The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-content’ parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Timestamp:

08/11/2023 10:14:44 PM (10 days ago)

specialk

Message:

Updates plugin to version 20230811  

Location:

user-submitted-posts

Files:

  

*   tags/20230811 _(copied from user-submitted-posts/trunk)_
*   tags/20230811/library/plugin-display.php (1 diff)
*   tags/20230811/library/shortcode-misc.php (3 diffs)
*   tags/20230811/readme.txt (2 diffs)
*   tags/20230811/user-submitted-posts.php (2 diffs)
*   trunk/library/plugin-display.php (1 diff)
*   trunk/library/shortcode-misc.php (3 diffs)
*   trunk/readme.txt (2 diffs)
*   trunk/user-submitted-posts.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **user-submitted-posts/tags/20230811/library/plugin-display.php**
    
    r2944386
    
    r2952471
    
     
    
    739
    
    739
    
    <pre>class  = classes for the parent element (optional, default: none)
    
    740
    
    740
    
    value  = link text (optional, default: "Reset form")
    
    741
    
     
    
    url    = the URL where your form is displayed (required, default: none)
    
    742
    
     
    
    custom = any attributes or custom code for the link element (optional, default: none)</pre>
    
     
    
    741
    
    url    = the URL where your form is displayed (required, default: none)</pre>
    
    743
    
    742
    
                                    <p><?php esc\_html\_e('Note that the url attribute accepts', 'usp'); ?> <code>%%current%%</code> <?php esc\_html\_e('to get the current URL.', 'usp'); ?></p>
    
    744
    
    743
    
                                </div>
    
*   **user-submitted-posts/tags/20230811/library/shortcode-misc.php**
    
    r2951862
    
    r2952471
    
     
    
    9
    
    9
    
            value  = link text (optional, default: "Reset form")
    
    10
    
    10
    
            url    = the URL where your form is displayed (can use %%current%% for current URL)
    
    11
    
     
    
            custom = any attributes or custom code for the link element
    
    12
    
    11
    
       
    
    13
    
    12
    
    \*/
    
    …
    
    …
    
     
    
    15
    
    14
    
       
    
    16
    
    15
    
        extract(shortcode\_atts(array(
    
    17
    
     
    
            'class'  => '',
    
    18
    
     
    
            'value'  => \_\_('Reset form', 'usp'),
    
    19
    
     
    
            'url'    => '#please-check-shortcode',
    
    20
    
     
    
            'custom' => '',
    
     
    
    16
    
            'class' => '',
    
     
    
    17
    
            'value' => \_\_('Reset form', 'usp'),
    
     
    
    18
    
            'url'   => '#please-check-shortcode',
    
    21
    
    19
    
        ), $args));
    
    22
    
    20
    
       
    
    …
    
    …
    
     
    
    35
    
    33
    
        $class = empty($class) ? '' : ' class="'. esc\_attr($class) .'"';
    
    36
    
    34
    
       
    
    37
    
     
    
        $output = '<p'. $class .'><a href="'. esc\_url($href) .'"'. esc\_attr($custom) .'\>'. esc\_html($value) .'</a></p>';
    
     
    
    35
    
        $output = '<p'. $class .'><a href="'. esc\_url($href) .'"\>'. esc\_html($value) .'</a></p>';
    
    38
    
    36
    
       
    
    39
    
    37
    
        return $output;
    
*   **user-submitted-posts/tags/20230811/readme.txt**
    
    r2951862
    
    r2952471
    
     
    
    11
    
    11
    
    Requires at least: 4.6
    
    12
    
    12
    
    Tested up to: 6.3
    
    13
    
     
    
    Stable tag: 20230809
    
    14
    
     
    
    Version:    20230809
    
     
    
    13
    
    Stable tag: 20230811
    
     
    
    14
    
    Version:    20230811
    
    15
    
    15
    
    Requires PHP: 5.6.20
    
    16
    
    16
    
    Text Domain: usp
    
    …
    
    …
    
     
    
    819
    
    819
    
    820
    
    820
    
     
    
    821
    
    \*\*20230811\*\*
    
     
    
    822
    
     
    
    823
    
    \* Removes \`$custom\` variable from \`usp\_reset\_button\_shortcode()\`
    
     
    
    824
    
    \* Tests on WordPress 6.3
    
     
    
    825
    
    821
    
    826
    
    \*\*20230809\*\*
    
    822
    
    827
    
*   **user-submitted-posts/tags/20230811/user-submitted-posts.php**
    
    r2951862
    
    r2952471
    
     
    
    11
    
    11
    
        Requires at least: 4.6
    
    12
    
    12
    
        Tested up to: 6.3
    
    13
    
     
    
        Stable tag: 20230809
    
    14
    
     
    
        Version:    20230809
    
     
    
    13
    
        Stable tag: 20230811
    
     
    
    14
    
        Version:    20230811
    
    15
    
    15
    
        Requires PHP: 5.6.20
    
    16
    
    16
    
        Text Domain: usp
    
    …
    
    …
    
     
    
    39
    
    39
    
    40
    
    40
    
    if (!defined('USP\_WP\_VERSION')) define('USP\_WP\_VERSION', '4.6');
    
    41
    
     
    
    if (!defined('USP\_VERSION'))    define('USP\_VERSION', '20230809');
    
     
    
    41
    
    if (!defined('USP\_VERSION'))    define('USP\_VERSION', '20230811');
    
    42
    
    42
    
    if (!defined('USP\_PLUGIN'))     define('USP\_PLUGIN', esc\_html\_\_('User Submitted Posts', 'usp'));
    
    43
    
    43
    
    if (!defined('USP\_FILE'))       define('USP\_FILE', plugin\_basename(\_\_FILE\_\_));
    
*   **user-submitted-posts/trunk/library/plugin-display.php**
    
    r2944386
    
    r2952471
    
     
    
    739
    
    739
    
    <pre>class  = classes for the parent element (optional, default: none)
    
    740
    
    740
    
    value  = link text (optional, default: "Reset form")
    
    741
    
     
    
    url    = the URL where your form is displayed (required, default: none)
    
    742
    
     
    
    custom = any attributes or custom code for the link element (optional, default: none)</pre>
    
     
    
    741
    
    url    = the URL where your form is displayed (required, default: none)</pre>
    
    743
    
    742
    
                                    <p><?php esc\_html\_e('Note that the url attribute accepts', 'usp'); ?> <code>%%current%%</code> <?php esc\_html\_e('to get the current URL.', 'usp'); ?></p>
    
    744
    
    743
    
                                </div>
    
*   **user-submitted-posts/trunk/library/shortcode-misc.php**
    
    r2951862
    
    r2952471
    
     
    
    9
    
    9
    
            value  = link text (optional, default: "Reset form")
    
    10
    
    10
    
            url    = the URL where your form is displayed (can use %%current%% for current URL)
    
    11
    
     
    
            custom = any attributes or custom code for the link element
    
    12
    
    11
    
       
    
    13
    
    12
    
    \*/
    
    …
    
    …
    
     
    
    15
    
    14
    
       
    
    16
    
    15
    
        extract(shortcode\_atts(array(
    
    17
    
     
    
            'class'  => '',
    
    18
    
     
    
            'value'  => \_\_('Reset form', 'usp'),
    
    19
    
     
    
            'url'    => '#please-check-shortcode',
    
    20
    
     
    
            'custom' => '',
    
     
    
    16
    
            'class' => '',
    
     
    
    17
    
            'value' => \_\_('Reset form', 'usp'),
    
     
    
    18
    
            'url'   => '#please-check-shortcode',
    
    21
    
    19
    
        ), $args));
    
    22
    
    20
    
       
    
    …
    
    …
    
     
    
    35
    
    33
    
        $class = empty($class) ? '' : ' class="'. esc\_attr($class) .'"';
    
    36
    
    34
    
       
    
    37
    
     
    
        $output = '<p'. $class .'><a href="'. esc\_url($href) .'"'. esc\_attr($custom) .'\>'. esc\_html($value) .'</a></p>';
    
     
    
    35
    
        $output = '<p'. $class .'><a href="'. esc\_url($href) .'"\>'. esc\_html($value) .'</a></p>';
    
    38
    
    36
    
       
    
    39
    
    37
    
        return $output;
    
*   **user-submitted-posts/trunk/readme.txt**
    
    r2951862
    
    r2952471
    
     
    
    11
    
    11
    
    Requires at least: 4.6
    
    12
    
    12
    
    Tested up to: 6.3
    
    13
    
     
    
    Stable tag: 20230809
    
    14
    
     
    
    Version:    20230809
    
     
    
    13
    
    Stable tag: 20230811
    
     
    
    14
    
    Version:    20230811
    
    15
    
    15
    
    Requires PHP: 5.6.20
    
    16
    
    16
    
    Text Domain: usp
    
    …
    
    …
    
     
    
    819
    
    819
    
    820
    
    820
    
     
    
    821
    
    \*\*20230811\*\*
    
     
    
    822
    
     
    
    823
    
    \* Removes \`$custom\` variable from \`usp\_reset\_button\_shortcode()\`
    
     
    
    824
    
    \* Tests on WordPress 6.3
    
     
    
    825
    
    821
    
    826
    
    \*\*20230809\*\*
    
    822
    
    827
    
*   **user-submitted-posts/trunk/user-submitted-posts.php**
    
    r2951862
    
    r2952471
    
     
    
    11
    
    11
    
        Requires at least: 4.6
    
    12
    
    12
    
        Tested up to: 6.3
    
    13
    
     
    
        Stable tag: 20230809
    
    14
    
     
    
        Version:    20230809
    
     
    
    13
    
        Stable tag: 20230811
    
     
    
    14
    
        Version:    20230811
    
    15
    
    15
    
        Requires PHP: 5.6.20
    
    16
    
    16
    
        Text Domain: usp
    
    …
    
    …
    
     
    
    39
    
    39
    
    40
    
    40
    
    if (!defined('USP\_WP\_VERSION')) define('USP\_WP\_VERSION', '4.6');
    
    41
    
     
    
    if (!defined('USP\_VERSION'))    define('USP\_VERSION', '20230809');
    
     
    
    41
    
    if (!defined('USP\_VERSION'))    define('USP\_VERSION', '20230811');
    
    42
    
    42
    
    if (!defined('USP\_PLUGIN'))     define('USP\_PLUGIN', esc\_html\_\_('User Submitted Posts', 'usp'));
    
    43
    
    43
    
    if (!defined('USP\_FILE'))       define('USP\_FILE', plugin\_basename(\_\_FILE\_\_));
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-4308: Changeset 2952471 for user-submitted-posts – WordPress Plugin Repository

Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.8.0.

Expand Up

@@ -113,20 +113,20 @@ function formatUnits(units,decimals,display,base) {

post: function ()

{

return {

device\_id: '<?php echo $vars\['device\_id'\] ?? ''; ?>',

device\_id: '<?php echo htmlspecialchars($vars\['device\_id'\] ?? ''); ?>',

hostname: '<?php echo htmlspecialchars($vars\['hostname'\] ?? ''); ?>',

state: '<?php echo $vars\['state'\] ?? ''; ?>',

ifSpeed: '<?php echo $vars\['ifSpeed'\] ?? ''; ?>',

ifType: '<?php echo $vars\['ifType'\] ?? ''; ?>',

port\_descr\_type: '<?php echo $vars\['port\_descr\_type'\] ?? ''; ?>',

ifAlias: '<?php echo $vars\['ifAlias'\] ?? ''; ?>',

location: '<?php echo $vars\['location'\] ?? ''; ?>',

disabled: '<?php echo $vars\['disabled'\] ?? ''; ?>',

ignore: '<?php echo $vars\['ignore'\] ?? ''; ?>',

deleted: '<?php echo $vars\['deleted'\] ?? ''; ?>',

errors: '<?php echo $vars\['errors'\] ?? ''; ?>',

group: '<?php echo $vars\['group'\] ?? ''; ?>',

devicegroup: '<?php echo $vars\['devicegroup'\] ?? ''; ?>',

state: '<?php echo htmlspecialchars($vars\['state'\] ?? ''); ?>',

ifSpeed: '<?php echo htmlspecialchars($vars\['ifSpeed'\] ?? ''); ?>',

ifType: '<?php echo htmlspecialchars($vars\['ifType'\] ?? ''); ?>',

port\_descr\_type: '<?php echo htmlspecialchars($vars\['port\_descr\_type'\] ?? ''); ?>',

ifAlias: '<?php echo htmlspecialchars($vars\['ifAlias'\] ?? ''); ?>',

location: '<?php echo htmlspecialchars($vars\['location'\] ?? '') ?>',

disabled: '<?php echo htmlspecialchars($vars\['disabled'\] ?? ''); ?>',

ignore: '<?php echo htmlspecialchars($vars\['ignore'\] ?? ''); ?>',

deleted: '<?php echo htmlspecialchars($vars\['deleted'\] ?? ''); ?>',

errors: '<?php echo htmlspecialchars($vars\['errors'\] ?? ''); ?>',

group: '<?php echo htmlspecialchars($vars\['group'\] ?? ''); ?>',

devicegroup: '<?php echo htmlspecialchars($vars\['devicegroup'\] ?? ''); ?>',

};

},

url: '<?php echo route('table.ports') ?>'

Expand Down

CVE-2023-4347: Fix unsanitized input injection (#15184) · librenms/librenms@91c57a1

LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers.

CVE-2023-40518: LiteSpeed Web Server Release Log

In multiple locations, there is a possible way to obscure the microphone privacy indicator due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "49773f9d871dd8975128fccf71513928a5a97345", "tree": "0b2eafd1cd6da9c436a3632b188b8c94e71114d7", "parents": \[ "06e772e05514af4aa427641784c5eec39a892ed3" \], "author": { "name": "Johannes Gallmann", "email": "gallmann@google.com", "time": "Mon May 22 10:21:02 2023 +0200" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:09 2023 +0000" }, "message": "Fix PrivacyChip not visible issue\\n\\nBug: 281807669\\nTest: Manual, i.e. posting the following sequence of events (within few milliseconds) to the scheduler and observe the behaviour with and without the fix: Mic in use -\\u003e Mic not in use -\\u003e Mic in use\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a45e1d045770eaabfdbf0e1212c9eb84caf1d565)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:20ea049a4a52dbc8d4e5ed957a2b6b9aa02a2f34)\\nMerged-In: I9851e6ed4cb956d0459ef56251eb0ef3210764b8\\nChange-Id: I9851e6ed4cb956d0459ef56251eb0ef3210764b8\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "4e1404d0637b027eb488f3f6702b4afd7311e95a", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/statusbar/events/StatusEvent.kt", "new\_id": "31d196b542d718e03798522869549cb356fcc96c", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/statusbar/events/StatusEvent.kt" } \] }

CVE-2023-21278

In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "9b58aee2a4528c60b0aa2540bd0f48d2871d2dc7", "tree": "dd725ead57947a7429e13b3f6303e33a84b421b7", "parents": \[ "155b14600fb13553a47b4e45fe0acd163da07453" \], "author": { "name": "Ioana Alexandru", "email": "aioana@google.com", "time": "Thu May 25 11:43:43 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:21 2023 +0000" }, "message": "Visit URIs in themed remoteviews icons.\\n\\nBug: 281018094\\nTest: atest RemoteViewsTest NotificationVisitUrisTest\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:634a69b7700017eac534f3f58cdcc2572f3cc659)\\nMerged-In: I2014bf21cf90267f7f1b3f370bf00ab7001b064e\\nChange-Id: I2014bf21cf90267f7f1b3f370bf00ab7001b064e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "406c7694e5033d2967e0f893224fb9f4218f3e61", "old\_mode": 33188, "old\_path": "core/java/android/widget/RemoteViews.java", "new\_id": "04e46e8b031bc0a9ceebea2ac37cd98b35f6760e", "new\_mode": 33188, "new\_path": "core/java/android/widget/RemoteViews.java" }, { "type": "modify", "old\_id": "e0cccf2f52008ebfb7a63b47baa2e5eb417e5fe9", "old\_mode": 33188, "old\_path": "core/tests/coretests/src/android/widget/RemoteViewsTest.java", "new\_id": "a8f2b1d22aed7980b4635ef68e943fd687257bfd", "new\_mode": 33188, "new\_path": "core/tests/coretests/src/android/widget/RemoteViewsTest.java" } \] }

CVE-2023-21277

In writeToParcel of CursorWindow.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "1272eec833fb49c30a4d8bdc432765e7c4413b3f", "tree": "884d0ae6f1bf31532ad8935459591f6336479e80", "parents": \[ "badb243574d7fca9aa89152d9d25eeb4f8615385" \], "author": { "name": "Lee Shombert", "email": "shombert@google.com", "time": "Fri May 19 15:52:00 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:32 2023 +0000" }, "message": "Remove unnecessary padding code\\n\\nBug: 213170822\\n\\nRemove the code that CursorWindow::writeToParcel() uses to ensure slot\\ndata is 4-byte aligned. Because mAllocOffset and mSlotsOffset are\\nalready 4-byte aligned, the alignment step here is unnecessary.\\n\\nCursorWindow::spaceInUse() returns the total space used. The tests\\nverify that the total space used is always a multiple of 4 bytes.\\n\\nTest: atest\\n \* libandroidfw\_tests\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d4afa0986cbc440f458b4b8db05fd176ef3e6d2)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5b0232d7e1c2087839d9bc029943c8780b2484ab)\\nMerged-In: I720699093d5c5a584283e5b76851938f449ffa21\\nChange-Id: I720699093d5c5a584283e5b76851938f449ffa21\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "3527eeead1d590cd7d9431566b4d44e3ae11510f", "old\_mode": 33188, "old\_path": "libs/androidfw/CursorWindow.cpp", "new\_id": "2a6dc7b95c073073c5c96c5978d649a1d6c3c3e5", "new\_mode": 33188, "new\_path": "libs/androidfw/CursorWindow.cpp" }, { "type": "modify", "old\_id": "6e55a9a0eb8b9ed739ed8ce890cf02055405378b", "old\_mode": 33188, "old\_path": "libs/androidfw/include/androidfw/CursorWindow.h", "new\_id": "9ec026a19c4cfaaac02be32e68a07b23070bc9ab", "new\_mode": 33188, "new\_path": "libs/androidfw/include/androidfw/CursorWindow.h" }, { "type": "modify", "old\_id": "15be80c481926d6406fefbd3fb0e65b2fad107db", "old\_mode": 33188, "old\_path": "libs/androidfw/tests/CursorWindow\_test.cpp", "new\_id": "9ac427b66cb3c96ab7ed5cae9d4f32459360faa3", "new\_mode": 33188, "new\_path": "libs/androidfw/tests/CursorWindow\_test.cpp" } \] }

CVE-2023-21276

In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "2bffd7f5e66dd0cf7e5668fb65c4f2b2e9f87cf7", "tree": "0a10917fa10721a8923ca524ec4ab32282386c77", "parents": \[ "fc3117e0d8bad19c08b38078f17f58293dd4f3ef" \], "author": { "name": "Przemysław Szczepaniak", "email": "pszczepaniak@google.com", "time": "Mon Mar 13 14:38:28 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:43 2023 +0000" }, "message": "Fix OOB Read in setOperandValue\\n\\nBug: 269456018\\nTest: Run the POC\\n(cherry picked from https://android-review.googlesource.com/q/commit:c45bdb6ac47bf8cf2853144e82910f43f2f0b1e9)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d81dcf032155c2967f613629bb67f629f835636)\\nMerged-In: I7325d56a380f05753356875623a2b5eaba3ca578\\nChange-Id: I7325d56a380f05753356875623a2b5eaba3ca578\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "2cbdc092dadb65d743325f082d2a747f18b4bd42", "old\_mode": 33188, "old\_path": "shim\_and\_sl/ShimConverter.cpp", "new\_id": "1ed0e31cf87bdf6b2d75ad52bf21218a578ca666", "new\_mode": 33188, "new\_path": "shim\_and\_sl/ShimConverter.cpp" } \] }

CVE-2023-21274

In setMediaButtonBroadcastReceiver of MediaSessionRecord.java, there is a possible permanent DoS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "06e772e05514af4aa427641784c5eec39a892ed3", "tree": "0a82d1a5e5179db0b679917ee76e2e43ca63110f", "parents": \[ "a65429742caf05205ea7f1c2fdd1119ca652b810" \], "author": { "name": "Iván Budnik", "email": "ivanbuper@google.com", "time": "Tue Apr 04 17:58:26 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:05 2023 +0000" }, "message": "Validate ComponentName for MediaButtonBroadcastReceiver\\n\\nThis is a security fix for b/270049379.\\n\\nBug: 270049379\\nTest: atest CtsMediaMiscTestCases\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c573c83a2aa36ca022302f675d705518dd723a3c)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba546a306217389a8ff9e5e948612651fd496081)\\nMerged-In: I05626f7abf1efef86c9e01ee3f077d7177d7f662\\nChange-Id: I05626f7abf1efef86c9e01ee3f077d7177d7f662\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "84ecc06d172f9922beef8a77949df5eac5e14938", "old\_mode": 33188, "old\_path": "media/java/android/media/session/MediaSession.java", "new\_id": "09eff9e4e13aa7be73869dd7f92050300a0a13d5", "new\_mode": 33188, "new\_path": "media/java/android/media/session/MediaSession.java" }, { "type": "modify", "old\_id": "1bd50632ccbf7258d2addfb5667d791f877fcbe3", "old\_mode": 33188, "old\_path": "services/core/java/com/android/server/media/MediaSessionRecord.java", "new\_id": "cc4895ffaf24a7a3e0bab6d4c364801ea7b72d14", "new\_mode": 33188, "new\_path": "services/core/java/com/android/server/media/MediaSessionRecord.java" } \] }

CVE-2023-21280

In visitUris of RemoteViews.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "155b14600fb13553a47b4e45fe0acd163da07453", "tree": "3cf9fcc3aa0cdf2ce9f32a1f32b537fd445acc9e", "parents": \[ "70ec64dc5a2a816d6aa324190a726a85fd749b30" \], "author": { "name": "Ioana Alexandru", "email": "aioana@google.com", "time": "Tue May 23 16:26:41 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:18 2023 +0000" }, "message": "Check URIs in sized remote views.\\n\\nBug: 277741109\\nTest: atest RemoteViewsTest\\n(cherry picked from commit ae0d45137b0f8ea49a085bbce4d39f901685c4a5)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:902f020bc81e5b584d5cb0276568b888a728fc4a)\\nMerged-In: Iceb33606da3a49b9638ab21aeae17a168c1b411a\\nChange-Id: Iceb33606da3a49b9638ab21aeae17a168c1b411a\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "25f97ab0994486e0671a4cc5f2b3d844db1a342e", "old\_mode": 33188, "old\_path": "core/java/android/widget/RemoteViews.java", "new\_id": "406c7694e5033d2967e0f893224fb9f4218f3e61", "new\_mode": 33188, "new\_path": "core/java/android/widget/RemoteViews.java" }, { "type": "modify", "old\_id": "350b7fc2926f728a097be4d0ffbd0a25db4f0e2f", "old\_mode": 33188, "old\_path": "core/tests/coretests/src/android/widget/RemoteViewsTest.java", "new\_id": "e0cccf2f52008ebfb7a63b47baa2e5eb417e5fe9", "new\_mode": 33188, "new\_path": "core/tests/coretests/src/android/widget/RemoteViewsTest.java" } \] }

CVE-2023-21279

In multiple functions of KeyguardViewMediator.java, there is a possible failure to lock after screen timeout due to a logic error in the code. This could lead to local escalation of privilege across users with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "badb243574d7fca9aa89152d9d25eeb4f8615385", "tree": "9326e3afec08486cb46575bbbde3fc6a1d92d5c6", "parents": \[ "0c3b7ec3377e7fb645ec366be3be96bb1a252ca1" \], "author": { "name": "Chandru S", "email": "chandruis@google.com", "time": "Tue May 16 10:41:07 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:29 2023 +0000" }, "message": "Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used\\n\\nBug: 265431505\\nTest: atest KeyguardViewMediatorTest\\n(cherry picked from commit 625e009fc195ba5d658ca2d78ebb23d2770cc6c4)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dbdfadc24c81453c9c51e0d549b0ace924f4341e)\\nMerged-In: I66a660c091c90a957a0fd1e144c013840db3f47e\\nChange-Id: I66a660c091c90a957a0fd1e144c013840db3f47e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "89994b0c228d5c7ff47d233f719f81723bbe3709", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java", "new\_id": "5d086e833e14a5f3909946425b4fb80baf24efa8", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java" } \] }

Source

CVE