Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN168

_____________________________________________________________________

DATE                : 25/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache VCL versions prior to 
                                    2.5.2.

=====================================================================
https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4
https://lists.apache.org/thread/bq5vs0hndt9cz9b6rpfr5on1nd4qrmyr
_____________________________________________________________________

CVE-2024-53678: Apache VCL: SQL injection vulnerability in New Block
Allocation form

Affected versions:

- Apache VCL 2.2 through 2.5.1

Description:

Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection') vulnerability in Apache VCL. Users can modify form
data submitted when requesting a new Block Allocation such that a
SELECT SQL statement is modified. The data returned by the SELECT
statement is not viewable by the attacker.

This issue affects all versions of Apache VCL from 2.2 through 2.5.1.

Users are recommended to upgrade to version 2.5.2, which fixes the
issue.


Credit:

Chiencp and Nothing from TeamTonTac (finder)


References:

https://vcl.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-53678

_____________________________________________________________________


CVE-2024-53679: Apache VCL: XSS vulnerability in User Lookup
impacting user privileges
Affected versions:

- Apache VCL 2.1 through 2.5.1

Description:

Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') vulnerability in Apache VCL in the User
Lookup form. A user with sufficient rights to be able to view this
part of the site can craft a URL or be tricked in to clicking a URL
that will give a specified user elevated rights.


This issue affects all versions of Apache VCL through 2.5.1.


Users are recommended to upgrade to version 2.5.2, which fixes the
issue.


Credit:

Chiencp and Nothing from TeamTonTac (finder)


References:

https://vcl.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-53679


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================