SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVE-2019-16294: Scintilla

Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and earlier versions have a Same Origin Method Execution vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user.

Security Bulletin for Adobe Flash Player | APSB19-46

Bulletin ID

Date Published

Priority

APSB19-46

September 10, 2019

 2

Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Product

Version

Platform

Adobe Flash Player Desktop Runtime

32.0.0.238 and earlier 

Windows, macOS and Linux

Adobe Flash Player for Google Chrome

32.0.0.238 and earlier

Windows, macOS, Linux and Chrome OS 

Adobe Flash Player for Microsoft Edge and Internet Explorer 11

32.0.0.207  and earlier

Windows 10 and 8.1

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right- click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the latest version:

Note:

*   Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, macOS and Linux update to Adobe Flash Player 32.0.0.255 via the update mechanism within the product \[1\] or by visiting the Adobe Flash Player Download Center.
*   Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 32.0.0.255  for Windows, macOS, Linux and Chrome OS.
*   Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 32.0.0.255.
*   Please visit the Flash Player Help page for assistance in installing Flash Player.

\[1\] Users who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Number**

Use After Free

Arbitrary Code Execution

Critical

CVE-2019-8070

Same Origin Method Execution

Arbitrary Code Execution 

Critical 

CVE-2019-8069 

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8070)
*   Eduardo Braun Prado working with Trend Micro Zero Day Initiative (CVE-2019-8069)

CVE-2019-8069: Adobe Security Bulletin

The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS.

*   Details
*   Reviews
*   Installation
*   Development

CF7 Invisible reCAPTCHA plugin is an effective solution that secures your Contact form 7 forms on WordPress websites from spam entries while letting human pass over easily.

Just a single click they’ll confirm they are not a robot.

Activated only in cases where Google suspects that the visitor is not a human.

This plugin utilizes the popular anti-spam library, Google invisible reCAPTCHA, to help your blog stay clear of spams.

All it takes is 2 easy step to make your website stand out from rest of your competitors.

1.  Install the plugin.
2.  Add site and secret key.

It’s easy to use.

Read **How to use?** section to find out more about the CF7 Invisible reCAPTCHA configurations

**Need Support?** wp.support@vsourz.com

**Features**

*   Protection against disabled JavaScript from the browser.
*   Easy and simple settings for quick setup without a change in code.
*   Option to **Enable/Disable Protection** for Contact Form 7.
*   Easy to **Exclude** Invisible reCAPTCHA for the particular form.
*   Option to **Show/Hide** Google reCaptcha Badge.
*   Easy to Manage **Badge Position**.
*   Easy to validate your **Site Key** and **Secret key** from CF7 Invisible reCAPTCHA menu.

**How to use?**

1.  Install Plugin via WordPress Admin – Go to Admin > Plugins > Add New.
2.  Add CF7 Invisible reCAPTCHA Go To CF7 Invisible reCAPTCHA.
3.  Enable Protection for Contact Form 7.
4.  Add Site Key and Secret Key.
5.  Validate Site Key and Secret Key.

**License**

GPLv2 – https://www.gnu.org/licenses/gpl-2.0.html

**Install via WordPress Admin**

1.  Ready the zip file of the plugin
2.  Go to Admin > Plugins > Add New
3.  On the upper portion click the Upload link
4.  Using the file upload field, upload the plugin zip file here and activate the plugin

**Install via FTP**

1.  First, unzip the plugin file
2.  Using FTP go to your server’s wp-content/plugins directory
3.  Upload the unzipped plugin here
4.  Once finished login into your WP Admin and go to Admin > Plugins
5.  Look for CF7 Invisible reCAPTCHA and activate it

**Usage**

1.  Add site and secret key

**Can I Add Invisible reCAPTCHA in more than one form on the same page?**

Yes.

**Can I remove Invisible reCAPTCHA in particular form?**

Yes, we have provided exclude functionality to remove invisible reCAPTCHA in particular form.

**Can I Enable/Disable Invisible reCAPTCHA Protection for Contact Form 7?**

Yes, we have provided functionality to Enable/Disable Invisible reCAPTCHA Protection for all Contact Form.

**What to do if CF7 Invisible reCAPTCHA plugin not work?**

If the plugin does not work on the website, contact our Support Team via following email address: wp.support@vsourz.com.  
If you think, that you found a bug in our CF7 Invisible reCAPTCHA plugin or have any question contact us at wp.support@vsourz.com. Our support team will solve within 24 hours.

Does not work with the latest version of Contact form 7!

Good plugin if need to install Recaptcha for a contact form with the custom position.

Great plugin but it has stopped working for me and is in conflict with Contact Form 7. It's stuck at the spinning wheel after pressing submit button of Contact Form 7. Nothing happens. Please fix asap. WP v4.9.8 This Plugin v1.3.3

Simple plugin, one click to protect all the forms at once. You can exclude certain forms if needed.

The plugin overwrites standard CF7 validation, so I can't use it. Why is that?

Semplicemente non funziona e rompe il form rendendolo inutilizzabile. È molto meglio "Invisible reCaptcha for WordPress" di Mihai Chelaru.

Read all 13 reviews

“CF7 Invisible reCAPTCHA” is open source software. The following people have contributed to this plugin.

Contributors

*    Vsourz Digital

**1.3.3**

*   Optimised the JS code in header.
*   Add class option given for submit button.

**1.3.2**

*   **Minor bug fix:** Security against cross-site scripting (XSS) vulnerability.

**1.3.1**

*   **Minor bug fix:** Resolved the caching issue.

**1.3.0**

*   **Protect form against disabled javascript:** Added script to protect form against disabled javascript from the browser.
*   **Restrict spam entries:** Added script to restrict spam entries to the contact form.

**1.2.1**

*   **Minor tweak related to JavaScript**: Fix issue related to not get any action on click on form submit.

**1.2.0**

*   **Repositioning**: We have set the ‘CF7 Invisible reCAPTCHA’ menu under Contact Form menu.
*   **Validate Credentials**: You can validate your Site Key and Secret Key into ‘CF7 Invisible reCAPTCHA’ menu.

**1.1.0**

*   Fix drop down issue.

**1.0.0**

*   Initial

CVE-2018-21012: CF7 Invisible reCAPTCHA

CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.

*   Details
*   Reviews
*   Installation
*   Development

Sell tickets and collect RSVPs with the free Event Tickets plugin, from the team behind the number one calendar in WordPress.

This plugin makes it easy to sell tickets, collect registrations, and manage attendees for your in-person or virtual events. Plus, it comes with features backed by our world-class team of developers and designers. Easily integrate Event Tickets with your Stripe account or PayPal business account.

Connect to Stripe and take advantage of one of the world’s most popular payment gateways. Our Stripe integration lets you accept credit card payments on your website, along with additional payment methods including AfterPay, ClearPay, AliPay, Giropay, and Klarna.

See more videos on our YouTube channel

Easily connect to PayPal without any complicated API keys or code through our quick connection wizard in your WordPress backend. With just a few clicks, you can begin selling tickets and enable payment through PayPal, Venmo, and credit cards.

Even more, you can upgrade to Event Tickets Plus and unlock additional payment methods including digital wallets like ApplePay and Google Pay through Stripe, or use WooCommerce to take advantage of popular payment solutions including Braintree, Square, AmazonPay, and more.

**🎟️ Ticketing and Registration for WordPress**

See Event Tickets in action on our demo site. Just getting started? Check out the Getting Started Guide for an introduction to features, settings, and functionality.

Looking for additional features like custom registration fields, QR check-in, Zoom integration, and more? **Check out Event Tickets Plus and our other add-ons**.

**🔌🎨 Plug and Play or Customize**

Event Tickets is built to work out of the box. Just install the plugin, configure your settings, and start collecting RSVPs and selling tickets in minutes.

Add your own touch by using Event Tickets as the foundation for customization. Personalize to your heart’s content with the help of a skeleton stylesheet, partial template overrides, template tags, hooks and filters, careful documentation, and a library of free extensions.

Whether your vision is big or small, you’re in good company. Thousands of small businesses, musicians, venues, restaurants, and non-profits are increasing revenue from their in-person and virtual events with Event Tickets. Our plugins have also been scaled to work on large networks for Fortune 100 companies, universities, and government institutions.

**✨ Features**

✔️ Attendees can purchase tickets to events  
✔️ Attendees can RSVP to events  
✔️ Sell tickets with PayPal and/or Stripe using our free commerce solution, Tickets Commerce.  
✔️ Add RSVPs and tickets to posts, pages, or custom post types  
✔️ Collect ticket fees by connecting your PayPal business or Stripe account  
✔️ Generate sales and attendee reports  
✔️ Ticket stock countdown  
✔️ Automatic ticket confirmation emails  
✔️ Works out of the box with The Events Calendar  
✔️ Responsive design works on all devices  
✔️ Tested on the major theme frameworks such as Avada, Genesis, Kadence, Thesis and many more.  
✔️ Internationalized & translated  
✔️ Extensive template tags for customization  
✔️ Hooks & filters galore  
✔️ Library of extensions

Upgrade to Event Tickets Plus for full WooCommerce integration to use additional payment gateways.

**📃 Documentation**

All of our documentation can be found in our knowledgebase.

Additional helpful links:

*   Guide: Getting Started with Event Tickets
*   Installing Event Tickets Video
*   Using Tickets Commerce Video
*   Do I need Event Tickets or Event Tickets Plus?
*   How to Make Money with Virtual Events
*   Implementing Stripe on Event Tickets and Event Tickets Plus

If you have any questions about this plugin, you can post a thread in the WordPress.org forum. Please search existing threads before starting a new on

**➕ Add-Ons**

Take your calendar to the next level by pairing it with our plugins for ticketing, crowdsourcing, email marketing, and more. Learn more about all our products on our website.  
Our Free Plugins:  
📅 The Events Calendar  
📐 Advanced Post Manager

Our Premium Plugins and Services:

⚡ Events Calendar Pro  
↪️ Event Aggregator (service)  
🎟️ Event Tickets Plus  
✉️ Promoter  
👥 Community Events  
🎟️ Community Tickets  
✏️ Filter Bar  
🗓️ Eventbrite Tickets  
📡 Virtual Events

**Help**

If you aren’t familiar with Event Tickets, check out our Getting Started Guide. It will have you creating tickets in no time.

Ready to dig deeper? Check out these resources:

*   Tutorials
*   Known Issues
*   Help Videos
*   Release Notes

We check in on the Event Tickets forum here on WordPress.org about once a week to help users with basic troubleshooting and identifying bugs. If you’re looking for premium, personalized support, consider upgrading to Event Tickets Plus.

Still have a question? Shoot us an email at support@theeventscalendar.com.

**Translate**

Event Tickets is translated into multiple languages, including German, Danish, and Dutch. Help localize Event Tickets even further by adding your locale – visit translate.wordpress.org.

1.  From the dashboard of your site, navigate to Plugins –> Add New.
2.  Select the Upload option and hit “Choose File.”
3.  When the popup appears select the event-tickets.x.x.zip file from your desktop. (The ‘x.x’ will change depending on the current version number).
4.  Follow the on-screen instructions and wait as the upload completes.
5.  When it’s finished, activate the plugin via the prompt. A message will show confirming activation was successful.
6.  For access to new updates, make sure you have added your valid License Key under Tickets –> Settings –> Licenses.

**Are there any troubleshooting steps I should try before I post a new thread in the support forum?**

First, make sure that you’re running the latest version of Event Tickets. If you’ve got any other add-ons, make sure those are current and running the latest code as well. Also be sure to check our knowledgebase.

The most common issues we see are either plugin or theme conflicts. You can test if a plugin or theme is conflicting by manually deactivating other plugins until just Event Tickets is running on your site. If the issue persists, revert to the default Twenty Twenty theme. If the issue is resolved after deactivating a specific plugin or your theme, you’ll know that is the source of the conflict.

Note that we aren’t going to say “tough luck” if you identify a plugin/theme conflict. While we can’t guarantee 100% integration with any plugin or theme out there, we will do our best (and reach out the plugin/theme author as needed) to figure out a solution that benefits everyone.

**I’m still stuck. Where do I go to file a bug or ask a question?**

Free plugin users can post in the Event Tickets support forum on WordPress.org. Our team reviews that forum weekly to look for bug reports.

If you’re already an Event Tickets Plus subscriber, you’re entitled to our actively-monitored Premium Support on our website. Generally, except in times of increased support loads, we reply to all premium support tickets within 24 hours during the business week.

**What’s the difference between Event Tickets and Events Tickets Plus?**

Event Tickets is our free ticketing plugin that has all the basics you need to sell tickets and collect RSVPs on your website. You can use Event Tickets with or without The Events Calendar.

Event Tickets Plus is a premium plugin that runs alongside Event Tickets and enhances it with extra features, including custom registration fields, shortcodes, WooCommerce integration, enhanced Stripe functionality for Stripe for Tickets Commerce, our mobile ticketing app and more.

Read more to learn which plugin is right for you.

**Do I need The Events Calendar to run Event Tickets?**

Nope! Event Tickets works with or without The Events Calendar. Even if you don’t have The Events Calendar, you can create RSVPs and tickets on WordPress pages and posts.

**Can I email attendees using Event Tickets?**

Yes. Event Tickets automatically sends an email confirmation after attendees register or RSVP for an event. If the attendee purchases a ticket, the confirmation email will also provide a ticket to scan at the door for admission.

**What add-ons are available for Event Tickets, and where can I read more about them?**

The following add-ons are available for The Events Calendar:

*   Events Calendar Pro, for adding premium calendar features like recurring events, advanced views, cool widgets, shortcodes, additional fields, and more!
*   Event Aggregator, a service that effortlessly fills your calendar with events from Meetup, Google Calendar, iCalendar, Eventbrite, CSV, and ICS.
*   Virtual Events, which optimizes your calendar for virtual events including Zoom integration, video and livestream embeds, SEO optimization for online events and more.
*   Event Tickets Plus, which allows you to sell tickets for your events using your favorite e-commerce platform.
*   Promoter, automated email communication made just for The Events Calendar and Event Tickets. Stay in touch with your attendees every step of the way.
*   Community Events, for allowing frontend event submission from your readers.
*   Community Tickets, which allows event organizers to sell tickets to the events they submit via Community Events.
*   Filter Bar, for adding advanced frontend filtering capabilities to your events calendar.
*   Eventbrite Tickets, for selling tickets to your event directly through Eventbrite.

**I have a feature idea. What’s the best way to tell you about it?**

We’ve got a LoopedIn page where we’re actively watching for feature ideas from the community. Vote up existing feature requests or add your own, and help us shape the future of the products business in a way that best meets the community’s needs.

**I’ve still got questions. Where can I find answers?**

Check out our extensive knowledgebase for articles on using, tweaking, and troubleshooting our plugins.

Both my client and myself are very disappointed with the modernization process of TEC + Tickets Pro to the Block Editor. Every step has been painful for over 6 months. We’ll be replacing this with a competing plugin.

Email support was good. Apart from referring to the manuals, as they should, they still investigated further and gave us a solution for our problem. Well done!

So many bug when it comes to payment and support is so so so slow. I am losing sales because to this. Using Stripe: Apple pay freezes No Way to turn off Apple Pay, turning it off doesnt save Can't validate webhook Support keeps asking me to create a staging to test, sure, but they take a week to reply. Some support staff even told me they have no experience with apple pay and it is not their feature, i mean...come on...its right there in your setting

Followed the documentation, but cannot get Stripe to validate webhook. Read other support threads and have confirmed that everything is in order as per the documentation. I was testing out the plugin, but given the time wasted, there is no way I will continue to use it to sell tickets if the free version which includes a 2% fee doesn't work, why would I bother upgrading to the premium version. Seem to much of a risk. Also, looking at people comments, it seems support is slow (they are constantly away from the office/out of the office. Look at other plugins out there.

Constant issues. Nearly impossible to make work. Stops working for no apparent reason. I make websites, used probably hundreds of different plugins over the years. This is in the top 5 worst. There is an easy/user friendly way to do things. This plugin does the opposite in nearly every avenue.

Despite having over 18 months of warning from EDD that their plugin needed updating, they have failed to make any progress whatsoever. They use incompatible, depreciated methods which means tickets sold do not have the attendees details saved, just the purchaser. If I could give this negative stars, I would.

Read all 130 reviews

“Event Tickets and Registration” is open source software. The following people have contributed to this plugin.

Contributors

**\[5.5.8\] 2023-02-22**

*   Version – Event Tickets 5.5.8 is only compatible with The Events Calendar 6.0.10 and higher.
*   Version – Event Tickets 5.5.8 is only compatible with Event Tickets Plus 5.6.7 and higher.
*   Tweak – PHP version compatibility bumped to PHP 7.4
*   Tweak – Version Composer updated to 2
*   Tweak – Version Node updated to 18.13.0
*   Tweak – Version NPM update to 8.19.3
*   Tweak – Reduce JavaScript bundle sizes for Blocks editor

**\[5.5.7\] 2023-02-09**

*   Enhancement – Added currency format options to alter currency decimal separator, thousand separator, and number of decimal places. \[ET-1608\]
*   Tweak – Updated Currency options in Tickets Commerce settings for Croatian users from Kuna (HRK) to Euro (EUR). \[ET-1625\]
*   Tweak – Updated Attendee Registration Fields upsell notice to only display in admin dashboard. \[CT-67\]
*   Fix – Resolve provisional IDs properly on the event edit screen for ticket management actions. \[ET-1632\]
*   Fix – Fixed Ticket Commerce cart cookies not getting saved. \[ET-1629\]
*   Language – 28 new strings added, 189 updated, 5 fuzzied, and 3 obsoleted

**\[5.5.6\] 2023-01-16**

*   Tweak – Updated the settings description for stock handling options. \[ET-1603\]
*   Tweak – Added the tribe-tickets__tickets-item--shared-capacity wrapper class for tickets having shared capacity. \[ETP-841\]
*   Tweak – Added a dashboard notice for sites running PHP versions lower than 7.4 to alert them that the minimum version of PHP is changing to 7.4 in February 2023.
*   Enhancement – Added search capabilities to the Tickets Commerce Orders report page. \[ET-1259\]
*   Fix – Allow loading attendance page with event_id params that use The Events Calendar provisional IDs. \[ET-1624\]
*   Language – 4 new strings added, 43 updated, 0 fuzzied, and 2 obsoleted

**\[5.5.5\] 2022-12-08**

*   Fix – Remove need for Platform Controls to verify webhook signatures in Stripe. \[ET-1508\]
*   Fix – Fixed the order of tickets in an event changing when you haven’t manually requested it. \[ET-1568\]
*   Fix – Fixed shared capacity tickets only showing the lowest capacity between the shared pool tickets. \[ETP-815\]
*   Tweak – Removed locale param for Tickets Commerce JS SDK as per PayPal recommendation. \[ET-1615\]
*   Language – 110 new strings added, 193 updated, 5 fuzzied, and 24 obsoleted

**\[5.5.4\] 2022-11-09**

*   Fix – Fixes multiple of the same ticket form being on the same page being out of sync. \[GTRIA-729\]
*   Fix – Added a JS event that checks for attendee label validation if ET+ is active. \[ETP-803\]

**\[5.5.3\] 2022-10-31**

*   Fix – Orderby param not working for Attendee archive REST API. \[ET-1591\]
*   Fix – Properly save the check-in details for attendees on check-in. \[ETP-819\]
*   Fix – TicketsCommerce ticketed events not showing up for Events REST API. \[ET-1567\]
*   Fix – Update version of Firebase/JWT in Common from 5.x to 6.3.0
*   Enhancement – Added support for name and email param for searching in Attendee archive REST API. \[ET-1591\]
*   Enhancement – Add template tag to properly check if The Events Calendar is active. \[ETP-820\]
*   Enhancement – Add attendance information to the events REST API endpoint. \[ET-1580\]
*   Enhancement – Add check_in argument support for attendees REST API endpoint. \[ET-1588\]
*   Language – 0 new strings added, 18 updated, 0 fuzzied, and 0 obsoleted

**\[5.5.2\] 2022-10-20**

*   Fix – Update version of Firebase/JWT in Common from 5.x to 6.3.0

**\[5.5.1\] 2022-09-22**

*   Fix – Listing tickets is no longer limited by the global settings. \[ET-1584\]
*   Fix – Correct parameter type hinting when param can be null. \[ET-1582\]
*   Fix – Showing Checkout not available and credit card fields at the same time for PayPal gateway in TicketsCommerce. \[ETP-812\]
*   Language – 0 new strings added, 1 updated, 0 fuzzied, and 0 obsoleted

**\[5.5.0\] 2022-09-06**

*   Version – Event Tickets 5.5.0 is only compatible with The Events Calendar 6.0.0 and higher.
*   Version – Event Tickets 5.5.0 is only compatible with Event Tickets Plus 5.6.0 and higher.
*   Enhancement – Adds a compatibility layer to work with the new Recurrence Backend Engine in TEC/ECP.
*   Language – 4 new strings added, 49 updated, 0 fuzzied, and 3 obsoleted

See changelog for all versions

CVE-2019-16120: Event Tickets and Registration

In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

_Published September 3, 2019 | Updated September 12, 2019_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2019-09-05 or later address all issues in this bulletin and all issues in the September 2019 Android Security Bulletin. To learn how to check a device's security patch level, see Check & update your Android version.

All supported Google devices will receive an update to the 2019-09-05 patch level. We encourage all customers to accept these updates for their devices.

**Announcements**

In addition to the security vulnerabilities described in the September 2019 Android Security Bulletin, supported Google devices that are updated to Android 10 also contain patches for the security vulnerabilities described in this bulletin. Partners were notified that these issues are addressed in Android 10.

**Security patches**

The following tables include security patches that are addressed on Pixel devices with Android 10. Vulnerabilities are grouped under the component that they affect. Issues are described in the below tables and include CVE ID, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Broadcom components**

    

CVE

References

Type

Severity

Component

CVE-2019-9426

A-110460199\*

EoP

Moderate

Bluetooth

**LG components**

    

CVE

References

Type

Severity

Component

CVE-2019-9436

A-127320561\*

EoP

Moderate

Bootloader

CVE-2019-2191

A-68770980\*

ID

Moderate

Bootloader

CVE-2019-2190

A-68771598\*

ID

Moderate

Bootloader

**Kernel components**

    

CVE

References

Type

Severity

Component

CVE-2019-9345

A-27915347\*

EoP

High

Kernel

CVE-2019-9461

A-120209610\*

ID

High

VPN

CVE-2019-9248

A-120279144\*

EoP

Moderate

Touch driver

CVE-2019-9270

A-65123745\*

EoP

Moderate

Wi-Fi

CVE-2019-2182

A-128700140  
Upstream kernel

EoP

Moderate

Kernel MMU

CVE-2019-9271

A-69006201\*

EoP

Moderate

MNH driver

CVE-2019-9273

A-70241598\*

EoP

Moderate

Touch driver

CVE-2019-9274

A-70809925\*

EoP

Moderate

MNH driver

CVE-2019-9275

A-71508439\*

EoP

Moderate

MNH driver

CVE-2019-9276

A-70294179\*

EoP

Moderate

Touch driver

CVE-2019-9441

A-69006882\*

EoP

Moderate

MNH driver

CVE-2019-9442

A-69808778\*

EoP

Moderate

MNH driver

CVE-2019-9443

A-70896844\*

EoP

Moderate

VL53L0 driver

CVE-2019-9446

A-118617506\*

EoP

Moderate

Touch driver

CVE-2019-9447

A-119120571  
Upstream kernel

EoP

Moderate

Touch driver

CVE-2019-9448

A-120141999  
Upstream kernel

EoP

Moderate

Touch driver

CVE-2019-9450

A-120141034  
Upstream kernel

EoP

Moderate

Touch driver

CVE-2019-9451

A-120211415  
Upstream kernel

EoP

Moderate

Touch driver

CVE-2019-9454

A-129148475  
Upstream kernel

EoP

Moderate

I2C driver

CVE-2019-9456

A-71362079  
Upstream kernel

EoP

Moderate

USB driver

CVE-2019-9457

A-116716935  
Upstream kernel

EoP

Moderate

Kernel

CVE-2019-9458

A-117989855  
Upstream kernel

EoP

Moderate

Video driver

CVE-2019-8912

A-125367761  
Upstream kernel

EoP

Moderate

Crypto

CVE-2018-18397

A-124036248  
Upstream kernel

EoP

Moderate

Storage

CVE-2018-14614

A-116406552  
Upstream kernel

EoP

Moderate

Storage

CVE-2018-1000199

A-110918800  
Upstream kernel

EoP

Moderate

ptrace

CVE-2018-13096

A-113148557  
Upstream kernel

EoP

Moderate

Storage

CVE-2018-5803

A-112406370  
Upstream kernel

DoS

Moderate

SCTP

CVE-2019-2189

A-112312381

EoP

Moderate

Image driver

CVE-2019-2188

A-112309571\*

EoP

Moderate

Image driver

CVE-2017-16939

A-70521013  
Upstream kernel

EoP

Moderate

Netlink XFRM

CVE-2018-20169

A-120783657  
Upstream kernel

ID

Moderate

USB driver

CVE-2019-9245

A-120491338  
Upstream kernel

ID

Moderate

Storage driver

CVE-2019-9444

A-78597155  
Upstream kernel

ID

Moderate

Storage driver

CVE-2019-9445

A-118153030  
Upstream kernel

ID

Moderate

Storage driver

CVE-2019-9449

A-120141031  
Upstream kernel

ID

Moderate

Touch driver

CVE-2019-9452

A-120211708  
Upstream kernel

ID

Moderate

Touch driver

CVE-2019-9453

A-126558260  
Upstream kernel

ID

Moderate

Storage driver

CVE-2019-9455

A-121035792  
Upstream kernel

ID

Moderate

Video driver

CVE-2018-19985

A-131963918  
Upstream kernel

ID

Moderate

USB driver

CVE-2018-20511

A-123742046  
Upstream kernel

ID

Moderate

nNet/AppleTalk

CVE-2018-1000204

A-113096593  
Upstream kernel

ID

Moderate

Storage

**Qualcomm components**

    

CVE

References

Type

Severity

Component

CVE-2017-14888

A-70237718  
QC-CR#2119729

N/A

Moderate

WLAN host

CVE-2018-3573

A-72957667  
QC-CR#2124525

N/A

Moderate

Bootloader

CVE-2017-15844

A-67749071  
QC-CR#2127276

N/A

Moderate

Kernel

CVE-2018-3574

A-72957321  
QC-CR#2148121 \[2\] \[3\]

N/A

Moderate

Kernel

CVE-2018-5861

A-77527684  
QC-CR#2167135

N/A

Moderate

Bootloader

CVE-2018-11302

A-109741923  
QC-CR#2209355

N/A

Moderate

WLAN host

CVE-2018-5919

A-65423852  
QC-CR#2213280

N/A

Moderate

WLAN host

CVE-2018-11818

A-111127974  
QC-CR#2170083 \[2\]

N/A

Moderate

MDSS driver

CVE-2018-11832

A-111127793  
QC-CR#2212896

N/A

Moderate

Kernel

CVE-2018-11893

A-111127990  
QC-CR#2231992

N/A

Moderate

WLAN host

CVE-2018-11919

A-79217930  
QC-CR#2209134 \[2\] \[3\]

N/A

Moderate

Kernel

CVE-2018-11939

A-77237693  
QC-CR#2254305

N/A

Moderate

WLAN host

CVE-2018-11823

A-112277122  
QC-CR#2204519

N/A

Moderate

Power

CVE-2018-11929

A-112277631  
QC-CR#2231300

N/A

Moderate

WLAN host

CVE-2018-11943

A-72117228  
QC-CR#2257823

N/A

Moderate

Bootloader

CVE-2018-11947

A-112277911  
QC-CR#2246110 \[2\]

N/A

Moderate

WLAN host

CVE-2018-11947

A-112278406  
QC-CR#2272696

N/A

Moderate

WLAN host

CVE-2018-11942

A-112278151  
QC-CR#2257688

N/A

Moderate

WLAN host

CVE-2018-11983

A-80095430  
QC-CR#2262576

N/A

Moderate

Kernel

CVE-2018-11984

A-80435805  
QC-CR#2266693

N/A

Moderate

Kernel

CVE-2018-11987

A-70638103  
QC-CR#2258691

N/A

Moderate

Kernel

CVE-2018-11985

A-114041193  
QC-CR#2163851

N/A

Moderate

Bootloader

CVE-2018-11988

A-114041748  
QC-CR#2172134 \[2\]

N/A

Moderate

Kernel

CVE-2018-11986

A-62916765  
QC-CR#2266969

N/A

Moderate

Camera

CVE-2018-12010

A-62711756  
QC-CR#2268386

N/A

Moderate

Kernel

CVE-2018-12006

A-77237704  
QC-CR#2257685 \[2\]

N/A

Moderate

Display

CVE-2018-13893

A-80302295  
QC-CR#2291309 \[2\]

N/A

Moderate

diag\_mask

CVE-2018-12011

A-109697864  
QC-CR#2274853

N/A

Moderate

Kernel

CVE-2018-13912

A-119053502  
QC-CR#2283160 \[2\]

N/A

Moderate

Camera

CVE-2018-13913

A-119053530  
QC-CR#2286485 \[2\]

N/A

Moderate

Display

CVE-2018-3564

A-119052383  
QC-CR#2225279

N/A

Moderate

DSP services

CVE-2019-2248

A-122474006  
QC-CR#2328906

N/A

Moderate

Display

CVE-2019-2277

A-127512945  
QC-CR#2342812

N/A

Moderate

WLAN host

CVE-2019-2263

A-116024809  
QC-CR#2076623

N/A

Moderate

Kernel

CVE-2019-2345

A-110849476  
QC-CR#2115578

N/A

Moderate

Camera

CVE-2019-2306

A-115907574  
QC-CR#2337383 \[2\]

N/A

Moderate

Display

CVE-2019-2299

A-117988970  
QC-CR#2243169

N/A

Moderate

WLAN host

CVE-2019-2312

A-117885392  
QC-CR#2341890

N/A

Moderate

WLAN host

CVE-2019-2314

A-120028144  
QC-CR#2357704

N/A

Moderate

Display

CVE-2019-2314

A-120029095  
QC-CR#2357704

N/A

Moderate

Display

CVE-2019-2302

A-130565935  
QC-CR#2300516

N/A

Moderate

WLAN host

CVE-2019-10506

A-117885703  
QC-CR#2252793

N/A

Moderate

WLAN host

CVE-2018-13890

A-111274306  
QC-CR#2288818

N/A

Moderate

WLAN host

CVE-2019-10507

A-132170503  
QC-CR#2253396

N/A

Moderate

WLAN host

CVE-2019-10508

A-132173922  
QC-CR#2288818

N/A

Moderate

WLAN host

CVE-2019-2284

A-132173427  
QC-CR#2358765

N/A

Moderate

Camera

CVE-2019-2333

A-132171964  
QC-CR#2381014 \[2\] \[3\]

N/A

Moderate

Kernel

CVE-2019-2341

A-132172264  
QC-CR#2389324 \[2\]

N/A

Moderate

Audio

CVE-2019-10497

A-132173298  
QC-CR#2395102

N/A

Moderate

Audio

CVE-2019-10542

A-134440623  
QC-CR#2359884

N/A

Moderate

WLAN host

CVE-2019-10502

A-134441002  
QC-CR#2401297 \[2\] \[3\]

N/A

Moderate

Camera

CVE-2019-10528

A-63528466  
QC-CR#2133028 \[2\]

N/A

Moderate

Kernel

CVE-2018-11825

A-117985523  
QC-CR#2205722

N/A

Moderate

WLAN host

CVE-2019-10565

A-129275872  
QC-CR#2213706

N/A

Moderate

Camera

**Qualcomm closed-source components**

    

CVE

References

Type

Severity

Component

CVE-2018-11899

A-69383398\*

N/A

Moderate

Closed-source component

CVE-2019-2298

A-118897119\*

N/A

Moderate

Closed-source component

CVE-2019-2281

A-129765896\*

N/A

Moderate

Closed-source component

CVE-2019-2343

A-130566880\*

N/A

Moderate

Closed-source component

**Functional patches**

Please see this post for a description of features included with Android 10.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2019-09-05 or later address all issues associated with the 2019-09-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**Versions**

  

Version

Date

Notes

1.0

September 3, 2019

Bulletin published.

1.1

September 12, 2019

Bulletin updated.

CVE-2019-9456: Pixel Update Bulletin—September 2019  |  Android Open Source Project

In the Android kernel in VPN routing there is a possible information disclosure. This could lead to remote information disclosure by an adjacent network attacker with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2019-9461: Pixel Update Bulletin—September 2019  |  Android Open Source Project

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

CVE-2019-15646: RSVPMaker

The ad-inserter plugin before 2.4.20 for WordPress has path traversal.

CVE-2019-15323: Ad Inserter – Ad Manager & AdSense Ads

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

CVE-2015-9333: cformsII

The wp-slimstat plugin before 4.8.1 for WordPress has XSS.

*   Details
*   Reviews
*   Installation
*   Development

Track returning customers and registered users, monitor Javascript events, detect intrusions, analyze email campaigns. Thousands of WordPress sites are already using it.

**Main features**

*   **Real-Time Access Log**: measure server latency, track page events, keep an eye on your bounce rate and much more.
*   **Shortcodes**: display reports in widgets or directly in posts and pages.
*   **GDPR**: fully compliant with the GDPR European law. You can test your website at cookiebot.com.
*   **Filters**: exclude users from statistics collection based on various criteria, including user roles, common robots, IP subnets, admin pages, country, etc.
*   **Export to Excel**: download your reports as CSV files, generate user heatmaps or get daily emails right in your mailbox (via premium add-ons).
*   **Cache**: compatible with W3 Total Cache, WP SuperCache, CloudFlare and most caching plugins.
*   **Privacy**: hash IP addresses to protect your users’ privacy.
*   **Geolocation**: identify your visitors by city and country, browser type and operating system (courtesy of MaxMind and Browscap).
*   **World Map**: see where your visitors are coming from, even on your mobile device (courtesy of amMap).

**Requirements**

*   WordPress 5.0+
*   PHP 7.4+
*   MySQL 5.0.3+
*   At least 5 MB of free web space (240 MB if you plan on using the external libraries for geolocation and browser detection)
*   At least 10 MB of free DB space
*   At least 32 Mb of free PHP memory for the tracker (peak memory usage)

**Please note**

*   If you decide to uninstall Slimstat Analytics, all the stats will be **PERMANENTLY** deleted from your database. Make sure to setup a database backup (wp\_slim\_\*) to avoid losing your data.

1.  In your WordPress admin, go to Plugins > Add New
2.  Search for Slimstat Analytics
3.  Click on **Install Now** next to Slimstat Analytics and then activate the plugin
4.  Make sure your template calls wp_footer() or the equivalent hook somewhere (possibly just before the </body> tag)

An extensive knowledge base is available on our website.

Thanks for this plugin! I really enjoy using the real-time user data. It also helps to find out about 404 errors/links on the site. You are doing great 🙂

I want a real time stats of active users on various pages of my site. But the real time page simply lists the current users and there is a map showing their location. Also, there are setting for date range??? This page could be configured better. Include setting as to what qualifies a active user (such as entered page within the last 15 minutes). Some information presented is useful. Also, stats regarding performance taxing on server would be good. But as it is, I don't think I will keep this over GA4.

Best in-house stats plugin for wordpress I could find and great support. No more sharing my website data with third-parties, like Google Analytics. Highly recommend it.

The plugin has been updated. It downloads and unpacks the GeoLite2 database from Maxmind for WooCommerce website without a hiccup. Thank you for a great tool, essential for planning inventory and blocking gargoyles.

Demasiado brutal, tengo menos de un minuto usándola y ya la amo.

especially since the author renewed the plugin recently. It's got geolocation and browser useragent working. Wonderful

Read all 807 reviews

“Slimstat Analytics” is open source software. The following people have contributed to this plugin.

Contributors

**4.9.3.2**

*   \[Fix\] The filtering issue

**4.9.3.1**

*   \[Fix\] Query issue in UTF-8 slugs

**4.9.3**

*   \[Update\] New logo and icon for the plugin!
*   \[Fix\] Hardened plugin security and sanitization of user input and escaped output

**4.9.2**

*   \[Fix\] Fixed tweak notice errors while activating the plugin in fresh installation
*   \[Update\] Tested up to WordPress v6.1

**4.9.0.1**

*   \[Fix\] Entries in the Top Referring Domains report were pointing to broken links (thank you, s7ech).
*   \[Fix\] The new Browscap Library requires at least PHP 7.4, up from 7.1. (thank you, Daniel Jaraud).

**4.9**

*   \[New\] Browscap Library is now bundled with the main plugin, only definition files are downloaded dynamically.
*   \[New\] Support MaxMind License Key for GeoLite2 database downloads.
*   \[New\] Speedup Browscap version check when repository site is down.
*   \[New\] Delete plugin settings and stats only if explicitly enabled in settings
*   \[Fix\] Addressed a PHP warning of undefined variable when parsing a query string looking for search term keywords (thank you, inndesign).
*   \[Fix\] Fixed SQL error when Events Manager plugin is installed, ‘Posts and Pages’ is enabled, and no events are existing (thank you, lwangamaman.
*   \[Fix\] Starting with 4.9, PHP 7.4+ is required (thank you, stephanie-mitchell.
*   \[Fix\] Opt-Out cookie does not delete slimstat cookie.

**4.8.8.1**

*   \[Update\] The Privacy Mode option under Slimstat > Settings > Tracker now controls the fingerprint collection mechanism as well. If you have this option enabled to comply with European privacy laws, your visitors’ IP addresses will be masked and they won’t be fingerprinted (thank you, Peter).
*   \[Update\] Improved handling of our local DNS cache to store hostnames when the option to convert IP addresses is enabled in the settings.
*   \[Fix\] Redirects from the canonical URL to its corresponding nice permalink were being affected by a new feature introduce in version 4.8.7 (thank you, Brookjnk).
*   \[Fix\] The new tracker was throwing a Javascript error when handling events attached to DOM elements without a proper hierarchy (thank , you pollensteyn).
*   \[Fix\] Tracking downloads using third-party solutions like Download Attachments was not working as expected (thank you, damianomalorzo).
*   \[Fix\] Inverted stacking order of dots on the map so that the most recent pageviews are always on top, when dots are really close to each other.
*   \[Fix\] A warning message was being returned by the function looking for search keywords in the URL (thank you, Ryan).

**4.8.8**

*   \[New\] Implemented new FingerPrintJs2 library in the tracker. Your visitors are now associated with a unique identifier that does not rely on cookies, IP address or other unreliable information. This will allow Slimstat to produce more accurate results in terms of session lenghts, user patterns and much more.
*   \[New\] Added event handler for ‘beforeunload’, which will allow the tracker to better meausure the time spent by your visitors on each page. This will make our upcoming new charts even more accurate.
*   \[Update\] Improved algorithm that scans referrer URLs for search terms, and introduced a new list of search engines. Please help us improve this list by submitting your missing search engine entries.
*   \[Update\] Added title field to Slimstat widgets (thank you, jaroslawistok).
*   \[Update\] Reverted a change to the Top Web Pages report that was now combining URLs with a trailing slash and ones without one into one result. As James pointed out, this is a less accurate measure and hides the fact that people might be accessing the website in different ways.
*   \[Update\] The event tracker now annotates each event with information about the mouse button that was clicked and other useful data.
*   \[Fix\] The Country shortcode was not working as expected because of a change in how we handle localization files.
*   \[Fix\] Renamed slim\_i18n class to avoid conflict with external libraries.

**4.8.7.3**

*   \[New\] Implemented a simple query cache to minimize the number of requests needed to crunch and display the data in the reports.
*   \[Update\] Extended tracker to also record the ‘fragment’ portion of the URL, if available (this feature is only available in Client Mode).
*   \[Update\] Do not show the resource title in Network View mode.
*   \[Fix\] Some reports were not optimized for our Network Analytics add-on (thank you, Peter).
*   \[Fix\] The notice displayed to share the latest news with our users would not disappear even after clicking the X button to close it (thank you, Anton).
*   \[Fix\] The ‘Top Web Pages’ reports was listing duplicate entries.
*   \[Fix\] A regression bug was affecting the Currently Online report, by showing incorrect information for the IP addresses.
*   \[Fix\] After resetting the Customizer view, all reports were being listed twice (thank you, Anton).
*   \[Fix\] A new feature introduced by our Javascript tracker was not working as expected in IE11 (thank you, 51nullacht).

**4.8.7.2**

*   \[Fix\] The new tracker was having problems recording clicks on SVG elements within a link (thank you, pollensteyn).
*   \[Fix\] The event handler is now capable of tracking events on BUTTONs within FORM elements.
*   \[Fix\] Permalinks containing post query strings were not being recorded as expected.

**4.8.7.1**

*   \[Note\] We are in the process of deprecating the two columns _type_ and _event\_description_ in the events table, and consolidating that information in the _notes_ field. Code will be added to Slimstat in a few released to actually drop these columns from the database. If you are using those two columns in your custom code, please feel free to contact our support team to discuss your options and how to update your code using the information collected by the new tracker.
*   \[Fix\] A warning message was being displayed when enabling the opt-out feature with certain versions of PHP.
*   \[Fix\] PHP warning being displayed when trying to update some of the add-ons’ settings.
*   \[Fix\] The new tracker was recording the number of posts on an archive page even when the single article was being displayed.
*   \[Fix\] License keys for premium add-ons were not being saved as expected, due to a side effect of the new security features we implemented in the Settings.

**4.8.7**

*   \[New\] With this update, we are introducing an _updated tracker_ (both server and client-side): a new simplified codebase that gets rid of a few layers of convoluted functions and algorithms accumulated over the years. We have been working on this update for quite a while, and the recent conflict with another plugin discovered by some users convinced us to make this our top priority. Even though we have tested our new code using a variety of scenarios, you can understand how it would be impossible to cover all the possible environments available out there. Make sure to clear your caches (local, Cloudflare, WP plugins, etc), to allow Slimstat to append the new tracking script to your pages. Also, if you are using Slimstat to track _external_ pages (outside of your WP install), please make sure to update the code you’re using on those pages with the new one you can find in Slimstat > Settings > Tracker > External Pages.
*   \[New\] Increased minimum WordPress requirements to version 4.9, given that we are now using some more modern functions to enqueue the tracker and implement the customizer feature.
*   \[Update\] We tweaked the SQL query to retrieve ‘recent’ results, and added a GROUP BY clause to remove duplicates. This might affect some custom reports you might have created, so please don’t hesitate to contact us if you have any question or experience any issues.
*   \[Update\] The columns to store event type and description are being deprecated, and consolidated into the existing ‘notes’ column. Our function ss_track() will only accept the note parameter moving forward. Please update your custom code accordingly. In a few releases, we are going to drop those columns from the database.
*   \[Update\] Changed wording on Traffic Sources report to explain what kind of search engine result pages are being counted (thank you, Nina).
*   \[Fix\] The button to delete all the records from the database was not working as expected (thank you, Softfully).
*   \[Fix\] When the plugin was network activated on a group of existing blogs, the tables used to store all the records were not initialized as expected, under given circumstances.
*   \[Fix\] A bug was affecting certain shortcodes when PHP 7.2 was enabled (thank you, Peter).
*   \[Fix\] Emptying one of the settings and saving did not produce the desired effect.

Tag

#google