CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

Description: Integrity Technology Group was found complicit with Flax Typhoon as part of a broader Chinese strategy to infiltrate the IT systems of US critical infrastructure.
Source: Dark Reading
January 3rd, 2025 (6 months ago)
Description: Live Unredacted Ransomware Feed (Pro Subscribers)
Source: DarkWebInformer
January 3rd, 2025 (6 months ago)
Description: Alleged Data Leak of Port of Seattle
Source: DarkWebInformer
January 3rd, 2025 (6 months ago)
Description: Cross-Site Scripting (XSS) vulnerability in custom properties
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: the HTML page is generated without clearing custom properties
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateMeta
Exploitation conditions: a user viewing a specially generated Excel file
Mitigation: additional sanitization of special characters in a string
Researcher: Aleksey Solovev (Positive Technologies)
Research: The researcher discovered a zero-day vulnerability, "Cross-Site Scripting (XSS) vulnerability in custom properties", in Phpspreadsheet. The following code is written on the server, which translates the XLSX file into an HTML representation and displays it in the response.
Listing 9. Source code on the server
    <?php
    require __DIR__ . '/vendor/autoload.php';
    $inputFileName = './doc/Book1.xlsx';
    $spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
    $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
    print($writer->generateHTMLAll());
An attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code. The Excel file is unpacked and a custom ...
Source: Github Advisory Database (Composer)
January 3rd, 2025 (6 months ago)
Description: Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: the HTML page is formed without sanitizing the hyperlink base
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateHTMLHeader
Exploitation conditions: a user viewing a specially generated Excel file
Mitigation: additional sanitization of special characters in a string
Researcher: Aleksey Solovev (Positive Technologies)
Research: The researcher discovered a zero-day vulnerability, "Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header", in Phpspreadsheet. The following code is written on the server, which translates the XLSX file into an HTML representation and displays it in the response.
Listing 8. Source code on the server
    <?php
    require __DIR__ . '/vendor/autoload.php';
    $inputFileName = './doc/Book1.xlsx';
    $spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
    $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
    print($writer->generateHTMLAll());
An attacker can embed a payload in a file property that will result in the execution of arbitrary J...
Source: Github Advisory Database (Composer)
January 3rd, 2025 (6 months ago)
Description: Bypass XSS sanitizer using the javascript protocol and special characters
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow
Exploitation conditions: a user viewing a specially generated Excel file
Mitigation: additional sanitization of special characters in a string
Researcher: Aleksey Solovev (Positive Technologies)
Research: The researcher discovered a zero-day vulnerability, "Bypass XSS sanitizer using the javascript protocol and special characters", in Phpspreadsheet. The following code is written on the server, which translates the XLSX file into an HTML representation and displays it in the response.
Listing 6. Source code on the server
    <?php
    require __DIR__ . '/vendor/autoload.php';
    $inputFileName = './doc/Book1.xlsx';
    $spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
    $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
    print($writer->generateHTMLAll());
An attacker can use special characters so that th...
Source: Github Advisory Database (Composer)
January 3rd, 2025 (6 months ago)
Description: The proposed settlement would amount to roughly $20 per Apple product that has Siri enabled, for each plaintiff.
Source: Dark Reading
January 3rd, 2025 (6 months ago)
Description: The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field.
Impact: An attacker could trick the user into copying and pasting a malicious javascript: URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. See https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8
Patches: Update Recommendation: Users should upgrade to Trix editor version 2.1.12 or later.
Workarounds: This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.
References: https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8
Credits: This vulnerability was reported by Hackerone researcher https://hackerone.com/lio346?type=user
References:
https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg
https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa
https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93
https://gist.github.com/th4s1s/3921fd9c3e324ad9...
Source: Github Advisory Database (NPM)
January 3rd, 2025 (6 months ago)
Description: Omnisci3nt: Unveiling the Hidden Layers of the Web – A Comprehensive Web Reconnaissance Tool
Source: DarkWebInformer
January 3rd, 2025 (6 months ago)
Description:
Impact (What kind of vulnerability is it? Who is impacted?): The PULL mode clusters registered with the karmadactl register command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters.
Patches (Has the problem been patched? What versions should users upgrade to?): Since Karmada v1.12.0, the karmadactl register command restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada.
Workarounds (Is there a way for users to fix or remediate the vulnerability without upgrading?): Restrict the access permissions of pull mode member clusters to control plane resources according to the Karmada Component Permissions Docs.
References (Are there any links users can visit to find out more?):
Enhancements made from the Karmada community: https://github.com/karmada-io/karmada/pull/5793
Karmada Component Permissions: https://karmada.io/docs/administrator/security/component-permission
References:
https://github.com/karmada-io/karmada/security/advisories/GHSA-mg7w-c9x2-xh7r
https://github.com/karmada-io/karmada/pull/5793
https://github.com/karmada-io/karmada/commit/2c82055c4c7f469411b1ba48c4dba4841df04831
https://karmada.io/docs/admin...
Source: Github Advisory Database (Go)
January 3rd, 2025 (6 months ago)