In this week's digest, we'll discuss the following:
- An XSS vulnerability in an extremely popular WordPress plugin, Advanced Custom Fields;
- a cPanel XSS vulnerability; and
- a potential information exposure vulnerability in Flask
CVE-2023-30777: Advanced Custom Fields (ACF) and ACF Pro WordPress Plugin: Unauthenticated XSS
Background
Advanced Custom Fields (ACF) and ACF Pro, the free and professional versions of the ACF plugin, respectively, are a highly popular WordPress plugin with over two million active installations. The plugin makes it easy to add and manage content fields in the WordPress edit screen. You can read here to find out how to spin up your own WordPress site on a Linode Compute Instance.
Vulnerability
The vulnerability tracked as CVE-2023-30777 exists in ACF and ACF Pro plugin versions 6.1.5 and below. It is a reflected XSS vulnerability that allows an attacker to inject malicious scripts on vulnerable websites by tricking a user into visiting a crafted URL. If the victim is a privileged user, the attacker can potentially steal sensitive information such as cookies or session tokens and escalate their privileges.
The vulnerability lies in a function handler, admin_body_class, that does not properly sanitize user input before it is passed to a variable. This allows an attacker to concatenate harmful code, such as a DOM XSS payload, directly onto the variable that holds the body class string.
Mitigation
- This vulnerability has been fixed in version 6.1.6 of the plugin. It is strongly recommended to update the plugin to the latest version.
CVE-2023-29489: cPanel: XSS on the cpsrvd Error Page via Invalid Web Call Name
Background
cPanel is a widely used web hosting control panel used by website owners, administrators, and hosting providers to manage and control various aspects of their websites and hosting accounts. It provides a Linux-based GUI that allows users to easily manage their website files, create email accounts, set up databases, install applications, manage domains and subdomains, and perform various other administrative tasks.
Vulnerability
The vulnerability, tracked as CVE-2023-29489, is a reflected XSS present in cPanel versions before 11.109.9999.116. It arises when an invalid web call is invoked with an ID that contains XSS content. The flaw is in the cpsrvd binary, which provides cPanel's core functionality: it performs improper validation of user-supplied content on the cpsrvd error page, and the XSS fires when that error page echoes the supplied content. This vulnerability does not require any authentication and even affects management ports that are not exposed externally.
Mitigation
- The vulnerability has been fixed in versions 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. Upgrading to these versions is recommended to fix this issue.
CVE-2023-30861: Flask: Potential Information Exposure of Permanent Session Cookie
Background
Flask is a lightweight web application framework written in Python. It provides a simple and flexible way to build web applications by leveraging the Python programming language. It focuses on simplicity and extensibility by not imposing any particular way of structuring an application. Flask also has a rich ecosystem of extensions, allowing developers to choose the components they need for their project.
Vulnerability
The vulnerability is tracked as CVE-2023-30861. The affected versions of the Flask package are 2.3.0, 2.3.1, and 2.2.4 and below. It is a potential information exposure vulnerability where a response containing data intended for one client may be cached by a proxy and served to another client. Depending on how the proxy handles cookies, it may also send session cookies to an unintended client. The vulnerability requires specific conditions to be met:
- The caching proxy sitting in front of the Flask web application does not strip cookies or ignore responses with cookies.
- The web application sets the session.permanent field to True.
- The web application does not access or modify the session at any point during a request.
- SESSION_REFRESH_EACH_REQUEST is enabled, which is the default setting.
- The web application does not set a Cache-Control header to specify that the page should not be cached.
- If the proxy also caches Set-Cookie headers, it may also send a client's session cookie to an unintended client.
This vulnerability is caused by vulnerable versions of Flask not setting the Vary: Cookie header when the session is refreshed without being accessed or modified.
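The header behaviour described above can be enforced and audited outside of Flask itself. The following is an added example, not code from this digest or from the Flask project: a framework-agnostic WSGI middleware that appends Vary: Cookie whenever a response carries Set-Cookie, plus an audit function that flags responses a shared proxy could replay to the wrong client (cookie set, no Vary on Cookie, no private/no-store Cache-Control). The stand-in "vulnerable" app, the request environ, and the cookie value are all constructed for the demonstration; the middleware itself works with any WSGI application, Flask included, when wrapped around app.wsgi_app.

```python
"""Added example: enforce and audit the Vary: Cookie behaviour that the
CVE-2023-30861 fix introduced, as a generic WSGI middleware.
Not part of the original digest or the Flask project."""
from typing import List, Tuple

Headers = List[Tuple[str, str]]


def _vary_covers_cookie(value: str) -> bool:
    """True if a Vary header value lists Cookie (or '*', which disables sharing)."""
    members = [m.strip().lower() for m in value.split(",")]
    return "cookie" in members or "*" in members


def harden_cookie_headers(headers: Headers) -> Headers:
    """Return a copy of *headers* with Vary: Cookie added when Set-Cookie is present.

    An existing Vary header is extended rather than replaced, so other cache
    keys (e.g. Accept-Encoding) are preserved. Responses without Set-Cookie are
    returned unchanged; Cache-Control policy is left to the application.
    """
    if not any(name.lower() == "set-cookie" for name, _ in headers):
        return list(headers)
    out: Headers = []
    vary_seen = False
    for name, value in headers:
        if name.lower() == "vary":
            vary_seen = True
            if not _vary_covers_cookie(value):
                value = value + ", Cookie"
        out.append((name, value))
    if not vary_seen:
        out.append(("Vary", "Cookie"))
    return out


def is_shared_cache_safe(headers: Headers) -> bool:
    """Audit check for the CVE-2023-30861 conditions.

    A response is safe for a shared caching proxy if it sets no cookie, or it
    varies on Cookie, or Cache-Control marks it private/no-store.
    """
    set_cookie = vary_ok = cc_private = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            set_cookie = True
        elif lname == "vary" and _vary_covers_cookie(value):
            vary_ok = True
        elif lname == "cache-control":
            directives = {d.strip().lower().split("=")[0] for d in value.split(",")}
            if directives & {"private", "no-store"}:
                cc_private = True
    return (not set_cookie) or vary_ok or cc_private


class VaryCookieMiddleware:
    """Wrap any WSGI app (e.g. flask_app.wsgi_app) and patch response headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, harden_cookie_headers(headers), exc_info)
        return self.app(environ, patched_start_response)


def vulnerable_app(environ, start_response):
    """Constructed stand-in for a view under the vulnerable configuration: the
    permanent session cookie is re-sent on every request (refresh each request)
    but neither Vary nor Cache-Control is set. The cookie value is a placeholder."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=CONSTRUCTED_PLACEHOLDER_TOKEN; Path=/; HttpOnly"),
    ])
    return [b"hello"]


def run_app(app, path: str = "/"):
    """Minimal offline WSGI driver: returns (status, headers, body) for one GET."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}  # constructed environ
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, raw, _ = run_app(vulnerable_app)
    _, hardened, _ = run_app(VaryCookieMiddleware(vulnerable_app))
    print("unpatched safe for shared cache:", is_shared_cache_safe(raw))
    print("wrapped   safe for shared cache:", is_shared_cache_safe(hardened))
```

The middleware only adds Vary: Cookie, matching the upstream fix; an application that wants defence in depth against the proxy conditions listed above should additionally send Cache-Control: private or no-store on responses that set cookies, which is_shared_cache_safe also accepts.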
Mitigation
- This vulnerability was patched in Flask package versions 2.2.5 and 2.3.2. Upgrading to these versions is recommended.