Vulnerabilities

The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The WP Test Email plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vmwgfx: Disable coherent dumb buffers without 3d<br /> <br /> Coherent surfaces make only sense if the host renders to them using<br /> accelerated apis. Without 3d the entire content of dumb buffers stays<br /> in the guest making all of the extra work they&amp;#39;re doing to synchronize<br /> between guest and host useless.<br /> <br /> Configurations without 3d also tend to run with very low graphics<br /> memory limits. The pinned console fb, mob cursors and graphical login<br /> manager tend to run out of 16MB graphics memory that those guests use.<br /> <br /> Fix it by making sure the coherent dumb buffers are only used on<br /> configs with 3d enabled.

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

The Classified Listing – Classified ads &amp; Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libfs: fix infinite directory reads for offset dir<br /> <br /> After we switch tmpfs dir operations from simple_dir_operations to<br /> simple_offset_dir_operations, every rename happened will fill new dentry<br /> to dest dir&amp;#39;s maple tree(&amp;SHMEM_I(inode)-&gt;dir_offsets-&gt;mt) with a free<br /> key starting with octx-&gt;newx_offset, and then set newx_offset equals to<br /> free key + 1. This will lead to infinite readdir combine with rename<br /> happened at the same time, which fail generic/736 in xfstests(detail show<br /> as below).<br /> <br /> 1. create 5000 files(1 2 3...) under one dir<br /> 2. call readdir(man 3 readdir) once, and get one entry<br /> 3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry)<br /> 4. loop 2~3, until readdir return nothing or we loop too many<br /> times(tmpfs break test with the second condition)<br /> <br /> We choose the same logic what commit 9b378f6ad48cf ("btrfs: fix infinite<br /> directory reads") to fix it, record the last_index when we open dir, and<br /> do not emit the entry which index &gt;= last_index. The file-&gt;private_data<br /> now used in offset dir can use directly to do this, and we also update<br /> the last_index when we llseek the dir file.<br /> <br /> [brauner: only update last_index after seek when offset is zero like Jan suggested]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "serial: 8250_omap: Set the console genpd always on if no console suspend"<br /> <br /> This reverts commit 68e6939ea9ec3d6579eadeab16060339cdeaf940.<br /> <br /> Kevin reported that this causes a crash during suspend on platforms that<br /> dont use PM domains.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> workqueue: Fix spruious data race in __flush_work()<br /> <br /> When flushing a work item for cancellation, __flush_work() knows that it<br /> exclusively owns the work item through its PENDING bit. 134874e2eee9<br /> ("workqueue: Allow cancel_work_sync() and disable_work() from atomic<br /> contexts on BH work items") added a read of @work-&gt;data to determine whether<br /> to use busy wait for BH work items that are being canceled. While the read<br /> is safe when @from_cancel, @work-&gt;data was read before testing @from_cancel<br /> to simplify code structure:<br /> <br /> data = *work_data_bits(work);<br /> if (from_cancel &amp;&amp;<br /> !WARN_ON_ONCE(data &amp; WORK_STRUCT_PWQ) &amp;&amp; (data &amp; WORK_OFFQ_BH)) {<br /> <br /> While the read data was never used if !@from_cancel, this could trigger<br /> KCSAN data race detection spuriously:<br /> <br /> ==================================================================<br /> BUG: KCSAN: data-race in __flush_work / __flush_work<br /> <br /> write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0:<br /> instrument_write include/linux/instrumented.h:41 [inline]<br /> ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]<br /> insert_wq_barrier kernel/workqueue.c:3790 [inline]<br /> start_flush_work kernel/workqueue.c:4142 [inline]<br /> __flush_work+0x30b/0x570 kernel/workqueue.c:4178<br /> flush_work kernel/workqueue.c:4229 [inline]<br /> ...<br /> <br /> read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1:<br /> __flush_work+0x42a/0x570 kernel/workqueue.c:4188<br /> flush_work kernel/workqueue.c:4229 [inline]<br /> flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251<br /> ...<br /> <br /> value changed: 0x0000000000400000 -&gt; 0xffff88810006c00d<br /> <br /> Reorganize the code so that @from_cancel is tested before @work-&gt;data is<br /> accessed. The only problem is triggering KCSAN detection spuriously. This<br /> shouldn&amp;#39;t need READ_ONCE() or other access qualifiers.<br /> <br /> No functional changes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: reset mmio mappings with devm<br /> <br /> Set our various mmio mappings to NULL. This should make it easier to<br /> catch something rogue trying to mess with mmio after device removal. For<br /> example, we might unmap everything and then start hitting some mmio<br /> address which has already been unmamped by us and then remapped by<br /> something else, causing all kinds of carnage.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: serial: fsl_lpuart: mark last busy before uart_add_one_port<br /> <br /> With "earlycon initcall_debug=1 loglevel=8" in bootargs, kernel<br /> sometimes boot hang. It is because normal console still is not ready,<br /> but runtime suspend is called, so early console putchar will hang<br /> in waiting TRDE set in UARTSTAT.<br /> <br /> The lpuart driver has auto suspend delay set to 3000ms, but during<br /> uart_add_one_port, a child device serial ctrl will added and probed with<br /> its pm runtime enabled(see serial_ctrl.c).<br /> The runtime suspend call path is:<br /> device_add<br /> |-&gt; bus_probe_device<br /> |-&gt;device_initial_probe<br /> |-&gt;__device_attach<br /> |-&gt; pm_runtime_get_sync(dev-&gt;parent);<br /> |-&gt; pm_request_idle(dev);<br /> |-&gt; pm_runtime_put(dev-&gt;parent);<br /> <br /> So in the end, before normal console ready, the lpuart get runtime<br /> suspended. And earlycon putchar will hang.<br /> <br /> To address the issue, mark last busy just after pm_runtime_enable,<br /> three seconds is long enough to switch from bootconsole to normal<br /> console.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: qcom: x1e80100: Fix special pin offsets<br /> <br /> Remove the erroneus 0x100000 offset to prevent the boards from crashing<br /> on pin state setting, as well as for the intended state changes to take<br /> effect.