In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between January 23-24, 2024.
During this period, The National Vulnerability Database published 139, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 4
High: 13
Medium: 12
Low: 0
Severity Not Assigned: 110
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-23342
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.2
Description: The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.
References: https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
https://minerva.crocs.fi.muni.cz/
https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
CWE-ID: CWE-203 CWE-208 CWE-385
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-23345
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 5.3
Description: Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.
References: https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80
https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce
https://github.com/nautobot/nautobot/pull/5133
https://github.com/nautobot/nautobot/pull/5134
https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-22768
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-22769
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-22770
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-22771
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-22772
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-23842
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-49657
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.
For 2.X versions, users should change their config to include:
TALISMAN_CONFIG = {
"content_security_policy": {
"base-uri": ["'self'"],
"default-src": ["'self'"],
"img-src": ["'self'", "blob:", "data:"],
"worker-src": ["'self'", "blob:"],
"connect-src": [
"'self'",
" https://api.mapbox.com" https://api.mapbox.com" ;,
" https://events.mapbox.com" https://events.mapbox.com" ;,
],
"object-src": "'none'",
"style-src": [
"'self'",
"'unsafe-inline'",
],
"script-src": ["'self'", "'strict-dynamic'"],
},
"content_security_policy_nonce_in": ["script-src"],
"force_https": False,
"session_cookie_secure": False,
}
References: http://www.openwall.com/lists/oss-security/2024/01/23/5
https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-50274
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: HPE OneView may allow command injection with local privilege escalation.
References: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04586en_us
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-50275
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: HPE OneView may allow clusterService Authentication Bypass resulting in denial of service.
References: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04586en_us
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-22203
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a GET request on lines 339-343 in `request.py`, which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4.
References: https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/request.py#L339-L343
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L465-L490
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L466
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L476
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L479
https://github.com/benbusby/whoogle-search/commit/3a2e0b262e4a076a20416b45e6b6f23fd265aeda
https://securitylab.github.com/advisories/GHSL-2023-186_GHSL-2023-189_benbusby_whoogle-search/
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-22205
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `window` endpoint does not sanitize user-supplied input from the `location` variable and passes it to the `send` method which sends a `GET` request on lines 339-343 in `request.py,` which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4.
References: https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/request.py#L339-L343
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L479
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L496-L557
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L497
https://github.com/benbusby/whoogle-search/commit/3a2e0b262e4a076a20416b45e6b6f23fd265aeda
https://securitylab.github.com/advisories/GHSL-2023-186_GHSL-2023-189_benbusby_whoogle-search/
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-23636
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like `-Drpc_serialize_blacklist_override=org.apache.xpath.` to avoid this issue.
References: https://github.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76
https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
15. CVE-2023-6926
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description:
There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
16. CVE-2023-7238
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description:
A XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim's browser.
References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
17. CVE-2023-47115
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.
The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed.
Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.
References: https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between January 23-24, 2024.
During this period, The National Vulnerability Database published 139, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 4
High: 13
Medium: 12
Low: 0
Severity Not Assigned: 110
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-23342
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.2
Description: The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.
References: https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
https://minerva.crocs.fi.muni.cz/
https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
CWE-ID: CWE-203 CWE-208 CWE-385
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-23345
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 5.3
Description: Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.
References: https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80
https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce
https://github.com/nautobot/nautobot/pull/5133
https://github.com/nautobot/nautobot/pull/5134
https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-22768
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-22769
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-22770
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-22771
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-22772
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-23842
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
References: http://www.hitron.co.kr/firmware/
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-49657
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.
For 2.X versions, users should change their config to include:
TALISMAN_CONFIG = {
"content_security_policy": {
"base-uri": ["'self'"],
"default-src": ["'self'"],
"img-src": ["'self'", "blob:", "data:"],
"worker-src": ["'self'", "blob:"],
"connect-src": [
"'self'",
" https://api.mapbox.com" https://api.mapbox.com" ;,
" https://events.mapbox.com" https://events.mapbox.com" ;,
],
"object-src": "'none'",
"style-src": [
"'self'",
"'unsafe-inline'",
],
"script-src": ["'self'", "'strict-dynamic'"],
},
"content_security_policy_nonce_in": ["script-src"],
"force_https": False,
"session_cookie_secure": False,
}
References: http://www.openwall.com/lists/oss-security/2024/01/23/5
https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-50274
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: HPE OneView may allow command injection with local privilege escalation.
References: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04586en_us
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-50275
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: HPE OneView may allow clusterService Authentication Bypass resulting in denial of service.
References: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04586en_us
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-22203
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a GET request on lines 339-343 in `request.py`, which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4.
References: https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/request.py#L339-L343
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L465-L490
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L466
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L476
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L479
https://github.com/benbusby/whoogle-search/commit/3a2e0b262e4a076a20416b45e6b6f23fd265aeda
https://securitylab.github.com/advisories/GHSL-2023-186_GHSL-2023-189_benbusby_whoogle-search/
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-22205
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `window` endpoint does not sanitize user-supplied input from the `location` variable and passes it to the `send` method which sends a `GET` request on lines 339-343 in `request.py,` which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4.
References: https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/request.py#L339-L343
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L479
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L496-L557
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L497
https://github.com/benbusby/whoogle-search/commit/3a2e0b262e4a076a20416b45e6b6f23fd265aeda
https://securitylab.github.com/advisories/GHSL-2023-186_GHSL-2023-189_benbusby_whoogle-search/
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-23636
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like `-Drpc_serialize_blacklist_override=org.apache.xpath.` to avoid this issue.
References: https://github.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76
https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
15. CVE-2023-6926
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description:
There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
16. CVE-2023-7238
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description:
A XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim's browser.
References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
17. CVE-2023-47115
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.
The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed.
Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.
References: https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found