added advisories

Yaniv-git · Yaniv-git · commit 797ead669622 · 2023-11-02T21:22:52.000+01:00
diff --git a/source/_posts/By-passing Cross-Site Scripting Protection in HTML Sanitizer copy.md b/source/_posts/By-passing Cross-Site Scripting Protection in HTML Sanitizer copy.md
@@ -0,0 +1,41 @@
+---
+title: "HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content"
+date: 2023-10-04
+tags:
+	- "xss"
+	- "mxss"
+	- "bypass"
+advisory: true
+origin: https://github.com/advisories/GHSA-43cp-6p3q-2pc4
+cves: 
+	- CVE-2023-44390
+ghsas:
+	- "GHSA-43cp-6p3q-2pc4"
+---
+# Impact
+The vulnerability occurs in configurations where foreign content is allowed, i.e. either `svg` or `math` are in the list of allowed elements.
+Specifically, the requirements for the vulnerability are:
+
+1. Allowing one foreign element: `svg`, or `math`
+2. Comments or one raw text element: `iframe`, `noembed`, `xmp`, `title`, `noframes`, `style` or `noscript`
+
+Configurations that meet the above requirements plus the following are vulnerable to an additional vulnerability:
+
+* Any HTML integration element: `title`, `desc`, `mi`, `mo`, `mn`, `ms`, `mtext`, `annotation-xml`.
+
+In case an application sanitizes user input with a vulnerable configuration, an attacker could
+bypass the sanitization and inject arbitrary HTML, including JavaScript code.
+
+Note that in the default configuration the vulnerability is not present.
+
+# Patches
+The vulnerability has been fixed in versions 8.0.723 and 8.1.722-beta (preview version).
+
+# Workarounds
+Disallow foreign elements `svg` and `math`. This is the case in the default configuration, which is therefore not affected by the vulnerability.
+
+# References
+* [GHSA-43cp-6p3q-2pc4](https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-43cp-6p3q-2pc4)
+* [mganss/HtmlSanitizer@ab29319](https://github.com/mganss/HtmlSanitizer/commit/ab29319866c020f0cc11e6b92228cd8039196c6e)
+* https://nvd.nist.gov/vuln/detail/CVE-2023-44390
+
diff --git a/source/_posts/By-passing Cross-Site Scripting Protection in HTML Sanitizer.md b/source/_posts/By-passing Cross-Site Scripting Protection in HTML Sanitizer.md
@@ -0,0 +1,29 @@
+---
+title: "By-passing Cross-Site Scripting Protection in HTML Sanitizer"
+date: 2023-07-26
+tags:
+	- "xss"
+	- "mxss"
+	- "bypass"
+advisory: true
+origin: https://github.com/advisories/GHSA-59jf-3q9v-rh6g
+cves: 
+	- CVE-2023-38500
+ghsas:
+	- "GHSA-59jf-3q9v-rh6g"
+---
+# Problem
+Due to an encoding issue in the serialization layer, malicious markup nested in a noscript element was not encoded correctly. noscript is disabled in the default configuration, but might have been enabled in custom scenarios. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer.
+
+# Solution
+Update to typo3/html-sanitizer versions 1.5.1 or 2.1.2 that fix the problem described.
+
+# Credits
+Thanks to David Klein and Yaniv Nizry who reported this issue, and to TYPO3 security team members Oliver Hader and Benjamin Franzke who fixed the issue.
+
+# References
+* [TYPO3-CORE-SA-2023-002](https://typo3.org/security/advisory/typo3-core-sa-2023-002)
+* [GHSA-59jf-3q9v-rh6g](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-59jf-3q9v-rh6g)
+* https://nvd.nist.gov/vuln/detail/CVE-2023-38500
+* [TYPO3/html-sanitizer@e3026f5](https://github.com/TYPO3/html-sanitizer/commit/e3026f589fef0be8c3574ee3f0a0bfbe33d7ebdb)
+* https://typo3.org/security/advisory/typo3-core-sa-2023-002
diff --git a/source/_posts/Mutation Cross-Site Scripting (mXSS) Vulnerabilities Discovered in Mozilla-Bleach.md b/source/_posts/Mutation Cross-Site Scripting (mXSS) Vulnerabilities Discovered in Mozilla-Bleach.md
@@ -6,6 +6,7 @@ tags:
 	- "mozilla"
 	- "xss"
 	- "mxss"
+	- "bypass"
 advisory: false
 origin: https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/
 cves:
diff --git a/source/_posts/Mutation Cross-Site Scripting in lxml.md b/source/_posts/Mutation Cross-Site Scripting in lxml.md
@@ -5,6 +5,7 @@ tags:
 	- "python"
 	- "xss"
 	- "mxss"
+	- "bypass"
 advisory: true
 origin: https://advisory.checkmarx.net/advisory/CX-2020-4286/
 cves:
diff --git a/source/_posts/Mutation XSS in Mozilla-bleach using comments.md b/source/_posts/Mutation XSS in Mozilla-bleach using comments.md
@@ -6,6 +6,7 @@ tags:
 	- "mozilla"
 	- "xss"
 	- "mxss"
+	- "bypass"
 advisory: true
 origin: https://advisory.checkmarx.net/advisory/CX-2021-4303/
 cves:
diff --git a/source/_posts/Mutation XSS in Mozilla-bleach via noscript.md b/source/_posts/Mutation XSS in Mozilla-bleach via noscript.md
@@ -6,6 +6,7 @@ tags:
 	- "mozilla"
 	- "xss"
 	- "mxss"
+	- "bypass"
 advisory: true
 origin: https://advisory.checkmarx.net/advisory/CX-2020-4276/
 cves:
diff --git a/source/_posts/Mutation XSS in Mozilla-bleach via svg or math.md b/source/_posts/Mutation XSS in Mozilla-bleach via svg or math.md
@@ -6,6 +6,7 @@ tags:
 	- "mozilla"
 	- "xss"
 	- "mxss"
+	- "bypass"
 advisory: true
 origin: https://advisory.checkmarx.net/advisory/CX-2020-4277/
 cves:
diff --git a/source/_posts/Vendure Cross Site Request Forgery vulnerability impacting all API requests.md b/source/_posts/Vendure Cross Site Request Forgery vulnerability impacting all API requests.md
@@ -0,0 +1,28 @@
+---
+title: "Vendure Cross Site Request Forgery vulnerability impacting all API requests"
+date: 2023-07-12
+tags:
+	- "csrf"
+	- "npm"
+advisory: true
+origin: https://github.com/advisories/GHSA-h9wq-xcqx-mqxm
+cves:
+ghsas:
+	- "GHSA-h9wq-xcqx-mqxm"
+---
+## Impact
+Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of
+authorization. By default the Cookie settings are insecure, having the SameSite setting as false
+which results in not having one (originates from the cookie-session npm package’s default
+settings).
+
+# Patches
+Update to versions 2.0.3 or above.
+
+# Workarounds
+Manually set the `authOptions.cookieOptions.sameSite` configuration option to `'strict'`, `'lax'` or `true`.
+
+# References
+Are there any links users can visit to find out more?
+* [GHSA-h9wq-xcqx-mqxm](https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-h9wq-xcqx-mqxm)
+* [vendure-ecommerce/vendure@4a10d67](https://github.com/vendure-ecommerce/vendure/commit/4a10d6785a3bf792ddf84053cdf232c205b82c81)
diff --git a/source/_posts/Vendure admin-ui-plugin authenticated Cross-site Scripting.md b/source/_posts/Vendure admin-ui-plugin authenticated Cross-site Scripting.md
@@ -0,0 +1,32 @@
+---
+title: "@vendure/admin-ui-plugin authenticated XSS"
+date: 2023-07-04
+tags:
+    - "xss"
+    - "npm"
+advisory: true
+origin: https://github.com/advisories/GHSA-gm68-572p-q28r
+cves:
+ghsas:
+	- "GHSA-9f66-54xg-pc2c"
+---
+## Impact
+Vendure provides an authorization system with different levels of privileges. For example, an administrator cannot create another administrator.
+
+In the admin UI, there are a couple of places with description inputs, such as inventory/collection catalog, shipping methods, promotions, and more.
+
+While the WYSIWYG editor allows limited customization, altering the request data (not in the ui) saves and returns arbitrary HTML with no sanitization. Causing an XSS when viewing the page.
+
+The impact of this XSS is privilege escalation. A user that can write any type of description can trigger the attack. Then any other user that visits the vulnerable page is prone to arbitrary Javascript code execution, giving the attacker ability to execute actions on behalf of this user.
+
+# Patches
+Update to versions 2.0.3 or above.
+
+# Workarounds
+Is there a way for users to fix or remediate the vulnerability without upgrading?
+
+# References
+Are there any links users can visit to find out more?
+* [GHSA-gm68-572p-q28r](https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-gm68-572p-q28r)
+* [vendure-ecommerce/vendure@0cdc92b](https://github.com/vendure-ecommerce/vendure/commit/0cdc92b241e6fd4017ddfc9fbdca189fc7c1ada0)
+* https://github.com/vendure-ecommerce/vendure/blob/master/CHANGELOG.md#203-2023-07-04
