Vulnerabilities

Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Premium Addons for Elementor: from n/a through

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: arm_sdei: Fix sleep from invalid context BUG<br /> <br /> Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra<br /> triggers:<br /> <br /> BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46<br /> in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0<br /> preempt_count: 0, expected: 0<br /> RCU nest depth: 0, expected: 0<br /> 3 locks held by cpuhp/0/24:<br /> #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248<br /> #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248<br /> #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130<br /> irq event stamp: 36<br /> hardirqs last enabled at (35): [] finish_task_switch+0xb4/0x2b0<br /> hardirqs last disabled at (36): [] cpuhp_thread_fun+0x21c/0x248<br /> softirqs last enabled at (0): [] copy_process+0x63c/0x1ac0<br /> softirqs last disabled at (0): [] 0x0<br /> CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...]<br /> Hardware name: WIWYNN Mt.Jade Server [...]<br /> Call trace:<br /> dump_backtrace+0x114/0x120<br /> show_stack+0x20/0x70<br /> dump_stack_lvl+0x9c/0xd8<br /> dump_stack+0x18/0x34<br /> __might_resched+0x188/0x228<br /> rt_spin_lock+0x70/0x120<br /> sdei_cpuhp_up+0x3c/0x130<br /> cpuhp_invoke_callback+0x250/0xf08<br /> cpuhp_thread_fun+0x120/0x248<br /> smpboot_thread_fn+0x280/0x320<br /> kthread+0x130/0x140<br /> ret_from_fork+0x10/0x20<br /> <br /> sdei_cpuhp_up() is called in the STARTING hotplug section,<br /> which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry<br /> instead to execute the cpuhp cb later, with preemption enabled.<br /> <br /> SDEI originally got its own cpuhp slot to allow interacting<br /> with perf. It got superseded by pNMI and this early slot is not<br /> relevant anymore. [1]<br /> <br /> Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the<br /> calling CPU. It is checked that preemption is disabled for them.<br /> _ONLINE cpuhp cb are executed in the &amp;#39;per CPU hotplug thread&amp;#39;.<br /> Preemption is enabled in those threads, but their cpumask is limited<br /> to 1 CPU.<br /> Move &amp;#39;WARN_ON_ONCE(preemptible())&amp;#39; statements so that SDEI cpuhp cb<br /> don&amp;#39;t trigger them.<br /> <br /> Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call<br /> which acts on the calling CPU.<br /> <br /> [1]:<br /> https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data.This issue affects Eight Day Week Print Workflow: from n/a through

Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS.This issue affects Evergreen Post Tweeter: from n/a through

Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery.This issue affects 6Storage Rentals: from n/a through

Cross-Site Request Forgery (CSRF) vulnerability in tmtraderunner Trade Runner traderunner allows Cross Site Request Forgery.This issue affects Trade Runner: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in TouchOfTech Draft Notify draft-notify allows Stored XSS.This issue affects Draft Notify: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS.This issue affects Review Disclaimer: from n/a through

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd: Fix an out of bounds error in BIOS parser<br /> <br /> The array is hardcoded to 8 in atomfirmware.h, but firmware provides<br /> a bigger one sometimes. Deferencing the larger array causes an out<br /> of bounds error.<br /> <br /> commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error<br /> in bios parser") fixed some of this, but there are two other cases<br /> not covered by it. Fix those as well.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: Fix system crash due to lack of free space in LFS<br /> <br /> When f2fs tries to checkpoint during foreground gc in LFS mode, system<br /> crash occurs due to lack of free space if the amount of dirty node and<br /> dentry pages generated by data migration exceeds free space.<br /> The reproduction sequence is as follows.<br /> <br /> - 20GiB capacity block device (null_blk)<br /> - format and mount with LFS mode<br /> - create a file and write 20,000MiB<br /> - 4k random write on full range of the file<br /> <br /> RIP: 0010:new_curseg+0x48a/0x510 [f2fs]<br /> Code: 55 e7 f5 89 c0 48 0f af c3 48 8b 5d c0 48 c1 e8 20 83 c0 01 89 43 6c 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0b f0 41 80 4f 48 04 45 85 f6 0f 84 ba fd ff ff e9 ef fe ff ff<br /> RSP: 0018:ffff977bc397b218 EFLAGS: 00010246<br /> RAX: 00000000000027b9 RBX: 0000000000000000 RCX: 00000000000027c0<br /> RDX: 0000000000000000 RSI: 00000000000027b9 RDI: ffff8c25ab4e74f8<br /> RBP: ffff977bc397b268 R08: 00000000000027b9 R09: ffff8c29e4a34b40<br /> R10: 0000000000000001 R11: ffff977bc397b0d8 R12: 0000000000000000<br /> R13: ffff8c25b4dd81a0 R14: 0000000000000000 R15: ffff8c2f667f9000<br /> FS: 0000000000000000(0000) GS:ffff8c344ec80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000c00055d000 CR3: 0000000e30810003 CR4: 00000000003706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> allocate_segment_by_default+0x9c/0x110 [f2fs]<br /> f2fs_allocate_data_block+0x243/0xa30 [f2fs]<br /> ? __mod_lruvec_page_state+0xa0/0x150<br /> do_write_page+0x80/0x160 [f2fs]<br /> f2fs_do_write_node_page+0x32/0x50 [f2fs]<br /> __write_node_page+0x339/0x730 [f2fs]<br /> f2fs_sync_node_pages+0x5a6/0x780 [f2fs]<br /> block_operations+0x257/0x340 [f2fs]<br /> f2fs_write_checkpoint+0x102/0x1050 [f2fs]<br /> f2fs_gc+0x27c/0x630 [f2fs]<br /> ? folio_mark_dirty+0x36/0x70<br /> f2fs_balance_fs+0x16f/0x180 [f2fs]<br /> <br /> This patch adds checking whether free sections are enough before checkpoint<br /> during gc.<br /> <br /> [Jaegeuk Kim: code clean-up]