The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers.
"The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,"

Vulnerability / Web Server Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers.

"The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution," CISA said, adding an unnamed federal agency was targeted between June and July 2023.

The shortcoming affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, released on March 14, 2023, respectively.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

It was added by CISA to the Known Exploited Vulnerabilities (KEV) catalog a day later, citing evidence of active exploitation in the wild. Adobe, in an advisory released around that time, said it's aware of the flaw being "exploited in the wild in very limited attacks."

The agency noted that at least two public-facing servers were compromised using the flaw, both of which were running outdated versions of the software.

"Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion," CISA noted.

There is evidence to suggest that the malicious activity is a reconnaissance effort carried out to map the broader network, although no lateral movement or data exfiltration has been observed.

In one of the incidents, the adversary was observed traversing the filesystem and uploading various artifacts to the web server, including binaries that are capable of exporting web browser cookies as well as malware designed to decrypt passwords for ColdFusion data sources.

A second event recorded in early June 2023 entailed the deployment of a remote access trojan that's a modified version of the ByPassGodzilla web shell and "utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions."

Also undertaken by the adversary were attempts to exfiltrate the Windows Registry files as well as unsuccessfully download data from a command-and-control (C2) server.

"During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface," CISA said.

"The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-6458

**Mattermost Injection vulnerability**

High severity GitHub Reviewed Published Dec 6, 2023 to the GitHub Advisory Database • Updated Dec 8, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

< 7.8.14

gomod github.com/mattermost/mattermost/server/v (Go)

gomod github.com/mattermost/mattermost/server/v8 (Go)

< 8.1.5

\>= 9.0.0, < 9.0.3

**Description**

Published to the GitHub Advisory Database

Dec 6, 2023

GHSA-7664-hcp7-f497: Mattermost Injection vulnerability

Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution.
The list of vulnerabilities is below -

CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products
CVE-2023-22522 (CVSS score

Software Security / Vulnerability

Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution.

The list of vulnerabilities is below -

*   **CVE-2022-1471** (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products
*   **CVE-2023-22522** (CVSS score: 9.0) - Remote code execution vulnerability in Confluence Data Center and Confluence Server (affects all versions including and after 4.0.0)
*   **CVE-2023-22523** (CVSS score: 9.8) - Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server)
*   **CVE-2023-22524** (CVSS score: 9.6) - Remote code execution vulnerability in Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0)

Atlassian described CVE-2023-22522 as a template injection flaw that allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page, resulting in code execution.

The Assets Discovery flaw allows an attacker to perform privileged remote code execution on machines with the Assets Discovery agent installed, whereas CVE-2023-22524 could permit an attacker to achieve code execution by utilizing WebSockets to bypass Atlassian Companion's blocklist and macOS Gatekeeper protections.

The advisory comes nearly a month after the Australian software company revealed all versions of its Bamboo Data Center and Server products are impacted by an actively exploited critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0). Fixes have been released in versions 9.2.7, 9.3.5, and 9.4.1 or later.

With Atlassian products becoming lucrative attack vectors in recent years, it's highly recommended that users move quickly to update affected installations to a patched version.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution

Open redirect vulnerability in Pleasanter 1.3.47.0 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary web sites via a specially crafted URL.

**■概要**弊社製品「プリザンター」においてSAML認証の脆弱性、クロスサイトスクリプティング、オープンリダイレクトの脆弱性及びテンポラリデータのアクセス制御不備の脆弱性が存在することが判明しました。この脆弱性を悪用された場合、悪意ある第三者の攻撃により、外部の不正なサイトへの誘導やプリザンターに登録しているデータの情報漏洩や改ざんの危険性があります。  
この問題の影響を受けるプリザンターのバージョンを以下に示しますので、対策方法に記載する対応を実施してください。**■該当バージョンの確認方法**影響を受けるバージョンは以下の通りです。

1\. SAML認証の脆弱性  
・1.3.46.1以前の全てのバージョンでSAML認証を使用している場合  
　※Community Edition、Enterprise Editionどちらも該当します。  
　※1.2版、1.1版、0.51版、0.50版、0.49版以前も該当します。

2\. クロスサイトスクリプティング、オープンリダイレクトの脆弱性及びテンポラリデータのアクセス制御不備の脆弱性  
・1.3.47.0以前の全てのバージョン  
　※Community Edition、EnterpriseEditionどちらも該当します。  
　※1.2版、1.1版、0.51版、0.50版、0.49版以前も該当します。  
・バージョンの確認方法は以下のユーザマニュアルを参照願います。  
　「FAQ：プリザンターのバージョンを確認したい」  
　　https://pleasanter.org/manual/faq-version

**■脆弱性の説明および脆弱性がもたらす脅威****SAML認証の脆弱性**Sustainsys.Saml2 ライブラリは、ASP.NET Webサイトに SAML2P サポートを追加し、Webサイトが SAML2 サービス プロバイダーとして機能できるようにします。脆弱性のあるバージョンでは、応答が処理されるときにアイデンティティプロバイダー(ID プロバイダー)の発行者が十分に検証されていません。

悪意のあるIDプロバイダが偽のSaml2応答を作成できることにより、悪意のあるユーザに正規ユーザのなりすましを許してしまう可能性があります。

詳細はライブラリのIssueを参照してください。  
・Sustainsys/Saml2#712  
・Sustainsys/Saml2#713

**クロスサイトスクリプティング**ログインした一般ユーザが、内容、説明項目、コメント等に画像を張り付ける際のリクエストを不正に改ざんすることで、外部サイトへの誘導やスクリプトの不正実行ができる脆弱性が存在します。プリザンターにログインできない匿名ユーザは本脆弱性を用いた攻撃はできません。

攻撃者が設置したスクリプトにより、悪意のある外部サイトへの誘導や、プリザンターの管理者が攻撃者がスクリプトを設置したページを開いた場合にプリザンターの管理操作を意図せず実行させられる可能性があります。

**オープンリダイレクトの脆弱性**不正なログインURLに一般ユーザがログインを行った際に任意のサイトに誘導されてしまう脆弱性が存在します。  
悪意のある第三者が用意したログインURLにログインすることにより、悪意のある外部サイトへ誘導される可能性があります。**テンポラリデータのアクセス制御不備の脆弱性**一般ユーザがアップロードした任意のファイル用テンポラリデータ向けにランダムに生成されるURLを、ログインしている別のユーザが知り得た場合にテンポラリデータが閲覧できてしまう脆弱性が存在します。  
ユーザーがアップロードしたファイルが、ログイン済みの攻撃者に漏洩する可能性があります。**■対策方法**1\. SAML認証の脆弱性  
　・バージョン1.3.X、1.2.X、1.1.X、0.51.X、0.50.X、0.49.X以前をご利用のお客様  
　　1.3.47.0 以降（2023年9月22日リリース）にバージョンアップをしてください。  
　　※バージョンアップをせずに対策するための個別パッチの提供はございません。

2\. クロスサイトスクリプティング、オープンリダイレクトの脆弱性及びテンポラリデータのアクセス制御不備の脆弱性  
　・バージョン1.3.X、1.2.X、1.1.X、0.51.X、0.50.X、0.49.X以前をご利用のお客様  
　　1.3.48.0 以降（2023年10月16日リリース）にバージョンアップをしてください。  
　　※バージョンアップをせずに対策するための個別パッチの提供はございません。

・専用環境ご利用のお客様  
　別途スケジュール調整の上速やかにバージョンアップいたします。（再起動が必要です）

**■連絡先**本件につきまして、ご不明な点がございましたら以下よりお問い合わせ下さい。  
お問い合わせフォーム https://pleasanter.org/contact/

CVE-2023-46688: プリザンターにおける複数の脆弱性について | Pleasanter

The Email Subscription Popup plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the HTTP_REFERER header in all versions up to, and including, 1.2.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-6527: Email Subscription Popup <= 1.2.18 -  Reflected Cross-Site Scripting — Wordfence Intelligence

Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow execution of code.

Summary

CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

Advisory Release Date

Tue, Dec 5 2023 21:00 PST

Products

*   **Atlassian Companion** **App for MacOS** for
    
    *   Confluence Server
        
    *   Confluence Data Center
        

CVE ID

CVE-2023-22524

Related Jira Ticket(s)

CONFSERVER-93518

**Summary of Vulnerability**

All versions of the Atlassian Companion App for MacOS up to but not including 2.0.0 are affected by a Remote Code Execution (RCE) vulnerability, CVE-2023-22524. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow the execution of code.

The Atlassian Companion App is an optional desktop application that can be installed on users' devices to enhance the file editing experience in Confluence Data Center and Server. It enables users to edit files in their preferred desktop application before automatically saving those files to their Confluence instances. See “What You Need To Do” for detailed instructions.

_Note: If you are no longer using Confluence Data Center and Server and have the Atlassian Companion App installed, you may still be vulnerable. In this case, Atlassian recommends removing the Atlassian Companion App from your device._

This vulnerability affects the Atlassian Companion App **only**, not Confluence Data Center and Server or Cloud sites.

**The Atlassian Companion App for Windows is not impacted by this vulnerability.**

**Severity**

Atlassian rates the severity level of this vulnerability as critical (**9.6** with the vector **CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H**) per our internal assessment. This is our assessment, and you should evaluate its applicability to your own IT environment.

**Affected Versions**

This RCE vulnerability affects all versions of Atlassian Companion App for MacOS, up to but not including version 2.0.0.

**Product**

**Affected Versions**

Atlassian Companion App for MacOS

**All** versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability.

**What You Need To Do**

The Atlassian Companion App for MacOS will update automatically _during runtime_. Atlassian recommends that you confirm the version installed is one of the listed fixed versions (or any later version) below.

The fixed versions mentioned below may be incompatible with your Confluence Data Center and Server instance. You can find more details on Confluence version compatibility here.

**Product**

**Fixed Versions**

Atlassian Companion App for MacOS

*   2.0.0 or later
    

If you are not a current Confluence Data Center and Server customer please take action to uninstall the Atlassian Companion App.

**Apply temporary mitigations if unable to patch**

If the Atlassian Companion App for MacOS is not showing a fixed version, and you are unable to patch, you can completely mitigate this vulnerability by uninstalling the Atlassian Companion App.

**Frequently Asked Questions (FAQ)**

More details can be found on the Frequently Asked Questions (FAQ) page.

**Support**

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory that aren’t answered in the FAQ, please raise a support request at Atlassian Support.

**References**

Security Bug fix Policy

As per our new policy, critical security bug fixes will be back ported in accordance with Security Bugfix Policy | Atlassian. We will release new maintenance releases for the versions covered by the policy instead of binary patches.

**Binary patches are no longer released.** 

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.

CVE-2023-22524: CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS | Atlassian Support

CVE-2023-22524

A stored cross-site scripting (XSS) vulnerability in /admin.php of DaiCuo v2.5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2023-48940

Inappropriate implementation in Web Browser UI in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to potentially spoof the contents of an iframe dialog context menu via a crafted HTML page. (Chromium security severity: Low)

CVE-2023-6512: Stable Channel Update for Desktop

23andMe has provided more information about the scope and scale of its recent breach, but with these details come more unanswered questions.

More details are emerging about a data breach the genetic testing company 23andMe first reported in October. But as the company shares more information, the situation is becoming even murkier and creating greater uncertainty for users attempting to understand the fallout.

23andMe said at the beginning of October that attackers had infiltrated some of its users' accounts and piggybacked off of this access to scrape personal data from a larger subset of users through the company's opt-in, social sharing service known as DNA Relatives. At the time, the company didn't indicate how many users had been impacted, but hackers had already begun selling data on criminal forums that seemed to be taken from at least a million 23andMe users, if not more. In a US Securities and Exchange Commission filing on Friday, the company said that “the threat actor was able to access a very small percentage (0.1 %) of user accounts,” or roughly 14,000 given the company's recent estimate that it has more than 14 million customers.

Fourteen thousand is a lot of people in itself, but the number didn't account for the users impacted by the attacker's data-scraping from DNA Relatives. The SEC filing simply noted that the incident also involved “a significant number of files containing profile information about other users’ ancestry.”

On Monday, 23andMe confirmed to TechCrunch that the attackers collected the personal data of about 5.5 million people who had opted in to DNA Relatives, as well as information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed." 23andMe subsequently shared this expanded information with WIRED as well.

From the group of 5.5 million people, hackers stole display names, most recent login, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. In some cases, this group also had other data compromised, including ancestry reports and details about where on their chromosomes they and their relatives had matching DNA, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, links to self-created family trees, and other profile information. The smaller (but still massive) subset of 1.4 million impacted DNA Relatives users specifically had display names and relationship labels stolen and, in some cases, also had birth years and self-reported location data affected.

Asked why this expanded information wasn't in the SEC filing, 23andMe spokesperson Katie Watson tells WIRED that “we are only elaborating on the information included in the SEC filing by providing more specific numbers.”

23andMe has maintained that attackers used a technique known as credential stuffing to compromise the 14,000 user accounts—finding instances where leaked login credentials from other services were reused on 23andMe. In the wake of the incident, the company forced all of its users to reset their passwords and began requiring two-factor authentication for all customers. In the weeks after 23andMe initially disclosed its breach, other similar services. including Ancestry and MyHeritage, also began promoting or requiring two-factor authentication on their accounts.

In October and again this week, though, WIRED pressed 23andMe on its finding that the user account compromises were attributable solely to credential-stuffing attacks. The company has repeatedly declined to comment, but multiple users have noted that they are certain their 23andMe account usernames and passwords were unique and could not have been exposed somewhere else in another leak.

On Tuesday, for example, US National Security Agency cybersecurity director Rob Joyce noted on his personal X (formerly Twitter) account: “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” Joyce, who was apparently a 23andMe user impacted by the breach, wrote that he creates a unique email address for each company he makes an account with. “That account is used NOWHERE else and it was unsuccessfully stuffed,” he wrote, adding: “Personal opinion: @23andMe hack was STILL worse than they are owning with the new announcement.”

23andMe has not clarified how such accounts can be reconciled with the company's disclosures. Furthermore, it may be that the larger numbers of impacted users were not in the SEC report because 23andMe (like many companies that have suffered security breaches) does not want to include _scraped_ data in the category of _breached_ data. These inconsistencies, though, ultimately make it difficult for users to grasp the scale and impact of security incidents.

“I firmly believe that cyber-insecurity is fundamentally a policy problem,” says Brett Callow, a threat analyst at the security firm Emsisoft. “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It's counterproductive and helps only the cybercriminals.”

Meanwhile, apparent 23andMe user Kendra Fee flagged on Tuesday that 23andMe is notifying customers about changes to its terms of service related to dispute resolutions and arbitration. The company says that the changes will “encourage a prompt resolution of any disputes” and “streamline arbitration proceedings where multiple similar claims are filed.” Users can opt out of the new terms by notifying the company that they decline within 30 days of receiving notice of the change.

Tag

#web