In this week's digest, we'll focus on the following:
- An XSS vulnerability in a highly popular WordPress plugin, Advanced Custom Fields;
- a cPanel XSS vulnerability; and
- a potential information disclosure vulnerability in Flask
CVE-2023-30777: Advanced Custom Fields (ACF) and ACF Pro WordPress Plugin: Unauthenticated XSS
Background
Advanced Custom Fields (ACF) and ACF Pro, the free and professional versions of the ACF plugin, respectively, are a highly popular WordPress plugin with over two million active installations. The plugin makes it easy to add and manage content fields in the WordPress edit screen. You can read here to find out how to spin up your own WordPress site on a Linode Compute Instance.
Vulnerability
The vulnerability, tracked as CVE-2023-30777, exists in ACF and ACF Pro plugin versions 6.1.5 and below. It is a reflected XSS vulnerability that allows an attacker to inject malicious scripts on vulnerable websites by tricking a user into visiting a crafted URL. If the victim is a privileged user, the attacker can potentially steal sensitive information such as cookies or session tokens and escalate their privileges.
The vulnerability lies in the function handler admin_body_class, which does not properly sanitize user input that is passed to a variable. This allows an attacker to directly concatenate harmful code, such as a DOM XSS payload, to the variable, which contains the body class string.
Mitigation
- This vulnerability has been fixed in version 6.1.6 of the plugin. It is strongly recommended to update the plugin to the latest version.
CVE-2023-29489: cPanel: XSS on the cpsrvd Error Page via Invalid Webcall
Background
cPanel is a widely used web hosting control panel used by website owners, administrators, and hosting providers to manage and control various aspects of their websites and hosting accounts. It provides a Linux-based GUI that allows users to easily manage their website files, create email accounts, set up databases, install applications, manage domains and subdomains, and perform various other administrative tasks.
Vulnerability
The vulnerability, tracked as CVE-2023-29489, is a reflected XSS present in cPanel versions before 11.109.9999.116. The vulnerability arises when an invalid webcall is called with an ID containing XSS content. It is present in the cpsrvd binary, which provides the core functionality of cPanel; cpsrvd performs improper validation of user-supplied content on its error page, and the XSS is triggered when the error page includes that content. This vulnerability does not require any authentication and even affects management ports that are not exposed externally.
Mitigation
- The vulnerability has been fixed in versions 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. Upgrading to these versions is recommended to fix this issue.
CVE-2023-30861: Flask: Potential Information Disclosure of Permanent Session Cookie
Background
Flask is a lightweight web application framework written in Python. It provides a simple and flexible way to build web applications by leveraging the Python programming language. It focuses on simplicity and extensibility by not imposing any particular way of structuring an application. Flask also has a rich ecosystem of extensions, allowing developers to choose the components they need for their project.
Vulnerability
The vulnerability is tracked as CVE-2023-30861. The affected versions of the Flask package are 2.3.0, 2.3.1, and 2.2.4 and below. It is a potential information disclosure vulnerability where a response containing data intended for one client may be cached by a proxy and sent to another client. Depending on how the proxy handles cookies, it may also send session cookies to an unintended client. The vulnerability requires specific conditions to be met:
- The caching proxy sitting in front of the Flask web application does not strip cookies or ignore responses with cookies.
- The web application sets the session.permanent field to True.
- The web application does not access or modify the session at any point during a request.
- SESSION_REFRESH_EACH_REQUEST is enabled, which is the default setting.
- The web application does not set a Cache-Control header to specify that the page should not be cached.
- If the proxy also caches Set-Cookie headers, it may also send one client's session cookie to an unintended client.
This vulnerability is caused by vulnerable versions of Flask not setting the Vary: Cookie header when the session is refreshed without being accessed or modified.
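As an added example (not Flask's own code), the plain-Python check below runs over a captured list of response headers, flags a response that meets the conditions above (a session cookie set without Vary: Cookie and without a private/no-store Cache-Control, so a shared cache could store it), and applies the mitigation the patched versions use, sending Vary: Cookie. The sample response and the cookie value are constructed; in a real app the same logic would sit in an after_request hook.

```python
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # ordered header list; Set-Cookie may repeat
SESSION_COOKIE = "session"       # Flask's default session cookie name


def _tokens(headers: Headers, name: str) -> set:
    """Lower-cased directive names from a comma-separated header (name matched case-insensitively)."""
    out = set()
    for k, v in headers:
        if k.lower() == name.lower():
            out.update(t.strip().split("=", 1)[0].lower() for t in v.split(","))
    return out


def sets_session_cookie(headers: Headers) -> bool:
    # A refreshed permanent session is sent as "session=<value>; HttpOnly; ..."
    return any(k.lower() == "set-cookie" and v.split("=", 1)[0].strip() == SESSION_COOKIE
               for k, v in headers)


def audit_response(headers: Headers) -> List[str]:
    """Findings for the CVE-2023-30861 precondition; an empty list means the response is safe."""
    vary_ok = _tokens(headers, "Vary") & {"cookie", "*"}
    cache_ok = _tokens(headers, "Cache-Control") & {"no-store", "private"}
    if sets_session_cookie(headers) and not vary_ok and not cache_ok:
        return ["session cookie set without Vary: Cookie or a private/no-store Cache-Control"]
    return []


def add_vary_cookie(headers: Headers) -> Headers:
    """Mitigation mirroring the fix: send Vary: Cookie whenever a session cookie is set."""
    if not sets_session_cookie(headers) or _tokens(headers, "Vary") & {"cookie", "*"}:
        return list(headers)
    out, patched = [], False
    for k, v in headers:
        if k.lower() == "vary" and not patched:
            out.append((k, v + ", Cookie"))   # extend an existing Vary header
            patched = True
        else:
            out.append((k, v))
    return out if patched else out + [("Vary", "Cookie")]


# Constructed sample: an unpatched app's response to a request that never touched the session
VULNERABLE_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Vary", "Accept-Encoding"),
    ("Set-Cookie", "session=constructed-session-value; HttpOnly; Path=/"),
]
```

Responses that only set non-session cookies, or that already carry Cache-Control: private or no-store, are left untouched.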
Mitigation
- This vulnerability was patched in Flask package versions 2.2.5 and 2.3.2. Upgrading to these versions is recommended.