Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled. The impact is limited due to the high privileges required to be able to create the Package and the eventually consistency nature of controller. This issue is fixed in versions 1.11.5, 1.12.3, and 1.13.0.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37900: crossplane/security/ADA-security-audit-23.pdf at ac8b24fe739c5d942ea885157148497f196c3dd3 · crossplane/crossplane

Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.

Expand Up @@ -11876,7 +11876,6 @@ { Editor.currentTheme = value; this.themeSwitching = true; var scrollState = this.saveScrollState();  
mxUtils.setPrefixedStyle(this.container.style, 'transition', 'all ' + delay + 'ms ease-in-out'); Expand All @@ -11888,6 +11887,7 @@  
window.setTimeout(mxUtils.bind(this, function() { var scrollState = this.saveScrollState(); this.editor.graph.stopEditing(false); this.container.style.opacity = '0';  
Expand Down Expand Up @@ -11953,6 +11953,44 @@ return noRestart; };  
/\*\* \* Saves scroll position \*/ EditorUi.prototype.saveScrollState = function() { var t = this.editor.graph.view.translate; var x = this.diagramContainer.scrollLeft; var y = this.diagramContainer.scrollTop;  
if (this.embedViewport != null) { if (!Editor.inlineFullscreen) { x += this.embedViewport.x; y += this.embedViewport.y; } else { x -= this.embedViewport.x; y -= this.embedViewport.y; } }  
return {x: x, y: y, tx: t.x, ty: t.y}; };  
/\*\* \* Dynamic change of dark mode. \*/ EditorUi.prototype.restoreScrollState = function(state) { var s = this.editor.graph.view.scale; var t = this.editor.graph.view.translate;  
this.diagramContainer.scrollLeft = state.x + (t.x - state.tx) \* s; this.diagramContainer.scrollTop = state.y + (t.y - state.ty) \* s; };  
/\*\* \* Overrides image dialog to add image search and Google+. \*/ Expand Down Expand Up @@ -14180,46 +14218,6 @@ } };  
/\*\* \* Saves scroll position \*/ EditorUi.prototype.saveScrollState = function() { var t = this.editor.graph.view.translate; var off = mxUtils.getOffset(this.diagramContainer); var x = this.diagramContainer.scrollLeft - off.x; var y = this.diagramContainer.scrollTop - off.y;  
if (this.embedViewport != null) { if (!Editor.inlineFullscreen) { x += this.embedViewport.x; y += this.embedViewport.y; } else { x -= this.embedViewport.x; y -= this.embedViewport.y; } }  
return {x: x, y: y, tx: t.x, ty: t.y}; };  
/\*\* \* Dynamic change of dark mode. \*/ EditorUi.prototype.restoreScrollState = function(state) { var s = this.editor.graph.view.scale; var t = this.editor.graph.view.translate; var off = mxUtils.getOffset(this.diagramContainer);  
this.diagramContainer.scrollLeft = state.x + off.x + (t.x - state.tx) \* s; this.diagramContainer.scrollTop = state.y + off.y + (t.y - state.ty) \* s; };  
/\*\* \* Dynamic change of dark mode. \*/ Expand Down

CVE-2023-3973: 21.6.3 release · jgraph/drawio@1db2c2c

OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.

Expand Up

@@ -2152,8 +2152,7 @@ var ParseDialog = function(editorUi, title, defaultType)

diagramType \= diagramType.substring(0, sp \> 0 ? sp : diagramType.length);

var inDrawioFormat \= typeof mxMermaidToDrawio !== 'undefined' &&

type \== 'mermaid2drawio' && diagramType != 'gantt' &&

diagramType != 'pie' && diagramType != 'timeline' &&

diagramType != 'quadrantchart' && diagramType != 'c4context';

diagramType != 'pie' && diagramType != 'timeline';

  

var graph \= editorUi.editor.graph;

  

Expand Down Expand Up

@@ -2434,7 +2433,6 @@ var ParseDialog = function(editorUi, title, defaultType)

  

var edge \= new mxCell((values.length \> 2) ? values\[1\] : '', new mxGeometry());

edge.edge \= true;

edge.geometry.relative \= true;

source.insertEdge(edge, true);

target.insertEdge(edge, false);

cells.push(edge);

Expand Down Expand Up

@@ -3312,9 +3310,7 @@ var NewDialog = function(editorUi, compact, showName, callback, createOnly, canc

var type \= ((typeSelect.value != '') ? (' (' + mxUtils.trim(

mxUtils.getTextContent(typeSelect.options\[

typeSelect.selectedIndex\])) + ')') : '');

var useMermaidFormat \= typeSelect.value \== 'gantt' || typeSelect.value \== 'pie' ||

typeSelect.value \== 'timeline' || typeSelect.value \== 'quadrantchart' ||

typeSelect.value \== 'c4context';

var useMermaidFormat \= typeSelect.value \== 'gantt' || typeSelect.value \== 'pie';

var title \= description.value + type;

  

if (typeof mxMermaidToDrawio !== 'undefined')

Expand Down

CVE-2023-3974: 21.4.0 release · jgraph/drawio@9d6532d

OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.

CVE-2023-3975: huntr – Security Bounties for any GitHub repository

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Images Gallery for WooCommerce plugin <= 2.3.3 versions.

**Solution**

 Fixed

Update the WordPress Variation Images Gallery for WooCommerce plugin to the latest available version (at least 2.3.4).

Nguyen Xuan Chien discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Variation Images Gallery for WooCommerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.3.4.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37894: WordPress Variation Images Gallery for WooCommerce plugin <= 2.3.3 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Matthew Fries MF Gig Calendar plugin <= 1.2 versions.

**Solution**

 Fixed

Update the WordPress MF Gig Calendar plugin to the latest available version (at least 1.2.1).

Found this useful? Thank Abdi Pranata for reporting this vulnerability. Buy a coffee ☕

Abdi Pranata discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress MF Gig Calendar Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.2.1.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37970: WordPress MF Gig Calendar plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Swatches for WooCommerce plugin <= 2.3.7 versions.

**Solution**

 Fixed

Update the WordPress Variation Swatches for WooCommerce plugin to the latest available version (at least 2.3.8).

Phd discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Variation Swatches for WooCommerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.3.8.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37975: WordPress Variation Swatches for WooCommerce plugin <= 2.3.7 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Radio Forge Muses Player with Skins plugin <= 2.5 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Radio Forge Muses Player with Skins Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37976: WordPress Radio Forge Muses Player with Skins plugin <= 2.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFunnels Team Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin <= 2.7.16 versions.

**Solution**

 Fixed

Update the WordPress Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin to the latest available version (at least 2.7.17).

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WPFunnels Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.7.17.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37977: WordPress WPFunnels plugin <= 2.7.16 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.

This blog post is about Ninja Forms plugin vulnerabilities. If you’re a Ninja Forms user, please update the plugin to at least version **3.6.26**.

**Patchstack Developer and Business users are protected from the vulnerability.** You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

**About the Ninja Forms plugin**

The plugin Ninja Forms versions **3.6.25** and below, free version), which has over 900,000 active installations is known as the more popular forms builder plugin in WordPress. This plugin is developed by Saturday Drive.

This plugin is a free form builder plugin for WordPress that enables us to build just about any type of form we could imagine. Ranging from simple contact forms to event registrations, file uploads, payments, and more.

**The security vulnerability**

This plugin suffers from multiple vulnerabilities. The first vulnerability is a POST-based reflected XSS. This vulnerability could allow any unauthenticated user to steal sensitive information to, in this case, privilege escalation on the WordPress site by tricking privileged users to visit the crafted website. The described vulnerability was fixed in version **3.6.26** and assigned **CVE-2023-37979**.

The second and third vulnerabilities are a broken access control on form submissions export feature. This vulnerability allows Subscriber and Contributor role user to export all of the Ninja Forms submissions on a WordPress site. The described vulnerability was also fixed in version **3.6.26** and assigned **CVE-2023-38393** and **CVE-2023-38386**.

**Reflected XSS**

The initial entry-point of this vulnerability exist in the route function:

    public function route()
    {
    	register_shutdown_function( array( $this, 'shutdown' ) );
    
    	$method = strtolower( $_SERVER['REQUEST_METHOD'] );
    
    	/*
    		* Request Method Override
    		* Allows for a POST request to function as another Request Method
    		*   by passing a `method_override` value as a request parameter.
    		* For example, some servers do not support the DELETE request method.
    		*/
    	if( 'post' == $method and isset( $_REQUEST[ 'method_override' ] ) ){
    		$method = sanitize_text_field( $_REQUEST[ 'method_override' ] );
    	}
    
    	if( ! method_exists( $this, $method ) ){
    		$this->_errors[] = esc_html__( 'Endpoint does not exist.', 'ninja-forms' );
    		$this->_respond();
    	}
    	/**
    	 * This call get the $_REQUEST info for the call(post, get, etc.)
    	 * being called.
    	 */
    	$request_data = $this->get_request_data();
    
    	try {
    		$data = $this->$method($request_data);
    		$this->_respond( $data );
    -------------------------- CUT HERE --------------------------

The above route function could be called from an ajax action named nf_batch_process. Notice on the function that we could override the $method using $_REQUEST[ 'method_override' ] parameter if the original HTTP method performed is a POST request. The code then will call this->$method() with $request_data as input parameter. The $request_data value is constructed from get_request_data function :

    protected function get_request_data()
    {
        $request_data = array();
    
        if (isset($_REQUEST['batch_type']) && $_REQUEST['batch_type']) {
            $request_data['batch_type'] = WPN_Helper::sanitize_text_field($_REQUEST['batch_type']);
        }
    
        if (isset($_REQUEST['data']) && $_REQUEST['data']) {
            // @TODO: Find a way to safely sanitize this later.
            // sanitize_text_field overcorrects, breaking "actual" data.
            $request_data['data'] = $_REQUEST['data'];
        }
    
        if (isset($_REQUEST['security']) && $_REQUEST['security']) {
            $request_data['security'] = WPN_Helper::sanitize_text_field($_REQUEST['security']);
        }
    
        if (isset($_REQUEST['action']) && $_REQUEST['action']) {
            $request_data['action'] = WPN_Helper::sanitize_text_field($_REQUEST['action']);
        }
    
        return $request_data;
    }

The interesting part is which function could we call on the $method variable. Turns out that we could call the _respond function itself which originally act as a wrapper function to output data :

    protected function _respond( $data = array() )
    {
        if( empty( $data ) ){
            $data = $this->_data;
        }
    
        if( isset( $this->_data['debug'] ) ) {
            $this->_debug = array_merge( $this->_debug, $this->_data[ 'debug' ] );
        }
    
        if( isset( $this->_data['errors'] ) && $this->_data[ 'errors' ] ) {
            $this->_errors = array_merge( $this->_errors, $this->_data[ 'errors' ] );
        }
    
        // allow for accessing and acting on $data before responding
        do_action( 'ninja_forms_before_response', $data );
    
        $response = array( 'data' => $data, 'errors' => $this->_errors, 'debug' => $this->_debug );
    
        echo wp_json_encode( $response );
    
        wp_die(); // this is required to terminate immediately and return a proper response
    }

Notice that the function will output $response that could be constructed from our $data variable with echo wp_json_encode(). This will still make HTTP response output as text/html. Looking back at the get_request_data function, we could inject the XSS payload via $_REQUEST['data'] since there is no sanitization or escaping implemented.

**Subscriber+ Broken Access Control**

The underlying vulnerability exist in the processing function:

    public function processing() {
    
    	// Get our passed arguments. These come from the querysting of the processing page.
    	if ( isset ( $_REQUEST['args'] ) ) {
    		$this->args = WPN_Helper::sanitize_text_field($_REQUEST['args']);
    		if ( isset ( $this->args['redirect'] ) ) {
    			if( wp_validate_redirect( $this->args['redirect'] ) ){
    				$this->redirect = wp_sanitize_redirect( $this->args['redirect'] );
    			}
    		}
    	} else {
    		$this->args = array();
    	}
    
    	// Get our current step.
    	$this->step = isset ( $_REQUEST['step'] )? esc_html( $_REQUEST['step'] ) : 'loading';
    
    	// Get our total steps
    	$this->total_steps = isset ( $_REQUEST['total_steps'] )? esc_html( $_REQUEST['total_steps'] ) : 0;
    
    	// If our step is loading, then we need to return how many total steps there are along with the next step, which is 1.
    	if ( 'loading' == $this->step ) {
    		$return = $this->loading();
    		if ( ! isset ( $return['step'] ) ) {
    			$saved_step = get_user_option( 'nf_step_processing_' . $this->action . '_step' );
    			if ( ! empty ( $saved_step ) ) {
    				$this->step = $saved_step;
    			} else {
    				$this->step = 1;
    			}
    
    			$return['step'] = $this->step;
    		}
    		if ( ! isset ( $return['complete'] ) ) {
    			$return['complete'] = false;
    		}
    	} else { // We aren't on the loading step, so do our processing.
    		$return = $this->step();
    -------------------------- CUT HERE --------------------------

The processing function is set to be a function handler of nf_download_all_subs ajax action and there is no proper permission check. The function will call $this->step() function which will export all of the submission to the $this->args['filename'] we specified.

**Contributor+ Broken Access Control**

The underlying vulnerability exists in the export_listen function:

    -------------------------- CUT HERE --------------------------
    if (isset ($_REQUEST['download_file']) && !empty($_REQUEST['download_file'])) {
    
        // Open our download all file
        $filename = esc_html($_REQUEST['download_file']);
    
        $upload_dir = wp_upload_dir();
    
        $file_path = trailingslashit($upload_dir['path']) . $filename . '.csv';
    
        if (file_exists($file_path)) {
            $myfile = file_get_contents($file_path);
        } else {
            $redirect = esc_url_raw(remove_query_arg(array('download_file', 'download_all')));
            wp_redirect($redirect);
            die();
        }
    
        unlink($file_path);
    
        $form_name = Ninja_Forms()->form(absint($_REQUEST['form_id']))->get()->get_setting('title');
        $form_name = sanitize_title($form_name);
    
        $today = date('Y-m-d', current_time('timestamp'));
    
        $filename = apply_filters('ninja_forms_download_all_filename', $form_name . '-all-subs-' . $today);
    
        header('Content-type: application/csv');
        header('Content-Disposition: attachment; filename="' . $filename . '.csv"');
        header('Pragma: no-cache');
        header('Expires: 0');
    
        echo $myfile;
    
        die();
    }
    -------------------------- CUT HERE --------------------------

The function is set to be a function handler of load-edit.php hook which could be triggered when a user for example visits the /wp-admin/edit.php endpoint. Since there is no proper permission check, by default, user with minimum role of Contributor could export form submissions.

**The patch**

For the reflected XSS issue, the vendor decide to restrict which method that user could access from the function. With this patch, it is enough to prevent user to directly call the _respond function to trigger the XSS. The patch can be seen below :

For the Subscriber+ broken access control, adding a permission check should also fix the reported issue. The patch can be seen below :

For the Contributor+ broken access control also, adding a permission check should also fix the reported issue. The patch can be seen below :

**Conclusion**

For some cases, plugin or theme code need to call certain function or class from user supplied string. Always try to check and restrict which function or class the user could directly call. Also pay extra attention to an export data action and always implement permission or access control check to the related functions.

**Timeline**

22 June, 2023We found the vulnerability and reached out to the plugin vendor.

04 July, 2023Ninja Forms version **3.6.26** was published to patch the reported issue.

27 July, 2023Security advisory article publicly released.

**Help us make the Internet a safer place**

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

*   If you’re a **plugin developer**, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
*   If you’re a **security researcher**, join Patchstack Alliance to report vulnerabilities & earn rewards.

Source

CVE