The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

CVE-2022-3915

The Icegram Express WordPress plugin before 5.5.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber

CVE-2022-3981

The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability.

CVE-2022-3605

The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.

CVE-2022-3900

A vulnerability within the web-based management interface of Aruba EdgeConnect Enterprise could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-018 CVE: CVE-2022-37919, CVE-2022-37920, CVE-2022-37921, CVE-2022-37922, CVE-2022-37923, CVE-2022-37924, CVE-2022-37925, CVE-2022-37926, CVE-2022-43518, CVE-2022-43541, CVE-2022-43542, CVE-2022-44532, CVE-2022-44533 Publication Date: 2022-Nov-22 Status: Confirmed Severity: High Revision: 1 Title ===== Multiple Vulnerabilities in Aruba EdgeConnect Enterprise Overview ======== Aruba has released patches for Aruba EdgeConnect Enterprise that address multiple security vulnerabilities. Affected Products ================= - Aruba EdgeConnect Enterprise - ECOS 9.2.1.0 and below - ECOS 9.1.3.0 and below - ECOS 9.0.7.0 and below - ECOS 8.3.7.1 and below Versions of Aruba EdgeConnect Enterprise that are end of life are affected by these vulnerabilities unless otherwise indicated. Unaffected Products =================== Any other Aruba products not specifically listed above are not affected by these vulnerabilities. Details ======= Unauthenticated Denial-of-Service (DoS) Condition in Aruba EdgeConnect Enterprise API (CVE-2022-37919) -------------------------------------------------------------- A vulnerability exists in the API of Aruba EdgeConnect Enterprise. An unauthenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition which prevents the appliance from properly responding to API requests. Internal Reference: ATLSP-2 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered by Aruba's internal engineering team Authenticated Remote Code Execution in Aruba EdgeConnect Enterprise Command Line Interface Leading to Full System Compromise (CVE-2022-37920, CVE-2022-37921, CVE-2022-37922, CVE-2022-37923, CVE-2022-37924, CVE-2022-43541, CVE-2022-43542) --------------------------------------------------------------------- Vulnerabilities in the Aruba EdgeConnect Enterprise command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLSP-31, ATLSP-32, ATLSP-36, ATLSP-37, ATLSP-39, ATLSP-41, ATLSP-46 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Bill Marquette, Daniel Jensen (@dozernz), and Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Authenticated Remote Code Execution in Aruba EdgeConnect Enterprise Web Management Interface Leading to Full System Compromise (CVE-2022-44533) --------------------------------------------------------------------- A vulnerability in the Aruba EdgeConnect Enterprise web management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLSP-52 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Reflected Cross Site Scripting Vulnerability (XSS) in Aruba EdgeConnect Enterprise Web Management Interface (CVE-2022-37925) --------------------------------------------------------------------- A vulnerability within the web-based management interface of Aruba EdgeConnect Enterprise could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. Internal References: ATLSP-35 Severity: Medium CVSSv3 Overall Score: 6.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Stored Cross Site Scripting Vulnerability (XSS) in EdgeConnect Enterprise Web Management Interface via File Upload (CVE-2022-37926) --------------------------------------------------------------------- A vulnerability within the web-based management interface of EdgeConnect Enterprise could allow a remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface by uploading a specially crafted file. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. Internal References: ATLSP-40 Severity: Medium CVSSv3 Overall Score: 5.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by Bill Marquette via Aruba's Bug Bounty Program. Authenticated Remote Path Traversal in Aruba EdgeConnect Enterprise Web Interface Allows for Arbitrary File Read (CVE-2022-43518) --------------------------------------------------------------------- An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise web interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. Internal References: ATLSP-24 Severity: Medium CVSSv3 Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Remote Path Traversal in Aruba EdgeConnect Enterprise Command Line Interface Allows for Arbitrary File Read (CVE-2022-44532) --------------------------------------------------------------------- An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. Internal References: ATLSP-29 Severity: Medium CVSSv3 Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Resolution ========== Upgrade Aruba EdgeConnect Enterprise to one of the following versions to resolve all issues noted in the details section. - Aruba EdgeConnect Enterprise - ECOS 9.2.2.0 and above - ECOS 9.1.4.0 and above - ECOS 9.0.8.0 and above - ECOS 8.3.8.0 and above Aruba does not evaluate or patch product versions that have reached their End of Support (EoS) milestone. Supported versions as of the publication date of this advisory are: - Aruba EdgeConnect Enterprise 9.2.x - Aruba EdgeConnect Enterprise 9.1.x - Aruba EdgeConnect Enterprise 9.0.x - Aruba EdgeConnect Enterprise 8.3.x For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-Nov-22 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmNjx2sXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtl8Ugf+NPYBlbSRZBuitTDhuAA1aqh3 b3Iy08BQK/U7NLHSwHpJUFyv7+at54/Mp57RiruBOvp0xcVpsCzJE+lY6qXtaAaY utQYcXNCcz+8G3gWe7DXrUikMk56k9i/+VDSvQJ1Fn7RCm89iwnHauoVQVi4Kh6u b/vCyCyljWBFNxA2JGjGiKqJbj6tp9ErowwTGqzwyw1TieH5Fzo/lIR4mPvT0itd t7HhQIlCrkSb0nj8qLvG+g25XZ+ToHGOP4Xda5M7ISn4kKxUkpQfjptXR3HgKNOm gG641FqqP3ZGOqwF6dyxslo0JU7Em3zbJIyTC+23fVF9EpARFudrJbspUYHLsA== =ciDp -----END PGP SIGNATURE-----

CVE-2022-37925

Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. Google Login Plugin 1.7 only redirects to relative (Jenkins) URLs.



**Jenkins Google Login Plugin Open Redirect vulnerability**

Moderate severity GitHub Reviewed Published Dec 12, 2022 • Updated Dec 12, 2022

GHSA-v93c-cxj5-c398: Jenkins Google Login Plugin Open Redirect vulnerability

A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.

*   Cisco will release free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
    
    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:  
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
    
    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    
    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
    
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Customers Without Service Contracts**
    
    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
    
    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    
    **Fixed Releases**
    
    In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.
    
    Cisco IP Phone Firmware Release
    
    First Fixed Release
    
    14.2 and earlier
    
    14.2(1) (Jan 2023)
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

CVE-2022-20968: Cisco Security Advisory: Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability

Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Checkmarx Plugin
*   Custom Build Properties Plugin
*   Gitea Plugin
*   Google Login Plugin
*   Plot Plugin
*   Sonar Gerrit Plugin
*   Spring Config Plugin

**Descriptions****XXE vulnerability in Plot Plugin**

**SECURITY-2940 / CVE-2022-46682**  
**Severity (CVSS):** High  
**Affected plugin: plot**  
**Description:**

Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Plot Plugin 2.1.12 disables external entity resolution for its XML parser.

**Open redirect vulnerability in Google Login Plugin**

**SECURITY-2967 / CVE-2022-46683**  
**Severity (CVSS):** Medium  
**Affected plugin: google-login**  
**Description:**

Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

Google Login Plugin 1.7 only redirects to relative (Jenkins) URLs.

**Stored XSS vulnerability in Checkmarx Plugin**

**SECURITY-2869 / CVE-2022-46684**  
**Severity (CVSS):** High  
**Affected plugin: checkmarx**  
**Description:**

Checkmarx Plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI.

Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site scripting (XSS) vulnerability.

While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, this could still be exploited via man-in-the-middle attacks.

Checkmarx Plugin 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.

**Improper credentials masking in Gitea Plugin**

**SECURITY-2661 / CVE-2022-46685**  
**Severity (CVSS):** Medium  
**Affected plugin: gitea**  
**Description:**

Gitea Plugin support authentication with Gitea personal access tokens.

In Gitea Plugin 1.4.4 and earlier, the implementation of these tokens did not support credentials masking. This can expose Gitea personal access tokens in the build log, e.g., when printed as part of repository URLs.

Gitea Plugin 1.4.5 adds support for masking of Gitea personal access tokens.

Administrators unable to update are advised to use SSH checkout instead.

**Stored XSS vulnerability in Custom Build Properties Plugin**

**SECURITY-2810 / CVE-2022-46686**  
**Severity (CVSS):** High  
**Affected plugin: custom-build-properties**  
**Description:**

Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.

Custom Build Properties Plugin 2.82.v16d5b\_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.

**Stored XSS vulnerability in Spring Config Plugin**

**SECURITY-2814 / CVE-2022-46687**  
**Severity (CVSS):** High  
**Affected plugin: spring-config**  
**Description:**

Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

Spring Config Plugin 2.0.1 escapes build display names shown on the Spring Config view.

**CSRF vulnerability in Sonar Gerrit Plugin**

**SECURITY-1002 / CVE-2022-46688**  
**Severity (CVSS):** Medium  
**Affected plugin: sonar-gerrit**  
**Description:**

Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

**Severity**

*   SECURITY-1002: Medium
*   SECURITY-2661: Medium
*   SECURITY-2810: High
*   SECURITY-2814: High
*   SECURITY-2869: High
*   SECURITY-2940: High
*   SECURITY-2967: Medium

**Affected Versions**

*   **Checkmarx Plugin** up to and including 2022.3.3
*   **Custom Build Properties Plugin** up to and including 2.79.vc095ccc85094
*   **Gitea Plugin** up to and including 1.4.4
*   **Google Login Plugin** up to and including 1.6
*   **Plot Plugin** up to and including 2.1.11
*   **Sonar Gerrit Plugin** up to and including 377.v8f3808963dc5
*   **Spring Config Plugin** up to and including 2.0.0

**Fix**

*   **Checkmarx Plugin** should be updated to version 2022.4.3
*   **Custom Build Properties Plugin** should be updated to version 2.82.v16d5b\_d3590c7
*   **Gitea Plugin** should be updated to version 1.4.5
*   **Google Login Plugin** should be updated to version 1.7
*   **Plot Plugin** should be updated to version 2.1.12
*   **Spring Config Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Sonar Gerrit Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Asi Greenholts of Cider Security** for SECURITY-2661
*   **CC Bomber, Kitri BoB** for SECURITY-2940
*   **Kevin Guerroudj, CloudBees, Inc. and Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2810, SECURITY-2869
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1002
*   **Valdes Che Zogou, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2967

CVE-2022-46683: Jenkins Security Advisory 2022-12-07

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-46682: Jenkins Security Advisory 2022-12-07

Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

Tag

#perl