CVE-2022-4155
published 2022-12-26CVE-2022-4155: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before…
PriorityP426medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
EPSS
0.85%
53.4th percentile
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contest-gallery | contest_gallery | < 19.1.5.1 | 19.1.5.1 |
| linux | linux_kernel | >= 0 < 4.4.0-237.271 | 4.4.0-237.271 |
CVSS provenance
nvdv3.14.9MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
osv5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
osv·2023-03-06·CVSS 5.5
CVE-2021-4155 linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
Kirill Tkhai discovered that the XFS file system implementation in the
Linux kernel did not calculate size correctly when pre-allocating space in
some situations. A local attacker could use this to expose sensitive
information. (CVE-2021-4155)
Lee Jones discovered that a use-after-free vulnerability existed in the
Bluetooth implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-20566)
Duoming Zhou discovered that a race condition existed in the SLIP driver in
the Linux kernel, leading to a null pointer dereference vulnerability. An
attacker could use this to cause a denial of service (system crash).
(CVE-2022-41858)
Tamás K
OSV
linux-aws vulnerabilities
osv·2023-02-23·CVSS 5.5
CVE-2021-4155 linux-aws vulnerabilities
linux-aws vulnerabilities
Kirill Tkhai discovered that the XFS file system implementation in the
Linux kernel did not calculate size correctly when pre-allocating space in
some situations. A local attacker could use this to expose sensitive
information. (CVE-2021-4155)
Lee Jones discovered that a use-after-free vulnerability existed in the
Bluetooth implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-20566)
Duoming Zhou discovered that a race condition existed in the SLIP driver in
the Linux kernel, leading to a null pointer dereference vulnerability. An
attacker could use this to cause a denial of service (system crash).
(CVE-2022-41858)
Tamás Koczka discovered that the Bluetooth
GHSA
GHSA-43qm-4w5w-7m4c: The Contest Gallery WordPress plugin before 19
ghsa_unreviewed·2022-12-26
CVE-2022-4155 [MEDIUM] CWE-89 GHSA-43qm-4w5w-7m4c: The Contest Gallery WordPress plugin before 19
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-12-26
Published