Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild.
Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library.
Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have been

Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild.

Tracked as **CVE-2023-6345**, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library.

Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw on November 24, 2023.

As is typically the case, the search giant acknowledged that "an exploit for CVE-2023-6345 exists in the wild," but stopped short of sharing additional information surrounding the nature of attacks and the threat actors that may be weaponizing it in real-world attacks.

It's worth noting that Google released patches for a similar integer overflow flaw in the same component (CVE-2023-2136) in April 2023 that had also come under active exploitation as a zero-day, raising the possibility that CVE-2023-6345 could be a patch bypass for the former.

CVE-2023-2136 is said to have "allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page."

With the latest update, the tech giant has addressed a total of six zero-days in Chrome since the start of the year -

*   CVE-2023-2033 (CVSS score: 8.8) - Type confusion in V8
*   CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia
*   CVE-2023-3079 (CVSS score: 8.8) - Type confusion in V8
*   CVE-2023-4863 (CVSS score: 8.8) - Heap buffer overflow in WebP
*   CVE-2023-5217 (CVSS score: 8.8) - Heap buffer overflow in vp8 encoding in libvpx

Users are recommended to upgrade to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability

Zumtobel Netlink CCD Onboard v3.74 - Firmware v3.80 was discovered to contain a buffer overflow via the component NetlinkWeb::Information::SetDeviceIdentification.

CVE-2023-24294

An issue in GitKraken GitLens before v.14.0.0 allows an attacker to execute arbitrary code via a crafted file to the Visual Studio Codes workspace trust component.

@@ -1,5 +1,5 @@ import type { ConfigurationChangeEvent } from 'vscode'; import { Disposable, window } from 'vscode'; import { Disposable, window, workspace } from 'vscode'; import { getAvatarUriFromGravatarEmail } from '../../avatars'; import { ViewsLayout } from '../../commands/setViewsLayout'; import type { Container } from '../../container'; Expand All @@ -10,11 +10,18 @@ import { executeCoreCommand, registerCommand } from '../../system/command'; import { configuration } from '../../system/configuration'; import type { Deferrable } from '../../system/function'; import { debounce } from '../../system/function'; import { getSettledValue } from '../../system/promise'; import type { StorageChangeEvent } from '../../system/storage'; import type { IpcMessage } from '../protocol'; import { onIpc } from '../protocol'; import type { WebviewController, WebviewProvider } from '../webviewController'; import type { CompleteStepParams, DismissBannerParams, DismissSectionParams, State } from './protocol'; import type { CompleteStepParams, DidChangeRepositoriesParams, DismissBannerParams, DismissSectionParams, State, } from './protocol'; import { CompletedActions, CompleteStepCommandType, Expand All @@ -27,6 +34,12 @@ import { DismissStatusCommandType, } from './protocol';  
const emptyDisposable \= Object.freeze({ dispose: () \=> { /\* noop \*/ }, });  
export class HomeWebviewProvider implements WebviewProvider<State\> { private readonly \_disposable: Disposable;  
Expand All @@ -36,6 +49,9 @@ export class HomeWebviewProvider implements WebviewProvider<State> { this.container.git.onDidChangeRepositories(this.onRepositoriesChanged, this), configuration.onDidChange(this.onConfigurationChanged, this), this.container.storage.onDidChange(this.onStorageChanged, this), !workspace.isTrusted ? workspace.onDidGrantWorkspaceTrust(this.notifyDidChangeRepositories, this) : emptyDisposable, ); }  
Expand Down Expand Up @@ -221,7 +237,12 @@ export class HomeWebviewProvider implements WebviewProvider<State> { }  
private async getState(subscription?: Subscription): Promise<State\> { const sub \= await this.getSubscription(subscription); const \[visibilityResult, subscriptionResult\] \= await Promise.allSettled(\[ this.getRepoVisibility(), this.getSubscription(subscription), \]);  
const sub \= getSettledValue(subscriptionResult)!; const steps \= this.container.storage.get('home:steps:completed', \[\]); const sections \= this.container.storage.get('home:sections:dismissed', \[\]); const dismissedBanners \= this.container.storage.get('home:banners:dismissed', \[\]); Expand All @@ -233,7 +254,7 @@ export class HomeWebviewProvider implements WebviewProvider<State> { subscription: sub.subscription, completedActions: sub.completedActions, plusEnabled: this.getPlusEnabled(), visibility: await this.getRepoVisibility(), visibility: getSettledValue(visibilityResult)!, completedSteps: steps, dismissedSections: sections, avatar: sub.avatar, Expand All @@ -255,11 +276,12 @@ export class HomeWebviewProvider implements WebviewProvider<State> { }); }  
private getRepositoriesState() { private getRepositoriesState(): DidChangeRepositoriesParams { return { count: this.container.git.repositoryCount, openCount: this.container.git.openRepositoryCount, hasUnsafe: this.container.git.hasUnsafeRepositories(), trusted: workspace.isTrusted, }; }  
Expand Down

CVE-2023-46944: Disables Git access in Restricted Mode (untrusted) · gitkraken/vscode-gitlens@ee2a0c4

Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function.

**广受欢迎的开源堡垒机**

   

9 年时间，倾情投入，用心做好一款开源堡垒机。

JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。

JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：

*   **SSH**: Linux / Unix / 网络设备 等；
*   **Windows**: Web 方式连接 / 原生 RDP 连接；
*   **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
*   **NoSQL**: Redis / MongoDB 等；
*   **GPT**: ChatGPT 等;
*   **云服务**: Kubernetes / VMware vSphere 等;
*   **Web 站点**: 各类系统的 Web 管理后台；
*   **应用**: 通过 Remote App 连接各类应用。

**产品特色**

*   **开源**: 零门槛，线上快速获取和安装；
*   **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
*   **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
*   **多云支持**: 一套系统，同时管理不同云上面的资产；
*   **多租户**: 一套系统，多个子公司或部门同时使用；
*   **云端存储**: 审计录像云端存储，永不丢失；

**UI 展示**

**在线体验**

*   环境地址：https://demo.jumpserver.org/

⚠️ 注意

该环境仅作体验目的使用，我们会定时清理、重置数据！

请勿修改体验环境用户的密码！

请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！

**快速开始**

*   快速入门
*   产品文档
*   在线学习
*   知识库

**案例研究**

*   腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案
*   腾讯海外游戏：基于JumpServer构建游戏安全运营能力
*   万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动
*   雪花啤酒：JumpServer堡垒机使用体会
*   顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维
*   沐瞳游戏：通过JumpServer管控多项目分布式资产
*   携程：JumpServer 堡垒机部署与运营实战
*   大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧
*   小红书：JumpServer 堡垒机大规模资产跨版本迁移之路
*   中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力
*   中通快递：JumpServer主机安全运维实践
*   东方明珠：JumpServer高效管控异构化、分布式云端资产
*   江苏农信：JumpServer堡垒机助力行业云安全运维

**社区交流**

如果您在使用过程中有任何疑问或对建议，欢迎提交 GitHub Issue。

您也可以到我们的 社区论坛 当中进行交流沟通。

**参与贡献**

欢迎提交 PR 参与贡献。 参考 CONTRIBUTING.md

**组件项目**

项目

状态

描述

Lina

JumpServer Web UI 项目

Luna

JumpServer Web Terminal 项目

KoKo

JumpServer 字符协议 Connector 项目

Lion

JumpServer 图形协议 Connector 项目，依赖 Apache Guacamole

Razor

JumpServer RDP 代理 Connector 项目

Tinker

JumpServer 远程应用 Connector 项目

Magnus

JumpServer 数据库代理 Connector 项目

Chen

JumpServer Web DB 项目，替代原来的 OmniDB

Kael

JumpServer 连接 GPT 资产的组件项目

Wisp

JumpServer 各系统终端组件和 Core API 通信的组件项目

Clients

JumpServer 客户端 项目

Installer

JumpServer 安装包 项目

**安全说明**

JumpServer是一款安全产品，请参考 基本安全建议 进行安装部署。如果您发现安全相关问题，请直接联系我们：

*   邮箱：support@fit2cloud.com
*   电话：400-052-0755

**License & Copyright**

Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.

Licensed under The GNU General Public License version 3 (GPLv3) (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.gnu.org/licenses/gpl-3.0.html

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

CVE-2023-48193: GitHub - jumpserver/jumpserver: JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。

Check out our new look — it's crisp, fast, and more reader-friendly.

Source: ronstik via Alamy Stock Photo

Here are some adjectives the Dark Reading team used to describe our revamped site that went live today: Elegant. Slick. Seamless. Clean. Modern.

Change is never easy or comfortable. But the process almost always winds up injecting new life and fresh purpose into your mission, and that's what we've accomplished with Dark Reading's latest look.

The journey to our new look began in August with the quiet rollout of an updated Dark Reading logo that gave our beloved brand a more contemporary design.

Today we've wrapped that logo in a new website platform that improves the overall reader experience, and our hope is that it makes your visit to the site more pleasant, efficient, and productive.

We've streamlined and updated our section names so the site is easier to navigate by topics (check out the Cybersecurity Topics button at the top of the black navigation bar). There's also more context about the type of content that's here, and how to find it on the Dark Reading site.

We enhanced our featured news section at the top of the fold and added a special feed of the latest news from around the globe via Dark Reading Global. As we announced this spring, DR Global initially is focused on the rapidly growing cybersecurity industry in the Middle East and Africa, but stay tuned as we expand our scope to other regions as well.

Scroll further down the homepage and you'll see our Latest News and Commentary sections, packed with our traditional mix of informed, unique, and relevant content. You'll also see a new space titled Deep Reading, which showcases Dark Reading's vast library of digital reports and original research. You can read summaries of our reports as well as download them for free.

Underneath our dedicated features section The Edge, and DR Technology, our section dedicated to cybersecurity technology trends and products, you will find our newest section, DR Global, now with a homepage presence and its own special section within the site.

That's just a quick tour of some of the new features and functions on the updated Dark Reading site. There will be more landing on the site in the coming months as we evolve to match our readers' needs. No matter how much our look changes, we are committed to serving up comprehensive and informed reporting, analysis, and other content that long has set Dark Reading apart as one of the top cybersecurity media sites in the industry.

In the meantime, we want to hear from you on what you think about the site redesign and its features. Drop us an email at \[email protected\] with your feedback — good or bad, we can take it.

**About the Author(s)**

Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Dark Reading Debuts Fresh New Site Design

The company's power production remains in operation, and authorities have been notified of the attack.

Source: Brian Guest via Alamy Stock Photo

Holding Slovenske Elektrarne (HSE), a Slovenian power generation company, fell victim to a ransomware attack on Nov. 22 that compromised its systems but didn't disrupt power production.

The company regained control and was able to contain the attack on Nov. 24. 

The National Office for Cyber Incidents at Si-CERT and the Ljubljana Police Administration were notified of the attack. The power company also worked with third-party experts to mitigate the effects of the attack and prevent the spread of the malware to other critical infrastructure systems in Slovenia. 

No ransom has been demanded yet. The attack is believed to be the work of Rhysida ransomware gang, which offers its victims an email address to connect with the threat actors without making any financial demands. It's still unclear if HSE has made contact with Rhysida.

Disruption is limited to the Šoštanj Thermal Power Plants and the Velenje Coal Mine websites, according to a spokesperson, and HSE officials have claimed that the situation is under control. 

**About the Author(s)**

Slovenian Electrical Utility HSE Suffers Ransomware Attack

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

Hello,

An haproxy user rightfully reported that we don't ignore the fragments in
the URIs we receive. While that's historically true and comes back from
the old days where any byte from one side would be passed to the other
side, I'm facing a dilemma about how to best deal with it.

Indeed, RFC9110 is pretty clear about the fact that URIs do not contain
the fragment component, and even refers to RFC3986 that omits it for
scheme-based absolute URIs. But as often, this only concerns senders and
does not suggest much about how to proceed on the receiver when that rule
is violated. I could be tempted to say that if a fragment is present, the
the rule is violated and I should just reject the request as bad with a
400. I tried various web servers (among which Apache and NGINX) and all
silently trim any received fragment, which leaves me with even more doubt
about the suitability of the 400 here...

We could also consider that we continue to accept it and just trim it
from the functions that extract it for internal processing, but that
would mean we'd continue to pass it to the server, which is contrary to
the rules imposed to a client (even though we're a gateway here, but
still we try hard to comply as much as possible and sometimes to repair
damaged protocol elements if needed and permitted).

We could also completely trim this one when receiving the request, and
probably match more closely what the few servers I've tested seem to do,
but given that we're not supposed to receive them, I'm wondering if we're
not hiding the dust under the carpet. It will also mean that they wouldn't
appear in logs anymore, preventing from observing them.

Thus I'd like to collect some opinions here from other implementers.
Are there any who reject requests containing fragments in the URI ? If
not, are there any good reasons for not doing so (e.g. clients caught
sending them from time to time in the past and situation nor re-evaluated
since; lack of clarity in older versions of the spec, etc) ?

Without strong support for rejecting these as invalid, I'm probably going
to silently fix these requests by trimming the fragment like others seem
to do, but I really do not like doing such things that hide interoperability
issues without a good reason first. We already have normalization rules
in place to either reject or trim, but they're currently opt-in so we
can't count on that to collect more feedback.

Thanks in advance,
Willy

Received on Thursday, 27 July 2023 09:05:14 UTC

CVE-2023-45539: Ambiguity about how to deal with received fragments in URI from Willy Tarreau on 2023-07-27 (ietf-http-wg@w3.org from July to September 2023)

Dozens of advocacy groups are pressuring the US Congress to abandon plans to ram through the renewal of a controversial surveillance program that they say poses an “alarming threat to civil rights.”

United States lawmakers are receiving a flood of warnings from across civil society not to be bend to the efforts by some members of Congress to derail a highly sought debate over the future of a powerful but polarizing US surveillance program.

House and Senate party leaders are preparing to unveil legislation on Wednesday directing the spending priorities of the US military and its $831 billion budget next year. Rumors, meanwhile, have been circulating on Capitol Hill about plans reportedly hatched by House speaker Mike Johnson to amend the bill in an effort to extend Section 702, a sweeping surveillance program drawing fire from a large contingent of Democratic and Republican lawmakers favoring privacy reforms.

WIRED first reported on the rumors on Monday, citing senior congressional aides familiar with ongoing negotiations over the bill, the National Defense Authorization Act (NDAA), separate versions of which were passed by the House and Senate this summer.

More than 80 civil rights and grassroots organizations—including Asian Americans Advancing Justice | AAJC, Color of Change, Muslims for Just Futures, Stop AAPI Hate, and United We Dream—signed a statement this morning opposing “any efforts” to extend the 702 program using the NDAA. The statement, expected to hit the inboxes of all 535 members of Congress this afternoon, says that failure to reform contentious aspects of the program, such as federal agents’ ability to access Americans’ communications without a warrant, poses an “alarming threat to civil rights,” and that any attempt to use must-pass legislation to extend the program would “sell out the communities that have been most often wrongfully targeted by these agencies and warrantless spying powers generally.”

“As you’re aware, this extremely controversial warrantless surveillance authority is set to expire at the end of the year, but will continue to operate as it does currently until April, as government officials have recognized for many years,” the groups say.

Johnson and Senate majority leader Chuck Schumer did not respond to WIRED’s request for comment. Leadership of the House and Senate armed services committees likewise did not respond.

Section 702 of the Foreign Intelligence Surveillance Act authorizes the US government, namely, the US National Security Agency, to surveil the communications of foreign citizens believed to be overseas. Oftentimes, these communications—texts, calls, emails, and other web traffic—“incidentally” involve Americans, whom the government is forbidden from directly targeting. But certain methods of interception, those that tap directly into the internet’s backbone, may make it impossible to fully disentangle foreign communications from domestic ones.

Though a probable-cause warrant is usually required before US law enforcement can obtain the content of an American’s calls, the courts view Section 702 surveillance—accomplished with the compelled assistance of US telecoms—as a two-step process, applying constitutional safeguards to each step individually. The collection, or seizure, only “targets” foreigners and is thus legal. Once communications are in the government's possession, however, federal agents are free to query, or search, them under procedures approved by the Foreign Intelligence Surveillance Court, an 11-judge panel whose proceedings are classified and deliberated ex parte. These procedures are ostensibly designed to “minimize” the program’s impact on Americans' rights.

The “incidental,” or collateral, collection of Americans' communications is intensely controversial, due in part to procedures—namely those of the Federal Bureau of Investigation (FBI)—that allow federal agents to conduct warrantless, after-the-fact queries of Section 702 data for investigations of a purely domestic nature.

The conservative and libertarian nonprofit FreedomWorks, which has supported privacy reforms in an array of surveillance debates at the federal, state, and local levels, said Tuesday that it intends to issue a “key vote” against the NDAA in the event a Section 702 amendment is included in the bill. Key votes are a FreedomWorks scoring tool that track controversial votes by conservative lawmakers—effectively, a bad mark that may be used against them in future elections. The American Civil Liberties Union says likewise that it intends to score the vote using its own similar process, which tags progressives with votes the group deems at odds with the Bill of Rights.

“To use the NDAA to reauthorize a mass spying program that has been so flagrantly abused without going through the full legislative process and robust debate betrays the public’s trust,” says Kia Hamadanchy, senior policy counsel at the ACLU. Added FreedomWorks president Adam Brandon: “This is the time for robust debate over these issues, not maneuvers by congressional leadership to undermine Americans’ privacy. FISA reauthorization should not be in the NDAA—period.”

A single, uniform bill approved by both chambers is needed before the NDAA can be sent to the president for his signature. A conference of dozens of lawmakers, drawn in large part from the armed services committees, is expected to receive a copy of the bill on Wednesday—their first opportunity to review the consolidated text—and will have until the close of business to approve the language.

From there, the NDAA is subjected to different sets of rules for each chamber. In the Senate, it will either be ushered directly to the floor for a vote or may require three-fifths of the body to formally end debate on the NDAA. In the House, the bill may be subjected to a “rule” issued by the House Rules Committee, which is typically designed to promote the goals of party leaders, waiving points of order or limiting floor debate. The bill may also be considered “under suspension,” however, which is an expedited process that prohibits floor amendments and requires a two-thirds majority.

Senior Democratic and Republican sources say the House is expected to bypass the Rules Committee, meaning there will be no opportunity to strike down any amendments that could extend the 702 program—which is itself not typically included as part of the NDAA.

A senior Republican aide tells WIRED the odds of Johnson proceeding with a plan to extend the 702 program using the NDAA have grown slim over the past few days, as it’s become increasingly clear the speaker would face significant backlash from rank-and-file members of his own party, as well as more powerful figures such as Jim Jordan, the chairman of the House Judiciary Committee, and Matt Gaetz, one of a handful of lawmakers to whom Johnson effectively owes his new position.

A senior aide to Jordan tells WIRED that the chairman would not support extending the Section 702 program without significant reforms—in particular, a ban against the FBI accessing 702 data on Americans without a warrant.

The House and Senate intelligence committees on Tuesday introduced their own legislation to reauthorize the 702 program through 2035, banning FBI queries in criminal cases that fall outside the broadly defined “foreign intelligence” umbrella. A high-ranking source familiar with the White House’s views on the 702 program told WIRED on Monday that the White House was open to supporting this reform. Civil liberties groups, however, say requiring the FBI to obtain warrants for purely criminal matters does not go far enough, and would not impact a majority of cases in which 702 data is accessed.

What’s more, the argument goes, in matters of national security, the FBI should already be well prepared to show probable cause in court.

_Update 3:45 pm ET, November 28, 2023: A previous version of this story described new congressional legislation as requiring the FBI to obtain warrants in cases unrelated to foreign intelligence. Instead, it bans those queries outright. We regret the error._

A Civil Rights Firestorm Erupts Around a Looming Surveillance Power Grab

By Deeba Ahmed
In a press release, Ukraine’s intelligence agency referred to the hacking as a “successful complex special operation in cyberspace.” 
This is a post from HackRead.com Read the original post: Ukraine Hacks Russia’s Aviation Agency, Claims “Aviation Cannibalism”

Amid the hack, the Ukrainian agency claims that as per the documents, Russia’s aviation is collapsing given the international sanctions imposed on the country after its invasion of Ukraine in February 2022.

It is rare for nations to admit hacking or surveilling activities against other nations. However, in a rather unexpected act, the Ukrainian government has admitted to carrying out an offensive cyber operation against Russia.

In a press release, Ukraine’s intelligence agency referred to the hacking as a “successful complex special operation in cyberspace.” 

According to the Main Directorate of Intelligence of Ukraine’s Ministry of Defense, through this operation, they obtained a vast trove of classified documents from Russia’s Federal Air Transport Agency, Rosaviatsiya.

For your information, Rosaviatsiya manages flight safety and is responsible for maintaining Russian aviation’s emergency incidents records. The Ukrainian defence ministry claims that it infiltrated Rosaviatsiya’s information systems and repeatedly accessed its daily reports for over a year and a half.

The Ukrainian agency claims that as per the documents, Russia’s aviation is collapsing given the international sanctions imposed on the country after its invasion of Ukraine in February 2022. Some of the documents state that in January 2023, around 185 incidents were reported in Russian civil aviation and one-third of them were declared dangerous.

In the first nine months of 2023, 150 aircraft malfunctioning cases were recorded compared to 50 incidents during the same period in 2022. This indicates the intensity of safety hazards Russian aviation has been recording lately as the number has tripled, claimed the agency.

That’s not all. Russia is also experiencing issues with aircraft maintenance because spare parts are hard to outsource due to sanctions. Now the country is redirecting aircraft maintenance to Iran where such works are carried out without appropriate certification. This shortage of aircraft space parts has created “aviation cannibalism,” in Russia, which means it is dismantling aircraft to repair others.

“Moscow is trying to hide the endless pile of problems with civil aviation, endangering its residents,” Ukrainian sources concluded.

When the hacking was conducted is still unclear. Rosaviatsia is yet to respond to the revelations. It is worth noting that this is the first time that Ukraine has admitted to conducting a cyber operation against a Russian target.

It is unusual for states to proudly publicize their digital attacks against their adversaries, in Ukraine’s case it is understandable. This breach is a significant blow to Russia’s aviation industry and raises concerns about its civilian airspace’s security. The stolen documents can expose vulnerabilities in the country’s air traffic control systems and offer valuable information to Ukraine.

The hacking’s timing is crucial since it comes at a time when tensions between Russia and Ukraine are at their peak.

****_RELATED ARTICLES_****

1.  **Ukraine Leaks Personal Details of 620 Alleged FSB Agents**
2.  **Hackers Deface Russian Websites on Ukraine Invasion Anniversary**
3.  **IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack**
4.  **Ukraine Busts Pro-Russia Hackers Who Stole 30M Accounts of EU Citizens**

Ukraine Hacks Russia’s Aviation Agency, Claims “Aviation Cannibalism”

raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user controlled URL parameter is loaded into an internal template that has autoescape disabled. This is a cross-site scripting vulnerability that affects all deployments of `raptor-web` on version `0.4.4`. Any victim who clicks on a malicious crafted link will be affected. This issue has been patched 0.4.4.1.

**Patched**

This XSS vulnerability has been patched in v0.4.4.1

Thanks a ton to @ejedev for finding this and reporting it!

**Summary**

Starting in version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user controlled URL parameter is loaded into an internal template that has autoescape disabled.

**Details**

To show the flow of this vulnerability we will start off with a request made to /announcements?server=test

The base template is loaded, located here: https://github.com/zediious/raptor-web/blob/d53f46bed260ed23742a89e6a414228b75dab797/raptorWeb/templates/raptormc/base.html

It builds the following htmx object, which on load will automatically send a GET request to raptormc/api/html/announcements?server=test

<div hx-get\="/raptormc/api/html/{{request.path|strip\_slash}}{% if request.GET %}?{% for param in request.GET %}{{param}}={% get\_param param %}{% endfor %}{% endif %}"

hx-trigger\='load'

hx-target\='#home'

hx-swap\="innerHTML"

hx-indicator\="#mainLoadingspinner"\>

</div\>

The TemplateView for announcements is rendered here:

class Announcements(TemplateView):

"""

Page containing the last 30 announcements from Discord

"""

template\_name: str \= join(

TEMPLATE\_DIR\_RAPTORMC, 'defaultpages/announcements.html')

def get(self, request: HttpRequest, \*args: Any, \*\*kwargs: Any) \-> HttpResponse:

if not DefaultPages.objects.get\_or\_create(pk\=1)\[0\].announcements:

return HttpResponseRedirect('/404')

if request.headers.get('HX-Request') != "true":

return HttpResponseRedirect('/404')

return super().get(request, \*args, \*\*kwargs)

def get\_context\_data(self, \*\*kwargs: dict\[str, Any\]) \-> dict\[str, Any\]:

context: dict\[str, Any\] \= super().get\_context\_data(\*\*kwargs)

if self.request.GET:

context\['opened\_server\_pk'\] \= self.request.GET.get('server')

return get\_or\_create\_informative\_text(

context \= context,

informative\_text\_names \= \["Announcements Information"\])

The get_context_data method sets opened_server_pk equal to the URL parameter server.

context\['opened\_server\_pk'\] \= self.request.GET.get('server')

This template is not accessible directly, and requires the header HX-Request to be set to true. This is done by the hx-get div loaded in the base.

The announcements template itself is located here: https://github.com/zediious/raptor-web/blob/2776281eb12fa04eca177bbfe92a4cfcd74ba391/raptorWeb/templates/raptormc/defaultpages/announcements.html

It notably sets {% autoescape off %} for the majority of the template:

The template attempts to build a second htmx object, making a call to the server_announcements_poll endpoint:

<div id\="server\_announcements"

hx-get\="{% url 'gameservers:server\_announcements\_poll' %}{% if request.GET %}?server={{opened\_server\_pk}}{% endif %}"

hx-trigger\="load"

hx-target\="#server\_announcements"

hx-swap\="outerHTML"\></div\>

</div\>

However, since there is no autoescape enabled, we are able to inject Javacript as we have full control over the opened_server_pk value being rendered. The original hx-get call from the base template will inject the results of this secondary template as innerHTML, rendering it for the user.

**PoC**

We'll make the following request to the server: /announcements?server=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C%2fscript%3E. When URL decoded, it looks like this:  
/announcements?server="><script>alert("XSS")</script>

This results in the base template rendering an htmx object that looks like this:

          <div hx-get\="/raptormc/api/html/announcements?server=&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;"
               hx-trigger\='load'
               hx-target\='#home'
               hx-swap\="innerHTML"
               hx-indicator\="#mainLoadingspinner"\>
          </div\>

Once the page loads, it makes a GET request to /raptormc/api/html/announcements?server=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E.

This request renders the announcements template, and includes an htmx object that looks like this:

      <div id\="server\_announcements"
           hx-get\="/api/servers/html/server\_announcements\_poll/?server="\><script\>alert("XSS")</script\>"
           hx-trigger="load"
           hx-target="#server\_announcements"
           hx-swap="outerHTML"\></div\>

As we can see, we were able to escape from the hx-get attribute as the template does not have autoescape enabled. We injected a script object which is then returned all the way to the original base template and executed, causing a cross-site scripting vulnerability to occur.

The PoC url to test this is https://SITE.COM/announcements?server=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C%2fscript%3E

**Impact**

This is a cross-site scripting vulnerability that affects all deployments of raptor-web on version 0.4.4. Any victim who clicks on a malicious crafted link will be affected.

Tag

#web