In
 Brocade Fabric OS before v9.2.0a, a local authenticated privileged user
 can trigger a buffer overflow condition, leading to a kernel panic with
 large input to buffers in the portcfgfportbuffers command.



CVE-2023-4163 - Possible buffer overflow in portcfgfportbuffers in Brocade Fabric OS

**Brocade Security Advisory ID**

**BSA-2023-2368**

**Component**

**CLI**

**Summary**

In Brocade Fabric OS before v9.2.0a, a local authenticated privileged user can trigger a buffer overflow condition, leading to a kernel panic with large input to buffers in the portcfgfportbuffers command.

Note: All Brocade Fabric OS versions are affected.

**Products Affected**

Brocade Fabric OS before v9.2.0a

**Solution**

The security update is provided in Brocade Fabric OS v9.2.0a

**Credit**

The issue was discovered during internal penetration testing.

 **Revision History**

**Version**

**Change**

**Date**

1.0

Initial Publication

August 29, 2023

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

CVE-2023-4163: Support Content Notification - Support Portal - Broadcom support portal

A
 segmentation fault can occur in Brocade Fabric OS after Brocade Fabric 
OS v9.0 and before Brocade Fabric OS v9.2.0a through the passwdcfg 
command. This
 could allow an authenticated privileged user local user to crash a 
Brocade Fabric OS swith using the cli “passwdcfg --set -expire 
-minDiff“.



CVE-2023-4162 - Segmentation fault in Brocade Fabric OS after Brocade Fabric OS v9.0

**Brocade Security Advisory ID**

**BSA-2023-2367**

**Component**

**CLI**

**Summary**

A segmentation fault can occur in Brocade Fabric OS after Brocade Fabric OS v9.0 and before Brocade Fabric OS v9.2.0a through the passwdcfg command.   
This could allow an authenticated privileged user local user to crash a Brocade Fabric OS swith using the cli “passwdcfg --set -expire -minDiff“.

Note:   
•    The --mindiff option was added in Brocade Fabric OS v9.0.   
•    Only Brocade Fabric OS v9.x are affected

**Products Affected**

Brocade Fabric OS after Brocade Fabric OS v9.0 and before Brocade Fabric OS v9.2.0a

**Products Confirmed Not Affected**

Brocade Fabric OS versions before Brocade Fabric OS v9.0 are not affected.

**Solution**

The security update is provided in Brocade Fabric OS v9.2.0a

**Credit**

The issue was discovered during internal penetration testing. 

**Revision History**

**Version**

**Change**

**Date**

1.0

Initial Publication

August 29, 2023

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

CVE-2023-4162: Support Content Notification - Support Portal - Broadcom support portal

Possible
 information exposure through log file vulnerability where sensitive 
fields are recorded in the configuration log without masking on Brocade 
SANnav before v2.3.0 and 2.2.2a. Notes:
 To access the logs, the local attacker must have access to an already collected Brocade SANnav "supportsave" 
outputs.



CVE-2023-31423 - Possible information exposure through log file vulnerability

**Brocade Security Advisory ID**

**BSA-2023-2365**

**Component**

**Brocade Suportsave**

**Summary**

Possible information exposure through log file vulnerability where sensitive fields are recorded in the configuration log without masking on Brocade SANnav before v2.3.0 and 2.2.2a.

Notes: To access the logs, the attacker must first collect a "supportsave" on Brocade SANnav or have access to an already collected "supportsave" outputs

**Products Affected**

Brocade SANnav before v2.3.0 and 2.2.2a

**Solution**

Security update provided in Brocade SANnav v2.3.0 and Brocade SANnav v2.2.2a.

**Credit**

The issue was found during internal penetration testing

**Revision History**

**Version**

**Change**

**Date**

1.0

Initial Publication

August 29, 2023

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

CVE-2023-31423: Support Content Notification - Support Portal - Broadcom support portal

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1.

Expand Up @@ -315,6 +315,11 @@ function file\_get\_contents\_from\_url($url, $timeout = 5, $json\_decode = false, $p return null; }  
// По IP адресу не разрешаем if (preg\_match('#^(?:(?:https?):\\/\\/)(\[0-9\]{1,3}\\.\[0-9\]{1,3}\\.\[0-9\]{1,3}\\.\[0-9\]{1,3}).\*#ui', $url)) { return null; }  
$curl = curl\_init();  
if (strpos($url, 'https') === 0) { Expand Down Expand Up @@ -342,6 +347,7 @@ function file\_get\_contents\_from\_url($url, $timeout = 5, $json\_decode = false, $p $headers\[\] = $key . ': ' . $value; } } curl\_setopt($curl, CURLOPT\_PROTOCOLS, CURLPROTO\_HTTPS | CURLPROTO\_HTTP); curl\_setopt($curl, CURLOPT\_HTTPHEADER, $headers); curl\_setopt($curl, CURLOPT\_URL, $url); curl\_setopt($curl, CURLOPT\_CONNECTTIMEOUT, $timeout); Expand All @@ -368,17 +374,20 @@ function file\_get\_contents\_from\_url($url, $timeout = 5, $json\_decode = false, $p \* @param string $destination Полный путь куда сохраненить файл \* @return boolean \*/ function file\_save\_from\_url($url, $destination){ function file\_save\_from\_url($url, $destination) {  
if (!function\_exists('curl\_init')){ return false; } if (!function\_exists('curl\_init')) { return false; }  
$dest\_file = @fopen($destination, "w");  
$curl = curl\_init(); if(strpos($url, 'https') === 0){ if (strpos($url, 'https') === 0) { curl\_setopt($curl, CURLOPT\_SSL\_VERIFYHOST, 0); curl\_setopt($curl, CURLOPT\_SSL\_VERIFYPEER, false); } curl\_setopt($curl, CURLOPT\_PROTOCOLS, CURLPROTO\_HTTPS | CURLPROTO\_HTTP); curl\_setopt($curl, CURLOPT\_URL, $url); curl\_setopt($curl, CURLOPT\_RETURNTRANSFER, true); curl\_setopt($curl, CURLOPT\_FILE, $dest\_file); Expand All @@ -388,8 +397,8 @@ function file\_save\_from\_url($url, $destination){ fclose($dest\_file);  
return true;  
}  
/\*\* \* Накладывает ваттермарк на изображение \* Expand Down

CVE-2023-4651: Fix SSRF Blind in the image upload · instantsoft/icms2@a6bf758

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

Expand Up

@@ -780,6 +780,7 @@

html \= html.replace(/&amp;#36;/g, '$');

  

html \= this.cleanEmpty(html);

html \= this.sanitizeHTML(html);

  

this.$editor.html(html);

  

Expand All

@@ -788,6 +789,41 @@

  

this.sync();

},

sanitizeHTML: function(htmlStr)

{

function stringToHTML () {

let parser \= new DOMParser();

let doc \= parser.parseFromString(htmlStr, 'text/html');

return doc.body;

}

function clean (html) {

let nodes \= html.children;

for (let node of nodes) {

removeAttributes(node);

clean(node);

}

}

function removeAttributes (elem) {

let atts \= elem.attributes;

for (let {name, value} of atts) {

if (!isPossiblyDangerous(name, value)) { continue };

elem.removeAttribute(name);

}

  

}

function isPossiblyDangerous (name, value) {

let val \= value.replace(/\\s+/g, '').toLowerCase();

if (\['src', 'href', 'xlink:href'\].includes(name)) {

if (val.includes('javascript:') || val.includes('data:text/html')) { return true; }

}

if (name.startsWith('on')) { return true; }

}

let html \= stringToHTML();

  

clean(html);

  

return html.innerHTML;

},

setCodeIframe: function(html)

{

var doc \= this.iframePage();

Expand Down Expand Up

@@ -822,6 +858,7 @@

html \= this.cleanSavePreCode(html, true);

html \= this.cleanConverters(html);

html \= this.cleanEmpty(html);

html \= this.sanitizeHTML(html);

  

this.$editor.html(html);

  

Expand Down

CVE-2023-4653: Fix External Imperavi Redactor xss · instantsoft/icms2@7e9d798

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.

Expand Up @@ -265,6 +265,8 @@ public static function autoLogin($auth\_token) {  
self::setUserSession($user, $user\['ip'\]);  
self::sessionRegenerate();  
return intval($user\['id'\]); }  
Expand Down Expand Up @@ -343,6 +345,8 @@ public static function loginComplete($user, $remember = false) { self::getInstance()->id = $user\['id'\]; self::getInstance()->is\_logged = true;  
self::sessionRegenerate();  
return true; }  
Expand Down Expand Up @@ -384,6 +388,8 @@ public static function logout() {  
self::sessionUnset('user');  
self::sessionRegenerate();  
return true; }  
Expand Down Expand Up @@ -486,6 +492,19 @@ public static function sessionStart(cmsConfig $config) { } }  
public static function sessionRegenerate() {  
session\_regenerate\_id(false);  
$id = session\_id();  
session\_write\_close();  
session\_id($id);  
session\_start(); }  
public static function sessionSet($key, $value) {  
if (strpos($key, ':') === false) { Expand Down Expand Up @@ -568,7 +587,7 @@ public static function setCookie($key, $value, $time = 3600, $path = '/', $http\_ 'path' => $path, 'domain' => $domain, 'samesite' => 'Lax', 'secure' => false, 'secure' => cmsConfig::isSecureProtocol(), 'httponly' => $http\_only \]); } Expand Down

CVE-2023-4654: Add session regenerate after login & logout. Secure cookie if HTTPS. · instantsoft/icms2@ca5f150

Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-4655: Fix file field xss · instantsoft/icms2@a6a30e7

Expand Up

@@ -285,15 +285,16 @@ private function uploadPackage(){

  

files\_clear\_directory(cmsConfig::get('upload\_path') . $this\->installer\_upload\_path);

  

$result = $this\->cms\_uploader\->upload($this\->upload\_name, $this\->upload\_exts, 0, $this\->installer\_upload\_path);

$result = $this\->cms\_uploader\->setAllowedMime(\[

'application/zip'

\])->upload($this\->upload\_name, $this\->upload\_exts, 0, $this\->installer\_upload\_path);

  

if (!$result\['success'\]){

cmsUser::addSessionMessage($result\['error'\], 'error');

return false;

}

  

return $result\['name'\];

  

}

  

}

CVE-2023-4652: Fixed upload XSS with wrong extension · instantsoft/icms2@7a7e57e

The 
firmwaredownload command on Brocade Fabric OS v9.2.0 could log the 
FTP/SFTP/SCP server password in clear text in the SupportSave file when 
performing a downgrade from Fabric OS v9.2.0 to any earlier version of 
Fabric OS.



CVE-2023-3489 - firmwaredownload command could log servers passwords in clear text

Last Updated

29 August 2023

Initial Publication Date

29 August 2023

CVSS Base Score

8.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected CVE

CVE-2023-3489

**Brocade Security Advisory ID**

BSA-2023-2335

**Component**

firmwaredownload command

**Summary**

The firmwaredownload command on Brocade Fabric OS v9.2.0 could log the FTP/SFTP/SCP server password in clear text in the SupportSave file when performing a downgrade from Fabric OS v9.2.0 to any earlier version of Fabric OS.

**CVE Details**  
The firmwaredownload command downloads the Brocade Fabric OS firmware to the Brocade Switch by using FTP, SFTP, SCP, or HTTPs, or a USB device with the downloaded firmware. The firmwaredownload command supports both non-interactive and interactive modes. 

In Brocade Fabric OS v9.2.0, the command exposes the server password in clear text in theSupportSave file when it is collected. The issue is fixed in Brocade Fabric OS v9.2.0a, therefore a migration to/from Brocade Fabric OS v9.2.0a and later versions will not log passwords or sensitive data when the command is executed through the CLI, REST API or the web interface non-interactively.

**Products Affected**

Brocade Fabric OS v9.2.0. 

**Note for Brocade Fabric OS v9.1.1x downgrades**

Should the Brocade Switch be downgraded from v9.2.0 to v9.1.1x or any earlier version of FOS, using the CLI in non-interactive mode ie the whole command line, the password could be exposed in SupportSave file.  

**Products Confrimed Not Affected**

Brocade Fabric OS versions prior to v9.2.0 are not affected.

**Workaround**

The workaround is to use the web interface of REST API or to run the “firmwaredownload “ command in interactive mode.

**Solution**

Solution provided in Brocade Fabric OS v9.2.0a and later versions.

**Credit**

The issue was found during internal penetration testing

 **Revision History**

**Version**

**Change**

**Date**

1.0

Initial Publication

August 29, 2023

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

CVE-2023-3489: Support Content Notification - Support Portal - Broadcom support portal

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the  GitHub Bug Bounty Program https://bounty.github.com/ .


Source

CVE