A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.
"GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive

Vulnerability / Data Breach

A previously unknown hacker outfit called **GambleForce** has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.

"GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials," Singapore-headquartered Group-IB said in a report shared with The Hacker News.

The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive information from compromised networks.

Also used by the threat actor is the legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group's origins are far from clear.

The attack chains entail the abuse of victims' public-facing applications of victims by exploiting SQL injections as well as the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to gain unauthorized access to a Brazilian company.

It's currently not known how GambleForce leverages the stolen information. The cybersecurity firm said it also took down the adversary's command-and-control (C2) server and notified the identified victims.

"Web injections are among the oldest and most popular attack vectors," Nikita Rostovcev, senior threat analyst at Group-IB, said.

"And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Hacker Group 'GambleForce' Tageting APAC Firms Using SQL Injection Attacks

SQL Injection vulnerability in functions/point_list.php in Common Services soliberte before v4.3.03 allows attackers to obtain sensitive information via the lat and lng parameters.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “soliberte” for PrestaShop, an attacker can perform a SQL injection from >= 4.0.0 and < 4.3.03. Release 4.3.03 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-40921
*   **Published at**: 2023-12-12
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: soliberte
*   **Impacted release**: >= 4.0.0 and < 4.3.03 (4.3.03 fixed issue)
*   **Product author**: Common Services
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Before 4.3.03, a sensitive SQL calls in file functions/point_list.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted lat and lng variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/modules/soliberte/classes/socolissimo.class.php
    +++ b/modules/soliberte/classes/socolissimo.class.php
    @@ -822,7 +822,7 @@ class So_Colissimo extends Module
            public function lookup_latlng($lat, $lng, $limiter = 30)
            {
                    $countDeactivateCarrier = 0;
    -               $formula = "(6366*acos(cos(radians('$lat'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('$lng'))+sin(radians('$lat'))*sin(radians(`lat`))))";
    +               $formula = "(6366*acos(cos(radians('" . (float)$lat . "'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('" . (float)$lng . "'))+sin(radians('" . (float)$lat . "'))*sin(radians(`lat`)))>
                    // meme principe que chmod pour savoir lesquels ne sont pas a inclure dans la recherche
                    if (!Configuration::get('SOLIBERTE_BPR'))
                            $countDeactivateCarrier += 4;
    @@ -899,8 +899,8 @@ class So_Colissimo extends Module
                    {
                            case $this->_retrait :
                                    if ($lat)
    -                                       $formula = "(6366*acos(cos(radians('$lat'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('$lng'))+sin(radians('$lat'))*sin(radians(`lat`))))";
    -                               $sql = 'select `id`, `libelle`, `adresse1`, `adresse2`, `lieudit`, `indice`, `code_postal`, `commune`, `lat`, `lng`, `mobilite_reduite`, `type`, `poids` '.
    +                                       $formula = "(6366*acos(cos(radians('" . (float)$lat . "'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('" . (float)$lng . "'))+sin(radians('" . (float) $lat . >
    +                               $sql = 'select `id`, `libelle`, `adresse1`, `adresse2`, `lieudit`, `indice`, `code_postal`, `commune`, `la t`, `lng`, `mobilite_reduite`, `type`, `poids` '.
                                            ($lat ? ', '.$formula.' as distance ' : '').
                                            ' from '.$this->_retrait.' where id = "'.(int)$pr_id.'"';
                                    $tab = 0;
    

**Other recommandations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-08-12

Vunlnerability found during a audit by 202 ecommerce

2023-08-16

Contact PrestaShop addons teams to get the scope

2023-09-18

PrestaShop addons teams confirm the issue and supply a fixed release

2023-08-15

Request a CVE ID

2023-08-25

Received CVE ID

2023-12-12

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-40921: [CVE-2023-40921] Improper neutralization of a SQL parameter in deprecated soliberte module from Common Services for PrestaShop

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

Skip to content

Sign in

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

glpi-project / **glpi** Public

*   Notifications
*   Fork 1.2k
*   Star 3.5k
    

*   Code
*   Issues 137
*   Pull requests 62
*   Actions
*   Projects 1
*   Security
*   Insights

Additional navigation options

Moderate

trasher published GHSA-94c3-fw5r-3362

Dec 13, 2023

**Package**

glpi (glpi)

**Affected versions**

\>= 10.0.0

**Patched versions**

10.0.11

**Description**

**Impact**

The saved search feature can be used to perform a SQL injection.

**Patches**

Upgrade to 10.0.11.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

Moderate

6.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVE ID**

CVE-2023-43813

**Weaknesses**

CWE-89

**Credits**

*    bhopkins0 Reporter

CVE-2023-43813: Authenticated SQL Injection

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

High

trasher published GHSA-v799-2mp3-wgfr

Dec 13, 2023

**Affected versions**

\>= 10.0.0

**Description**

**Impact**

GLPI inventory endpoint can be used to drive a SQL injection attack.

**Patches**

Upgrade to 10.0.11

**Workarounds**

Disable native inventory.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Credits**

This vulnerability was discovered by Nikita Petrov (Positive Technologies).

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**Weaknesses**

CVE-2023-46727: SQL injection through inventory agent request

A vulnerability, which was classified as critical, was found in OTCMS 7.01. Affected is an unknown function of the file /admin/ind_backstage.php. The manipulation of the argument sqlContent leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247908.

CVE-2023-6772

A vulnerability, which was classified as critical, has been found in SourceCodester Simple Student Attendance System 1.0. This issue affects the function save_attendance of the file actions.class.php. The manipulation of the argument sid leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247907.

CVE-2023-6771

A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. It has been rated as critical. This issue affects the function prepare of the file email_setup.php. The manipulation of the argument name leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247895.

CVE-2023-6765

Rockoa <2.3.3 is vulnerable to SQL Injection. The problem exists in the indexAction method in reimpAction.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-49363: Vulnerability-recurrence/rockoa less than 2.3.3 sql injection vulnerability.pdf at main · wednesdaygogo/Vulnerability-recurrence

Threat actors are increasingly placing malicious ads for Zoom within Google searches.

During the past month, we have observed an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators.

While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.

In this blog post, we chose to highlight two cases:

*   Case #1 is about a new loader which we have not seen mentioned publicly before called **_HiroshimaNukes_**. It drops an additional payload designed to steal user data.
*   Case #2 is a campaign dropping FakeBat loader where the threat actor tracked victims via a panel that was new to us, called **_Hunting panel 1.40_**. FakeBat is often used by threat actors as the initial entry point for hands on keyboard operations.

We have reported the malicious ads to Google.

**Advertiser profiles**

The threat actors are using a number of fake identities to create multiple advertiser accounts. We noticed that different ads had different advertiser IDs but the backend infrastructure was the same.

Fake advertiser profiles

They are also using what looks like existing advertising accounts (one of the accounts had over 30K ads) which may have been compromised:

Advertising account possibly hacked to insert malicious Zoom ad

While we don’t know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.

**Cloaking via new services**

The threat actors are using tracking templates to cloak the redirection mechanism to either the legitimate Zoom website or a site or their choosing. They are abusing a service called AppsFlyer (onelink.me) and HYROS (l.hyros.com) for their redirects. We observed the following links for the Zoom campaigns:

*   aksdquwrqr\[.\]onelink\[.\]me
*   ntcrgfmmc3\[.\]onelink\[.\]me
*   169-zoona32\[.\]onelink\[.\]me
*   zoromonm\[.\]onelink\[.\]me
*   notetrest\[.\]onelink\[.\]me
*   putin-777\[.\]onelink\[.\]me
*   zoomus\[.\]onelink\[.\]me
*   mmozl\[.\]onelink\[.\]me
*   arnold\[.\]onelink\[.\]me
*   desktop-client\[.\]onelink\[.\]me
*   slovo-pacana\[.\]onelink\[.\]me
*   l\[.\]hyros\[.\]com/c8KqPHYKdt

Ad and redirection mechanism

**Case #1: HiroshimaNukes**

HiroshimaNukes is a name given by its author to a piece of malware that was new to us. It uses several techniques to bypass detection from DLL side-loading to very large payloads. Its goal is to drop additional malware, typically a stealer followed by data exfiltration.

HiroshimaNukes loader installation flow

**Distribution**

The threat actor is targeting users via Google ads related to a search for zoom:

Malicious ad for Zoom via Google search

Clicking on the ad redirects to a domain at _zoommaster\[.\]life_ that checks the IP address of the visitor and performs a redirect to _zoom.us_ (legitimate) site or _zoom-us\[.\]tech_ (malicious site) based on certain conditions. Intended targets will see a web page that looks similar to the real Zoom’s website:

Fake Zoom web page with malicious download

Users are tricked into downloading a file called _ZoomInstaller.zip_ which once extracted contains one main executable and several DLL files:

Content of the Zoom download archive

The _\_Zoom.exe_ file is a legitimate binary signed by Zoom Video Communications, Inc:

Main executable is legitimate

**DLL side-loading**

DLL side-loading is a technique used by threat actors to bypass detection. It consists of replacing a legitimate library file (DLL) used by a program (EXE) with a malicious one, using the same name and location.

When the main program is launched, it will automatically load the corresponding DLL without necessarily validating it. In this instance, _\_Zoom.exe_ side-loads _librcrypto-3-zm.dll_:

The malicious DLL that is loaded when the main executable runs

While DLL side-loading is commonly used by malware authors, it is also a unique TTP that we don’t see in all malvertising campaigns. We were able to search for previous similar attacks from the same threat actor. This time, the malicious DLL was side-loaded as if it was the FFmpeg library (_ffmpeg.dll_). As you can see from the screenshot below, the lure varied over time with for example brands such as TradingView, Notion or Obsidian.

Other examples of DLL side-loading

All the malicious DLLs we found were likely compiled by the same threat actor, who was either sloppy or wanted to leave the malware name in plain sight:

D:\\Projects\\General\\HiroshimaNukesDropper\\V2\\Dll\\x64\\Release\\Dll.pdb

This “HiroshimaNukes” dropper will spawn a new executable (_zoom\_crypted.exe_) that also attempts to evade detection due to its size:

Dropped file over 774 MB

The file has been inflated with junk code:

UnpacMe service’s analysis of the binary

Looking at its strings we can see that it is a stealer focusing on cryptocurrency wallets:

0x40284e: Cookies
0x40290a: Network\\Cookies
0x4029c2: DHistoryDDDDDDDsWeb Datassssssss
0x42c43b: TDiscord PTB\\Local Storage\\leveldbTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTC
0x42c51f: wDiscord Canary\\leveldbwwwwwwwwwwwwwwwwwwwwww-
0x42e1fd: Jkey3.dbJJJJJJJ
0x42e67c: Nformhistory.sqlite
0x42e798: Nformhistory.sqlite
0x433d69: WIMAP PasswordWWWWWWWWWWWWW
0x43515c:
0x44241d: oArmoryoooooo6
0x4426f4: 2bytecoin22222222
0x4427ba: ZJaxxClassicZZZZZZZZZZZ
0x4431f2: %Jaxx\\Local Storage\\leveldb%%%%%%%%%%%%%%%%%%%%%%%%%%
0x44347e: jEthereumjjjjjjjj2
0x443544: oEthereum\\keystoreooooooooooooooooo>
0x443621: #Electrum
0x443751: }Electrum\\wallets}}}}}}}}}}}}}}}}
0x443825: Electrum-LTC
0x4438ff: Electrum-LTC\\wallets
0x443a3c: Electrum-BCH
0x443b76: WElectrum-BCH\\walletsWWWWWWWWWWWWWWWWWWWW
0x443c5e: 2Atomic222222&
0x443d64: atomic\\Local Storage\\leveldb
0x443e5a: +Guarda
0x443f66: 9lGuarda\\Local Storage\\leveldb
0x4440ab: tWasabitttttt
0x444194: 7^WalletWasabi\\Client\\Wallets
0x444335: ,Daedalus,,,,,,,,f
0x444441: Daedalus Mainnet\\wallets
0x444523: Ledger Live
0x4445fc: )Ledger Live)))))))))))
0x444d50: /Litecoin////////

**Case #2: FakeBat and Hunting panel**

In this second case we look at a FakeBat loader payload which has an interesting addition to it. The threat actors are tracking victims from their campaigns using a control panel called Hunting panel 1.40 which was new to us.

FakeBat installation flow

**Distribution**

Unsuspecting users doing a Google search for “zoom” are deceived by a Sponsored result that looks authentic from the outside. While the ad display URL is **zoom.us** (which is the official website for Zoom), clicking on the menu beside the ad reveals an advertiser identified as “CHANDLER BONNY M”:

Malicious ad for Zoom via Google search

Web traffic following click on ad

On this landing page, users are tricked into downloading a malicious version of the Zoom installer:

Fake Zoom web page and malicious installer

The download process is initiated via a JavaScript event linking to the _ms-appinstaller_ URL where the MSIX file is hosted:

Source code processing the download of the MSIX installer

**Malware payload**

The malicious installer contains several files but the malicious components reside in the PowerShell scripts. This technique has been used by the threat actor for months already, probably because they get higher infection rates than with a traditional malware binary.

Contents of the MSIX file

The Base64-encoded PowerShell reveals the malware’s command and control server as well as a number of other commands such as reporting telemetry back about the machine and any security software installed, and more importantly a GPG encrypted payload decoded on the fly.

View of the malicious PowerShell script

**Panel and API**

Inspecting web traffic, we noticed that a new WebSocket was created to send data to a remote domain at api\[.\]huntingpanel\[.\]link. Some of this data includes a fileID, a project name and the domain that was used for the landing page.

Connection to WebSocket

This server is hosting a login page to “Hunting panel 1.40”, a control panel we had not heard of before. We surmise this is a way for the threat actor to track their malvertising and payload delivery campaigns. The panel’s background image is from the Firewatch video game.

Hunting panel 1.40 control panel

**Protection**

Malvertising continues to be a privileged malware delivery vector where threat actors are able to bypass ad verification checks, and often times security solutions as well.

We are actively tracking and reporting each new malvertising campaign we come across. As we can’t always control when third parties will take action on malicious ads, our top priority is to ensure our customers remain protected by blocking new malware domains and samples.

Both our consumer and enterprise users are protected agains these threats.

**Acknowledgements**

We would like to thank Sergei Frankoff, malware researcher and a co-founder of Open Analysis, for his help with the HiroshimaNukes dropper.

**Indicators of Compromise**

**Case #1 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

zoom-us\[.\]tech

Download URL

zoom-us\[.\]tech/ZoomInstaller.zip

Fake Zoom archive (ZoomInstaller.zip)

fd524641d2be705d76feb0453374c5b2ad9582ced4f00bb3722b735401da2762

Malicious DLL (libcrypto-3-zm.dll)

30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c

Stealer payload

5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b

Stealer C2

94.131.110\[.\]127

**Case #2 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

z00nn.one-platform-to-connect\[.\]group

Fake Zoom site

info-zoomapp\[.\]com

Fake Zoom site

zoomnewsonly\[.\]site

Fake Zoom site

zoonn\[.\]virtual-meetings\[.\]cn\[.\]com

Fake Zoom site

promoapp-zoom\[.\]com

Download URL

youstorys\[.\]com/fonts/Zoom-x64.msix

Download URL

windows-rars\[.\]shop/bootstrap/Zoom-x64.msix

Download URL

scheta\[.\]site/apps.store/ZoomInstaller.msix

Installer (Zoom-x64.msix)

dcb80bd21bd6900fe87423d3fb0c49d8f140d5cf5d81b662cd74c22fca622893

Installer (Zoom-x64.msix)

44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5

Installer (ZoomInstaller.msix)

462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c

Encrypted payload URL

winkos\[.\]net/ld/zm.tar.gpg

FakeBat C2

2311foreign\[.\]xyz

 Malvertisers zoom in on cryptocurrencies and initial access 

Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function.

**Cross Site Request Forgery in Silverpeas**

High severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

Tag

#sql