VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution.

Advisory ID: VMSA-2022-0021.1

CVSSv3 Range: 4.7-9.8

Issue Date: 2022-08-02

Updated On: 2022-08-09

CVE(s): CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

Synopsis: VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.

Share this page on social media

Sign up for Security Advisories

****1\. Impacted Products****

*   VMware Workspace ONE Access (Access)
*   VMware Workspace ONE Access Connector (Access Connector)
*   VMware Identity Manager (vIDM)
*   VMware Identity Manager Connector (vIDM Connector)
*   VMware vRealize Automation (vRA)
*   VMware Cloud Foundation
*   vRealize Suite Lifecycle Manager

****2\. Introduction****

Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.

****3a. Authentication Bypass Vulnerability (CVE-2022-31656)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

To remediate CVE-2022-31656, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds for CVE-2022-31656 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.

VMware has confirmed malicious code that can exploit CVE-2022-31656 in impacted products is publicly available.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

****3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.

A malicious actor with administrator and network access can trigger a remote code execution. 

To remediate CVE-2022-31658, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

****3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659)****

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.

A malicious actor with administrator and network access can trigger a remote code execution. 

To remediate CVE-2022-31659, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware has confirmed malicious code that can exploit CVE-2022-31659 in impacted products is publicly available.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

****3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local access can escalate privileges to 'root'. 

To remediate CVE-2022-31660 and CVE-2022-31661 apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Spencer McIntyre of Rapid7 for reporting these issues to us.

****3e. Local Privilege Escalation Vulnerability (CVE-2022-31664)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local access can escalate privileges to 'root'. 

To remediate CVE-2022-31664, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley (mr\_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

****3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6.

A malicious actor with administrator and network access can trigger a remote code execution. 

To remediate CVE-2022-31665, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley (mr\_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

****3g. URL Injection Vulnerability (CVE-2022-31657)****

VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain.

To remediate CVE-2022-31657, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Tom Tervoort of Secura for reporting this issue to us.

****3h. Path traversal vulnerability (CVE-2022-31662)****

VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

A malicious actor with network access may be able to access arbitrary files. 

To remediate CVE-2022-31662, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

****3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.

Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject javascript code in the target user's window.

To remediate CVE-2022-31663, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

**Response Matrix - Access 21.08.x**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31658

8.0

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31659

8.0

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31660, CVE-2022-31661

7.8

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31664

7.8

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31665

7.6

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31657

5.9

moderate

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31663

4.7

moderate

KB89096

None

FAQ

**Response Matrix - Identity Manager 3.3.x**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31658

8.0

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31659

8.0

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31660, CVE-2022-31661

7.8

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31664

7.8

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31665

7.6

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31657

5.9

moderate

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31663

4.7

moderate

KB89096

None

FAQ

**Response Matrix - Connectors**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Access Connector

22.05

Windows

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

Access Connector

21.08.0.1, 21.08.0.0

Windows

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

vIDM Connector

3.3.6, 3.3.5, 3.3.4

Windows

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

vIDM Connector

3.3.6, 3.3.5, 3.3.4

Windows

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

vIDM Connector

19.03.0.1

Windows

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

vIDM Connector

19.03.0.1

Windows

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

**Response Matrix - vRealize Automation (vIDM)**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

vRealize Automation \[1\]

8.x

Linux

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31658

8.0

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31659

8.0

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31660, CVE-2022-31661

7.8

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31664

7.8

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31665

7.6

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31657

5.9

moderate

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31663

4.7

moderate

KB89096

None

FAQ

\[1\] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.  
\[2\] vRealize Automation 7.6 is affected since it uses embedded vIDM.

**Impacted Product Suites that Deploy vIDM**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Cloud Foundation (vIDM)

4.4.x, 4.3.x, 4.2.x

Any

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

VMware Cloud Foundation (vIDM)

4.4.x, 4.3.x, 4.2.x

Any

CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663

8.0, 8.0, 7.8, 7.8, 7.8, 7.6, 5.9, 5.3, 4.7

important

KB89096

None

FAQ

vRealize Suite Lifecycle Manager (vIDM)

8.x

Any

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

vRealize Suite Lifecycle Manager (vIDM)

8.x

Any

CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663

8.0, 8.0, 7.8, 7.8, 7.8, 7.6, 5.9, 5.3, 4.7

important

KB89096

None

FAQ

**Impacted Product Suites that Deploy vRA**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2022-31658, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31662, CVE-2022-31663

8.0, 7.8, 7.8, 7.8, 7.6, 5.3, 4.7

important

KB89096

None

FAQ

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2022-31659

N/A

N/A

Unaffected

N/A

N/A

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2022-31657

N/A

N/A

Unaffected

N/A

N/A

****4\. References****

****5\. Change Log****

**2022-08-02: VMSA-2022-0021  
**Initial security advisory.

2022-08-09: VMSA-2022-0021.1

Updated advisory with information that VMware has confirmed malicious code that can exploit CVE-2022-31656 and CVE-2022-31659 in impacted products is publicly available.

****6\. Contact****

CVE-2022-31658: VMSA-2022-0021

In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.

CVE-2020-1691

Researcher bypasses email filter with inspired style tag trickery

Adam Bannister 05 August 2022 at 15:59 UTC

Researcher bypasses email filter with inspired style tag trickery

A cross-site scripting (XSS) vulnerability in AMP for Email, Gmail’s dynamic email feature, has netted a security researcher a $5,000 bug bounty payout.

AMP for Email brings AMP functionality to rich, interactive emails. AMP itself is an open source HTML framework used to optimize websites for web browsing on mobile.

Adi Cohen, who unearthed the security flaw, said he had no problem finding a vector that triggered an XSS within the AMP playground, but found bypassing Gmail’s XSS filter a much tougher assignment.

**Rendering contexts**

The “easiest way to circumvent an XSS filter is by tricking it into a different rendering context than what the browser will actually use to render a given piece of code”, observed Cohen in a blog post.

Since AMP for Email forbids the likes of templates, SVG, math, and CSS, he instead targeted stylesheets as a potential path to an XSS payload with multiple rendering contexts.

RELATED XSS vulnerabilities in Google Cloud, Google Play could lead to account hijacks

This required a discrepancy between how the stylesheet is rendered by the filter and browser, either by “tricking the filter into believing a fake style tag is real”, or “the exact opposite”.

Cohen’s initial vector worked in the sandbox because AMP “leaves the CSS context as soon as it encounters the string ‘’ even if it doesn’t have a closing bracket () or at least a whitespace after it”.

He was then able to “trick the filter into believing we’re back in HTML context, while the browser obviously ignores entirely and stays well within the realm of CSS”.

**</styl> over substance**

But “what looked like a promising vector in AMP, seemed way less interesting after Gmail ran its magic on it,” said Cohen.

A breakthrough came when he harnessed a CSS selector, which ensured the payload was returned unchanged by Gmail – “no escaping or other mutations”.

However, the malicious payload prompted an error after the AMP sandbox encountered ‘’, so Cohen tried , but Gmail’s filter was wise to its resemblance to .

What worked instead was testing a benign payload with an encoded selector – because Gmail decoded it, he could use the selector to inject a closing style tag.

Cohen reported the issue to Google on March 27, 2021, and noticed on July 7 that it had been fixed.

As previously reported by The Daily Swig, Google addressed an unrelated, notable XSS in AMP For Email back in 2019, after security researcher Michał Bentkowski leveraged id attributes in tags to enable ‘DOM clobbering’ attacks.

RELATED Authentication bypass bug in Nextauth.js could allow email account takeover

XSS in Gmail’s AMP For Email earns researcher $5,000

WordPress Testimonial Slider and Showcase plugin version 2.2.6 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in post_title parameter in WordPress Plugin "Testimonial Slider and Showcase" 2.2.6# Date: 05/08/2022# Exploit Author: saitamang , yunaranyancat , amd_syad# Vendor Homepage: wordpress# Software Link: https://wordpress.org/plugins/testimonial-slider-and-showcase/# Version: 2.2.6# Tested on: Centos 7 apache2 + MySQLWordPress Plugin "Testimonial Slider and Showcase" is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Testimonial Slider and Showcase" version 2.2.6 is vulnerable; prior versions may also be affected.Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the postpayload --> test"/><img/src=""/onerror=alert(document.cookie)>The draft post can be viewed using Admin account and XSS will be triggered.

WordPress Testimonial Slider And Showcase 2.2.6 Cross Site Scripting

Vulnerability has been patched in latest versions

Vulnerability has been patched in latest versions

  

A critical authentication bypass flaw in an NPM package could allow a malicious actor to take over a victim’s email account.

The vulnerability, which was rated a CVSS score of 9.1, was present in Nextauth.js, an open source authentication package for next.js applications.

Users of NPM package next-auth who are using the either in versions before 4.10.3 or 3.29.10 are affected by the bug, a security advisory warns.

Read more of the latest web security vulnerability news

If an attacker could forge a request that sent a comma-separated list of emails, for example , to the sign-in endpoint, Nextauth.js would send emails to both the attacker and to the victim’s email addresses.

The attacker could then login as a newly created user with the email being .

Basic authorization such as in the callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

**Patched**

The vulnerability has been patched by maintainers in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else.

“We also added a callback on the configuration, where you can further tweak your requirements for what your system considers a valid email address,” wrote the maintainers.

A detailed workaround is also available for any users who cannot patch, however updating to the latest version is recommended.

YOU MAY ALSO LIKE Trio of XSS bugs in open source web apps could lead to complete system compromise

Authentication bypass bug in Nextauth.js could allow email account takeover

A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false.

** Zero-Day Advisory**

**Fortinet Discovers dotCMS Multiple Cross-Site Scripting Vulnerability**

**Summary**

Fortinet's FortiGuard Labs had discovered a Cross-Site Scripting (XSS) vulnerability in dotCMS Admin Portal.

dotCMS is an open source content management system (CMS) written in Java for managing content and content driven sites and applications.

The vulnerability is caused by insufficient input sanitization in dotCMS Core. Upon successful exploitation, it allows attackers to launch client-side script execution in the browser's process context.  

**Solutions**

FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:

**dotCMS.Portal.Multiple.XSS**  
Released Aug 02, 2022

Users should always enable XSS Prevention feature on dotCMS

**Additional Information**

The vulnerability affected dotCMS Core.  

**Timeline**

Fortinet reported the vulnerability to dotCMS on 10 June, 2022.

dotCMS confirmed the vulnerability on 25th  June, 2022 and concluded it as a no-fix issue. 

**Acknowledgement**

This vulnerability was discovered by Nguyen Thanh Nguyen of Fortinet's FortiGuard Labs.

**IPS Subscription**

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

CVE-2022-37431: Fortiguard

A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Version 2.11.3 contains a fix for the problem

**Apache JSPWiki XSS due to crafted request on XHRHtml2Markup.jsp**

Moderate severity GitHub Reviewed Published Aug 5, 2022 • Updated Aug 11, 2022

GHSA-2fxf-qj94-3f83: Apache JSPWiki XSS due to crafted request on XHRHtml2Markup.jsp

A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later.

**Apache JSPWiki XSS due to crafted request in WeblogPlugin**

Moderate severity GitHub Reviewed Published Aug 5, 2022 • Updated Aug 11, 2022

GHSA-hph8-29xw-qfxx: Apache JSPWiki XSS due to crafted request in WeblogPlugin

A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.

**Apache JSPWiki XSS due to incomplete patch for CVE-2021-40369**

Moderate severity GitHub Reviewed Published Aug 5, 2022 • Updated Aug 11, 2022

GHSA-ggjq-8c4c-68r5: Apache JSPWiki XSS due to incomplete patch for CVE-2021-40369

PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.

@@ -1511,21 +1511,20 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw== passKeyless := func(\_ context.Context, \_ name.Reference, \_ \*cosign.CheckOpts) (checkedSignatures \[\]oci.Signature, bundleVerified bool, err error) { // This is from 2022/07/29 // ghcr.io/distroless/static@sha256:a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8 payload := \[\]byte(\`{"critical":{"identity":{"docker-reference":"ghcr.io/distroless/static"},"image":{"docker-manifest-digest":"sha256:a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8"},"type":"cosign container image signature"},"optional":{"run\_attempt":"1","run\_id":"2757953139","sha":"7e7572e578de7c51a2f1a1791f025cf315503aa2"}}\`) b64sig := "MEUCIAmudMKGDWEpufGGqrMgeei7KVdpZwhc6clqMaMaw6lyAiEA3JnLUqV3wtKDERcVy8OjMGopJY7IZ8lfks5zEAjlnW0=" set, err := base64.StdEncoding.DecodeString("MEUCIAOMBR9Gh7laJtdvU9+JqK/AiTps8/tzviDzkvfMQqn4AiEAs553xG1bvlIu3aGERoPRf+oR3MfZTIM9M4nQrGeW8D4=") payload := \[\]byte(\`{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJjb3NpZ24uc2lnc3RvcmUuZGV2L2F0dGVzdGF0aW9uL3Z1bG4vdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZ2hjci5pby9kaXN0cm9sZXNzL3N0YXRpYyIsImRpZ2VzdCI6eyJzaGEyNTYiOiJhMWU4MmY2YTVmNmRmYzczNTE2NWQzNDQyZTdjYzVhNjE1ZjcyYWJhYzNkYjE5NDUyNDgxZjVmM2M5MGZiZmE4In19XSwicHJlZGljYXRlIjp7Imludm9jYXRpb24iOnsicGFyYW1ldGVycyI6bnVsbCwidXJpIjoiaHR0cHM6Ly9naXRodWIuY29tL2Rpc3Ryb2xlc3Mvc3RhdGljL2FjdGlvbnMvcnVucy8yNzU3OTUzMTM5IiwiZXZlbnRfaWQiOiIyNzU3OTUzMTM5IiwiYnVpbGRlci5pZCI6IkNyZWF0ZSBSZWxlYXNlIn0sInNjYW5uZXIiOnsidXJpIjoiaHR0cHM6Ly9naXRodWIuY29tL2FxdWFzZWN1cml0eS90cml2eSIsInZlcnNpb24iOiIwLjI5LjIiLCJkYiI6eyJ1cmkiOiIiLCJ2ZXJzaW9uIjoiIn0sInJlc3VsdCI6eyIkc2NoZW1hIjoiaHR0cHM6Ly9qc29uLnNjaGVtYXN0b3JlLm9yZy9zYXJpZi0yLjEuMC1ydG0uNS5qc29uIiwicnVucyI6W3siY29sdW1uS2luZCI6InV0ZjE2Q29kZVVuaXRzIiwib3JpZ2luYWxVcmlCYXNlSWRzIjp7IlJPT1RQQVRIIjp7InVyaSI6ImZpbGU6Ly8vIn19LCJyZXN1bHRzIjpbXSwidG9vbCI6eyJkcml2ZXIiOnsiZnVsbE5hbWUiOiJUcml2eSBWdWxuZXJhYmlsaXR5IFNjYW5uZXIiLCJpbmZvcm1hdGlvblVyaSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hcXVhc2VjdXJpdHkvdHJpdnkiLCJuYW1lIjoiVHJpdnkiLCJydWxlcyI6W10sInZlcnNpb24iOiIwLjI5LjIifX19XSwidmVyc2lvbiI6IjIuMS4wIn19LCJtZXRhZGF0YSI6eyJzY2FuU3RhcnRlZE9uIjoiMjAyMi0wNy0yOVQwMjoyODo0MloiLCJzY2FuRmluaXNoZWRPbiI6IjIwMjItMDctMjlUMDI6Mjg6NDhaIn19fQ==","signatures":\[{"keyid":"","sig":"MEYCIQDeQXMMojIpNvxEDLDXUC5aAwCbPPr/0uckP8TCcdTLjgIhAJG6M00kY40bz/C90W0FeUc2YcWY+txD4BPXhzd8E+tP"}\]}\`) set, err := base64.StdEncoding.DecodeString("MEQCIDBYWwwDW+nH+1vFoTOqHS4jAtVm4Yezq2nAy7vjcV8zAiBkznmgMrz9em4NuB/hl5X/umubhLgwoXgUAY2NJJwu5A==") if err != nil { return nil, false, err } sig, err := static.NewSignature(payload, b64sig, static.WithCertChain( \[\]byte("-----BEGIN CERTIFICATE-----\\nMIIDnDCCAyKgAwIBAgIUfMlmBH82a8tub3Mzzv8DBUEjLHwwCgYIKoZIzj0EAwMw\\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\\ncm1lZGlhdGUwHhcNMjIwNzI5MDIyNzEzWhcNMjIwNzI5MDIzNzEzWjAAMFkwEwYH\\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEPL3MZbQBWha+4lgvmbZ4JA7BgxcAOcWTq+Ns\\nGgKVhhodbDucZp5JLVRn+QWrEG+Ppd4JzLoAZth2a0BhNlkGC6OCAkEwggI9MA4G\\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU3yHz\\nvrj7CsZsIsI87Ps9XUXd7+0wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\\nZD8wYQYDVR0RAQH/BFcwVYZTaHR0cHM6Ly9naXRodWIuY29tL2Rpc3Ryb2xlc3Mv\\nc3RhdGljLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueWFtbEByZWZzL2hlYWRz\\nL21haW4wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1\\nYnVzZXJjb250ZW50LmNvbTAWBgorBgEEAYO/MAECBAhzY2hlZHVsZTA2BgorBgEE\\nAYO/MAEDBCg3ZTc1NzJlNTc4ZGU3YzUxYTJmMWExNzkxZjAyNWNmMzE1NTAzYWEy\\nMBwGCisGAQQBg78wAQQEDkNyZWF0ZSBSZWxlYXNlMB8GCisGAQQBg78wAQUEEWRp\\nc3Ryb2xlc3Mvc3RhdGljMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjCB\\niQYKKwYBBAHWeQIEAgR7BHkAdwB1AAhgkvAoUv9oRdHRayeEnEVnGKwWPcM40m3m\\nvCIGNm9yAAABgkfHgcEAAAQDAEYwRAIgZteRlFRR3aLNH6RlF3iknW4BfQXwsIWP\\nRnkEOzOlN4MCIBQShlTxp2JJ677LTbFBU30zHLOZfQCa/qj5kpiFDPn6MAoGCCqG\\nSM49BAMDA2gAMGUCMQDG7KFCngua3Nn5C20np9DiSnw74v7/xjbhFBoWQj1m0pio\\nbSbh3ihNMR5neANay6ECMFwFsGFHCeLlL9kmf5ONk2EAZWQuwdJONPvXlbC/28KE\\na7sPOJxVkCUQMdvqf1KBTw==\\n\-----END CERTIFICATE-----\\n"), sig, err := static.NewSignature(payload, "", static.WithCertChain( \[\]byte("-----BEGIN CERTIFICATE-----\\nMIIDnDCCAyOgAwIBAgIUVGZ4TQgYi4VCLLFghYMU/taKrD8wCgYIKoZIzj0EAwMw\\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\\ncm1lZGlhdGUwHhcNMjIwNzI5MDIyODQ4WhcNMjIwNzI5MDIzODQ4WjAAMFkwEwYH\\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEhiVvK5Tqk1+HnXSstf/8byA1RDpZu+Jvn9X6\\nZoaCL/IjSJ7fBakvKAQ0BlzFg/JEtDreg/TFNiX2wnlMBlMV16OCAkIwggI+MA4G\\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUiMn3\\nza+9v+99n385GpkXzZxZiBIwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\\nZD8wYQYDVR0RAQH/BFcwVYZTaHR0cHM6Ly9naXRodWIuY29tL2Rpc3Ryb2xlc3Mv\\nc3RhdGljLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueWFtbEByZWZzL2hlYWRz\\nL21haW4wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1\\nYnVzZXJjb250ZW50LmNvbTAWBgorBgEEAYO/MAECBAhzY2hlZHVsZTA2BgorBgEE\\nAYO/MAEDBCg3ZTc1NzJlNTc4ZGU3YzUxYTJmMWExNzkxZjAyNWNmMzE1NTAzYWEy\\nMBwGCisGAQQBg78wAQQEDkNyZWF0ZSBSZWxlYXNlMB8GCisGAQQBg78wAQUEEWRp\\nc3Ryb2xlc3Mvc3RhdGljMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjCB\\nigYKKwYBBAHWeQIEAgR8BHoAeAB2AAhgkvAoUv9oRdHRayeEnEVnGKwWPcM40m3m\\nvCIGNm9yAAABgkfI9c8AAAQDAEcwRQIgPm4AoftGQF2abbFxMLvtzTjXy+sxwxTp\\nCh5ZsoesBDMCIQCNlwmLpuu1KiqjY74l5527AffSd4kOapDMfpHAlMrpCTAKBggq\\nhkjOPQQDAwNnADBkAjAe7jfVc1OJNhbaZF8BJRJ9nQOAcY6kwFYMav1XfQsJPE0x\\naYpNg/oXVA5UrFcSBLkCMFa4124w3qUzrXSTGq99nlALKQ8HFR8ri17wM5/ZiWxi\\nrtABq5eub32TXpAnfqGSmw==\\n\-----END CERTIFICATE-----\\n"), \[\]byte("-----BEGIN CERTIFICATE-----\\nMIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw\\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\\nMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C\\nAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7\\n7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS\\n0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB\\nBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp\\nKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI\\nzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR\\nnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP\\nmygUY7Ii2zbdCdliiow=\\n\-----END CERTIFICATE-----\\n\-----BEGIN CERTIFICATE-----\\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\\n\-----END CERTIFICATE-----"), ), static.WithBundle(&bundle.RekorBundle{ SignedEntryTimestamp: set, Payload: bundle.RekorPayload{ Body: "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJjYzYxZDc4MzdmYWYzYmMyYjMxMThkNTUxZmY5NTJjYzU5NzljNzM3OTkwNGE4NDEwMzAxMDg3OGVlMmZjMDUwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQW11ZE1LR0RXRXB1ZkdHcXJNZ2VlaTdLVmRwWndoYzZjbHFNYU1hdzZseUFpRUEzSm5MVXFWM3d0S0RFUmNWeThPak1Hb3BKWTdJWjhsZmtzNXpFQWpsblcwPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUnVSRU5EUVhsTFowRjNTVUpCWjBsVlprMXNiVUpJT0RKaE9IUjFZak5OZW5wMk9FUkNWVVZxVEVoM2QwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcEpkMDU2U1RWTlJFbDVUbnBGZWxkb1kwNU5ha2wzVG5wSk5VMUVTWHBPZWtWNlYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZRVEROTldtSlJRbGRvWVNzMGJHZDJiV0phTkVwQk4wSm5lR05CVDJOWFZIRXJUbk1LUjJkTFZtaG9iMlJpUkhWalduQTFTa3hXVW00clVWZHlSVWNyVUhCa05FcDZURzlCV25Sb01tRXdRbWhPYkd0SFF6WlBRMEZyUlhkblowazVUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlV6ZVVoNkNuWnlhamREYzFwelNYTkpPRGRRY3psWVZWaGtOeXN3ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFsUldVUldVakJTUVZGSUwwSkdZM2RXV1ZwVVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKU2NHTXpVbmxpTW5oc1l6Tk5kZ3BqTTFKb1pFZHNha3g1Tlc1aFdGSnZaRmRKZG1ReU9YbGhNbHB6WWpOa2Vrd3pTbXhpUjFab1l6SlZkV1ZYUm5SaVJVSjVXbGRhZWt3eWFHeFpWMUo2Q2t3eU1XaGhWelIzVDFGWlMwdDNXVUpDUVVkRWRucEJRa0ZSVVhKaFNGSXdZMGhOTmt4NU9UQmlNblJzWW1rMWFGa3pVbkJpTWpWNlRHMWtjR1JIYURFS1dXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRUZYUW1kdmNrSm5SVVZCV1U4dlRVRkZRMEpCYUhwWk1taHNXa2hXYzFwVVFUSkNaMjl5UW1kRlJRcEJXVTh2VFVGRlJFSkRaek5hVkdNeFRucEtiRTVVWXpSYVIxVXpXWHBWZUZsVVNtMU5WMFY0VG5wcmVGcHFRWGxPVjA1dFRYcEZNVTVVUVhwWlYwVjVDazFDZDBkRGFYTkhRVkZSUW1jM09IZEJVVkZGUkd0T2VWcFhSakJhVTBKVFdsZDRiRmxZVG14TlFqaEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVVlhVbkFLWXpOU2VXSXllR3hqTTAxMll6TlNhR1JIYkdwTlFqQkhRMmx6UjBGUlVVSm5OemgzUVZGWlJVUXpTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbXBEUWdwcFVWbExTM2RaUWtKQlNGZGxVVWxGUVdkU04wSklhMEZrZDBJeFFVRm9aMnQyUVc5VmRqbHZVbVJJVW1GNVpVVnVSVlp1UjB0M1YxQmpUVFF3YlROdENuWkRTVWRPYlRsNVFVRkJRbWRyWmtoblkwVkJRVUZSUkVGRldYZFNRVWxuV25SbFVteEdVbEl6WVV4T1NEWlNiRVl6YVd0dVZ6UkNabEZZZDNOSlYxQUtVbTVyUlU5NlQyeE9ORTFEU1VKUlUyaHNWSGh3TWtwS05qYzNURlJpUmtKVk16QjZTRXhQV21aUlEyRXZjV28xYTNCcFJrUlFialpOUVc5SFEwTnhSd3BUVFRRNVFrRk5SRUV5WjBGTlIxVkRUVkZFUnpkTFJrTnVaM1ZoTTA1dU5VTXlNRzV3T1VScFUyNTNOelIyTnk5NGFtSm9Sa0p2VjFGcU1XMHdjR2x2Q21KVFltZ3phV2hPVFZJMWJtVkJUbUY1TmtWRFRVWjNSbk5IUmtoRFpVeHNURGxyYldZMVQwNXJNa1ZCV2xkUmRYZGtTazlPVUhaWWJHSkRMekk0UzBVS1lUZHpVRTlLZUZaclExVlJUV1IyY1dZeFMwSlVkejA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=", IntegratedTime: 1659061655, LogIndex: 3059462, Body: "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIyYjY1Y2JmMGU3OTAxYmEzMWQ1NWIxMmQzMTliY2EzOTQyMGFmNDM4OGQzZTU3MTRkMTZmMjAxOWQ3NGUzYWI3In0sInBheWxvYWRIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiYzFiNWYwZjRiOGVjZDU1ZWRhMjUwY2Q4NDk2NGQwYzFmYjVkN2E4YTM0OGY0YjdmZmI3ZGFhMmUwNmM0ODM3MyJ9fSwicHVibGljS2V5IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUnVSRU5EUVhsUFowRjNTVUpCWjBsVlZrZGFORlJSWjFscE5GWkRURXhHWjJoWlRWVXZkR0ZMY2tRNGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcEpkMDU2U1RWTlJFbDVUMFJSTkZkb1kwNU5ha2wzVG5wSk5VMUVTWHBQUkZFMFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZvYVZaMlN6VlVjV3N4SzBodVdGTnpkR1l2T0dKNVFURlNSSEJhZFN0S2RtNDVXRFlLV205aFEwd3ZTV3BUU2pkbVFtRnJka3RCVVRCQ2JIcEdaeTlLUlhSRWNtVm5MMVJHVG1sWU1uZHViRTFDYkUxV01UWlBRMEZyU1hkblowa3JUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZwVFc0ekNucGhLemwyS3prNWJqTTROVWR3YTFoNlduaGFhVUpKZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFsUldVUldVakJTUVZGSUwwSkdZM2RXV1ZwVVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKU2NHTXpVbmxpTW5oc1l6Tk5kZ3BqTTFKb1pFZHNha3g1Tlc1aFdGSnZaRmRKZG1ReU9YbGhNbHB6WWpOa2Vrd3pTbXhpUjFab1l6SlZkV1ZYUm5SaVJVSjVXbGRhZWt3eWFHeFpWMUo2Q2t3eU1XaGhWelIzVDFGWlMwdDNXVUpDUVVkRWRucEJRa0ZSVVhKaFNGSXdZMGhOTmt4NU9UQmlNblJzWW1rMWFGa3pVbkJpTWpWNlRHMWtjR1JIYURFS1dXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRUZYUW1kdmNrSm5SVVZCV1U4dlRVRkZRMEpCYUhwWk1taHNXa2hXYzFwVVFUSkNaMjl5UW1kRlJRcEJXVTh2VFVGRlJFSkRaek5hVkdNeFRucEtiRTVVWXpSYVIxVXpXWHBWZUZsVVNtMU5WMFY0VG5wcmVGcHFRWGxPVjA1dFRYcEZNVTVVUVhwWlYwVjVDazFDZDBkRGFYTkhRVkZSUW1jM09IZEJVVkZGUkd0T2VWcFhSakJhVTBKVFdsZDRiRmxZVG14TlFqaEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVVlhVbkFLWXpOU2VXSXllR3hqTTAxMll6TlNhR1JIYkdwTlFqQkhRMmx6UjBGUlVVSm5OemgzUVZGWlJVUXpTbXhhYmsxMllVZFdhRnBJVFhaaVYwWndZbXBEUWdwcFoxbExTM2RaUWtKQlNGZGxVVWxGUVdkU09FSkliMEZsUVVJeVFVRm9aMnQyUVc5VmRqbHZVbVJJVW1GNVpVVnVSVlp1UjB0M1YxQmpUVFF3YlROdENuWkRTVWRPYlRsNVFVRkJRbWRyWmtrNVl6aEJRVUZSUkVGRlkzZFNVVWxuVUcwMFFXOW1kRWRSUmpKaFltSkdlRTFNZG5SNlZHcFllU3R6ZUhkNFZIQUtRMmcxV25OdlpYTkNSRTFEU1ZGRFRteDNiVXh3ZFhVeFMybHhhbGszTkd3MU5USTNRV1ptVTJRMGEwOWhjRVJOWm5CSVFXeE5jbkJEVkVGTFFtZG5jUXBvYTJwUFVGRlJSRUYzVG01QlJFSnJRV3BCWlRkcVpsWmpNVTlLVG1oaVlWcEdPRUpLVWtvNWJsRlBRV05aTm10M1JsbE5ZWFl4V0daUmMwcFFSVEI0Q21GWmNFNW5MMjlZVmtFMVZYSkdZMU5DVEd0RFRVWmhOREV5TkhjemNWVjZjbGhUVkVkeE9UbHViRUZNUzFFNFNFWlNPSEpwTVRkM1RUVXZXbWxYZUdrS2NuUkJRbkUxWlhWaU16SlVXSEJCYm1aeFIxTnRkejA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19", IntegratedTime: 1659061729, LogIndex: 3059470, LogID: "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d", }, })) @@ -1675,7 +1674,7 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw== }, Attestations: \[\]webhookcip.AttestationPolicy{{ Name: "test-att", PredicateType: "custom", PredicateType: "vuln", }}, }, },

Tag

#xss