Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

**Mozilla Foundation Security Advisory 2020-20**

Announced

June 2, 2020

Impact

high

Products

Firefox

Fixed in

*   Firefox 77

**#CVE-2020-12399: Timing attack on DSA signatures in NSS library**

Reporter

Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at Tampere University

Impact

high

**Description**

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.

**References**

*   Bug 1631576

**#CVE-2020-12405: Use-after-free in SharedWorkerService**

Reporter

Marcin 'Icewall' Noga of Cisco Talos

Impact

high

**Description**

When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.

**References**

*   Bug 1631618

**#CVE-2020-12406: JavaScript type confusion with NativeTypes**

Reporter

Iain Ireland

Impact

high

**Description**

Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.

**References**

*   Bug 1639590

**#CVE-2020-12407: WebRender leaking GPU memory when using border-image CSS directive**

Reporter

Nicolas Silva

Impact

moderate

**Description**

Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content was visible to the user, but not observable from web content.

**References**

*   Bug 1637112

**#CVE-2020-12408: URL spoofing when using IP addresses**

Reporter

Rayyan Bijoora

Impact

low

**Description**

When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar.

**References**

*   Bug 1623888

**#CVE-2020-12409: URL spoofing with unicode characters**

Reporter

Rayyan Bijoora

Impact

low

**Description**

When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL.

**References**

*   Bug 1629506

**#CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9

**#CVE-2020-12411: Memory safety bugs fixed in Firefox 77**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers :Gijs (he/him), Randell Jesup reported memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 77

CVE-2020-12406: Security Vulnerabilities fixed in Firefox 77

Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.

Sorry, I can't find "_1634738?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-12425: Invalid Bug ID

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating systems are unaffected.* This vulnerability affects Firefox < 78.

Sorry, I can't find "_1642400?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-12423: Invalid Bug ID

In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78.

**Mozilla Foundation Security Advisory 2020-24**

Announced

June 30, 2020

Impact

high

Products

Firefox

Fixed in

*   Firefox 78

**#CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing**

Reporter

Kevin Higgs

Impact

high

**Description**

When %2F was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory.

**References**

*   Bug 1586630

**#CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster**

Reporter

Alex Mayorga

Impact

high

**Description**

A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash.

**References**

*   Bug 1639734

**#CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64**

Reporter

Deian Stefan

Impact

high

**Description**

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash.  
_Note: this issue only affects Firefox on ARM64 platforms._

**References**

*   Bug 1640737

**#CVE-2020-12418: Information disclosure due to manipulated URL object**

Reporter

Marcin 'Icewall' Noga of Cisco Talos

Impact

high

**Description**

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.

**References**

*   Bug 1641303

**#CVE-2020-12419: Use-after-free in nsGlobalWindowInner**

Reporter

worcester12345

Impact

high

**Description**

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1643874

**#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server**

Reporter

Byron Campen

Impact

high

**Description**

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1643437

**#CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack**

Reporter

Sohaib ul Hassan, Iaroslav Gridin, Ignacio M. Delgado-Lozano, Cesar Pereida García, Jesús-Javier Chi-Domínguez, Alejandro Cabrera Aldaya, and Billy Bob Brumley, Network and Information Security (NISEC) Group, Tampere University, Finland

Impact

moderate

**Description**

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.  
We would like to thank Sohaib ul Hassan for contributing a fix for this issue as well.  
_Note:_ An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might.

**References**

*   Bug 1631597

**#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates**

Reporter

Chuck Harmston, Robert Hardy

Impact

moderate

**Description**

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user.

**References**

*   Bug 1308251

**#CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer**

Reporter

Ronald Crane

Impact

moderate

**Description**

In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.

**References**

*   Bug 1450353

**#CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library**

Reporter

Riccardo Ancarani

Impact

moderate

**Description**

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution.  
_Note: This issue only affects the Windows operating system; other operating systems are unaffected._

**References**

*   Bug 1642400

**#CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process**

Reporter

Paul Theriault

Impact

low

**Description**

When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt.

**References**

*   Bug 1562600

**#CVE-2020-12425: Out of bound read in Date.parse()**

Reporter

Bruno Keith

Impact

low

**Description**

Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure.

**References**

*   Bug 1634738

**#CVE-2020-12426: Memory safety bugs fixed in Firefox 78**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Bob Clary, Benjamin Bouvier, Calixte Denizet, Christian Holler reported memory safety bugs present in Firefox 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 78

CVE-2020-12422: Security Vulnerabilities fixed in Firefox 78

The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS.

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin for WordPress version 5.1.0 and below were found to be vulnerable to stored XSS while I was auditing the plugin. Plugin version 5.1.2 with improved data sanitization was released on June 24, 2020.

**CVE ID:** CVE-2020-15038

****Summary****

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. It was found to be vulnerable to stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

**Impact**

While there are multiple ways in which an attacker can perform malicious actions exploiting this vulnerability, let’s take a look at two.

*   **Redirection**:
    
    If an attacker were to exploit the vulnerability, they would be able to use an XSS payload to cause redirection such that any time the developer enables maintenance mode, a user visiting the site would be redirected to a domain under the attacker’s control, which could be made to look exactly like the original website with a login form for the user to submit their credentials. If the user submits their credentials without noticing the changed domain, their account gets compromised.
    
  
*   **Phishing**:
    
    Similarly, an attacker can also use a payload to create a login form on the Coming Soon/Maintenance Mode page itself, trying to bait unsuspecting users into entering their credentials.
    

**Vulnerability**

The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live).

    POST /wp-admin/options.php HTTP/1.1
    Host: localhost:10004
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 636
    Origin: http://localhost:10004
    Connection: close
    Cookie: ...
    
    option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=

****Timeline****

Vulnerability reported to the SeedProd team on June 22, 2020.  
Version 5.1.2 containing the fix to the vulnerability was released on June 24, 2020.

****Recommendation****

It is highly recommended to update the plugin to the latest version.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15038
*   https://nvd.nist.gov/vuln/detail/CVE-2020-15038
*   https://wordpress.org/plugins/coming-soon/#developers
*   https://wpvulndb.com/vulnerabilities/10283

For best security practices, you can follow the below guides:

*   WordPress Security Guide
*   WordPress Hack and Malware Removal

Tags: coming soon page, Cross Site Scripting, maintenance mode, seedprod, stored xss, under construction, vulnerability, WordPress, WordPress Maintenance, Wordpress Plugin Vulnerability, wordpress security, XSS

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

CVE-2020-15038: XSS Found In Coming Soon Page and Maintenance Mode Plugin

An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.

I recently took part in a live bug hunting event:

> — OnSecurity - We're Hiring! (@HackersOnDemand) June 9, 2020

As part of these event, we reviewed the product Navigate CMS. In order to perform this review I setup a local instance of this tool, using version v2.9 r1433 (2020/06).

While taking part of this event, I managed to help identify several findings:

*   User enumeration
*   Session information leakage
*   User password reset vulnerability
*   Store Cross-Site Scripting (XSS)
*   Reflected Cross-Site Scripting (XSS)

**User Enumeration - CVE-2020-14016**

Navigate CMS has a _Forgot password?_ feature, which allows a user to reset their password if they forgot what their current password is.

Navigate CMS login page with _Forgot password?_ link.

In order to use this feature the user supplies either their username associated with their account, or the email address which is associate with their account.

Forgot password feature.

When entering the username or email address of a non-existent user, it produces and error stating that the user couldn't be found:

Result of providing details of non-existent user.

When reviewing the HTTP response it can clearly be seen that the HTTP response responds with the message _not\_found_ in the response body:

**HTTP request:**

    POST /navigate/login.php HTTP/1.1
    Host: 192.168.0.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    X-Requested-With: XMLHttpRequest
    Content-Length: 36
    Origin: http://192.168.0.130
    Connection: close
    Referer: http://192.168.0.130/navigate/login.php
    Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; navigate-tinymce-scroll=%7B%7D; NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t
    
    action=forgot-password&value=invalid
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Wed, 10 Jun 2020 16:55:33 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    Set-Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 9
    
    not_found
    

Using this one can either use something such as a wordlist to try enumeration which users exist on the system:

User enumeration of the _Forgot password?_ feature.

**Session Information Leakage - CVE-2020-14017**

Navigate CMS stores session information in plaintext files on the server in the webroot. These files are then publicly available to un-authenticated users. As part of the setup, there is an option to copy/install the appropriate _.htaccess_ files used to prevent access to this directory and files. However it appears that this doesn't prevent access with later versions of Apache HTTPD.

Depending how the server has been configured, it could be possible to view the contents of the directory:

Directory list of the directory private/sessions which contains all session files.

Upon navigating to one of the session files (most preferably the most recent), one is able to view details and sensitive information (such as CSRF tokens) which are associated with the session:

Details of session file.

If directory listing has been disabled on the webserver (such as via Apache configuration), an attacker is still able to access these files without authentication, however they would need to bruteforce the session IDs to find existing sessions and thus the existing session files:

Bruteforcing of session files.

**User Password Reset Vulnerability - CVE-2020-14015**

The _Forgot password?_ feature allows a user to reset their password. When a user successfully enters their username or email address in the forgot password feature, an email is sent the user which contains a password reset link. This link contains an _activation code_, which allows the user to then reset the password associated with their account.

When providing an invalid code, the user is presented with the login screen:

Login screen with invalid password activation code.

However a flaw exists when no code is presented, the user is prompted for a new password:

Password reset for now password activation code.

And setting the password results in success:

Password reset successful.

Upon further investigation, the reason is that when a user is created, their account is created without an activation code:

Database after user created.

When no code is supplied in the password reset process flow, the first user without an activation key will be matched and thus have their password reset.

**Stored Cross-Site Scripting - CVE-2020-14018**

While there is HTML encoding on _User_ field in the Users / Edit page, there is not sufficient encoding on the _E-Mail_ field, these leaves it vulnerable to a store XSS vulnerability:

Stored XSS from E-Mail field on the Users / Edit page.

As stated the _User_ field is appropriate HTML encoded, preventing any XSS vulnerability from this field on this page:

HTML encoding of the _User_ field.

However the E-Mail field is does not have sufficient HTML encoding, resulting in a stored XSS vulnerability:

XSS vulnerability in the _E-Mail_ field.

This stored XSS vulnerability is persisted and present from both the _User_ as well as the _E-Mail_ fields when viewing users on the _Users_ page:

Stored XSS from the _User_ field.

Stored XSS from the _E-Mail_ field.

**Reflected Cross-Site Scripting - CVE-2020-14014**

On the landing page once the user authenticates, there is a resource _/nagivate.php_ which can take the query parameter _fid_. The value from this parameter is reflected back on the page, without having appropriate validation or HTML encoding. This makes the page vulnerable to reflected XSS:

Reflected XSS from the vulnerable _fid_ query parameter.

This is since the value is reflected to a link in the top right corner of the page:

Reflected link contain the reflected XSS.

**Resolution**

Fixed as of version v2.9.1 r1487 (2020/06).

**Vendor Notification**

*   10 June 2020 - Initial contact with the vendor, indicating wish to share findings with vendor before disclosing publicly.
*   11 June 2020 - Received response from vendor expressing wish to obtain information about findings.
*   11 June 2020 - Forwarded findings to vendor.
*   17 June 2020 - Vendor shared fixes with myself and asked me to review the fixes.
*   21 June 2020 - Reviewed fixes and confirmed with vendor.
*   22 June 2020 - Vendor confirmed new version and approved public disclosure of findings.

CVE-2020-14014: Navigate CMS

Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Special Register Buffer Data Sampling Advisory**

**Summary: **

A potential security vulnerability in some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2020-0543

Description: Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score:  6.5 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

A list of impacted products can be found here. 

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses this issue. 

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode:  

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

The microcode updates also provide an opt-out mechanism (RNGDS\_MITG\_DIS) to disable the mitigation for RDRAND and RDSEED instructions executed outside of Intel® Software Guard Extensions (Intel® SGX) enclaves. Please refer to technical details to find additional information on the opt-out mechanism here.  

Note that inside of an Intel SGX enclave, the mitigation is applied regardless of the value of RNGDS\_MITG\_DIS.

Additional technical details about SRBDS can be found here.

To address this issue, an SGX TCB recovery will be required in Q3 2020. Refer to Intel® SGX Attestation Technical Details for more information on the SGX TCB recovery process.

**Acknowledgements:**

Intel would like to thank Alyssa Milburn, Hany Ragab, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam for reporting this issue. 

This issue was also identified by Intel employees.  Intel would like to thank Rodrigo Branco (formerly Intel), Kekai Hu (formerly Intel), Gabriel Negreira Barbosa (Intel), and Ke Sun (Intel).  

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/09/2020

Initial Release

1.1

06/12/2020

Updated Acknowledgements

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-0543: INTEL-SA-00320

Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.

**Describe the bug**  
XSS when a admin click on the link bellow, the g\_preview\_theme parameter not encoding the double quotes, an attacker could trick the admin to click on that link..  
https://demo.gilacms.com/cm/edit\_form/postcategory?id=8%22+%3E%3Cscript%3Ealert(1)%3C/script%3E

**To Reproduce**  
Steps to reproduce the behavior:

1.  Go to 'https://demo.gilacms.com/admin/content/postcategory'
2.  Click on 'edit'
3.  With a web proxy like burp intercept that request, and after id= parameter put " "+><script>alert(1)</script>
4.  See the alert on browser..

**Screenshots**  
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**

*   Browser Firefox
*   Version 70.0 (64-bit)

**Additional context**  
In fact the attacker could trick any admin to click on  
https://demo.gilacms.com/cm/edit\_form/postcategory?id=8%22+%3E%3Cscript%3Ealert(1)%3C/script%3E .. and execute javascript..

CVE-2019-20803: Cross Site Scripting (XSS) -  · Issue #56 · GilaCMS/gila

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.



CVE-2019-2388: Ops Manager Server Changelog — MongoDB Ops Manager 6.0

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

This is a service and security update to the stable version 1.4 of Roundcube Webmail.  
It contains four fixes for recently reported security vulnerabilities as well a number  
of general improvements from our issue tracker. See the full changelog below.

**Security fixes**

*   Cross-Site Scripting (XSS) via malicious HTML content
*   CSRF attack can cause an authenticated user to be logged out
*   Remote code execution via crafted config options
*   Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations  
with public access to the Roundcube installer. That's generally a high-risk situation and is expected  
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done  
in core in order to also prevent from future and yet unknown attack vectors.

This version is considered stable and we recommend to update all productive installations  
of Roundcube with it. Please do backup your data before updating!

**CHANGELOG**

*   Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
*   Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
*   Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
*   Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
*   Elastic: Fix color of a folder with recent messages (#7281)
*   Elastic: Restrict logo size in print view (#7275)
*   Fix invalid Content-Type for messages with only html part and inline images - Mail\_Mime-1.10.7 (#7261)
*   Fix missing contact display name in QR Code data (#7257)
*   Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
*   Fix regression in testing database schema on MSSQL (#7227)
*   Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
*   Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
*   Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
*   Fix handling keyservers configured with protocol prefix (#7295)
*   Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
*   Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
*   Fix so imap error message is displayed to the user on folder create/update (#7245)
*   Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
*   Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
*   Fix characters encoding in group rename input after group creation/rename (#7330)
*   Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
*   Make install-jsdeps.sh script working without the file program installed (#7325)
*   Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
*   Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
*   Security: Fix XSS issue in handling of CDATA in HTML messages
*   Security: Fix remote code execution via crafted 'im\_convert\_path' or 'im\_identify\_path' settings
*   Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
*   Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

Tag

#firefox