Vulnerabilities

A security vulnerability has been detected in AfterShip Package Tracker App up to 5.24.1 on Android. The affected element is an unknown function of the file AndroidManifest.xml of the component com.aftership.AfterShip. The manipulation leads to improper export of android application components. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure and replied: "After reviewing your report, we have confirmed that this vulnerability does indeed exist and we are actively working to fix it."

The Contact Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title’ parameter in all versions up to, and including, 8.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

The Nexter Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

An unauthenticated remote attacker can get access without password protection to the affected device. This enables the unprotected read-only access to the stored measurement data.

A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user's email address.

The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The Flexible Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flexible Maps shortcode in all versions up to, and including, 1.18.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.

Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make privilege escalation possible.<br /> <br /> Please note both FunnelKit – Funnel Builder for WooCommerce Checkout AND FunnelKit Automations – Email Marketing Automation and CRM for WordPress &amp; WooCommerce are affected by this.

The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the &amp;#39;imic_agent_register&amp;#39; function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration.

The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the &amp;#39;change_role_member&amp;#39; parameter in all versions up to, and including, 3.5. This is due to a lack of restriction in the profile update role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during a profile update.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: Restrict conditions for adding duplicating netems to qdisc tree<br /> <br /> netem_enqueue&amp;#39;s duplication prevention logic breaks when a netem<br /> resides in a qdisc tree with other netems - this can lead to a<br /> soft lockup and OOM loop in netem_dequeue, as seen in [1].<br /> Ensure that a duplicating netem cannot exist in a tree with other<br /> netems.<br /> <br /> Previous approaches suggested in discussions in chronological order:<br /> <br /> 1) Track duplication status or ttl in the sk_buff struct. Considered<br /> too specific a use case to extend such a struct, though this would<br /> be a resilient fix and address other previous and potential future<br /> DOS bugs like the one described in loopy fun [2].<br /> <br /> 2) Restrict netem_enqueue recursion depth like in act_mirred with a<br /> per cpu variable. However, netem_dequeue can call enqueue on its<br /> child, and the depth restriction could be bypassed if the child is a<br /> netem.<br /> <br /> 3) Use the same approach as in 2, but add metadata in netem_skb_cb<br /> to handle the netem_dequeue case and track a packet&amp;#39;s involvement<br /> in duplication. This is an overly complex approach, and Jamal<br /> notes that the skb cb can be overwritten to circumvent this<br /> safeguard.<br /> <br /> 4) Prevent the addition of a netem to a qdisc tree if its ancestral<br /> path contains a netem. However, filters and actions can cause a<br /> packet to change paths when re-enqueued to the root from netem<br /> duplication, leading us to the current solution: prevent a<br /> duplicating netem from inhabiting the same tree as other netems.<br /> <br /> [1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/<br /> [2] https://lwn.net/Articles/719297/