Luca Jungnickel

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

**Name of the Vulnerable Software and Affected Versions** Form Builder CP WordPress plugin versions prior to 1.2.47 **Description** Insufficient sanitization of a form configuration value before storage and subsequent use in client-side script execution allows authenticated users with Editor-level access or higher to perform Stored Cross-Site Scripting (XSS). This occurs even when the `unfiltered html` capability is disabled, such as in multisite networks, affecting any visitor who views a page rendering the compromised form. **Recommendations** Update the plugin to version 1.2.47 or later.

**Name of the Vulnerable Software and Affected Versions** Iptanus File Upload versions prior to 5.1.7 **Description** Improper file handling occurs when the `duplicatepolicy` setting is configured to "maintain both." A Time-of-Check to Time-of-Use (TOCTOU) race condition—a scenario where a system checks a condition (such as file existence) but the state changes before the resulting action (writing the file) is performed—exists between the file existence check and the actual file write operation. This allows an authenticated attacker to overwrite files uploaded by other users. **Recommendations** Update to version 5.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** Secure Copy Content Protection and Content Locking versions prior to 5.1.5 **Description** The plugin fails to sanitize and escape certain settings, enabling high-privilege users, such as administrators, to execute Stored Cross-Site Scripting attacks. This occurs even in environments where the `unfiltered html` capability is disabled, such as multisite setups. The issue is specifically linked to the `ays sccp sub icon image` parameter. **Recommendations** Update to version 5.1.5 or later.

**Name of the Vulnerable Software and Affected Versions** Custom Block Builder versions prior to 4.3.0 **Description** The plugin fails to consistently verify the `unfiltered html` capability across all paths that write to block template code fields. This allows administrators on multisite installations, or single-site installations where `DISALLOW UNFILTERED HTML` is defined, to perform a stored cross-site scripting (XSS) attack by injecting arbitrary JavaScript. This script executes for any visitor who views pages embedding the affected block. **Recommendations** Update to version 4.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** Open5GS versions prior to 2.7.7 **Description** A remote denial of service issue exists in the AMF component within the `src/amf/gmm-handler.c` file. The flaw is triggered by the manipulation of the `reg type` argument. **Recommendations** Upgrade to version 2.7.7.

**Name of the Vulnerable Software and Affected Versions** Open5GS versions through 2.7.6 **Description** A security flaw exists in Open5GS. The issue involves a stack-based buffer overflow in the `hss ogs diam cx mar cb` function within the `src/hss/hss-cx-path.c` file, part of the VoLTE Cx-Test component. The `OGS KEY LEN` argument can be manipulated, leading to the overflow. This issue can be exploited remotely. **Recommendations** Apply patch 54dda041211098730221d0ae20a2f9f9173e7a21 to remediate the issue.