In this week’s digest, we’ll cover:
- An XSS vulnerability in the very popular WordPress plugin Advanced Custom Fields.
- A cPanel XSS vulnerability.
- A potential information disclosure vulnerability in Flask.
CVE-2023-30777: Advanced Custom Fields (ACF) and ACF Pro WordPress plugin: unauthenticated XSS
Background
Advanced Custom Fields (ACF) and ACF Pro, the free and paid versions of the ACF plugin, are extremely popular WordPress plugins with over 2 million active installs each. The plugin makes it easy to add and manage content fields on the WordPress edit screen. Read here to learn how to launch your own WordPress website on a Linode compute instance.
Vulnerability
The vulnerability is tracked as CVE-2023-30777 and is present in ACF and ACF Pro versions 6.1.5 and below. It is a reflected XSS vulnerability that allows an attacker to inject a malicious script into a vulnerable site by tricking a user into visiting a crafted URL. If the victim is a privileged user, the attacker could steal sensitive information such as cookies and session tokens and use it to elevate privileges.
The flaw lies in the admin_body_class function handler, which does not properly sanitize user input before assigning it to variables. This allows an attacker to concatenate malicious code, such as a DOM XSS payload, directly into the variable that holds the body class string.
Mitigation
- This vulnerability has been fixed in version 6.1.6 of the plugin. We strongly recommend updating the plugin to the latest version.
CVE-2023-29489: cPanel: XSS in the cpsrvd error page triggered by an invalid web call
Background
cPanel is a web hosting control panel widely used by website owners, administrators and hosting providers to manage and control various aspects of websites and hosting accounts. It offers a Linux-based GUI that lets users easily manage website files, create email accounts, set up databases, install applications, manage domains and subdomains, and perform various other administrative tasks.
Vulnerability
The vulnerability is tracked as CVE-2023-29489 and is a reflected XSS present in cPanel versions prior to 11.109.9999.116. It is triggered when an invalid web call is invoked using an identifier that contains XSS content. The flaw exists in the cpsrvd binary, which provides core cPanel functionality: the cpsrvd error page does not properly validate user-provided content, so the XSS fires when the error page reflects that content. The vulnerability does not require authentication and also affects management ports that are not externally exposed.
Mitigation
- This vulnerability is fixed in versions 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. We recommend upgrading to one of these versions to resolve this issue.
CVE-2023-30861: Flask: Possible information disclosure through persistent session cookies
Background
Flask is a lightweight web application framework written in Python. It provides a simple and flexible way to build web applications and focuses on simplicity and extensibility by not forcing you to structure your application in any particular way. Flask also has a rich ecosystem of extensions that lets developers choose the components they need for their projects.
Vulnerability
The vulnerability is tracked as CVE-2023-30861 and affects Flask versions 2.3.0, 2.3.1, and 2.2.4 and below. It is a potential information disclosure vulnerability in which a response containing data intended for one client may be cached by a proxy and served to another client. Session cookies may also be sent to unintended clients, depending on how the proxy handles cookies. The vulnerability is exploitable only when all of the following conditions hold:
- A caching proxy in front of the Flask application does not strip cookies or ignore responses that contain cookies.
- The application sets session.permanent to True.
- The application never accesses or modifies the session at any point during the request.
- SESSION_REFRESH_EACH_REQUEST is enabled (the default setting).
- The application does not set a Cache-Control header marking the page as not cacheable.
- If the proxy also caches the Set-Cookie header, it may send one client's session cookie to other clients.
The root cause is that vulnerable Flask versions do not set the Vary: Cookie header when a session is refreshed without being accessed or modified.
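To make the failure mode concrete, the following toy caching proxy (example code written for this digest, not part of Flask or any real proxy) keys its cache on the request headers named in the response's Vary header, while the simulated application refreshes the session cookie on every request the way an unpatched Flask app meeting the conditions above would; second_client_sees() reports what a second client receives. The proxy, the application and the cookie values are all constructed for the example.

```python
# Minimal model of a caching proxy, constructed for this example (not Flask, not a real proxy).
# It reuses a cached response for any request whose URL and Vary-named request headers match,
# so without "Vary: Cookie" the first client's response, Set-Cookie included, is served to everyone.
from typing import Any, Callable, Dict, Tuple
Headers = Dict[str, str]
Response = Dict[str, Any]  # {"headers": Headers, "body": str}

def _lower(h: Headers) -> Headers:
    return {k.lower(): v for k, v in h.items()}

class CachingProxy:
    def __init__(self) -> None:
        self._vary_by: Dict[str, Tuple[str, ...]] = {}  # url -> header names listed in Vary
        self._store: Dict[Tuple, Response] = {}

    def _key(self, url: str, req: Headers, vary: Tuple[str, ...]) -> Tuple:
        r = _lower(req)
        return (url,) + tuple((h, r.get(h, "")) for h in vary)

    def fetch(self, url: str, req: Headers, origin: Callable[[Headers], Response]) -> Tuple[Response, bool]:
        """Return (response, served_from_cache)."""
        vary = self._vary_by.get(url)
        if vary is not None and self._key(url, req, vary) in self._store:
            return self._store[self._key(url, req, vary)], True
        resp = origin(req)
        h = _lower(resp["headers"])
        if "no-store" in h.get("cache-control", "").lower():
            return resp, False  # the application opted out of caching (Cache-Control condition)
        vary = tuple(v.strip().lower() for v in h.get("vary", "").split(",") if v.strip())
        self._vary_by[url] = vary
        self._store[self._key(url, req, vary)] = resp  # Set-Cookie is cached too (proxy condition)
        return resp, False

def make_origin(vary_cookie: bool, no_store: bool = False) -> Callable[[Headers], Response]:
    # Simulated app: refreshes the permanent session cookie on every request without reading it.
    def origin(req: Headers) -> Response:
        session = _lower(req).get("cookie", "")
        headers = {"Content-Type": "text/html", "Set-Cookie": f"{session}; Path=/; HttpOnly"}
        if vary_cookie:  # unpatched Flask omitted this header in the refresh-only case
            headers["Vary"] = "Cookie"
        if no_store:
            headers["Cache-Control"] = "no-store"
        return {"headers": headers, "body": f"account page for {session}"}
    return origin

def second_client_sees(vary_cookie: bool, no_store: bool = False) -> Tuple[str, bool]:
    proxy, origin = CachingProxy(), make_origin(vary_cookie, no_store)
    proxy.fetch("/account", {"Cookie": "session=alice-token"}, origin)  # Alice primes the cache
    resp, cached = proxy.fetch("/account", {"Cookie": "session=bob-token"}, origin)  # Bob follows
    return resp["headers"]["Set-Cookie"], cached
```

Without Vary: Cookie, Bob receives Alice's cached response and her Set-Cookie header; with the header, or with Cache-Control: no-store, each client gets its own response from the origin.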
Mitigation
- This vulnerability was patched in Flask versions 2.2.5 and 2.3.2. We recommend upgrading to one of these versions.