Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available for interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, users can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-40183

Publication date:
21/09/2023
DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links. The vulnerability has been fixed in v1.18.11. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2023

CVE-2023-41048

Publication date:
21/09/2023
plone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an SVG image as source is not vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in versions 5.6.1 (for Plone 5.2), 6.0.3 (for Plone 6.0.0-6.0.4), 6.1.3 (for Plone 6.0.5-6.0.6), and 6.2.1 (for Plone 6.0.7). There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2023

CVE-2023-42457

Publication date:
21/09/2023
plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-43632

Publication date:
21/09/2023
As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options”. The communication with this server is done using protobuf, and the data consists of 2 parts:

1. Header

2. Data

When a connection is made, the server waits for 4 bytes of data, which will be the header, and these 4 bytes are parsed as the uint32 size of the actual data to come.

Then, in the function “handleRequest”, this size is used to allocate a payload on the stack for the incoming data.

As this payload is allocated on the stack, this allows overflowing the stack size allocated for the relevant process with freely controlled data.

* An attacker can crash the system.
* An attacker can gain control over the system, specifically over the “vtpm_server” process, which has very high privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2023

CVE-2023-43633

Publication date:
21/09/2023
On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”.

If the file exists, it overrides the existing configuration on the device on boot.

This allows an attacker to change the system’s configuration, which also includes some debug functions.

This could be used to unlock the ssh with custom “authorized_keys” via the “debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before.

Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb” key, allowing VNC access via the “app.allow.vnc” key, and more.

An attacker could easily enable these debug functionalities without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable and it is not encrypted in any way.

An attacker can gain full control over the device without changing the PCR values, thereby not triggering the “measured boot” mechanism, and having full access to the vault.

Note:

This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13:

• aa3501d6c57206ced222c33aea15a9169d629141

• 5fef4d92e75838cc78010edaed5247dfbdae1889

This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2023

CVE-2023-43634

Publication date:
21/09/2023
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used.

In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13.

In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.

In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key.

This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key.

An attacker could modify the config partition without triggering the measured boot; this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault”.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2023

CVE-2023-43637

Publication date:
21/09/2023
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo".

This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32-byte randomly generated key with this key (by taking 16 bytes from each, see "mergeKeys").

This makes the key a lot weaker.

This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue.

Roll an update that enforces the full 32-byte key usage.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2023

CVE-2023-43631

Publication date:
21/09/2023
On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”.

If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login.

An attacker could easily add their own keys and gain full control over the system without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”).

This is because the “/config” partition is not protected by “measured boot”, it is mutable, and it is not encrypted in any way.

An attacker can gain full control over the device without changing the PCR values, thus not triggering the “measured boot” mechanism, and having full access to the vault.

Note:

This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13:

• aa3501d6c57206ced222c33aea15a9169d629141

• 5fef4d92e75838cc78010edaed5247dfbdae1889

This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2023

CVE-2023-43274

Publication date:
21/09/2023
Phpjabbers PHP Shopping Cart 4.2 is vulnerable to SQL Injection via the id parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2023-43309

Publication date:
21/09/2023
There is a stored cross-site scripting (XSS) vulnerability in Webmin 2.002 and below via the Cluster Cron Job tab Input field, which allows attackers to run malicious scripts by injecting a specially crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2023

CVE-2023-43236

Publication date:
21/09/2023
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter statuscheckpppoeuser in dir_setWanWifi.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2023-43237

Publication date:
21/09/2023
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter macCloneMac in setMAC.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024