Vulnerability in the Spreadsheet::ParseExcel Perl module used to compromise Barracuda ESG

A critical vulnerability (CVE-2023-7101) has been identified in the Perl module Spreadsheet::ParseExcel, which provides functions for parsing Excel files. It allows arbitrary code execution when processing XLS or XLSX files that contain specially crafted number format rules. The vulnerability is caused by the use of data taken from the file being processed when building an "eval" call. The problem was fixed in Spreadsheet::ParseExcel 0.66. A working example is available.

Vulnerable code:

    if ( $format_str =~ /^\[([<>=][^\]]+)\](.*)$/ ) {
        $conditional = $1;
        $format_str  = $2;
    }
    ...
    $section = eval "$number $conditional" ? 0 : 1;

Example of an exploit that runs the whoami command:

    1;system('whoami > /tmp/inject.txt')]123″/ >
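A hardened form of the conditional check described above, as an added example (it is not code from this page or from the Spreadsheet::ParseExcel project, and it is not the 0.66 fix): the bracket contents are matched against a strict operator-plus-number grammar and compared through a dispatch table, so nothing from the file reaches eval. The helper name section_for and the sample format strings are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Allowed comparison operators mapped to closures; no string is ever eval'd.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# Hypothetical helper: returns 0 if $number satisfies the leading [condition]
# of $format_str, 1 if it does not, and undef if there is no condition or the
# condition is not a plain "<operator><decimal number>" pair.
sub section_for {
    my ( $number, $format_str ) = @_;

    # Same outer match as the vulnerable code: capture the bracket contents.
    return unless $format_str =~ /^\[([<>=][^\]]+)\](.*)$/;
    my $conditional = $1;

    # Strict grammar: one known operator followed by one decimal literal.
    return
      unless $conditional =~ /\A(<=|>=|<>|<|>|=)\s*(-?(?:\d+\.?\d*|\.\d+))\z/;
    my ( $op, $operand ) = ( $1, $2 );

    return $COMPARE{$op}->( $number, $operand ) ? 0 : 1;
}

# Constructed sample format strings (not taken from real files).
my @samples = (
    [ 5,  '[>1]0.00' ],               # well-formed, condition true
    [ -3, '[>=0]0.00' ],              # well-formed, condition false
    [ 5,  '[>1;some_call()]123' ],    # extra statement after the operand
    [ 5,  '[<>abc]0' ],               # operand is not a number
);

for my $s (@samples) {
    my ( $number, $fmt ) = @$s;
    my $section = section_for( $number, $fmt );
    printf "%-22s number=%-3s -> %s\n", $fmt, $number,
      defined $section ? "section $section" : 'rejected';
}
```

A rejected format string is worth logging with the source file name, since a conditional that fails this grammar in an inbound attachment is a useful detection signal.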

The vulnerability was identified by Barracuda Networks while analysing an attack that placed malware on Barracuda ESG (Email Security Gateway) appliances. The cause of the device compromise was a 0-day vulnerability (CVE-2023-7102) in the Spreadsheet::ParseExcel module, which Barracuda ESG uses to parse Excel-format email attachments. To execute code on systems running Barracuda ESG, it was enough to send an email with a specially crafted attachment.

Source: opennet.ru
