Vulnerabilities

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mtd: rawnand: brcmnand: fix PM resume warning<br /> <br /> Fixed warning on PM resume as shown below caused due to uninitialized<br /> struct nand_operation that checks chip select field :<br /> WARN_ON(op-&gt;cs &gt;= nanddev_ntargets(&amp;chip-&gt;base)<br /> <br /> [ 14.588522] ------------[ cut here ]------------<br /> [ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8<br /> [ 14.588553] Modules linked in: bdc udc_core<br /> [ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16<br /> [ 14.588590] Tainted: [W]=WARN<br /> [ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree)<br /> [ 14.588598] Call trace:<br /> [ 14.588604] dump_backtrace from show_stack+0x18/0x1c<br /> [ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c<br /> [ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c<br /> [ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c<br /> [ 14.588653] r5:c08d40b0 r4:c1003cb0<br /> [ 14.588656] dump_stack from __warn+0x84/0xe4<br /> [ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194<br /> [ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000<br /> [ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8<br /> [ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048<br /> [ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150<br /> [ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040<br /> [ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54<br /> [ 14.588735] r5:00000010 r4:c0840a50<br /> [ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c<br /> [ 14.588757] dpm_run_callback from device_resume+0xc0/0x324<br /> [ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010<br /> [ 14.588779] device_resume from dpm_resume+0x130/0x160<br /> [ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0<br /> [ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20<br /> [ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414<br /> [ 14.588826] r4:00000010<br /> [ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8<br /> [ 14.588848] r5:c228a414 r4:00000000<br /> [ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc<br /> [ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000<br /> [ 14.588871] r4:00000003<br /> [ 14.588874] pm_suspend from state_store+0x74/0xd0<br /> [ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003<br /> [ 14.588892] state_store from kobj_attr_store+0x1c/0x28<br /> [ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250<br /> [ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c<br /> [ 14.588936] r5:c3502900 r4:c0d92a48<br /> [ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0<br /> [ 14.588956] r5:c3502900 r4:c3501f40<br /> [ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420<br /> [ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00<br /> [ 14.588983] r4:c042a88c<br /> [ 14.588987] vfs_write from ksys_write+0x74/0xe4<br /> [ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00<br /> [ 14.589008] r4:c34f7f00<br /> [ 14.589011] ksys_write from sys_write+0x10/0x14<br /> [ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004<br /> [ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c<br /> [ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)<br /> [ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001<br /> [ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78<br /> [ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8<br /> [ 14.589065] ---[ end trace 0000000000000000 ]---<br /> <br /> The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when<br /> doing PM resume operation in compliance with the controller support for single<br /> die nand chip. Switching from nand_reset_op() to nan<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: Fix reference leak in pci_register_host_bridge()<br /> <br /> If device_register() fails, call put_device() to give up the reference to<br /> avoid a memory leak, per the comment at device_register().<br /> <br /> Found by code review.<br /> <br /> [bhelgaas: squash Dan Carpenter&amp;#39;s double free fix from<br /> https://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jbd2: remove wrong sb-&gt;s_sequence check<br /> <br /> Journal emptiness is not determined by sb-&gt;s_sequence == 0 but rather by<br /> sb-&gt;s_start == 0 (which is set a few lines above). Furthermore 0 is a<br /> valid transaction ID so the check can spuriously trigger. Remove the<br /> invalid WARN_ON.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent()<br /> <br /> Two WARNINGs are observed when SMMU driver rolls back upon failure:<br /> arm-smmu-v3.9.auto: Failed to register iommu<br /> arm-smmu-v3.9.auto: probe with driver arm-smmu-v3 failed with error -22<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 5 PID: 1 at kernel/dma/mapping.c:74 dmam_free_coherent+0xc0/0xd8<br /> Call trace:<br /> dmam_free_coherent+0xc0/0xd8 (P)<br /> tegra241_vintf_free_lvcmdq+0x74/0x188<br /> tegra241_cmdqv_remove_vintf+0x60/0x148<br /> tegra241_cmdqv_remove+0x48/0xc8<br /> arm_smmu_impl_remove+0x28/0x60<br /> devm_action_release+0x1c/0x40<br /> ------------[ cut here ]------------<br /> 128 pages are still in use!<br /> WARNING: CPU: 16 PID: 1 at mm/page_alloc.c:6902 free_contig_range+0x18c/0x1c8<br /> Call trace:<br /> free_contig_range+0x18c/0x1c8 (P)<br /> cma_release+0x154/0x2f0<br /> dma_free_contiguous+0x38/0xa0<br /> dma_direct_free+0x10c/0x248<br /> dma_free_attrs+0x100/0x290<br /> dmam_free_coherent+0x78/0xd8<br /> tegra241_vintf_free_lvcmdq+0x74/0x160<br /> tegra241_cmdqv_remove+0x98/0x198<br /> arm_smmu_impl_remove+0x28/0x60<br /> devm_action_release+0x1c/0x40<br /> <br /> This is because the LVCMDQ queue memory are managed by devres, while that<br /> dmam_free_coherent() is called in the context of devm_action_release().<br /> <br /> Jason pointed out that "arm_smmu_impl_probe() has mis-ordered the devres<br /> callbacks if ops-&gt;device_remove() is going to be manually freeing things<br /> that probe allocated":<br /> https://lore.kernel.org/linux-iommu/20250407174408.GB1722458@nvidia.com/<br /> <br /> In fact, tegra241_cmdqv_init_structures() only allocates memory resources<br /> which means any failure that it generates would be similar to -ENOMEM, so<br /> there is no point in having that "falling back to standard SMMU" routine,<br /> as the standard SMMU would likely fail to allocate memory too.<br /> <br /> Remove the unwind part in tegra241_cmdqv_init_structures(), and return a<br /> proper error code to ask SMMU driver to call tegra241_cmdqv_remove() via<br /> impl_ops-&gt;device_remove(). Then, drop tegra241_vintf_free_lvcmdq() since<br /> devres will take care of that.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: fsl-qspi: use devm function instead of driver remove<br /> <br /> Driver use devm APIs to manage clk/irq/resources and register the spi<br /> controller, but the legacy remove function will be called first during<br /> device detach and trigger kernel panic. Drop the remove function and use<br /> devm_add_action_or_reset() for driver cleanup to ensure the release<br /> sequence.<br /> <br /> Trigger kernel panic on i.MX8MQ by<br /> echo 30bb0000.spi &gt;/sys/bus/platform/drivers/fsl-quadspi/unbind

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pm: cpupower: bench: Prevent NULL dereference on malloc failure<br /> <br /> If malloc returns NULL due to low memory, &amp;#39;config&amp;#39; pointer can be NULL.<br /> Add a check to prevent NULL dereference.

The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the &amp;#39;zetra_languageUpload&amp;#39; and &amp;#39;zetra_fontsUpload&amp;#39; functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site&amp;#39;s server which may make remote code execution possible.

Improper Limitation of a Pathname caused a Path Traversal vulnerability in Sparx Systems Pro Cloud Server.<br /> <br /> This vulnerability is present in logview.php and it allows reading arbitrary files on the filesystem. <br /> <br /> Logview is accessible on Pro Cloud Server Configuration interface. <br /> <br /> <br /> This issue affects Pro Cloud Server: earlier than 6.0.165.

A vulnerability was found in itsourcecode Gym Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_schedule. The manipulation of the argument member_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

A vulnerability has been found in itsourcecode Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_plan. The manipulation of the argument plan leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.