Darkpills

**Name of the Vulnerable Software and Affected Versions** Symfony 1 versions 1.1.0 through 1.5.18 **Description** The issue is related to a gadget chain due to dangerous deserialization in the `sfNamespacedParameterHolder` class, which could enable an attacker to achieve remote code execution if a developer deserializes user input in their project. This vulnerability presents no direct threat but is a vector that will enable remote code execution if a developer deserializes untrusted user data. The estimated number of potentially affected devices worldwide is not provided. The vulnerability is exploited through the `unserialize()` method in the `sfNamespacedParameterHolder` class, which allows an attacker to provide any object type to make PHP access array or object properties other than intended by the developer. Specifically, the `sfOutputEscaperArrayDecorator` class implements the `ArrayAccess` interface, which can be abused to trigger the `escape()` function in the `sfOutputEscaper` class with attacker-controlled parameters. This can lead to the execution of arbitrary PHP code through the `call user func()` function. **Recommendations** For Symfony 1 versions 1.1.0 through 1.5.18, update to version 1.5.19, which contains a patch for the issue. As a temporary workaround, consider adding type checking before processing unserialized input, such as checking if the data is an array before accessing its elements. For example: ```php public function unserialize($data) { if (is array($data)) { $this->default namespace = $data[0]; $this->parameters = $data[1]; } else { $this->default namespace = null; $this->parameters = array(); } } ``` This fix should be applied in both `sfNamespacedParameterHolder` and `sfParameterHolder` classes.

**Name of the Vulnerable Software and Affected Versions** Symfony1 versions 1.3.0 through 1.5.17 **Description** This issue is related to a gadget chain in Symfony1 due to a vulnerable Swift Mailer dependency. The vulnerability allows an attacker to achieve remote code execution if a developer unserializes user input in their project. It presents no direct threat but can enable remote code execution if a developer deserializes untrusted data. Symfony1 depends on Swift Mailer, which is bundled by default in the vendor directory since version 1.3.0. Swift Mailer classes implement ` destruct()` methods, which can be exploited to access array or object properties not intended by the developer. This can lead to the execution of any PHP command, resulting in remote code execution. The issue has been addressed in version 1.5.18. **Recommendations** For Symfony1 versions 1.3.0 through 1.5.17, update to version 1.5.18 or higher to resolve the issue. If using composer, ensure that the Swift Mailer version is updated to 6.2.5 or higher. Alternatively, if Symfony 1.5 needs Swift 5.x, consider forking Swift Mailer and cherry-picking the commit that fixes the vulnerability. As a temporary workaround, consider avoiding the deserialization of user input in projects until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Target First WordPress Plugin version 2.0 **Description** The issue is related to a critical unauthenticated stored XSS vulnerability. An attacker can modify the licence key value by sending a POST request to any URL with the `weeWzKey` parameter, which is then saved as the `weeID` option without proper sanitization. **Recommendations** For version 2.0, consider disabling the licence key modification functionality until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to any URL that accepts the `weeWzKey` parameter to minimize the risk of exploitation. Avoid using the `weeWzKey` parameter in POST requests until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings versions prior to 4.1.0.2 **Description** The issue allows authenticated users with `aioseo tools settings` privilege, typically admins, to execute arbitrary code on the host. This is possible because the plugin attempts to unserialize values from uploaded .ini files in the "Tool > Import/Export" section. The embedded Monolog library can be exploited to create a gadget chain, leading to system command execution. **Recommendations** For versions prior to 4.1.0.2, update to version 4.1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Tool > Import/Export" section and the `aioseo tools settings` privilege to minimize the risk of exploitation. Avoid uploading .ini files from untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tatsu WordPress plugin versions prior to 3.3.12 **Description** The issue is related to the `add custom font` action in the Tatsu WordPress plugin, which can be used without prior authentication to upload a rogue zip file. This file is uncompressed under the WordPress upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process, making the shell file live long enough on the filesystem to be callable by an attacker. The vulnerability has been exploited in real-world attacks, with over 5.9 million attempts blocked between May 10 and 14. It is estimated that almost 100,000 sites are using the vulnerable plugin, and despite the availability of a fix since April, around 50,000 sites still use the vulnerable version. **Recommendations** For Tatsu WordPress plugin versions prior to 3.3.12, update to version 3.3.13 or later to resolve the issue. As a temporary workaround, consider disabling the `add custom font` action until a patch is available. Restrict access to the upload directory to minimize the risk of exploitation. Avoid using the `add custom font` action in the affected plugin until the issue is resolved.