The Awin Data Feed WordPress plugin through 1.6 does not sanitise and escape a header when processing request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged in admin viewing the plugin's settings

CVE-2022-1938

The core plugin for kitestudio  WordPress plugin before 2.3.1 does not sanitise and escape some parameters before outputting them back in a response of an AJAX action, available to both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to a Reflected Cross-Site Scripting.

CVE-2022-1951

The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

CVE-2022-1220

The WP Event Manager WordPress plugin before 3.1.28 does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting

CVE-2022-1474

The WooCommerce - Product Importer WordPress plugin through 1.5.2 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting

CVE-2022-1546

The Sharebar  WordPress plugin through 1.4.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and also lead to Stored Cross-Site Scripting issue due to the lack of sanitisation and escaping in some of them

CVE-2022-1626

The WP-Paginate WordPress plugin before 2.1.9 does not escape one of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when unfiltered_html is disallowed

CVE-2022-2050

The Bold Page Builder WordPress plugin before 4.3.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

CVE-2022-2089

Single-click account takeovers are made possible by taking advantage of quirks in OAuth

Single-click account takeovers are made possible by taking advantage of quirks in OAuth

It is possible to perform single-click account hijacking by abusing the OAuth process flow, a security researcher has found.

OAuth, also known as Open Authentication, is a framework for managing identities and securing online areas across third-party services. Rather than leverage an account username and password combination, for example, service providers can utilize OAuth to provide temporary and secure access tokens.

However, in some scenarios, attackers can abuse OAuth implementations to steal these tokens and perform one-click account hijacking.

**Dirty dancing**

On July 6, Frans Rosén, Security Advisor at Detectify, walked us through several potential attack vectors and how organizations can mitigate the risk of compromise.

Rosén describes these scenarios as “dirty dancing”. Attackers can abuse OAuth ‘dances’ – their authentication processes and how they manage communication between a browser and service provider – by combining response-type switching, invalid states, and redirect URI programming “quirks” to steal user information such as authorization codes or tokens.

**RECOMMENDED** Node.js fixes multiple bugs that could lead to RCE, HTTP request smuggling

Browser developers, including Google and Mozilla, have worked hard in recent years to destroy any potential pathways to cross-origin referer leaks and cross-site scripting (XSS) attacks.

However, as highlighted in MITRE’s latest 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, made public at the end of June, these attacks are still common and a threat to users worldwide.

**Abusing the sign-in flow**

The solutions implemented by browsers to reduce the risk of these attacks includes Content Security Policy (CSP) and Trusted Types, which allow the software to reject data values that could lead to DOM XSS and credential hijacking.

However, the researcher says that OAuth’s sign-in flow, used by companies including Slack, Facebook, and Twitter, can potentially be ‘broken’ for the same impact.

**RELATED** CWE Top 25: These are the most dangerous software weaknesses of 2022

It should be kept in mind these types of attacks aren’t easy to perform and, as Rosén says, involve a ‘grind’ involving an examination of source code and a knowledge of how OAuth’s dances work.

**Breaking the chain**

To steal tokens, an attacker must first break the chain between the system issuing tokens and a service provider consuming them.

This can be achieved by changing the state-value in use through a specially crafted link, sent to a potential victim as a sign-in page, but which uses the valid state of the attacker.

Once a victim has signed in and is redirected back to a website, the ‘dance’ is interrupted, as there is no valid state for the user. The user will then be shown an error message, and if the attacker is able to leak data and URLs from the error page, the researcher says that the threat actor “can now sign in with their own state and the code leaked from the victim”.

Read more of the latest hacking news

It can also be possible that response-type, response-mode switching, and redirect-uri path abuse could be used to intercept connections and cause unexpected behavior, although changing these pathways is difficult.

“In a proper OAuth-dance using code, in the last step to acquire the access token from the service provider, the must also be provided for validation to the service provider,” Rosén explains.

“If the that was used in the dance is mismatching the value that the website sends to the provider, no access token will be issued.”

**One-click hijack**

The researcher tested out different attack methods and achieved one-click hijacking. One exploit involving Apple OAuth sign-in was reported on May 12.

There are other quirks that attackers can also exploit to compromise OAuth and grab leaked URLs. These include performing an XSS attack on the third-party domain that receives URL data during authentication and abusing APIs intended for fetching URLs. Domains without sufficient origin checks, for example, may be at risk of exploitation.

“Due to the fact that each OAuth provider allows so many different response types and modes, it becomes quite tricky for a website to cover all different cases,” Rosén says.

To mitigate the risk of attack, the researcher recommends reviewing the OAuth 2.0 Security Best Current Practice guide, making sure that pages rendered for OAuth’s authorization response do not contain third-party resources or links, and users should also consider only allowing limited OAuth response-types and modes.

“You might not use any vulnerable third-party scripts today, but if anyone in your organization introduces anything new through Google Tag Manager or similar, or if the third-party scripts change, you can prevent any future potential token leakage,” Rosén commented.

**DEEP DIVES** Decentralized Identifiers: Everything you need to know about the next-gen web ID tech

‘Dirty dancing’ in OAuth: Researcher discloses how cyber-attacks can lead to account hijacking

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

**Note**: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.  
_(going back to ZCS 7.1.3)_

Bug#

Summary

**CVE-ID**

**CVSS  
Score**

Zimbra  
Rating

Fix Release or  
Patch Version

Reporter

Memcached poisoning with unauthenticated request.

CVE-2022-27924

Medium

9.0.0 Patch 24, 8.8.15 Patch 31

Simon Scannell of Sonarsource

RCE through mboximport from authenticated user.

CVE-2022-27925

Medium

9.0.0 Patch 24, 8.8.15 Patch 31

Mikhail Klyuchnikov of Positive Technologies

Proxy Servlet Open Redirect Vulnerability

CVE-2021-35209

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

Open Redirect Vulnerability in preauth servlet

CVE-2021-34807

Low

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

Stored XSS Vulnerability in ZmMailMsgView.java

CVE-2021-35208

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

XSS vulnerability in Zimbra Web Client via loginErrorCode

CVE-2021-35207

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Heap-based buffer overflow vulnerabilities in PHP < 7.3.10

9.8

Critical

9.0.0 Patch 13

Upstream, see CVE-2019-9641, CVE-2019-9640

Heap-based buffer overflow vulnerabilities in PHP < 7.3.10

9.8

Critical

8.8.15 Patch 20

Upstream, see CVE-2019-9641, CVE-2019-9640

Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.

7.8

High

9.0.0 Patch 13

Upstream, see CVE-2019-0211, CVE-2019-0217

Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.

7.8

High

8.8.15 Patch 20

Upstream, see CVE-2019-0211, CVE-2019-0217

XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition)

CVE-2020-35123

Medium

9.0.0 Patch 10

Primerica

XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition)

CVE-2020-35123

Medium

8.8.15 Patch 17

Primerica

XSS CWE-79 vulnerability in tinymce

n/a

6.1

Medium

9.0.0 Patch 5

Upstream, see CVE-2019-1010091

Memory Leak in nodejs library mem

n/a

5.5

Medium

9.0.0 Patch 5

Upstream, see WS-2018-0236

Persistent XSS

CVE-2020-13653

Minor

8.8.15 Patch 11, 9.0.0 Patch 4

Telenet

Unrestricted Upload of File with Dangerous Type CWE-434

CVE-2020-12846

6.0

Minor

8.8.16 Patch 10, 9.0.0 Patch 3

Telenet

Persistent XSS CWE-79

CVE-2020-11737

4.3

Minor

9.0.0 Patch 2

Zimbra

109174

Non-Persistent XSS CWE-79

CVE-2019-12427

4.3

Minor

8.8.15 Patch 1

Meridian Miftari

109141

Non-Persistent XSS CWE-79

CVE-2019-15313

4.3

Minor

8.8.15 Patch 1

Quang Bui

109124

Non-Persistent XSS CWE-79

CVE-2019-8947

2.6

Minor

\-

Issam Rabhi of Sysdream

109123

Persistent XSS CWE-79

CVE-2019-8946

2.6

Minor

\-

Issam Rabhi of Sysdream

109122

Persistent XSS CWE-79

CVE-2019-8945

3.5

Minor

\-

Issam Rabhi of Sysdream

109117

Persistent XSS CWE-79

CVE-2019-11318

3.5

Minor

8.8.12 Patch 1

Mondher Smii

109127

SSRF CWE-918 / CWE-807

CVE-2019-9621

4.0

Minor

8.7.11 Patch11  
8.8.9 Patch10  
8.8.10 Patch8  
8.8.11 Patch4  
8.8.12

An Trinh

109096

Blind SSRF CWE-918

CVE-2019-6981

4.0

Minor

8.7.11 Patch11  
8.8.9 Patch10  
8.8.10 Patch8  
8.8.11 Patch4  
8.8.12

An Trinh

109129

XXE CWE-611  
(8.7.x only)

CVE-2019-9670

6.4

Major

8.7.11 Patch10

Khanh Van Pham  
An Trinh

109097

Insecure object deserialization CWE-502

CVE-2019-6980

5.4

Major

8.7.11 Patch9  
8.8.9 Patch10  
8.8.10 Patch7  
8.8.11 Patch3  
8.8.12

An Trinh

109093

XXE CWE-611

CVE-2018-20160

6.4

Major

8.7.x see 109129 above  
8.8.9 Patch9  
8.8.10 Patch5  
8.8.11 Patch1  
8.8.12

An Trinh

109017

Non-Persistent XSS CWE-79

CVE-2018-14013

4.3

Minor

8.7.11 Patch8  
8.8.9 Patch9  
8.8.10 Patch5  
8.8.11

Issam Rabhi of Sysdream

109020

Persistent XSS CWE-79

CVE-2018-18631

5.0

Major

8.7.11 Patch7  
8.8.9 Patch7  
8.8.10 Patch2  
8.8.11

Netragard

109018

Non-Persistent CWE-79

CVE-2018-14013

2.6

Minor

8.7.11 Patch7  
8.8.9 Patch6  
8.8.10 Patch1  
8.8.11

Issam Rabhi of Sysdream

109021

Limited Content Spoofing CWE-345

CVE-2018-17938

4.3

Minor

8.8.10

Sumit Sahoo

109012

Account Enumeration CWE-203

CVE-2018-15131

5.0

Major

8.7.11 Patch6  
8.8.8 Patch9  
8.8.9 Patch3

Danielle Deibler

108970

Persistent XSS CWE-79

CVE-2018-14425

3.5

Minor

8.8.8 Patch7  
8.8.9 Patch1

Diego Di Nardo

108902

Persistent XSS CWE-79

CVE-2018-10939

3.5

Minor

8.6.0 Patch11  
8.7.11 Patch4  
8.8.8 Patch4

Diego Di Nardo

108963

Verbose Error Messages CWE-209

CVE-2018-10950

3.5

Minor

8.7.11 Patch3  
8.8.8

Netragard

108962

Account Enumeration CWE-203

CVE-2018-10949

5.0

Major

8.7.11 Patch3  
8.8.8

Netragard

108894

Persistent XSS CWE-199

CVE-2018-10951

3.6

Minor

8.6.0 Patch10  
8.7.11 Patch3  
8.8.8

Netragard

97579

CSRF CWE-352

CVE-2015-7610

5.8

Major

8.6.0 Patch10  
8.7.11 Patch2  
8.8.8 Patch1

Fortinet's FortiGuard Labs

108786

Persistent XSS CWE-79

CVE-2018-6882

4.3

Minor

8.6.0 Patch10  
8.7.11 Patch1  
8.8.7  
8.8.8

Stephan Kaag of Securify

108265

Persistent XSS CWE-79

CVE-2017-17703

4.3

Minor

8.6.0 Patch9  
8.7.11 Patch1  
8.8.3

Veit Hailperin

107963

Host header injection CWE-20

\-

4.3

Minor

8.8.0 Beta2

\-

107948

107949

Persistent XSS CWE-79

CVE-2018-10948

3.5

Minor

8.6.0 Patch10  
8.7.11 Patch3  
8.8.0 Beta2

Lucideus  
Phil Pearl

107925

Persistent XSS - snippet CWE-79

CVE-2017-8802

3.5

Minor

8.6.0 Patch9  
8.7.11 Patch1  
8.8.0 Beta2

Compass Security

107878

Persistent XSS - location CWE-79

CVE-2017-8783

4.0

Minor

8.7.10

Stephan Kaag of Securify

107712

Improper limitation of file paths CWE-22

CVE-2017-6821

4.0

Minor

8.7.6

Greg Solovyev, Phil Pearl

107684

Improper handling of privileges CWE-280

CVE-2017-6813

4.0

Major

8.6.0 Patch9  
8.7.6

Greg Solovyev

106811

XXE CWE-611

CVE-2016-9924

5.8

Major

8.6.0 Patch10  
8.7.4

Alastair Gray

106612

Persistent XSS CWE-79

CVE-2017-7288

4.3

Minor

8.6.0 Patch11  
8.7.1

Sammy Forgit

105001  
105174

XSS CWE-79

CVE-2016-5721

4.3  
2.1

Minor

8.6.0 Patch11  
8.7.0

Secu

104552  
104703

XSS CWE-79

CVE-2016-3999

4.3

Minor

8.7.0

Nam Habach

104477

Open Redirect CWE-601

CVE-2016-4019

4.3

Minor

8.7.0

Zimbra

104294  
104456

CSRF CWE-352

CVE-2016-3406

2.6

Minor

8.6.0 Patch8  
8.7.0

Zimbra

104222

104910  
105071  

105175

XSS CWE-79

CVE-2016-3407

4.3  
3.5  
4.3  
2.1

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103997

104413  
104414  
104777  

104791

XSS CWE-79

CVE-2016-3412

3.5

Minor

8.7.0

Zimbra

103996

XXE (Admin) CWE-611\-

CVE-2016-3413

2.6

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103961  
104828

CSRF CWE-352

CVE-2016-3405

4.3

Minor

8.6.0 Patch8  
8.7.0

Zimbra

103959

CSRF CWE-352

CVE-2016-3404

4.3

Minor

8.6.0 Patch8  
8.7.0

Zimbra

103956

103995  
104475  
104838  

104839

XSS CWE-79

CVE-2016-3410

4.3

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103609

XSS CWE-79

CVE-2016-3411

3.5

Minor

8.6.0 Patch11  
8.7.0

Zimbra

102637

XSS CWE-79

CVE-2016-3409

4.3

Minor

8.6.0 Patch11  
8.7.0

Peter Nguyen

102276

Deserialization of Untrusted Data CWE-502

CVE-2016-3415

5.8

Major

8.7.0

Zimbra

102227

Deserialization of Untrusted Data CWE-502

n/a

7.5

Major

8.7.0

Upstream, see  
CVE-2015-4852

102029

CWE-674

CVE-2016-3414

4.0

Minor

8.6.0 Patch7  
8.7.0

Zimbra

101813

XSS CWE-79

CVE-2016-3408

4.3

Minor

8.6.0 Patch11  
8.7.0

Volexity

100885  
100899

CSRF CWE-352

CVE-2016-3403

5.8

Major

8.6.0 Patch8  
8.7.0

Sysdream

99810

CWE-284 CWE-203

CVE-2016-3401

3.5

Minor

8.7.0

Zimbra

99167

Account Enumeration CWE-203

CVE-2016-3402

2.6

Minor

8.7.0

Zimbra

101435  
101436

Persistent XSS CWE-79

CVE-2015-7609

6.4  
2.3

Major

8.6.0 Patch5  
8.7.0

Fortinet's FortiGuard Labs

101559

100133  
99854  
99914  

96973

XSS CWE-79

CVE-2015-2249

3.5

Minor

8.6.0 Patch5  
8.7.0

Zimbra

99236

XSS Vuln in YUI components in ZCS

n/a

4.3

Minor

8.6.0 Patch5

Upstream, see  
CVE-2012-5881  
CVE-2012-5882  
CVE-2012-5883

98358

98216  

98215

Non-Persistent XSS CWE-79

CVE-2015-2249

4.3

Minor

8.6.0 Patch2  
8.7.0

Cure53

97625

Non-Persistent XSS CWE-79

CVE-2015-2230

3.5

Minor

8.6.0 Patch2

MWR InfoSecurity

96105

Improper Input Validation CWE-20

CVE-2014-8563

5.8

Major

8.0.9  
8.5.1  
8.6.0

 -

83547

CSRF Vulnerability CWE-352

CVE-2015-6541

5.8

Major

8.5.0

iSEC Partners, Sysdream

87412

92825  
92833  

92835

XSS Vulnerabilities CWE-79  
(8.0.7 Patch  
contains 87412)

CVE-2014-5500

4.3

Minor

8.0.8  
8.5.0

 -

83550

Session Fixation CWE-384

CVE-2013-5119

5.8

Major

8.5.0

\- 

91484

Patch ZCS8 OpenSSL for CVE-2014-0224

n/a

6.8

Major

8.0.3+Patch  
8.0.4+Patch  
8.0.5+Patch  
8.0.6+Patch  
8.0.7+Patch

Upstream, see  
CVE-2014-0224

88708

Patch ZCS8 OpenSSL for CVE-2014-0160

n/a

5.0

Major

8.0.3+Patch  
8.0.4+Patch  
8.0.5+Patch  
8.0.6+Patch  
8.0.7+Patch  
8.0.7

Upstream, see  
CVE-2014-0160

85499

Upgrade to OpenSSL 1.0.1f

n/a

4.3  
4.3  
5.8

Major

8.0.7

Upstream, see  
CVE-2013-4353  
CVE-2013-6449  
CVE-2013-6450

84547

XXE CWE-611

CVE-2013-7217

6.4  
(not 10.0)

Critical

7.2.2\_Patch3  
7.2.3\_Patch  
7.2.4\_Patch2  
7.2.5\_Patch  
7.2.6  
8.0.3\_Patch3  
8.0.4\_Patch2  
8.0.5\_Patch  
8.0.6

Private

85478

XSS vulnerability in message view

\-

6.4

Major

8.0.7

Alban Diquet  
of iSEC Partners

85411

Local root privilege escalation

\-

6.2

Major

8.0.7

Matthew David

85000

Patch nginx for CVE-2013-4547

n/a

7.5

Major

7.2.7  
8.0.7

Upstream, see  
CVE-2013-4547

80450  
80131  
80445  
80132

Upgrade to JDK 1.6 u41  
Upgrade OpenSSL to 1.0.0k  
Upgrade to JDK 1.7u15+  
Upgrade to OpenSSL 1.0.1d

n/a

2.6

Minor

7.2.3  
7.2.3  
8.0.3  
8.0.3

Upstream, see  
CVE-2013-0169

80338

Local file inclusion via skin/branding feature CWE-22

CVE-2013-7091

5.0

Critical

6.0.16\_Patch  
7.1.1\_Patch6  
7.1.3\_Patch3  
7.2.2\_Patch2  
7.2.3  
8.0.2\_Patch  
8.0.3

Private

77655

Separate keystore for CAs used for X509 authentication

\-

5.8

Major

8.0.7

Private

75424

Upgrade to Clamav 0.97.5

n/a

4.3  
4.3  
4.3

Minor

7.2.1

Upstream, see  
CVE-2012-1457  
CVE-2012-1458  
CVE-2012-1459

64981

Do not allow HTTP GET for login

\-

6.8

Major

7.1.3\_Patch  
7.1.4

Private

Tag

#xss