Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-28978

Publication date:
04/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hung Trang Si SB Breadcrumbs sb-breadcrumbs allows Reflected XSS. This issue affects SB Breadcrumbs: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-28980

Publication date:
04/07/2025
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in machouinard Aviation Weather from NOAA aviation-weather-from-noaa allows Path Traversal. This issue affects Aviation Weather from NOAA: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-31037

Publication date:
04/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey homey allows Reflected XSS. This issue affects Homey: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-30933

Publication date:
04/07/2025
Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub logistics-hub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-24771

Publication date:
04/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Content Manager Light content-manager-light allows Reflected XSS. This issue affects Content Manager Light: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-24780

Publication date:
04/07/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce printcart-integration allows SQL Injection. This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-28968

Publication date:
04/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac WP Wall wp-wall allows Reflected XSS. This issue affects WP Wall: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-28976

Publication date:
04/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dsrodzin Email Address Security by WebEmailProtector webemailprotector allows Stored XSS. This issue affects Email Address Security by WebEmailProtector: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-23970

Publication date:
04/07/2025
Incorrect Privilege Assignment vulnerability in aonetheme Service Finder Booking sf-booking allows Privilege Escalation. This issue affects Service Finder Booking: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-38176

Publication date:
04/07/2025
In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in binderfs_evict_inode()

Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled
kernel, I've noticed the following:

BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0
Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699

CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:
dump_stack_lvl+0x1c2/0x2a0
? __pfx_dump_stack_lvl+0x10/0x10
? __pfx__printk+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __virt_addr_valid+0x18c/0x540
? __virt_addr_valid+0x469/0x540
print_report+0x155/0x840
? __virt_addr_valid+0x18c/0x540
? __virt_addr_valid+0x469/0x540
? __phys_addr+0xba/0x170
? binderfs_evict_inode+0x1de/0x2d0
kasan_report+0x147/0x180
? binderfs_evict_inode+0x1de/0x2d0
binderfs_evict_inode+0x1de/0x2d0
? __pfx_binderfs_evict_inode+0x10/0x10
evict+0x524/0x9f0
? __pfx_lock_release+0x10/0x10
? __pfx_evict+0x10/0x10
? do_raw_spin_unlock+0x4d/0x210
? _raw_spin_unlock+0x28/0x50
? iput+0x697/0x9b0
__dentry_kill+0x209/0x660
? shrink_kill+0x8d/0x2c0
shrink_kill+0xa9/0x2c0
shrink_dentry_list+0x2e0/0x5e0
shrink_dcache_parent+0xa2/0x2c0
? __pfx_shrink_dcache_parent+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
do_one_tree+0x23/0xe0
shrink_dcache_for_umount+0xa0/0x170
generic_shutdown_super+0x67/0x390
kill_litter_super+0x76/0xb0
binderfs_kill_super+0x44/0x90
deactivate_locked_super+0xb9/0x130
cleanup_mnt+0x422/0x4c0
? lockdep_hardirqs_on+0x9d/0x150
task_work_run+0x1d2/0x260
? __pfx_task_work_run+0x10/0x10
resume_user_mode_work+0x52/0x60
syscall_exit_to_user_mode+0x9a/0x120
do_syscall_64+0x103/0x210
? asm_sysvec_apic_timer_interrupt+0x1a/0x20
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0xcac57b
Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8
RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850
RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff
R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718
R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830

Allocated by task 1705:
kasan_save_track+0x3e/0x80
__kasan_kmalloc+0x8f/0xa0
__kmalloc_cache_noprof+0x213/0x3e0
binderfs_binder_device_create+0x183/0xa80
binder_ctl_ioctl+0x138/0x190
__x64_sys_ioctl+0x120/0x1b0
do_syscall_64+0xf6/0x210
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 1705:
kasan_save_track+0x3e/0x80
kasan_save_free_info+0x46/0x50
__kasan_slab_free+0x62/0x70
kfree+0x194/0x440
evict+0x524/0x9f0
do_unlinkat+0x390/0x5b0
__x64_sys_unlink+0x47/0x50
do_syscall_64+0xf6/0x210
entry_SYSCALL_64_after_hwframe+0x77/0x7f

This 'stress-ng' workload causes the concurrent deletions from
'binder_devices' and so requires full-featured synchronization
to prevent list corruption.

I've found this issue independently but pretty sure that syzbot did
the same, so Reported-by: and Closes: should be applicable here as well.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38175

Publication date:
04/07/2025
In the Linux kernel, the following vulnerability has been resolved:

binder: fix yet another UAF in binder_devices

Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices")
addressed a use-after-free where devices could be released without first
being removed from the binder_devices list. However, there is a similar
path in binder_free_proc() that was missed:

==================================================================
BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100
Write of size 8 at addr ffff0000c773b900 by task umount/467
CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
binder_remove_device+0xd4/0x100
binderfs_evict_inode+0x230/0x2f0
evict+0x25c/0x5dc
iput+0x304/0x480
dentry_unlink_inode+0x208/0x46c
__dentry_kill+0x154/0x530
[...]

Allocated by task 463:
__kmalloc_cache_noprof+0x13c/0x324
binderfs_binder_device_create.isra.0+0x138/0xa60
binder_ctl_ioctl+0x1ac/0x230
[...]

Freed by task 215:
kfree+0x184/0x31c
binder_proc_dec_tmpref+0x33c/0x4ac
binder_deferred_func+0xc10/0x1108
process_one_work+0x520/0xba4
[...]
==================================================================

Call binder_remove_device() within binder_free_proc() to ensure the
device is removed from the binder_devices list before being kfreed.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38174

Publication date:
04/07/2025
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Do not double dequeue a configuration request

Some of our devices crash in tb_cfg_request_dequeue():

general protection fault, probably for non-canonical address 0xdead000000000122

CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65
RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0
Call Trace:
? tb_cfg_request_dequeue+0x2d/0xa0
tb_cfg_request_work+0x33/0x80
worker_thread+0x386/0x8f0
kthread+0xed/0x110
ret_from_fork+0x38/0x50
ret_from_fork_asm+0x1b/0x30

The circumstances are unclear, however, the theory is that
tb_cfg_request_work() can be scheduled twice for a request:
first time via frame.callback from ring_work() and second
time from tb_cfg_request(). Both times kworkers will execute
tb_cfg_request_dequeue(), which results in double list_del()
from the ctl->request_queue (the list poison dereference hints
at it: 0xdead000000000122).

Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE
bit set.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025