IWX-CVE-2022-8522 (2022-04-13)
==============================

At approximately 17:43 Eastern, April 12, 2022, security researchers disclosed a new vulnerability in the InterWorx Password Reset process. A SiteWorx or NodeWorx user with filesystem access can supply a maliciously crafted reset token that allows the attacker to reset another user's password. At approximately 14:45 Eastern, April 13, 2022, InterWorx released hotfixes to correct this vulnerability.

Affected InterWorx Versions
---------------------------

- All InterWorx 6 <= 6.12.2
- All InterWorx 7 <= 7.9.9

Fixed in Versions
-----------------

- 7.10.0
- 6.12.x (TBD)

Hotfixes Available
------------------

- interworx-hotfix-6.1.26.1577-15
- interworx-hotfix-6.1.26.1626-128
- interworx-hotfix-6.9.0.1810-36
- interworx-hotfix-6.10.1.1856-30
- interworx-hotfix-6.11.1.1929-5
- interworx-hotfix-6.11.2.1931-6
- interworx-hotfix-6.12.0.1943-17
- interworx-hotfix-6.12.1.1964-5
- interworx-hotfix-6.12.2.1984-8
- interworx-hotfix-7.4.1.1851-14
- interworx-hotfix-7.9.3.1969-5
- interworx-hotfix-7.9.6.1987-5
- interworx-hotfix-7.9.7.1991-5
- interworx-hotfix-7.9.8.2025-3

Installation and Verification
-----------------------------

On a standard InterWorx installation, hotfixes are applied automatically every 6 hours. To verify that a system has been patched:

#. Log in to the server at the CLI as root, either via SSH or from the terminal.
#. At the CLI, run the following command and compare the output to the list above:

   .. code-block::

      rpm -q interworx-hotfix

#. If the version in the command output is not in the list above, run the following to attempt to install the latest hotfix:

   .. code-block::

      ~iworx/bin/hotfix.pex --install --force

#. Check the list again:

   .. code-block::

      rpm -q interworx-hotfix

If the hotfix version in the command output is still not one found in the list above, please :doc:`enable Remote Assistance ` and then `open a support ticket with InterWorx support `__.
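The verification procedure above carried through as a script, added here as an example; it is not InterWorx's own tooling. It queries ``rpm`` with an explicit query format so the output matches the architecture-less package names listed in this advisory, classifies the installed hotfix against that list, forces a hotfix install only when the host is not covered, and re-checks. Treating a higher release number of the same hotfix build (for example ``-9`` where the list says ``-8``) as patched is an assumption that hotfix packages are cumulative; confirm that with InterWorx support before relying on it. The ``--check`` argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example for IWX-CVE-2022-8522: verify that the installed
# interworx-hotfix package is one that carries the fix. Not InterWorx code.

# Hotfix builds that include the fix, copied from this advisory.
FIXED_HOTFIXES='interworx-hotfix-6.1.26.1577-15
interworx-hotfix-6.1.26.1626-128
interworx-hotfix-6.9.0.1810-36
interworx-hotfix-6.10.1.1856-30
interworx-hotfix-6.11.1.1929-5
interworx-hotfix-6.11.2.1931-6
interworx-hotfix-6.12.0.1943-17
interworx-hotfix-6.12.1.1964-5
interworx-hotfix-6.12.2.1984-8
interworx-hotfix-7.4.1.1851-14
interworx-hotfix-7.9.3.1969-5
interworx-hotfix-7.9.6.1987-5
interworx-hotfix-7.9.7.1991-5
interworx-hotfix-7.9.8.2025-3'

# Returns 0 if $1 (name-version-release, e.g. interworx-hotfix-6.12.2.1984-8)
# is exactly one of the listed builds.
is_listed_hotfix() {
    printf '%s\n' "$FIXED_HOTFIXES" | grep -qxF -- "$1"
}

# Returns 0 if $1 is a later release of the same build as a listed entry
# (e.g. interworx-hotfix-6.12.2.1984-9 where the list has -8).
# ASSUMPTION (not stated by the advisory): hotfix packages are cumulative,
# so a higher release of the same build still carries the fix.
is_newer_release_of_listed() {
    pkg=$1
    case $pkg in
        interworx-hotfix-*-*) ;;
        *) return 1 ;;
    esac
    base=${pkg%-*}      # strip "-<release>"
    rel=${pkg##*-}      # keep only "<release>"
    case $rel in ''|*[!0-9]*) return 1 ;; esac
    for listed in $FIXED_HOTFIXES; do
        if [ "${listed%-*}" = "$base" ] && [ "$rel" -gt "${listed##*-}" ]; then
            return 0
        fi
    done
    return 1
}

# Classify the text printed by `rpm -q interworx-hotfix` (given as $1).
# Prints one of: patched | patched-newer | unpatched | missing
# Exit status is 0 only for the two patched states.
classify_hotfix() {
    out=$1
    case $out in
        'package interworx-hotfix is not installed'*) echo missing; return 1 ;;
        *.noarch|*.x86_64|*.i386|*.i686) out=${out%.*} ;;   # drop arch suffix
    esac
    if is_listed_hotfix "$out"; then echo patched; return 0; fi
    if is_newer_release_of_listed "$out"; then echo patched-newer; return 0; fi
    echo unpatched
    return 1
}

# Live check on an InterWorx host, as root: query, force-install if needed,
# re-query. The query format omits the arch so the output matches the list.
check_host() {
    current=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' interworx-hotfix 2>&1)
    if state=$(classify_hotfix "$current"); then
        echo "OK: $current ($state)"
        return 0
    fi
    echo "NOT PATCHED: $current ($state); forcing hotfix install"
    ~iworx/bin/hotfix.pex --install --force
    current=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' interworx-hotfix 2>&1)
    if state=$(classify_hotfix "$current"); then
        echo "OK after install: $current ($state)"
        return 0
    fi
    echo "STILL NOT PATCHED: $current; enable Remote Assistance and open a support ticket"
    return 1
}

# Only touch rpm/hotfix.pex when explicitly asked, so the functions above can
# be sourced or tested without running the live check.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as ``sh iwx-hotfix-check.sh --check`` as root on the InterWorx host; a non-zero exit means the host is still on an unlisted hotfix and should go to support.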