSCOUT account page or may be obtained by contacting NETSCOUT support at 1-800-708-4784. Please note all future versions include this fix.

techsupport@netscout.com

**CVE-2021-45983**

CVE

Title

Version

Severity

CVE-2021-45983

Java RMI Remote Code Execution

6.3.2

Base

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.2 build 904 allows Java RMI Code Execution attacks. Attack complexity is high. Privileges required none. User interaction required and scope is unchanged.

NetScout Systems would like to acknowledge Lukasz Plonka for reporting CVE-2021-45982 to techsupport@netscout.com

   
**Fixed Software**

Customers should install 6.3.2 P12 to eliminate this vulnerability. The patch is available on My NETSCOUT account page or may be obtained by contacting NETSCOUT support at 1-800-708-4784. Please note all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35205**

CVE

Title

Severity

Published

Updated

CVE-2021-35205

Open Redirection

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows URL redirection in redirector. The Attack complexity is low, and the privileges required are also low. User Interaction required, and Scope is unchanged

  **Fixed Software**

Customers should request a patch 6.3.2 FCS B426 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35204**

CVE

Title

Severity

Published

Updated

CVE-2021-35204

Cross-Site Scripting (XSS)

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows Reflected Cross-Site Scripting (XSS) in the support endpoint. Attack Complexity required is low. Privileges required are low and User Interaction required, and Scope is unchanged. The victim has to click on the provided URL.

**Fixed Software**

Customers should request a patch 6.3.0 P6 B1413 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35203**

CVE

Title

Severity

Published

Updated

CVE-2021-35203

Incorrect Access Control

Medium

09/30/2021

10/04/2021

**Summary** 

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint. The attacker needs to send a specially crafted request with a parameter with the file name to read. The Attack Complexity is low, and the privileges required are low. User Interaction is required, and Scope is unchanged

**Fixed Software**

 Customers should request a patch 6.3.0 P6 B1413 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784. Please note that all future versions include this fix.

 techsupport@netscout.com

**CVE-2021-35202**

CVE

Title

Severity

Published

Updated

CVE-2021-35202

Insecure Permissions

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows Authorization Bypass (to access an endpoint) in FDSQueryService. Attack Complexity is Low. The attacker can reach endpoints that are restricted. User Interaction is required, and Scope is unchanged

  **Fixed Software**

Customers should request a patch 6.3.0 P6 B1413 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35201**

CVE

Title

Severity

Published

Updated

CVE-2021-35201

XML External Entity (XXE)

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems NEI in nGeniusONE version 6.3.0 build 1196 allows XML External Entity (XXE) attacks. Attack Complexity is High, Privileges Required None, User Interaction Required and Scope is unchanged.

**Fixed Software**

Customers should request a patch 6.3.0 P4 B1406 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35200**

CVE

Title

Severity

Published

Updated

CVE-2021-35200

Stored Cross-Site Scripting (XSS)

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 has stored cross-site scripting in FDSQueryService vulnerability that a high-privileged user can exploit. This would require a user with high privileges. Attack complexity is High, and the Scope is Unchanged

**Fixed Software**

Customers should request a patch 6.3.0 P5 B1411 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35199**

CVE

Title

Severity

Published

Updated

CVE-2021-35199

Stored Cross-Site Scripting (XSS) in UploadFile

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 and earlier has stored cross-site scripting in Packet Analysis module Upload File vulnerability that a normal user can exploit. This requires a little crypto knowledge to exploit. The vulnerability exists in upload functionality.

**Fixed Software**

Customers should request a patch 6.3.0 P5 B1411 to eliminate this vulnerability. This is available on the My NETSCOUT page or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix.

techsupport@netscout.com

**CVE-2021-35198**

CVE

Title

Severity

Published

Updated

CVE-2021-35198

Stored Cross-Site Scripting (XSS) in the Packet Analysis module

Medium

09/30/2021

10/04/2021

**Summary**

NETSCOUT Systems nGeniusONE version 6.3.0 build 1004, and earlier has a stored cross-site scripting vulnerability that a normal user can exploit. The user would need to visit a certain functionality in the packet module for the Stored XSS to get executed.

**Fixed Software**

Customers should request a patch 6.3.0 P5 B1411 to eliminate this vulnerability. This is available on the My NETSCOUT or may be obtained by contacting NETSCOUT support at 1-800-708-4784.  Please note that all future versions include this fix

techsupport@netscout.com

**CVE-2020-28251**

CVE

Title

Severity

Published

Updated

CVE-2020-28251

Escalated Privileges Vulnerability on AirMagnet Enterprise Sensors

High

2020 December 03

2020 December 07

NETSCOUT Systems AirMagnet Enterprise version 11.1.4 build 37257 and earlier has a sensor escalated privileges vulnerability that can be exploited to provide someone with administrative access to a sensor, with credentials to invoke a command to provide root access to the operating system. The attacker must complete a straightforward password-cracking exercise.

The affected product models are:

*   SENSOR6-R1S0W1-E
*   SENSOR6-R2S1-E
*   SENSOR6-R2S1-I
*   SENSOR4-R1S1W1-E
*   SENSOR4-R2S1-E
*   SENSOR4-R2S1-I

A software upgrade to AirMagnet Enterprise version 11.1.4 build 37271 to eliminate this vulnerability is available on My NETSCOUT accounts on the AirMagnet Enterprise Downloads page or may be obtained by contacting AirMagnet support at 1-800-708-4784.

  techsupport@netscout.com

CVE-2021-45981: Security Advisories | NETSCOUT

Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

Tag

#rce