Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Realwebcare WRC Pricing Tables plugin <= 2.3.7 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WRC Pricing Tables Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38517: WordPress WRC Pricing Tables plugin <= 2.3.7 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Exifography plugin <= 1.3.1 versions.

**Solution**

 No fix

No patched version available.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Exifography Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38521: WordPress Exifography plugin <= 1.3.1 - Cross Site Scripting (XSS) - Patchstack

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.

Expand Up @@ -6,7 +6,7 @@ CheckScreendump  
func Test\_crash1() " The following used to crash Vim let opts \= #{wait\_for\_ruler: 0} let opts \= #{wait\_for\_ruler: 0, rows: 20} let args \= ' -u NONE -i NONE -n -e -s -S ' let buf \= RunVimInTerminal(args .. ' crash/poc\_huaf1', opts) call VerifyScreenDump(buf, 'Test\_crash\_01', {}) Expand All @@ -22,4 +22,13 @@ func Test\_crash1()  
endfunc  
func Test\_crash2() " The following used to crash Vim let opts \= #{wait\_for\_ruler: 0, rows: 20} let args \= ' -u NONE -i NONE -n -e -s -S ' let buf \= RunVimInTerminal(args .. ' crash/vim\_regsub\_both', opts) call VerifyScreenDump(buf, 'Test\_crash\_01', {}) exe buf .. "bw!" endfunc  
" vim: shiftwidth\=2 sts\=2 expandtab

CVE-2023-4738: patch 9.0.1848: [security] buffer-overflow in vim_regsub_both() · vim/vim@ced2c73

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

patch 9.0.1833: \[security\] runtime file fixes

Problem:  runtime files may execute code in current dir
Solution: only execute, if not run from current directory

The perl, zig and ruby filetype plugins and the zip and gzip autoload
plugins may try to load malicious executable files from the current
working directory.  This is especially a problem on windows, where the
current directory is implicitly in your $PATH and windows may even run a
file with the extension \`.bat\` because of $PATHEXT.

So make sure that we are not trying to execute a file from the current
directory. If this would be the case, error out (for the zip and gzip)
plugins or silently do not run those commands (for the ftplugins).

This assumes, that only the current working directory is bad. For all
other directories, it is assumed that those directories were
intentionally set to the $PATH by the user.

Signed-off-by: Christian Brabandt <cb@256bit.org>

*   Loading branch information

CVE-2023-4736: patch 9.0.1833: [security] runtime file fixes · vim/vim@816fbcc

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.

CVE-2023-4735

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 5k

*   Code
*   Issues 1.3k
*   Pull requests 152
*   Discussions
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

patch 9.0.1846: \[security\] crash in fullcommand

Problem:  crash in fullcommand
Solution: Check for typeval correctly

Signed-off-by: Christian Brabandt <cb@256bit.org>

*   Loading branch information

Showing **3 changed files** with **8 additions** and **1 deletion**.

*   *   ex\_docmd.c
    *   *   test\_functions.vim
    *   version.c

2 changes: 1 addition & 1 deletion src/ex\_docmd.c

Expand Up

@@ -4087,7 +4087,7 @@ f\_fullcommand(typval\_T \*argvars, typval\_T \*rettv)

|| check\_for\_opt\_bool\_arg(argvars, 1) \== FAIL))

return;

  

name \= argvars\[0\].vval.v\_string;

name \= tv\_get\_string(&argvars\[0\]);

if (name \== NULL)

return;

  

Expand Down

5 changes: 5 additions & 0 deletions src/testdir/test\_functions.vim

Expand Up

@@ -3607,4 +3607,9 @@ func Test\_string\_reverse()

let &encoding \= save\_enc

endfunc

  

func Test\_fullcommand()

" this used to crash vim

call assert\_equal('', fullcommand(10))

endfunc

  

" vim: shiftwidth\=2 sts\=2 expandtab

2 changes: 2 additions & 0 deletions src/version.c

Expand Up

@@ -699,6 +699,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] \=

{ /\* Add new patch number below this line \*/

/\*\*/

1846,

/\*\*/

1845,

/\*\*/

Expand Down

**0 comments on commit 4c6fe2e**

Please sign in to comment.

CVE-2023-4734: patch 9.0.1846: [security] crash in fullcommand · vim/vim@4c6fe2e

A vulnerability that poses a potential risk of polluting the MXsecurity sqlite database and the nsm-web UI has been identified in MXsecurity versions prior to v1.0.1. This vulnerability might allow an unauthenticated remote attacker to register or add devices via the nsm-web application.



As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**MXsecurity Series Multiple Vulnerabilities**

*   Security Advisory ID: MPSA-230403
*   Version: V1.1
*   Release Date: Sep 01, 2023
*   Reference:
    *   CVE-2023-39979 (cve.org)
    *   CVE-2023-39980 (cve.org)
    *   CVE-2023-39981 (cve.org)
    *   CVE-2023-39982 (cve.org)
    *   CVE-2023-39983 (cve.org)

These vulnerabilities are caused by the improper design or implementation of authentication mechanisms and input validation. Exploiting these vulnerabilities could enable an attacker to bypass authentication, which could lead to the unauthorized disclosure or tampering of authenticated information, unauthorized access to sensitive data, and remote access without proper authorization.

  
The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Small Space of Random Values (CWE-334)

CVE-2023-39979

An attacker can bypass authentication to gain unauthorized access.

2

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

CVE-2023-39980

An attacker can change the SQL command to gain unauthorized access to disclose information.

3

Improper Authentication (CWE-287)

CVE-2023-39981

An attacker can gain unauthorized access to disclose device information.

4

Use of Hard-coded Credentials (CWE-798)

CVE-2023-39982

An attacker can facilitate man-in-the-middle attacks and enable the decryption of SSH traffic.

5

Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

CVE-2023-39983

An attacker can register/add a device via the nsm-web application.

**Vulnerability Scoring Details**

ID

CVSS V3.1

VECTOR

REMOTE EXPLOIT WITHOUT AUTH?

CVE-2023-39979

9.8

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Yes

CVE-2023-39980

7.1

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

No

CVE-2023-39981

7.5

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Yes

CVE-2023-39982

7.5

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Yes

CVE-2023-39983

5.3

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Yes

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

MXsecurity Series

Software version v1.0.1 and prior versions

**Solutions:**

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series

Solutions

MXsecurity Series

Please upgrade to firmware v1.1.0 or later.

****Mitigation****

*   Minimize network exposure to ensure the device is not accessible from the Internet.
*   When remote access is required, use secure methods, such as Virtual Private Networks (VPNs).
*   The starting point of all the above vulnerabilities is from the web service, so it is suggested to disable web service temporarily if you completed configuration to prevent further damages from these vulnerabilities until installed patch or updated firmware. 

**Products Confirmed Not Vulnerable:**

Only products listed in the Affected Products section of this advisory are known to be affected by these vulnerabilities. 

**Acknowledgment:**

We would like to express our appreciation to Noam Moshe of Claroty Research - Team82 for reporting the vulnerabilities (CVE-2023-39979, CVE-2023-39980, and CVE-2023-39981), Darren Martyn for advising on a vulnerability (CVE-2023-39982), and James Sebree from the Tenable Bug Bounty Program for his contribution in reporting a vulnerability (CVE-2023-39983) and working with us to help enhance the security of our products and provide a better service to our customers.

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

Sept. 1, 2023

1.1

Update credit to Claroty

Sept. 1, 2023

**Relevant Products**

MXsecurity Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

You have some items waiting in your bag; click here to finish your quote!

You are currently on the Global / English site.  
Would you like to go to the site for your region?

Feedback

CVE-2023-39983: MXsecurity Series Multiple Vulnerabilities

The Font Awesome 4 Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fa' and 'fa-stack' shortcodes in versions up to, and including, 4.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

1<?php2/\*3Plugin Name: Font Awesome 4 Menus4Plugin URI: https://www.newnine.com/plugins/font-awesome-4-menus5Description: Join the retina/responsive revolution by easily adding Font Awesome 4.7.0 icons to your WordPress menus and anywhere else on your site! No programming necessary.6Version: 4.7.07Author: New Nine Media8Author URI: https://www.newnine.com9License: GPLv2 or later10\*/1112/\*13    Copyright 2013-2016  NEW NINE MEDIA  (tel : +1-800-288-9699)1415    This program is free software; you can redistribute it and/or modify16    it under the terms of the GNU General Public License, version 2, as 17    published by the Free Software Foundation.1819    This program is distributed in the hope that it will be useful,20    but WITHOUT ANY WARRANTY; without even the implied warranty of21    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the22    GNU General Public License for more details.2324    You should have received a copy of the GNU General Public License25    along with this program; if not, write to the Free Software26    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA27\*/2829class FontAwesomeFour {3031    public static $defaults \= array(32        'maxcdn\_location' \=> 'https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css',33        'spacing' \=> 1,34        'stylesheet' \=> 'local',35        'version' \=> '4.7.0'36    );3738    function \_\_construct(){39        global $wp\_version;4041        add\_action( 'admin\_enqueue\_scripts', array( $this, 'admin\_enqueue\_scripts' ) );42        add\_action( 'admin\_menu', array( $this, 'admin\_menu' ) );43        add\_action( 'admin\_notices', array( $this, 'admin\_notices' ) );44        add\_action( 'wp\_enqueue\_scripts', array( $this, 'wp\_enqueue\_scripts' ) );4546        add\_filter( 'nav\_menu\_css\_class', array( $this, 'nav\_menu\_css\_class' ) );47        add\_filter( 'walker\_nav\_menu\_start\_el', array( $this, 'walker\_nav\_menu\_start\_el' ), 10, 4 );4849        add\_shortcode( 'fa', array( $this, 'shortcode\_icon' ) );50        add\_shortcode( 'fa-stack', array( $this, 'shortcode\_stack' ) );51    }5253    function admin\_enqueue\_scripts( $hook ){54        if( 'settings\_page\_n9m-font-awesome-4-menus' \== $hook ){55            wp\_enqueue\_style( 'n9m-admin-font-awesome-4', plugins\_url( 'css/font-awesome.min.css', \_\_FILE\_\_ ), false, self::$defaults\[ 'version' \] );56        }57    }5859    function admin\_menu(){60        add\_submenu\_page( 'options-general.php', 'Font Awesome 4 Menus', 'Font Awesome', 'edit\_theme\_options', 'n9m-font-awesome-4-menus', array( $this, 'admin\_menu\_cb' ) );61    }6263    function admin\_menu\_cb(){64        if( $\_POST && check\_admin\_referer( 'n9m-fa' ) ){65            $settings \= array();66            switch( $\_POST\[ 'n9m\_location' \] ){67                case 'local':68                case 'maxcdn':69                case 'none':70                    $settings\[ 'stylesheet' \] \= $\_POST\[ 'n9m\_location' \];71                    break;72                case 'other':73                    $settings\[ 'stylesheet' \] \= 'other';74                    $settings\[ 'stylesheet\_location' \] \= sanitize\_text\_field( $\_POST\[ 'n9m\_location-other-location' \] );75                    break;76            }77            if( isset( $\_POST\[ 'n9m\_text\_spacing' \] ) ){78                $settings\[ 'spacing' \] \= 1;79            } else {80                $settings\[ 'spacing' \] \= 0;81            }82            update\_option( 'n9m-font-awesome-4-menus', $settings );83            print '<div class="updated"><p>Your settings have been saved!</p></div>';84        }85        $settings \= get\_option( 'n9m-font-awesome-4-menus', self::$defaults );86        print ' <div class="wrap">87                    <h2><i class="fa fa-thumbs-o-up"></i> ' . get\_admin\_page\_title() . '</h2>88                    <p>Thank you for using Font Awesome 4 Menus by <a href="https://www.newnine.com" target="\_blank">New Nine</a>! To view available icons, <a href="http://fortawesome.github.io/Font-Awesome/icons/" target="\_blank">click here to visit the Font Awesome website</a>.</p>89                    <form action="' . admin\_url( 'options-general.php?page=n9m-font-awesome-4-menus' ) . '" method="post">90                        <h3>Font Awesome Stylesheet</h3>91                        <p>Select how you want Font Awesome 4&#8217;s stylesheet loaded on your site (if at all):</p>92                        <table class="form-table">93                            <tbody>94                                <tr>95                                    <th scope="row">Load Font Awesome 4 From:</th>96                                    <td>97                                        <fieldset>98                                            <legend class="screen-reader-text"><span>Load Font Awesome 4 From</span></legend>99                                            <label for="n9m\_location-local"><input type="radio" name="n9m\_location" id="n9m\_location-local" value="local"' . ( 'local' \== $settings\[ 'stylesheet' \] ? ' checked' : false ) . '> Local plugin folder (default)</label>100                                            <br />101                                            <label for="n9m\_location-maxcdn"><input type="radio" name="n9m\_location" id="n9m\_location-maxcdn" value="maxcdn"' . ( 'maxcdn' \== $settings\[ 'stylesheet' \] ? ' checked' : false ) . '> Official Font Awesome CDN <span class="description">(<a href="https://www.bootstrapcdn.com/fontawesome/" target="\_blank">Font Awesome CDN powered by MaxCDN</a>)</span></label>102                                            <br />103                                            <label for="n9m\_location-other"><input type="radio" name="n9m\_location" id="n9m\_location-other" value="other"' . ( 'other' \== $settings\[ 'stylesheet' \] ? ' checked' : false ) . '> A custom location:</label> <input type="text" name="n9m\_location-other-location" id="n9m\_location-other-location" placeholder="Enter full url here" class="regular-text" value="' . ( isset( $settings\[ 'stylesheet\_location' \] ) ? $settings\[ 'stylesheet\_location' \] : '' ) . '">104                                            <br />105                                            <label for="n9m\_location-none"><input type="radio" name="n9m\_location" id="n9m\_location-none" value="none"' . ( 'none' \== $settings\[ 'stylesheet' \] ? ' checked' : false ) . '> Don&#8217;t load Font Awesome 4&#8217;s stylesheet <span class="description">(use this if you load Font Awesome 4 elsewhere on your site)</span></label>106                                        </fieldset>107                                    </td>108                                </tr>109                            </tbody>110                        </table>111                        <h3>Icon Spacing</h3>112                        <p>By default, Font Awesome 4 Menus adds a space before or after the icon in your menu. Uncheck the box below to remove this space and give you finer control over your custom styling.</p>113                        <p><label for="n9m\_text\_spacing"><input type="checkbox" name="n9m\_text\_spacing" id="n9m\_text\_spacing" value="1"' . ( 1 \== $settings\[ 'spacing' \] ? ' checked' : false ) . '> Keep the space between my text and my icons <span class="description">(default is checked)</span></label>114                        <p>' . wp\_nonce\_field( 'n9m-fa' ) . '<button type="submit" class="button button-primary">Save Settings</button></p>115                    </form>116                </div>';117    }118119    function admin\_notices(){120        global $current\_user, $pagenow;121        if( isset( $\_REQUEST\[ 'action' \] ) && 'kill-n9m-font-awesome-4-notice' \== $\_REQUEST\[ 'action' \] ){122            update\_user\_meta( $current\_user\->data\->ID, 'n9m-font-awesome-4-notice-hide', 1 );123        }124        $shownotice \= get\_user\_meta( $current\_user\->data\->ID, 'n9m-font-awesome-4-notice-hide', true );125        if( 'plugins.php' \== $pagenow && !$shownotice ){126            print ' <div class="updated is-dismissible">127                        <div style="float: right;"><a href="?action=kill-n9m-font-awesome-4-notice" style="color: #7ad03a; display: block; padding: 8px;">&#10008;</a></div>128                        <p>Thank you for installing Font Awesome Menus 4 by <a href="https://www.newnine.com">New Nine</a>! Want to see what else we&#8217;re up to? Subscribe below to our infrequent updates. You can unsubscribe at any time.</p>129                        <form action="http://newnine.us2.list-manage.com/subscribe/post?u=067bab5a6984981f003cf003d&amp;id=1b25a2aee6" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" target="\_blank">130                            <p><input type="text" name="FNAME" placeholder="First Name" value="' . ( !empty( $current\_user\->first\_name ) ? $current\_user\->first\_name : '' ) . '"> <input type="text" name="LNAME" placeholder="Last Name" value="' . ( !empty( $current\_user\->last\_name ) ? $current\_user\->last\_name : '' ) . '"> <input type="text" name="EMAIL" placeholder="Email address" required value="' . $current\_user\->user\_email . '"> <input type="hidden" id="group\_1" name="group\[14489\]\[1\]" value="1"> <input type="submit" name="subscribe" value="Join" class="button action"></p>131                        </form>132                    </div>';133        }134    }135136    function nav\_menu\_css\_class( $classes ){137        if( is\_array( $classes ) ){138            $tmp\_classes \= preg\_grep( '/^(fa)(-\\S+)?$/i', $classes );139            if( !empty( $tmp\_classes ) ){140                $classes \= array\_values( array\_diff( $classes, $tmp\_classes ) );141            }142        }143        return $classes;144    }145146    public static function register\_uninstall\_hook(){147        if( current\_user\_can( 'delete\_plugins' ) ){148            delete\_option( 'n9m-font-awesome-4-menus' );149            $users\_with\_meta \= get\_users( array(150                'meta\_key' \=> 'n9m-font-awesome-4-notice-hide',151                'meta\_value' \=> 1152            ) );153            foreach( $users\_with\_meta as $user\_with\_meta ){154                delete\_user\_meta( $user\_with\_meta\->ID, 'n9m-font-awesome-4-notice-hide' );155            }156        }157    }158159    protected function replace\_item( $item\_output, $classes ){160        $settings \= get\_option( 'n9m-font-awesome-4-menus', FontAwesomeFour::$defaults );161        $spacer \= 1 \== $settings\[ 'spacing' \] ? ' ' : '';162163        if( !in\_array( 'fa', $classes ) ){164            array\_unshift( $classes, 'fa' );165        }166167        $before \= true;168        if( in\_array( 'fa-after', $classes ) ){169            $classes \= array\_values( array\_diff( $classes, array( 'fa-after' ) ) );170            $before \= false;171        }172173        $icon \= '<i class="' . implode( ' ', $classes ) . '"></i>';174175        preg\_match( '/(<a.+>)(.+)(<\\/a>)/i', $item\_output, $matches );176        if( 4 \=== count( $matches ) ){177            $item\_output \= $matches\[1\];178            if( $before ){179                $item\_output .= $icon . '<span class="fontawesome-text">' . $spacer . $matches\[2\] . '</span>';180            } else {181                $item\_output .= '<span class="fontawesome-text">' . $matches\[2\] . $spacer . '</span>' . $icon;182            }183            $item\_output .= $matches\[3\];184        }185        return $item\_output;186    }187    188    function shortcode\_icon( $atts ){189        $a \= shortcode\_atts( array(190            'class' \=> ''191        ), $atts );192        if( !empty( $a\[ 'class' \] ) ){193            $class\_array \= explode( ' ', $a\[ 'class' \] );194            if( !in\_array( 'fa', $class\_array ) ){195                $class\_array\[\] \= 'fa';196            }197            return '<i class="' . implode( ' ', $class\_array ) . '"></i>';198        }199    }200    201    function shortcode\_stack( $atts, $content \= null ){202        $a \= shortcode\_atts( array(203            'class' \=> ''204        ), $atts );205        $class\_array \= array();206        if( empty( $a\[ 'class' \] ) ){207            $class\_array \= array( 'fa-stack' );208        } else {209            $class\_array \= explode( ' ', $a\[ 'class' \] );210            if( !in\_array( 'fa-stack', $class\_array ) ){211                $class\_array\[\] \= 'fa-stack';212            }213        }214        return '<span class="' . implode( ' ', $class\_array ) . '">' . do\_shortcode( $content ) . '</span>';215    }216217    function walker\_nav\_menu\_start\_el( $item\_output, $item, $depth, $args ){218        if( is\_array( $item\->classes ) ){219            $classes \= preg\_grep( '/^(fa)(-\\S+)?$/i', $item\->classes );220            if( !empty( $classes ) ){221                $item\_output \= $this\->replace\_item( $item\_output, $classes );222            }223        }224        return $item\_output;225    }226227    function wp\_enqueue\_scripts(){228        $settings \= get\_option( 'n9m-font-awesome-4-menus', self::$defaults );229        switch( $settings\[ 'stylesheet' \] ){230            case 'local':231                wp\_register\_style( 'font-awesome-four', plugins\_url( 'css/font-awesome.min.css', \_\_FILE\_\_ ), array(), self::$defaults\[ 'version' \], 'all' );232                wp\_enqueue\_style( 'font-awesome-four' );233                break;234            case 'maxcdn':235                wp\_register\_style( 'font-awesome-four', self::$defaults\[ 'maxcdn\_location' \], array(), self::$defaults\[ 'version' \], 'all' );236                wp\_enqueue\_style( 'font-awesome-four' );237                break;238            case 'none':239                break;240            case 'other':241                wp\_register\_style( 'font-awesome-four', $settings\[ 'stylesheet\_location' \], array(), self::$defaults\[ 'version' \], 'all' );242                wp\_enqueue\_style( 'font-awesome-four' );243                break;244        }245    }246247    public static function write\_log( $log ){248        if( is\_array( $log ) || is\_object( $log ) ){249            error\_log( print\_r( $log, true ) );250        } else {251            error\_log( $log );252        }253    }254    255}256$n9m\_font\_awesome\_four \= new FontAwesomeFour();257258register\_uninstall\_hook( \_\_FILE\_\_, array( 'FontAwesomeFour', 'register\_uninstall\_hook' ) );

CVE-2023-4718: n9m-font-awesome-4.php in font-awesome-4-menus/trunk – WordPress Plugin Repository

In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.

**Coordinated Disclosure Timeline**

*   2023-06-16: reported to Ubuntu: https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182
*   2023-06-16: reply received
*   2023-06-16: CVE-2023-3297 assigned
*   2023-06-16: fix proposed
*   2023-06-28: CVE-2023-3297 disclosed

**Summary**

An unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.

**Product**

accountsservice

**Tested Version**

22.08.8-1ubuntu7

The bug is easier to observe on Ubuntu 23.04 than on Ubuntu 22.04 LTS, but it is present on both.

**Details****Use-after-free when throw_error is called (GHSL-2023-139)**

After receiving a D-Bus method call, a D-Bus server is expected to send either a METHOD_RETURN or a ERROR message back to the client, _but not both_. This is done incorrectly in several places in accountsservice. For example, in user_change_language_authorized_cb:

    static void
    user_change_language_authorized_cb (Daemon                *daemon,
                                        User                  *user,
                                        GDBusMethodInvocation *context,
                                        gpointer               data)
    
    {
            const gchar *language = data;
    
            if (!user_HOME_available (user)) {
    
                    /* SetLanguage was probably called from a login greeter,
                       and HOME not mounted and/or not decrypted.
                       Hence don't save anything, or else accountsservice
                       and ~/.pam_environment would become out of sync. */
                    throw_error (context, ERROR_FAILED, "not access to HOME yet so language not saved");  <===== 1
                    goto out;
            }
    
            <snip>
    
    out:
            accounts_user_complete_set_language (ACCOUNTS_USER (user), context);  <===== 2
    }
    

If user_HOME_available returns an error, then throw_error is called at 1 to send an ERROR message, but a regular METHOD_RETURN is also sent at 2. This is incorrect D-Bus protocol, but the more serious problem is that it causes a use-after-free because both throw_error and accounts_user_complete_set_language decrease the reference count on context. In other words, context is freed by throw_error and a UAF occurs in accounts_user_complete_set_language.

An attacker can trigger the bug above by causing user_HOME_available to fail, which they can do by deleting all the files from their home directory. But there are other incorrect uses of throw_error in user.c which are less inconvenient to trigger. For example, this command triggers a call to throw_error in user_update_environment due to the invalid characters in the string:

    dbus-send --system --print-reply --dest=org.freedesktop.Accounts /org/freedesktop/Accounts/User`id -u` org.freedesktop.Accounts.User.SetLanguage string:'**'
    

On Ubuntu 23.04, the above command causes accounts-daemon to crash with a SIGSEGV. But on Ubuntu 22.04 LTS it doesn’t cause any visible harm. The difference is due to a recent change in GLib’s memory allocation: older versions of GLib used the “slice” allocator, but newer version uses the system allocator. The system allocator trashes the memory when it’s freed in a way that causes the use-after-free to trigger a SIGSEGV, whereas the “slice” allocator trashes the memory in a way that causes the UAF to go unnoticed.

**Impact**

Exploitation is likely to be difficult, but this bug could potentially enable a local unprivileged attacker to gain root privileges.

*   CVE-2023-3297

**Credit**

This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-139 in any communication regarding this issue.

CVE-2023-3297: GHSL-2023-139: Use After Free (UAF) in accountsservice - CVE-2023-3297

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". For the former, the syntax of the document needs to be set the `xwiki/1.0` (this syntax doesn't need to be installed). In both cases, when adding the property to an object, the Velocity code is executed regardless of the rights of the author of the property (edit right is still required, though). In both cases, the code is executed with the correct context author so no privileged APIs can be accessed. However, Velocity still grants access to otherwise inaccessible data and APIs that could allow further privilege escalation. At least for "VelocityCode", this behavior is most likely very old but only since XWiki 7.2, script right is a separate right, before that version all users were allowed to execute Velocity and thus this was expected and not a security issue. This has been patched in XWiki 14.10.10 and 15.4 RC1. Users are advised to upgrade. There are no known workarounds.

**Steps to reproduce:**

1.  Log in as a user without script right
2.  Edit your user profile (or any other document) with the class editor and add a new field of type "TextArea", named "Test" and set "Content Type" to "VelocityWiki".
3.  Edit the same document with the object editor and add an object of the just created class. Set its content to $request.cookies.
4.  Open <xwiki-host>/xwiki/bin/get/XWiki/username?xpage=display&property=XWiki.username.Test&type=object where <xwiki-host> is the URL of your XWiki installation and username is your user's name.

**Expected result:**

$request.cookies is displayed.

**Actual result:**

Content similar to \[javax.servlet.http.Cookie@2f0535e1, javax.servlet.http.Cookie@3ed6f4f6, javax.servlet.http.Cookie@6eb94904, javax.servlet.http.Cookie@4e4fbe60, javax.servlet.http.Cookie@48632075\] is displayed, showing that the Velocity code has been executed. Note that while the Velocity code is executed, it is executed with the correct context author. Therefore, no privileged APIs can be accessed. However, still dangerous data might be accessed and security issues that are only exploitable with script right can be exploited.

This is caused by XWIKI-18222 which introduced the "VelocityWiki" type.

Source

CVE