Widely used open-source digital experience platform Pimcore has two newly-patched security vulnerabilities, which could have been chained to enable arbitrary code execution, reports SecurityWeek.
Both flaws, an SQL injection bug and a path traversal vulnerability, are being tracked as CVE-2023-28438 and were discovered in an admin-only GET request endpoint that lacked CSRF protection. The endpoint's exportFile parameter was not sanitized before being joined to the web root path, which gave an attacker control over the CSV output file's path, name, and extension, enough to create a PHP file, according to SonarSource.
"The impact of [the] path traversal and arbitrary extension is limited (creation of arbitrary files and appending data to existing files) but when combined with the SQL Injection, the exported data can be controlled and a webshell can be uploaded. Attackers can use that to execute arbitrary PHP code on the server with the permissions of the webserver," said Pimcore.
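The defensive counterpart to the flaw described above is to treat an export file name supplied by a request as untrusted: reject anything with directory components, pin the extension to the export format, and confirm the resolved path still lies inside the intended export directory. The following is an added illustration written for this digest, not code from Pimcore or SonarSource; the function name, the `/tmp/exports` directory and the sample file names are assumptions constructed for the example.

```python
import os
from pathlib import Path

# Only the format the endpoint actually exports; anything else is refused.
ALLOWED_EXTENSIONS = {".csv"}


def safe_export_path(export_dir: str, export_file: str) -> str:
    """Return an absolute path for export_file inside export_dir.

    Raises ValueError when the name carries path separators, traversal
    components, a NUL byte, a disallowed extension, or when the resolved
    path would land outside export_dir. (Hypothetical helper for this
    example.)
    """
    if not export_file or export_file in (".", ".."):
        raise ValueError("empty or traversal-only file name")
    if "\x00" in export_file:
        raise ValueError("NUL byte in file name")
    # Reject both separator styles so a backslash is not passed through on POSIX.
    if any(sep in export_file for sep in ("/", "\\")):
        raise ValueError("file name must not contain directory components")
    if export_file != os.path.basename(export_file):
        raise ValueError("file name must be a bare name")

    ext = os.path.splitext(export_file)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not an allowed export type")

    # Resolve both sides so symlinks and '..' cannot move the target out of
    # the export directory; the parent of the final path must be that directory.
    base = Path(export_dir).resolve()
    target = (base / export_file).resolve()
    if target.parent != base:
        raise ValueError("resolved path escapes the export directory")
    return str(target)


def is_safe_export_name(export_dir: str, export_file: str) -> bool:
    """Boolean wrapper used for checks and tests."""
    try:
        safe_export_path(export_dir, export_file)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, several that should be refused.
    samples = ["users.csv", "../../web/shell.php", "report.php", "data.CSV", "a/b.csv"]
    for name in samples:
        print(f"{name!r:28} -> {'accepted' if is_safe_export_name('/tmp/exports', name) else 'rejected'}")
```

The extension check runs on the lowercased suffix, so `data.CSV` is accepted as a CSV; if the export directory is served by the web server, the allow-list should still exclude every interpreter-handled extension, which is the property this check enforces.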
Ahead of its imminent approval, the Biden administration's proposed executive order mandating U.S. cloud infrastructure-as-a-service providers to strengthen the verification of their users' identities has received industry opposition due to the increased financial and logistical burdens that would arise from such a rule, according to The Record, a news site by cybersecurity firm Recorded Future.
U.S. independent record label Empire Distribution, which has worked with Kendrick Lamar, Snoop Dogg, and 50 Cent, had its sensitive data exposed as a result of an environment file misconfiguration, Cybernews reports.
A look back at the Heartbleed bug, measuring its legacy and impact, and how some view one of cybersecurity's biggest headaches as an important learning moment.