Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/v3d: Ensure job pointer is set to NULL after job completion<br /> <br /> After a job completes, the corresponding pointer in the device must<br /> be set to NULL. Failing to do so triggers a warning when unloading<br /> the driver, as it appears the job is still active. To prevent this,<br /> assign the job pointer to NULL after completing the job, indicating<br /> the job has finished.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "libfs: fix infinite directory reads for offset dir"<br /> <br /> The current directory offset allocator (based on mtree_alloc_cyclic)<br /> stores the next offset value to return in octx-&gt;next_offset. This<br /> mechanism typically returns values that increase monotonically over<br /> time. Eventually, though, the newly allocated offset value wraps<br /> back to a low number (say, 2) which is smaller than other already-<br /> allocated offset values.<br /> <br /> Yu Kuai reports that, after commit 64a7ce76fb90<br /> ("libfs: fix infinite directory reads for offset dir"), if a<br /> directory&amp;#39;s offset allocator wraps, existing entries are no longer<br /> visible via readdir/getdents because offset_readdir() stops listing<br /> entries once an entry&amp;#39;s offset is larger than octx-&gt;next_offset.<br /> These entries vanish persistently -- they can be looked up, but will<br /> never again appear in readdir(3) output.<br /> <br /> The reason for this is that the commit treats directory offsets as<br /> monotonically increasing integer values rather than opaque cookies,<br /> and introduces this comparison:<br /> <br /> if (dentry2offset(dentry) &gt;= last_index) {<br /> <br /> On 64-bit platforms, the directory offset value upper bound is<br /> 2^63 - 1. Directory offsets will monotonically increase for millions<br /> of years without wrapping.<br /> <br /> On 32-bit platforms, however, LONG_MAX is 2^31 - 1. The allocator<br /> can wrap after only a few weeks (at worst).<br /> <br /> Revert commit 64a7ce76fb90 ("libfs: fix infinite directory reads for<br /> offset dir") to prepare for a fix that can work properly on 32-bit<br /> systems and might apply to recent LTS kernels where shmem employs<br /> the simple_offset mechanism.

A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.

A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests.

A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hrtimers: Handle CPU state correctly on hotplug<br /> <br /> Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway<br /> through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to<br /> CPUHP_ONLINE:<br /> <br /> Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set<br /> to 1 throughout. However, during a CPU unplug operation, the tick and the<br /> clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online<br /> state, for instance CFS incorrectly assumes that the hrtick is already<br /> active, and the chance of the clockevent device to transition to oneshot<br /> mode is also lost forever for the CPU, unless it goes back to a lower state<br /> than CPUHP_HRTIMERS_PREPARE once.<br /> <br /> This round-trip reveals another issue; cpu_base.online is not set to 1<br /> after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().<br /> <br /> Aside of that, the bulk of the per CPU state is not reset either, which<br /> means there are dangling pointers in the worst case.<br /> <br /> Address this by adding a corresponding startup() callback, which resets the<br /> stale per CPU state and sets the online flag.<br /> <br /> [ tglx: Make the new callback unconditionally available, remove the online<br /> modification in the prepare() callback and clear the remaining<br /> state in the starting callback instead of the prepare callback ]

HCL Connections Docs is vulnerable to a sensitive information disclosure which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.

A vulnerability was found in SourceCodester Best Church Management Software 1.1. It has been classified as critical. This affects an unknown part of the file /admin/app/role_crud.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability has been found in code-projects Real Estate Property Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /_parse/load_user-profile.php. The manipulation of the argument userhash leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

The Small Package Quotes – Purolator Edition plugin for WordPress is vulnerable to SQL Injection via the &amp;#39;edit_id&amp;#39; and &amp;#39;dropship_edit_id&amp;#39; parameters in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.