zulookentucky.blogg.se

Antivirus zap 3.0

Antivirus zap 3.0 upgrade

Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.


The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response cannot be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2.

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. Thanks for reporting.


Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized.

This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode. There are no known workarounds apart from upgrading to a version including the fix.

Antivirus zap 3.0 code

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `` and ``-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like ``. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.





