Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Order date, Order pickup, Order date time, Pickup Location, delivery date for WooCommerce plugin <= 3.0.19 versions.

**Solution**

Fixed 

Update the WordPress Order date time for WooCommerce plugin to the latest available version (at least 3.0.20).

MyungJu Kim discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Order date time for WooCommerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.0.20.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-28991: WordPress Order date time for WooCommerce plugin <= 3.0.19 - Cross Site Scripting (XSS) vulnerability - Patchstack

An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature.

**

XSS in BlockLogFormatter due to unsafe message use

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Found with r902363 which annotates some methods as unsafe. There are some genuine vulnerabilities in BlockLogFormatter, specifically in the code for partial blocks:

BlockLogFormatter.php#110-135

$actions \= $params\[6\]\['actions'\] ?? \[\];
$actions \= array\_map( function ( $actions ) {
	return $this\->msg( 'ipb-action-' . $actions )->text();
}, $actions );

$restrictions \= \[\];
if ( $pages ) {
	$restrictions\[\] \= $this\->msg( 'logentry-partialblock-block-page' )
		\->numParams( count( $pages ) )
		\->rawParams( $this\->context\->getLanguage()->listToText( $pages ) )->text();
}

if ( $namespaces ) {
	$restrictions\[\] \= $this\->msg( 'logentry-partialblock-block-ns' )
		\->numParams( count( $namespaces ) )
		\->rawParams( $this\->context\->getLanguage()->listToText( $namespaces ) )->text();
}
$enablePartialActionBlocks \= $this\->context\->getConfig()
	\->get( MainConfigNames::EnablePartialActionBlocks );
if ( $actions && $enablePartialActionBlocks ) {
	$restrictions\[\] \= $this\->msg( 'logentry-partialblock-block-action' )
		\->numParams( count( $actions ) )
		\->rawParams( $this\->context\->getLanguage()->listToText( $actions ) )->text(); // <-- Unsafe use of rawParams because $actions is built with Message::text()
}

$params\[6\] \= Message::rawParam( $this\->context\->getLanguage()->listToText( $restrictions ) );// <-- Unsafe use of rawParam because $restrictons is built with Message::text()

These can be reproduced by:

*   Adding <script>alert()</script> or something like that to ipb-action-\* and logentry-partialblock-block-\* messages
*   Enabling action blocks with $wgEnablePartialActionBlocks = true;
*   Blocking someone selecting all options for partial blocks
*   Going to their contributions page

Risk Rating

Medium

Author Affiliation

WMF Product

*   Task Graph

**Event Timeline**

Comment Actions

So for:

\->rawParams( $this\->context\->getLanguage()->listToText( $actions ) )->text(); // <-- Unsafe use of rawParams because $actions is built with Message::text()

that should be resolved with an s/text()/parse()/, no? Which we'd also want to change for the message construction under the if ( $pages ) and if ( $namespaces ) conditionals, right? Unless that would somehow lead to double-escaping. Assuming it doesn't, those mitigations should ensure that $restrictions shouldn't be tainted within:

$params\[6\] \= Message::rawParam( $this\->context\->getLanguage()->listToText( $restrictions ) );

Comment Actions

> So for:
> 
> \->rawParams( $this\->context\->getLanguage()->listToText( $actions ) )->text(); // <-- Unsafe use of rawParams because $actions is built with Message::text()
> 
> that should be resolved with an s/text()/parse()/, no?

When using the ipb-action-\* messages, yes, I think so. Possibly escaped() instead of parse(), unless there's a good reason to use the latter.

> Which we'd also want to change for the message construction under the if ( $pages ) and if ( $namespaces ) conditionals, right? Unless that would somehow lead to double-escaping. Assuming it doesn't, those mitigations should ensure that $restrictions shouldn't be tainted within:
> 
> $params\[6\] \= Message::rawParam( $this\->context\->getLanguage()->listToText( $restrictions ) );

Yes, I think replacing text() with escaped() in all the 3 conditionals should fix this, BUT I have no idea if this will break anything. I'm not familiar with LogFormatter and I've always found it to be a huge mess, particularly for how the escaping is controlled ($this>plaintext etc.). Maybe we need to manually vary the escaping on the value of $this->plaintext. I don't really know...

Comment Actions

> Yes, I think replacing text() with escaped() in all the 3 conditionals should fix this, BUT I have no idea if this will break anything. I'm not familiar with LogFormatter and I've always found it to be a huge mess, particularly for how the escaping is controlled ($this>plaintext etc.). Maybe we need to manually vary the escaping on the value of $this->plaintext. I don't really know...

I think we should just get a patch up on gerrit for this and see how it tests. That's the most reasonable approach IMO, especially since we've fixed many of these MW message output issues in the open. Unless there are strong objections...

Comment Actions

> > Yes, I think replacing text() with escaped() in all the 3 conditionals should fix this, BUT I have no idea if this will break anything. I'm not familiar with LogFormatter and I've always found it to be a huge mess, particularly for how the escaping is controlled ($this>plaintext etc.). Maybe we need to manually vary the escaping on the value of $this->plaintext. I don't really know...
> 
> I think we should just get a patch up on gerrit for this and see how it tests. That's the most reasonable approach IMO, especially since we've fixed many of these MW message output issues in the open. Unless there are strong objections...

No objections in the meantime, so I pushed the fix to gerrit to get the ball rolling.

Comment Actions

There's a merge conflict when backporting to REL1\_35 that I didn't investigate yet.

Comment Actions

> There's a merge conflict when backporting to REL1\_35 that I didn't investigate yet.

I'll take care of that.

Comment Actions

> > There's a merge conflict when backporting to REL1\_35 that I didn't investigate yet.
> 
> I'll take care of that.

Or maybe not? It's rejecting my push for some reason. The conflict itself is easy to fix, a couple of places that use text() in master did not exist in 1.35.

Comment Actions

Thanks all, I'm leaving it up to the Security team to close this task and make it public when they're comfortable with that.

Comment Actions

> Thanks all, I'm leaving it up to the Security team to close this task and make it public when they're comfortable with that.

Thanks for getting this done. I'll make this task public now since all of the work was done in gerrit and the issue is now being tracked for the next release as well: T333617.

sbassett changed Author Affiliation from N/A to WMF Product.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2023-36675: ⚓ T332889 XSS in BlockLogFormatter due to unsafe message use

The TechTime User Management components for Atlassian products allow stored XSS on the Bulk User Actions page. This affects User Management for Jira 2.0.0 through 2.17.1, User Management for Confluence 2.0.0 through 2.15.24, and User Management for Bitbucket 2.2.2 through 2.15.24.

I peeked inside a nowhere place —  
There was nobody there.  
Pure nothing stirred the empty space,  
Not going anywhere.

No time has passed while I was in,  
No sound has been heard.  
No scent escaped the empty room,  
Where noone was alert.

I gained no knowledge from my peek,  
As if I wasn't there.  
As if some nonsense has replaced —  
True meaning of “nowhere”.

You've reached a "nowhere" corner of our website.

Nothing to see here, but don't get discouraged! Try these links instead:

*   Products - links to our apps
*   Services - explanation of what we do for our customers
*   Our Partners - companies we work with
*   Meet Our Team - meet the team
*   Blog - the "memoir" of the events

CVE-2023-36662: Atlassian Partner, Wellington - 404

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).

CVE-2023-36664

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Shibboleth Service Provider Security Advisory \[12 June 2023\] An updated version of the XMLTooling library that is part of the OpenSAML and Shibboleth Service Provider software is now available which corrects a server-side request forgery (SSRF) vulnerability. Parsing of KeyInfo elements can cause remote resource access. ============================================================= Including certain legal but "malicious in intent" content in the KeyInfo element defined by the XML Signature standard will result in attempts by the SP's shibd process to dereference untrusted URLs. While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, there is at minimum a risk of denial of service, and the attack could be combined with others to create more serious vulnerabilities in the future. This issue is \*not\* specific to the V3 XMLTooling software and is believed to impact all versions prior to V3.2.4. Recommendations =============== Update to V3.2.4 or later of the XMLTooling library, which is now available. Note that on Linux and similar platforms, upgrading this component will require restarting the shibd process to correct the bug. The updated version of the library has been included in a V3.4.1.3 patch release of the Service Provider software on Windows. Other Notes =========== The xmltooling git commit containing the fix for this issue is 6080f6343f98fec085bc0fd746913ee418cc9d30 and may be in general terms applicable to V2 of the library. Credits ======= Juriën de Jong, an independent security researcher in the Netherlands URL for this Security Advisory: https://shibboleth.net/community/advisories/secadv\_20230612.txt -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmSHDk4ACgkQN4uEVAIn eWKdwg/9H2DoBB5xU53ZkNPHQW2MLHvhT/EKXp+1TfL1YD6fpqBrsY1A4pJmwamA U/PRkEGV7EitP0AJZ+lWxJoMcDupu8wsPh2nm0MJUUcgkuYdD38/ixyLs1HQ4jwT SMDQsfTDlEZvbMqdr7B20HxzIGU/bX8pxgvkP1IyclfiSOBIPdbDOQG3OvdZYl5u aJv0mACkPkiH1/JbRI9ODm3zYpwe8C2vpPyBhNrOARB9QzdogN2zx7l5xDyUiHtC YJHWnSMUEn9xvZJUTS+dHZpCmh2R3cpxmbL7WsT5xHq/LH7UUXELwcOiCgUNQgDn rz5lwF2FpXKw4qQ8u49Emqjb9pqPOD+OT1gRc/j3oibqINQunmrdjWt4m8MAK6Bh eS4S3zjGw7JNfaO91PV2TYypYf6hSqGemQBlCmnVHTZqVf068S87ZpFyG1F/VRB5 voEbdoOMBVGpeaan8snRoQTHEMG/tUdlmL7g076NvExH8W9dmhcWW/SiP/gWQ8ko NdUKfqYxONOBCDOlBzC9lBk6D106qbcCsnInwBHdPvWlX36M56oZU/DjV/lNMK+Y j2HS3DtBWxX+1nsrg/DLzyi+8ULOqbawyOqCaaolVjZzTOHGFwpd35XYblyb3iwb JbpmuRuk5cHGTwlHwXNI/5FzECOOe4KMLUzvrgzSiTWU89XBQ1M= =XkeU -----END PGP SIGNATURE-----

CVE-2023-36661

The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption.

'1212112?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-36660: Invalid Bug ID

INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page-header-preamble.foil.php, edit-form.foil.php, page-header-preamble.foil.php, overview.foil.php, cust.foil.php, and view.foil.php may be affected.

**Commits on Nov 3, 2022**

1.  Browse the repository at this point in the history
    

**Commits on Dec 9, 2022**

1.  Browse the repository at this point in the history
    
2.  Browse the repository at this point in the history
    

**Commits on Feb 22, 2023**

1.  Browse the repository at this point in the history
    

**Commits on Apr 6, 2023**

1.  Browse the repository at this point in the history
    
2.  Browse the repository at this point in the history
    

**Commits on May 19, 2023**

1.  Browse the repository at this point in the history
    
2.  Browse the repository at this point in the history
    
3.  Browse the repository at this point in the history
    
4.  Browse the repository at this point in the history
    
5.  Browse the repository at this point in the history
    
6.  Browse the repository at this point in the history
    
7.  Browse the repository at this point in the history
    

**Commits on Jun 19, 2023**

1.  Browse the repository at this point in the history
    
2.  Browse the repository at this point in the history
    

**Commits on Jun 20, 2023**

1.  Browse the repository at this point in the history
    
2.  Browse the repository at this point in the history
    
3.  Browse the repository at this point in the history
    
4.  Browse the repository at this point in the history

CVE-2023-36666: Comparing v6.3.0...v6.3.1 · inex/IXP-Manager

it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the sort parameter of the API interface.

@@ -0,0 +1,59 @@

<?php

// Copyright (C) <2015> <it-novum GmbH>

//

// This file is dual licensed

//

// 1.

// This program is free software: you can redistribute it and/or modify

// it under the terms of the GNU General Public License as published by

// the Free Software Foundation, version 3 of the License.

//

// This program is distributed in the hope that it will be useful,

// but WITHOUT ANY WARRANTY; without even the implied warranty of

// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

// GNU General Public License for more details.

//

// You should have received a copy of the GNU General Public License

// along with this program. If not, see <http://www.gnu.org/licenses/>.

//

// 2.

// If you purchased an openITCOCKPIT Enterprise Edition you can use this file

// under the terms of the openITCOCKPIT Enterprise Edition license agreement.

// License agreement and license key will be shipped with the order

// confirmation.

  

namespace App\\itnovum\\openITCOCKPIT\\Database;

  

class SanitizeOrder {

  

/\*\*

\* Only allow to pass column\_name or Table.column\_name into the MySQL ORDER BY query

\*

\* @param string $sort

\* @return array|string|string\[\]|null

\*/

public static function filterOrderColumn(string $sort) {

$sort = trim($sort);

// Only match to column\_name or Table.column\_name (no numbers, no special characters or umlauts)

if (preg\_match('/^\[a-zA-Z\_\]+(\\.\[a-zA-Z\_\]+)\*$/', $sort) === 1) {

// This should be unnecessary because the preg\_match above should never match on invalid characters

// However, better safe than sorry

return preg\_replace('/\[^a-zA-Z\_\\.\]/', '', $sort);

}

// Ref.: https://xkcd.com/327/

throw new FishyQueryException('Bobby Tables?');

}

  

public static function filterOrderArray($sortAsArray) {

if (is\_array($sortAsArray)) {

$validatedSort = \[\];

foreach ($sortAsArray as $sortField => $sortDirection) {

$sortField = self::filterOrderColumn($sortField);

$validatedSort\[$sortField\] = ($sortDirection === 'desc') ? 'desc' : 'asc';

}

return $validatedSort;

}

  

return self::filterOrderColumn((string)$sortAsArray);

}

}

CVE-2023-36663: ITC-3017 by nook24 · Pull Request #1519 · it-novum/openITCOCKPIT

A vulnerability was found in Campcodes Retro Cellphone Online Store 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/index.php. The manipulation of the argument username/password leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232351.

CVE-2023-3396

The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class.

**Source code:** Lib/email/utils.py

There are a couple of useful utilities provided in the email.utils module:

email.utils.localtime(_dt\=None_)¶

Return local time as an aware datetime object. If called without arguments, return current time. Otherwise _dt_ argument should be a datetime instance, and it is converted to the local time zone according to the system time zone database. If _dt_ is naive (that is, dt.tzinfo is None), it is assumed to be in local time. In this case, a positive or zero value for _isdst_ causes localtime to presume initially that summer time (for example, Daylight Saving Time) is or is not (respectively) in effect for the specified time. A negative value for _isdst_ causes the localtime to attempt to divine whether summer time is in effect for the specified time.

New in version 3.3.

email.utils.make\_msgid(_idstring\=None_, _domain\=None_)¶

Returns a string suitable for an **RFC 2822**\-compliant header. Optional _idstring_ if given, is a string used to strengthen the uniqueness of the message id. Optional _domain_ if given provides the portion of the msgid after the ‘@’. The default is the local hostname. It is not normally necessary to override this default, but may be useful certain cases, such as a constructing distributed system that uses a consistent domain name across multiple hosts.

Changed in version 3.2: Added the _domain_ keyword.

The remaining functions are part of the legacy (Compat32) email API. There is no need to directly use these with the new API, since the parsing and formatting they provide is done automatically by the header parsing machinery of the new API.

email.utils.quote(_str_)¶

Return a new string with backslashes in _str_ replaced by two backslashes, and double quotes replaced by backslash-double quote.

email.utils.unquote(_str_)¶

Return a new string which is an _unquoted_ version of _str_. If _str_ ends and begins with double quotes, they are stripped off. Likewise if _str_ ends and begins with angle brackets, they are stripped off.

email.utils.parseaddr(_address_)¶

Parse address – which should be the value of some address-containing field such as or – into its constituent _realname_ and _email address_ parts. Returns a tuple of that information, unless the parse fails, in which case a 2-tuple of ('', '') is returned.

email.utils.formataddr(_pair_, _charset\='utf-8'_)¶

The inverse of parseaddr(), this takes a 2-tuple of the form (realname,
email_address) and returns the string value suitable for a or header. If the first element of _pair_ is false, then the second element is returned unmodified.

Optional _charset_ is the character set that will be used in the **RFC 2047** encoding of the realname if the realname contains non-ASCII characters. Can be an instance of str or a Charset. Defaults to utf-8.

Changed in version 3.3: Added the _charset_ option.

email.utils.getaddresses(_fieldvalues_)¶

This method returns a list of 2-tuples of the form returned by parseaddr(). _fieldvalues_ is a sequence of header field values as might be returned by Message.get_all. Here’s a simple example that gets all the recipients of a message:

from email.utils import getaddresses

tos \= msg.get\_all('to', \[\])
ccs \= msg.get\_all('cc', \[\])
resent\_tos \= msg.get\_all('resent-to', \[\])
resent\_ccs \= msg.get\_all('resent-cc', \[\])
all\_recipients \= getaddresses(tos + ccs + resent\_tos + resent\_ccs)

email.utils.parsedate(_date_)¶

Attempts to parse a date according to the rules in **RFC 2822**. however, some mailers don’t follow that format as specified, so parsedate() tries to guess correctly in such cases. _date_ is a string containing an **RFC 2822** date, such as "Mon, 20 Nov 1995 19:12:08 -0500". If it succeeds in parsing the date, parsedate() returns a 9-tuple that can be passed directly to time.mktime(); otherwise None will be returned. Note that indexes 6, 7, and 8 of the result tuple are not usable.

email.utils.parsedate\_tz(_date_)¶

Performs the same function as parsedate(), but returns either None or a 10-tuple; the first 9 elements make up a tuple that can be passed directly to time.mktime(), and the tenth is the offset of the date’s timezone from UTC (which is the official term for Greenwich Mean Time) 1. If the input string has no timezone, the last element of the tuple returned is 0, which represents UTC. Note that indexes 6, 7, and 8 of the result tuple are not usable.

email.utils.parsedate\_to\_datetime(_date_)¶

The inverse of format_datetime(). Performs the same function as parsedate(), but on success returns a datetime; otherwise ValueError is raised if _date_ contains an invalid value such as an hour greater than 23 or a timezone offset not between -24 and 24 hours. If the input date has a timezone of -0000, the datetime will be a naive datetime, and if the date is conforming to the RFCs it will represent a time in UTC but with no indication of the actual source timezone of the message the date comes from. If the input date has any other valid timezone offset, the datetime will be an aware datetime with the corresponding a timezone tzinfo.

New in version 3.3.

email.utils.mktime\_tz(_tuple_)¶

Turn a 10-tuple as returned by parsedate_tz() into a UTC timestamp (seconds since the Epoch). If the timezone item in the tuple is None, assume local time.

email.utils.formatdate(_timeval\=None_, _localtime\=False_, _usegmt\=False_)¶

Returns a date string as per **RFC 2822**, e.g.:

Fri, 09 Nov 2001 01:08:47 \-0000

Optional _timeval_ if given is a floating point time value as accepted by time.gmtime() and time.localtime(), otherwise the current time is used.

Optional _localtime_ is a flag that when True, interprets _timeval_, and returns a date relative to the local timezone instead of UTC, properly taking daylight savings time into account. The default is False meaning UTC is used.

Optional _usegmt_ is a flag that when True, outputs a date string with the timezone as an ascii string GMT, rather than a numeric -0000. This is needed for some protocols (such as HTTP). This only applies when _localtime_ is False. The default is False.

email.utils.format\_datetime(_dt_, _usegmt\=False_)¶

Like formatdate, but the input is a datetime instance. If it is a naive datetime, it is assumed to be “UTC with no information about the source timezone”, and the conventional -0000 is used for the timezone. If it is an aware datetime, then the numeric timezone offset is used. If it is an aware timezone with offset zero, then _usegmt_ may be set to True, in which case the string GMT is used instead of the numeric timezone offset. This provides a way to generate standards conformant HTTP date headers.

New in version 3.3.

email.utils.decode\_rfc2231(_s_)¶

Decode the string _s_ according to **RFC 2231**.

email.utils.encode\_rfc2231(_s_, _charset\=None_, _language\=None_)¶

Encode the string _s_ according to **RFC 2231**. Optional _charset_ and _language_, if given is the character set name and language name to use. If neither is given, _s_ is returned as-is. If _charset_ is given but _language_ is not, the string is encoded using the empty string for _language_.

email.utils.collapse\_rfc2231\_value(_value_, _errors\='replace'_, _fallback\_charset\='us-ascii'_)¶

When a header parameter is encoded in **RFC 2231** format, Message.get_param may return a 3-tuple containing the character set, language, and value. collapse_rfc2231_value() turns this into a unicode string. Optional _errors_ is passed to the _errors_ argument of str’s encode() method; it defaults to 'replace'. Optional _fallback\_charset_ specifies the character set to use if the one in the **RFC 2231** header is not known by Python; it defaults to 'us-ascii'.

For convenience, if the _value_ passed to collapse_rfc2231_value() is not a tuple, it should be a string and it is returned unquoted.

email.utils.decode\_params(_params_)¶

Decode parameters list according to **RFC 2231**. _params_ is a sequence of 2-tuples containing elements of the form (content-type, string-value).

Footnotes

1

Note that the sign of the timezone offset is the opposite of the sign of the time.timezone variable for the same timezone; the latter variable follows the POSIX standard while this module follows **RFC 2822**.