<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_CONFIRMED" title="CONFIRMED - [CVE 21] bolt 0.9.4 CVEs found" href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13499">13499</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[CVE 21] bolt 0.9.4 CVEs found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>ROSA Fresh
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>CVE-2019-15483, CVE-2019-15484, CVE-2019-15485, CVE-2019-9185, CVE-2020-28925, CVE-2020-4040, CVE-2020-4041, CVE-2021-27367
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>e.kosachev&#64;rosalinux.ru, s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Flags</th>
          <td>secteam_verified?
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Please patch CVEs for package bolt version 0.9.4

INFO (CVEs are): bolt 0.9.4
CVEs found:

CVE-2019-15483
Desc: Bolt before 3.6.10 has XSS via a title that is mishandled in the system
log.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-15483">https://nvd.nist.gov/vuln/detail/CVE-2019-15483</a>
Severity: MEDIUM

CVE-2019-15484
Desc: Bolt before 3.6.10 has XSS via an image's alt or title field.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-15484">https://nvd.nist.gov/vuln/detail/CVE-2019-15484</a>
Severity: MEDIUM

CVE-2019-15485
Desc: Bolt before 3.6.10 has XSS via createFolder or createFile in
Controller/Async/FilesystemManager.php.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-15485">https://nvd.nist.gov/vuln/detail/CVE-2019-15485</a>
Severity: MEDIUM

CVE-2019-9185
Desc: Controller/Async/FilesystemManager.php in the filemanager in Bolt before
3.6.5 allows remote attackers to execute arbitrary PHP code by renaming a
previously uploaded file to have a .php extension.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-9185">https://nvd.nist.gov/vuln/detail/CVE-2019-9185</a>
Severity: HIGH

CVE-2020-28925
Desc: Bolt before 3.7.2 does not restrict filter options in a Request in the
Twig context, and is therefore inconsistent with the &quot;How to Harden Your PHP
for Better Security&quot; guidance.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-28925">https://nvd.nist.gov/vuln/detail/CVE-2020-28925</a>
Severity: MEDIUM

CVE-2020-4040
Desc: Bolt CMS before version 3.7.1 lacked CSRF protection in the preview
generating endpoint. Previews are intended to be generated by the admins,
developers, chief-editors, and editors, who are authorized to create content in
the application. But due to lack of proper CSRF protection, unauthorized users
could generate a preview. This has been fixed in Bolt 3.7.1.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-4040">https://nvd.nist.gov/vuln/detail/CVE-2020-4040</a>
Severity: MEDIUM

CVE-2020-4041
Desc: In Bolt CMS before version 3.7.1, the filename of uploaded files was
vulnerable to stored XSS. It is not possible to inject JavaScript code in the
file name when creating/uploading the file. But, once created/uploaded, it can
be renamed to inject the payload in it. Additionally, the measures to prevent
renaming the file to disallowed filename extensions could be circumvented. This
is fixed in Bolt 3.7.1.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-4041">https://nvd.nist.gov/vuln/detail/CVE-2020-4041</a>
Severity: MEDIUM

CVE-2021-27367
Desc: Controller/Backend/FileEditController.php and
Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow
Directory Traversal.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-27367">https://nvd.nist.gov/vuln/detail/CVE-2021-27367</a>
Severity: HIGH</pre>
        </div>
      </p>
    </body>
</html>