Hello everyone!
https://nvd.nist.gov/vuln/detail/CVE-2023-34407
Another exploit / vulnerability CYBIR discovered has just been disclosed, an
LFI / System service compromise of Harbinger Offline Player.
I strongly suggest checking your systems for this; it is repackaged in
professional training platforms for professionals (cough... like CPAs... I
initially discovered it in a Checkpoint training component).
CRITICAL!
The vulnerability allows for full compromise of data and endpoints due to
failure to validate web application parameters and excessive rights.
Turn on your firewall, downgrade the service rights, and update when the
component is fixed.
I put a PoC up on the site if you want to test:
https://cybir.com/2023/cve/proof-of-concept-checkpoint-learning-harbinger-systems-offline-player-multiple-poc-for-cl-4-0-6-0-2-lfi-excessive-rights/
Ken Pyle
M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
CYBIR.com
Main: 267-540-3337
Direct: 484-498-8340
Email: kp@xxxxxxxxx
Website: www.cybir.com
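The bug class named above (a web parameter that is joined to a file path without validation, giving local file inclusion) is illustrated here with an added example that is not part of the original post and not the Harbinger product's code. The content root, the request parameters and the function names are constructed for this illustration; the point is the shape of the missing check and its hardened form.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed content root for a hypothetical local "offline player" web server.
# Not the real product layout; used only to show the check.
CONTENT_ROOT = "/opt/offline-player/content"


def resolve_unvalidated(root: str, requested: str) -> str:
    """The failure mode: the request parameter is joined to the content root and
    served as-is. Traversal sequences and absolute paths leave the directory,
    which is local file inclusion (LFI)."""
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_validated(root: str, requested: str) -> Optional[str]:
    """Hardened form: canonicalise the joined path and require that it still lies
    under the content root. Returns None when the request is rejected."""
    if not requested or "\x00" in requested:
        return None
    # Treat both separators alike so '..\\' sequences are not missed on POSIX.
    normalised = requested.replace("\\", "/")
    if normalised.startswith("/"):
        return None  # an absolute path can never be content
    candidate = posixpath.normpath(posixpath.join(root, normalised))
    # Lexical containment check. A deployed server should apply the same test to
    # os.path.realpath(candidate) so that symlinks cannot re-open the escape.
    if not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


def resolve_request(root: str, raw_param: str) -> Optional[str]:
    """Decode the URL parameter first, then validate: checking before decoding
    lets '%2e%2e%2f' slip past a naive '../' filter."""
    return resolve_validated(root, unquote(raw_param))


def demo() -> dict:
    """Run the constructed request parameters through both resolvers."""
    samples = {
        "normal": "lessons/module1/index.html",
        "dotdot_inside_root": "lessons/../index.html",
        "traversal": "../../../etc/passwd",
        "absolute": "/etc/passwd",
        "backslash": "..\\..\\..\\etc\\passwd",
        "url_encoded": "..%2F..%2F..%2Fetc%2Fpasswd",
    }
    return {
        name: {
            "unvalidated": resolve_unvalidated(CONTENT_ROOT, unquote(param)),
            "validated": resolve_request(CONTENT_ROOT, param),
        }
        for name, param in samples.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} unvalidated={result['unvalidated']}  validated={result['validated']}")
```

The second half of the advisory, excessive service rights, is what turns this from a file read into "full compromise of endpoints": the same traversal served by a process running as a local administrator or SYSTEM reads anything on the disk. Containment on the path plus a service account with read access only to the content directory closes both halves.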