Vulnerabilities

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmeventlist' shortcode in all versions up to, and including, 1.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode in all versions up to, and including, 1.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode in all versions up to, and including, 1.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Contact Us Page – Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.

Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.

An incorrect privilege assignment vulnerability in Palo Alto Networks Cortex® XDR Broker VM allows an authenticated administrative user to execute certain files available within the Broker VM and escalate their privileges to root.

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI.<br /> <br /> The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. <br /> <br /> Cloud NGFW and Prisma® Access are not affected by this vulnerability.

A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user.<br /> <br /> The attacker must have network access to the management web interface and successfully authenticate to exploit this issue.<br /> <br /> Cloud NGFW and Prisma Access are not impacted by this vulnerability.

An improper neutralization of wildcards vulnerability in the log collection feature of Palo Alto Networks GlobalProtect™ app on macOS allows a non administrative user to escalate their privileges to root.

An insufficient implementation of cache vulnerability in Palo Alto Networks Prisma® Access Browser enables users to bypass certain data control policies.

Description<br /> <br /> In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.<br /> <br /> Specifically, an application is vulnerable when all the following are true:<br /> <br /> * The header is prepared with org.springframework.http.ContentDisposition.<br /> * The filename is set via ContentDisposition.Builder#filename(String, Charset).<br /> * The value for the filename is derived from user-supplied input.<br /> * The application does not sanitize the user-supplied input.<br /> * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).<br /> <br /> <br /> An application is not vulnerable if any of the following is true:<br /> <br /> * The application does not set a “Content-Disposition” response header.<br /> * The header is not prepared with org.springframework.http.ContentDisposition.<br /> * The filename is set via one of: * ContentDisposition.Builder#filename(String), or<br /> * ContentDisposition.Builder#filename(String, ASCII)<br /> <br /> <br /> <br /> * The filename is not derived from user-supplied input.<br /> * The filename is derived from user-supplied input but sanitized by the application.<br /> * The attacker cannot inject malicious content in the downloaded content of the response.<br /> <br /> <br /> Affected Spring Products and VersionsSpring Framework:<br /> <br /> * 6.2.0 - 6.2.7<br /> * 6.1.0 - 6.1.20<br /> * 6.0.5 - 6.0.28<br /> * Older, unsupported versions are not affected<br /> <br /> <br /> MitigationUsers of affected versions should upgrade to the corresponding fixed version.<br /> <br /> Affected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.<br /> <br /> <br /> CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.