<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - bolt 0.9.4 cve-s found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13219">13219</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>bolt 0.9.4 cve-s found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>Certified ROSA distros
</td>
</tr>
<tr>
<th>Version</th>
<td>Chrome
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Group</th>
<td>ROSA-plus-NTCIT
</td>
</tr></table>
<p>
<div>
<pre>CVE-2019-15483 Bolt before 3.6.10 has XSS via a title that is mishandled in
the system log.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-15483">https://nvd.nist.gov/vuln/detail/CVE-2019-15483</a> MEDIUM

CVE-2019-15484 Bolt before 3.6.10 has XSS via an image's alt or title field.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-15484">https://nvd.nist.gov/vuln/detail/CVE-2019-15484</a> MEDIUM

CVE-2019-15485 Bolt before 3.6.10 has XSS via createFolder or createFile in
Controller/Async/FilesystemManager.php.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-15485">https://nvd.nist.gov/vuln/detail/CVE-2019-15485</a> MEDIUM

CVE-2019-9185 Controller/Async/FilesystemManager.php in the filemanager in
Bolt before 3.6.5 allows remote attackers to execute arbitrary PHP code by
renaming a previously uploaded file to have a .php extension.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-9185">https://nvd.nist.gov/vuln/detail/CVE-2019-9185</a> HIGH

CVE-2020-28925 Bolt before 3.7.2 does not restrict filter options in a Request
in the Twig context, and is therefore inconsistent with the "How to Harden Your
PHP for Better Security" guidance.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-28925">https://nvd.nist.gov/vuln/detail/CVE-2020-28925</a> MEDIUM

CVE-2020-4040 Bolt CMS before version 3.7.1 lacked CSRF protection in the
preview generating endpoint. Previews are intended to be generated by the
admins, developers, chief-editors, and editors, who are authorized to create
content in the application. But due to lack of proper CSRF protection,
unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-4040">https://nvd.nist.gov/vuln/detail/CVE-2020-4040</a> MEDIUM

CVE-2020-4041 In Bolt CMS before version 3.7.1, the filename of uploaded
files was vulnerable to stored XSS. It is not possible to inject javascript
code in the file name when creating/uploading the file. But, once
created/uploaded, it can be renamed to inject the payload in it. Additionally,
the measures to prevent renaming the file to disallowed filename extensions
could be circumvented. This is fixed in Bolt 3.7.1.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-4041">https://nvd.nist.gov/vuln/detail/CVE-2020-4041</a> MEDIUM

CVE-2021-27367 Controller/Backend/FileEditController.php and
Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow
Directory Traversal.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-27367">https://nvd.nist.gov/vuln/detail/CVE-2021-27367</a> HIGH</pre>
</div>
</p>
</body>
</html>