Latest News

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS) in the /projects/profile, homepage endpoint via the last name field.

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users.

Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript.

### Impact OpenSearch versions 2.19.2 and earlier improperly apply Field Level Security (FLS) rules on fields which are not at the top level of the source document tree (i.e., which are members of a JSON object). If an FLS exclusion rule (like `~object`) is applied to an object valued attribute in a source document, the object is properly removed from the `_source` document in search and get results. However, any member attribute of that object remains available to search queries. This allows to reconstruct the original field contents using range queries. ### Patches The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3. ### Workarounds If FLS exclusion rules are used for object valued attributes (like `~object`), add an additional exclusion rule for the members of the object (like `~object.*`).

### Impact OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types `ip`, `geo_point`, `geo_shape`, `xy_point`, `xy_shape`. While the content of these fields is properly redacted in the `_source` document returned by search operations, the original unredacted values remain available to search queries. This allows to reconstruct the original field contents using range queries. Additionally, the content of fields of type `geo_point`, `geo_shape`, `xy_point`, `xy_shape` is returned in an unredacted form if requested via the `fields` option of the search API. ### Patches The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3. ### Workarounds If you cannot upgrade immediately, you can avoid the problem by using field level security (FLS) protection on fields of the affected types instead of field masking.