Maintainers warn to patch all versions of open source web app framework – even those not deemed vulnerable

Maintainers warn to patch all versions of open source web app framework – even those not deemed vulnerable

  

Researchers from AntGroup FG Security Lab have discovered a critical security vulnerability allowing an attacker to remotely execute code within a Grails application runtime.

Grails is an open source web application framework based on the Apache Groovy programming language and is used for developing agile web applications. Customers include Google, IBM, Walmart, Credit Suisse, and Mastercard.

The flaw, tracked using CVE-2022-35912, allows an attacker to remotely execute code within a Grails application runtime by issuing a specially crafted web request that grants the attacker access to the class loader.

Read more of the latest news about web security vulnerabilities

The attack exploits a section of the Grails data-binding logic, which is invoked in a number of ways including the creation of command objects, domain class construction, and manual data binding when using bindData.

The vulnerability has been confirmed on Grails framework versions 3.3.10 and higher, including Grails framework 4 and 5, that are running on Java 8. It has been observed in both the embedded Tomcat runtime and applications deployed as a Web Archive (WAR) to a Tomcat instance.

“Due to the nature of this vulnerability, we strongly suggest that all Grails applications, including those that are not vulnerable to this specific attack, be updated to a patched Grails release,” the Grails team noted in a blog post.

“While we have not been able to reproduce this specific exploit on applications running in Java 11 or in versions of the Grails framework before 3.3.10, the nature of the vulnerability is such that variations on the attack could be discovered that earlier Grails releases, and Grails applications running on higher versions of Java will be impacted.”

**Patches available**

Versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15 have now been patched, and the team recommends upgrading to a patched version. Grails 4.x applications can be upgraded to version 4.1.1 or higher, Grails 5.0.x and 5.1.x applications can be upgraded to 5.1.9 or higher, and Grails 5.2 applications can be upgraded to 5.2.1 or higher.

“The Grails Foundation and the Grails core development team take application security very seriously,” wrote the team. “We are continuing to research and monitor this vulnerability.”

YOU MAY ALSO LIKE Cisco patches dangerous bug trio in Nexus Dashboard

Critical security vulnerability in Grails could lead to remote code execution

As many as 207 websites have been infected with malicious code designed to launch a cryptocurrency miner by leveraging WebAssembly (Wasm) on the browser.
Web security company Sucuri, which published details of the campaign, said it launched an investigation after one of its clients had their computer slowed down significantly every time upon navigating to their own WordPress portal.
This

As many as 207 websites have been infected with malicious code designed to launch a cryptocurrency miner by leveraging WebAssembly (Wasm) on the browser.

Web security company Sucuri, which published details of the campaign, said it launched an investigation after one of its clients had their computer slowed down significantly every time upon navigating to their own WordPress portal.

This uncovered a compromise of a theme file to inject malicious JavaScript code from a remote server -- hxxps://wm.bmwebm\[.\]org/auto.js -- that's loaded whenever the website's page is accessed.

"Once decoded, the contents of auto.js immediately reveal the functionality of a cryptominer which starts mining when a visitor lands on the compromised site," Sucuri malware researcher Cesar Anjos said.

What's more, the deobfuscated auto.js code makes use of WebAssembly to run low-level binary code directly on the browser.

WebAssembly, which is supported by all major browsers, is a binary instruction format that offers performance improvements over JavaScript, allowing applications written in languages like C, C++, and Rust to be compiled into a low-level assembly-like language that can be directly run on the browser.

"When used in a web browser, Wasm runs in its own sandboxed execution environment," Anjos said. "As it is already compiled into an assembly format, the browser can read and execute its operations at a speed JavaScript itself can't match."

The actor-controlled domain, wm.bmwebm\[.\]org, is said to have been registered in January 2021, implying the infrastructure continued to remain active for more than 1.5 years without attracting any attention.

On top of that, the domain also comes with the ability to automatically generate JavaScript files that masquerade as seemingly harmless files or legitimate services like that of Google Ads (e.g., adservicegoogle.js, wordpresscore.js, and facebook-sdk.js) to conceal its malicious behavior.

"This functionality also makes it possible for the bad actor to inject the scripts in multiple locations on the compromised website and still maintain the appearance that injections 'belong' within the environment," Anjos noted.

This is not the first time WebAssembly's ability to run high-performance applications on web pages has raised potential security red flags.

Setting aside the fact that Wasm's binary format makes detection and analysis by conventional antivirus engines more challenging, the technique could open the door to more sophisticated browser-based attacks such as e-skimming that can fly under the radar for extended periods of time.

Complicating matters further is the lack of integrity checks for Wasm modules, effectively making it impossible to determine if an application has been tampered with.

To help illustrate the security weaknesses of WebAssembly, a 2020 study by a group of academics from the University of Stuttgart and Bundeswehr University Munich unearthed security issues that could be used to write to arbitrary memory, overwrite sensitive data, and hijack control flow.

Subsequent research published in November 2021 based on a translation of 4,469 C programs with known buffer overflow vulnerabilities to Wasm found that "compiling an existing C program to WebAssembly without additional precautions may hamper its security."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection

A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.

**google-cloudstorage-commands Command Injection vulnerability**

Critical severity GitHub Reviewed Published Jul 26, 2022 • Updated Aug 6, 2022

GHSA-6367-p3v8-7mgw: google-cloudstorage-commands Command Injection vulnerability

Several threat actors used Amadey Bot previously to steal information and distribute malware such as the GandCrab ransomware and the FlawedAmmy RAT.

A dangerous malware variant called "Amadey Bot" that has been largely dormant for the past two years has surfaced again with new features that make it stealthier, more persistent, and much more dangerous than previous versions — including antivirus bypasses.

Amadey Bot first appeared in 2018 and is primarily designed to steal data from infected systems. However, various threat actors — such as Russia's infamous TA505 advanced persistent threat (APT) group — have also used it to distribute other malicious payloads, including GandCrab ransomware and the FlawedAmmy remote access Trojan (RAT), making it a threat for enterprise organizations.

Previously, threat actors used the Fallout and RIG exploit kits, as well as the AZORult infostealer, to distribute Amadey. But researchers at South Korea's AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least 2011.

**Smoke & Mirrors**

Researchers at AhnLab found that the operators of the new Amadey variant have disguised SmokeLoader in software cracks and fake keys for commercial software that people often use to try and activate pirated software. When users download the malware assuming it is a cracked (pirated) version or a key generator, SmokeLoader injects its malicious payload into the currently running Windows Explorer process (explorer.exe) and then proceeds to download Amadey on the infected system, the researchers at AhnLab discovered.

Once the malware is executed, Amadey lodges itself in the TEMP folder as a startup folder, ensuring the malware will persist even after a system reboot. As an additional persistence measure, Amadey also registers itself as a scheduled task in Task Scheduler, according to AhnLab.

After the malware completes its initial setup processes, it contacts a remote, attacker-controlled command-and-control server (C2) and downloads a plug-in to collect environment information. This includes details such as the computer and username, operating system information, a list of applications on the system, and a list of all anti-malware tools on it. 

The sample of the new Amadey variant that researchers at AhnLab analyzed was also designed to take periodic screenshots of the current screen and send them back in a .JPG format to the attacker controlled C2 server.

**Bypassing AV Protections**

AhnLab found that the malware is configured to look for and bypass antivirus tools from 14 vendors, including Avast, Avira, BitDefender, Kaspersky, Sophos, and Microsoft's Windows Defender.

"The new and improved version of the malware flaunts even more features compared to its predecessor," security vendor Heimdal said in a blog post. This includes features "such as scheduled tasks for persistence, advanced reconnaissance, UAC bypassing, and defense evasion strategies tailored for 14 known antivirus products," it noted.

Once Amadey relays system information to the C2 server, the threat actor knows exactly how to bypass protection for the specific AV tools that might be present on the system. "On top of that, once Amadey gets ahold of your AV’s profile, all future payloads or DLLs will be executed with elevated privileges," Heimdal warned in the blog post. 

**A More Dangerous Version of Amadey**

The information that Amadey relays to the C2 server allows the attackers to take a variety of follow-up actions, including installing additional malware. The sample that AhnLab analyzed, for instance, downloaded a plug-in for stealing Outlook emails and information about FTPs and VPN clients on the infected system. 

It also installs an additional information stealer called RedLine on the victim system. RedLine is a prolific information stealer that first surfaced in 2020 and has been distributed via various mechanisms, including COVID-19 themed phishing emails, fake Google ads and in targeted campaigns. Researchers from Qualys recently observed the malware being distributed via fake cracked software on Discord.  

Researchers from BlackBerry Cylance who analyzed the earlier version of Amadey determined at the time that the malware does not install any additional payloads if it assesses the victim to be in Russia.

Dmitry Bestuzhev, threat researcher at BlackBerry says SmokeLoader has been actively tricking victims via cracked software and so-called “software activation” programs from the beginning of this year. 

"We saw several brands being abused by cybercriminals spreading malicious cracks for the most popular software houses," he says. 

Amadey's botnet too has been very active, impersonating popular private and secure email vendors to infect targets. "According to our telemetry, most of them are in the US, followed by Japan, Mexico and Brazil," Bestuzhev says.

Supercharged Version of Amadey Infostealer & Malware Dropper Bypasses AVs

Authenticated WordPress Options Change vulnerability in Biplob Adhikari's Flipbox plugin <= 2.6.0 at WordPress.

CVE-2022-33969: Changeset 2648808 – WordPress Plugin Repository

Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh WP Visitor Statistics plugin <= 5.7 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

A comprehensive plugin for your WordPress visitor statistics, Track statistics for your WordPress site without depending on external services. Enable you to display how many users are online on your WordPress blog with detailed statistics, easy to install and working fine (Thousands of WordPress sites are already using it)  
When it comes to ease of use, WordPress visitor statistics comes in first, You will have a real counter and statistics plugin for your WordPress website..  
This plugin will help you to track your visitors, browsers, operating systems, visits and much more in one dashboard page..

**Basic Features**

✅ Real time statistics  
✅ visits, visitors location.  
✅ Comprehensive overview page & User-friendly interface  
✅ GeoIP location by Country  
✅ Search Engines queries from popular search engines like Google  
✅ Support for hashing IP addresses (Full GDPR)  
✅ Automatically prune the databases of old data  
✅ Automatic updates to the GeoIP database.  
✅ Fully compliant with the European GDPR guidelines.  
✅ and more

**Pro features**

✅ Online counter  
✅ Widgets to provide information to your users  
✅ Shortcodes for many different types of data.  
✅ E-mail reports of statistics  
✅ Interactive map of visitors location  
✅ GEO locations (country and city)  
✅ Recent visitors by IP  
✅ and more

**Requirements**

*   WordPress 3.8+
*   PHP 5.2+ (or 5.5+ if you use the Browscap data file)
*   MySQL 5.0.3+
*   At least 20 MB of free web space
*   At least 5 MB of free DB space
*   At least 32 Mb of free PHP memory for the tracker (peak memory usage)
*   IE9+ or any browser supporting HTML5, to access the reports

**Premium Add-ons**

Visit our website for a list of available extensions.

**Translations**

*   English
*   French
*   Russian
*   German (Formal)

**Contributing and Reporting Bugs**

WordPress visitor statistics (Histats) is being developed on GitHub, If you’re interested in contributing to plugin, Please look at Github page

**Support**

We’re happy to help. Here are a few things to do before contacting us:  
\* Have you read the \[FAQs\] (http://plugins-market.com/documentation/)  
\* Have you search the support forum for a similar issue?  
\* You can also contact us at support@plugins-market.com if you have any enquiry.

1.  Download the package.
2.  Upload the package using your plugins page > add new > upload or Extract the contents of .zip folder to wp-content/plugins/ folder
3.  Activate the Plugin via plugins page
4.  Clear your site cache (if you have any caching plugin enabled)  
    Thanks!

I am hugely disappointed at their support and the Plugins. Firstly, the Counts shown on Graphic Chart increased, for example, from 100 counts to 170 from Mexico. It is an increment of 70 visitors. However, there are No visitor logs shown on Google Analytics or Analtify. the Same thing with WordFence Traffic Logs, there's no Traffic log shows 70 visitors from Mexico. The overall count visit logs including the \* Hacking Attempt \* Search Engine Bots(from Bing, Google. etc) \* Human Visit I have tried to get help on this matter by contacting the support, but No Replies for over 10 days.

It is very accurate with its statistics, which is good because you know what to do and what not to do to keep improving your site

I don't recommend this plugin. If you try to delete it, it leaves lots of unused tables that are impossible to delete automatically contrary to what the designer says. I had to go through the cPanel to delete them. And those who are not familiar with this kind of manipulation, they can break the website.

We find the Visitor Statistics plug-in very useful, and the developers are highly responsive and efficient when it comes to technical support.

this plugin is useful and easy to use

Read all 105 reviews

“WP Visitor Statistics (Real Time Traffic)” is open source software. The following people have contributed to this plugin.

Contributors

*    osama.esh

**5.9**

1.  Bug fixes (notice)

**5.8**

1.  Bug fixes in settings page
2.  Adding new feature in the settings page (Excluding Roles from statistics)

**5.7**

1.  Bug fixes in the GEO location vars

**5.6**

1.  Bug fixes – escape data

**5.5**

1.  Bug fixes in IP execlusion page

**5.4**

1.  Bug fixes – escape data

**5.3**

1.  Bug fixes in IP exclusion ajax request

**5.2**

1.  Bug fixes in timezone

**5.1**

1.  Bug fixes in settings

**4.9**

1.  Security Bug fixes

**4.8**

1.  Security Bug fixing in ajax requests

**4.7**

1.  Bug fixing in multisite (network)

**4.6**

1.  Bug fixing in IP extension

**4.5**

1.  Bug fixing in removing plugin (remove all tables and views)

**4.4**

1.  Bug fixing in dashboard stylesheet (with non admin users)

**4.3**

1.  Bug fixing in storing URLs (Lowercase issue)

**4.2**

1.  Security Bug fixing in ajax requests – part 2

**4.1**

1.  Security Bug fixing in ajax requests reported by Mr. Krzysztof Zając

**3.18**

1.  Security Bug fixing in ajax requests reported by Mr. Krzysztof Zając

**3.18**

1.  Bug fixing in the timezone (part 2)

**3.17**

1.  Bug fixing in the timezone

**3.16**

1.  bug fixing in stylesheet

**3.15**

1.  Adding FR translation (Thanks Maxence RICHARD for your help)
2.  Bug fixing in the main statistics chart
3.  bug fixing in stylesheet

**3.14**

1.  Bug fixing “PHP Notice: Undefined variable” in functions

**3.13**

1.  Bug fixing “PHP Notice: Undefined variable” happend after the latest changes
2.  Reports enhancements

**3.12**

1.  Bug fixing “PHP Notice: Undefined variable” happend after the latest changes

**3.11**

1.  bug fixing (single quote issue) in search engines

**3.10**

1.  Urgent fixing (Database errors)

**3.9**

1.  Top bar icon + bug fixing in the plugin init file

**3.8**

1.  Security bug fixing reported by Mr. “Austin Turecek”, Sanitizing ajax request

**3.7**

1.  Bug fixing in search engines graphs

**3.6**

1.  Bug fixing in prepare statement in the reports

**3.5**

1.  Bug fixing in prepare statement

**3.4**

1.  Bug fixing in search engines query (single quote issue reported by @madmax4ever)

**3.3**

1.  Bug fixing in enqueue scripts

**3.2**

1.  Bug fixing in user roles with different site language

**3.1**

1.  Bug fixing in user roles

**2.9**

1.  Bug fixing in traffic counter after the latest updates

**2.8**

1.  Bug fixing – PHP notice

**2.7**

1.  js compression

**2.6**

1.  Css compression

**2.5**

1.  adding the ability to give access to statistics page for any user type
2.  exclude robots

**2.4**

1.  adding new subscribe message to get latest updates

**2.3**

1.  bug fixing in CSS
2.  enhancement in the plugin performance

**2.2**

1.  removing alert message

**2.1**

1.  IP addresses hashing for last 3 digits
2.  Bug fixing in default data

**1.9**

1.  we used the \[GEOPLUGIN\] web service (http://geoip-db.com) These library give us more help in identifying the city name, here is the privacy page for this service http://geoip-db.com/privacy
2.  improve reports

**1.8**

1.  fixing content reports (Traffic by title and by url)
2.  timezone is now support syncronization
3.  php 7.2 bug fixing
4.  improve reports

**1.7**

1.  Fixing undefined offset issue

**1.6**

1.  New feature, user can setup add-ons
2.  wordpress network (multisite support)

**1.5**

1.  Fix Bounce issue

**1.4**

1.  Fix total page views issue

**1.3**

1.  Fix timezone issue

**1.2**

1.  show alert if another stats plugin is enabled

**1.1**

1.  Fix schedule cron job issue

**1.0**

1.  Initial version

CVE-2022-33965: WP Visitor Statistics (Real Time Traffic)

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Users Timeline module.

**OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS****Vulnerability Explanation:**

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Users Timeline module.

**Attack Vectors:**

The attacker must post something on the Users Timeline and insert the XSS payload at the location input in order to exploit the stored XSS. The XSS payload will be launched immediately after submission.

**Affected Component:**

*   http://ip\_address:port/ossn/u/{username}
    
*   POST /ossn/action/wall/post/u?ossn\_ts=1656419317&ossn\_token=580bcf1b98fec62baecd2e15b7c4c03173f59226623258b968a316f893e8cbf1
    

**Payload :**

1.  <img/&#09;&#10;&#11; src=~ onerror=prompt('Grim-The-Ripper-Team-by-SOSECURE-Thailand')>
    
2.  <BODY ONLOAD=alert('Grim-The-Ripper-Team-by-SOSECURE-Thailand')>
    
3.  <img src=x onerror=confirm('Grim-The-Ripper-Team-by-SOSECURE-Thailand')>
    

**Tested on:**

1.  OSSN v6.3 LTS (https://github.com/opensource-socialnetwork/opensource-socialnetwork/releases/tag/6.3)
    
2.  Google Chrome Version 102.0.5005.115 (Official Build) (x86\_64)
    

**Steps to attack:**

1.  Login with username and password. (If you don't have an account, you can register)
2.  Go to "Users Timeline" by clicking on their username in the top left corner.
3.  Enter data in the data entry form.
4.  Click on the location button and enter the XSS payload.
5.  The XSS payload will run immediately.

**Author:**

 Grim The Ripper Team by SOSECURE Thailand

**Medium:**

*   https://grimthereaperteam.medium.com/cve-2022-34961-ossn-6-3-lts-stored-xss-vulnerability-at-users-timeline-819a9d4e5e6c

**Disclosure Timeline:**

*   2022–06–28: Vulnerability discovered.
*   2022–06–28: Vulnerability reported to the MITRE corporation.
*   2022–07–08: CVE has been reserved.
*   2022–07–08: Public disclosure of the vulnerability.

Reference:

1.  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34961
2.  https://www.opensource-socialnetwork.org/
3.  https://github.com/opensource-socialnetwork/opensource-socialnetwork/releases/tag/6.3
4.  https://www.openteknik.com/contact?channel=ossn

CVE-2022-34961: GitHub - bypazs/CVE-2022-34961: OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Users Timeline module.

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the News Feed module.

OSSN - OPEN SOURCE SOCIAL NETWORK v6.3 LTS

*   \[E\] Allow all callables for extend view #2024
*   \[E\] avoiding unnecessary handling of extra space at comment start #2029
*   \[B\] skip friend access check if page visitor is not logged in #2037
*   \[B\] User can not comment on friend only, own album photo #2039
*   \[B\] OssnSounds missing the button for sound on/off #2032
*   \[E\] Make sure addUser also run isEmail validation #2022
*   \[E\] Multiple select (html) handler #2040
*   \[B\] jqueryui-datepicker fails on Google translated pages #2036
*   \[B\] ossn\_delete\_relationship recursive not working #2035
*   \[E\] add a new function ossn\_get\_relation\_by\_id() #2034
*   \[B\] UI add friend success text goes wrong position #2027
*   \[E\] update version and pre-requisite OssnEmbed #2045
*   \[B\] fixed unallowed
    
    inside paragraph again #2044
    
*   \[E\] load css for video in #2043
*   \[E\] make video visible in #2042
*   \[E\] Add provided by giphy footer or banner #2049
*   \[E\] Correction of term 'miinutos' to 'minutos' #2048
*   \[E\] CLI + cron library and documentation on community #2050
*   \[B\] fixed calling unavailable/mistyped function #2051
*   \[E\] OssnMail 'email', 'send:policy' 3rd parameter #2052
*   \[E\] \[E\] optimized getMyGroups() #2071
*   \[E\] optimized OssnGroup::isMember() #2070
*   \[E\] optimized OssnGroup::getMembersRequests() #2069
*   \[E\] optimized group join-requests counter #2067
*   \[E\] PHP8 prevent bool->guid warnings #2058
*   \[B\] fixed missing error handler for not existing subpages #2055
*   \[E\] Add confirmation before deleting photos #2073
*   \[E\] Enhance group menu entries in sidebar #2072
*   \[B\] PHP8 If deleted comments tried to be deleted again #2057
*   \[B\] OssnNotification if poster and owner is same participants hook never run #2053
*   \[B\] Fix the like:object view menu type introduced in #1868 #2081
*   \[E\] Replace translation PT #2079 #2075
*   \[E\] Improve mod\_rewrite CURL functionality #2078
*   \[B\] fixed use of undefined variable $object #2084
*   \[E\] Some small locale fixes. #2087
*   \[B\] PHP Warning: preg\_match(): Compilation failed (#2018). #2086
*   \[B\] fix creating incomplete wall entities if addPhoto() fails #2088
*   \[B\] prevent warning if $fields is false #2137 #2136 #2135
*   \[E\] Update PHP version to minimum 8 #2061
*   \[B\] Comment Static photo should have only filename no fullpath #2090
*   \[B\] No notification to participants if someone comments on profile photo , cover, album photo #2054
*   \[B\] jqueryui-datepicker fails on Google translated pages #2036
*   \[E\] Removal of old upgrade scripts #2085
*   \[E\] Enhance OssnFile and Include CDN option #2089
*   \[E\] fixed different 'readonly' colors #2134
*   \[B\] missing check if member has a cover image #2093
*   \[E\] some installation warnings #2018
*   \[E\] don't list unvalidated members #2144
*   \[B\] Multiple clicks on same action add member multiple times in group #2147
*   \[B\] col-xs not anymore with BS5 #2017
*   \[E\] Remove php5 apache config and update post and upload sizes #2033
*   \[E\] Stop rewriting .htaccess every time page loads during installation #2091
*   \[B\] Deleting a group should remove group:joinrequest records #2066
*   \[E\] Enable linkifying of Entity comments #2080
*   \[B\] wrong class extending in all input plugins #2146
*   \[E\] Ossn::File MaxSize() add UploadMaxSize #2148
*   \[B\] getting orphan notification records of type comments:post:group:wall #2060
*   \[E\] isModerator (for groups) in comments section also. #2025
*   \[E\] Added OssnJWT class based on firebase/JWT
*   \[E\] Updated cacert.pem
*   \[E\] Updated PHP MAILER to 6.6.0
*   \[B\] Pagination not responsive #2150
*   \[E\] Show components in admin panel in ASC order of their installation #2155
*   \[E\] Component delete confirmation if wanted to keep settings. #2152
*   \[T\] OssnUser::getFriends() #2149
*   \[B\] Pagination not responsive #2150
*   \[B\] btn-sm have no effect #2153
*   \[B\] missing checkbox-block span style #2145
*   \[B\] Non logged in visitor can view private posts #2158
*   \[B\] OssnChat default value showing 0 in class #2163
*   \[E\] Request for new user image classes defining the shape only #2143
*   \[B\] Post background not breaking if str > 125 chars #2164
*   \[B\] deleting profile photo gives error on iconURL() #2166
*   \[B\] deleting profile cover gives error on coverURL() #2166

Special Thanks to Michael Zülsdorff (aka Zetman) (https://www.opensource-socialnetwork.org/u/zetman) for testing and bug reporting, fixing.

CVE-2022-34963: Release OSSN 6.3 LTS · opensource-socialnetwork/opensource-socialnetwork

The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.

**Description**

The time parameter in fava is vulnerable to reflected XSS

**Proof of Concept**

1.  1.Open the web browser to access the fava webpage.
2.  2.Access the url: https://fava.pythonanywhere.com/example-beancount-file/income_statement/?time=%22%3E%3Cbutton+onclick%3Dalert%281%29%3EClICK+ME%3C%2Fbutton%3E Script will be reflected in on clicking the button.
3.  3.when the victim clicks on the button -> Alert box will pop up

**Image**

https://drive.google.com/file/d/1PJ\_kKyn5KrHbzplApD-rfhuwSbtsCTvS/view?usp=sharing

**Impact**

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

+Perform any action within the application that the user can perform.

+View any information that the user is able to view.

+Modify any information that the user is able to modify.

Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. There are various means by which an attacker might induce a victim user to make a request that they control, to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows content to be generated, or by sending a link in an email, tweet or other message

CVE-2022-2514: Cross-site Scripting (XSS) - Reflected in fava

Use after free in storage in Google Chrome prior to 100.0.4896.88 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.

Tag

#google