The AltaGrade Blog

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Project: Role Delegation
Date: 2022-March-23
Security risk: Moderately critical 14∕25
Vulnerability: Privilege escalation

Description

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user.

Read More

WordPress 5.9.2 Security and Maintenance Release

WordPress 5.9.2 Security and Maintenance Release

WordPress 5.9.2 is now available!

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

Read More

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Project: Opigno Learning path
Date: 2022-March-09
Security risk: Moderately critical 13∕25
Vulnerability: Access bypass

Description

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.

The module was providing too much user information about users such as the list of groups a uid is in.

Solution

Install the latest version:

Read More

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

Project: SVG Formatter
Date: 2022-March-09
Security risk: Critical 15∕25 
Vulnerability: Cross Site Scripting

Description

SVG Formatter module provides support for using SVG images on your website.

Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.

Read More

Pages