An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.

**Security Announcements**

**\[20221101\] - Core - RXSS through reflection of user input in com\_media**

*   **Project:** Joomla!
*   **SubProject:** CMS
*   **Impact:** Low
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 4.0.0-4.2.4
*   **Exploit type:** Reflexted XSS
*   **Reported Date:** 2022-10-28
*   **Fixed Date:** 2022-11-08
*   **CVE Number:** CVE-2022-27914

**Description**

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com\_media..

**Affected Installs**

Joomla! CMS versions 4.0.0-4.2.4

**Solution**

Upgrade to version 4.2.5

**Contact**

The JSST at the Joomla! Security Centre.

**Reported By:** https://github.com/Denitz

*

CVE-2022-27914: Joomla! Developer Network

Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change.

CVE-2022-40223: Changelog (v4) - SearchWP

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.

CVE-2022-43491: Advanced Dynamic Pricing for WooCommerce

Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress.

CVE-2022-42494: AIOSEO Changelog - AIOSEO

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

CVE-2022-40206: wpForo Forum

Microsoft released its monthly security update on Tuesday, disclosing 62 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical” and the rest are classified as “Important.”

Tuesday, November 8, 2022 13:11

  
Microsoft released its monthly security update on Tuesday, disclosing 62 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical” and the rest are classified as “Important.”  

Three of the critical entries are remote code execution (RCE) vulnerabilities for Windows Point-to-Point Tunneling Protocol (PPTP).  

*   CVE-2022-41039
*   CVE-2022-41044
*   CVE-2022-41088  
    

An unauthenticated attacker can send a specially crafted request to an RAS (Remote Access Server), which may lead to remote code execution. Although according to Microsoft, these three vulnerabilities are less likely to be exploited, as the attacker must win a complex race condition. In August of 2022’s Patch Tuesday release, several vulnerabilities for Windows PPTP were also disclosed.  

Another notable vulnerability in this release is CVE-2022-41118, a remote code execution vulnerability for both the JScript9 and Chakra scripting languages. While exploiting this vulnerability requires that the attacker win a race condition, Microsoft has determined that exploitation is more likely. Successful exploitation of CVE-2022-41118 requires that the attacker convince the victim to visit a malicious server share or website. This requirement can likely be met by phishing emails or another form of social engineering.  

Two of the entries listed as critical are privilege escalation vulnerabilities in Windows Kerberos. Microsoft has determined that exploitation of both is more likely.  

*   CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege
*   CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability  
    

CVE-2022-37966 is a privilege escalation vulnerability in Windows Kerberos, where an unauthenticated attacker may be able to leverage vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass constrained delegation security features in a Windows AD environment. The attack complexity has been labeled as “High.”  

CVE-2022-37967 is another privilege escalation vulnerability in Windows Kerberos, where an authenticated attacker could leverage cryptographic protocol vulnerabilities in the Windows Kerberos AES-SHA1 cipher suite. If an attacker is successful in gaining control over the service  that is allowed for delegation, they can modify Kerberos PAC to elevate their privileges. In contrast to CVE-2022-37966, the attack complexity is considered “Low.”  

Also listed in this release is CVE-2022-38015, a Windows Hyper-V denial of service vulnerability. This affects Windows 10 and 11 hosts, as well as Windows Server 2016 and 2022. While the attack complexity is listed as “Low,” Microsoft considers successful exploitation as “Less Likely.”  

The last critical disclosure is CVE-2022-41080, a Microsoft Exchange Server elevation of privilege vulnerability, which has a low attack complexity and successful exploitation is considered “More Likely.” CVE-2022-41080 affects Microsoft Exchange Server versions listed below:  

*   Microsoft Exchange Server 2013 Cumulative Update 23
*   Microsoft Exchange Server 2016 Cumulative Update 22
*   Microsoft Exchange Server 2016 Cumulative Update 23
*   Microsoft Exchange Server 2019 Cumulative Update 11
*   Microsoft Exchange Server 2019 Cumulative Update 12  
    

Talos would also like to highlight three “Important” vulnerabilities as Microsoft has listed them as being successfully exploited in the wild:  

*   CVE-2022-41091 - Windows Mark of the Web Security Feature Bypass Vulnerability
*   CVE-2022-41073 - Windows Print Spooler Elevation of Privilege Vulnerability
*   CVE-2022-41125 - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability  
    

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60815-60816, 60818-60819, 60820-60821, 60822-60823, 60831-60832, 60833-60834. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300309, 300310, 300311, 300312, 300315, 300316.

Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities

### Impact

Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it was possible to partially bypass the `fs` scope definition. It was not possible to traverse into arbitrary paths, as the issue was limited to neighboring files and sub folders of already allowed paths.

The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters.

On Linux or MacOS based systems it was possible to use the `*`, `**` and `[a-Z]` patterns inside a path, which allowed to read the content of sub directories and single character files in a folder, where only specific files or the directory itself were allowed.

On Windows `[a-Z]` was the possible bypass pattern, as `*` is not treated as a valid path component. This implies that only single character files inside an already allowed directory were unintentionally accessible.

This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime.

A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. This means the issue by itself can not be abused and requires further intentional or unintentional privileges.

### Workaround

Disable the `dialog` and `fileDropEnabled` component inside the `tauri.conf.json`.

### Patches

The issue has been resolved in #5237 and the implementation now properly escapes the special characters. The patch has been included in releases: `1.0.7`, `1.1.2` and `1.2.0`

### For more information

This issue was initially reported by MessyComposer in #5234.

If you have any questions or comments about this advisory:

Open an issue in tauri
Email us at security@tauri.app

**Impact**

Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it was possible to partially bypass the fs scope definition. It was not possible to traverse into arbitrary paths, as the issue was limited to neighboring files and sub folders of already allowed paths.

The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters.

On Linux or MacOS based systems it was possible to use the *, ** and [a-Z] patterns inside a path, which allowed to read the content of sub directories and single character files in a folder, where only specific files or the directory itself were allowed.

On Windows [a-Z] was the possible bypass pattern, as * is not treated as a valid path component. This implies that only single character files inside an already allowed directory were unintentionally accessible.

This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime.

A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. This means the issue by itself can not be abused and requires further intentional or unintentional privileges.

**Workaround**

Disable the dialog and fileDropEnabled component inside the tauri.conf.json.

**Patches**

The issue has been resolved in #5237 and the implementation now properly escapes the special characters. The patch has been included in releases: 1.0.7, 1.1.2 and 1.2.0

**For more information**

This issue was initially reported by MessyComposer in #5234.

If you have any questions or comments about this advisory:

Open an issue in tauri  
Email us at security@tauri.app

**References**

*   GHSA-q9wv-22m9-vhqh
*   tauri-apps/tauri#5234
*   tauri-apps/tauri#5237

GHSA-q9wv-22m9-vhqh: Tauri Filesystem Scope can be Partially Bypassed

Rapid remedy follows reawakening of long-dormant bug threat

Rapid remedy follows reawakening of long-dormant bug threat

A critical vulnerability arising from improper input validation has been addressed in XMLDOM, the JavaScript implementation of W3C DOM for Node.js, Rhino, and browsers.

The flawed behavior was seemingly first flagged as potentially in need of remedy in 2016. But it was only with the recent discovery of an authentication bypass in Passport-SAML, the SAML 2.0 authentication provider for Node.js library Passport, that XMLDOM maintainers tackled the root cause of the problem.

“Xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing,” an XMLDOM advisory published on November 1 explained.

**Breaking the assumption**

“This breaks the assumption that there is only a single root node in the tree,” it continues, and poses “a potential issue for dependents”.

The bug was assigned CVE-2022-39353 and a severity rating of CVSS 9.4 by GitHub CVE Numbering Authority, later uprated in severity to CVSS 9.8 by the NIST National Vulnerability Database.

XMLDOM is widely used, with NPM detecting 2.8 million weekly downloads (albeit caveats apply regarding the accuracy of download counts).

DON’T MISS Gatsby patches SSRF, XSS bugs in Cloud Image CDN

Kurt Boberg, a maintainer on the project, told The Daily Swig: “Any security-critical workflow that accepts partial signatures on XML and reads a child node is likely affected by this issue.

“The core problem is that you can supply two XML documents to a request (one valid, one forged) and as long as the validator accepts the legitimate one, a property read via xmldom can potentially read a node value out of the forged document.”

**Passport-SAML bypass**

Passport-SAML, which has 167,000 weekly NPM downloads, mishandled cryptographic signature verification because of the XMLDOM flaw. Tracked as CVE-2022-39299, the high severity Passport-SAML issue potentially enabled an attacker “to bypass SAML authentication on a website using passport-saml,” The CVE description said.

“A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.”

The bug, assigned a severity score of CVSS 8.1, was patched on October 11.

**‘Worst possible outcome’**

Asked what other damage an attacker might potentially cause downstream of the XMLDOM bug, Boberg said it “really depends on the expectations around the XML parsing. The aforementioned SAML issue is pretty much the worst possible outcome.

Read more of the latest cybersecurity vulnerability news

“It really hinges on the parsing application making a security decision based on XML input from the user that it expects to be signed. It’s like stapling an additional page to a notarized document, and passing it through a verification process that only checks if the first page is notarized.”

He added: “The downstream impact depends entirely on what the legitimate document would let you do.”

**Path to a patch**

The related GitHub bug thread began in 2016, when an XMLDOM maintainer said the issue “appears to me to be a violation of the W3C DOM Level 2 Core Specification”.

Speculating that the flaw “might be a ‘false-positive’ bug”, he suggested “there is some utility in being able to parse multiple documents in a single stream, if the API can be re-tooled just a bit”. He also described doing so “silently without issuing even so much as a warning to consumers” as “odd”.

The thread then remained dormant until the emergence of the Passport-SAML vulnerability and its root cause quickly became apparent, prompting the rapid deployment of patches within @xmldom/xmldom NPM versions 0.7.7, 0.8.4, and 0.9.0-beta.4, together with mitigations, fix details, and advice to developers to align with the specs to avoid code breakage.

YOU MIGHT ALSO LIKE OpenSSL vulnerability downgraded to ‘high’ severity

Passport-SAML auth bypass triggers fix of critical, upstream XMLDOM bug

Red Hat Security Advisory 2022-7457-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include information leakage and memory exhaustion vulnerabilities.

Red Hat Security Advisory 2022-7457-01

Red Hat Security Advisory 2022-7645-01 - OpenJPEG is an open source library for reading and writing image files in JPEG2000 format.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: openjpeg2 security update  
Advisory ID:       RHSA-2022:7645-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7645  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-1122  
====================================================================  
1. Summary:

An update for openjpeg2 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

OpenJPEG is an open source library for reading and writing image files in  
JPEG2000 format.

Security Fix(es):

* openjpeg: segmentation fault in opj2_decompress due to uninitialized  
pointer (CVE-2022-1122)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2067052 - CVE-2022-1122 openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
openjpeg2-2.4.0-5.el8.src.rpm

aarch64:  
openjpeg2-2.4.0-5.el8.aarch64.rpm  
openjpeg2-debuginfo-2.4.0-5.el8.aarch64.rpm  
openjpeg2-debugsource-2.4.0-5.el8.aarch64.rpm  
openjpeg2-tools-2.4.0-5.el8.aarch64.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.aarch64.rpm

noarch:  
openjpeg2-devel-docs-2.4.0-5.el8.noarch.rpm

ppc64le:  
openjpeg2-2.4.0-5.el8.ppc64le.rpm  
openjpeg2-debuginfo-2.4.0-5.el8.ppc64le.rpm  
openjpeg2-debugsource-2.4.0-5.el8.ppc64le.rpm  
openjpeg2-tools-2.4.0-5.el8.ppc64le.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.ppc64le.rpm

s390x:  
openjpeg2-2.4.0-5.el8.s390x.rpm  
openjpeg2-debuginfo-2.4.0-5.el8.s390x.rpm  
openjpeg2-debugsource-2.4.0-5.el8.s390x.rpm  
openjpeg2-tools-2.4.0-5.el8.s390x.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.s390x.rpm

x86_64:  
openjpeg2-2.4.0-5.el8.i686.rpm  
openjpeg2-2.4.0-5.el8.x86_64.rpm  
openjpeg2-debuginfo-2.4.0-5.el8.i686.rpm  
openjpeg2-debuginfo-2.4.0-5.el8.x86_64.rpm  
openjpeg2-debugsource-2.4.0-5.el8.i686.rpm  
openjpeg2-debugsource-2.4.0-5.el8.x86_64.rpm  
openjpeg2-tools-2.4.0-5.el8.x86_64.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.i686.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
openjpeg2-debuginfo-2.4.0-5.el8.aarch64.rpm  
openjpeg2-debugsource-2.4.0-5.el8.aarch64.rpm  
openjpeg2-devel-2.4.0-5.el8.aarch64.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.aarch64.rpm

ppc64le:  
openjpeg2-debuginfo-2.4.0-5.el8.ppc64le.rpm  
openjpeg2-debugsource-2.4.0-5.el8.ppc64le.rpm  
openjpeg2-devel-2.4.0-5.el8.ppc64le.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.ppc64le.rpm

s390x:  
openjpeg2-debuginfo-2.4.0-5.el8.s390x.rpm  
openjpeg2-debugsource-2.4.0-5.el8.s390x.rpm  
openjpeg2-devel-2.4.0-5.el8.s390x.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.s390x.rpm

x86_64:  
openjpeg2-debuginfo-2.4.0-5.el8.i686.rpm  
openjpeg2-debuginfo-2.4.0-5.el8.x86_64.rpm  
openjpeg2-debugsource-2.4.0-5.el8.i686.rpm  
openjpeg2-debugsource-2.4.0-5.el8.x86_64.rpm  
openjpeg2-devel-2.4.0-5.el8.i686.rpm  
openjpeg2-devel-2.4.0-5.el8.x86_64.rpm  
openjpeg2-tools-2.4.0-5.el8.i686.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.i686.rpm  
openjpeg2-tools-debuginfo-2.4.0-5.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1122  
https://access.redhat.com/security/updates/classification/#low  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSWNzjgjWX9erEAQg6GhAAiOBUk8qXJuDlt6tD7lrGqBFWfDTN5jTR  
dSzKPRnp3ctiwIn8hbe8UsXapg7+NB4f1zS2+bsjvBvqbES6xctG3gKdY9jPAB/e  
jWkWzhsfHCHpOrkDxCenU8RDQQ7XdMYKn2KTypVUhSLKn7jktbaUQMCH1cUbzvaI  
1z0qXSdHvsMG+1vVzhhh4ZWSPL4gTI9r6+ndYbLRIEJAPApoKuDkI6Z+OqkiZsaR  
2pssPowTJmPHb/72/ojSPQ6sQ07Gyjz0POG07SPFah2PM4F1p+Haa3kARgcthdPr  
vDjqTLeeg4dlq5ohEfr6ki/c6s6Pm6Ziz3+QIHMVtoXuLdqegKyZZeoywOo7Xihf  
A4gXAajdB1X3W+ClWVcPTvZVGFaIGbVSFjfLPLtYGfEdTx80/7QkVWoDwuaP+KD9  
E5JZ7yVTCkwTbikIs8Aen4JQQa5ieUCoWbDSLPq0wtgva7S8dFQ7R7XvkiBYVTAX  
DOpVa5cMQ9B7zdmg1lB/n0zjXqYGIxovhA4ydZRxV94w1f7MW0Z6iak60OrBdyZ7  
nk1YZM4sikPMVTGAOYmY7oSYEeWWnOY3NE9kvQsmEbfB+K6WIgfbCKdPaw6rOJkZ  
lMFa7/btx5yRZEGEklUQqrGgkXHNs9VFQ169eIHb17FdnfD0vcGoIhfvFcjsqkUx  
m/NyIG6kTcM=5Pm+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js