CakePHP 3.4 prior to 3.4.14, 3.5 prior to 3.5.17, and 3.6 prior to 3.6.4 contains a cross-site-scripting (XSS) vulnerability in the development only `missing route` and `duplicate named route` error pages.

**Package**

composer cakephp/cakephp (Composer)

**Affected versions**

\>= 3.4.0, < 3.4.14

\>= 3.5.0, < 3.5.17

\>= 3.6.0, < 3.6.4

**Patched versions**

3.4.14

3.5.17

3.6.4

GHSA-xwhj-pqcg-8rcr: CakePHP vulnerable to Cross-site Scripting in some development error pages

In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-24027: fix: [security] XSS through network history name · MISP/MISP@72c5424

In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.

@@ -636,7 +636,7 @@ class EventGraph {

btn\_plot.data('network-preview', preview);

btn\_plot.popover({

container: 'body',

content: function() { return '<img style="width: 500px; height: 150px;" src="' + $(this).data('network-preview') + '" />'; },

content: function() { return '<img style="width: 500px; height: 150px;" src="' + $('<div>').text($(this).data('network-preview')).html() + '" />'; },

placement: 'right',

trigger: 'hover',

template: '<div class="popover" role="tooltip"><div class="arrow"></div><h3 class="popover-title"></h3><div class="popover-content" style="width: 500px; height: 150px;"></div></div>',

@@ -2002,7 +2002,7 @@ function reset\_graph\_history() {

btn\_plot.data('network-preview', preview);

btn\_plot.popover({

container: 'body',

content: function() { return '<img style="width: 500px; height: 150px;" src="' + $(this).data('network-preview') + '" />'; },

content: function() { return '<img style="width: 500px; height: 150px;" src="' + $('<div>').text($(this).data('network-preview')).html() + '" />'; },

placement: 'right',

trigger: 'hover',

template: '<div class="popover" role="tooltip"><div class="arrow"></div><h3 class="popover-title"></h3><div class="popover-content" style="width: 500px; height: 150px;"></div></div>',

CVE-2023-24026: fix: [security] XSS in eventgraph preview payload · MISP/MISP@a46f794

The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the 'ID' parameter of its 'lwp_forgot_password' action.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2023-3

CVSSv3 Base / Temporal Score

CVSSv3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products

Quick Event Manager WordPress Plugin

Login with Phone Number WordPress Plugin

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-23492: Cross-Site Scripting vulnerabilities in Multiple WordPress Plugins

Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the writer parameter.

50 XSS vulnerabilities.

Different sources that saved in the database in this project.

// In file application/models/M\_book.php
$object\=array(
      'book\_title'\=>$this\->input\->post('book\_title'),
      'year'\=>$this\->input\->post('year'),
      'price'\=>$this\->input\->post('price'),
      'category\_code'\=>$this\->input\->post('category'),
      'publisher'\=>$this\->input\->post('publisher'),
      'writer'\=>$this\->input\->post('writer'),
      'stock'\=>$this\->input\->post('stock')
    );
return $this\->db\->insert('book', $object);

// In file application/models/M\_transaction.php
$object\=array(
    'user\_code'\=>$this\->input\->post('user\_code'),
    'buyer\_name'\=>$this\->input\->post('buyer\_name'),
    'tgl' => date('Y-m-d'),
    'total'\=>$this\->input\->post('total'),
    'bookname'\=>$this\->input\->post('bookname'),
    'book\_qty'\=>$this\->input\->post('book\_qty'),
  );
$this\->db\->insert('transaction', $object);

These sources will pass from the database to the view files.

// In file application/views/v\_book.php
<td><?=$book\->book\_title?></td\>
<td\><?=$book\->year?></td\>
<td\><?=$book\->category\_name?></td\>
<td\><?=$book\->publisher?></td\>
<td\><?=$book\->writer?></td\>
<td\><?=$book\->stock?></td\>

// In file application/views/v\_transaction.php
<td\><?=$book\->book\_title?></td\>
<td\><?=$book\->category\_name?></td\>
<td class\="text-right"\>$<?=$book\->price?></td\>
<td class\="text-right"\><?=$book\->stock?></td\>
                                                      
<?php foreach ($transaction as $transaction): ?>
<option class\="text-dark" value\="<?=$transaction\->user\_code?>"\><?=$transaction\->fullname?></option\>
<?php endforeach ?>

CVE-2023-23024: XSS in Book Store

Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php.

Link: https://github.com/kalkun-sms/Kalkun

XSS vulnerability with the user name.

We see that the username will be setted in the DB without sanitization in file Kalkun-devel\\application\\models\\User\_model.php

$this\->db\->set('username', trim($this\->input\->post('username')));

Then the username retrieved from the DB and set in the session then redirect to 'kalkun' in file Kalkun-devel\\application\\models\\Kalkun\_model.php

function login(){
  $username = $this\->input\->post('username');
  $this\->db\->from('user');
  $this\->db\->where('username', $username);
  $query = $this\->db\->get();
  
  if ($query\->num\_rows() === 1 && password\_verify($this\->input\->post('password'), $query\->row('password')))
  {
	  //..
	  $this\->session\->set\_userdata('username', $query\->row('username'));
         //...
  }
  if ($this\->input\->post('r\_url'))
  {
  redirect($this\->input\->post('r\_url'));
  }
  else
  {
  redirect('kalkun');
  }
}

In file Kalkun-devel\\application\\controllers\\Kalkun.php

function index()
{
  //...
  $this\->load\->view('main/layout', $data);
}

In file Kalkun-devel\\application\\views\\main\\layout.php

<?php $this\->load\->view('main/dock');?>

Finally, in file Kalkun-devel\\application\\views\\main\\dock.php

<?php echo $this\->session\->userdata('username');?>

CVE-2023-23015: XSS Kalkun

Cross Site Scripting (XSS) vulnerability in InventorySystem thru commit e08fbbe17902146313501ed0b5feba81d58f455c (on Apr 23, 2021) via edit_store_name and edit_active inputs in file InventorySystem.php.

Hello,

I would like to report for possible XSS vulnerabilities.

For example,

In file InventorySystem-master\\application\\controllers\\Stores.php in update function

$data = array(
	'name' => $this\->input\->post('edit\_store\_name'),
	'active' => $this\->input\->post('edit\_active'),	
);

$update = $this\->model\_stores\->update($data, $id);

In file InventorySystem-master\\application\\models\\Model\_stores.php

public function update($data, $id){
  if($data && $id) {
	  $this\->db\->where('id', $id);
	  $update = $this\->db\->update('stores', $data);
	  return ($update == true) ? true : false;
  }
}

Then In file InventorySystem-master\\application\\controllers\\Stores.php

public function fetchStoresDataById($id) {
  if($id) {
	  $data = $this\->model\_stores\->getStoresData($id);
	  echo json\_encode($data);
  }
}

In file InventorySystem-master\\application\\models\\Model\_stores.php

public function getStoresData($id = null){
  if($id) {
	  $sql = "SELECT \* FROM \`stores\` where id = ?";
	  $query = $this\->db\->query($sql, array($id));
	  return $query\->row\_array();
  }
  
  $sql = "SELECT \* FROM \`stores\`";
  $query = $this\->db\->query($sql);
  return $query\->result\_array();
}

CVE-2023-23014: Possible XSS vulnerabilities · Issue #23 · ronknight/InventorySystem

Cross Site Scripting (XSS) vulnerability in craigrodway classroombookings 2.6.4 allows attackers to execute arbitrary code or other unspecified impacts via the input bgcol in file Weeks.php.

Link: https://github.com/craigrodway/classroombookings

XSS vulnerability.

In file classroombookings-master\\application\\controllers\\Weeks.php in function save\_week

the input 'bgcol' will be saved in the DB and passed to the view when it will be printed without sanitization.

$data = array(
	'name' => $this\->input\->post('name'),
	'bgcol' => $this\->input\->post('bgcol'),
);
if ($week\_id = $this\->weeks\_model\->insert($data)) {
//...
}

In file classroombookings-master\\application\\models\\Weeks\_model.php

public function insert($data){
  $data = $this\->sleep\_values($data);
  
  $insert = $this\->db\->insert($this\->table, $data);
  
  return $insert ? $this\->db\->insert\_id() : FALSE;
}

In file classroombookings-master\\application\\controllers\\Weeks.php in function save\_week

public function index(){
  $this\->data\['weeks'\] = $this\->weeks\_model\->get\_all();
  $this\->data\['title'\] = $this\->data\['showtitle'\] = 'Timetable Weeks';
  
  $body = $this\->load\->view('weeks/index', $this\->data, TRUE);
  
  $this\->data\['body'\] = $body;
  
  return $this\->render();
}

In file classroombookings-master\\application\\models\\Weeks\_model.php

public function get\_all(){
  $query = $this\->db\->from($this\->table)
	  ->order\_by('name', 'ASC')
	  ->get();
  
  if ($query\->num\_rows() > 0) {
	  $result = $query\->result();
	  //..
	  return $result;
  }
}

The In file C:\\transfer\_projects\\classroombooking\\classroombookings-master\\application\\views\\weeks\\index.php

<?php
foreach ($weeks as $week) {
//...
	$dot = week\_dot($week);
  echo "<td style='text-align:center'>{$dot}</td>";
//...
}
?>

In file classroombookings-master\\application\\helpers\\week\_helper.php

function week\_dot($week, $size = 'md')
{
	$col = $week\->bgcol;
	$col = str\_replace('#', '', $col);
	$col = '#' . $col;

	$out = "<span class='dot dot-week dot-size-{$size}' style='background-color:{$col}'></span>";
	return $out;
}

CVE-2023-23012: XSS in classroombookings

Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Bootstrap thru commit d5904379ca55014c5df34c67deda982c73dc7fe5 (on Dec 27, 2022), allows attackers to execute arbitrary code via the languages and trans_load parameters in file add_product.php.

@@ -18,37 +18,37 @@ <div class\="form-group available-translations"\> <b\>Languages</b\> <?php foreach ($languages as $language) { ?> <button type\="button" data-locale-change\="<?= $language\->abbr ?>" class\="btn btn-default locale-change text-uppercase <?= $language\->abbr == MY\_DEFAULT\_LANGUAGE\_ABBR ? 'active' : '' ?>"\> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\=""\> <?= $language\->abbr ?> <button type\="button" data-locale-change\="<?= htmlspecialchars($language\->abbr) ?>" class\="btn btn-default locale-change text-uppercase <?= $language\->abbr == MY\_DEFAULT\_LANGUAGE\_ABBR ? 'active' : '' ?>"\> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\=""\> <?= htmlspecialchars($language\->abbr) ?> </button\> <?php } ?> </div\> <?php $i = 0; foreach ($languages as $language) { ?> <div class\="locale-container locale-container-<?= $language\->abbr ?>" <?= $language\->abbr == MY\_DEFAULT\_LANGUAGE\_ABBR ? 'style="display:block;"' : '' ?>\> <input type\="hidden" name\="translations\[\]" value\="<?= $language\->abbr ?>"\> <div class\="locale-container locale-container-<?= htmlspecialchars($language\->abbr) ?>" <?= $language\->abbr == MY\_DEFAULT\_LANGUAGE\_ABBR ? 'style="display:block;"' : '' ?>\> <input type\="hidden" name\="translations\[\]" value\="<?= htmlspecialchars($language\->abbr) ?>"\> <div class\="form-group"\> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\="<?= $language\->name ?>" class\="language"\> <input type\="text" name\="title\[\]" placeholder\="<?= lang('vendor\_product\_name') ?>" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['title'\]) ? $trans\_load\[$language\->abbr\]\['title'\] : '' ?>" class\="form-control"\> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\="<?= htmlspecialchars($language\->name) ?>" class\="language"\> <input type\="text" name\="title\[\]" placeholder\="<?= lang('vendor\_product\_name') ?>" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['title'\]) ? htmlentities($trans\_load\[$language\->abbr\]\['title'\], ENT\_QUOTES, 'UTF-8') : '' ?>" class\="form-control"\> </div\> <label\><?= lang('vendor\_product\_description') ?> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\="<?= $language\->name ?>"\></label\> <label\><?= lang('vendor\_product\_description') ?> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\="<?= htmlspecialchars($language\->name) ?>"\></label\> <div class\="form-group"\> <textarea class\="form-control" name\="description\[\]" id\="description<?= $i ?>"\><?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['description'\]) ? $trans\_load\[$language\->abbr\]\['description'\] : '' ?></textarea\> <textarea class\="form-control" name\="description\[\]" id\="description<?= $i ?>"\><?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['description'\]) ? htmlentities($trans\_load\[$language\->abbr\]\['description'\], ENT\_QUOTES, 'UTF-8') : '' ?></textarea\> </div\> <script\> CKEDITOR.replace('description<?= $i ?>'); CKEDITOR.config.entities \= false; </script\> <div class\="form-group"\> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\="" class\="language"\> <input type\="text" name\="price\[\]" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['price'\]) ? $trans\_load\[$language\->abbr\]\['price'\] : '' ?>" placeholder\="<?= lang('vendor\_price') ?>" class\="form-control"\> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\="" class\="language"\> <input type\="text" name\="price\[\]" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['price'\]) ? htmlentities($trans\_load\[$language\->abbr\]\['price'\], ENT\_QUOTES, 'UTF-8') : '' ?>" placeholder\="<?= lang('vendor\_price') ?>" class\="form-control"\> </div\> <div class\="form-group"\> <img src\="<?= base\_url('attachments/lang\_flags/' . $language\->flag) ?>" alt\="" class\="language"\> <input type\="text" name\="old\_price\[\]" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['old\_price'\]) ? $trans\_load\[$language\->abbr\]\['old\_price'\] : '' ?>" placeholder\="<?= lang('vendor\_old\_price') ?>" class\="form-control"\> <img src\="<?= base\_url('attachments/lang\_flags/' . htmlspecialchars($language\->flag)) ?>" alt\="" class\="language"\> <input type\="text" name\="old\_price\[\]" value\="<?= $trans\_load != null && isset($trans\_load\[$language\->abbr\]\['old\_price'\]) ? htmlentities($trans\_load\[$language\->abbr\]\['old\_price'\], ENT\_QUOTES, 'UTF-8') : '' ?>" placeholder\="<?= lang('vendor\_old\_price') ?>" class\="form-control"\> </div\> </div\> <?php

CVE-2023-23010: xss fixes · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d590437

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

Release date: January 18, 2023

These release notes describe the new features, improvements, and fixed issues in Database Performance Analyzer 2023.1. They also provide information about upgrades and describe workarounds for known issues.

**Learn more**

*   For information on the latest hotfixes, see DPA hotfixes.
*   For release notes for previous DPA versions, see Previous Version documentation.
*   For information about requirements, see DPA system requirements.
*   For information about working with DPA, see the DPA Administrator Guide.

**New features and improvements in DPA**

Return to top

DPA 2023.1 offers new features and improvements compared to previous releases of DPA.

**Improvements to importing alerts, rules, and custom properties**

DPA 2022.4 introduced the ability to export the alerts, rules, and custom properties that are configured on one DPA server and import them to another server. DPA 2023.1 improves the import functionality in the following ways:

*   You can specify which entities to import. The import wizard displays a list of the alerts, rules, and custom properties to be imported. Clear the checkbox next to any entity you don't want to import.
    
*   You can choose to overwrite existing entities with the same name. If you overwrite an entity, the existing entity is replaced by the imported entity.
    

**Additions to systems requirements and monitored instances**

 

Category

Vender and version

Repository database

Microsoft SQL Server 2022, Windows or Linux

Monitored database instances

Microsoft SQL Server 2022, Windows or Linux

VMware

VMware vCenter Server 7.0

VMware ESX/ESXi Host 7.0

For more information, see the DPA 2023.1 system requirements and Database instances DPA can monitor.

**Fixed issues in DPA 2023.1**

Return to top

DPA 2023.1 fixes the following issues.

 

Case number

Description

01144021, 01233510, 01234275

In deployments with an Oracle repository that monitor Oracle database instances, index analysis runs successfully. Logs no longer include the error message Unable to run index analysis.

01080326, 01129290, 01234534, 01236488

Files in the /tomcat/logs/ directory, such as catalina.out, stderr.log, and catalina._YYYY-MM-DD_.log, no longer grow quickly and consume a large amount of space.

00978208, 01076887

Collecting a large number of metrics (for example, because you have configured many custom metrics), can sometimes cause DPA monitoring to stop periodically. DPA 2023.1 includes metrics setting in the system.properties files that can be adjusted to avoid this issue. For information on adjusting these properties, see Scale DPA for the number of databases being monitored and the number of custom metrics.

00560405, 00850966, 01061361, 01128672

In previous versions, when DPA was installed on Windows the installer ran a VBS script to create the Windows service. If an organization had a security policy that prevented VBS scripts from running, the service was not created and DPA would not start. To prevent this issue, DPA 2023.1 runs a Powershell script instead of a VBS script.

**SolarWinds CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2022-38110

Reflected Cross-Site Scripting Vulnerability

In DPA 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting.

6.3 Medium

CVE-2022-38112

Sensitive Information Disclosure Vulnerability

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

6.3 Medium

**Notes - BugCrowd**

SolarWinds would like to additionally thank our Bugcrowd community for their continued help in testing our products and keeping them secure

**New customer installation**

Return to top

For information about installing DPA, see the DPA Installation and Upgrade Guide. You can download a free trial from the SolarWinds website.

**Before you upgrade!**

If you are upgrading from DPA 2022.3 and you configured that version for SAML authentication, be aware that 2022.4 and later versions include changes to the SAML configuration. After the upgrade, no one will be able to log in with SAML until you update the configuration.

*   **Before** you upgrade, make sure you have a local login available.
    
*   **After** the upgrade, log in as a local user and complete the steps under SAML configuration changes in the DPA 2022.3 release notes to update the SAML configuration.
    

**How to upgrade**

If you are upgrading from an earlier version, use the following resources to plan and implement your upgrade:

*   Use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade.
*   When you are ready, download the upgrade package from the SolarWinds Customer Portal.

**Known issues**

Return to top

 

Importing an alert definition without the associated database assignment rule

**Issue**

In some situations, the log file shows the status of an imported alert definition as both Imported and Failed. This occurs when the alert definition uses a database assignment rule, but the rule was not imported and did not already exist on the server.

The two statuses indicate that the alert definition was imported but the attempt to associate the database assignment rule failed.

**Resolution or Workaround**

When you import an alert definition that uses a database assignment rule, either import the rule or ensure that it already exists on the server.

If you imported an alert definition and the associated rule is missing, you must edit the alert definition to specify the database instances. (You can specify instances by manually selecting them or by applying a rule.)

 

REST API does not work when you access DPA with SAML login credentials

**Issue**

If you access DPA with SAML login credentials and you generate a refresh token, the following message is displayed when you attempt to use that refresh token to access the REST API:

You are not authorized to perform this action. Contact your DPA administrator.

**Resolution or Workaround**

Access DPA with a local login when you generate the refresh token.

 

The database name is not updated for stored procedures

**Issue**

If a stored procedure name includes the name of a database and it is copied to a different database, the database name is not updated. When DPA shows information about the copied stored procedure, the hash is the same as the first and the information appears to be incorrect.

**Resolution or Workaround**

If you experience this issue, complete the following steps:

1.  Run the following command against the DPA repository database (replacing <HashValue> with the stored procedure's hash value):
    
    delete from ignite.CONST_<DBID> where H = '<HashValue>'
    
2.  Restart DPA.

 

Registering an Azure SQL database instance fails when the privileged user is an Azure AD user

**Issue**

When registering an Azure SQL database, if you let DPA create the monitoring user and select an Azure Active Directory (AD) user as the privileged user, registration fails on the last step with the message Connection test to database as monitoring user failed.

**Resolution or Workaround**

Select the option 'I'll create the contained user or login', and follow the instructions to create the monitoring user manually.

 

Adding a distributed AG to a server prevents DPA from monitoring non-distributed AGs on the server

**Issue**

If DPA is monitoring non-distributed SQL Server Availability Groups (AGs) on a server and you add a distributed AG to the server, DPA stops monitoring the non-distributed AGs.

**Resolution or Workaround**

Do not add a distributed AG to the server.

 

Microsoft reports incorrect metric values for SQL Server on Linux

**Issue**

When you monitor a **SQL Server 2017** database instance that runs on a Linux server:

*   The O/S CPU Utilization resource always shows usage at 100%.
*   The Instance CPU Utilization resource always shows usage at 100%.
*   The O/S Memory Utilization resource always shows usage at 0%.

When you monitor a **SQL Server 2019** database instance that runs on a Linux server:

*   The O/S CPU Utilization resource always shows usage at 100%.
*   In some cases, the Instance CPU Utilization resource always shows usage at 100%.

Microsoft reports these values.

**Resolution or Workaround**

Disregard the values that are incorrect on your version of SQL Server. You can also disable the collection of a metric that shows incorrect data.

 

DPA fails to reconnect after losing its connection to a SQL Server instance

**Issue**

When DPA loses its connection to a monitored SQL Server instance (for example, when the DPA server is rebooted), and Windows authentication is used, DPA is sometimes unable to reconnect to the instance. This can happen if DPA attempts to connect before SQL Server has been able to connect to Active Directory. DPA interprets the rejected connection attempt as possibly occuring because the credentials were incorrect. To avoid being locked out of the account, DPA does not keep trying to reconnect. Messages such as the following appear in the logs:

Monitor for database [databaseName] failed to start due to [username and/or password must be updated due to previous login failure; if the credentials have not changed for this database, stop the monitor, wait for the monitor to stop, then start the monitor.].

**Resolution or Workaround**

When the monitored instance is fully initialized, manually restart monitoring. On the DPA home page, click the Action drop-down menu for the instance and select Start Monitor.

**End of life**

Return to top

   

Version

EoL Announcement

EoE Effective Date

EoL Effective Date

DPA 2022.1

**January18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2022.1 or earlier should begin transitioning to the latest version of DPA.

**April18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version2022.1 or earlier will no longer actively be supported by SolarWinds.

**April18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.1 or earlier.

DPA 2021.3

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.3 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.3 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.3 or earlier.

DPA 2021.1

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.1 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.1 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.1 or earlier.

DPA 2020.2

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2020.2 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2020.2 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2020.2 or earlier.

**Deprecation notices**

Return to top

This version of Database Performance Analyzer deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

DPA server OS

Installing DPA on a server with a **Windows Server 2012 R2** operating system is still supported in 2022.4, but support will be removed in an upcoming release.

_The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation_.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

Tag

#xss