The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'mappress' shortcode in versions up to, and including, 2.88.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4840: mappress.php in mappress-google-maps-for-wordpress/tags/2.88.5 – WordPress Plugin Repository

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "7428962d3b064ce1122809d87af65099d1129c9e", "tree": "1deeadc22093f2abd0eb83df703d39bb3ebd04d5", "parents": \[ "375227708b825b70a1b50f0feb0355036d0058fb" \], "author": { "name": "Achim Thesmann", "email": "achim@google.com", "time": "Tue May 23 00:26:33 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:30:03 2023 +0000" }, "message": "Ignore virtual presentation windows - RESTRICT AUTOMERGE\\n\\nWindows of TYPE\_PRESENTATION on virtual displays should not be counted\\nas visible windows to determine if BAL is allowed.\\n\\nTest: manual test, atest BackgroundActivityLaunchTest\\nBug: 264029851, 205130886\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4c40b187cd5277c27d20758c675865bf89180c7a)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5bf9607bec3f1224158cfcff7dd91ac558b46c0f)\\nMerged-In: I08b16ba1c155e951286ddc22019180cbd6334dfa\\nChange-Id: I08b16ba1c155e951286ddc22019180cbd6334dfa\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "4c32edc6d709debe9792f88c5680652a38d4c5ce", "old\_mode": 33188, "old\_path": "services/core/java/com/android/server/wm/WindowState.java", "new\_id": "8a14c93c1d3844e8fe9a705f688ef2934404b4d9", "new\_mode": 33188, "new\_path": "services/core/java/com/android/server/wm/WindowState.java" } \] }

CVE-2023-35674

In bindSelection of DatabaseUtils.java, there is a possible way to access files from other applications due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "23d156ed1bed6d2c2b325f0be540d0afca510c49", "tree": "f54e4f4739f4a720de25255369dd018bae3b8a54", "parents": \[ "192c7711c1adc835c06720d59ddacb86c5e32b5f" \], "author": { "name": "Krishang Garodia", "email": "krishang@google.com", "time": "Mon Jun 19 11:43:45 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:32:33 2023 +0000" }, "message": "Remove invalid surrogates during bindSelection\\n\\nTest: atest MediaProviderTests\\nBug: 223793631\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:108f736d0ec6e974c3f947e7e568845b7e039a0a)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a48b01f78f28fc642b144c673bfcd12ae78c5a73)\\nMerged-In: I18b879f1a51394b4739225ec88b862fd6d0d5526\\nChange-Id: I18b879f1a51394b4739225ec88b862fd6d0d5526\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "55efafc7f79911ea4d1a6e57b01d745c277aaf4a", "old\_mode": 33188, "old\_path": "src/com/android/providers/media/util/DatabaseUtils.java", "new\_id": "53ecf964eef6d0a075c3af85a713744decb648f9", "new\_mode": 33188, "new\_path": "src/com/android/providers/media/util/DatabaseUtils.java" }, { "type": "modify", "old\_id": "685d897041ef04ba469574150494f0b0c1ed316d", "old\_mode": 33188, "old\_path": "tests/src/com/android/providers/media/util/DatabaseUtilsTest.java", "new\_id": "a907875898476236c1f5de7e25812fdf928509a1", "new\_mode": 33188, "new\_path": "tests/src/com/android/providers/media/util/DatabaseUtilsTest.java" } \] }

CVE-2023-35683

In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "47299fd978258e67a8eebc361cb7a4dd2936205e", "tree": "075dc5c899ad93a3d58dda2207e8bd3c5c236388", "parents": \[ "016c65c282bc262d85d663ef6f8a978bd2a45848" \], "author": { "name": "Ian Hua", "email": "ianhua@google.com", "time": "Thu Jul 06 10:05:36 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:32:27 2023 +0000" }, "message": "Fix out of Bounds Read in convertSubgraphFromHAL in ShimConverter.cpp in libneuralnetworks\_shim\_static\\n\\nBug: 269270167\\nTest: N/A\\n(cherry picked from commit 4bf7bb6b50b412678a681d29f7ced70a4d737762)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:244ac21307a785d49930d4c7e289b74856fa9647)\\nMerged-In: I33272284b965efcbb531f64cbf838a0d59c28e00\\nChange-Id: I33272284b965efcbb531f64cbf838a0d59c28e00\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "1ed0e31cf87bdf6b2d75ad52bf21218a578ca666", "old\_mode": 33188, "old\_path": "shim\_and\_sl/ShimConverter.cpp", "new\_id": "4830c5d05d4e9f096d3b2ae9b232eb2497f9c9c9", "new\_mode": 33188, "new\_path": "shim\_and\_sl/ShimConverter.cpp" } \] }

CVE-2023-35664

In hasPermissionForActivity of PackageManagerHelper.java, there is a possible way to start arbitrary components due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

)\]}' { "commit": "09f8b0e52e45a0b39bab457534ba2e5ae91ffad0", "tree": "dbd3cd11150c6a5ea77d78e2afe420a578af4d1b", "parents": \[ "4d098abb45aa38004cc5057b6dc382a148b56f01" \], "author": { "name": "Pinyao Ting", "email": "pinyaoting@google.com", "time": "Thu Jun 01 18:12:44 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:31:09 2023 +0000" }, "message": "Fix permission issue in legacy shortcut\\n\\nWhen building legacy shortcut, Launcher calls\\nPackageManager#resolveActivity to retrieve necessary permission to\\nlaunch the intent.\\n\\nHowever, when the source app wraps an arbitrary intent within\\nIntent#createChooser, the existing logic will fail because launching\\nChooser doesn\\u0027t require additional permission.\\n\\nThis CL fixes the security vulnerability by performing the permission\\ncheck against the intent that is wrapped within.\\n\\nBug: 270152142\\nTest: manual\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442)\\nMerged-In: If35344c08975e35085c7c2b9b814a3c457a144b0\\nChange-Id: If35344c08975e35085c7c2b9b814a3c457a144b0\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "f42d30453b1727a5155f1bf5c56329e2c097b696", "old\_mode": 33188, "old\_path": "src/com/android/launcher3/util/PackageManagerHelper.java", "new\_id": "557d57e2d2d7efb4b310fe1bd1b8db50f9e86a71", "new\_mode": 33188, "new\_path": "src/com/android/launcher3/util/PackageManagerHelper.java" } \] }

CVE-2023-35682

In eatt_l2cap_reconfig_completed of eatt_impl.h, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "d8d95291f16a8f18f8ffbd6322c14686897c5730", "tree": "1ddeb1141fe0fb7b0deacbea1f39cfcc5b6cf520", "parents": \[ "24a10ec636b30c59dbaadfeb13fbfaca5d74a23b" \], "author": { "name": "Hui Peng", "email": "phui@google.com", "time": "Thu May 11 01:10:04 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:31:54 2023 +0000" }, "message": "Fix multiple OOB bugs resulted from tx mtu in EATT\\n\\nThe tx mtu in EATT can be controlled by remote device. With malicious\\nmtu values, it is possible to trigger integer overflow and\\nOOB write at multiple places (see the bug below).\\n\\nThis fix enforces a max tx mtu in EATT.\\n\\nBug: 271335899\\nTest: manual\\nIgnore-AOSP-First: security\\nTag: #security\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ea76b7d99e6366e2043c5621eda630d559104d36)\\nMerged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31\\nChange-Id: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "2eac63118d72fe8cfea93d5349773e9f0dde5b2c", "old\_mode": 33188, "old\_path": "system/stack/eatt/eatt.h", "new\_id": "92b61c533ee590914b083edca0dcb2a3edd5c33a", "new\_mode": 33188, "new\_path": "system/stack/eatt/eatt.h" }, { "type": "modify", "old\_id": "0324808680145a4a66dcceda91bbbf09dc4d36da", "old\_mode": 33188, "old\_path": "system/stack/eatt/eatt\_impl.h", "new\_id": "67587c61803dbc1fbb8227ba1a608c01100ec3ff", "new\_mode": 33188, "new\_path": "system/stack/eatt/eatt\_impl.h" } \] }

CVE-2023-35681

In createQuickShareAction of SaveImageInBackgroundTask.java, there is a possible way to trigger a background activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "109e58b62dc9fedcee93983678ef9d4931e72afa", "tree": "7ef156a2d1225c1cb3d43620732bf609091ed48a", "parents": \[ "05b1ada4ed1326d7ad781142f4fff0de70dffeff" \], "author": { "name": "Miranda Kephart", "email": "mkephart@google.com", "time": "Fri Apr 28 10:58:46 2023 -0400" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:30:22 2023 +0000" }, "message": "\[DO NOT MERGE\] Update quickshare intent rather than recreating\\n\\nCurrently, we extract the quickshare intent and re-wrap it as a new\\nPendingIntent once we get the screenshot URI. This is insecure as\\nit leads to executing the original with SysUI\\u0027s permissions, which\\nthe app may not have. This change switches to using Intent.fillin\\nto add the URI, keeping the original PendingIntent and original\\npermission set.\\n\\nBug: 278720336\\nTest: manual (to test successful quickshare), atest\\nSaveImageInBackgroundTaskTest (to verify original pending intent\\nunchanged)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:02938e8ccae910d96578475a19dff0a5e746b03d)\\nMerged-In: Icad3d5f939fcfb894e2038948954bc2735dbe326\\nChange-Id: Icad3d5f939fcfb894e2038948954bc2735dbe326\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "50ee1f7ba97aabd377d1838b2cb3e17c46a909c9", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java", "new\_id": "f4a257fdd3ec7b6b5c97b8e6252f6ddf7059ddcc", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java" }, { "type": "modify", "old\_id": "5b6e5ce95b1483c83098f72fa5cb7051bb92425d", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/ScreenshotController.java", "new\_id": "5928c9ec608589e9b245e5a4950db5077bb75c2c", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/ScreenshotController.java" }, { "type": "modify", "old\_id": "f703058f4a0fb6251bcf51e099b79bb58d1e82a2", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SmartActionsReceiver.java", "new\_id": "ecc13ee747c8b4e116310436832ba03599c137c6", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SmartActionsReceiver.java" }, { "type": "add", "old\_id": "0000000000000000000000000000000000000000", "old\_mode": 0, "old\_path": "/dev/null", "new\_id": "03f8c93942184a59caa0ba86a737fa45e043b24e", "new\_mode": 33188, "new\_path": "packages/SystemUI/tests/src/com/android/systemui/screenshot/SaveImageInBackgroundTaskTest.kt" } \] }

CVE-2023-35676

In loadMediaResumptionControls of MediaResumeListener.kt, there is a possible way to play and listen to media files played by another user on the same device due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "c1cf4b9746c9641190730172522324ccd5b8c914", "tree": "8d25b1a0e76a99f4ad4862e72c3841c6d75925b4", "parents": \[ "f810d81839af38ee121c446105ca67cb12992fc6" \], "author": { "name": "Beth Thibodeau", "email": "ethibodeau@google.com", "time": "Thu Jun 22 18:26:44 2023 -0500" }, "committer": { "name": "Duy Truong", "email": "duytruong@google.com", "time": "Wed Jul 19 17:51:46 2023 -0700" }, "message": "Improve user handling when querying for resumable media\\n\\n- Before trying to query recent media from a saved component, check\\n whether the current user actually has that component installed\\n- Track user when creating the MediaBrowser, in case the user changes\\n before the MBS returns a result\\n\\nTest: atest MediaResumeListenerTest\\nBug: 284297711\\n(cherry picked from commit e566a250ad61e269119b475c7ebdae6ca962c4a7)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d61741288b4d7614e4677428aac6418f6f1d79f0)\\nMerged-In: I838ff0e125acadabc8436a00dbff707cc4be6249\\nChange-Id: I838ff0e125acadabc8436a00dbff707cc4be6249\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "cc06b6c678794756e09fb5a2915727137f21fc48", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/media/MediaResumeListener.kt", "new\_id": "bad87de438e5f4c5e6154f606bd673e1ebc21bab", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/media/MediaResumeListener.kt" }, { "type": "modify", "old\_id": "40a5653a15a0e4d787714c00a042d64f3b868a4a", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowser.java", "new\_id": "018697f772e0024ea6101501a62e55027b23ca1b", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowser.java" }, { "type": "modify", "old\_id": "3d1380b6bd243ccaa79bb1f4fc512444f9ab4494", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowserFactory.java", "new\_id": "fca0ab7e531650f01663aceb0f770b098ccf232c", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowserFactory.java" }, { "type": "modify", "old\_id": "3d3ac836d26499639288249db236b2c7a4b405d5", "old\_mode": 33188, "old\_path": "packages/SystemUI/tests/src/com/android/systemui/media/MediaResumeListenerTest.kt", "new\_id": "e7df1a219d3e2502da142a8be84371d63ef4f99e", "new\_mode": 33188, "new\_path": "packages/SystemUI/tests/src/com/android/systemui/media/MediaResumeListenerTest.kt" }, { "type": "modify", "old\_id": "dafaa6b936968ea7f59078be6405875b43444421", "old\_mode": 33188, "old\_path": "packages/SystemUI/tests/src/com/android/systemui/media/ResumeMediaBrowserTest.kt", "new\_id": "e3134d482955c2aa56ecd990be5bedd4af6abe43", "new\_mode": 33188, "new\_path": "packages/SystemUI/tests/src/com/android/systemui/media/ResumeMediaBrowserTest.kt" } \] }

CVE-2023-35675

In bta_av_rc_msg of bta_av_act.cc, there is a possible use after free due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "b7ea57f620436c83a9766f928437ddadaa232e3a", "tree": "44210c93593b095aefa8e594538a82ed0f55242d", "parents": \[ "8770c07c102c7fdc74626dc717acc8f6dd1c92cc" \], "author": { "name": "Brian Delwiche", "email": "delwiche@google.com", "time": "Wed Mar 01 00:22:59 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:32:14 2023 +0000" }, "message": "Fix potential abort in btu\_av\_act.cc\\n\\nPartner analysis shows that bta\_av\_rc\_msg does not respect handling\\nestablished for a null browse packet, instead dispatching the null\\npointer to bta\_av\_rc\_free\_browse\_msg. Strictly speaking this does\\nnot cause a UAF, as osi\_free\_and\_reset will find the null and abort,\\nbut it will lead to improper program termination.\\n\\nHandle the case instead.\\n\\nBug: 269253349\\nTest: atest bluetooth\_test\_gd\_unit\\nTag: #security\\nIgnore-AOSP-First: Security\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d3ee136851de30261e56c62fbb488541dc564b94)\\nMerged-In: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d\\nChange-Id: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "10019e7edcfbe8bc414161c55065caff40a198a6", "old\_mode": 33188, "old\_path": "system/bta/av/bta\_av\_act.cc", "new\_id": "dce4ea2012ed8268023a64c21c8ac0e46b465aaa", "new\_mode": 33188, "new\_path": "system/bta/av/bta\_av\_act.cc" } \] }

CVE-2023-35666

In MtpPropertyValue of MtpProperty.h, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "ea6131efa76a0b2a12724ffd157909e2c6fb4036", "tree": "319c72a5161203965654fc6695aece4c98ee4a65", "parents": \[ "f11b333bf64438eaa7f8ccb5d8d02b472406e6bd" \], "author": { "name": "Shruti Bihani", "email": "shrutibihani@google.com", "time": "Thu Jul 06 08:41:56 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:29:53 2023 +0000" }, "message": "Fix Segv on unknown address error flagged by fuzzer test.\\n\\nThe error is thrown when the destructor tries to free pointer memory.\\nThis is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error.\\n\\nBug: 245135112\\nTest: Build mtp\_host\_property\_fuzzer and run on the target device\\n(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:99d0823ca2b8275f000a437150fb8d1938b1b31a)\\nMerged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580\\nChange-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "36d736065f30b1e525e8ea2efd8a1cf08feaa39c", "old\_mode": 33188, "old\_path": "media/mtp/MtpProperty.h", "new\_id": "2bdbfd32627d5c6438169022604fd403495eb1e1", "new\_mode": 33188, "new\_path": "media/mtp/MtpProperty.h" } \] }

Tag

#google