Red Hat Security Advisory 2023-2256-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include buffer overflow, bypass, code execution, information leakage, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security and bug fix update  
Advisory ID:       RHSA-2023:2256-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2256  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-32886 CVE-2022-32888 CVE-2022-32923  
                   CVE-2022-42799 CVE-2022-42823 CVE-2022-42824  
                   CVE-2022-42826 CVE-2022-42852 CVE-2022-42863  
                   CVE-2022-42867 CVE-2022-46691 CVE-2022-46692  
                   CVE-2022-46698 CVE-2022-46699 CVE-2022-46700  
                   CVE-2023-23517 CVE-2023-23518 CVE-2023-25358  
                   CVE-2023-25360 CVE-2023-25361 CVE-2023-25362  
                   CVE-2023-25363  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: use-after-free issue leading to arbitrary code execution  
(CVE-2022-42826)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-23517)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-23518)

* webkitgtk: buffer overflow issue was addressed with improved memory  
handling (CVE-2022-32886)

* webkitgtk: out-of-bounds write issue was addressed with improved bounds  
checking (CVE-2022-32888)

* webkitgtk: correctness issue in the JIT was addressed with improved  
checks (CVE-2022-32923)

* webkitgtk: issue was addressed with improved UI handling (CVE-2022-42799)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2022-42823)

* webkitgtk: sensitive information disclosure issue (CVE-2022-42824)

* webkitgtk: memory disclosure issue was addressed with improved memory  
handling (CVE-2022-42852)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-42863)

* webkitgtk: use-after-free issue leading to arbitrary code execution  
(CVE-2022-42867)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46691)

* webkitgtk: Same Origin Policy bypass issue (CVE-2022-46692)

* webkitgtk: logic issue leading to user information disclosure  
(CVE-2022-46698)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46699)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46700)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild()  
(CVE-2023-25358)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer()  
(CVE-2023-25360)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling()  
(CVE-2023-25361)

* webkitgtk: heap-use-after-free in  
WebCore::RenderLayer::repaintBlockSelectionGaps() (CVE-2023-25362)

* webkitgtk: heap-use-after-free in  
WebCore::RenderLayer::updateDescendantDependentFlags() (CVE-2023-25363)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2127467 - Upgrade WebKitGTK for RHEL 9.2  
2128643 - CVE-2022-32886 webkitgtk: buffer overflow issue was addressed with improved memory handling  
2140501 - CVE-2022-32888 webkitgtk: out-of-bounds write issue was addressed with improved bounds checking  
2140502 - CVE-2022-32923 webkitgtk: correctness issue in the JIT was addressed with improved checks  
2140503 - CVE-2022-42799 webkitgtk: issue was addressed with improved UI handling  
2140504 - CVE-2022-42824 webkitgtk: sensitive information disclosure issue  
2140505 - CVE-2022-42823 webkitgtk: type confusion issue leading to arbitrary code execution  
2156986 - CVE-2022-42852 webkitgtk: memory disclosure issue was addressed with improved memory handling  
2156987 - CVE-2022-42863 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156989 - CVE-2022-42867 webkitgtk: use-after-free issue leading to arbitrary code execution  
2156990 - CVE-2022-46691 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156991 - CVE-2022-46692 webkitgtk: Same Origin Policy bypass issue  
2156992 - CVE-2022-46698 webkitgtk: logic issue leading to user information disclosure  
2156993 - CVE-2022-46699 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156994 - CVE-2022-46700 webkitgtk: memory corruption issue leading to arbitrary code execution  
2167715 - CVE-2023-23518 webkitgtk: memory corruption issue leading to arbitrary code execution  
2167716 - CVE-2022-42826 webkitgtk: use-after-free issue leading to arbitrary code execution  
2167717 - CVE-2023-23517 webkitgtk: memory corruption issue leading to arbitrary code execution  
2175099 - CVE-2023-25358 webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild()  
2175101 - CVE-2023-25360 webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer()  
2175103 - CVE-2023-25361 webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling()  
2175105 - CVE-2023-25362 webkitgtk: heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps()  
2175107 - CVE-2023-25363 webkitgtk: heap-use-after-free in WebCore::RenderLayer::updateDescendantDependentFlags()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.38.5-1.el9.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el9.i686.rpm  
webkit2gtk3-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el9.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32886  
https://access.redhat.com/security/cve/CVE-2022-32888  
https://access.redhat.com/security/cve/CVE-2022-32923  
https://access.redhat.com/security/cve/CVE-2022-42799  
https://access.redhat.com/security/cve/CVE-2022-42823  
https://access.redhat.com/security/cve/CVE-2022-42824  
https://access.redhat.com/security/cve/CVE-2022-42826  
https://access.redhat.com/security/cve/CVE-2022-42852  
https://access.redhat.com/security/cve/CVE-2022-42863  
https://access.redhat.com/security/cve/CVE-2022-42867  
https://access.redhat.com/security/cve/CVE-2022-46691  
https://access.redhat.com/security/cve/CVE-2022-46692  
https://access.redhat.com/security/cve/CVE-2022-46698  
https://access.redhat.com/security/cve/CVE-2022-46699  
https://access.redhat.com/security/cve/CVE-2022-46700  
https://access.redhat.com/security/cve/CVE-2023-23517  
https://access.redhat.com/security/cve/CVE-2023-23518  
https://access.redhat.com/security/cve/CVE-2023-25358  
https://access.redhat.com/security/cve/CVE-2023-25360  
https://access.redhat.com/security/cve/CVE-2023-25361  
https://access.redhat.com/security/cve/CVE-2023-25362  
https://access.redhat.com/security/cve/CVE-2023-25363  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo08tzjgjWX9erEAQizzA//ZfzdltwdtCXIOyqB+fCYF071RAjvFVho  
gGI/whuz9NHfhE1rFBw/C4pwVbauyRLEb8woNd6YM1fjr8itYOcvO1oFp8VU5sVr  
pC87bfUitNVO2nuZ/tbcM8HAz30HqjEV63o8PEJlRVz44+kY5RVlRIO+1dqWImYc  
Tv39Cd3NYB1BVNKQXB+sHZa11aSdFoJsPmMDyP2CRR+/hc5rwfPtqMYf5Nuwkf5+  
M25FubVdNJKJOvaxrqvqmJ52kA6bzazo9mX1fYUahPUtiiQlp6O1x5WgP/AqsoO/  
ZXy2dWFu7kUlq9ATL0YbhDmNUZVbYVBajobmvFXXpLklvI0iothfcX8mQXsSvy1Y  
ZBYShGu88cpS+qrn7jOTmkjNIWHFNHlhJs1JUdZ6zkN1IkXTyI7jaOmxCC5/elac  
SrNTweI/G3zA2QosLwdJMpsSPi2EHU10S/SiSx8VZaehLgkkY0NRW77c4CdlPs5z  
5/JldynPytqNqSxxT/4kYprTyrR7JnL/6BL0oqOGK2+aAiJdWx9bwjm9SD4lOwOe  
QPZUtkL7GWRccAjagX8YFccoJu9nOdNSAObJyDYXVRS1rftqOdYn6RYU8FHHCCOv  
g0cWjH87k4AWBvavbA9DhpftLvEz1oDGnUfZks4/tJeWKAWI/wQDWK3xTjAx4qYD  
6EzZBUU3xAw=k7TK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2256-01

Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in Sk. Abul Hasan Team Member – Team with Slider plugin <= 4.4 versions.

**Solution**

Update the WordPress Team Member – Team with Slider plugin to the latest available version (at least 4.5).

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Team Member Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.5.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23647: WordPress Team Member – Team with Slider plugin <= 4.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Amin A.Rezapour Product Specifications for Woocommerce plugin <= 0.6.0 versions.

**Solution**

Update the WordPress Product Specifications for Woocommerce plugin to the latest available version (at least 0.7.0).

TEAM WEBoB of BoB 11th discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Product Specifications for Woocommerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 0.7.0.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46858: WordPress Product Specifications for WooCommerce plugin <= 0.6.0 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Umair Saleem Woocommerce Custom Checkout Fields Editor With Drag & Drop plugin <= 0.1 versions.

**Solution**

No patched version is available. No reply from the vendor.

TEAM WEBoB of BoB 11th discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Woocommerce Custom Checkout Fields Editor With Drag & Drop Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46864: WordPress Woocommerce Custom Checkout Fields Editor With Drag & Drop plugin <= 0.1 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in JC Development Team WooCommerce JazzCash Gateway Plugin plugin <= 2.0 versions.

**Solution**

No patched version is available. No reply from the vendor.

Found this useful? Thank minhtuanact for reporting this vulnerability. Buy a coffee ☕

minhtuanact discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WooCommerce JazzCash Gateway Plugin Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46822: WordPress WooCommerce JazzCash Gateway Plugin plugin <= 2.0 - Cross Site Scripting (XSS) - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in PixelGrade PixFields plugin <= 0.7.0 versions.

**Solution**

No patched version is available. No reply from the vendor.

Justiice discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress PixFields Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46844: WordPress PixFields plugin <= 0.7.0 - Auth. Cross-Site Scripting (XSS) vulnerability - Patchstack

`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `>` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix.

**Steps to Reproduce:**

Add the attribute data-x/onmouseover="alert('XSS1')" to any element like a link: \[\[Link1>>https://XWiki.example.com||data-x/onmouseover="alert('XSS1')"\]\].

**Expected Result:**

The attribute is rejected by the sanitizer and no alert is displayed when moving the mouse over the link.

**Actual Result:**

The attribute is accepted by the sanitizer and an alert is displayed when moving the mouse over the link.

Note that restricted cleaning in the HTMLCleaner is not affected by this vulnerability as HTMLCleaner properly parses data-x/onmouseover as two different attributes, or in other words, this cannot be exploited through the HTML macro.

CVE-2023-31126: HTML element sanitizer accepts invalid data attributes, allowing XSS

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in USB Memory Direct Simple Custom Author Profiles plugin <= 1.0.0 versions.

**Solution**

No patched version is available. No reply from the vendor.

Nithissh S discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Simple Custom Author Profiles Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24372: WordPress Simple Custom Author Profiles plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Kanban for WordPress Kanban Boards for WordPress plugin <= 2.5.20 versions.

**Solution**

No patched version is available. No reply from the vendor.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Kanban Boards for WordPress Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23884: WordPress Kanban Boards for WordPress plugin <= 2.5.20 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in David Gwyer WP Content Filter plugin <= 3.0.1 versions.

**Solution**

No patched version is available. No reply from the vendor.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Content Filter – Censor All Offensive Content From Your Site Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23883: WordPress WP Content Filter – Censor All Offensive Content From Your Site plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Tag

#xss