In this week’s digest, we will discuss the following:
- An XSS vulnerability in a Highly Popular WordPress Plugin, Advanced Custom Fields;
- cPanel XSS Vulnerability; and
- a Potential Information Exposure Vulnerability in Flask
CVE-2023-30777: Advanced Custom Fields (ACF) and ACF Pro WordPress Plugin: Unauthenticated XSS
Advanced Custom Fields (ACF) and ACF Pro, the free and pro versions of the ACF plugins, respectively, is a highly popular WordPress plugin with over two million active installations. This plugin makes it easy to add and manage content fields in the WordPress edit screen. You can read here to find out how you can spin up your own WordPress website on a Linode Compute Instance.
The vulnerability tracked as CVE-2023-30777 exists in ACF and ACF Pro plugin versions 6.1.5 and below. It is a reflected XSS vulnerability that allows an attacker to inject malicious scripts on vulnerable websites by tricking a user into visiting a crafted URL. If the victim is a privileged user, the attacker can potentially steal sensitive information such as cookies or session tokens and escalate their privileges.
The vulnerability lies in a function handler admin_body_class that does not properly sanitize user input that is passed to a variable. This allows an attacker to directly concatenate harmful code, such as a DOM XSS payload, to the variable, which contains the body class string.
- This vulnerability has been fixed in version 6.1.6 of the plugin. It is strongly recommended to update the plugin to the latest version.
CVE-2023-29489: cPanel: XSS on the cpsrvd Error Page via Invalid Web Call
cPanel is a widely used web hosting control panel used by website owners, administrators, and hosting providers to manage and control various aspects of their websites and hosting accounts. It provides a Linux-based GUI that allows users to easily manage their website files, create email accounts, set up databases, install applications, manage domains and subdomains, and perform various other administrative tasks.
The vulnerability tracked as CVE-2023-29489, is a reflected XSS present in cPanel versions before 11.109.9999.116. The vulnerability arises when an invalid web call is called with its ID containing XSS content. The vulnerability is present in the cpsrvd binary, which provides the core functionalities for cPanel. It performs improper validation of user-supplied content by the cpsrvd error page. An XSS attack is triggered when the error page contains the XSS content. This vulnerability does not require any authentication and even affects management ports that are not exposed externally.
- The vulnerability has been fixed in versions 11.109.9999.116, 126.96.36.199, 188.8.131.52, and 184.108.40.206. Upgrading to these versions is recommended to fix this issue.
CVE-2023-30861: Flask: Potential Information Exposure of Permanent Session Cookie
Flask is a lightweight web application framework written in Python. It provides a simple and flexible way to build web applications by leveraging the Python programming language. It focuses on simplicity and extensibility by not imposing any particular way of structuring an application. Flask also has a rich ecosystem of extensions allowing developers to choose the components they need for their project.
The vulnerability is tracked as CVE-2023-30861. The affected versions of Flask packages are versions 2.3.0, 2.3.1, and 2.2.4 and below. It is a potential information exposure vulnerability where a response containing data intended for one client may be cached by a proxy and sent to another client. Depending on how the proxy handles cookies, it may also send session cookies to an unintended client. The vulnerability requires particular conditions to be met:
- The caching proxy sitting in front of the Flask web application does not strip cookies or ignore responses with cookies.
- The web application sets the session.permanent field to True.
- The web application does not access or modify the session at any point during a request.
- SESSION_REFRESH_EACH_REQUEST is enabled, which is the default setting.
- The web application does not set a Cache-Control header to specify the page should not be cached.
- If the proxy also caches Set-Cookie headers, it may also send a client’s session cookie to an unintended client.
This vulnerability is caused due to vulnerable versions of Flask not setting the Vary: Cookie header when the session is refreshed without being accessed or modified.
- This vulnerability was patched in Flask package versions 2.2.5 and 2.3.2. Upgrading to these versions is recommended.