Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08.

**Insyde ID**

**Advisory Category**

**Impact of Vulnerability**

**Severity Rating**

**Original Date**

**Last Revised**

INSYDE-SA-2019001

Software

Escalation of Privilege, Information Disclosure

MEDIUM

08/12/2019

09/04/2019

****Summary:****

A potential security vulnerability in the Insyde software tools may allow escalation of privilege, or information disclosure. Insyde is releasing software updates to mitigate this potential vulnerability.

****Vulnerability Details****

CVEID: CVE-2019-12532

Description: Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a BIOS issue.

CVSS Base Score: 6.9 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:L

****Affected Insyde Tools:****

*   H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23, 200.00.00.01~200.00.00.05
*   H2OOAE before version 200.00.00.02
*   H2OSDE before version 200.00.00.07
*   H2OUVE before version 200.00.02.02
*   H2OPCM before version 100.00.06.00
*   H2OELV before version 100.00.02.08

****Recommendations:****

*   Insyde Software has released new version of software tools to hardware manufacturers to mitigate this potential vulnerability.
*   Insyde Software recommends that users contact hardware manufacturers to get updated version of BIOS flash package.

****Acknowledgements:****

Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.

****Revision History:****

**Revision**

**Date**

**Description**

1.0

12-August-2019

Initial Release

1.1

04-September-2019

Update Tool Release Status

**Return to Insyde's Security Pledge**

CVE-2019-12532: Security Advisory | Insyde Software

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

CVE-2015-9333: cformsII

The wp-slimstat plugin before 4.8.1 for WordPress has XSS.

*   Details
*   Reviews
*   Installation
*   Development

Track returning customers and registered users, monitor Javascript events, detect intrusions, analyze email campaigns. Thousands of WordPress sites are already using it.

**Main features**

*   **Real-Time Access Log**: measure server latency, track page events, keep an eye on your bounce rate and much more.
*   **Shortcodes**: display reports in widgets or directly in posts and pages.
*   **GDPR**: fully compliant with the GDPR European law. You can test your website at cookiebot.com.
*   **Filters**: exclude users from statistics collection based on various criteria, including user roles, common robots, IP subnets, admin pages, country, etc.
*   **Export to Excel**: download your reports as CSV files, generate user heatmaps or get daily emails right in your mailbox (via premium add-ons).
*   **Cache**: compatible with W3 Total Cache, WP SuperCache, CloudFlare and most caching plugins.
*   **Privacy**: hash IP addresses to protect your users’ privacy.
*   **Geolocation**: identify your visitors by city and country, browser type and operating system (courtesy of MaxMind and Browscap).
*   **World Map**: see where your visitors are coming from, even on your mobile device (courtesy of amMap).

**Requirements**

*   WordPress 5.0+
*   PHP 7.4+
*   MySQL 5.0.3+
*   At least 5 MB of free web space (240 MB if you plan on using the external libraries for geolocation and browser detection)
*   At least 10 MB of free DB space
*   At least 32 Mb of free PHP memory for the tracker (peak memory usage)

**Please note**

*   If you decide to uninstall Slimstat Analytics, all the stats will be **PERMANENTLY** deleted from your database. Make sure to setup a database backup (wp\_slim\_\*) to avoid losing your data.

1.  In your WordPress admin, go to Plugins > Add New
2.  Search for Slimstat Analytics
3.  Click on **Install Now** next to Slimstat Analytics and then activate the plugin
4.  Make sure your template calls wp_footer() or the equivalent hook somewhere (possibly just before the </body> tag)

An extensive knowledge base is available on our website.

Thanks for this plugin! I really enjoy using the real-time user data. It also helps to find out about 404 errors/links on the site. You are doing great 🙂

I want a real time stats of active users on various pages of my site. But the real time page simply lists the current users and there is a map showing their location. Also, there are setting for date range??? This page could be configured better. Include setting as to what qualifies a active user (such as entered page within the last 15 minutes). Some information presented is useful. Also, stats regarding performance taxing on server would be good. But as it is, I don't think I will keep this over GA4.

Best in-house stats plugin for wordpress I could find and great support. No more sharing my website data with third-parties, like Google Analytics. Highly recommend it.

The plugin has been updated. It downloads and unpacks the GeoLite2 database from Maxmind for WooCommerce website without a hiccup. Thank you for a great tool, essential for planning inventory and blocking gargoyles.

Demasiado brutal, tengo menos de un minuto usándola y ya la amo.

especially since the author renewed the plugin recently. It's got geolocation and browser useragent working. Wonderful

Read all 807 reviews

“Slimstat Analytics” is open source software. The following people have contributed to this plugin.

Contributors

**4.9.3.2**

*   \[Fix\] The filtering issue

**4.9.3.1**

*   \[Fix\] Query issue in UTF-8 slugs

**4.9.3**

*   \[Update\] New logo and icon for the plugin!
*   \[Fix\] Hardened plugin security and sanitization of user input and escaped output

**4.9.2**

*   \[Fix\] Fixed tweak notice errors while activating the plugin in fresh installation
*   \[Update\] Tested up to WordPress v6.1

**4.9.0.1**

*   \[Fix\] Entries in the Top Referring Domains report were pointing to broken links (thank you, s7ech).
*   \[Fix\] The new Browscap Library requires at least PHP 7.4, up from 7.1. (thank you, Daniel Jaraud).

**4.9**

*   \[New\] Browscap Library is now bundled with the main plugin, only definition files are downloaded dynamically.
*   \[New\] Support MaxMind License Key for GeoLite2 database downloads.
*   \[New\] Speedup Browscap version check when repository site is down.
*   \[New\] Delete plugin settings and stats only if explicitly enabled in settings
*   \[Fix\] Addressed a PHP warning of undefined variable when parsing a query string looking for search term keywords (thank you, inndesign).
*   \[Fix\] Fixed SQL error when Events Manager plugin is installed, ‘Posts and Pages’ is enabled, and no events are existing (thank you, lwangamaman.
*   \[Fix\] Starting with 4.9, PHP 7.4+ is required (thank you, stephanie-mitchell.
*   \[Fix\] Opt-Out cookie does not delete slimstat cookie.

**4.8.8.1**

*   \[Update\] The Privacy Mode option under Slimstat > Settings > Tracker now controls the fingerprint collection mechanism as well. If you have this option enabled to comply with European privacy laws, your visitors’ IP addresses will be masked and they won’t be fingerprinted (thank you, Peter).
*   \[Update\] Improved handling of our local DNS cache to store hostnames when the option to convert IP addresses is enabled in the settings.
*   \[Fix\] Redirects from the canonical URL to its corresponding nice permalink were being affected by a new feature introduce in version 4.8.7 (thank you, Brookjnk).
*   \[Fix\] The new tracker was throwing a Javascript error when handling events attached to DOM elements without a proper hierarchy (thank , you pollensteyn).
*   \[Fix\] Tracking downloads using third-party solutions like Download Attachments was not working as expected (thank you, damianomalorzo).
*   \[Fix\] Inverted stacking order of dots on the map so that the most recent pageviews are always on top, when dots are really close to each other.
*   \[Fix\] A warning message was being returned by the function looking for search keywords in the URL (thank you, Ryan).

**4.8.8**

*   \[New\] Implemented new FingerPrintJs2 library in the tracker. Your visitors are now associated with a unique identifier that does not rely on cookies, IP address or other unreliable information. This will allow Slimstat to produce more accurate results in terms of session lenghts, user patterns and much more.
*   \[New\] Added event handler for ‘beforeunload’, which will allow the tracker to better meausure the time spent by your visitors on each page. This will make our upcoming new charts even more accurate.
*   \[Update\] Improved algorithm that scans referrer URLs for search terms, and introduced a new list of search engines. Please help us improve this list by submitting your missing search engine entries.
*   \[Update\] Added title field to Slimstat widgets (thank you, jaroslawistok).
*   \[Update\] Reverted a change to the Top Web Pages report that was now combining URLs with a trailing slash and ones without one into one result. As James pointed out, this is a less accurate measure and hides the fact that people might be accessing the website in different ways.
*   \[Update\] The event tracker now annotates each event with information about the mouse button that was clicked and other useful data.
*   \[Fix\] The Country shortcode was not working as expected because of a change in how we handle localization files.
*   \[Fix\] Renamed slim\_i18n class to avoid conflict with external libraries.

**4.8.7.3**

*   \[New\] Implemented a simple query cache to minimize the number of requests needed to crunch and display the data in the reports.
*   \[Update\] Extended tracker to also record the ‘fragment’ portion of the URL, if available (this feature is only available in Client Mode).
*   \[Update\] Do not show the resource title in Network View mode.
*   \[Fix\] Some reports were not optimized for our Network Analytics add-on (thank you, Peter).
*   \[Fix\] The notice displayed to share the latest news with our users would not disappear even after clicking the X button to close it (thank you, Anton).
*   \[Fix\] The ‘Top Web Pages’ reports was listing duplicate entries.
*   \[Fix\] A regression bug was affecting the Currently Online report, by showing incorrect information for the IP addresses.
*   \[Fix\] After resetting the Customizer view, all reports were being listed twice (thank you, Anton).
*   \[Fix\] A new feature introduced by our Javascript tracker was not working as expected in IE11 (thank you, 51nullacht).

**4.8.7.2**

*   \[Fix\] The new tracker was having problems recording clicks on SVG elements within a link (thank you, pollensteyn).
*   \[Fix\] The event handler is now capable of tracking events on BUTTONs within FORM elements.
*   \[Fix\] Permalinks containing post query strings were not being recorded as expected.

**4.8.7.1**

*   \[Note\] We are in the process of deprecating the two columns _type_ and _event\_description_ in the events table, and consolidating that information in the _notes_ field. Code will be added to Slimstat in a few released to actually drop these columns from the database. If you are using those two columns in your custom code, please feel free to contact our support team to discuss your options and how to update your code using the information collected by the new tracker.
*   \[Fix\] A warning message was being displayed when enabling the opt-out feature with certain versions of PHP.
*   \[Fix\] PHP warning being displayed when trying to update some of the add-ons’ settings.
*   \[Fix\] The new tracker was recording the number of posts on an archive page even when the single article was being displayed.
*   \[Fix\] License keys for premium add-ons were not being saved as expected, due to a side effect of the new security features we implemented in the Settings.

**4.8.7**

*   \[New\] With this update, we are introducing an _updated tracker_ (both server and client-side): a new simplified codebase that gets rid of a few layers of convoluted functions and algorithms accumulated over the years. We have been working on this update for quite a while, and the recent conflict with another plugin discovered by some users convinced us to make this our top priority. Even though we have tested our new code using a variety of scenarios, you can understand how it would be impossible to cover all the possible environments available out there. Make sure to clear your caches (local, Cloudflare, WP plugins, etc), to allow Slimstat to append the new tracking script to your pages. Also, if you are using Slimstat to track _external_ pages (outside of your WP install), please make sure to update the code you’re using on those pages with the new one you can find in Slimstat > Settings > Tracker > External Pages.
*   \[New\] Increased minimum WordPress requirements to version 4.9, given that we are now using some more modern functions to enqueue the tracker and implement the customizer feature.
*   \[Update\] We tweaked the SQL query to retrieve ‘recent’ results, and added a GROUP BY clause to remove duplicates. This might affect some custom reports you might have created, so please don’t hesitate to contact us if you have any question or experience any issues.
*   \[Update\] The columns to store event type and description are being deprecated, and consolidated into the existing ‘notes’ column. Our function ss_track() will only accept the note parameter moving forward. Please update your custom code accordingly. In a few releases, we are going to drop those columns from the database.
*   \[Update\] Changed wording on Traffic Sources report to explain what kind of search engine result pages are being counted (thank you, Nina).
*   \[Fix\] The button to delete all the records from the database was not working as expected (thank you, Softfully).
*   \[Fix\] When the plugin was network activated on a group of existing blogs, the tables used to store all the records were not initialized as expected, under given circumstances.
*   \[Fix\] A bug was affecting certain shortcodes when PHP 7.2 was enabled (thank you, Peter).
*   \[Fix\] Emptying one of the settings and saving did not produce the desired effect.

CVE-2019-15112: Slimstat Analytics

Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.

CVE-2019-15232

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.

CVE-2019-15218

An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.

CVE-2019-15216

An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.

CVE-2019-15222

An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.

CVE-2019-15215

An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.

CVE-2019-15221

A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access the ability to update the Embedded Controller with unsigned firmware.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Sales Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

Tag

#ios