Vulnerability in the Spreadsheet::ParseExcel Perl module used to compromise Barracuda ESG

A critical vulnerability (CVE-2023-7101) has been identified in the Perl module Spreadsheet::ParseExcel, which provides functions for parsing Excel files. It allows arbitrary code execution when processing XLS or XLSX files that contain specially crafted number-formatting rules. The vulnerability is caused by using data taken from the file being processed when constructing an "eval" call. The problem has been fixed in Spreadsheet::ParseExcel 0.66. A proof-of-concept exploit exists.

Vulnerable code:

```perl
# Excerpt from the vulnerable version: the conditional part of a number
# format (e.g. "[>100]0.00") is taken from the file and handed to eval.
if ( $format_str =~ /^\[([<>=][^\]]+)\](.*)$/ ) {
    $conditional = $1;
    $format_str  = $2;
}
...
$section = eval "$number $conditional" ? 0 : 1;
```

Exploit example that executes the whoami command:

```
1;system('whoami > /tmp/inject.txt')]123"/>
```
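As an added defensive illustration, not code from Spreadsheet::ParseExcel or from the 0.66 fix, the Perl sketch below replaces the string eval with an operator allow-list and a numeric check, so a conditional like the PoC string above is rejected before anything is compiled; select_section and the sample inputs are assumed names and constructed values.

```perl
# Added example, not code from Spreadsheet::ParseExcel or its 0.66 fix:
# a conditional-format check that never passes file-supplied text to eval.
use strict;
use warnings;

# Hypothetical helper. Takes the cell value and an Excel format string such
# as "[>100]0.00". Returns (section, remaining_format_str) using the same
# 0 : 1 convention as the vulnerable code, or dies on a malformed condition.
sub select_section {
    my ( $number, $format_str ) = @_;
    # Same outer pattern as the vulnerable code: peel "[...]" off the front.
    return ( 1, $format_str )
      unless $format_str =~ /^\[([<>=][^\]]+)\](.*)$/;
    my ( $conditional, $rest ) = ( $1, $2 );

    # Strict grammar: one operator from a fixed set, then a plain number.
    # Anything else, such as the "1;system(...)" PoC above, is rejected here
    # instead of being compiled by eval.
    my ( $op, $operand ) =
      $conditional =~ /^\s*(<=|>=|<>|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*$/
      or die "rejected unsafe conditional format: [$conditional]\n";

    # Explicit dispatch on the allow-listed operator; no code is generated.
    my %cmp = (
        '<'  => sub { $_[0] <  $_[1] },
        '<=' => sub { $_[0] <= $_[1] },
        '>'  => sub { $_[0] >  $_[1] },
        '>=' => sub { $_[0] >= $_[1] },
        '='  => sub { $_[0] == $_[1] },
        '<>' => sub { $_[0] != $_[1] },
    );
    my $section = $cmp{$op}->( $number, $operand ) ? 0 : 1;
    return ( $section, $rest );
}

# Constructed inputs: two legitimate conditional formats and the PoC string
# quoted above (without the trailing XML fragment).
my @cases = (
    [ 250, '[>100]0.00' ],
    [ 42,  '[>100]0.00' ],
    [ 1,   q{[>1;system('whoami > /tmp/inject.txt')]123} ],
);
for my $case (@cases) {
    my ( $num, $fmt ) = @$case;
    my ( $section, $rest ) = eval { select_section( $num, $fmt ) };
    print defined $section
      ? "$fmt with $num -> section $section, remaining format '$rest'\n"
      : "$fmt with $num -> $@";
}
```

The first two inputs select section 0 and 1 respectively; the third dies with the rejection message, and the embedded command is never executed.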

The vulnerability was discovered by Barracuda Networks while analysing an attack that implanted malware on Barracuda ESG (Email Security Gateway) appliances. The cause of the appliance compromise was a 0-day vulnerability (CVE-2023-7102) in the Spreadsheet::ParseExcel module, which Barracuda ESG used to parse email attachments in Excel format. To run attacker-supplied code on a system running Barracuda ESG, it was enough to send an email with a specially crafted attachment.

source: budenet.ru
